CloudEngine 8800, 7800, 6800, and 5800 Series Switches
V200R005C10

Configuration Guide - Ethernet Switching

Issue 09
Date 2021-06-03

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2021. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: https://e.huawei.com

Issue 09 (2021-06-03) Copyright © Huawei Technologies Co., Ltd. i


CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Configuration Guide - Ethernet Switching About This Document

About This Document

Intended Audience
This document is intended for network engineers responsible for CE series switches
configuration and management. You should be familiar with basic Ethernet
knowledge and have extensive experience in network deployment and
management.

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol    Description

NOTICE    Indicates a potentially hazardous situation which, if not avoided, could
          result in equipment damage, data loss, performance deterioration, or
          unanticipated results.
          NOTICE is used to address practices not related to personal injury.

NOTE      Supplements the important information in the main text.
          NOTE is used to address information not related to personal injury,
          equipment damage, and environment deterioration.

Command Conventions
The command conventions that may be found in this document are defined as
follows.

Convention          Description

Boldface            The keywords of a command line are in boldface.

Italic              Command arguments are in italics.

[ ]                 Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... }     Optional items are grouped in braces and separated by vertical
                    bars. One item is selected.

[ x | y | ... ]     Optional items are grouped in brackets and separated by vertical
                    bars. One item is selected or no item is selected.

{ x | y | ... }*    Optional items are grouped in braces and separated by vertical
                    bars. A minimum of one item or a maximum of all items can be
                    selected.

[ x | y | ... ]*    Optional items are grouped in brackets and separated by vertical
                    bars. Several items or no item can be selected.

&<1-n>              The parameter before the & sign can be repeated 1 to n times.

#                   A line starting with the # sign is a comment.

Interface Numbering Conventions


Interface numbers used in this manual are examples. In device configuration, use
the existing interface numbers on devices.

Security Conventions
● Password setting
– When configuring a password, cipher text is recommended. To ensure
device security, change the password periodically.
– When you configure a password in plain text that starts and ends with
%^%#......%^%# (the password can be decrypted by the device), the
password is displayed in the configuration file exactly as it was
configured. Do not use this setting. After the system master key is
set using the set master-key command, do not start and end the key
with %@%#, because a string that starts and ends with %@%# is
considered a valid cipher-text key.
– When you configure a password in cipher text, different features cannot
use the same cipher-text password. For example, the cipher-text password
set for the AAA feature cannot be used for other features.

– After the system software is downgraded and the switch restarts with the
configuration of the higher version, AAA, VTY, serial interface login, and
SNMP user passwords become invalid. As a result, users fail to log in to
the switch using the passwords and the switch is disconnected from the
network management system.
To address this problem, take the following measures:
i. If no password is configured for the console port, log in to the device
through the console port, and reconfigure AAA and the passwords for
users such as VTY and SNMP users. For security purposes, configuring a
console port password is recommended.
ii. If a password is configured for login through the console port, the
password becomes invalid after the downgrade and you cannot log
in to the switch through the console port. In the case of downgrade
to a version later than V200R005C10, contact Huawei technical
support engineers for assistance. If the version is downgraded to
V200R005C10 or an earlier version, perform the following steps to
resolve the issue:
1) Connect to the console port.
2) Power cycle the device. During the startup, press Ctrl+B
when prompted to enter the BIOS menu.
3) Select 7.Modify console password to delete and change the
console port password.
4) Restart the device, log in to the device through the console port,
and reconfigure the password for the AAA, VTY, or SNMP user.
● Encryption algorithm
Currently, the device uses the following encryption algorithms: DES, 3DES,
AES, DSA, RSA, DH, ECDH, HMAC, SHA1, SHA2, PBKDF2, scrypt, and MD5.
The encryption algorithm depends on the applicable scenario. Use the
recommended encryption algorithm; otherwise, security defense requirements
may not be met.
– For symmetric encryption, use AES with a key of 256 bits or more.
– When you need to use asymmetric cryptography, RSA (2048-bit or
longer key) is recommended. In addition, use different key pairs for
encryption and signature.
– For the digital signature, RSA (2048-bit or longer key) or DSA (2048-bit
or longer key) is recommended.
– For key negotiation, DH (2048-bit or longer key) or ECDH (256-bit or
longer key) is recommended.
– For the hash algorithm, use SHA with the key of 256 bits or more.
– For the HMAC algorithm, use HMAC-SHA2.
– DES, 3DES, RSA, and AES are reversible encryption algorithms. If protocols
are used for interconnection, the locally stored password must be
reversible.
– SHA1, SHA2, and MD5 are irreversible encryption algorithms. When
configuring a password for a local administrator, it is recommended that
you use the SHA2 irreversible encryption algorithm.

– To prevent brute-force cracking of user passwords, an iteration
algorithm is applied to the password in addition to a salt. The iteration
algorithm uses the PBKDF2 or scrypt key derivation algorithm.
– The ECB mode defends poorly against plaintext replay attacks, so ECB
is not recommended for password encryption.
– In SSH2.0, symmetric cryptography using the CBC mode is exposed to
plaintext-recovery attacks, which can cause a data leak. Therefore, the
CBC mode is not recommended for SSH2.0.
● Data
Some data (such as MAC or IP addresses of terminals) may be obtained or
used during operation or fault location of your purchased products, services,
features, so you have an obligation to make privacy policies and take
measures according to the applicable law of the country to protect data.
● The terms mirrored port, port mirroring, traffic mirroring, and mirroring in this
manual are mentioned only to describe the product's function of
communication error or failure detection, and do not involve collection or
processing of any personal information or communication data of users.
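
The salted, iterated password hashing described under "Encryption algorithm" above, shown as an added Python example. It is not taken from the Huawei guide and does not show how the switch stores passwords; the record format, iteration count, salt length, and function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed values for this example; the guide names PBKDF2 and SHA2
# but does not state an iteration count, salt length, or storage format.
SCHEME = "pbkdf2-sha256"
ITERATIONS = 210_000
MAX_ITERATIONS = 10_000_000   # refuse records that would stall the verifier
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a record 'scheme$iterations$salt$hash' (constructed format)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # a fresh random salt for every password
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt, iterations)
    return "$".join([SCHEME, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(derived).decode("ascii")])


def _parse(record: str) -> Tuple[int, bytes, bytes]:
    """Split a record into (iterations, salt, hash); ValueError if malformed."""
    scheme, iterations_text, salt_b64, hash_b64 = record.split("$")
    if scheme != SCHEME:
        raise ValueError("unsupported scheme")
    iterations = int(iterations_text)
    if not 1 <= iterations <= MAX_ITERATIONS:
        raise ValueError("iteration count out of range")
    salt = base64.b64decode(salt_b64, validate=True)
    expected = base64.b64decode(hash_b64, validate=True)
    return iterations, salt, expected


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and count, then compare in constant time."""
    try:
        iterations, salt, expected = _parse(record)
    except ValueError:
        return False  # malformed or unsupported record never authenticates
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, minimum: int = ITERATIONS) -> bool:
    """True when a record was created with fewer iterations than the policy."""
    try:
        iterations, _, _ = _parse(record)
    except ValueError:
        return True
    return iterations < minimum


if __name__ == "__main__":
    # Constructed sample password, used only for this demonstration.
    first = hash_password("Example-Passw0rd")
    second = hash_password("Example-Passw0rd")
    # Same password, different salts: the stored records differ, so one
    # precomputed table cannot be reused across accounts.
    print(first != second)
    print(verify_password("Example-Passw0rd", first))
    print(verify_password("wrong-password", first))
    # A record written under an older, lower iteration count still verifies
    # but is flagged so it can be re-derived at the next successful login.
    legacy = hash_password("Example-Passw0rd", iterations=1_000)
    print(verify_password("Example-Passw0rd", legacy), needs_rehash(legacy))
```

The iteration count sets the cost of each guess for someone holding the stored records, and the per-password salt forces that cost to be paid separately for every account.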

Reference Standards and Protocols


To obtain reference standards and protocols, log in to Huawei official website,
search for "protocol compliance list", and download the Huawei CloudEngine
Switches Protocol Compliance List.

Declaration
● This manual is only a reference for you to configure your devices. The
contents in the manual, such as command line syntax and command outputs,
are based on the device conditions in the lab. The manual provides
instructions for general scenarios, but does not cover all usage scenarios of
all product models. The contents in the manual may be different from your
actual device situations due to the differences in software versions, models,
and configuration files. The manual will not list every possible difference. You
should configure your devices according to actual situations.
● The specifications provided in this manual are tested in a lab environment (for
example, the tested device has been configured with a certain type of cards or
only one protocol is run on the device). Results may differ from the listed
specifications when you attempt to obtain the maximum values with multiple
functions enabled on the device.
● In this document, public IP addresses may be used in feature introduction and
configuration examples and are for reference only unless otherwise specified.

Mapping Between Product Software and Related Products
For details about the mapping between product software and related products,
see CloudEngine Switches Software Versions. Select the correct matching
version. Otherwise, functions may be unavailable.

Contents

About This Document

1 Ethernet Switching
1.1 Overview of Ethernet Switching
1.2 Basic Concepts of Ethernet
1.2.1 Ethernet Network Layers
1.2.2 Introduction to Ethernet Cable Standards
1.2.3 CSMA/CD
1.2.4 Minimum Frame Length and Maximum Transmission Distance
1.2.5 Duplex Modes of Ethernet
1.2.6 Auto-Negotiation of Ethernet
1.2.7 Collision Domain and Broadcast Domain
1.2.8 MAC Sub-layer
1.2.9 LLC Sub-layer
1.3 Switching on Ethernet
1.3.1 Layer 2 Switching
1.3.2 Layer 3 Switching
1.4 Application Scenarios for Ethernet Switching
1.4.1 Building a Data Center Network
1.5 Terms and Abbreviations

2 MAC Address Table Configuration
2.1 Overview of MAC Addresses
2.2 Understanding MAC Address Tables
2.2.1 Definition and Classification of MAC Address Entries
2.2.2 Elements and Functions of a MAC Address Table
2.2.3 MAC Address Entry Learning and Aging
2.2.4 MAC Address Learning Control
2.2.5 MAC Address Flapping
2.2.6 MAC Address-Triggered ARP Entry Update
2.3 Application Scenarios for MAC Address Tables
2.4 Summary of MAC Address Table Configuration Tasks
2.5 Licensing Requirements and Limitations for MAC Address Tables
2.6 Default Settings for MAC Address Tables

2.7 Configuring MAC Address Tables
2.7.1 Configuring a Static MAC Address Entry
2.7.2 Configuring a Blackhole MAC Address Entry
2.7.3 Setting the Aging Time of Dynamic MAC Address Entries
2.7.4 Disabling MAC Address Learning (CE Switches Excluding CE6870EI and CE6875EI)
2.7.5 Disabling MAC Address Learning (CE6870EI and CE6875EI)
2.7.6 Configuring the MAC Address Limiting Function
2.7.7 Configuring a MAC Hash Algorithm
2.8 Configuring MAC Address Anti-flapping
2.8.1 Configuring a MAC Address Learning Priority for an Interface
2.8.2 Preventing MAC Address Flapping Between Interfaces with the Same Priority
2.8.3 Verifying the Configuration of the MAC Address Anti-flapping
2.9 Configuring MAC Address Flapping Detection
2.10 Configuring the Switch to Discard Packets with an All-0 MAC Address
2.11 Configuring the Switch to Discard Packets That Do Not Match Any MAC Address Entry
2.12 Disabling the Device from Discarding Packets in Which the Destination MAC Address and the Configured Static MAC Address Conflict
2.13 Enabling MAC Address-triggered ARP Entry Update
2.14 Enabling Port Bridge
2.15 Maintaining MAC Address Tables
2.15.1 Displaying MAC Address Entries
2.15.2 Deleting MAC Address Entries
2.15.3 Clearing MAC Address Flapping Records
2.15.4 Enabling the Trap Function for MAC Address Change
2.16 Configuration Examples for MAC Address Tables
2.16.1 Example for Configuring the MAC Address Table
2.16.2 Example for Configuring MAC Address Learning in a VLAN
2.16.3 Example for Configuring MAC Address Anti-flapping
2.16.4 Example for Configuring MAC Address Flapping Detection
2.17 Troubleshooting MAC Address Tables
2.17.1 Correct MAC Address Entry Cannot Be Learned on the Device

3 Link Aggregation Configuration
3.1 Overview of Link Aggregation
3.2 Understanding Link Aggregation
3.2.1 Concepts
3.2.2 Forwarding Principle
3.2.3 Link Aggregation in Manual Load Balancing Mode
3.2.4 Link Aggregation in LACP Mode
3.2.5 Load Balancing Using Link Aggregation
3.2.6 Preferential Forwarding of Local Traffic on an Eth-Trunk in a Stack
3.2.7 Inter-Device Link Aggregation
3.3 Application Scenarios for Link Aggregation

3.3.1 Using Eth-Trunk to Connect Two Access Switches to a Core Switch
3.4 Summary of Link Aggregation Configuration Tasks
3.5 Licensing Requirements and Limitations for Ethernet Link Aggregation
3.6 Default Settings for Link Aggregation
3.7 Configuring Link Aggregation in Manual Load Balancing Mode
3.7.1 (Optional) Setting the Number of LAGs
3.7.2 Creating a LAG
3.7.3 Setting the Link Aggregation Mode to Manual Load Balancing
3.7.4 Adding Member Interfaces to an Eth-Trunk
3.7.5 (Optional) Setting the Lower Threshold for the Number of Active Interfaces
3.7.6 (Optional) Configuring the Weight of Load Balancing for a Member Interface
3.7.7 (Optional) Configuring a Load Balancing Mode (CE Switches Excluding the CE6870EI and CE6875EI)
3.7.8 (Optional) Configuring a Load Balancing Mode (CE6870EI and CE6875EI)
3.7.9 (Optional) Configuring an Eth-Trunk Load Balancing Mode for PPPoE Packets
3.7.10 (Optional) Binding an Eth-Trunk Member Interface to a VLAN
3.7.11 Verifying the Link Aggregation Configuration
3.8 Configuring Link Aggregation in LACP Mode
3.8.1 (Optional) Setting the Number of LAGs
3.8.2 Creating a LAG
3.8.3 Setting the Link Aggregation Mode to LACP
3.8.4 Adding Member Interfaces to an Eth-Trunk
3.8.5 (Optional) Setting the Upper and Lower Thresholds for the Number of Active Interfaces
3.8.6 (Optional) Configuring the Weight of Load Balancing for a Member Interface
3.8.7 (Optional) Configuring a Load Balancing Mode (CE Switches Excluding the CE6870EI and CE6875EI)
3.8.8 (Optional) Configuring a Load Balancing Mode (CE6870EI and CE6875EI)
3.8.9 (Optional) Configuring an Eth-Trunk Load Balancing Mode for PPPoE Packets
3.8.10 (Optional) Setting the LACP System Priority
3.8.11 (Optional) Setting the LACP Interface Priority
3.8.12 (Optional) Setting the LACP System ID and MAC Address in Layer 3 Mode
3.8.13 (Optional) Configuring LACP Preemption
3.8.14 (Optional) Setting the Timeout Interval for Receiving LACPDUs
3.8.15 (Optional) Binding a VLAN to an Eth-Trunk Member Interface
3.8.16 (Optional) Configuring an Eth-Trunk Member Interface in Force Up State
3.8.17 (Optional) Enabling State Flapping Suppression on an Eth-Trunk
3.8.18 Verifying the Link Aggregation Configuration
3.9 Configuring Preferential Forwarding of Local Traffic on an Eth-Trunk in a Stack
3.10 Creating an Eth-Trunk Layer 3 Sub-interface
3.11 Maintaining Link Aggregation
3.11.1 Enabling LACP Alarm Control
3.11.2 Configuring a Rule for Collecting Statistics on Packets Containing Specified 5-tuple Information

3.11.3 Clearing Statistics......................................................................................................................................................... 157


3.11.4 Monitoring the LAG Operating................................................................................................................................ 157
3.11.5 Using Ping to Monitor the Reachability of Layer 3 Eth-Trunk Member Interfaces............................... 158
3.12 Configuration Examples for Link Aggregation.......................................................................................................159
3.12.1 Example for Configuring Link Aggregation in Manual Load Balancing Mode (CE Switches Excluding
CE6870EI and CE6875EI)......................................................................................................................................................... 159
3.12.2 Example for Configuring Link Aggregation in LACP Mode............................................................................ 162
3.12.3 Example for Configuring an Eth-Trunk to Work in Dynamic LACP Mode................................................ 165
3.12.4 Example for Configuring an Inter-Chassis Eth-Trunk to Preferentially Forward Traffic Through Local
Member Interfaces.................................................................................................................................................................... 168
3.12.5 Example for Configuring Inter-device Link Aggregation in LACP Mode (Standalone Device)..........172
3.13 Troubleshooting Link Aggregation............................................................................................................................. 176
3.13.1 Traffic Is Unevenly Load Balanced Among Eth-Trunk Member Interfaces Because the Load Balancing Mode Is Incorrect.................................................................................................................................................. 176
3.13.2 The Physical Status of the Member Interface Is Up But the Link Protocol Status Is Down Because Link Aggregation Is Not Configured on the Remote End............................................................................................ 177

4 M-LAG Configuration......................................................................................................... 178


4.1 Overview of M-LAG........................................................................................................................................................... 178
4.2 Understanding M-LAG...................................................................................................................................................... 179
4.2.1 Basic Concepts..................................................................................................................................................................179
4.2.2 Information Exchange Principles............................................................................................................................... 182
4.2.3 M-LAG Loop Prevention Mechanism....................................................................................................................... 185
4.2.4 M-LAG Consistency Check........................................................................................................................................... 187
4.2.5 Traffic Forwarding When an M-LAG Works Properly.........................................................................................191
4.2.6 Traffic Forwarding in M-LAG Failure Scenarios....................................................................................................198
4.3 Application Scenarios for M-LAG.................................................................................................................................. 206
4.4 Summary of M-LAG Configuration Tasks.................................................................................................................. 209
4.5 Licensing Requirements and Limitations for M-LAG............................................................................................. 210
4.6 Configuring M-LAG Through the Root Bridge..........................................................................................................223
4.6.1 Configuring the Root Bridge and Bridge ID........................................................................................................... 224
4.6.2 Configuring a DFS Group............................................................................................................................................. 224
4.6.3 Configuring M-LAG Consistency Check................................................................................................................... 228
4.6.4 Configuring an Interface as a Peer-link Interface................................................................................................ 234
4.6.5 Configuring an M-LAG Member Interface............................................................................................................. 235
4.6.6 (Optional) Configuring the Dual-Active Gateway............................................................................................... 238
4.6.7 (Optional) Configuring the Interface Status When the Peer-Link Fails....................................................... 240
4.6.8 (Optional) Enabling Enhanced M-LAG Layer 3 Forwarding in an IPv6 Scenario..................................... 241
4.6.9 Verifying the Configuration of M-LAG Configured Through the Root Bridge........................................... 242
4.7 Configuring M-LAG Through V-STP (Recommended)...........................................................................................243
4.7.1 Configuring V-STP........................................................................................................................................................... 243
4.7.2 Configuring a DFS Group............................................................................................................................................. 244
4.7.3 (Optional) Configuring STP Multi-Process............................................................................................................. 247
4.7.4 Configuring M-LAG Consistency Check................................................................................................................... 248

4.7.5 Configuring an Interface as a Peer-link Interface................................................................................................ 254


4.7.6 Configuring an M-LAG Member Interface............................................................................................................. 255
4.7.7 (Optional) Configuring the Dual-Active Gateway...............................................................................................258
4.7.8 (Optional) Configuring the Interface Status When the Peer-Link Fails....................................................... 260
4.7.9 (Optional) Enabling Enhanced M-LAG Layer 3 Forwarding in an IPv6 Scenario..................................... 262
4.7.10 Verifying the Configuration of M-LAG Configured Through V-STP............................................................ 263
4.8 Maintaining M-LAG........................................................................................................................................................... 264
4.8.1 Monitoring the M-LAG Operating Status............................................................................................................... 264
4.8.2 Clearing M-LAG Historical Fault Event Information........................................................................................... 264
4.9 Configuration Examples for M-LAG............................................................................................................................. 264
4.9.1 Example for Deploying M-LAG to Connect the Device to an Ethernet Network in Dual-Homing Mode Through the Root Bridge............................................................................................................................................ 264
4.9.2 Example for Dual-Homing a Switch to an IP Network Through V-STP....................................................... 272
4.10 M-LAG Technical Topics................................................................................................................................................. 279

5 VLAN Configuration........................................................................................................... 280


5.1 Overview of VLANs............................................................................................................................................................ 280
5.2 Understanding VLANs....................................................................................................................................................... 282
5.2.1 Basic Concepts of VLANs.............................................................................................................................................. 282
5.2.2 Principle of VLAN Communication........................................................................................................................... 289
5.2.3 VLAN Aggregation.......................................................................................................................................................... 294
5.2.4 VLAN Damping................................................................................................................................................................ 302
5.2.5 MUX VLAN.........................................................................................................................................................................302
5.2.6 VLAN Management........................................................................................................................................................ 305
5.2.7 Transparent Transmission of Protocol Packets in a VLAN.................................................................................305
5.3 Application Scenarios for VLANs................................................................................................................................... 306
5.3.1 VLAN Assignment........................................................................................................................................................... 306
5.3.2 Inter-VLAN Communication........................................................................................................................................ 307
5.3.3 VLAN Aggregation.......................................................................................................................................................... 308
5.4 Summary of VLAN Configuration Tasks..................................................................................................................... 309
5.5 Licensing Requirements and Limitations for VLANs.............................................................................................. 310
5.6 Default Settings for VLANs............................................................................................................................................. 316
5.7 Assigning a LAN to VLANs.............................................................................................................................................. 317
5.7.1 Configuring Interface-based VLAN Assignment................................................................................................... 317
5.7.2 Dividing a LAN into VLANs Based on MAC Addresses.......................................................................................319
5.7.3 Dividing a LAN into VLANs Based on IP Subnets................................................................................................ 322
5.7.4 Protocol-based VLAN Assignment............................................................................................................................ 324
5.7.5 Verifying the Configuration of Assigning a LAN to VLANs.............................................................................. 326
5.8 Configuring Inter-VLAN Communication................................................................................................................... 326
5.8.1 Configuring VLANIF Interfaces for Inter-VLAN Communication.................................................................... 327
5.8.2 Configuring Layer 3 Sub-interfaces for Inter-VLAN Communication............................................................329
5.8.3 Verifying the Inter-VLAN Communication Configuration................................................................................. 330
5.9 Configuring VLAN Aggregation to Save IP Addresses........................................................................................... 330

5.9.1 Creating a Sub-VLAN..................................................................................................................................................... 330


5.9.2 Creating a Super-VLAN................................................................................................................................................. 332
5.9.3 Assigning an IP Address to the VLANIF Interface of a Super-VLAN..............................................................333
5.9.4 (Optional) Enabling Proxy ARP on the VLANIF Interface of a Super-VLAN............................................... 333
5.9.5 (Optional) Configuring an IP Address Pool for a Sub-VLAN........................................................................... 334
5.9.6 Verifying the VLAN Aggregation Configuration................................................................................................... 335
5.10 Configuring MUX VLAN................................................................................................................................................. 335
5.10.1 Configuring a Principal VLAN for a MUX VLAN................................................................................................ 335
5.10.2 Configuring a Group VLAN for a Subordinate VLAN....................................................................................... 336
5.10.3 Configuring a Separate VLAN for a Subordinate VLAN.................................................................................. 337
5.10.4 Enabling the MUX VLAN Function on a Port...................................................................................................... 337
5.10.5 Verifying the MUX VLAN Configuration............................................................................................................... 338
5.11 Configuring an mVLAN to Implement Integrated Management.................................................................... 338
5.12 Configuring Transparent Transmission of Protocol Packets in a VLAN to Improve Forwarding Efficiency....................................................................................................................................................................................... 340
5.13 Configuring an Interface to Discard Incoming Tagged Packets.......................................................................341
5.14 Configuring a Hash Mode of the VLAN-XLATE Table......................................................................................... 342
5.15 Maintaining VLANs..........................................................................................................................................................342
5.15.1 Collecting Traffic Statistics Collection in a VLAN.............................................................................................. 342
5.15.2 Clearing Statistics of VLAN Packets....................................................................................................................... 344
5.15.3 Enabling GMAC Ping to Detect Layer 2 Network Connectivity....................................................................344
5.15.4 Enabling GMAC Trace to Locate Faults................................................................................................................. 345
5.16 Configuration Examples for VLANs........................................................................................................................... 345
5.16.1 Example for Assigning VLANs Based on Ports................................................................................................... 345
5.16.2 Example for Assigning VLANs Based on MAC Addresses............................................................................... 347
5.16.3 Example for Assigning VLANs Based on IP Subnets......................................................................................... 349
5.16.4 Example for Implementing Inter-VLAN Communication Using VLANIF Interfaces...............................353
5.16.5 Example for Configuring VLAN Aggregation...................................................................................................... 355
5.16.6 Example for Configuring the MUX VLAN on the Access Layer Device...................................................... 358
5.16.7 Example for Configuring the MUX VLAN on the Aggregation Device.......................................................361
5.16.8 Example for Configuring Transparent Transmission of Protocol Packets in a VLAN.............................365
5.17 Troubleshooting VLANs..................................................................................................................................................368
5.17.1 User Terminals in the Same VLAN Cannot Ping Each Other.........................................................................368
5.17.2 A VLANIF Interface Goes Down...............................................................................................................................370

6 QinQ Configuration............................................................................................................ 371


6.1 Overview of QinQ.............................................................................................................................................................. 371
6.2 Understanding QinQ......................................................................................................................................................... 372
6.2.1 QinQ Fundamentals....................................................................................................................................................... 372
6.2.2 Basic QinQ......................................................................................................................................................................... 374
6.2.3 Selective QinQ.................................................................................................................................................................. 374
6.2.4 TPID..................................................................................................................................................................................... 375
6.3 Application Scenarios for QinQ..................................................................................................................................... 375

6.3.1 Application of Basic QinQ............................................................................................................................................ 375


6.3.2 Application of VLAN ID-based Selective QinQ..................................................................................................... 376
6.3.3 Application of MQC-based Selective QinQ............................................................................................................ 378
6.4 Licensing Requirements and Limitations for QinQ................................................................................................. 378
6.5 Configuring QinQ............................................................................................................................................................... 380
6.5.1 Configuring Basic QinQ................................................................................................................................................ 380
6.5.2 Configuring Selective QinQ......................................................................................................................................... 381
6.5.2.1 Configuring VLAN ID-based Selective QinQ...................................................................................................... 381
6.5.2.2 Configuring MQC-based Selective QinQ............................................................................................................. 383
6.5.3 Configuring the TPID Value in an Outer VLAN Tag............................................................................................387
6.6 Configuration Examples for QinQ................................................................................................................................ 388
6.6.1 Example for Configuring Basic QinQ....................................................................................................................... 388
6.6.2 Example for Configuring VLAN ID-based Selective QinQ.................................................................................390
6.6.3 Example for Configuring MQC-based Selective QinQ........................................................................................393

7 VLAN Mapping Configuration..........................................................................................398


7.1 Overview of VLAN Mapping........................................................................................................................................... 398
7.2 Understanding VLAN Mapping......................................................................................................................................399
7.3 Application Scenarios for VLAN Mapping..................................................................................................................401
7.4 Licensing Requirements and Limitations for VLAN Mapping............................................................................. 403
7.5 Configuring VLAN Mapping............................................................................................................................................406
7.5.1 Configuring VLAN-based VLAN Mapping...............................................................................................................406
7.5.2 Configuring MQC-based VLAN Mapping................................................................................................................407
7.6 Configuration Examples for VLAN Mapping............................................................................................................. 411
7.6.1 Example for Configuring VLAN-based 1 to 1 VLAN Mapping.........................................................................412
7.6.2 Example for Configuring VLAN-based 2 to 1 VLAN Mapping.........................................................................414
7.6.3 Example for Configuring VLAN-based 2 to 2 VLAN Mapping.........................................................................419
7.6.4 Example for Configuring MQC-based VLAN Mapping.......................................................................................424

8 GVRP Configuration............................................................................................................429
8.1 Overview of GVRP.............................................................................................................................................................. 429
8.2 Understanding GVRP......................................................................................................................................................... 430
8.2.1 Basic Concepts..................................................................................................................................................................430
8.2.2 Packet Format.................................................................................................................................................................. 434
8.2.3 Working Mechanism...................................................................................................................................................... 435
8.3 Application Scenarios for GVRP..................................................................................................................................... 437
8.4 Licensing Requirements and Limitations for GVRP................................................................................................ 438
8.5 Default Settings for GVRP............................................................................................................................................... 441
8.6 Configuring GVRP............................................................................................................................................................... 441
8.6.1 Enabling GVRP................................................................................................................................................................. 441
8.6.2 (Optional) Setting GARP Timers................................................................................................................................442
8.6.3 Verifying the GVRP Configuration............................................................................................................................. 444
8.7 Maintaining GVRP.............................................................................................................................................................. 444
8.7.1 Clearing GVRP Statistics............................................................................................................................................... 445

8.8 Configuration Examples for GVRP................................................................................................................................ 445


8.8.1 Example for Configuring GVRP.................................................................................................................................. 445

9 STP/RSTP Configuration.................................................................................................... 449


9.1 Overview of STP/RSTP...................................................................................................................................................... 449
9.2 Understanding STP/RSTP................................................................................................................................................. 451
9.2.1 STP Background............................................................................................................................................................... 451
9.2.2 Basic Concepts of STP....................................................................................................................................................452
9.2.3 STP BPDU Format........................................................................................................................................................... 459
9.2.4 STP Topology Calculation............................................................................................................................................. 461
9.2.5 Advantages of RSTP....................................................................................................................................................... 468
9.2.6 Technical Details of RSTP............................................................................................................................................. 475
9.3 Application Scenarios for STP/RSTP............................................................................................................................. 477
9.4 Summary of STP/RSTP Configuration Tasks............................................................................................................. 478
9.5 Licensing Requirements and Limitations for STP/RSTP.........................................................................................479
9.6 Default Settings for STP/RSTP....................................................................................................................................... 482
9.7 Configuring STP/RSTP....................................................................................................................................................... 482
9.7.1 Configuring the STP/RSTP Mode............................................................................................................................... 482
9.7.2 (Optional) Configuring the Root Bridge and Secondary Root Bridge.......................................................... 483
9.7.3 (Optional) Configuring a Priority for a Device..................................................................................................... 484
9.7.4 (Optional) Configuring a Path Cost for a Port..................................................................................................... 485
9.7.5 (Optional) Configuring a Priority for a Port.......................................................................................................... 486
9.7.6 Enabling STP/RSTP......................................................................................................................................................... 487
9.7.7 Verifying the STP/RSTP Configuration..................................................................................................................... 488
9.8 Configuring STP Parameters That Affect the STP Convergence Speed........................................................... 488
9.8.1 Configuring the STP Network Diameter................................................................................................................. 488
9.8.2 Configuring the STP Timeout Interval..................................................................................................................... 489
9.8.3 Configuring STP Timers................................................................................................................................................ 489
9.8.4 Configuring the Maximum Number of Connections in an Eth-Trunk that Affects Spanning Tree Calculation................................................................................................................................................................................... 491
9.8.5 Verifying the STP/RSTP Configuration..................................................................................................................... 492
9.9 Setting RSTP Parameters That Affect RSTP Convergence.................................................................................... 492
9.9.1 Setting the RSTP Network Diameter........................................................................................................................492
9.9.2 Setting the RSTP Timeout Interval............................................................................................................................ 493
9.9.3 Setting RSTP Timers....................................................................................................................................................... 494
9.9.4 Configuring the Maximum Number of Connections in an Eth-Trunk that Affects Spanning Tree Calculation................................................................................................................................................................................... 495
9.9.5 Configuring the Link Type for a Port........................................................................................................................497
9.9.6 Configuring the Maximum Transmission Rate of an Interface....................................................................... 497
9.9.7 Switching to the RSTP Mode.......................................................................................................................................498
9.9.8 Configuring Edge Ports and BPDU Filter Ports..................................................................................................... 499
9.9.9 Verifying the STP/RSTP Configuration..................................................................................................................... 500
9.10 Configuring RSTP Protection Functions....................................................................................................................500
9.10.1 Configuring BPDU Protection on a Device...........................................................................................................500

9.10.2 Configuring TC Protection on a Device................................................................................................................. 501


9.10.3 Configuring Root Protection on a Port................................................................................................................. 502
9.10.4 Configuring Loop Prevention on a Port................................................................................................................ 503
9.10.5 Verifying the STP/RSTP Configuration.................................................................................................................. 504
9.11 Configuring Interoperability Between Huawei and Non-Huawei Devices................................................... 504
9.12 Maintaining STP/RSTP.................................................................................................................................................... 505
9.12.1 Clearing STP/RSTP Statistics..................................................................................................................................... 505
9.12.2 Monitoring STP/RSTP Topology Change Statistics............................................................................................ 506
9.13 Configuration Examples for STP/RSTP......................................................................................................................506
9.13.1 Example for Configuring STP....................................................................................................................................506
9.13.2 Example for Configuring RSTP................................................................................................................................. 510

10 MSTP Configuration......................................................................................................... 515


10.1 Overview of MSTP........................................................................................................................................................... 515
10.2 Understanding MSTP...................................................................................................................................................... 516
10.2.1 MSTP Background........................................................................................................................................................ 517
10.2.2 Basic Concepts of MSTP............................................................................................................................................. 518
10.2.3 MST BPDUs..................................................................................................................................................................... 526
10.2.4 MSTP Topology Calculation...................................................................................................................................... 530
10.2.5 MSTP Fast Convergence............................................................................................................................................. 532
10.2.6 MSTP Multi-Process..................................................................................................................................................... 533
10.3 Application Scenarios for MSTP.................................................................................................................................. 542
10.4 Summary of MSTP Configuration Tasks...................................................................................................................543
10.5 Licensing Requirements and Limitations for MSTP..............................................................................................545
10.6 Default Settings for MSTP............................................................................................................................................ 547
10.7 Configuring Basic MSTP Functions............................................................................................................................ 548
10.7.1 Configuring the MSTP Mode.................................................................................................................................... 548
10.7.2 Configuring an MST Region...................................................................................................................................... 549
10.7.3 (Optional) Configuring the Root Bridge and Secondary Root Bridge........................................................551
10.7.4 (Optional) Configuring a Priority for a Switching Device in an MSTI........................................................552
10.7.5 (Optional) Configuring a Path Cost of a Port in an MSTI..............................................................................553
10.7.6 (Optional) Configuring a Port Priority in an MSTI........................................................................................... 554
10.7.7 Enabling MSTP...............................................................................................................................................................554
10.7.8 Verifying the Basic MSTP Configuration...............................................................................................................555
10.8 Configuring MSTP Multi-Process................................................................................................................................ 555
10.8.1 Creating an MSTP Process......................................................................................................................................... 556
10.8.2 Adding an Interface to an MSTP Process............................................................................................................. 556
10.8.3 (Optional) Configuring the Root Bridge and Secondary Root Bridge........................................................558
10.8.4 (Optional) Configuring a Priority for a Switching Device in an MSTI........................................................559
10.8.5 (Optional) Configuring a Path Cost of a Port in an MSTI..............................................................................560
10.8.6 (Optional) Configuring a Port Priority in an MSTI........................................................................................... 561
10.8.7 Configuring TC Notification in MSTP Multi-process.........................................................................................562
10.8.8 Enabling MSTP...............................................................................................................................................................562

10.8.9 Verifying the MSTP Multi-Process Configuration.............................................................................................. 563


10.9 Configuring MSTP Parameters on an Interface..................................................................................................... 563
10.9.1 Setting the MSTP Network Diameter.................................................................................................................... 563
10.9.2 Setting the MSTP Timeout Interval........................................................................................................................ 564
10.9.3 Setting the Values of MSTP Timers........................................................................................................................ 565
10.9.4 Configuring the Maximum Number of Connections in an Eth-Trunk that Affects Spanning Tree Calculation.......... 566
10.9.5 Setting the Link Type of a Port................................................................................................................................ 568
10.9.6 Setting the Maximum Transmission Rate of an Interface.............................................................................. 568
10.9.7 Changing to the MSTP Mode................................................................................................................................... 569
10.9.8 Configuring a Port as an Edge Port and BPDU Filter Port............................................................................. 570
10.9.9 Setting the Maximum Number of Hops in an MST Region...........................................................................571
10.9.10 Verifying the Configuration of MSTP Parameters on an Interface........................................................... 572
10.10 Configuring MSTP Protection Functions................................................................................................................ 572
10.10.1 Configuring BPDU Protection on a Switching Device....................................................................................572
10.10.2 Configuring TC Protection on a Switching Device.......................................................................................... 574
10.10.3 Configuring Root Protection on an Interface................................................................................................... 575
10.10.4 Configuring Loop Protection on an Interface................................................................................................... 576
10.10.5 Configuring Share-Link Protection on a Switching Device.......................................................................... 577
10.10.6 Verifying the Configuration of MSTP Protection Functions........................................................................ 577
10.11 Configuring MSTP Interoperation Between Huawei Devices and Non-Huawei Devices......................578
10.11.1 Configuring a Proposal/Agreement Mechanism............................................................................................. 578
10.11.2 Configuring the MSTP Protocol Packet Format on an Interface............................................................... 579
10.11.3 Enabling the Digest Snooping Function............................................................................................................. 579
10.11.4 Verifying the Configuration of MSTP Interoperation Between Huawei Devices and Non-Huawei Devices.......... 580
10.12 Maintaining MSTP......................................................................................................................................................... 580
10.12.1 Clearing MSTP Statistics.......................................................................................................................................... 580
10.12.2 Monitoring the Statistics About MSTP Topology Changes.......................................................................... 581
10.13 Configuration Examples for MSTP........................................................................................................................... 581
10.13.1 Example for Configuring MSTP............................................................................................................................. 581

11 VBST Configuration.......................................................................................................... 590


11.1 Overview of VBST............................................................................................................................................................ 590
11.2 Understanding VBST....................................................................................................................................................... 593
11.3 Application Scenarios for VBST................................................................................................................................... 598
11.4 Summary of VBST Configuration Tasks....................................................................................................................600
11.5 Licensing Requirements and Limitations for VBST............................................................................................... 601
11.6 Default Settings for VBST..............................................................................................................................................605
11.7 Configuring Basic VBST Functions..............................................................................................................................606
11.7.1 (Optional) Configuring the Root Bridge and Secondary Root Bridge........................................................606
11.7.2 (Optional) Setting the Device Priority...................................................................................................................607
11.7.3 (Optional) Setting the Path Cost for a Port........................................................................................................ 608
11.7.4 (Optional) Configuring Port Priorities................................................................................................................... 609

11.7.5 (Optional) Manually Configuring the Mapping Between MSTIs and VLANs.......................................... 610
11.7.6 Enabling VBST................................................................................................................................................................ 612
11.7.7 Verifying the Configuration of Basic VBST Functions...................................................................................... 614
11.8 Setting VBST Parameters That Affect VBST Convergence................................................................................. 614
11.8.1 Setting the Network Diameter................................................................................................................................ 614
11.8.2 Setting Values of VBST Timers.................................................................................................................................615
11.8.3 Setting the VBST Timeout Interval......................................................................................................................... 616
11.8.4 Setting the Link Type of a Port................................................................................................................................ 617
11.8.5 Setting the Maximum Transmission Rate of a Port.......................................................................................... 618
11.8.6 Configuring a Port as an Edge Port and BPDU Filter Port............................................................................. 619
11.8.7 Setting the Maximum Number of Hops of VBST.............................................................................................. 620
11.8.8 Verifying the Configuration of VBST Parameters That Affect VBST Convergence.................................621
11.9 Configuring Protection Functions of VBST.............................................................................................................. 621
11.9.1 Configuring BPDU Protection on a Switching Device...................................................................................... 621
11.9.2 Configuring TC Protection on a Switching Device.............................................................................................622
11.9.3 Configuring Root Protection on a Port................................................................................................................. 623
11.9.4 Configuring Loop Protection on a Port................................................................................................................. 624
11.9.5 Verifying the Configuration of VBST Protection Functions............................................................................ 625
11.10 Setting Parameters for Interworking Between a Huawei Datacom Device and a Non-Huawei Device.......... 625
11.11 Maintaining VBST.......................................................................................................................................................... 627
11.11.1 Displaying VBST Running Information and Statistics.................................................................................... 627
11.11.2 Clearing VBST Statistics........................................................................................................................................... 627
11.12 Configuration Examples for VBST............................................................................................................................ 628
11.12.1 Example for Configuring VBST.............................................................................................................................. 628

12 ERPS (G.8032) Configuration......................................................................................... 638


12.1 Overview of ERPS............................................................................................................................................................. 638
12.2 Understanding ERPS....................................................................................................................................................... 640
12.2.1 Basic ERPS Concepts.................................................................................................................................................... 640
12.2.2 RAPS PDUs...................................................................................................................................................................... 646
12.2.3 ERPS Single-ring Principles........................................................................................................................................ 649
12.2.4 ERPS Multi-ring Principles......................................................................................................................................... 654
12.2.5 ERPS Multi-instance..................................................................................................................................................... 659
12.3 Application Scenarios for ERPS................................................................................................................................... 661
12.4 Summary of ERPS Configuration Tasks.................................................................................................................... 662
12.5 Licensing Requirements and Limitations for ERPS............................................................................................... 662
12.6 Default Settings for ERPS.............................................................................................................................................. 664
12.7 Configuring ERPS............................................................................................................................................................. 665
12.7.1 Configuring ERPSv1..................................................................................................................................................... 665
12.7.1.1 Creating an ERPS Ring.............................................................................................................................................665
12.7.1.2 Configuring the Control VLAN..............................................................................................................................665
12.7.1.3 Configuring an ERP Instance and Activating the Mapping Between the ERP Instance and VLAN.......... 666

12.7.1.4 Adding a Layer 2 Port to an ERPS Ring and Configuring the Port Role................................................ 668
12.7.1.5 (Optional) Configuring Timers in an ERPS Ring............................................................................................ 670
12.7.1.6 (Optional) Configuring the MEL Value............................................................................................................. 670
12.7.1.7 Verifying the ERPS Configuration........................................................................................................................ 671
12.7.2 Configuring ERPSv2..................................................................................................................................................... 671
12.7.2.1 Creating an ERPS Ring.............................................................................................................................................671
12.7.2.2 Configuring the Control VLAN..............................................................................................................................673
12.7.2.3 Configuring an ERP Instance and Activating the Mapping Between the ERP Instance and VLAN.......... 673
12.7.2.4 Adding a Layer 2 Port to an ERPS Ring and Configuring the Port Role................................................ 675
12.7.2.5 Configuring the Topology Change Notification Function........................................................................... 677
12.7.2.6 (Optional) Configuring ERPS Protection Switching.......................................................................................678
12.7.2.7 (Optional) Configuring Timers in an ERPS Ring............................................................................................ 679
12.7.2.8 Verifying the ERPS Configuration........................................................................................................................ 680
12.8 Maintaining ERPS............................................................................................................................................................. 680
12.8.1 Clearing ERPS Statistics.............................................................................................................................................. 680
12.9 Configuration Examples for ERPS...............................................................................................................................680
12.9.1 Example for Configuring ERPS Multi-instance................................................................................................... 680
12.9.2 Example for Configuring an ERPS Multi-ring Network................................................................................... 690
12.10 Troubleshooting ERPS.................................................................................................................................................. 700
12.10.1 Traffic Forwarding Fails in an ERPS Ring........................................................................................................... 700

13 Loopback Detection Configuration.............................................................................. 701


13.1 Overview of Loopback Detection............................................................................................................................... 701
13.2 Application Scenarios for Loopback Detection...................................................................................................... 701
13.3 Licensing Requirements and Limitations for Loopback Detection..................................................................703
13.4 Default Settings for Loopback Detection................................................................................................................ 705
13.5 Configuring Loopback Detection................................................................................................................................ 705
13.5.1 Enabling LBDT............................................................................................................................................................... 705
13.5.2 (Optional) Configuring an Action to Perform After a Loopback Is Detected..........................................706
13.5.3 (Optional) Setting the Interval Between Sending Loopback Detection Packets on an Interface.... 708
13.5.4 Verifying the Loopback Detection Configuration.............................................................................................. 709
13.6 Configuration Examples for Loopback Detection................................................................................................. 709
13.6.1 Example for Configuring Loopback Detection....................................................................................................709

14 Layer 2 Protocol Tunneling Configuration..................................................................712


14.1 Overview of Layer 2 Protocol Tunneling..................................................................................................................712
14.2 Understanding Layer 2 Protocol Tunneling............................................................................................................ 714
14.3 Application Scenarios for Layer 2 Protocol Tunneling........................................................................................ 718
14.4 Summary of Layer 2 Protocol Tunneling Configuration Tasks......................................................................... 719
14.5 Licensing Requirements and Limitations for Layer 2 Protocol Tunneling.................................................... 720
14.6 Configuring Interface-based Layer 2 Protocol Tunneling.................................................................................. 722
14.6.1 (Optional) Defining Characteristic Information About a Layer 2 Protocol.............................................. 723
14.6.2 Configuring the Multicast MAC Address for Layer 2 Protocol Tunneling................................................. 724

14.6.3 Enabling Layer 2 Protocol Tunneling on an Interface......................................................................................724


14.6.4 Verifying the Configuration of Interface-based Layer 2 Protocol Tunneling........................................... 726
14.7 Configuring VLAN-based Layer 2 Protocol Tunneling.........................................................................................726
14.7.1 (Optional) Defining Characteristic Information About a Layer 2 Protocol.............................................. 726
14.7.2 Configuring the Multicast MAC Address for Layer 2 Protocol Tunneling................................................. 727
14.7.3 Enabling VLAN-based Layer 2 Protocol Tunneling on an Interface............................................................ 728
14.7.4 Verifying the Layer 2 Protocol Tunneling Configuration................................................................................ 729
14.8 Configuring Basic QinQ-based Layer 2 Protocol Tunneling.............................................................................. 729
14.8.1 (Optional) Defining Characteristic Information About a Layer 2 Protocol.............................................. 730
14.8.2 Configuring the Multicast MAC Address for Layer 2 Protocol Tunneling................................................. 730
14.8.3 Enabling Basic QinQ-based Layer 2 Transparent Transmission on an Interface.................................... 731
14.8.4 Verifying the Layer 2 Protocol Tunneling Configuration................................................................................ 732
14.9 Configuring the Device to Transparently Transmit BPDUs................................................................................ 733
14.10 Maintaining Layer 2 Protocol Tunneling............................................................................................................... 734
14.10.1 Displaying Statistics About Layer 2 Protocol Packets That Are Transparently Transmitted on an Interface.......... 734
14.10.2 Clearing Statistics About Layer 2 Protocol Packets That Are Transparently Transmitted on an Interface.......... 734
14.11 Configuration Examples for Layer 2 Protocol Tunneling................................................................................. 735
14.11.1 Example for Configuring Interface-based Layer 2 Protocol Tunneling....................................................735
14.11.2 Example for Configuring VLAN-based Layer 2 Protocol Tunneling.......................................................... 738
14.11.3 Example for Configuring Basic QinQ-based Layer 2 Protocol Tunneling............................................... 743

1 Ethernet Switching

This chapter describes how to configure Ethernet switching.

1.1 Overview of Ethernet Switching


1.2 Basic Concepts of Ethernet
1.3 Switching on Ethernet
1.4 Application Scenarios for Ethernet Switching
1.5 Terms and Abbreviations

1.1 Overview of Ethernet Switching


Definition
The earliest Ethernet standard was the DEC-Intel-Xerox (DIX) standard jointly
developed by the Digital Equipment Corporation (DEC), Intel, and Xerox in 1982.
After years of development, Ethernet has become the most widely used local area
network (LAN) type, and many Ethernet standards have been put into use,
including standard Ethernet (10 Mbit/s), fast Ethernet (100 Mbit/s), gigabit
Ethernet (1000 Mbit/s), and 10G Ethernet (10 Gbit/s). IEEE 802.3 was defined
based on Ethernet and is compatible with Ethernet standards.
In the TCP/IP suite, the IP packet encapsulation format on an Ethernet network is
defined in RFC 894, and the IP packet encapsulation format on an IEEE 802.3
network is defined in RFC 1042. Currently, the format defined in RFC 894 is most
commonly used. This format is called Ethernet_II or Ethernet DIX.

NOTE

To distinguish Ethernet frames of the two types, Ethernet frames defined in RFC 894 are
called Ethernet_II frames and Ethernet frames defined in RFC 1042 are called IEEE 802.3
frames in this document.

History
In 1972, when Robert Metcalfe (father of Ethernet) was hired by Xerox, his first
job was to connect computers in Xerox's Palo Alto Research Center (PARC) to the
Advanced Research Projects Agency Network (ARPANET), progenitor of the
Internet. Also in 1972, Metcalfe designed a network to connect computers
in the PARC. That network was based on the Aloha system (a radio network
system) and connected many computers in the PARC, so Metcalfe originally
named the network Alto Aloha network. The Alto Aloha network started
operating in May 1973, and Metcalfe then gave it the official name Ethernet. This
network is the prototype of Ethernet. The network operated at a rate of 2.94 Mbit/s and
used thick coaxial cable as the transmission medium. In June 1976, Metcalfe and his
assistant David Boggs published the paper Ethernet Distributed Packet Switching for
Local Computer Networks. At the end of 1977, Metcalfe and his three co-workers
were granted a patent on "Multipoint data communication system with collision
detection." Since then, Ethernet has been known to the public.

As Ethernet technology develops rapidly, Ethernet has become the most widely
used LAN technology and replaced most of other LAN standards, such as token
ring, fiber distributed data interface (FDDI), and attached resource computer
network (ARCNET). After rapid development of 100M Ethernet in the 20th
century, gigabit Ethernet and even 10G Ethernet are now expanding their
applications as promoted by international standardization organizations and
industry-leading enterprises.

Purpose
Ethernet is a universal communication protocol standard used for local area
networks (LANs). This standard defines the cable type and signal processing
method used for LANs.

Ethernet networks are broadcast networks established based on the Carrier Sense
Multiple Access with Collision Detection (CSMA/CD) mechanism. Collisions restrict
Ethernet performance. Early Ethernet devices such as hubs work at the physical
layer, and cannot confine collisions to a particular scope. This restricts network
performance improvement. Working at the data link layer, switches are able to
confine collisions to a particular scope. Switches help improve Ethernet
performance and have replaced hubs as mainstream Ethernet devices. However,
switches do not restrict broadcast traffic on the Ethernet. This affects Ethernet
performance. Dividing a LAN into virtual local area networks (VLANs) on switches
or using Layer 3 switches can solve this problem.

As a simple, cost-effective, and easy-to-implement LAN technology, Ethernet has
become the mainstream in the industry. Gigabit Ethernet and even 10G Ethernet
make Ethernet the most promising network technology.

1.2 Basic Concepts of Ethernet

1.2.1 Ethernet Network Layers

Ethernet uses passive medium and transmits data in broadcast mode. It defines
protocols used on the physical layer and data link layer, interfaces between the
two layers, and interfaces between the data link layer and upper layers.

Physical Layer
The physical layer determines basic physical attributes of Ethernet, including data
coding, time scale, and electrical frequency.
The physical layer is the lowest layer in the Open Systems Interconnection (OSI)
reference model and is closest to the physical medium (communication channel)
that transmits data. Data is transmitted on the physical layer in binary bits (0 or
1). Transmission of bits depends on transmission devices and physical media, but
the physical layer does not refer to a specific physical device or physical medium.
Actually, the physical layer is located above a physical medium and provides the
data link layer with physical connections to transmit original bit streams.

Data Link Layer


The data link layer is the second layer in the OSI reference model, located
between the physical layer and network layer. The data link layer obtains service
from the physical layer and provides service for the network layer. The basic
service that the data link layer provides is to reliably transmit data from the
network layer of a source device to the network layer of an adjacent destination
device.
The physical layer and data link layer depend on each other. Therefore, different
working modes of the physical layer must be supported by corresponding data
link layer modes. This hinders Ethernet design and application.
Some organizations and vendors propose to divide the data link layer into two
sub-layers: the Media Access Control (MAC) sub-layer and the Logical Link Control
(LLC) sub-layer. Then different physical layers correspond to different MAC sub-
layers, and the LLC sub-layer becomes totally independent, as shown in Figure
1-1.

Figure 1-1 Hierarchy of Ethernet data link layer

[Figure: layer stack, top to bottom: network layer; data link layer, consisting of the LLC layer above the MAC layer; physical layer]

The following sections describe concepts involved in the physical layer and data
link layer.

1.2.2 Introduction to Ethernet Cable Standards

Introduction to Ethernet Cable Standards


Currently, mature Ethernet physical layer standards are:
● 10BASE-2
● 10BASE-5
● 10BASE-T
● 10BASE-F
● 100BASE-T4
● 100BASE-TX
● 100BASE-FX
● 1000BASE-SX
● 1000BASE-LX
● 1000BASE-TX
● 10GBASE-T
● 10GBASE-LR
● 10GBASE-SR
In the preceding standards, 10, 100, 1000 and 10G stand for transmission rates,
and BASE represents baseband.
● 10M Ethernet cable standards
Table 1-1 lists the 10M Ethernet cable standards defined in IEEE 802.3.

Table 1-1 10M Ethernet cable standards


Name        Cable                  Maximum Transmission Distance
10BASE-5    Thick coaxial cable    500 m
10BASE-2    Thin coaxial cable     200 m
10BASE-T    Twisted pair cable     100 m
10BASE-F    Fiber                  2000 m

NOTE

Coaxial cables have a fatal defect: Devices are connected in series and therefore a
single-point failure can cause the breakdown of the entire network. As the physical
standards of coaxial cables, 10BASE-2 and 10BASE-5 have fallen into disuse.
● 100M Ethernet cable standards
100M Ethernet is also called Fast Ethernet (FE). Compared with 10M Ethernet,
100M Ethernet has a faster transmission rate at the physical layer, but they
have no difference at the data link layer.
Table 1-2 lists the 100M Ethernet cable standards.

Table 1-2 100M Ethernet cable standards


Name          Cable                                          Maximum Transmission Distance
100Base-T4    Four pairs of Category 3 twisted pair cables   100 m
100Base-TX    Two pairs of Category 5 twisted pair cables    100 m
100Base-FX    Single-mode fiber or multi-mode fiber          2000 m

Both 10Base-T and 100Base-TX apply to Category 5 twisted pair cables. They
have different transmission rates. The 10Base-T transmits data at 10 Mbit/s,
whereas the 100Base-TX transmits data at 100 Mbit/s.
The 100Base-T4 is rarely used now.
● Gigabit Ethernet cable standards
Gigabit Ethernet is developed on the basis of the Ethernet standard defined in
IEEE 802.3. Based on the Ethernet protocol, Gigabit Ethernet increases the
transmission rate to 10 times the FE transmission rate, reaching 1 Gbit/s.
Table 1-3 lists the Gigabit Ethernet cable standards.

Table 1-3 Gigabit Ethernet cable standards


Interface Name    Cables                                   Maximum Transmission Distance
1000Base-LX       Single-mode fiber or multi-mode fiber    316 m
1000Base-SX       Multi-mode fiber                         316 m
1000Base-TX       Category 5 twisted pair cable            100 m

Gigabit Ethernet technology can upgrade the existing Fast Ethernet from 100
Mbit/s to 1000 Mbit/s.
The physical layer of Gigabit Ethernet uses 8B10B coding. In traditional
Ethernet technology, the data link layer delivers 8-bit data sets to its physical
layer. After processing the data sets, the physical layer sends them to the data
link layer. The data sets are still 8 bits after processing.
The situation is different on the Gigabit Ethernet of optical fibers. The
physical layer maps the 8-bit data sets transmitted from the data link layer to
10-bit data sets and then sends them out.
● 10G Ethernet cable standards
10G Ethernet is currently defined in supplementary standard IEEE 802.3ae,
which will be combined with IEEE 802.3 later. Table 1-4 lists the 10G Ethernet
cable standards.

Table 1-4 10G Ethernet cable standards

Name          Cables                      Maximum Transmission Distance
10GBASE-T     CAT-6A or CAT-7             100 m
10GBase-LR    Single-mode optical fiber   10 km
10GBase-SR    Multi-mode optical fiber    Several hundred meters

● 100G Ethernet cable standards


The standard for 40G/100G Ethernet is defined in IEEE 802.3ba, which was
published in 2010. 100G Ethernet will be widely used as network technologies
develop.

1.2.3 CSMA/CD
● Definition of CSMA/CD
Ethernet was originally designed to connect computers and other digital
devices on a shared physical line. The computers and digital devices can
access the shared line only in half-duplex mode. Therefore, a mechanism of
collision detection and avoidance is required to prevent multiple devices from
contending for the line. This mechanism is called Carrier Sense Multiple
Access with Collision Detection (CSMA/CD).
The concept of CSMA/CD is described as follows:
– Carrier sense (CS)
Before transmitting data, a station checks whether the line is idle to
reduce chances of collision.
– Multiple access (MA)
Data sent by a station can be received by multiple stations.
– Collision detection (CD)
If two stations transmit electrical signals at the same time, the voltage
amplitude doubles the normal amplitude as signals of the two stations
accumulate. The situation results in collision.
The stations stop transmission after detecting the collision, and resume
the transmission after a random delay.
● CSMA/CD working process
CSMA/CD works as follows:
a. A station continuously detects whether the shared line is idle.

▪ If the line is idle, the station sends data.

▪ If the line is in use, the station waits until the line becomes idle.

b. If two stations send data at the same time, a collision occurs on the line,
and signals on the line become unstable.
c. After detecting the instability, the station immediately stops sending
data.
d. The station sends a series of disturbing pulses. After a period of time, the
station resumes the data transmission.
The station sends disturbing pulses to inform other stations, especially
the station that sends data at the same time, that a collision occurred on
the line.
After detecting a collision, the station waits for a random period of time,
and then resumes the data transmission.

1.2.4 Minimum Frame Length and Maximum Transmission Distance
Due to the limitation of the CSMA/CD algorithm, an Ethernet frame must be
longer than or equal to a specified length. On the Ethernet, the minimum frame
length is 64 bytes, which is determined jointly by the maximum transmission
distance and the collision detection mechanism.

The use of minimum frame length can prevent the following situation: station A
finishes sending the last bit, but the first bit does not arrive at station B, which is
far from station A. Station B considers that the line is idle and begins to send data,
leading to a collision.

Figure 1-2 Ethernet_II frame format

Field     DMAC       SMAC       Type       Data                CRC
Length    6 bytes    6 bytes    2 bytes    46 to 1500 bytes    4 bytes

The upper layer protocol must ensure that the Data field of a packet contains at
least 46 bytes, so that the total length of the Data field, the 14-byte Ethernet
frame header, and the 4-byte check code at the frame tail can reach the minimum
frame length, as shown in Figure 1-2. If the Data field is less than 46 bytes, the
upper layer must pad the field to 46 bytes.

1.2.5 Duplex Modes of Ethernet


The physical layer of Ethernet can work in either half-duplex or full-duplex mode.

● Half-duplex mode
The half-duplex mode has the following features:
– At any given time, data can be either sent or received, but not both.
– The CSMA/CD mechanism is used.
– The maximum transmission distance is limited.
Hubs work in half-duplex mode.

● Full-duplex mode
After Layer 2 switches replace hubs, the shared Ethernet changes to the
switched Ethernet, and the half-duplex mode is replaced by the full-duplex
mode. As a result, the transmission rate increases greatly, and the maximum
throughput doubles the transmission rate.
The full-duplex mode solves the problem of collisions and eliminates the need
for the CSMA/CD mechanism.
The full-duplex mode has the following features:
– Data can be sent and received at the same time.
– The maximum throughput doubles the transmission rate.
– This mode does not have the limitation on the transmission distance.
All network cards, Layer 2 devices (except hubs), and Layer 3 devices
produced support the full-duplex mode.
The following hardware components are required to realize the full-duplex
mode:
– Full-duplex network cards and chips
– Physical media with separate data transmission and receiving channels
– Point-to-point connection

1.2.6 Auto-Negotiation of Ethernet


● Purpose of auto-negotiation
The earlier Ethernet adopts the 10 Mbit/s half-duplex mode; therefore,
mechanisms such as CSMA/CD are required to guarantee system stability.
With development of technologies, the full-duplex mode and 100M Ethernet
emerge, which greatly improve the Ethernet performance. How to achieve the
compatibility between the earlier and new Ethernet networks becomes a new
problem.
The auto-negotiation technology is introduced to solve this problem. In auto-
negotiation, the devices on two ends of a link can choose the same operation
parameters by exchanging information. The main parameters to be
negotiated are mode (half-duplex or full-duplex), speed, and flow control.
After the negotiation succeeds, the devices on two ends operate in the
negotiated mode and rate.
The auto-negotiation of duplex mode and speed is defined in the following
standards:
– 100M Ethernet standard: IEEE 802.3u
In IEEE 802.3u, auto-negotiation is defined as an optional function.
– Gigabit Ethernet standard: IEEE 802.3z
In IEEE 802.3z, auto-negotiation is defined as a mandatory and default
function.
● Principle of auto-negotiation
Auto-negotiation is an Ethernet procedure by which two connected devices
choose common transmission parameters. It allows a network device to
transmit the supported operating mode to the peer and receive the operating
mode from the peer. In this process, the connected devices first share their
capabilities regarding these parameters and then choose the highest
performance transmission mode they both support.
When no data is transmitted over a twisted pair on an Ethernet network,
pulses of high frequency are transmitted at an interval of 16 ms to maintain
the connections at the link layer. These pulses form a Normal Link Pulse
(NLP) code stream. Some pulses of higher frequency can be inserted in the
NLP to transmit more information. These pulses form a Fast Link Pulse (FLP)
code stream, as shown in Figure 1-3. The basic mechanism of auto-
negotiation is to encapsulate the negotiation information into FLP.

Figure 1-3 Pulse insertion

[Figure: pulse train with the labels "16 ms" and "1 ms" and the annotation "16 small pulses are inserted into every pulse"]

Similar to an Ethernet network that uses twisted pair cables, an Ethernet
network that uses optical modules and optical fibers also implements auto-
negotiation by sending code streams. These code streams are called
Configuration (C) code streams. Different from electrical interfaces, optical
interfaces do not negotiate traffic transmission rates and they work in duplex
mode. Optical interfaces only negotiate flow control parameters.
If auto-negotiation succeeds, the Ethernet card activates the link. Then, data
can be transmitted on the link. If auto-negotiation fails, the link is
unavailable.
If one end does not support auto-negotiation, the other end that supports
auto-negotiation adopts the default operating mode, which is generally 10
Mbit/s half-duplex.
Auto-negotiation is implemented based on the chip design at the physical
layer. As defined in IEEE 802.3, auto-negotiation is implemented in any of the
following cases:
– A faulty link recovers.
– A device is power cycled.
– Either of two connected devices resets.
– A renegotiation request packet is received.
In other cases, two connected devices do not always send auto-negotiation
code streams. Auto-negotiation does not use special packets or bring
additional protocol costs.
● Auto-negotiation rules for interfaces
Two connected interfaces can communicate with each other only when they
are working in the same working mode.
– If both interfaces work in the same non-auto-negotiation mode, the
interfaces can communicate.

– If both interfaces work in auto-negotiation mode, the interfaces can
communicate through negotiation. The negotiated working mode
depends on the interface with lower capability (specifically, if one
interface works in full-duplex mode and the other interface works in half-
duplex mode, the negotiated working mode is half-duplex). The auto-
negotiation function also allows the interfaces to negotiate about the
flow control function.
– If a local interface works in auto-negotiation mode and the remote
interface works in a non-auto-negotiation mode, the negotiated working
mode of the local interface depends on the working mode of the remote
interface.

1.2.7 Collision Domain and Broadcast Domain


Collision Domain
On a legacy Ethernet network using thick coaxial cables as a transmission
medium, multiple nodes on a shared medium share the bandwidth on the link and
compete for the right to use the link. A network collision occurs when more than
one node attempts to send a packet on this link at the same time. The carrier
sense multiple access with collision detection (CSMA/CD) mechanism is used to
solve the problem of collisions. Once a collision occurs on a link, the CSMA/CD
mechanism prevents data transmission on this link within a specified time.
Collisions are inevitable on an Ethernet network, and the probability that collision
occurs increases when more nodes are deployed on a shared medium. All nodes
on a shared medium constitute a collision domain. All the nodes in a collision
domain compete for bandwidth. Packets sent from a node, including unicast,
multicast, and broadcast packets, can reach all the other nodes in the collision
domain.

Broadcast Domain
Packets are broadcast in a collision domain, which results in a low bandwidth
efficiency and degrades packet processing performance of network devices.
Therefore, broadcasting of packets must be restricted. For example, the ARP
protocol sends broadcast packets to obtain the MAC addresses that map to specified
IP addresses. The all 1s MAC address FFFF-FFFF-FFFF is the broadcast MAC address.
All nodes must process data frames with this MAC address as the destination MAC
address. A broadcast domain is a group of nodes, among which a broadcast packet
from one node can reach all the other nodes. A network bridge forwards unicast
packets according to its MAC address table and forwards broadcast packets to all
its ports. Therefore, nodes connected to all ports of a bridge belong to a broadcast
domain, but each port belongs to a different collision domain.

1.2.8 MAC Sub-layer


Functions of the MAC Sub-layer
The MAC sub-layer has the following functions:
● Provides access to physical links.
The MAC sub-layer is associated with the physical layer. That is, different MAC
sub-layers provide access to different physical layers.

Ethernet has two types of MAC sub-layers:


– Half-duplex MAC: provides access to the physical layer in half-duplex
mode.
– Full-duplex MAC: provides access to the physical layer in full-duplex
mode.
The two types of MAC sub-layers are integrated in a network interface card.
After the network interface card is initialized, auto-negotiation is performed
to choose an operation mode, and then a MAC sub-layer is chosen according
to the operation mode.
● Identifies stations at the data link layer.
The MAC sub-layer reserves a unique MAC address for each station.
The MAC sub-layer uses a MAC address to uniquely identify a station.
MAC addresses are managed by Institute of Electrical and Electronics
Engineers (IEEE) and allocated in blocks. An organization, generally a device
manufacturer, obtains a unique address block from IEEE. The address block is
called an Organizationally Unique Identifier (OUI). Using the OUI, the
organization can allocate MAC addresses to 16777216 devices.
A MAC address has 48 bits, which are generally expressed in 12-digit dotted
hexadecimal notation. For example, the 48-bit MAC address
000000001110000011111100001110011000000000110100 is represented by
00e0.fc39.8034.
The first 6 digits in dotted hexadecimal notation stand for the OUI, and the
last 6 digits are allocated by the vendor. For example, in 00e0.fc39.8034,
00e0.fc is the OUI allocated by IEEE to Huawei, and 39.8034 is the address
number allocated by Huawei.
The second bit of a MAC address indicates whether the address is globally
unique or locally unique. Ethernet uses globally unique MAC addresses.
MAC addresses are divided into the following types:
– Physical MAC address
A physical MAC address is burned into hardware (such as a network
interface card) and uniquely identifies a terminal on the Ethernet.
– Broadcast MAC address
A broadcast MAC address indicates all the terminals on a network.
The 48 bits of a broadcast MAC address are all 1s, such as ffff.ffff.ffff.
– Multicast MAC address
A multicast MAC address indicates a group of terminals on a network.
The eighth bit of a multicast MAC address is 1, such as
000000011011101100111010101110101011111010101000.
● Transmits data over the data link layer. After receiving data from the LLC sub-
layer, the MAC sub-layer adds the MAC address and control information to
the data, and then transmits the data to the physical link. In the process, the
MAC sub-layer provides other functions such as the check function.
Data is transmitted at the data link layer as follows:
a. The upper layer delivers data to the MAC sub-layer.
b. The MAC sub-layer stores the data in the buffer.

c. The MAC sub-layer adds the destination MAC address and source MAC
address to the data, calculates the length of the data frame, and forms
an Ethernet frame.
d. The Ethernet frame is sent to the peer according to the destination MAC
address.
e. The peer compares the destination MAC address with entries in the MAC
address table.

▪ If a matching entry is found, the frame is accepted.

▪ If no matching entry is found, the frame is discarded.


The preceding describes frame transmission in unicast mode. After an upper-
layer application is added to a multicast group, the data link layer generates a
multicast MAC address according to the application, and then adds the
multicast MAC address to the MAC address table. The MAC sub-layer receives
frames with the multicast MAC address and transmits the frames to the upper
layer.

Ethernet Frame Structure


● Format of an Ethernet_II frame

Figure 1-4 Format of an Ethernet_II frame


Field     DMAC       SMAC       Type       Data                CRC
Length    6 bytes    6 bytes    2 bytes    46 to 1500 bytes    4 bytes

Table 1-5 describes the fields in an Ethernet_II frame.

Table 1-5 Fields in an Ethernet_II frame


Field    Description

DMAC     It indicates the destination MAC address. DMAC specifies the receiver
         of the frame.

SMAC     It indicates the source MAC address. SMAC specifies the station that
         sends the frame.

Type     The 2-byte Type field identifies the upper layer protocol of the Data
         field. The receiver can know the meaning of the Data field according
         to the Type field.
         Ethernet allows multiple protocols to coexist on a LAN. The
         hexadecimal values in the Type field of an Ethernet_II frame stand for
         different protocols.
         ● Frames with the Type field value 0800 are IP frames.
         ● Frames with the Type field value 0806 are Address Resolution
           Protocol (ARP) frames.
         ● Frames with the Type field value 8035 are Reverse Address
           Resolution Protocol (RARP) frames.
         ● Frames with the Type field value 8137 are Internetwork Packet
           Exchange (IPX) and Sequenced Packet Exchange (SPX) frames.

Data     The minimum length of the Data field is 46 bytes, which ensures that
         the frame is at least 64 bytes in length. The 46-byte Data field is
         required even if only 1-byte information needs to be transmitted.
         If the payload of the Data field is less than 46 bytes, the Data field
         must be padded to 46 bytes.
         The maximum length of the Data field is 1500 bytes.

CRC      The Cyclic Redundancy Check (CRC) field provides an error detection
         mechanism.
         Each sending device calculates a CRC code containing the DMAC, SMAC,
         Type, and Data fields. Then the CRC code is filled into the 4-byte CRC
         field.

● Format of an IEEE 802.3 frame

Figure 1-5 Format of an IEEE 802.3 frame


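Fields, in order: DMAC (6 bytes), SMAC (6 bytes), Length (2 bytes), LLC, SNAP,
Data (38 to 1492 bytes), CRC (4 bytes)
LLC sub-fields: DSAP (1 byte), SSAP (1 byte), Control (1 byte)
SNAP sub-fields: Org code (3 bytes), Type (2 bytes)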

As shown in Figure 1-5, the format of an IEEE 802.3 frame is similar to that
of an Ethernet_II frame except that the Type field is changed to the Length
field in an IEEE 802.3 frame, and the LLC field and the Sub-Network Access
Protocol (SNAP) field occupy 8 bytes of the Data field.

Table 1-6 Format of an IEEE 802.3 frame


Field     Description

Length    The Length field specifies the number of bytes in the Data field.

LLC       The LLC field consists of three sub-fields: Destination Service
          Access Point (DSAP), Source Service Access Point (SSAP), and Control.

SNAP      The SNAP field consists of the Org Code field and the Type field.
          Three bytes in the Org Code field are all 0s. The Type field functions
          the same as the Type field in Ethernet_II frames.

NOTE

For description about other fields, see the description of Ethernet_II frames.
Based on the values of DSAP and SSAP, IEEE 802.3 frames can be divided into
the following types:
– If DSAP and SSAP are both 0xff, the IEEE 802.3 frame changes to a
Netware-Ethernet frame that carries NetWare data.
– If DSAP and SSAP are both 0xaa, the IEEE 802.3 frame changes to an
Ethernet_SNAP frame.
Ethernet_SNAP frames can be encapsulated with data of multiple
protocols. The SNAP can be considered as an extension of the Ethernet
protocol. SNAP allows vendors to define their own Ethernet transmission
protocols.
The Ethernet_SNAP standard is defined by IEEE 802.1 to guarantee
interoperability between IEEE 802.3 LANs and Ethernet networks.
– Other values of DSAP and SSAP indicate IEEE 802.3 frames.
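
The MAC address types and the frame formats described in this section can be checked in code. The following Python sketch is an added example, not part of the original guide: it builds padded frames with a CRC and classifies received frames as Ethernet_II, Netware-Ethernet, Ethernet_SNAP or IEEE 802.3 from the Type/Length, DSAP and SSAP fields. The 0x0600 boundary between Length and Type values, the bit masks applied to the first address octet, and the CRC byte order are assumptions taken from general IEEE 802.3 practice; all function names are illustrative.

```python
import struct
import zlib

MIN_DATA, MAX_DATA = 46, 1500   # Data field limits from Table 1-5
TYPE_BOUNDARY = 0x0600          # assumption: >= 0x0600 is a Type, else a Length
ETHERTYPES = {0x0800: "IP", 0x0806: "ARP", 0x8035: "RARP", 0x8137: "IPX/SPX"}


def parse_mac(text):
    """Convert dotted hexadecimal notation (00e0.fc39.8034) to 6 raw bytes."""
    raw = bytes.fromhex(text.replace(".", ""))
    if len(raw) != 6:
        raise ValueError("a MAC address has 48 bits")
    return raw


def format_mac(raw):
    """Convert 6 raw bytes back to dotted hexadecimal notation."""
    digits = raw.hex()
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def mac_kind(raw):
    """Classify an address as broadcast, multicast or unicast."""
    if raw == b"\xff" * 6:
        return "broadcast"
    # Assumption: the group flag is the least significant bit of the first
    # octet, i.e. the eighth bit when the address is written out in binary.
    return "multicast" if raw[0] & 0x01 else "unicast"


def is_locally_administered(raw):
    """True if the address is flagged locally unique (assumed mask 0x02)."""
    return bool(raw[0] & 0x02)


def assemble(dmac, smac, type_or_len, data):
    """Pad Data to 46 bytes and append the CRC computed over DMAC..Data."""
    if len(data) > MAX_DATA:
        raise ValueError("Data field exceeds 1500 bytes")
    body = dmac + smac + struct.pack("!H", type_or_len) + data.ljust(MIN_DATA, b"\x00")
    # Assumption: CRC-32 as computed by zlib, stored least significant byte first.
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_ethernet_ii(dmac, smac, ethertype, payload):
    """Ethernet_II frame: the 2-byte field after SMAC carries the Type."""
    return assemble(dmac, smac, ethertype, payload)


def build_snap(dmac, smac, ethertype, payload):
    """IEEE 802.3 frame with LLC (aa aa 03) and SNAP (org code 0, Type)."""
    data = b"\xaa\xaa\x03" + b"\x00\x00\x00" + struct.pack("!H", ethertype) + payload
    return assemble(dmac, smac, len(data), data)   # Length counts unpadded Data


def classify(frame):
    """Describe one frame given as bytes from DMAC through CRC."""
    if not 64 <= len(frame) <= 1518:
        raise ValueError("frame length outside 64..1518 bytes")
    body, crc = frame[:-4], frame[-4:]
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    info = {
        "dmac": format_mac(frame[0:6]),
        "smac": format_mac(frame[6:12]),
        "dmac_kind": mac_kind(frame[0:6]),
        "crc_ok": struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) == crc,
    }
    if type_or_len >= TYPE_BOUNDARY:
        info["format"] = "Ethernet_II"
        info["protocol"] = ETHERTYPES.get(type_or_len, hex(type_or_len))
        return info
    if type_or_len > MAX_DATA:
        raise ValueError("Type/Length value is neither a length nor a type")
    dsap, ssap = frame[14], frame[15]
    if dsap == ssap == 0xFF:
        info["format"] = "Netware-Ethernet"
    elif dsap == ssap == 0xAA:
        info["format"] = "Ethernet_SNAP"
        (snap_type,) = struct.unpack("!H", frame[20:22])
        info["protocol"] = ETHERTYPES.get(snap_type, hex(snap_type))
    else:
        info["format"] = "IEEE 802.3"
    info["length"] = type_or_len
    return info


# Constructed sample frames (addresses taken from the examples in this section).
HOST = parse_mac("00e0.fc39.8034")
ARP_FRAME = build_ethernet_ii(parse_mac("ffff.ffff.ffff"), HOST, 0x0806, b"\x01")
SNAP_FRAME = build_snap(parse_mac("01bb.3aba.bea8"), HOST, 0x0800, b"hello")

if __name__ == "__main__":
    for sample in (ARP_FRAME, SNAP_FRAME):
        print(len(sample), classify(sample))
```

A 1-byte payload still yields a 64-byte frame, and a frame altered in transit is reported with crc_ok set to False.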

1.2.9 LLC Sub-layer


The MAC sub-layer supports two types of frame: IEEE 802.3 frames and Ethernet_II
frames. In an Ethernet_II frame, the Type field identifies the upper layer protocol.
Therefore, only the MAC sub-layer is required on a device, and the LLC sub-layer
does not need to be realized.
In an IEEE 802.3 frame, the LLC sub-layer defines useful features in addition to
traditional services of the data link layer. All these features are provided by the
sub-fields of DSAP, SSAP, and Control.
The following lists three types of point-to-point services:
● Connectionless service
Currently, the Ethernet implements this service.
● Connection-oriented service
A connection is set up before data is transmitted. The reliability of data is
guaranteed during the transmission.

● Connectionless data transmission with acknowledgement


A connection is not required before data transmission. The acknowledgement
mechanism is used to improve the reliability.

The following is an example that describes the applications of SSAP and DSAP.
Assume that terminals A and B use connection-oriented services. Data is
transmitted in the following process:

1. A sends a frame to B to require the establishment of a connection with B.


2. If B has enough resources, it returns an acknowledgement message that
contains a Service Access Point (SAP). The SAP identifies the connection
required by A.
3. After receiving the acknowledgement message, A knows that B has set up a
local connection with A. After creating an SAP, A sends a message containing
the SAP to B. The connection is set up.
4. The LLC sub-layer of A encapsulates the data into a frame. The DSAP field is
filled in with the SAP sent by B; the SSAP field is filled in with the SAP created
by A. Then the LLC sub-layer sends the frame to the MAC sub-layer of A.
5. The MAC sub-layer of A adds the MAC address and the Length field into the
frame, and then sends the frame to the data link layer.
6. After the frame is received at the MAC sub-layer of B, the frame is
transmitted to the LLC sub-layer. The LLC sub-layer figures out the connection
to which the frame belongs according to the DSAP field.
7. After checking and acknowledging the frame based on the connection type,
the LLC sub-layer of B transmits the frame to the upper layer.
8. After the frame reaches its destination, A instructs B to release the connection
by sending a frame. At this time, the communications end.

1.3 Switching on Ethernet

1.3.1 Layer 2 Switching


A Layer 2 device works at the second layer of the OSI model and forwards data
packets based on media access control (MAC) addresses. Ports on a Layer 2 device
send and receive data independently and belong to different collision domains.
Collision domains are isolated at the physical layer so that collisions will not occur
between hosts (or networks) connected through this Layer 2 device due to uneven
traffic rates on these hosts (or networks).

A Layer 2 device parses and learns source MAC addresses of Ethernet frames and
maintains a mapping table of MAC addresses and ports. This table is called a MAC
address table. When receiving an Ethernet frame, the device searches for the
destination MAC address of the frame in the MAC table to determine through
which port to forward this frame.

1. When the Layer 2 device receives an Ethernet frame, it records the source
MAC address and the inbound port of the frame in the MAC address table to
guide Layer 2 forwarding. If the same MAC address entry exists in the MAC
address table, the device resets the aging time of the entry. An aging
mechanism is used to maintain entries in the MAC address table. Entries that
are not updated within the aging time are deleted from the MAC address
table.
2. The device looks up the MAC address table based on the destination MAC
address of the Ethernet frame. If no matching entry is found, the device
forwards the frame to all its ports except the port from which the frame is
received. If the destination MAC address of the frame is a broadcast address,
the device forwards the frame to all its ports except the port from which the
frame is received. If a matching entry is found in the MAC address table, the
device forwards the frame to the port specified in the entry.

According to the preceding forwarding process, a Layer 2 device maintains a MAC
address table and forwards Ethernet frames based on destination MAC addresses.
This forwarding mechanism fully uses network bandwidth and improves network
performance. Figure 1-6 shows an example of Layer 2 switching.

Figure 1-6 Layer 2 switching example


[Figure: PC A, PC B, and PC C connect to Port 1, Port 2, and Port 3 of the
Layer 2 device. The frame shown carries the fields "MAC C | MAC A | Type | Data".]

MAC Address   Port
MAC A         Port 1
MAC B         Port 2
MAC C         Port 3

Although Layer 2 devices can isolate collision domains, they cannot isolate
broadcast domains. As described in the Layer 2 forwarding process, broadcast
packets and packets that do not match any entry in the MAC address table are
forwarded to all ports (except the port from which the frame is received). Packet
broadcasting consumes much bandwidth on network links and brings security
issues. Routers can isolate broadcast domains, but high costs and low forwarding
performance of routers limit the application of routers in Layer 2 forwarding. The
virtual local area network (VLAN) technology is introduced to solve this problem
in Layer 2 switching.

1.3.2 Layer 3 Switching

Background of Layer 3 Switches


In the early stage of network deployment, most local area networks (LANs) were
established using Layer 2 switches, and routers completed communication
between LANs. At that time, intra-LAN traffic accounted for most of network
traffic and little traffic was transmitted between LANs. A few routers were enough
to handle traffic transmission between LANs.


As data communication networks expand and more services emerge on the
networks, increasing traffic needs to be transmitted between networks. Routers
cannot adapt to this development trend because of their high costs, low
forwarding performance, and small port quantities. New devices capable of
high-speed Layer 3 forwarding are required. Layer 3 switches are such devices.

Routers use CPUs to complete Layer 3 forwarding, whereas Layer 3 switches use
hardware to complete Layer 3 forwarding. Hardware forwarding has a much
higher performance than software forwarding (CPU based forwarding). Switches
cannot replace routers in all scenarios because routers provide rich interface types,
good service class control, and powerful routing capabilities that Layer 3 switches
cannot provide.

Layer 3 Forwarding Mechanism


Layer 3 switches divide a Layer 2 network into multiple VLANs. They implement
Layer 2 switching within the VLANs and Layer 3 IP connectivity between VLANs.
Two hosts on different networks communicate with each other through the
following process:
1. Before the source host starts communicating with the destination host, it
compares its own IP address with the IP address of the destination host. If IP
addresses of the two hosts have the same network ID (calculated by an AND
operation between the IP addresses and masks), the hosts are located on the
same network segment. In this case, the source host sends an Address
Resolution Protocol (ARP) request to the destination host. After receiving an
ARP reply from the destination host, the source host obtains the MAC address
of the destination host and sends packets to this destination MAC address.
2. If the source and destination hosts are located on different network segments,
the source host sends an ARP request to obtain the MAC address mapped to the
gateway IP address. After receiving an ARP reply from the gateway, the source
host sends packets to the MAC address of the gateway. In these packets, the
source IP address is the IP address of the source host, and the destination IP
address is still the IP address of the destination host.
The following is the detailed Layer 3 switching process.
As shown in Figure 1-7, the source and destination hosts connect to the same
Layer 3 switch but belong to different VLANs (network segments). Both hosts
are located on directly connected network segments of the Layer 3
switch, so the routes to the IP addresses of the hosts are direct routes.


Figure 1-7 Layer 3 forwarding


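[Figure: PC A (VLAN 2) and PC B (VLAN 3) connect to the same L3 Switch.]

PC A:      MAC A, IP 10.1.1.2, GW 10.1.1.1, VLAN 2
L3 Switch: MAC Switch, Layer 3 interfaces 10.1.1.1 (VLAN 2) and 10.2.1.1 (VLAN 3)
PC B:      MAC B, IP 10.2.1.2, GW 10.2.1.1, VLAN 3

Packet from PC A to L3 Switch: DMAC: MAC Switch, SMAC: MAC A, DIP: 10.2.1.2, SIP: 10.1.1.2
Packet from L3 Switch to PC B: DMAC: MAC B, SMAC: MAC Switch, DIP: 10.2.1.2, SIP: 10.1.1.2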

Figure 1-7 shows the MAC addresses, IP addresses, and gateway addresses of the
hosts, MAC address of the Layer 3 switch, and IP addresses of Layer 3 interfaces
configured in VLANs on the Layer 3 switch. The process of a ping from PC A to PC
B is as follows (the Layer 3 switch has not created any MAC address entry):
1. PC A finds that the destination IP address 10.2.1.2 (PC B) is on a different
network segment than its own IP address. Therefore, PC A sends an ARP
request for the MAC address mapped to the gateway address 10.1.1.1.
2. L3 Switch receives the ARP request from PC A and finds that 10.1.1.1 is the IP
address of its own Layer 3 interface. L3 Switch then sends an ARP reply to PC
A. The ARP reply carries the MAC address of its Layer 3 interface (MAC
Switch). In addition, L3 Switch adds the mapping between the IP address and
MAC address of PC A (10.1.1.2 and MAC A) to its ARP table. The IP address
and MAC address of PC A are carried in the ARP request sent from PC A.
L3 Switch also adds the mapping between the source MAC address and VLAN ID
of the packet and outbound port to its MAC table.
3. After PC A receives the ARP reply from the gateway (L3 Switch), it sends an
ICMP request packet. In the ICMP request packet, the destination MAC
address (DMAC) is MAC Switch; the source MAC address (SMAC) is MAC A;
the source IP address (SIP) is 10.1.1.2; the destination IP address (DIP) is
10.2.1.2.
4. When L3 Switch receives the ICMP request packet, it looks up the MAC
address table according to the destination MAC address and VLAN ID of the
packet and finds the entry with the MAC address of its Layer 3 interface. This
means that the packet needs to be forwarded at Layer 3. L3 Switch then looks
up Layer 3 forwarding entries of the switching chip to guide Layer 3 forwarding.
5. The switching chip looks up Layer 3 forwarding entries according to the
destination IP address of the packet. The entry lookup fails because no entry
has been created. The switching chip then sends the packet to the CPU for
software processing.
6. The CPU looks up the software routing table according to the destination IP
address of the packet and finds a directly connected network segment (the
network segment of PC B). Then the CPU looks up its ARP table, and the
lookup still fails. Therefore, L3 Switch sends an ARP request to all ports in
VLAN 3 (network segment of PC B) to request the MAC address mapped to IP
address 10.2.1.2.


7. After PC B receives the ARP request from L3 Switch, it checks the ARP request
and finds that 10.2.1.2 is its own IP address. PC B then sends an ARP reply
carrying its MAC address (MAC B). Meanwhile, PC B records the mapping
between the IP address and MAC address of L3 Switch (10.2.1.1 and MAC
Switch) in its ARP table.
8. When L3 Switch receives the ARP reply from PC B, it records the mapping
between the IP address and MAC address of PC B (10.2.1.2 and MAC B) in its
ARP table. L3 Switch changes the destination MAC address in the ICMP
request packet sent from PC A to MAC B and changes the source MAC
address to its own MAC address (MAC Switch), and then sends the ICMP
request to PC B. The Layer 3 forwarding entry containing the IP address and
MAC address of PC B, outbound VLAN ID, and outbound port is also added to
the Layer 3 forwarding table of the switching chip. Subsequent packets sent from
PC A to PC B are directly forwarded according to this hardware entry.
9. When PC B receives the ICMP request packet from L3 Switch, it sends an ICMP
reply packet to PC A. The forwarding process for the ICMP reply packet is
similar to that for the ICMP request packet except that the ICMP reply packet
is directly forwarded to PC A by the switching chip according to the hardware
entry. The reason is that L3 Switch has obtained the mapping between the IP
address and MAC address of PC A and added a matching Layer 3 forwarding
entry to the L3 forwarding table of the switching chip.
10. Subsequent packets exchanged between PC A and PC B are forwarded
following the same process: MAC address table lookup, Layer 3 forwarding
table lookup, and hardware forwarding by the switching chip.
In summary, a Layer 3 switch provides high-speed Layer 3 switching through one
routing process (forwarding the first packet to the CPU and creating a hardware
Layer 3 forwarding entry) and multiple switching processes (hardware forwarding
of subsequent packets).
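
The ping from PC A to PC B in Figure 1-7 can be replayed as a small model. This is an added example, not code from the Huawei guide; the class and function names, the dictionary frame layout, the neighbors table that stands in for hosts answering ARP, and the "drop" result are assumptions of the model.

```python
import ipaddress

MAC_SWITCH = "MAC Switch"


def arp_target(host_if, gateway, dst_ip):
    """Host side: ARP for the destination if it shares the network ID, else for the gateway."""
    network = ipaddress.ip_interface(host_if).network
    return dst_ip if ipaddress.ip_address(dst_ip) in network else gateway


class L3Switch:
    """Model of the first-packet (CPU) path and the hardware path of a Layer 3 switch."""

    def __init__(self, vlan_ifs, neighbors):
        # VLAN ID -> Layer 3 interface configured in that VLAN, for example 2 -> 10.1.1.1/24
        self.vlan_ifs = {v: ipaddress.ip_interface(c) for v, c in vlan_ifs.items()}
        self.neighbors = neighbors  # constructed stand-in for hosts that answer ARP: ip -> mac
        self.arp = {}               # software ARP table: ip -> (mac, vlan)
        self.hw_l3 = {}             # Layer 3 forwarding entries of the switching chip
        self.arp_requests = []      # (vlan, target ip) requests sent by the switch

    def arp_request(self, sender_ip, sender_mac, vlan, target_ip):
        """Handle an ARP request from a host; reply only for the switch's own interface."""
        # The sender's IP/MAC mapping is learned from the request (steps 2 and 9).
        self.arp[sender_ip] = (sender_mac, vlan)
        self.hw_l3[sender_ip] = (sender_mac, vlan)
        return MAC_SWITCH if str(self.vlan_ifs[vlan].ip) == target_ip else None

    def _direct_route(self, dip):
        """Return the VLAN whose directly connected segment contains dip."""
        for vlan, iface in self.vlan_ifs.items():
            if ipaddress.ip_address(dip) in iface.network:
                return vlan
        return None

    def forward(self, frame):
        """Return (path, outgoing frame); path is 'l2', 'hardware', 'cpu' or 'drop'."""
        if frame["dmac"] != MAC_SWITCH:
            return "l2", frame                  # not addressed to the Layer 3 interface
        dip, path = frame["dip"], "hardware"
        if dip not in self.hw_l3:               # chip lookup fails: send to the CPU
            path = "cpu"
            vlan = self._direct_route(dip)
            if vlan is None:
                return "drop", None             # model assumption: only direct routes exist
            if dip not in self.arp:             # ARP lookup fails as well
                self.arp_requests.append((vlan, dip))
                mac = self.neighbors.get(dip)
                if mac is None:
                    return "drop", None         # nobody answered the ARP request
                self.arp[dip] = (mac, vlan)
            self.hw_l3[dip] = self.arp[dip]     # install the hardware entry
        mac, vlan = self.hw_l3[dip]
        # Only the MAC addresses and the VLAN change; SIP and DIP stay as sent.
        return path, dict(frame, dmac=mac, smac=MAC_SWITCH, vlan=vlan)


def demo():
    """Replay the ping of Figure 1-7 and return the path taken by each packet."""
    sw = L3Switch({2: "10.1.1.1/24", 3: "10.2.1.1/24"}, {"10.2.1.2": "MAC B"})
    sw.arp_request("10.1.1.2", "MAC A", 2, "10.1.1.1")
    request = {"dmac": MAC_SWITCH, "smac": "MAC A",
               "sip": "10.1.1.2", "dip": "10.2.1.2", "vlan": 2}
    reply = {"dmac": MAC_SWITCH, "smac": "MAC B",
             "sip": "10.2.1.2", "dip": "10.1.1.2", "vlan": 3}
    return [sw.forward(f)[0] for f in (request, reply, request)]


if __name__ == "__main__":
    print(demo())
```

Only the first request takes the CPU path; the reply and every later packet are matched by the hardware entries.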

1.4 Application Scenarios for Ethernet Switching

1.4.1 Building a Data Center Network


A data center has a series of complex facilities. Besides a computer system and
cooperating devices (such as communications devices and storage systems), a
data center requires redundant data communication connections, environment
control devices, monitoring devices, and security devices.
Figure 1-8 shows a typical data center network topology. On this network,
switches connect to each other and to servers using Ethernet technology and have
various services deployed to provide low-latency, high-reliability services under
highly concurrent scenarios.


Figure 1-8 Using Ethernet technology to build a data center network

[Figure: topology with a data center backbone network, a core layer, an access
layer, and servers.]

As services in a data center require high network performance, 10G or even
higher-speed Ethernet has been widely used in data centers. Data centers create
chances for use of advanced Ethernet technologies and promote development of
Ethernet technologies.

1.5 Terms and Abbreviations


Terms

Term              Description

10Base-T          Defined in IEEE 802.3i, it is an Ethernet specification that
                  uses the twisted pair with the maximum length of 100 meters
                  (328.08 ft.) at 10 Mbit/s for each network segment.

100Base-T         Defined in IEEE 802.3u, it is a Fast Ethernet specification that
                  uses the twisted pair with the maximum length of 100 meters
                  (328.08 ft.) at 100 Mbit/s for each network segment.

1000BaseT         Defined in IEEE 802.3ab, it is an Ethernet specification that
                  uses the twisted pair with the maximum length of 100 meters
                  (328.08 ft.) at 1000 Mbit/s for each network segment.

Ethernet          Created by Xerox and developed by Xerox, Intel, and Digital
                  Equipment Corporation (DEC), it is a baseband LAN
                  specification that uses CSMA/CD and transmits data over
                  various cables at 10 Mbit/s. Ethernet-related standards are
                  defined in IEEE 802.3 series.

Ethernet_II       An encapsulation format of Ethernet frames, which is the
                  standard ARPA Ethernet Version 2.0 encapsulation that uses
                  a 16-bit protocol type code.

Ethernet_SNAP     An encapsulation format of Ethernet frames. As specified in
                  RFC 1042, it allows Ethernet frames to be transmitted
                  through IEEE 802.2 media.

FE                Short for the Fast Ethernet. Complying with IEEE 802.3u, it is
                  an extension and enhancement of the traditional
                  media-sharing Ethernet standard and allows data to be
                  transmitted at 100 Mbit/s.

Full-duplex       The full-duplex mode is an operation mode of Ethernet
                  interfaces. In full-duplex mode, interfaces on both ends can
                  send and receive data at the same time without interruption.

GE                Short for Gigabit Ethernet. Complying with IEEE 802.3z, the
                  GE is compatible with the 10M Ethernet and the 100M
                  Ethernet (FE).

Half-duplex       An operation mode of Ethernet interfaces. In half-duplex
                  mode, an interface can only receive or send data at a time.

MAC               Short for Media Access Control. At the data link layer of the
                  OSI model, the MAC sub-layer is adjacent to the physical
                  layer.

Auto-negotiation  A function that enables devices on both ends of a physical
                  link to automatically select an operation mode by
                  exchanging information. In auto-negotiation, the duplex
                  mode and operation rate are negotiated. Once the
                  negotiation result is approved, the operation mode is fixed
                  until the device is restarted or the cable is removed.

Abbreviations
Abbreviation   Full Name
CSMA/CD        Carrier Sense Multiple Access with Collision Detection
GE             Gigabit Ethernet
MAC            Media Access Control
TCP            Transmission Control Protocol


2 MAC Address Table Configuration

This chapter describes how to configure the MAC address table. Each station or
server has a unique Medium Access Control (MAC) address. When a device
exchanges data with connected stations or servers, the device records their MAC
addresses, access interfaces, and VLAN IDs for unicast forwarding.

2.1 Overview of MAC Addresses
2.2 Understanding MAC Address Tables
2.3 Application Scenarios for MAC Address Tables
2.4 Summary of MAC Address Table Configuration Tasks
2.5 Licensing Requirements and Limitations for MAC Address Tables
2.6 Default Settings for MAC Address Tables
2.7 Configuring MAC Address Tables
2.8 Configuring MAC Address Anti-flapping
2.9 Configuring MAC Address Flapping Detection
2.10 Configuring the Switch to Discard Packets with an All-0 MAC Address
2.11 Configuring the Switch to Discard Packets That Do Not Match Any MAC Address Entry
2.12 Disabling the Device from Discarding Packets in Which the Destination MAC Address and the Configured Static MAC Address Conflict
2.13 Enabling MAC Address-triggered ARP Entry Update
2.14 Enabling Port Bridge
2.15 Maintaining MAC Address Tables
2.16 Configuration Examples for MAC Address Tables
2.17 Troubleshooting MAC Address Tables


2.1 Overview of MAC Addresses


A MAC address defines the location of a network device. A MAC address consists
of 48 bits and is displayed as a 12-digit hexadecimal number. Bits 0 to 23 are
assigned by the IETF and other institutions to identify vendors, and bits 24 to 47
are the unique ID assigned by vendors to identify their network adapters.
MAC addresses fall into the following types:
● Physical MAC address: uniquely identifies a terminal on an Ethernet network
and is the globally unique hardware address.
● Broadcast MAC address: indicates all terminals on a LAN. The broadcast
address is all 1s (FF-FF-FF-FF-FF-FF).
● Multicast MAC address: indicates a group of terminals on a LAN. All the MAC
addresses with the eighth bit as 1 are multicast MAC addresses (for example,
01-00-00-00-00-00), excluding the broadcast MAC address.

2.2 Understanding MAC Address Tables


A MAC address table is a Layer 2 forwarding table that stores MAC addresses
learned from other devices.

2.2.1 Definition and Classification of MAC Address Entries


Definition of a MAC Address Table
A MAC address table records other devices' MAC addresses learned by the switch,
interfaces on which MAC addresses are learned, and VLANs that the interfaces
belong to. Before forwarding a packet, the switch looks up the destination MAC
address of the packet in the MAC address table. If a MAC address entry matches the
destination MAC address, the switch forwards the packet from the corresponding
outbound interface in the MAC address entry. If no MAC address entry matches
the destination MAC address, the switch broadcasts the packet to all interfaces in
the corresponding VLAN, except the inbound interface receiving the packet.

Classification of MAC Address Entries


MAC address entries are classified into dynamic, static, and blackhole entries. In
addition, there are MAC address entries that are related to service types, for
example, secure MAC, MUX MAC, authen MAC, and guest MAC. They are
maintained by service modules and are converted from dynamic MAC address
entries.


Table 2-1 Characteristics and functions of different MAC address entries


MAC Address Entry Type: Dynamic MAC address entry
Characteristics:
● Dynamic MAC address entries are obtained by learning source MAC addresses
of packets on an interface, and can be aged.
● Dynamic MAC address entries are lost after a system restart, LPU hot swap,
or LPU reset.
Function:
● You can check whether data is forwarded between two connected devices by
checking dynamic MAC address entries.
● You can obtain the number of communicating users connected to an interface
by checking the number of specified dynamic MAC address entries.

MAC Address Entry Type: Static MAC address entry
Characteristics:
● Static MAC address entries are manually configured and delivered to each
LPU. Static MAC address entries never age.
● The static MAC address entries saved in the system are not lost after a
system restart, LPU hot swap, or LPU reset.
● After an interface is statically bound to a MAC address, other interfaces
discard packets from this source MAC address.
● Each static MAC address entry can have only one outbound interface.
● Statically binding an interface to a MAC address does not affect the
learning of dynamic MAC address entries on the interface.
Function:
When static MAC address entries are configured, authorized users can use
network resources and other users are prevented from using the bound MAC
addresses to initiate attacks.

MAC Address Entry Type: Blackhole MAC address entry
Characteristics:
● Blackhole MAC address entries are manually configured and delivered to each
LPU. Blackhole MAC address entries never age.
● The blackhole MAC address entries saved in the system are not lost after a
system restart, LPU hot swap, or LPU reset.
● After blackhole MAC address entries are configured, the device discards
packets from or destined for the blackhole MAC addresses.
Function:
Blackhole MAC address entries can filter out unauthorized users.

2.2.2 Elements and Functions of a MAC Address Table

Elements
Each entry in a MAC address table is identified by a MAC address and a VLAN ID
or VSI. When a destination host joins multiple VLANs or VSIs, the host's MAC
address corresponds to multiple VLAN IDs or VSIs in the MAC address table. Table
2-2 lists four MAC address entries, which specify the outbound interfaces for
packets with specified destination MAC addresses and VLAN IDs or VSI names. For
example, the first MAC address entry is used to forward the packets with
destination MAC address 0011-0022-0034 and VLAN 10 through outbound
interface 10GE3/0/1.

Table 2-2 MAC address entries

MAC Address      VLAN ID/VSI Name   Outbound Interface
0011-0022-0034   10                 10GE3/0/1
0011-0022-0034   20                 10GE2/0/4
0011-0022-0035   30                 Eth-Trunk20
0011-0022-0035   device             10GE2/0/5


Functions
A MAC address table is used for unicast forwarding of packets. In Figure 2-1,
when packets sent from PC1 to PC3 reach the switch, the switch searches its MAC
address table for the destination MAC address MAC3 and VLAN 10 in the packets
to obtain outbound interface Port3. The switch then forwards packets to PC3 from
Port3.

Figure 2-1 Forwarding based on the MAC address table


[Figure: PC1, PC2, and PC3 connect to Port1, Port2, and Port3 of the switch.
The frame shown carries the fields "MAC3 | MAC1 | VLAN10 | Type | Data".]

MAC Address   VLANID   Port
MAC1          10       Port1
MAC2          10       Port2
MAC3          10       Port3

2.2.3 MAC Address Entry Learning and Aging

MAC Address Entry Learning


Generally, MAC address entries are learned from source MAC addresses of data
frames.

Figure 2-2 MAC address entry learning

[Figure: HostA sends a data frame to PortA of SwitchA.]

As shown in Figure 2-2, HostA sends a data frame to SwitchA. When receiving the
data frame, SwitchA obtains the source MAC address (HostA's MAC address) and
VLAN ID of the frame.

● If the MAC address entry does not exist in the MAC address table, SwitchA
adds an entry with the new MAC address, PortA, and VLAN ID to the MAC
address table.
● If the MAC address entry exists in the MAC address table, SwitchA resets the
aging timer of the MAC address entry and updates the entry.


NOTE

● If PortA is a member interface of Eth-TrunkA, the outbound interface in the MAC
address entry is Eth-TrunkA.
● All interfaces of a switch belong to VLAN 1 by default. If the default VLAN is not
changed, the VLAN ID of all MAC address entries is VLAN 1.
● The switch does not learn the BPDU MAC address similar to 0180-c200-xxxx.

MAC address entry learning and update are triggered on a device only when the
device receives data frames.

MAC Address Entry Aging


A device needs to update its MAC address table continuously to adapt to changing
network topologies. Dynamic MAC address entries are not always valid. Each entry
has a life cycle (aging time) and will be deleted when the aging time expires. If an
entry is updated within the aging time, the aging timer of the entry is reset.

Figure 2-3 MAC address entry aging


[Figure: timeline with the Time axis marked 0, 1T, 2T, 3T, and 4T and the points
t1, t2, and t3.]
t1: The entry with MAC address 00e0-fc00-0001 and VLAN ID 1 is learned, and the
hit flag is set to 1.
t2: The hit flag of the entry with MAC address 00e0-fc00-0001 and VLAN ID 1 is
set to 0, but the entry is not deleted.
t2-t3: No packet matching this MAC address is received, so hit flag is 0.
t3: The entry with MAC address 00e0-fc00-0001 and VLAN ID 1 is deleted because
its hit flag is 0.

As shown in Figure 2-3, the aging time of MAC address entries is set to T. At t1,
packets with source MAC address 00e0-fc00-0001 and VLAN ID 1 arrive at an
interface, which has joined VLAN 1. If no entry with MAC address 00e0-fc00-0001
and VLAN 1 exists in the MAC address table, the MAC address is learned as a
dynamic MAC address entry in the MAC address table, and the hit flag of the
entry is set to 1.

The device checks all dynamic MAC address entries at an interval of T.

1. At t2, if the device finds that the hit flag of the matching dynamic MAC
address entry with MAC address 00e0-fc00-0001 and VLAN 1 is 1, the device
sets the hit flag to 0 but does not delete the MAC address entry.
2. If no packet with source MAC address 00e0-fc00-0001 and VLAN 1 enters the
device between t2 and t3, the hit flag of the matching MAC address entry is
always 0.


3. At t3, the device finds that the hit flag of the matching MAC address entry is
0. The device considers that the aging time of the MAC address entry has
expired and deletes the MAC address entry.
The minimum holdtime of a dynamic MAC address entry ranges from T to 2T on
the device.
You can set the aging time of MAC address entries to control the life cycle of
dynamic MAC address entries in a MAC address table.
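
The learning, forwarding, and hit-flag aging described in sections 1.3.1 and 2.2.3 can be modelled in a few lines. This is an added example, not code from the Huawei guide; the class and function names and the 300-second aging time are assumptions. The holdtime function shows why an entry that is never refreshed lives between T and 2T.

```python
from dataclasses import dataclass

BROADCAST = "ffff-ffff-ffff"


@dataclass
class Entry:
    port: str
    hit: bool = True  # hit flag: 1 when the entry is learned or refreshed


class MacTable:
    """Dynamic MAC address table keyed by (MAC, VLAN) and aged with a hit flag."""

    def __init__(self, vlan_ports):
        self.vlan_ports = vlan_ports  # VLAN ID -> set of member ports
        self.entries = {}             # (mac, vlan) -> Entry

    def learn(self, src_mac, vlan, in_port):
        # New source: add an entry. Known source: update the port and
        # reset the aging state by setting the hit flag back to 1.
        self.entries[(src_mac, vlan)] = Entry(in_port, True)

    def forward(self, src_mac, dst_mac, vlan, in_port):
        """Learn the source, then return the list of egress ports."""
        self.learn(src_mac, vlan, in_port)
        entry = self.entries.get((dst_mac, vlan))
        if dst_mac == BROADCAST or entry is None:
            # Broadcast or unknown unicast: send to every port in the VLAN
            # except the inbound port.
            return sorted(self.vlan_ports[vlan] - {in_port})
        return [entry.port]

    def age_scan(self):
        """Check run every T: delete entries whose hit flag is 0, clear the others."""
        removed = []
        for key, entry in list(self.entries.items()):
            if entry.hit:
                entry.hit = False
            else:
                del self.entries[key]
                removed.append(key)
        return removed


def holdtime(learn_at, T):
    """Lifetime of an entry learned at learn_at and never refreshed.

    The periodic checks run at T, 2T, 3T, ... as in Figure 2-3.
    """
    table = MacTable({1: {"Port1", "Port2"}})
    key = ("00e0-fc00-0001", 1)
    learned, scan_time = False, T
    while True:
        if not learned and learn_at < scan_time:
            table.learn(key[0], key[1], "Port1")
            learned = True
        if key in table.age_scan():
            return scan_time - learn_at
        scan_time += T


if __name__ == "__main__":
    T = 300  # assumed aging time in seconds
    # Learned just after a check: close to 2T. Learned just before a check: close to T.
    print(holdtime(10, T), holdtime(290, T))
```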

2.2.4 MAC Address Learning Control


When hackers send a large number of packets with different source MAC
addresses to a device, useless MAC addresses will consume MAC address entry
resources of the device. As a result, the device cannot learn source MAC addresses
of valid packets. The device broadcasts the packets that do not match MAC
address entries, wasting bandwidth resources.
The device provides the following MAC address learning control methods to
address the preceding issue:
● Disabling MAC address learning on a VLAN or an interface
● Limiting the number of learned MAC address entries on a VLAN or an
interface

Table 2-3 MAC address learning control


MAC Address Learning Control Method: Disabling MAC address learning on a VLAN
or an interface
Principle:
After MAC address learning is disabled on a VLAN or an interface, the device
does not learn new dynamic MAC address entries on the VLAN or interface. The
dynamic MAC address entries learned before are aged out when the aging time
expires. They can also be manually deleted using commands.

MAC Address Learning Control Method: Limiting the number of learned MAC
address entries on a VLAN or an interface
Principle:
The device can only learn a specified number of MAC address entries on a VLAN
or an interface.
When the number of learned MAC address entries reaches the limit, the device
reports an alarm to notify the network administrator.
After that, the device cannot learn new MAC address entries on the VLAN or
interface and discards the packets with source MAC addresses out of the MAC
address table.

Application Scenario (applies to both methods):
● In most cases, attack packets sent by a hacker enter the device through the
same interface. Therefore, you can use either of the two methods to prevent
attack packets from using up MAC address entry resources on the device.
● The method of limiting the number of learned MAC address entries on a VLAN
or an interface can also be used to limit the number of access users.
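
The effect of the per-interface limit in Table 2-3 can be seen by replaying the same traffic with and without it. This is an added example, not code from the Huawei guide; the class, the table capacity of 8 entries, the limit of 3, and all MAC addresses except 0011-0022-0034 are constructed for the illustration.

```python
class LimitedLearner:
    """MAC learning with a finite table and optional per-interface limits."""

    def __init__(self, capacity, port_limits=None):
        self.capacity = capacity              # total entries the table can hold
        self.port_limits = port_limits or {}  # port -> maximum learned entries
        self.table = {}                       # (mac, vlan) -> port
        self.alarms = []                      # ports whose limit was reached
        self.discarded = 0                    # frames dropped after a limit was reached

    def _learned_on(self, port):
        return sum(1 for p in self.table.values() if p == port)

    def receive(self, src_mac, vlan, port):
        """Process the source address of one frame and report what happened."""
        key = (src_mac, vlan)
        if key in self.table:
            return "known"
        limit = self.port_limits.get(port)
        if limit is not None and self._learned_on(port) >= limit:
            # Limit already reached: the source is not in the table,
            # so the frame is discarded.
            self.discarded += 1
            return "discarded"
        if len(self.table) >= self.capacity:
            # No free entry is left: the source cannot be learned, and traffic
            # towards it keeps missing the table and is broadcast in the VLAN.
            return "not-learned"
        self.table[key] = port
        if limit is not None and self._learned_on(port) == limit:
            self.alarms.append(port)  # alarm raised when the limit is reached
        return "learned"


def run(port_limits):
    """Replay a constructed burst on Port2, then one frame from a valid host on Port1."""
    sw = LimitedLearner(capacity=8, port_limits=port_limits)
    for i in range(20):  # constructed: 20 distinct source MACs on the same port
        sw.receive(f"0200-0000-{i:04x}", 10, "Port2")
    valid = sw.receive("0011-0022-0034", 10, "Port1")
    return sw, valid


if __name__ == "__main__":
    for limits in ({}, {"Port2": 3}):
        sw, valid = run(limits)
        print(limits, "valid host:", valid, "entries:", len(sw.table),
              "alarms:", sw.alarms, "discarded:", sw.discarded)
```

Without a limit the burst fills the table and the valid host on Port1 is not learned; with the limit on Port2 the alarm fires once and the table keeps room for Port1.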

2.2.5 MAC Address Flapping

What Is MAC Address Flapping


MAC address flapping occurs when a MAC address is learned by two interfaces in
the same VLAN and the MAC address entry learned later overrides the earlier one.
Figure 2-4 shows how MAC address flapping occurs. In the MAC address entry
with MAC address 0011-0022-0034 and VLAN 2, the outbound interface is
changed from 10GE1/0/1 to 10GE1/0/2. MAC address flapping can cause an
increase in the CPU usage on the device.

MAC address flapping does not occur frequently on a network unless a network
loop occurs. If MAC address flapping frequently occurs on your network, you can
quickly locate the fault and eliminate the loops according to alarms and MAC
address flapping records.

Figure 2-4 MAC address flapping

MAC Address      VLAN ID   Port
0011-0022-0034   2         10GE1/0/1

MAC Address      VLAN ID   Port
0011-0022-0034   2         10GE1/0/2


How to Detect MAC Address Flapping


MAC address flapping detection determines whether MAC address flapping occurs
by checking whether outbound interfaces in MAC address entries change
frequently.
After MAC address flapping detection is enabled, the device can report an alarm
when MAC address flapping occurs. The alarm contains the flapping MAC address,
VLAN ID, and outbound interfaces between which the MAC address flaps. A loop
may exist between the outbound interfaces. You can locate the cause of the loop
based on the alarm. Alternatively, the device can perform the action specified in
the configuration of MAC address flapping detection to remove the loop
automatically. The action can be quit-vlan (remove the interface from the VLAN)
or error-down (shut down the interface).

Figure 2-5 Networking of MAC address flapping detection

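[Figure: SwitchA connects to the network and learns MAC:11-22-33 on both Port1
and Port2. SwitchB, SwitchC, and SwitchD sit below SwitchA, and users connect
through an access port. The figure marks an incorrect connection, the data
flow, and the resulting broadcast storm.]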

As shown in Figure 2-5, a network cable is incorrectly connected between SwitchC
and SwitchD, causing a loop between SwitchB, SwitchC, and SwitchD. When Port1 of
SwitchA receives a broadcast packet, SwitchA forwards the packet to SwitchB. The
packet is then sent to Port2 of SwitchA. After MAC address flapping detection is
configured on SwitchA, SwitchA can detect that the source MAC address of the
packet flaps from Port1 to Port2. If the MAC address flaps between Port1 and
Port2 frequently, SwitchA reports an alarm about MAC address flapping to alert
the network administrator.

NOTE

MAC address flapping detection allows a device to detect changes in traffic transmission
paths based on learned MAC addresses, but the device cannot obtain the entire network
topology. It is recommended that this function be used on the interface connected to a user
network where loops may occur.


How to Prevent MAC Address Flapping


MAC address flapping occurs on a network when the network has a loop or
undergoes an attack.
During network planning, you can use the following methods to prevent MAC
address flapping:
● Increase the MAC address learning priority of an interface: When the same
MAC address is learned on interfaces of different priorities, the MAC address
entry on the interface with the highest priority overrides the MAC address
entries on the other interfaces.
● Prevent MAC address entries from being overridden on interfaces with the
same priority: If the interface connected to a bogus network device has the
same priority as the interface connected to an authorized device, the MAC
address entry of the bogus device learned later does not override the original
correct MAC address entry. If the authorized device is powered off, the MAC
address entry of the bogus device is learned. After the authorized device is
powered on again, its MAC address cannot be learned.
As shown in Figure 2-6, Port1 of the switch is connected to a server. To prevent
unauthorized users from connecting to the switch using the server's MAC address,
you can set a high MAC address learning priority for Port1.

Figure 2-6 Networking of MAC address flapping prevention
[Figure labels: Server (MAC:11-22-33), unauthorized user (MAC:11-22-33), Port1, Switch]
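The learning rules above (priority override, no override between equal priorities, and the flapping alarm from Figure 2-5) can be traced with a small model. This is an added example, not Huawei code: the class, the alarm threshold of 3 moves, the priority values, VLAN 10 and the MAC address are all constructed for illustration.

```python
from dataclasses import dataclass, field

MAC = "0011-2233-4455"   # constructed address standing in for MAC:11-22-33 in the figures


@dataclass
class Entry:
    port: str
    priority: int
    moves: int = 0        # number of times this MAC changed interface


@dataclass
class MacTable:
    """Toy model of dynamic MAC learning on one switch (illustrative only)."""
    port_priority: dict = field(default_factory=dict)  # port -> learning priority (default 0)
    same_priority_override: bool = True   # False = entries of equal priority are not overridden
    flap_threshold: int = 3               # assumed alarm threshold, not a device default
    entries: dict = field(default_factory=dict)        # (vlan, mac) -> Entry
    alarms: list = field(default_factory=list)         # (vlan, mac, original port, move port)

    def learn(self, vlan, mac, port):
        """Handle the source MAC of a frame received on `port`; return the outcome."""
        prio = self.port_priority.get(port, 0)
        cur = self.entries.get((vlan, mac))
        if cur is None:
            self.entries[(vlan, mac)] = Entry(port, prio)
            return "learned"
        if cur.port == port:
            return "refreshed"
        if prio < cur.priority:
            return "kept: lower-priority interface"
        if prio == cur.priority and not self.same_priority_override:
            return "kept: same-priority override disabled"
        original = cur.port
        cur.port, cur.priority, cur.moves = port, prio, cur.moves + 1
        if cur.moves >= self.flap_threshold:
            self.alarms.append((vlan, mac, original, port))
        return "moved"

    def age_out(self, vlan, mac):
        """Remove a dynamic entry, as happens when its aging time expires."""
        self.entries.pop((vlan, mac), None)

    def port_of(self, vlan, mac):
        entry = self.entries.get((vlan, mac))
        return entry.port if entry else None


def loop_scenario():
    """Figure 2-5: a looped broadcast frame keeps arriving on Port1 and Port2 in turn."""
    table = MacTable()
    for port in ["Port1", "Port2", "Port1", "Port2", "Port1"]:
        table.learn(10, MAC, port)
    return table.alarms


def priority_scenario():
    """Figure 2-6: the server port has a higher learning priority than the other port."""
    table = MacTable(port_priority={"Port1": 2, "Port2": 0})
    table.learn(10, MAC, "Port1")              # frame from the server
    outcome = table.learn(10, MAC, "Port2")    # frame carrying the server's MAC elsewhere
    return outcome, table.port_of(10, MAC)


def same_priority_scenario():
    """Equal priorities with override disabled, including the power-off caveat."""
    table = MacTable(same_priority_override=False)
    table.learn(10, MAC, "Port1")                   # authorized device
    first = table.learn(10, MAC, "Port2")           # bogus device: original entry is kept
    table.age_out(10, MAC)                          # authorized device powered off, entry ages
    table.learn(10, MAC, "Port2")                   # bogus device is now learned
    after_power_on = table.learn(10, MAC, "Port1")  # authorized device cannot be learned
    return first, after_power_on, table.port_of(10, MAC)


if __name__ == "__main__":
    print(loop_scenario())
    print(priority_scenario())
    print(same_priority_scenario())
```

The last scenario shows why the same-priority rule alone is not enough for a critical server: once the legitimate entry ages out, whichever device is learned first holds the address.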

2.2.6 MAC Address-Triggered ARP Entry Update


On an Ethernet network, a host sends and receives Ethernet data frames based on
MAC addresses. The Address Resolution Protocol (ARP) maps IP addresses to MAC
addresses. When two devices on different network segments communicate with
each other, they need to map IP addresses to MAC addresses and outbound
interfaces according to ARP entries.
Generally, the outbound interfaces in the matching MAC address entries and ARP
entries are consistent. As shown in Figure 2-7, the outbound interface in both the
MAC address entry and ARP entry is 10GE1/0/1. The interface is then changed. At
T2, after a packet is received from the peer device, the outbound interface in the
MAC address entry is immediately changed to 10GE1/0/2. However, the outbound
interface in the ARP entry is still 10GE1/0/1. At T3, the aging time of the ARP
entry expires, and the outbound interface in the ARP entry is changed to
10GE1/0/2 through ARP aging probe. Between T2 and T3, the outbound interface
in the ARP entry is unavailable, interrupting communication between devices on
different network segments.

Figure 2-7 MAC address-triggered ARP entry update is not enabled

Time  MAC address entry                  ARP entry
      MAC Address  VLAN ID  Port         IP Address  MAC Address  VLAN ID  Port
T1    11-22-34     2        10GE1/0/1    10.2.2.2    11-22-34     2        10GE1/0/1
T2    11-22-34     2        10GE1/0/2    10.2.2.2    11-22-34     2        10GE1/0/1
T3    11-22-34     2        10GE1/0/2    10.2.2.2    11-22-34     2        10GE1/0/2

Stage labels in the figure: Before port switching; Port switching & ARP aging probe; After port switching & ARP aging probe.

MAC address-triggered ARP entry update enables a device to update the
outbound interface in an ARP entry immediately after the outbound interface in
the corresponding MAC address entry changes. As shown in Figure 2-8, MAC
address-triggered ARP entry update is enabled. At T2, after the outbound interface
in the MAC address entry is changed to 10GE1/0/2, the outbound interface in the
ARP entry is immediately changed to 10GE1/0/2. This function prevents
communication interruption between T2 and T3 due to the incorrect outbound
interface in the ARP entry.

Figure 2-8 MAC address-triggered ARP entry update is enabled

Time  MAC address entry                  ARP entry
      MAC Address  VLAN ID  Port         IP Address  MAC Address  VLAN ID  Port
T1    11-22-34     2        10GE1/0/1    10.2.2.2    11-22-34     2        10GE1/0/1
T2    11-22-34     2        10GE1/0/2    10.2.2.2    11-22-34     2        10GE1/0/2
T3    11-22-34     2        10GE1/0/2    10.2.2.2    11-22-34     2        10GE1/0/2

Stage labels in the figure: Before port switching; Port switching & ARP aging probe; After port switching & ARP aging probe.

In data center virtualization scenarios, when the location of a virtual machine
(VM) changes, user traffic on the network may be interrupted if the VM cannot
send gratuitous ARP messages promptly to update ARP entries on the gateway. In
this case, the device relearns ARP entries by exchanging ARP messages only after
ARP entries on the gateway age.

When the VM location is changed after MAC-ARP association is enabled and a
gateway's MAC entries are updated upon receipt of Layer 2 user traffic, ARP
entries and outbound interface information are updated as follows to accelerate
Layer 3 traffic convergence:
● If ARP entries exist and the outbound interface of MAC entries is inconsistent
with that of ARP entries, ARP entries are updated based on MAC entries, and
outbound interface information is updated.
● If ARP entries do not exist, a broadcast suppression table is searched based on
MAC entries and ARP probe is re-initiated to update ARP entries and
outbound interface information.
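The T1/T2/T3 timeline of Figures 2-7 and 2-8 and the two update rules above, as an added Python model (not Huawei code). The entry values come from the figures; the times chosen for T2 and T3 and all class and function names are constructed, and the broadcast suppression table lookup is not modelled, only the resulting re-probe.

```python
from dataclasses import dataclass

T2_PORT_SWITCH = 100    # constructed: second at which the host moves to 10GE1/0/2
T3_ARP_AGING = 1200     # constructed: second at which the ARP aging probe runs


@dataclass
class ArpEntry:
    mac: str
    vlan: int
    port: str


class Gateway:
    """Toy gateway holding a MAC table and an ARP table (illustrative only)."""

    def __init__(self, mac_triggered_update):
        self.mac_triggered_update = mac_triggered_update
        self.mac_table = {}     # (vlan, mac) -> outbound interface
        self.arp_table = {}     # ip -> ArpEntry

    def learn_mac(self, vlan, mac, port):
        """Layer 2 learning; returns what happened to the matching ARP entries."""
        self.mac_table[(vlan, mac)] = port
        if not self.mac_triggered_update:
            return "arp-untouched"
        matches = [e for e in self.arp_table.values() if (e.vlan, e.mac) == (vlan, mac)]
        if not matches:
            return "arp-probe"          # no ARP entry exists: an ARP probe is re-initiated
        moved = [e for e in matches if e.port != port]
        for entry in moved:
            entry.port = port           # ARP entry follows the MAC entry immediately
        return "arp-updated" if moved else "arp-consistent"

    def arp_aging_probe(self):
        """On aging, the ARP entry is re-resolved and picks up the current interface."""
        for entry in self.arp_table.values():
            entry.port = self.mac_table.get((entry.vlan, entry.mac), entry.port)

    def stale_arp(self):
        """IP addresses whose ARP outbound interface disagrees with the MAC table."""
        return sorted(ip for ip, e in self.arp_table.items()
                      if self.mac_table.get((e.vlan, e.mac), e.port) != e.port)


def simulate(mac_triggered_update):
    """Replay T1..T3; return per-stage (MAC port, ARP port) and the stale seconds."""
    gw = Gateway(mac_triggered_update)
    gw.learn_mac(2, "11-22-34", "10GE1/0/1")
    gw.arp_table["10.2.2.2"] = ArpEntry("11-22-34", 2, "10GE1/0/1")
    labels = {0: "T1", T2_PORT_SWITCH: "T2", T3_ARP_AGING: "T3"}
    snapshots, stale_seconds = {}, 0
    for now in range(T3_ARP_AGING + 1):
        if now == T2_PORT_SWITCH:
            gw.learn_mac(2, "11-22-34", "10GE1/0/2")
        if now == T3_ARP_AGING:
            gw.arp_aging_probe()
        if gw.stale_arp():
            stale_seconds += 1          # Layer 3 traffic is sent to the old interface
        if now in labels:
            snapshots[labels[now]] = (gw.mac_table[(2, "11-22-34")],
                                      gw.arp_table["10.2.2.2"].port)
    return snapshots, stale_seconds


if __name__ == "__main__":
    for enabled in (False, True):
        print(enabled, simulate(enabled))
```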

2.3 Application Scenarios for MAC Address Tables

MAC Address Anti-flapping


As shown in Figure 2-9, employees of an enterprise need to access the enterprise
server. If an attacker uses the server MAC address as the source MAC address to
send packets to another interface, the server MAC address is learned on the
interface. Packets sent to the server are sent to unauthorized users. In this case,
employees cannot access the server, and important data will be intercepted by the
attacker. MAC address anti-flapping can be configured to prevent unauthorized
users from using the server MAC address to access the switch.

Figure 2-9 Networking diagram of MAC address anti-flapping
[Figure labels: Server (MAC:11-22-33), unauthorized user (MAC:11-22-33), Port1, Switch]

MAC Address Flapping Detection


As shown in Figure 2-10, a loop occurs on a user network because network cables
between two LSWs are incorrectly connected. The loop causes MAC address
flapping and MAC address table flapping.
You can enable MAC address flapping detection on the Switch to detect MAC
address flapping and discover loops.

Figure 2-10 Networking diagram of MAC address flapping detection
[Figure labels: Network, Switch, LSW1, LSW2, Incorrect connection]

2.4 Summary of MAC Address Table Configuration Tasks

Table 2-4 MAC address table configuration tasks

Scenario: MAC addresses and interfaces need to be bound statically.
Description: Configure static MAC address entries to bind MAC addresses and interfaces, improving security of authorized users.
Task: 2.7.1 Configuring a Static MAC Address Entry

Scenario: Attack packets from unauthorized users need to be filtered out.
Description: Configure blackhole MAC address entries to filter out packets from unauthorized users, thereby protecting the system against attacks.
Task: 2.7.2 Configuring a Blackhole MAC Address Entry

Scenario: Aging of dynamic MAC address entries needs to be flexibly controlled.
Description: Set the aging time according to your needs. Set the aging time to a large value or 0 (not to age dynamic MAC address entries) on a stable network; set a short aging time in other situations.
Task: 2.7.3 Setting the Aging Time of Dynamic MAC Address Entries

Scenario: MAC address learning needs to be controlled.
Description: Attacks initiated by unauthorized users may exhaust MAC address entries. To prevent this problem, disable MAC address learning or limit the number of learned MAC address entries.
Task: 2.7.4 Disabling MAC Address Learning (CE Switches Excluding CE6870EI and CE6875EI); 2.7.5 Disabling MAC Address Learning (CE6870EI and CE6875EI); 2.7.6 Configuring the MAC Address Limiting Function

Scenario: MAC address flapping needs to be prevented.
Description: MAC address flapping occurs on a network when the network has a loop or undergoes an attack. You can use the following methods to prevent MAC address flapping:
● Configure the MAC address learning priorities for interfaces. When the same MAC address is learned by interfaces of different priorities, the MAC address entry on the interface with the highest priority overrides the MAC address entries on other interfaces.
● Prevent MAC address entries from being overridden on interfaces with the same priority.
Task: 2.8 Configuring MAC Address Anti-flapping

Scenario: MAC address flapping needs to be detected.
Description: MAC address flapping occurs when a MAC address is learned by two interfaces in the same VLAN and the MAC address entry learned later overrides the earlier one. MAC address flapping detection enables a switch to check whether any MAC address flaps between interfaces and determine whether a loop occurs. When MAC address flapping occurs, the switch sends an alarm to the NMS. The network maintenance personnel can locate the loop based on the alarm information and historical records for MAC address flapping. This greatly improves network maintainability. If the network connected to the switch does not support loop prevention protocols, configure the switch to shut down the interfaces where MAC address flapping occurs to reduce the impact of MAC address flapping on the network.
Task: 2.9 Configuring MAC Address Flapping Detection

Scenario: The switch needs to discard packets with an all-0 source or destination MAC address.
Description: A faulty host or device may send packets with an all-0 source or destination MAC address to a switch. Configure the switch to discard such packets and send an alarm to the NMS so that the network administrator can locate the faulty host or device based on the alarm information.
Task: 2.10 Configuring the Switch to Discard Packets with an All-0 MAC Address

Scenario: The switch needs to discard packets in which destination MAC addresses do not match the MAC address table.
Description: After a DHCP user goes offline, the MAC address entry of the user ages out. If there are packets destined for this user, the system cannot find the MAC address entry. The system then broadcasts the packets to all interfaces in the VLAN. In this case, all users receive the packets, which brings security risks. After the switch is configured to discard packets that do not match any MAC address entry, the switch discards such packets. This function mitigates the burden on the switch and enhances security.
Task: 2.11 Configuring the Switch to Discard Packets That Do Not Match Any MAC Address Entry

Scenario: The outbound interfaces in ARP entries need to be updated quickly.
Description: Configure the MAC address-triggered ARP entry update function. When the outbound interface in a MAC address entry changes, the device updates the outbound interface in the corresponding ARP entry before ARP probing. This function shortens service interruption time.
Task: 2.13 Enabling MAC Address-triggered ARP Entry Update

Scenario: An interface needs to forward packets of which the source and destination MAC addresses are both learned on the interface.
Description: By default, an interface does not forward packets whose source and destination MAC addresses are both learned by this interface. When the interface receives such a packet, it discards the packet as an invalid packet. After the port bridge function is enabled on the interface, the interface forwards such packets. This function applies to a switch that connects to devices incapable of Layer 2 forwarding or functions as an access device in a data center.
Task: 2.14 Enabling Port Bridge

2.5 Licensing Requirements and Limitations for MAC Address Tables

Involved Network Elements
Other network elements are not required.


License Requirements
The MAC address table is a basic function of the switch, and as such is controlled
by the license for basic software functions. The license for basic software functions
has been loaded and activated before delivery. You do not need to manually
activate it.

Version Requirements

Table 2-5 Products and minimum version supporting the MAC address table

Product                                Minimum Version Required
CE9860EI                               V200R020C00
CE8860EI                               V100R006C00
CE8861EI/CE8868EI                      V200R005C10
CE8850-32CQ-EI                         V200R002C50
CE8850-64CQ-EI                         V200R005C00
CE7850EI                               V100R003C00
CE7855EI                               V200R001C00
CE6810EI                               V100R003C00
CE6810-48S4Q-LI/CE6810-48S-LI          V100R003C10
CE6810-32T16S4Q-LI/CE6810-24S2Q-LI     V100R005C10
CE6850EI                               V100R001C00
CE6850-48S6Q-HI                        V100R005C00
CE6850-48T6Q-HI/CE6850U-HI/CE6851HI    V100R005C10
CE6855HI                               V200R001C00
CE6856HI                               V200R002C50
CE6857EI                               V200R005C10
CE6860EI                               V200R002C50
CE6865EI                               V200R005C00
CE6870-24S6CQ-EI                       V200R001C00
CE6870-48S6CQ-EI                       V200R001C00
CE6870-48T6CQ-EI                       V200R002C50
CE6875-48S4CQ-EI                       V200R003C00
CE6880EI                               V200R002C50
CE6881, CE6820, and CE6863             V200R005C20
CE6881K                                V200R019C10
CE6881E                                V200R019C10
CE6863K                                V200R019C10
CE5810EI                               V100R002C00
CE5850EI                               V100R001C00
CE5850HI                               V100R003C00
CE5855EI                               V100R005C10
CE5880EI                               V200R005C10
CE5881                                 V200R020C00

NOTE

For details about the mapping between software versions and switch models, see the
Hardware Query Tool.


Feature Limitations

Table 2-6 Description of features

Feature: MAC address entry
Description:
● Dynamic MAC address entries can be learned on an interface only after the interface is added to an existing VLAN.
● Each static MAC address entry can have only one outbound interface.
● By default, if a static MAC address is bound to an interface or the port security function is enabled on an interface, other interfaces will discard received packets with the source MAC address being the specific static MAC address or secure MAC address. However, on the switches except the CE5880EI, CE6870EI, CE6875EI, and CE6880EI, other interfaces will properly forward packets with the source MAC address being the specific static MAC address or secure MAC address, if any of the following functions is configured on the device: EVPN, OVSDB, VBDIF interface configured with a MAC address, or a combination of M-LAG and VLANIF interface configured with MAC addresses.
● If there is a MAC address that is generated based on DHCP snooping binding entries, the MAC address cannot be configured as a static MAC address.
● The blackhole MAC address can be used as the source or destination MAC address. For the CE6870EI and CE6875EI, the device forwards Layer 3 packets with the source MAC address as the blackhole MAC address.
● For CE6870EI and CE6875EI, after TRILL is enabled, the blackhole MAC address cannot be configured. If the blackhole MAC address has been configured, enabling TRILL will cause the blackhole MAC address to become invalid.
● Deleting MAC address entries may cause the reset of the aging time of MAC address entries.
● After EVN is configured, the aging time of MAC address entries is 30 minutes and cannot be modified.
● By default, MAC addresses of VBDIF and VLANIF interfaces are dynamically allocated from the MAC address range of the system. You can also run the mac-address command to configure a static MAC address. When the device is connected to the load balancer or firewall or the if-match source-mac command is used on the device, Layer 3 traffic may fail to be forwarded. To address this issue, delete the configured MAC address of the interface.
● On the CE5880EI, CE6875EI, CE6880EI, and CE6870EI, a maximum of eight virtual MAC addresses can be configured for VBDIF interfaces, VLANIF interfaces, and VRRP.

Feature: MAC address learning
Description:
● MAC address learning limiting rules are invalid for existing online users and valid for only new online users.
● If the VLANIF interface is not configured, the device can learn the local system MAC address.
● Disabling MAC address learning and limiting the number of learned MAC addresses are valid for a Layer 2 main interface and its Layer 2 sub-interfaces for the CE6870EI and CE6875EI.
● The hardware learns MAC address entries at line speed for the CE6870EI and CE6875EI. When many MAC address entries are learned in a short period of time, the number of MAC address entries in the hardware table is larger than the number of MAC address entries in the software table. When many MAC address entries are aged in a short period of time, the number of MAC address entries in the software table is larger than the number of MAC address entries in the hardware table. MAC address entries in the software and hardware tables are kept consistent through synchronization.
● On the switches except the CE5880EI, CE6875EI, CE6880EI, and CE6870EI, if the number of MAC addresses learned in the VLAN reaches the upper limit or the MAC address learning function is disabled in the VLAN, the packet discarding function configured using the mac-address limit action discard command does not take effect on interfaces in the VLAN.
● Port security and MAC address limiting cannot be configured on an interface.
● In the SVF, disabling MAC address learning cannot be configured in the traffic behavior view.
● After MAC address limiting is configured on an interface, the VXLAN packets received by an interface on a switch model excluding the CE5880EI, CE6875EI, CE6880EI, and CE6870EI are not affected by this function.
● By default, on the CE6870EI and CE6875EI, the TRILL function cannot be configured together with any of the FCOE, port security, MAC VLAN, blackhole MAC, MAC limit, disabling MAC address learning, URPF, DHCP snooping, or 802.1X functions. To use these functions together with TRILL, run the trill adjacency-check disable command. The TRILL function takes precedence over the preceding functions. If the TRILL function is configured after the preceding functions are configured, only the TRILL function takes effect.

Feature: MAC address flapping detection
Description:
● To prevent uplink traffic interruption, do not configure the action performed when MAC address flapping is detected on upstream interfaces.
● In versions earlier than V100R006C00, MAC address flapping detection is inapplicable to TRILL, VPLS, VXLAN, and EVN networks. In V100R006C00 and later versions, MAC address flapping detection is inapplicable to only the VPLS network.
● The MAC address flapping detection function can only detect a single ring. When there are multiple rings, the MAC address flapping detection function detects only the first ring. That is, if two or more rings exist in a VLAN, the system reports only alarms about interfaces in the first ring, regardless of whether the port status in the first ring is Up or Down.
● The MAC address flapping detection function can only detect the first ring in a VLAN within the configurable aging time (5 minutes by default). For example, MAC address flapping occurs between PortA and PortB. If PortA or PortB then goes Down and MAC address flapping occurs between PortC and PortD within the same aging time, the flapped interfaces in the alarm are still PortA and PortB.
● By default, MAC address triggered ARP entry update is enabled. If MAC address flapping occurs more than 10 times, MAC address triggered ARP entry update is disabled. After MAC address flapping is eliminated, MAC address triggered ARP entry update is enabled automatically.
● For V200R002C50 and later versions, on models excluding the CE5880EI, CE6880EI, when MAC address flapping occurs on an interface, the system suppresses broadcast, multicast, and unknown unicast packets. In this case, the forwarding rate of the outbound interface is 1% of the bandwidth of the inbound interface. Packets are not suppressed in the following two situations:
  – The interface is configured with storm control and storm suppression.
  – Multicast is enabled globally. In this situation, the system does not suppress multicast packets.
● When MAC address flapping occurs in a VLAN or BD and the loop is not eliminated, if the interface is added to or removed from an Eth-Trunk, the values of Original-Port and Move-Ports in MAC address flapping records remain unchanged. After the loop is eliminated, delete MAC address flapping entries and perform detection again. This prevents incorrect source and flapped interfaces from being detected, and prevents loop location and the punishment action (Error-Down state or storm control) from being applied to the incorrect flapped interface.

● Port-based automatic local attack defense and traffic suppression associated with MAC address flapping take effect only on the ports specified in the Move-Port field.

Feature: Other features
Description:
● Switch models other than the CE5880EI, CE6875EI, CE6880EI, and CE6870EI cannot forward Layer 2 packets whose destination MAC address is a system MAC address.
● On the CE8860EI, CE7850EI, CE7855EI, CE6860EI, CE6850HI, CE6855HI, CE8861EI, CE8868EI, CE8850EI, CE6865EI, CE6857EI, and CE6856HI, when the big-MAC or large ARP table mode is used and different MAC addresses and rates are used, the hash conflict of the MAC address table is serious and the hash conflict result is different each time. When a hash conflict occurs, the device may fail to learn many MAC addresses and some traffic can only be broadcast.
● In an SVF composed of box switches in V100R005C10 or later versions, when the mac-address miss action discard command is used, a leaf switch in distributed forwarding mode sends the packets with no matching MAC address entries to the parent switch, and the parent switch directly discards the packets with no matching MAC address entries. A leaf switch in centralized forwarding mode sends the packets with no matching MAC address entries to the parent switch. The parent switch directly discards the packets with no matching MAC address entries.
● The CE6870EI and CE6875EI cannot be configured to discard packets with the MAC address of all 0s.

2.6 Default Settings for MAC Address Tables

Table 2-7 Default settings for MAC address tables

Parameter                                                                       Default Value
Aging time of a dynamic MAC address entry                                       300 seconds
Whether MAC address learning is enabled                                         Enable
MAC address learning priority of an interface                                   0
Port security                                                                   Disabled
Limit on the number of MAC addresses learned by an interface                    1
Action to be taken when the number of learned MAC addresses reaches the limit   Restrict
MAC address flapping detection                                                  Enable
Aging time of flapping MAC addresses                                            300 seconds
Discarding packets with all-0 invalid MAC addresses                             Disabled
Port bridge                                                                     Disabled

2.7 Configuring MAC Address Tables

2.7.1 Configuring a Static MAC Address Entry

Context
MAC addresses and interfaces are bound statically in static MAC address entries.
A device cannot distinguish packets from authorized and unauthorized users when
it learns source MAC addresses of packets to maintain the MAC address table. This
causes network risks. If an unauthorized user uses the MAC address of an
authorized user as the source MAC address of attack packets and connects to
another interface of the device, the device learns an incorrect MAC address entry.
As a result, packets destined for the authorized user are forwarded to the
unauthorized user. For security purposes, you can create static MAC address
entries to bind MAC addresses of authorized users to specified interfaces. This
prevents unauthorized users from intercepting data of authorized users.
Static MAC address entries have the following characteristics:
● A static MAC address entry will not be aged out. After being saved, a static
MAC address entry will not be lost after a system restart, and can only be
deleted manually.
● The VLAN bound to a static MAC address entry must have been created and
assigned to the interface bound to the entry.
● The MAC address in a static MAC address entry must be a unicast MAC
address, and cannot be a multicast or broadcast MAC address.
● A static MAC address entry takes precedence over a dynamic MAC address
entry. The system discards packets with flapping static MAC addresses.

Procedure
Step 1 Run system-view
The system view is displayed.


Step 2 Run mac-address static mac-address interface-type interface-number vlan vlan-id

A static MAC address entry is created.

Step 3 Run commit

The configuration is committed.

----End

Verifying the Configuration


Run the display mac-address static command to check configured static MAC
address entries.
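A pre-check for a planned set of static bindings, written as an added Python example (not part of the Huawei guide). It applies the constraints listed in this section plus the one-outbound-interface limit from Table 2-6, then renders the three procedure steps. The H-H-H MAC notation used in the rendered command, the function names and the sample plan are assumptions constructed for the example.

```python
import re

BROADCAST = 0xFFFFFFFFFFFF


def parse_mac(text):
    """Return a 48-bit MAC as an int from colon, hyphen or dotted notation."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"{text!r}: not a 48-bit MAC address")
    return int(digits, 16)


def is_unicast(mac):
    """Unicast addresses have the group bit (lowest bit of the first octet) clear."""
    return (mac >> 40) & 0x01 == 0


def to_hhh(mac):
    """Format as H-H-H (assumed CLI notation), for example 0011-2233-4455."""
    h = f"{mac:012x}"
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def check_static_plan(plan, vlan_members):
    """plan: [(mac_text, interface, vlan_id)]; vlan_members: {vlan_id: {interfaces}}.

    Returns (commands, errors) without touching any device.
    """
    commands, errors, bound = [], [], {}
    for mac_text, interface, vlan in plan:
        try:
            mac = parse_mac(mac_text)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        if not is_unicast(mac):
            kind = "broadcast" if mac == BROADCAST else "multicast"
            errors.append(f"{mac_text}: {kind} address cannot be a static entry")
        elif vlan not in vlan_members:
            errors.append(f"{mac_text}: VLAN {vlan} has not been created")
        elif interface not in vlan_members[vlan]:
            errors.append(f"{mac_text}: {interface} is not assigned to VLAN {vlan}")
        elif bound.get((mac, vlan), interface) != interface:
            errors.append(f"{mac_text}: already bound to {bound[(mac, vlan)]} in VLAN {vlan}")
        elif (mac, vlan) not in bound:
            bound[(mac, vlan)] = interface
            commands.append(f"mac-address static {to_hhh(mac)} {interface} vlan {vlan}")
    return commands, errors


def render_session(commands):
    """Wrap the entries in the procedure's steps: system-view first, commit last."""
    return ["system-view", *commands, "commit"] if commands else []


# Constructed sample data: VLAN membership and a plan with deliberate mistakes.
SAMPLE_VLANS = {2: {"10GE1/0/1", "10GE1/0/2"}, 5: {"10GE1/0/3"}}
SAMPLE_PLAN = [
    ("00:11:22:33:44:55", "10GE1/0/1", 2),   # valid
    ("0011.2233.4455", "10GE1/0/2", 2),      # same MAC and VLAN on a second interface
    ("01-00-5e-00-00-01", "10GE1/0/1", 2),   # multicast
    ("ffff-ffff-ffff", "10GE1/0/1", 2),      # broadcast
    ("00e0-fc12-3456", "10GE1/0/3", 3),      # VLAN 3 does not exist
    ("00e0-fc12-3456", "10GE1/0/3", 2),      # interface not in VLAN 2
]


def demo():
    return check_static_plan(SAMPLE_PLAN, SAMPLE_VLANS)


if __name__ == "__main__":
    cmds, errs = demo()
    print("\n".join(render_session(cmds)))
    print("\n".join(errs))
```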

2.7.2 Configuring a Blackhole MAC Address Entry

Context
Blackhole MAC address entries can be used to filter out invalid MAC addresses. To
prevent a hacker from using a MAC address to attack a user device or network,
configure the MAC address of an untrusted user as the blackhole MAC address.
The switch directly discards the received packets where the source or destination
MAC address is the blackhole MAC address and the VLAN ID of the packets
corresponds to the blackhole MAC address.

NOTE

The CE6870EI and CE6875EI devices forward Layer 3 packets with the source MAC
addresses matching blackhole MAC address entries.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run mac-address blackhole mac-address vlan vlan-id

A blackhole MAC address entry is configured.

Step 3 Run commit

The configuration is committed.

----End

Verifying the Configuration


Run the display mac-address blackhole [ vlan vlan-id ] [ verbose ] command to
check configured blackhole MAC address entries.

2.7.3 Setting the Aging Time of Dynamic MAC Address Entries


Context
To prevent an explosive increase of MAC address entries, set the aging time for
dynamic MAC address entries.
Because the network topology changes frequently, the switch will learn more and
more MAC addresses. Therefore, the aging time needs to be set properly for
dynamic MAC address entries so that the switch can delete unneeded MAC
address entries to prevent a sharp increase of MAC address entries. A shorter
aging time makes the switch more sensitive to network changes and is applicable
to networks where network topology changes frequently. A longer aging time
makes the switch less sensitive to network changes and is only applicable to
stable networks.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run mac-address aging-time aging-time
The aging time is set for dynamic MAC address entries.
The aging time is 0 or an integer that ranges from 60 to 1000000, in seconds. The
default value is 300. The value 0 indicates that dynamic MAC address entries will
not be aged out.

NOTE

When the aging time is 0, MAC address entries can be fixed. To clear the fixed MAC address
entries, set the aging time to a non-0 value. The system then deletes fixed MAC address
entries after twice the aging time.

Step 3 Run commit


The configuration is committed.

----End

Verifying the Configuration


Run the display mac-address aging-time command to view the aging time of
dynamic MAC address entries.

2.7.4 Disabling MAC Address Learning (CE Switches Excluding CE6870EI and CE6875EI)

Background
The MAC address learning function is enabled by default on the switch. When
receiving a data frame, the switch records the source MAC address of the data
frame and the interface that receives the data frame in a MAC address entry.
When receiving data frames destined for this MAC address, the switch forwards
the data frames through the outbound interface according to the MAC address
entry. The MAC address learning function reduces broadcast packets on a network.


After MAC address learning is disabled on an interface, the switch does not learn
source MAC addresses of data frames received by the interface, but the dynamic
MAC address entries learned on the interface are not immediately deleted. These
dynamic MAC address entries are deleted after the aging time expires or can be
manually deleted using commands.

Procedure
Disable MAC address learning on an interface
1. Run system-view
The system view is displayed.
2. Run interface interface-type interface-number
The interface view is displayed.
3. Run mac-address learning disable [ action { discard | forward } ]
MAC address learning is disabled on the interface.
By default, MAC address learning is enabled on an interface.
By default, the switch takes the forward action after MAC address learning is
disabled. That is, the switch forwards packets according to the MAC address
table. When the action is set to discard, the switch looks up the source MAC
address of the packet in the MAC address table. If the source MAC address is
found in the MAC address table, the switch forwards the packet according to
the matching MAC address entry. If the source MAC address is not found, the
switch discards the packet.
4. Run commit
The configuration is committed.

Disable MAC address learning in a VLAN


1. Run system-view
The system view is displayed.
2. Run vlan vlan-id
The VLAN view is displayed.
3. Run mac-address learning disable
MAC address learning is disabled in the VLAN.
By default, MAC address learning is enabled in a VLAN.
4. Run commit
The configuration is committed.

Disabling MAC address learning in the traffic behavior view (This function is
not supported in the SVF.)
1. Configure a traffic classifier.
a. Run system-view
The system view is displayed.
b. Run traffic classifier classifier-name [ type { and | or } ]
A traffic classifier is created and the traffic classifier view is displayed, or
the view of an existing traffic classifier is displayed.

and is the logical operator between rules in a traffic classifier, which
means that:
▪ If a traffic classifier contains ACL rules, packets match the traffic
classifier only if they match one ACL rule and all the non-ACL rules.
▪ If a traffic classifier does not contain any ACL rules, packets match
the traffic classifier only if they match all the rules in the classifier.
The logical operator or means that packets match a traffic classifier if
they match one or more rules in the classifier.
By default, the relationship between rules in a traffic classifier is or.
c. Run if-match
Matching rules are defined for the traffic classifier.
For details about matching rules in a traffic classifier, see "Configuring a
Traffic Classifier" in "MQC Configuration" of the CloudEngine 8800, 7800,
6800, and 5800 Series Switches Configuration Guide - QoS Configuration
Guide.
d. Run commit
The configuration is committed.
e. Run quit
Exit from the traffic classifier view.
2. Configure a traffic behavior.
a. Run traffic behavior behavior-name
A traffic behavior is created and the traffic behavior view is displayed, or
the view of an existing traffic behavior is displayed.
b. Run mac-address learning disable
MAC address learning is disabled in a traffic behavior.
c. (Optional) Run statistics enable
The traffic statistics function is enabled.
d. Run commit
The configuration is committed.
e. Run quit
Exit from the traffic behavior view.
f. Run quit
Exit from the system view.
3. Configure a traffic policy.
a. Run system-view
The system view is displayed.
b. Run traffic policy policy-name
A traffic policy is created and the traffic policy view is displayed, or the
view of an existing traffic policy is displayed.
c. Run classifier classifier-name behavior behavior-name [ precedence
precedence-value ]
A traffic behavior is bound to a traffic classifier in the traffic policy.


d. Run commit
The configuration is committed.
e. Run quit
Exit from the traffic policy view.
f. Run quit
Exit from the system view.
4. Apply the traffic policy.
NOTE

● A traffic policy containing mac-address learning disable (traffic behavior view)
can only be applied in the inbound direction.
● For details about the configuration guidelines of applying traffic policies in
different views on the CE switches excluding CE6870EI and CE6875EI, see Licensing
Requirements and Limitations for MQC (CE Switches Excluding the CE6870EI and
CE6875EI).
● For switches excluding the CE5880EI and CE6880EI, run the display traffic-policy
pre-state { global [ slot slot-id ] | interface { interface-type interface-number } |
vlan vlan-id | bridge-domain bd-id } policy-name { inbound | outbound }
command before committing the configuration to check the information about
resources occupied by the traffic policy to be applied and determine whether the
traffic policy can be successfully applied based on the information.
● If a traffic policy needs to be applied to multiple VLANs and interfaces or multiple
traffic classifiers for matching packets from different source IP addresses need to
be bound to the same traffic policy, you are advised to add these VLANs, source IP
addresses, and interfaces to the same QoS group and apply the traffic policy to the
QoS group.
– Applying a traffic policy to an interface
i. Run system-view
The system view is displayed.
ii. Run interface interface-type interface-number
The interface view is displayed.
iii. Run traffic-policy policy-name inbound
A traffic policy is applied to the interface in the inbound direction.
iv. Run commit
The configuration is committed.
– Applying a traffic policy to a VLAN
i. Run system-view
The system view is displayed.
ii. Run vlan vlan-id
The VLAN view is displayed.
iii. Run traffic-policy policy-name inbound
A traffic policy is applied to the VLAN in the inbound direction.
After a traffic policy is applied, the system performs traffic policing
for the packets that belong to a VLAN and match traffic classification
rules in the inbound direction.
iv. Run commit


The configuration is committed.


– Applying a traffic policy to the system
i. Run system-view
The system view is displayed.
ii. Run traffic-policy policy-name global [ slot slot-id ] inbound
A traffic policy is applied to the system in the inbound direction.
iii. Run commit
The configuration is committed.
– Applying a traffic policy to a QoS group (Only the CE5880EI and
CE6880EI support this method)
i. Run system-view
The system view is displayed.
ii. Run qos group group-name
The QoS group view is displayed.
iii. Run the following commands as required.
○ Run the group-member interface { interface-type interface-number1
[ to interface-type interface-number2 ] } &<1-8>
command to add interfaces to the QoS group.
○ Run the group-member vlan { vlan-id1 [ to vlan-id2 ] } &<1-8>
command to add VLANs to the QoS group.
○ Run the group-member ip source ip-address { mask | mask-length }
command to add source IP addresses to the QoS group.
iv. Run traffic-policy policy-name inbound
A traffic policy is applied to the QoS group.
v. Run commit
The configuration is committed.

Verifying the Configuration


● Run the display traffic classifier [ classifier-name ] command to check the
traffic classifier configuration.
● Run the display traffic behavior [ behavior-name ] command to check the
traffic behavior configuration on the device.
● Run the display traffic policy [ policy-name [ classifier classifier-name ] ]
command to check the traffic policy configuration.
● Run the display traffic-policy applied-record [ policy-name ] [ global [ slot
slot-id ] | interface interface-type interface-number | vlan vlan-id |
vpn-instance vpn-instance-name | qos group group-id | bridge-domain bd-id ]
[ inbound | outbound ] command to check the application records of a
specified traffic policy.
NOTE

The CE6810LI does not support the vpn-instance vpn-instance-name parameter.


The CE5810EI, CE5850EI, CE5850HI, CE5855EI, CE6810LI, CE6810EI, and CE6850EI do
not support the bridge-domain bd-id command.


● Run the display system tcam fail-record [ slot slot-id ] command to display
TCAM delivery failures.
● Run the display system tcam service brief [ slot slot-id ] command to
display the group index and rule count occupied by different services.
● Run the display system tcam service { cpcar slot slot-id | service-name slot
slot-id [ chip chip-id ] } command to display IDs of entries delivered by
services on the specified chip or in the specified slot.
● Run one of the following commands to display data of a traffic policy that
has been applied:
– display system tcam service traffic-policy { global | vlan vlan-id |
interface interface-type interface-number | vpn-instance vpn-instance-name |
qos group group-id | bridge-domain bd-id } policy-name
{ inbound | outbound } [ slot slot-id [ chip chip-id ] ]
NOTE

The CE6810LI does not support the vpn-instance vpn-instance-name parameter.


The CE5810EI, CE5850EI, CE5850HI, CE5855EI, CE6810LI, CE6810EI, and CE6850EI
do not support the bridge-domain bd-id command.
– display system tcam service traffic-policy slot slot-id policy-name
{ inbound | outbound } [ chip chip-id ]
● (Models excluding the CE5880EI, CE6870EI, CE6875EI, and CE6880EI) Run the
display system tcam match-rules slot slot-id [ [ ingress | egress | group
group-id ] | [ delay-time time-value ] ] * command to display matched
entries.
● (For the CE5880EI and CE6880EI) Run the display system tcam match-rules
slot slot-id chip chip-id index index-id command to display matched entries.

2.7.5 Disabling MAC Address Learning (CE6870EI and CE6875EI)
Background
The MAC address learning function is enabled by default on the switch. When
receiving a data frame, the switch records the source MAC address of the data
frame and the interface that receives the data frame in a MAC address entry.
When receiving data frames destined for this MAC address, the switch forwards
the data frames through the outbound interface according to the MAC address
entry. The MAC address learning function reduces broadcast packets on a network.
After MAC address learning is disabled on an interface, the switch does not learn
source MAC addresses of data frames received by the interface, but the dynamic
MAC address entries learned on the interface are not immediately deleted. These
dynamic MAC address entries are deleted after the aging time expires or can be
manually deleted using commands.

Procedure
● Disable MAC address learning on an interface.
a. Run system-view
The system view is displayed.


b. Run interface interface-type interface-number


The interface view is displayed.
c. Run mac-address learning disable [ action { discard | forward } ]
MAC address learning is disabled on the interface.
By default, MAC address learning is enabled on an interface.
By default, the switch takes the forward action after MAC address
learning is disabled. That is, the switch forwards packets according to the
MAC address table. When the action is set to discard, the switch looks up
the source MAC address of the packet in the MAC address table. If the
source MAC address is found in the MAC address table, the switch
forwards the packet according to the matching MAC address entry. If the
source MAC address is not found, the switch discards the packet.
d. Run commit
The configuration is committed.
● Disable MAC address learning in a VLAN.
a. Run system-view
The system view is displayed.
b. Run vlan vlan-id
The VLAN view is displayed.
c. Run mac-address learning disable
MAC address learning is disabled in the VLAN.
By default, MAC address learning is enabled in a VLAN.
d. Run commit
The configuration is committed.
● Disabling MAC address learning in the traffic behavior view
a. Configure a traffic classifier.
i. Run system-view
The system view is displayed.
ii. Run traffic classifier classifier-name [ type { and | or } ]
A traffic classifier is created and the traffic classifier view is displayed,
or the view of an existing traffic classifier is displayed.
and is the logical operator between rules in a traffic classifier, which
means that:
○ If a traffic classifier contains ACL rules, packets match the traffic
classifier only if they match one ACL rule and all the non-ACL
rules.
○ If a traffic classifier does not contain any ACL rules, packets
match the traffic classifier only if they match all the rules in the
classifier.
The logical operator or means that packets match a traffic classifier
if they match one or more rules in the classifier.
By default, the relationship between rules in a traffic classifier is or.
iii. Run if-match


Matching rules are defined for the traffic classifier.


For details about matching rules in a traffic classifier, see
"Configuring a Traffic Classifier" in "MQC Configuration" of the
CloudEngine 8800, 7800, 6800, and 5800 Series Switches
Configuration Guide - QoS Configuration Guide.
iv. Run commit
The configuration is committed.
v. Run quit
Exit from the traffic classifier view.
b. Configure a traffic behavior.
i. Run traffic behavior behavior-name
A traffic behavior is created and the traffic behavior view is
displayed, or the view of an existing traffic behavior is displayed.
ii. Run mac-address learning disable
MAC address learning is disabled in a traffic behavior.
iii. (Optional) Run statistics enable
The traffic statistics function is enabled.
iv. Run commit
The configuration is committed.
v. Run quit
Exit from the traffic behavior view.
vi. Run quit
Exit from the system view.
c. Configure a traffic policy.
i. Run system-view
The system view is displayed.
ii. Run traffic policy policy-name
A traffic policy is created and the traffic policy view is displayed, or
the view of an existing traffic policy is displayed.
iii. Run classifier classifier-name behavior behavior-name [ precedence
precedence-value ]
A traffic behavior is bound to a traffic classifier in the traffic policy.
iv. Run commit
The configuration is committed.
v. Run quit
Exit from the traffic policy view.
vi. Run quit
Exit from the system view.
d. Apply the traffic policy.


NOTE

● A traffic policy containing mac-address learning disable (traffic behavior
view) can only be applied in the inbound direction.
● For details about the configuration guidelines of applying traffic policies in
different views on the CE6870EI and CE6875EI, see Licensing Requirements
and Limitations for MQC (CE6870EI and CE6875EI).
● If a traffic policy needs to be applied to multiple VLANs and interfaces or
multiple traffic classifiers for matching packets from different source IP
addresses need to be bound to the same traffic policy, you are advised to add
these VLANs, source IP addresses, and interfaces to the same QoS group and
apply the traffic policy to the QoS group.

▪ Applying a traffic policy to an interface


1) Run system-view
The system view is displayed.
2) Run interface interface-type interface-number
The interface view is displayed.
3) Run traffic-policy policy-name inbound
A traffic policy is applied to the interface in the inbound
direction.
4) Run commit
The configuration is committed.

▪ Applying a traffic policy to a VLAN


1) Run system-view
The system view is displayed.
2) Run vlan vlan-id
The VLAN view is displayed.
3) Run traffic-policy policy-name inbound
A traffic policy is applied to the VLAN in the inbound direction.
After a traffic policy is applied, the system performs traffic
policing for the packets that belong to a VLAN and match traffic
classification rules in the inbound direction.
4) Run commit
The configuration is committed.

▪ Applying a traffic policy to the system


1) Run system-view
The system view is displayed.
2) Run traffic-policy policy-name global [ slot slot-id ] inbound
A traffic policy is applied to the system in the inbound direction.
3) Run commit
The configuration is committed.

▪ Applying a traffic policy to a BD


1) Run system-view


The system view is displayed.


2) Run bridge-domain bd-id
The BD view is displayed.
3) Run traffic-policy policy-name inbound
A traffic policy is applied to the BD.
4) Run commit
The configuration is committed.

Verifying the Configuration


● Run the display traffic classifier [ classifier-name ] command to check the
traffic classifier configuration.
● Run the display traffic behavior [ behavior-name ] command to check the
traffic behavior configuration on the device.
● Run the display traffic policy [ policy-name [ classifier classifier-name ] ]
command to check the traffic policy configuration.
● Run the display traffic-policy applied-record [ policy-name ] [ global [ slot
slot-id ] | interface interface-type interface-number | vlan vlan-id |
vpn-instance vpn-instance-name | qos group group-id | bridge-domain bd-id ]
[ inbound | outbound ] command to check the application records of a
specified traffic policy.
NOTE

The CE6810LI does not support the vpn-instance vpn-instance-name parameter.


The CE5810EI, CE5850EI, CE5850HI, CE5855EI, CE6810LI, CE6810EI, and CE6850EI do
not support the bridge-domain bd-id command.
● Run the display system tcam fail-record [ slot slot-id ] command to display
TCAM delivery failures.
● Run the display system tcam service brief [ slot slot-id ] command to
display the group index and rule count occupied by different services.
● Run the display system tcam service { cpcar slot slot-id | service-name slot
slot-id [ chip chip-id ] } command to display IDs of entries delivered by
services on the specified chip or in the specified slot.
● Run one of the following commands to display data of a traffic policy that
has been applied:
– display system tcam service traffic-policy { global | vlan vlan-id |
interface interface-type interface-number | vpn-instance vpn-instance-name |
qos group group-id | bridge-domain bd-id } policy-name
{ inbound | outbound } [ slot slot-id [ chip chip-id ] ]
NOTE

The CE6810LI does not support the vpn-instance vpn-instance-name parameter.


The CE5810EI, CE5850EI, CE5850HI, CE5855EI, CE6810LI, CE6810EI, and CE6850EI
do not support the bridge-domain bd-id command.
– display system tcam service traffic-policy slot slot-id policy-name
{ inbound | outbound } [ chip chip-id ]


● (For the CE6870EI and CE6875EI) Run the display system tcam match-rules
slot slot-id [ [ ingress | egress | group group-id ] | [ chip chip-id ] ] *
command to display matched entries.

2.7.6 Configuring the MAC Address Limiting Function

Context
The MAC address limiting function controls the number of access users to protect
the MAC address table against attacks from hackers.
An insecure network is vulnerable to MAC address attacks. When hackers send a
large number of forged packets with different source MAC addresses to the switch,
the MAC address table of the switch will be filled with useless MAC address
entries. As a result, the switch cannot learn source MAC addresses of valid packets.
You can limit the number of MAC address entries learned on the switch. When the
number of learned MAC address entries reaches the limit, the switch does not
learn new MAC address entries. You can also configure an action to take when the
number of MAC address entries reaches the limit. This prevents MAC address
attacks and improves network security.

Procedure
● Limit the number of MAC address entries learned on an interface.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run mac-address limit maximum max-num
The maximum number of MAC address entries that can be learned on
the interface is set.
By default, the number of MAC address entries learned on an interface is
not limited.
d. Run mac-address limit alarm { disable | enable }
The switch is configured to generate or not to generate an alarm when the
number of learned MAC address entries reaches the limit.
By default, the switch generates an alarm when the number of learned
MAC address entries reaches the limit.
e. Run commit
The configuration is committed.
● Limit the number of MAC address entries learned in a VLAN.
a. Run system-view
The system view is displayed.
b. Run vlan vlan-id


The VLAN view is displayed.


c. Run mac-address limit maximum max-num
The maximum number of MAC address entries learned in the VLAN is set.
By default, the number of MAC address entries learned in a VLAN is not
limited.
d. Run mac-address limit action { discard | forward }
The action to be taken on packets with unknown source MAC addresses
is configured when the number of learned MAC address entries reaches
the limit.
By default, the device forwards packets with unknown source MAC
addresses after the number of learned MAC address entries reaches the
limit.
e. Run mac-address limit alarm { disable | enable }
The switch is configured to generate or not to generate an alarm when the
number of learned MAC address entries reaches the limit.
By default, the switch generates an alarm when the number of learned
MAC address entries reaches the limit.
f. Run commit
The configuration is committed.
----End

Verifying the Configuration


Run the display mac-address limit command to check limiting on MAC address
learning.
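
The Python model below is an added example, not Huawei code. It shows the behaviour described for mac-address learning disable [ action { discard | forward } ] on an interface and for mac-address limit maximum, action and alarm in a VLAN. The class names, interface names, MAC addresses and frame sequences are constructed, and MAC moves between interfaces are not modelled.

```python
from dataclasses import dataclass, field

FORWARD, DISCARD = "forward", "discard"


@dataclass
class VlanLimit:
    maximum: int            # mac-address limit maximum max-num
    action: str = FORWARD   # mac-address limit action { discard | forward }
    alarm: bool = True      # mac-address limit alarm { disable | enable }


@dataclass
class ToySwitch:
    vlan_limits: dict = field(default_factory=dict)  # vlan-id -> VlanLimit
    no_learning: dict = field(default_factory=dict)  # port -> action of "learning disable"
    table: dict = field(default_factory=dict)        # (vlan-id, mac) -> port
    alarms: list = field(default_factory=list)       # VLANs whose limit was reached

    def _count(self, vlan):
        return sum(1 for v, _ in self.table if v == vlan)

    def ingress(self, port, vlan, src_mac):
        """Return the verdict for one received frame, learning the source if allowed."""
        key = (vlan, src_mac)
        if key in self.table:
            return FORWARD                      # known source: forwarded by table lookup
        if port in self.no_learning:
            return self.no_learning[port]       # unknown source, learning disabled on port
        limit = self.vlan_limits.get(vlan)
        if limit is not None and self._count(vlan) >= limit.maximum:
            return limit.action                 # table full for this VLAN: do not learn
        self.table[key] = port
        if limit is not None and limit.alarm and self._count(vlan) == limit.maximum:
            self.alarms.append(vlan)            # alarm once, when the limit is reached
        return FORWARD


def flood_scenario(action):
    """Constructed case: VLAN 10 limited to 3 entries, then 50 forged source MACs arrive."""
    sw = ToySwitch(vlan_limits={10: VlanLimit(maximum=3, action=action)})
    sw.ingress("10GE1/0/1", 10, "00e0-fc00-0001")     # two legitimate hosts learned first
    sw.ingress("10GE1/0/1", 10, "00e0-fc00-0002")
    forged = [f"0200-0000-{i:04x}" for i in range(50)]
    verdicts = [sw.ingress("10GE1/0/2", 10, mac) for mac in forged]
    return {
        "table_size": len(sw.table),
        "forged_discarded": verdicts.count(DISCARD),
        "known_host": sw.ingress("10GE1/0/1", 10, "00e0-fc00-0001"),
        "late_host": sw.ingress("10GE1/0/1", 10, "00e0-fc00-0003"),
        "alarms": sw.alarms,
    }


def learning_disable_scenario(action):
    """Constructed case: one entry exists before learning is disabled on the port."""
    sw = ToySwitch()
    sw.ingress("10GE1/0/1", 20, "00e0-fc00-0001")
    sw.no_learning["10GE1/0/1"] = action
    known = sw.ingress("10GE1/0/1", 20, "00e0-fc00-0001")
    unknown = sw.ingress("10GE1/0/1", 20, "00e0-fc00-0009")
    return known, unknown, len(sw.table)


if __name__ == "__main__":
    for act in (DISCARD, FORWARD):
        print(act, flood_scenario(act), learning_disable_scenario(act))
```

In the discard run the table stops at three entries and the already learned host keeps forwarding, but a legitimate host that first appears after the limit is reached is dropped as well, which is why the alarm matters operationally.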

2.7.7 Configuring a MAC Hash Algorithm

Context
A device usually uses a hash algorithm to learn MAC address entries to improve
MAC address forwarding performance. When multiple MAC addresses map to the
same key value, a MAC address hash conflict may occur. When a MAC address
hash conflict occurs, the device may fail to learn many MAC addresses and can
only broadcast traffic destined for these MAC addresses. The heavy broadcast
traffic increases the load on the device. In this case, use an appropriate hash
algorithm to mitigate the hash conflict.


NOTE

● Only the CE5810EI, CE5850HI, CE6800 series (excluding CE6880EI, CE6870EI and
CE6875EI), CE7800 series, and CE8800 series support the configuration of a hash
algorithm.
● MAC addresses are distributed on a network randomly, so the best hash algorithm
cannot be determined. Generally, the default hash algorithm is the best one, so do not
change the hash algorithm unless you have special requirements.
● An appropriate hash algorithm can reduce hash conflicts, but cannot prevent them.
● After the hash algorithm is changed, restart the device to make the configuration take
effect.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run mac-address hash-mode { crc16-lower | crc16-upper | crc32-lower |
crc32-upper | lsb }
A hash algorithm is configured.
The default hash algorithm is crc32-lower.
Step 3 Run commit
The configuration is committed.

----End

Verifying the Configuration


● Run the display mac-address hash-mode command to check the running
and configured hash algorithms.
● Run the display mac-address hash-conflict [ mac-address { vlan vlan-id |
bridge-domain bd-id } ] [ slot slot-id ] command to check the MAC address
that cannot be added to the chip due to the hash conflict.

2.8 Configuring MAC Address Anti-flapping


NOTE

The CE5880EI, CE6870EI, CE6875EI, and CE6880EI do not support this function.

2.8.1 Configuring a MAC Address Learning Priority for an Interface
Context
To prevent MAC address flapping, configure different MAC address learning
priorities for interfaces. When interfaces learn the same MAC address, the MAC
address entry learned by the interface with the highest priority overrides the MAC
address entries learned by the other interfaces.


Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number

The interface view is displayed.

Step 3 Run mac-address learning priority priority-id

The MAC address learning priority of the interface is set.

By default, the MAC address learning priority of an interface is 0. A larger priority
value indicates a higher MAC address learning priority.

Step 4 Run commit

The configuration is committed.

----End

2.8.2 Preventing MAC Address Flapping Between Interfaces with the Same Priority

Context
You can configure the device to prevent MAC address flapping between interfaces
with the same priority to improve network security.

When switches are configured to prevent MAC address flapping between interfaces
with the same priority, be aware of the following case: if a device (such as a
server) connected to a switch powers off and another interface on the switch then
learns the same MAC address as that device, the correct MAC address entry cannot
be learned after the device powers on.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run undo mac-address learning priority priority-id allow-flapping

The device is configured to prevent MAC address flapping between interfaces with
the same priority.

By default, the device allows MAC address flapping between interfaces with the
same priority.

Step 3 Run commit

The configuration is committed.

----End


2.8.3 Verifying the Configuration of the MAC Address Anti-flapping

Procedure
● Run the display current-configuration command to view the MAC address
learning priorities of interfaces.
----End
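
The Python model below is an added example, not Huawei code. It applies the two rules from 2.8.1 and 2.8.2 (a higher learning priority overrides, and same-priority moves are refused once allow-flapping is undone for that priority) to the server power-off case described in 2.8.2. The class, the interface names and the MAC address are constructed, and removing the entry when the server powers off is an assumption of the model.

```python
class PriorityMacTable:
    """Toy model of MAC learning priority and same-priority anti-flapping."""

    def __init__(self):
        self.priority = {}     # port -> mac-address learning priority (default 0)
        self.no_flap = set()   # priorities with "undo ... priority <id> allow-flapping"
        self.entries = {}      # (vlan-id, mac) -> port that owns the entry

    def learn(self, port, vlan, mac):
        """Process one learning event and return the port that owns the entry afterwards."""
        key = (vlan, mac)
        owner = self.entries.get(key)
        if owner is None or owner == port:
            self.entries[key] = port
            return port
        new, old = self.priority.get(port, 0), self.priority.get(owner, 0)
        # Higher priority always overrides; equal priority overrides only if
        # flapping is still allowed for that priority (the default).
        if new > old or (new == old and new not in self.no_flap):
            self.entries[key] = port
        return self.entries[key]

    def age_out(self, vlan, mac):
        self.entries.pop((vlan, mac), None)


SERVER_PORT, OTHER_PORT = "10GE1/0/1", "10GE1/0/5"   # constructed interface names
SERVER_MAC = "00e0-fc00-0a01"                         # constructed MAC address


def move(owner_prio, newcomer_prio, no_flap=()):
    """MAC is learned on SERVER_PORT, then seen on OTHER_PORT: who owns it?"""
    t = PriorityMacTable()
    t.no_flap.update(no_flap)
    t.priority[SERVER_PORT], t.priority[OTHER_PORT] = owner_prio, newcomer_prio
    t.learn(SERVER_PORT, 10, SERVER_MAC)
    return t.learn(OTHER_PORT, 10, SERVER_MAC)


def power_cycle(server_port_priority):
    """Server powers off, its MAC appears on another port, then the server returns."""
    t = PriorityMacTable()
    t.no_flap.add(0)                                  # anti-flapping for priority 0
    t.priority[SERVER_PORT] = server_port_priority
    t.learn(SERVER_PORT, 10, SERVER_MAC)
    t.age_out(10, SERVER_MAC)                         # assumption: entry removed at power-off
    t.learn(OTHER_PORT, 10, SERVER_MAC)               # other port has default priority 0
    return t.learn(SERVER_PORT, 10, SERVER_MAC)


if __name__ == "__main__":
    print("default, same priority:", move(0, 0))
    print("anti-flapping, same priority:", move(0, 0, no_flap=(0,)))
    print("power cycle, server port priority 0:", power_cycle(0))
    print("power cycle, server port priority 1:", power_cycle(1))
```

With the server port left at priority 0 the entry stays on the other interface after the power cycle; giving the server-facing interface a higher learning priority lets it reclaim the entry.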

2.9 Configuring MAC Address Flapping Detection

Context
MAC address flapping detection detects all MAC addresses on the device. If MAC
address flapping occurs, the device sends an alarm to the NMS. MAC address
flapping occurs when a MAC address is learned by two or three interfaces in the
same VLAN and the MAC address entry learned later overrides the earlier one.
Generally, the interface that first learns the MAC address is the correct outbound
interface, which is called the original interface. The interface that learns the MAC
address later is called the flapped interface. The flapped interface is often the
interface where a loop occurs or an interface on the downstream network where a
loop occurs. The flapped interface needs to be shut down or configured with
storm control.
By default, the system performs MAC address flapping detection in all VLANs. In a
data center virtualization scenario (virtual terminal migration), MAC address
flapping may occur. This is a normal situation where MAC address flapping
detection is not required. You can configure the whitelist of VLANs in MAC address
flapping detection to prevent MAC address flapping detection from being
performed in a specified VLAN.
If modifying the aging time of flapping MAC address entries takes a long time,
MAC address flapping may occur again and the Error-Down time may be
increased. To ensure that the system performs MAC address flapping detection in
a timely manner, adjust the aging time of flapping MAC addresses correctly.
When a loop on a network causes MAC address flapping and the network does
not support loop prevention protocols, to eliminate the loop, configure an action
to take after MAC address flapping occurs on the corresponding interface.
On VXLAN networks, MAC address flapping detection can be performed based on
Layer 2 sub-interfaces. The device shuts down a Layer 2 sub-interface when
detecting MAC address flapping on the sub-interface. Only one Layer 2
sub-interface can be shut down within a MAC entry aging interval.


NOTE

● To prevent uplink traffic interruption, do not configure the action performed when MAC
address flapping is detected on upstream interfaces.
● MAC address flapping detection can only detect loops on interfaces, but cannot obtain
the entire network topology. If the user network connected to the switch supports loop
prevention protocols, use the loop prevention protocols instead of MAC address flapping
detection.
● When MAC address flapping occurs in a VLAN or BD and the loop is not eliminated, if
the interface is added to or removed from an Eth-Trunk, the values of Original-Port and
Move-Ports in MAC address flapping records remain unchanged. After the loop is
eliminated, delete MAC address flapping entries and perform detection again. This
prevents the incorrect source and flapped interfaces from being detected, loop location,
and punishment action (Error-Down state or storm control) from being delivered to the
incorrect flapped interface.
● The MAC address flapping detection function can only detect a single ring. When there
are multiple rings, the MAC address flapping detection function detects only the first
ring. That is, if two or more rings exist in a VLAN, the system reports only alarms about
interfaces in the first ring, regardless of whether the port status in the first ring is Up or
Down.
● The MAC address flapping detection function can only detect the first ring in a VLAN
within the configurable aging time (5 minutes by default). For example, MAC address
flapping occurs between PortA and PortB. If PortA or PortB then goes Down and MAC
address flapping occurs between PortC and PortD within the same aging time, the
flapped interfaces in the alarm are still PortA and PortB.
● By default, MAC address triggered ARP entry update is enabled. If MAC address flapping
occurs for more than 10 times, MAC address triggered ARP entry update is disabled.
After MAC address flapping is eliminated, MAC address triggered ARP entry update is
enabled automatically.
● On models excluding the CE5880EI and CE6880EI, when MAC address flapping occurs
on an interface, the system suppresses packets. In this case, the forwarding rate of the
outbound interface is 1% of the bandwidth of the inbound interface by default. Packets
are not suppressed in the following two situations:
– The interface is configured with storm control and storm suppression.
– Multicast is enabled globally.
● If the MAC address flaps to the peer-link, traffic suppression associated with MAC
address flapping does not take effect on the peer-link.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run mac-address flapping detection [ security-level { low | middle | high } ]

Global MAC address flapping detection is configured.

By default, global MAC address flapping detection is enabled. The detection
security level is middle; that is, after MAC addresses change 10 times, the
system considers that MAC address flapping occurs.

Step 3 (Optional) Run mac-address flapping detection exclude vlan { vlan-id1 [ to
vlan-id2 ] } &<1-10>
The whitelist of VLANs in MAC address flapping detection is configured.


By default, the whitelist of VLANs in MAC address flapping detection is not
configured.
Step 4 (Optional) Run mac-address flapping detection exclude mac-address
mac-address-mask
The whitelist of MAC addresses in MAC address flapping detection is configured.
By default, no MAC address is added to the MAC flapping detection whitelist.
Step 5 (Optional) Run mac-address flapping aging-time aging-time
The aging time of flapping MAC addresses is set.
By default, the aging time of flapping MAC addresses is 5 minutes.
Step 6 (Optional) Configure the interval for reporting traps periodically when MAC
address flapping is detected.
1. Run mac-address flapping periodical trap enable
The device is enabled to report a trap periodically when detecting MAC
address flapping.
By default, the device is disabled from reporting a trap periodically when
detecting MAC address flapping.
2. Run mac-address flapping periodical trap interval interval
The interval for reporting traps periodically is configured when MAC address
flapping is detected.
By default, the device reports traps periodically at an interval of 2 minutes
when detecting MAC address flapping.

NOTE

This command can be configured for all interfaces and is only valid for the flapped
interface.

Step 7 (Optional) Configure the action performed on the interface when MAC address
flapping is detected on the interface.
1. Run interface interface-type interface-number
The interface view is displayed.
Or run interface interface-type interface-number.subnum mode l2
The Layer 2 sub-interface view is displayed.
2. Run mac-address flapping trigger error-down
The interface is configured to enter the Error-Down state after MAC address
flapping occurs.
By default, an interface is not configured to enter the Error-Down state after
MAC address flapping occurs.
Step 8 Run commit
The configuration is committed.

----End

Verifying the Configuration


Run the display mac-address flapping command to check the MAC address
flapping detection configuration.

Follow-up Procedure
When the action is set to error-down, if MAC address flapping occurs, the
interface enters the Error-Down state and the device sends an alarm to the NMS.
The device records the status of an interface as Error-Down when it detects that a
fault occurs. The interface in Error-Down state cannot receive or send packets and
the interface indicator is off. You can run the display error-down recovery
command to check information about all interfaces in Error-Down state on the
device.

When the interface is in Error-Down state, check the cause. You can use the
following modes to restore the interface status:
● Manual (after the interface enters the Error-Down state)
When there are few interfaces in Error-Down state, you can run the
shutdown and undo shutdown commands in the interface view or run the
restart command to restore the interface.
● Auto (before the interface enters the Error-Down state)
If there are many interfaces in Error-Down state, the manual mode brings in
heavy workload and the configuration of some interfaces may be ignored. To
prevent this problem, run the error-down auto-recovery cause mac-address-
flapping interval interval-value command in the system view to enable an
interface in error-down state to go Up and set a recovery delay. You can run
the display error-down recovery command to view automatic recovery
information about the interface.
NOTE

This mode is invalid for the interface that has entered the Error-Down state, and is only
valid for the interface that enters the Error-Down state after the error-down auto-
recovery cause mac-address-flapping interval interval-value command is used.

2.10 Configuring the Switch to Discard Packets with an All-0 MAC Address

Context
A faulty network device may send packets with an all-0 source or destination MAC
address to the switch. You can configure the switch to discard such packets.

NOTE

CE5880EI, CE6870EI, CE6875EI and CE6880EI do not support this function.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run drop illegal-mac enable
The switch is enabled to discard packets with an all-0 MAC address.
By default, the switch does not discard packets with an all-0 MAC address.
Step 3 Run commit
The configuration is committed.

----End

Verifying the Configuration


Run the display current-configuration command to check whether the switch is
enabled to discard packets with an all-0 MAC address.

2.11 Configuring the Switch to Discard Packets That Do Not Match Any MAC Address Entry

Context
After the switch is configured to discard packets that do not match any MAC
address entries, such packets are discarded, which reduces the load on the switch
and enhances system security.
After a DHCP user goes offline, the MAC address entry of the user ages out. If
there are packets destined for this user, the switch cannot find the MAC address
entry and therefore broadcasts the packets to all interfaces in the VLAN. In this
case, all users receive the packets, which brings security risks. To reduce the
load on the switch and enhance security, configure the switch to discard packets
that do not match any MAC address entries.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan vlan-id
The VLAN view is displayed.
Step 3 Run mac-address miss action discard
The switch is configured to discard packets that do not match any MAC address
entries.
By default, the switch broadcasts the packets that do not match any MAC address
entries in a VLAN.

Step 4 Run commit
The configuration is committed.

----End

Verifying the Configuration


Run the display current-configuration command to check whether the switch is
configured to discard packets that do not match any MAC address entries.

2.12 Disabling the Device from Discarding Packets in Which the Destination MAC Address and the Configured Static MAC Address Conflict

Context
The device can be configured either to discard or not to discard packets in which
the destination MAC address and the configured static MAC address conflict.

NOTE

Only the CE6850HI, CE6850U-HI, CE6851HI, CE6855HI, CE6856HI, CE6857EI, CE6865EI, CE7800
series, and CE8800 series switches support the function.

By default, the device discards packets in which the destination MAC address and
the configured static MAC address conflict. This function reduces the device
burden and ensures security.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run undo mac-address drop static-conflict enable
The device is disabled from discarding packets in which the destination MAC
address and the configured static MAC address conflict.
By default, the device is enabled to discard packets in which the destination MAC
address and the configured static MAC address conflict.
Step 3 Run commit
The configuration is committed.

----End

Verifying the Configuration


Run the display current-configuration command to check whether the device is
enabled to discard packets in which the destination MAC address and the
configured static MAC address conflict. If the configuration contains the undo
mac-address drop static-conflict enable command, the device is not enabled to
discard such packets. If the configuration does not contain the undo mac-address
drop static-conflict enable command, the device is enabled to discard such
packets.

2.13 Enabling MAC Address-triggered ARP Entry Update

Context
The MAC address-triggered ARP entry update enables the switch to update the
corresponding ARP entry when the outbound interface in a MAC address entry
changes.
On the Ethernet, MAC address entries are used to guide Layer 2 data forwarding.
The ARP entries that define the mapping between IP addresses and MAC
addresses guide communication between devices on different network segments.
The outbound interface in a MAC address entry is updated by packets, whereas
the outbound interface in an ARP entry is updated after the aging time is reached.
In this case, the outbound interfaces in the MAC address entry and ARP entry may
be different. In Figure 2-11, SwitchA and SwitchB function as gateways of the
server and have VRRP enabled to enhance reliability. VRRP packets are transmitted
on the directly connected link between the two switches. When the server sends
packets, only one network interface is selected to forward packets. When a
network fault or traffic exception is detected, another network interface is used.

Figure 2-11 Networking for configuring MAC address-triggered ARP entry update
when a VRRP active/backup switchover is performed
[Figure: SwitchA (VRRP Master) and SwitchB (VRRP Backup), each with Port1 and
Port2, and the Server with Port1 and Port2]

● SwitchA functions as the master device, and the server uses Port2 to send
packets. SwitchA learns the ARP entry and MAC address entry on Port2, and
SwitchB learns the server MAC address on Port1.

● When the server detects that Port2 is faulty, the server uses Port1 to forward
service packets. SwitchA then learns the server MAC address on Port1. If the
server does not send an ARP Request packet to SwitchA, SwitchA still
maintains the ARP entry on Port2. In this case, packets sent from SwitchA to
the server are still forwarded through Port2 until the ARP entry is aged out.
To solve the problem, configure MAC address-triggered ARP entry update. This
function enables the device to update the corresponding ARP entry when the
outbound interface in a MAC address entry changes.

In data center virtualization scenarios, when the location of a virtual machine
(VM) changes, user traffic on the network may be interrupted if the VM cannot
send gratuitous ARP messages promptly to update ARP entries on the gateway. In
this case, the device relearns ARP entries by exchanging ARP messages only after
ARP entries on the gateway age.

When the VM location is changed after MAC-ARP association is enabled and a
gateway's MAC entries are updated upon receipt of Layer 2 user traffic, ARP
entries and outbound interface information are updated as follows to accelerate
Layer 3 traffic convergence:
● If ARP entries exist and the outbound interface of MAC entries is inconsistent
with that of ARP entries, ARP entries are updated based on MAC entries, and
outbound interface information is updated.
● If ARP entries do not exist, a broadcast suppression table is searched based on
MAC entries and ARP probe is re-initiated to update ARP entries and
outbound interface information.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run mac-address update arp enable

MAC address-triggered ARP entry update is enabled.

By default, the MAC address-triggered ARP entry update function is enabled.

NOTE

● This command takes effect only for dynamic ARP entries. Static ARP entries are not
updated when the corresponding MAC address entries change.
● The mac-address update arp enable command does not take effect after ARP entry
fixing is enabled by using the arp anti-attack entry-check { fixed-mac | fixed-all |
send-ack } enable command.
● After the mac-address update arp enable command is run, the switch updates an ARP
entry only when the outbound interface in the corresponding MAC address entry
changes.
● By default, MAC address-triggered ARP entry update is enabled. If MAC address
flapping occurs more than 10 times, MAC address-triggered ARP entry update is
disabled. After MAC address flapping is eliminated, MAC address-triggered ARP
entry update is enabled automatically.

Step 3 Run commit

The configuration is committed.

----End

Verifying the Configuration


Run the display current-configuration command to check whether the MAC
address-triggered ARP entry update function is enabled. If the configuration
contains the undo mac-address update arp enable command, MAC address-triggered
ARP entry update is disabled. If the configuration does not contain the undo
mac-address update arp enable command, MAC address-triggered ARP entry update
is enabled.

2.14 Enabling Port Bridge

Context
The port bridge function enables an interface to forward packets in which the
source and destination MAC addresses are the same.
By default, an interface does not forward packets whose source and destination
MAC addresses are both learned by this interface. When the interface receives
such a packet, it discards the packet as an invalid packet.
After the port bridge function is enabled on the interface, the interface forwards
such a packet if the destination MAC address of the packet is in the MAC address
table.
The port bridge function is used in the following scenarios:
The device is used as an access device in a data center and is connected to servers.
Each server is configured with multiple virtual machines. The virtual machines
need to transmit data to each other. If data between virtual machines is
transmitted on the server, the data transmission rate and server performance may
be affected. To improve the data transmission rate and server performance, enable
the port bridge function on the interfaces connected to the servers so that the
device forwards data packets between the virtual machines.

NOTE

CE5880EI and CE6880EI do not support this function.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run port bridge enable
The port bridge function is enabled.

By default, the port bridge function is disabled on an interface.


Step 4 Run commit
The configuration is committed.

----End

Verifying the Configuration


Run the display current-configuration command to check whether the port
bridge function is enabled.
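
The checks in the Verifying the Configuration parts of sections 2.10 to 2.14 can be run together against a saved display current-configuration dump. The following Python script is an added example, not Huawei code; the sample dump is constructed, and the script assumes that commands entered in the VLAN or interface view are listed under the matching vlan vlan-id or interface section.

```python
"""Audit a saved `display current-configuration` dump for the MAC-table
settings covered in sections 2.10 to 2.14 (added example, not vendor code)."""

# Constructed sample dump. Assumption: view-level commands are listed under
# their "vlan <id>" or "interface <name>" section, separated by "#" lines.
SAMPLE_CONFIG = """\
#
sysname Switch
#
vlan batch 2 10 20 to 21
#
drop illegal-mac enable
#
undo mac-address drop static-conflict enable
#
vlan 2
 mac-address miss action discard
#
interface 10GE1/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 10
 port bridge enable
#
interface 10GE1/0/2
 port default vlan 10
#
return
"""


def split_sections(text):
    """Return the dump as a list of sections, each a list of stripped lines."""
    sections, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("#", "return"):
            if current:
                sections.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        sections.append(current)
    return sections


def expand_vlans(tokens):
    """Expand a VLAN list such as ['2', '10', '20', 'to', '21'] into a set."""
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def audit(text):
    """Report the state of each MAC-table setting found in the dump."""
    global_cmds, vlan_cmds, iface_cmds, vlans = set(), {}, {}, set()
    for section in split_sections(text):
        words = section[0].split()
        if words[0] == "interface" and len(words) > 1:
            iface_cmds[words[1]] = set(section[1:])
        elif words[:2] == ["vlan", "batch"]:
            vlans |= expand_vlans(words[2:])
        elif words[0] == "vlan" and len(words) == 2 and words[1].isdigit():
            vlans.add(int(words[1]))
            vlan_cmds[int(words[1])] = set(section[1:])
        else:
            global_cmds.update(section)
    return {
        # 2.10: all-0 MAC packets are dropped only when the command is present.
        "drops_all_zero_mac": "drop illegal-mac enable" in global_cmds,
        # 2.12 and 2.13: enabled by default, so only the undo form shows up.
        "drops_static_conflict":
            "undo mac-address drop static-conflict enable" not in global_cmds,
        "mac_triggered_arp_update":
            "undo mac-address update arp enable" not in global_cmds,
        # 2.11: VLANs that still broadcast packets matching no MAC entry.
        "vlans_broadcasting_on_miss": sorted(
            v for v in vlans
            if "mac-address miss action discard" not in vlan_cmds.get(v, ())),
        # 2.14: interfaces that forward packets whose source and destination
        # MAC addresses were both learned on that interface.
        "port_bridge_interfaces": sorted(
            n for n, cmds in iface_cmds.items() if "port bridge enable" in cmds),
    }


if __name__ == "__main__":
    for setting, state in audit(SAMPLE_CONFIG).items():
        print(f"{setting}: {state}")
```

The section splitter strips leading spaces, so it also accepts dumps in which the indentation of view-level commands has been lost.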

2.15 Maintaining MAC Address Tables

2.15.1 Displaying MAC Address Entries


Table 2-8 Commands used to display MAC address entries
Action                                                  Command
------------------------------------------------------  ------------------------------------------------------------
Display all MAC address entries.                        display mac-address
Display static MAC address entries.                     display mac-address static
Display MAC address entries learned in a VLAN.          display mac-address dynamic vlan vlan-id
Display MAC address entries learned on an interface.    display mac-address dynamic interface interface-type interface-number
Display a specified MAC address.                        display mac-address mac-address
Display the aging time of dynamic MAC address entries.  display mac-address aging-time
Display statistics on MAC address entries.              ● Display the total statistics: display mac-address total-number
                                                        ● Display the statistics of various types of MAC address entries: display mac-address summary
Display the system MAC address.                         display system mac-address
Display the bridge MAC address.                         display bridge mac-address
Display the MAC address of an interface.                display interface interface-type interface-number
                                                        Hardware address indicates the MAC address of the interface.
Display the MAC address of a VLANIF interface.          display interface vlanif vlan-id
                                                        Hardware address indicates the MAC address of the VLANIF interface.

2.15.2 Deleting MAC Address Entries


Table 2-9 Commands used to delete MAC address entries
Action                                                            Command
----------------------------------------------------------------  ------------------------------------------------
Delete dynamically learned MAC address entries.                   reset mac-address
Delete all static and blackhole MAC address entries.              undo mac-address all
Delete static and blackhole MAC address entries in a VLAN.        undo mac-address vlan vlan-id
Delete static and blackhole MAC address entries on an interface.  undo mac-address interface-type interface-number

2.15.3 Clearing MAC Address Flapping Records

Context
NOTE

● Cleared MAC address flapping records cannot be restored.
● When MAC address flapping occurs in a VLAN or BD and the loop is not eliminated, if
the interface is added to or removed from an Eth-Trunk, the values of Original-Port and
Move-Ports in MAC address flapping records remain unchanged. After the loop is
eliminated, delete MAC address flapping entries and perform detection again. This
prevents incorrect source and flapped interfaces from being detected, the loop from
being located incorrectly, and the punishment action (Error-Down state or storm
control) from being delivered to the incorrect flapped interface.

Procedure
● Run the reset mac-address flapping record [ all ] command in the user view
to clear MAC address flapping records.
----End

2.15.4 Enabling the Trap Function for MAC Address Change


Context
To learn of MAC address changes in a timely manner, enable the trap function for
MAC address learning or aging.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Run mac-address notification interval interval-time
The interval at which the device checks MAC address learning or aging is set.
By default, the device checks MAC address learning or aging at intervals of 10s.
Step 3 Run interface interface-type interface-number
The interface view is displayed.
Step 4 Run mac-address notification { aging | learning | all }
The trap function for MAC address learning or aging is enabled.
By default, the trap function for MAC address learning or aging is disabled.

----End

2.16 Configuration Examples for MAC Address Tables


This section only provides configuration examples for individual features. For
details about multi-feature configuration examples, feature-specific configuration
examples, interoperation examples, protocol or hardware replacement examples,
and industry application examples, see the Typical Configuration Examples.

2.16.1 Example for Configuring the MAC Address Table

Networking Requirements
As shown in Figure 2-12, the MAC address of the user host PC1 is
0002-0002-0002 and that of the user host PC2 is 0003-0003-0003. PC1 and PC2
are connected to the Switch through the LSW. The LSW is connected to 10GE1/0/1
of the Switch, which belongs to VLAN 2. The MAC address of the server is
0004-0004-0004. The server is connected to 10GE1/0/2 of the Switch. 10GE1/0/2
belongs to VLAN 2.
● To prevent hackers from using MAC addresses to attack the network,
configure two static MAC address entries on the Switch, one for each user host.
● To prevent hackers from stealing user information by forging the MAC
address of the server, configure a static MAC address entry on the Switch for
the server.

NOTE

This example applies to the scenario where there are few users. When there are many
users, perform dynamic binding according to Example for Configuring Port Security.

Figure 2-12 Configuring the MAC address table
[Figure: the Network Server (MAC address: 4-4-4) connects to 10GE1/0/2 of the
Switch; PC1 (MAC address: 2-2-2) and PC2 (MAC address: 3-3-3) connect through
the LSW to 10GE1/0/1 of the Switch]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add an interface to the VLAN to implement Layer 2
forwarding.
2. Configure static MAC address entries to prevent MAC address attacks.
3. Configure the aging time of dynamic MAC address entries to update the
entries.

Procedure
Step 1 Configure static MAC address entries.
# Create VLAN 2 and add 10GE1/0/1 and 10GE1/0/2 to VLAN 2.
<HUAWEI> system-view
[~HUAWEI] sysname Switch
[*HUAWEI] commit
[~Switch] vlan 2
[*Switch-vlan2] quit
[*Switch] interface 10ge 1/0/1
[*Switch-10GE1/0/1] port link-type trunk
[*Switch-10GE1/0/1] port trunk allow-pass vlan 2
[*Switch-10GE1/0/1] quit
[*Switch] interface 10ge 1/0/2
[*Switch-10GE1/0/2] port link-type trunk
[*Switch-10GE1/0/2] port trunk allow-pass vlan 2
[*Switch-10GE1/0/2] quit
[*Switch] commit

# Configure a static MAC address entry.


[~Switch] mac-address static 2-2-2 10GE 1/0/1 vlan 2
[*Switch] mac-address static 3-3-3 10GE 1/0/1 vlan 2
[*Switch] mac-address static 4-4-4 10GE 1/0/2 vlan 2
[*Switch] commit

Step 2 Set the aging time of a dynamic MAC address entry.


[~Switch] mac-address aging-time 500
[*Switch] commit

Step 3 Verify the configuration.

# Run the display mac-address static command in any view to check whether the
static MAC address entries are successfully added to the MAC address table.
[~Switch] display mac-address static vlan 2
BD : bridge-domain Age : dynamic MAC learned time in seconds
-------------------------------------------------------------------------------
MAC Address VLAN/VSI/BD Learned-From Type
-------------------------------------------------------------------------------
0002-0002-0002 2/-/- 10GE1/0/1 static
0003-0003-0003 2/-/- 10GE1/0/1 static
0004-0004-0004 2/-/- 10GE1/0/2 static
-------------------------------------------------------------------------------
Total items: 3

# Run the display mac-address aging-time command in any view to check
whether the aging time of dynamic entries is set successfully.
[~Switch] display mac-address aging-time
Aging time: 500 second(s)

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 2
#
mac-address aging-time 500
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2
#
mac-address static 0002-0002-0002 10GE1/0/1 vlan 2
mac-address static 0003-0003-0003 10GE1/0/1 vlan 2
mac-address static 0004-0004-0004 10GE1/0/2 vlan 2
#
return

2.16.2 Example for Configuring MAC Address Learning in a VLAN

Networking Requirements
As shown in Figure 2-13, user network 1 is connected to 10GE1/0/1 of the Switch
through an LSW. User network 2 is connected to 10GE1/0/2 of the Switch through
another LSW. Both 10GE1/0/1 and 10GE1/0/2 belong to VLAN 2. To prevent MAC
address attacks and limit the number of access users on the device, limit MAC
address learning on all the interfaces in VLAN 2.

Figure 2-13 Networking diagram for MAC address limiting in a VLAN
[Figure: user network 1 and user network 2 each connect through an LSW to
10GE1/0/1 and 10GE1/0/2 of the Switch; both interfaces are in VLAN 2]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add an interface to the VLAN to implement Layer 2
forwarding.
2. Limit MAC address learning on all the interfaces in the VLAN to prevent MAC
address attacks and limit the number of access users.

Procedure
Step 1 Limit MAC address learning.
# Add 10GE1/0/1 and 10GE1/0/2 to VLAN 2.
<HUAWEI> system-view
[~HUAWEI] sysname Switch
[*HUAWEI] commit
[~Switch] vlan 2
[*Switch-vlan2] quit
[*Switch] interface 10ge 1/0/1
[*Switch-10GE1/0/1] port link-type trunk
[*Switch-10GE1/0/1] port trunk allow-pass vlan 2
[*Switch-10GE1/0/1] quit
[*Switch] interface 10ge 1/0/2
[*Switch-10GE1/0/2] port link-type trunk
[*Switch-10GE1/0/2] port trunk allow-pass vlan 2

[*Switch-10GE1/0/2] quit
[*Switch] commit

# Configure the following MAC address limiting rule in VLAN 2: A maximum of
100 MAC addresses can be learned. When the number of learned MAC addresses
reaches the limit, the device sends an alarm.
[~Switch] vlan 2
[~Switch-vlan2] mac-address limit maximum 100 alarm enable
[*Switch-vlan2] quit
[*Switch] commit

Step 2 Verify the configuration.

# Run the display mac-address limit command in any view to check whether the
MAC address limiting rule is successfully configured.
[~Switch] display mac-address limit
MAC Address Limit is enabled
Total MAC Address limit rule count : 1

Port                 VLAN/VSI/SI/BD   Slot Maximum Action   Alarm
-------------------------------------------------------------------
--                   2                --   100     forward  enable

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 2
#
vlan 2
mac-address limit maximum 100
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2
#
return

2.16.3 Example for Configuring MAC Address Anti-flapping

Networking Requirements
Employees of an enterprise need to access the enterprise server. If an attacker uses
the server MAC address as the source MAC address to send packets to another
interface, the server MAC address is learned on the interface. Packets sent to the
server are sent to unauthorized users. In this case, employees cannot access the
server, and important data will be intercepted by the attacker.

As shown in Figure 2-14, MAC address anti-flapping can be configured to protect
the server from attacks.

Figure 2-14 Networking diagram of MAC address anti-flapping
[Figure: Server (MAC: 11-22-33), Switch with 10GE1/0/1 and 10GE1/0/2, LSW with
PC1, PC2 and PC3, and PC4 (MAC: 11-22-33); VLAN 10]

Configuration Roadmap
The configuration roadmap is as follows:

1. Create a VLAN and add an interface to the VLAN to implement Layer 2
forwarding.
2. Configure MAC address anti-flapping on the server-side interface.

Procedure
Step 1 Create a VLAN and add interfaces to the VLAN.

# Add 10GE1/0/1 and 10GE1/0/2 to VLAN 10.


<HUAWEI> system-view
[~HUAWEI] sysname Switch
[*HUAWEI] commit
[~Switch] vlan 10
[*Switch-vlan10] quit
[*Switch] interface 10ge 1/0/2
[*Switch-10GE1/0/2] port link-type trunk
[*Switch-10GE1/0/2] port trunk allow-pass vlan 10
[*Switch-10GE1/0/2] quit
[*Switch] interface 10ge 1/0/1
[*Switch-10GE1/0/1] port default vlan 10
[*Switch-10GE1/0/1] commit

Step 2 Set the MAC address learning priority of 10GE1/0/1 to 2.


[~Switch-10GE1/0/1] mac-address learning priority 2
[*Switch-10GE1/0/1] commit
[~Switch-10GE1/0/1] quit

Step 3 Verify the configuration.

# Run the display current-configuration command in any view to check whether
the MAC address learning priority of the interface is set correctly.

[~Switch] display current-configuration interface 10ge 1/0/1


#
interface 10GE1/0/1
port default vlan 10
mac-address learning priority 2
#
return

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10
#
interface 10GE1/0/1
port default vlan 10
mac-address learning priority 2
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return

2.16.4 Example for Configuring MAC Address Flapping Detection

Networking Requirements
As shown in Figure 2-15, a loop occurs on a user network because network cables
between two LSWs are incorrectly connected. The loop causes MAC address
flapping and bridge table flapping.
You can enable MAC address flapping detection on the Switch to detect MAC
address flapping and discover loops.

Figure 2-15 Networking diagram of MAC address flapping detection
[Figure: LSW1 and LSW2 connect to 10GE1/0/1 and 10GE1/0/2 of the Switch; an
incorrect connection links LSW1 and LSW2]

Configuration Roadmap
The configuration roadmap is as follows:

1. Enable MAC address flapping detection.
2. Set the aging time of flapping MAC addresses.
3. Configure the action performed on the interface when MAC address flapping
is detected on the interface to prevent loops.

Procedure
Step 1 Enable MAC address flapping detection.
<HUAWEI> system-view
[~HUAWEI] sysname Switch
[*HUAWEI] commit
[~Switch] mac-address flapping detection
[*Switch] commit

Step 2 Set the aging time of flapping MAC addresses.


[~Switch] mac-address flapping aging-time 500
[*Switch] commit

Step 3 Shut down 10GE1/0/1 and 10GE1/0/2 when MAC address flapping is detected.
[~Switch] interface 10ge 1/0/1
[~Switch-10GE1/0/1] mac-address flapping trigger error-down
[*Switch-10GE1/0/1] quit
[*Switch] interface 10ge 1/0/2
[*Switch-10GE1/0/2] mac-address flapping trigger error-down
[*Switch-10GE1/0/2] quit
[*Switch] commit

Step 4 Configure automatic recovery and set the automatic recovery time for the
shutdown interface.
[~Switch] error-down auto-recovery cause mac-address-flapping interval 500
[*Switch] commit

Step 5 Verify the configuration.

After the configuration is complete, when the MAC address on 10GE1/0/1 flaps to
10GE1/0/2, 10GE1/0/2 is shut down. Run the display mac-address flapping
command to view the flapping records.
[~Switch] display mac-address flapping
MAC Address Flapping Configurations :
-------------------------------------------------------------------------------
Flapping detection : Enable
Aging time(s) : 500
Quit-VLAN Recover time(m) : --
Exclude VLAN-list : --
Security level : Middle
Exclude BD-list : --
-------------------------------------------------------------------------------
S : start time E : end time (D) : error down
-------------------------------------------------------------------------------
Time : S:2017-08-24 14:40:11 E:2017-08-24 14:40:23
VLAN/BD : 1/-
MAC Address : 0025-9e95-7c24
Original-Port: 10GE1/0/1
Move-Ports : 10GE1/0/2(D)
MoveNum : 83
-------------------------------------------------------------------------------
Total items on slot 1: 1

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
mac-address flapping aging-time 500
#
error-down auto-recovery cause mac-address-flapping interval 500
#
interface 10GE1/0/1
mac-address flapping trigger error-down
#
interface 10GE1/0/2
mac-address flapping trigger error-down
#
return
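
The flapping records shown in Step 5 can be turned into structured events so that a record for the MAC address of a server or gateway (the forged-MAC case of section 2.16.3) is reviewed first. The following Python script is an added example, not Huawei code; the protected_macs parameter and the event field names are assumptions of this example, and the input is the sample output from this page.

```python
"""Parse `display mac-address flapping` output into triage events
(added example, not vendor code)."""
import re
from datetime import datetime

# Output reproduced from section 2.16.4 of this page.
SAMPLE_OUTPUT = """\
MAC Address Flapping Configurations :
-------------------------------------------------------------------------------
Flapping detection        : Enable
Aging time(s)             : 500
Quit-VLAN Recover time(m) : --
Exclude VLAN-list         : --
Security level            : Middle
Exclude BD-list           : --
-------------------------------------------------------------------------------
S : start time  E : end time  (D) : error down
-------------------------------------------------------------------------------
Time         : S:2017-08-24 14:40:11 E:2017-08-24 14:40:23
VLAN/BD      : 1/-
MAC Address  : 0025-9e95-7c24
Original-Port: 10GE1/0/1
Move-Ports   : 10GE1/0/2(D)
MoveNum      : 83
-------------------------------------------------------------------------------
Total items on slot 1: 1
"""

CONFIG_KEYS = {"Flapping detection", "Aging time(s)", "Security level",
               "Quit-VLAN Recover time(m)", "Exclude VLAN-list",
               "Exclude BD-list"}
RECORD_KEYS = {"VLAN/BD", "MAC Address", "Original-Port", "Move-Ports", "MoveNum"}
TIME_FMT = "%Y-%m-%d %H:%M:%S"
STAMP = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
TIME_RE = re.compile(rf"S:{STAMP}\s+E:{STAMP}")


def normalize_mac(mac):
    """Return 12 lowercase hex digits; expands short forms such as 2-2-2."""
    groups = mac.strip().lower().split("-")
    if len(groups) == 3:  # H-H-H form used on this page
        return "".join(g.zfill(4) for g in groups)
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_flapping(output):
    """Return (config, records) from the command output."""
    config, records, current = {}, [], None
    for raw in output.splitlines():
        key, sep, value = raw.partition(":")
        key, value = key.strip(), value.strip()
        if not sep:
            continue
        if key in CONFIG_KEYS:
            config[key] = value
        elif key == "Time":  # every record starts with its Time line
            current = {"Time": value}
        elif key in RECORD_KEYS and current is not None:
            current[key] = value
            if key == "MoveNum":  # last field of a record
                records.append(current)
                current = None
    return config, records


def triage(output, protected_macs=()):
    """Return (config, events); events on protected MACs sort first."""
    config, records = parse_flapping(output)
    protected = {normalize_mac(m) for m in protected_macs}
    events = []
    for rec in records:
        match = TIME_RE.search(rec["Time"])
        if not match:
            continue
        start, end = (datetime.strptime(t, TIME_FMT) for t in match.groups())
        seconds = max((end - start).total_seconds(), 1.0)
        # Assumption: several move ports are separated by commas or spaces.
        ports = [p for p in re.split(r"[,\s]+", rec.get("Move-Ports", "")) if p]
        mac = normalize_mac(rec["MAC Address"])
        events.append({
            "mac": mac,
            "vlan_bd": rec["VLAN/BD"],
            "original_port": rec["Original-Port"],
            "move_ports": [p[:-3] if p.endswith("(D)") else p for p in ports],
            "error_down_ports": [p[:-3] for p in ports if p.endswith("(D)")],
            "moves": int(rec["MoveNum"]),
            "moves_per_s": round(int(rec["MoveNum"]) / seconds, 2),
            "protected": mac in protected,
        })
    events.sort(key=lambda e: (not e["protected"], -e["moves_per_s"]))
    return config, events


if __name__ == "__main__":
    # Assumption: the operator lists MACs of servers and gateways to protect.
    for event in triage(SAMPLE_OUTPUT, protected_macs=["25-9e95-7c24"])[1]:
        print(event)
```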

2.17 Troubleshooting MAC Address Tables

2.17.1 Correct MAC Address Entry Cannot Be Learned on the Device

Fault Description
MAC address entries cannot be learned on the device, so Layer 2 forwarding fails.

Procedure
Step 1 Check that the configurations on the interface are correct.

Run the display mac-address command in any view to check whether the binding
relationships between the MAC address, VLAN, and interface are correct.
<HUAWEI> display mac-address
Flags: * - Backup
# - forwarding logical interface, operations cannot be performed based
on the interface.
BD : bridge-domain Age : dynamic MAC learned time in seconds
-------------------------------------------------------------------------------
MAC Address VLAN/VSI/BD Learned-From Type
-------------------------------------------------------------------------------
0025-9e80-2494 1/-/- 10GE1/0/1 dynamic
-------------------------------------------------------------------------------
Total items: 1

If not, re-configure the binding relationships between the MAC address, VLAN,
and interface.
If yes, go to step 2.
Step 2 Check whether a loop on the network causes MAC address flapping.
● If a loop exists, remove the loop from the network.
● If no loop exists, go to step 3.
Step 3 Check that MAC address learning is enabled.
Check whether MAC address learning is enabled in the interface view and the
VLAN view.
[~HUAWEI-10GE1/0/1] display this
#
interface 10GE1/0/1
mac-address learning disable
port link-type trunk
port trunk allow-pass vlan 10
#
return
[~HUAWEI-vlan10] display this
#
vlan 10
mac-address learning disable
#
return

If the command output contains mac-address learning disable, MAC address
learning is disabled on the interface or VLAN.
● If MAC address learning is disabled, run the undo mac-address learning
disable [ action { discard | forward } ] command in the interface view or
undo mac-address learning disable in the VLAN view to enable MAC
address learning.
● If MAC address learning is enabled on the interface or VLAN, go to step 4.
Step 4 Check whether any blackhole MAC address entry or MAC address limiting is
configured.
If a blackhole MAC address entry or MAC address limiting is configured, the
interface discards packets.
● Blackhole MAC address entry
Run the display mac-address blackhole command to check whether any
blackhole MAC address entry is configured.

<HUAWEI> display mac-address blackhole
Flags: * - Backup
# - forwarding logical interface, operations cannot be performed based
on the interface.
BD : bridge-domain Age : dynamic MAC learned time in seconds
-------------------------------------------------------------------------------
MAC Address     VLAN/VSI/BD   Learned-From   Type        Age
-------------------------------------------------------------------------------
0001-0001-0001  100/-/-       -              blackhole   -
0002-0002-0002  200/-/-       -              blackhole   -
-------------------------------------------------------------------------------
Total items: 2

If a blackhole MAC address entry is displayed, run the undo mac-address
blackhole command to delete it.
● MAC address limiting on the interface or VLAN
– Run the display this command in the interface view or VLAN view. If the
command output contains mac-address limit maximum, the number of
learned MAC addresses is limited. Run either of the following commands:

▪ Run the undo mac-address limit command in the interface view or
VLAN view to cancel MAC address limiting.
▪ Run the mac-address limit command in the interface view or VLAN
view to increase the maximum number of learned MAC address
entries.
– Run the display this command in the interface view. If the command
output contains port-security maximum or port-security enable, the
number of secure dynamic MAC addresses is limited on the interface. Run
either of the following commands:
NOTE

By default, the limit on the number of secure dynamic MAC addresses is 1 after
port security is enabled.

▪ Run the undo port-security enable command in the interface view
to disable port security.
▪ Run the port-security maximum command in the interface view to
increase the maximum number of secure dynamic MAC address
entries on the interface.
If the fault persists, go to step 5.
Step 5 Check whether the number of learned MAC address entries has reached the
maximum value supported by the switch.
Run the display mac-address summary command to check the number of MAC
address entries in the MAC address table.
● If the number of learned MAC address entries has reached the maximum
value supported by the switch, no MAC address entry can be created. Run the
display mac-address command to view all MAC address entries.
– If the number of MAC address entries learned on an interface is much
larger than the number of devices on the network connected to the
interface, a user on the network may maliciously update the MAC
address table. Check the device connected to the interface:

▪ If the interface is connected to a device, run the display mac-address
command on the device to view its MAC address table.
Locate the interface connected to the malicious user host based on
the displayed MAC address entries. If the interface that you find is
connected to another device, repeat this step until you find the
interface connected to the malicious user.

▪ If the interface is connected to a computer, perform either of the
following operations after obtaining permission from the
administrator:
○ Disconnect the computer. When the attack stops, connect the
computer to the network again.
○ Run the port-security enable command on the interface to
enable port security or run the mac-address limit command to
set the maximum number of MAC addresses that the interface
can learn to 1.

▪ If the interface is connected to a hub, perform either of the following
operations:
○ Configure port mirroring or other tools to observe packets
received by the interface. Analyze the packet types to locate the
attacking computer. Disconnect the computer after obtaining
permission from the administrator. When the attack stops,
connect the computer to the hub again.
○ Disconnect computers connected to the hub one by one after
obtaining permission from the administrator. If the fault is
rectified after a computer is disconnected, the computer is the
attacker. After it stops the attack, connect it to the hub again.
– If the number of MAC addresses on the interface is equal to or smaller
than the number of devices connected to the interface, the number of
devices connected to the switch has exceeded the maximum supported
by the switch. Adjust network deployment.

----End
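
The per-interface comparison in Step 5, as an added example (not part of the original guide and not Huawei tooling): a Python parser for display mac-address output in the column layout shown in Step 1 that counts dynamic entries per interface and flags interfaces that have learned far more MAC addresses than the number of devices expected behind them. The sample output, the expected-device inventory, and the threshold factor are constructed assumptions.

```python
import re
from collections import Counter

# One entry row of `display mac-address`, in the column order shown in Step 1:
# MAC address, VLAN/VSI/BD, Learned-From interface, Type.
ENTRY_RE = re.compile(
    r"^(?P<mac>(?:[0-9a-fA-F]{4}-){2}[0-9a-fA-F]{4})\s+"
    r"(?P<scope>\S+)\s+(?P<port>\S+)\s+(?P<type>\S+)"
)


def parse_mac_table(text):
    """Return (mac, vlan_vsi_bd, port, type) for every entry row; skip headers."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["mac"].lower(), m["scope"], m["port"], m["type"]))
    return entries


def dynamic_count_per_port(entries):
    """Count dynamically learned entries per interface (other types excluded)."""
    return Counter(port for _, _, port, kind in entries if kind == "dynamic")


def flag_suspect_ports(entries, expected_hosts, factor=4, default_expected=1):
    """Return {port: (learned, expected)} where learned > factor * expected.

    expected_hosts is the operator's own inventory of how many devices sit
    behind each interface; factor is a tunable threshold (assumption).
    """
    suspects = {}
    for port, learned in dynamic_count_per_port(entries).items():
        expected = expected_hosts.get(port, default_expected)
        if learned > factor * expected:
            suspects[port] = (learned, expected)
    return suspects


def build_sample_output():
    """Constructed sample: two hosts on 10GE1/0/1, 12 MACs on 10GE1/0/2."""
    rows = [
        "-" * 79,
        "MAC Address    VLAN/VSI/BD   Learned-From        Type",
        "-" * 79,
        "0025-9e80-2494 1/-/-         10GE1/0/1           dynamic",
        "0025-9e80-2495 1/-/-         10GE1/0/1           dynamic",
        "0001-0001-0001 100/-/-       -                   blackhole",
    ]
    rows += [f"00e0-fc00-{i:04x} 10/-/-        10GE1/0/2           dynamic"
             for i in range(12)]
    rows += ["-" * 79, "Total items: 15"]
    return "\n".join(rows)


SAMPLE_OUTPUT = build_sample_output()
EXPECTED_HOSTS = {"10GE1/0/1": 2, "10GE1/0/2": 1}  # constructed inventory

if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_OUTPUT)
    for port, (learned, expected) in flag_suspect_ports(table, EXPECTED_HOSTS).items():
        print(f"{port}: {learned} dynamic MACs learned, {expected} device(s) expected")
```

An interface flagged here is the starting point for the hop-by-hop search described in Step 5; the count alone does not identify the host.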

3 Link Aggregation Configuration

Link aggregation is a technology that bundles multiple Ethernet links into a logical
link to increase bandwidth, improve reliability, and load balance traffic.

3.1 Overview of Link Aggregation
3.2 Understanding Link Aggregation
3.3 Application Scenarios for Link Aggregation
3.4 Summary of Link Aggregation Configuration Tasks
3.5 Licensing Requirements and Limitations for Ethernet Link Aggregation
3.6 Default Settings for Link Aggregation
3.7 Configuring Link Aggregation in Manual Load Balancing Mode
3.8 Configuring Link Aggregation in LACP Mode
3.9 Configuring Preferential Forwarding of Local Traffic on an Eth-Trunk in a Stack
On a network where interfaces of multiple switches in a stack form an Eth-Trunk,
you can configure the Eth-Trunk to preferentially forward local traffic to increase
bandwidth use efficiency between stack devices and improve traffic forwarding
efficiency.
3.10 Creating an Eth-Trunk Layer 3 Sub-interface
3.11 Maintaining Link Aggregation
3.12 Configuration Examples for Link Aggregation
3.13 Troubleshooting Link Aggregation

3.1 Overview of Link Aggregation


Definition
Ethernet link aggregation, also called Eth-Trunk, bundles multiple physical links
into a logical link to increase link bandwidth. The bundled links back up each
other, increasing reliability.

Purpose
As networks grow in scale, users require Ethernet backbone networks to provide
higher bandwidth and reliability. In the past, to increase the bandwidth, users had
to replace legacy devices with high-speed devices. This solution, however, is costly
and inflexible.
Link aggregation helps increase bandwidth by bundling a group of physical
interfaces into a single logical interface, without having to upgrade hardware. In
addition, link aggregation provides link backup mechanisms, greatly improving
link reliability.
Link aggregation has the following advantages:
● Increased bandwidth
The bandwidth of the link aggregation interface is the sum of the bandwidth
of member interfaces.
● Higher reliability
When an active link fails, traffic on this active link moves to another active
link, improving reliability of the link aggregation interface.
● Load balancing
In a link aggregation group (LAG), traffic is load balanced among active link
members.

3.2 Understanding Link Aggregation

3.2.1 Concepts
In Figure 3-1, DeviceA and DeviceB are connected through three Ethernet physical
links. These links bundle into a logical link, and their bandwidths are combined to
form the total bandwidth of the logical link. The three physical Ethernet links
provide backup for each other, improving reliability.

NOTE
Both devices connected by the Eth-Trunk must use the same number of physical interfaces,
interface rate, jumbo, and flow control mode.

Figure 3-1 Eth-Trunk networking
[Figure: DeviceA and DeviceB connected by an Eth-Trunk.]

The link aggregation interface can be used as a common Ethernet interface to
implement routing protocols and other services. Unlike a common Ethernet
interface, the link aggregation interface needs to select one or more member
interfaces to forward traffic.
Link aggregation concepts are described as follows:
● Link aggregation, link aggregation group (LAG), and link aggregation
interface
Link aggregation technology bundles a group of physical interfaces into a
logical interface to increase bandwidth and improve reliability.
An LAG binds multiple Ethernet links.
Each LAG has one logical interface, that is, link aggregation interface or Eth-
Trunk.
● Member interface and member link
The interfaces that constitute an Eth-Trunk are member interfaces. A link
corresponding to a member interface is a member link.
● Active and inactive interfaces and links
There are two types of interfaces in a LAG: active interfaces that forward data
and inactive interfaces that do not forward data.
The link connected to an active interface is the active link, and the link
connected to an inactive interface is the inactive link.
● Upper threshold for the number of active interfaces
When the number of active interfaces reaches this threshold, the bandwidth
of the Eth-Trunk will not increase even if more member links go Up. This
guarantees high network reliability. When the number of active member
interfaces reaches the upper threshold, additional active member interfaces
go Down.
For example, 8 fully-functioning member links bundle into an Eth-Trunk link,
with each link providing a bandwidth of 1 Gbit/s. If the Eth-Trunk link only
needs to provide a maximum bandwidth of 5 Gbit/s, you can set the
maximum number of Up member links to 5 or larger. The remaining
unselected links in Up state automatically enter the backup state, improving
reliability.
NOTE

The upper threshold for the number of active interfaces is inapplicable to the manual
load balancing mode. For details about the manual load balancing mode, see 3.2.3
Link Aggregation in Manual Load Balancing Mode.
● Lower threshold for the number of active interfaces
When the number of active interfaces falls below the lower threshold, the
Eth-Trunk goes Down. This guarantees the minimum available bandwidth for
the Eth-Trunk.
For example, if the Eth-Trunk is required to provide a minimum bandwidth of
2 Gbit/s and each member link's bandwidth is 1 Gbit/s, the lower threshold
must be set to 2 or larger.

3.2.2 Forwarding Principle


As shown in Figure 3-2, an Eth-Trunk is deployed at the data link layer, that is,
between the LLC sub-layer and the MAC sub-layer.

Figure 3-2 Eth-Trunk in the Ethernet protocol stack
[Figure: in the data link layer, the Eth-Trunk sits between the LLC and MAC
sub-layers; the physical layer (PHY) lies below.]

The Eth-Trunk forwarding table is composed of the following entries:
● HASH-KEY value
The key value is calculated through the hash algorithm based on the MAC
address or IP address in a data packet.
● Interface number
Eth-Trunk forwarding entries are relevant to the number of member interfaces
in an Eth-Trunk. Different HASH-KEY values map different outbound
interfaces.
If physical interfaces 1, 2, 3, and 4 are bundled into an Eth-Trunk, the Eth-
Trunk forwarding table contains four entries and the HASH-KEY values
correspond to interface numbers, as shown in Figure 3-3.

Figure 3-3 Example of an Eth-Trunk forwarding table

HASH-KEY  0  1  2  3  4  5  6  7  8  ...  15
PORT      1  2  3  4  1  2  3  4  1  ...  4

The Eth-Trunk module forwards a packet according to the Eth-Trunk forwarding
table:
1. The Eth-Trunk module receives a packet from the MAC sub-layer, and then
extracts its source MAC address/IP address or destination MAC address/IP
address.
2. The Eth-Trunk module calculates the HASH-KEY value using the hash
algorithm.
3. Based on the HASH-KEY value, the Eth-Trunk module searches the Eth-Trunk
forwarding table for the interface number, and then sends the packet from
the corresponding interface.

3.2.3 Link Aggregation in Manual Load Balancing Mode


Link aggregation can work in manual load balancing or Link Aggregation Control
Protocol (LACP) mode. The main difference between the two modes is whether
LACP is used.
In manual load balancing mode, you must manually create an Eth-Trunk and add
member interfaces to the Eth-Trunk. LACP is not used. In this mode, all active links
load balance traffic evenly. If an active link fails, the other active links share the
traffic evenly. The manual load balancing mode is suitable in scenarios where the
link between two directly connected devices requires a high bandwidth but the
devices do not support the LACP protocol.

3.2.4 Link Aggregation in LACP Mode


Background
An Eth-Trunk in manual load balancing mode can increase the bandwidth. In
manual mode, however, only member link disconnections can be detected. Other
faults, such as link layer faults and incorrect link connections, cannot be detected.
The Link Aggregation Control Protocol (LACP) can be used to detect more fault
types, improving fault tolerance of the Eth-Trunk, providing backup, and ensuring
high reliability of member links.
LACP provides a standard negotiation mechanism that a switching device can use
to create and start the aggregated link based on its configuration. LACP maintains
the link status after the aggregated link is created and adjusts or removes the link
if an aggregated link's status changes.
For example, in Figure 3-4, four interfaces on DeviceA should be connected to the
corresponding interfaces on DeviceB, and these interfaces are all bundled into an
Eth-Trunk. However, one interface on DeviceA has been connected to an interface
on DeviceC. As a result, DeviceA may send data destined for DeviceB to DeviceC. If
link aggregation in manual load balancing mode is used, this fault would go
undetected.
In this situation, if LACP is enabled on DeviceA and DeviceB, the Eth-Trunk only
selects active links (links connected to DeviceB) to forward data after negotiation.
Data sent by DeviceA destined for DeviceB only reaches DeviceB.

Figure 3-4 Incorrect Eth-Trunk connection
[Figure: DeviceA and DeviceB are connected by an Eth-Trunk; one interface on
DeviceA is connected to DeviceC instead of DeviceB.]

Concepts
● LACP system priority
LACP system priorities determine the sequence in which devices at two ends
of an Eth-Trunk select active interfaces to join a LAG. In order for a LAG to be
established, both devices must select the same interfaces as active interfaces.
To achieve this, one device (with a higher priority) is responsible for selecting
the active interfaces. The other device (with a lower priority) then selects the
same interfaces as active interfaces. In priority comparisons, numerically
lower values have higher priority.
● LACP interface priority
Interface LACP priorities affect which interfaces of an Eth-Trunk are selected
as active interfaces. The smaller the LACP interface priority value, the higher
the LACP interface priority. The interfaces with the highest LACP interface
priority become active interfaces.

Implementation of Link Aggregation in LACP Mode


LACP, as specified in IEEE 802.3ad, implements dynamic link aggregation and de-
aggregation, allowing devices at both ends of the link to exchange Link
Aggregation Control Protocol Data Units (LACPDUs).
After member interfaces are added to an Eth-Trunk in LACP mode, each device
sends LACPDUs to inform the other device of its system priority, MAC address,
member interface priorities, interface numbers, and keys. Keys are used to
determine whether the remote end connected to each interface is in the same
LAG and whether bandwidth of each interface is the same. The other device then
compares this information with its own corresponding information, and selects
which interfaces are to be aggregated. Both devices perform LACP negotiation to
select active interfaces and links.
● An Eth-Trunk in LACP mode is set up as follows:
a. Devices at both ends exchange LACPDUs.
As shown in Figure 3-5, create an Eth-Trunk in LACP mode on DeviceA
and DeviceB and add member interfaces to the Eth-Trunk. Then enable
LACP on the member interfaces. Both devices can then exchange
LACPDUs.

Figure 3-5 Exchange of LACPDUs
[Figure: DeviceA and DeviceB send LACPDUs to each other.]

b. Devices at both ends determine the Actor and active links.
As shown in Figure 3-6, when DeviceB receives LACPDUs from DeviceA,
DeviceB checks and records information about DeviceA and compares
system priorities. If the system priority of DeviceA is higher than that of
DeviceB, DeviceA becomes the Actor. If DeviceA and DeviceB have the
same system priority, the device with a smaller MAC address becomes the
Actor.
After devices at both ends select the Actor, they select active interfaces
according to the priorities of the Actor's interfaces. An Eth-Trunk is
established when devices at both ends select the same interfaces as
active interfaces. After Eth-Trunk is established, active links load balance
data.

Figure 3-6 Selecting the Actor and active links in LACP mode
[Figure: three panels. DeviceA is the device with higher system priority and
DeviceB the device with lower system priority; the member ports have LACP port
priorities 1, 2, 3 on DeviceA and 3, 2, 1 on DeviceB. The devices compare
system priority and determine the Actor (DeviceA); the Actor then determines
the active links.]
● LACP preemption
When LACP preemption is enabled, interfaces with higher priorities in a LAG
always function as active interfaces.
As shown in Figure 3-7, Port 1, Port 2, and Port 3 are member interfaces of
an Eth-Trunk; DeviceA acts as the Actor; the upper threshold for the number
of active interfaces is 2; LACP priorities of Port 1, Port 2, and Port 3 are 10, 20,
and 30 respectively. When LACP negotiation is complete, Port 1 and Port 2 are
selected as active interfaces because their LACP priorities are higher, and Port
3 is used as the backup interface.

Figure 3-7 LACP preemption
[Figure: DeviceA (Actor) and DeviceB connected by an Eth-Trunk over Port 1,
Port 2, and Port 3, with LACP port priorities 10, 20, and 30. Legend: active
link, backup link.]

LACP preemption has the following effects on selection of the active
interfaces:
– LACP preemption allows the original active interface to be re-selected
after recovering from a fault. For example, when Port 1 fails, Port 3
replaces Port 1 as the active interface. LACP preemption is not enabled
on the Eth-Trunk by default, and Port 1 remains in the backup state after
it recovers. If LACP preemption is enabled on the Eth-Trunk, Port 1
replaces Port 3 to become the active interface again.
– LACP preemption allows active interfaces to be re-selected when the
LACP interface priority changes. For example, the LACP interface priority
of Port 3 is changed to 5. If LACP preemption is enabled, Port 3 will
replace Port 2 as an active interface.
● LACP preemption delay
The LACP preemption delay is the time that a backup link waits before
becoming the active link after LACP preemption occurs. The LACP preemption
delay is used to prevent unstable data transmission over an Eth-Trunk link
caused by frequent status changes of member links.
● Switchover between active and inactive links
In LACP mode, a link switchover in a LAG is triggered if a device at one end
detects one of the following events:
– An active link goes Down.
– LACP detects a link fault.
– An active interface becomes unavailable.
– When LACP preemption is enabled, a backup interface becomes the
active interface when its priority is changed to be higher than that of the
current active interface.
When any of the preceding events occurs, LACP takes effect in the following
sequence:
a. Shuts down the faulty link.
b. Selects the backup link with the highest priority among N backup links to
replace the faulty active link.
c. The highest priority backup link becomes the active link and begins
forwarding data.
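
The Actor election and active-interface selection described above, replayed for the Figure 3-7 scenario with and without LACP preemption. This is an added example, not part of the original guide and not the switch's implementation: the class and function names, the system priorities, and the MAC addresses are constructed, and the LACP preemption delay is not modelled.

```python
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    system_priority: int  # numerically lower value = higher priority
    mac: str              # tie-breaker when system priorities are equal
    port_priority: dict   # member interface -> LACP interface priority


def elect_actor(a, b):
    """Higher system priority (lower value) wins; on a tie, the smaller MAC wins."""
    return min((a, b), key=lambda d: (d.system_priority,
                                      int(d.mac.replace("-", ""), 16)))


def rank(actor, ports):
    """Order ports by the Actor's LACP interface priority, best first.
    The port name as a secondary key is an assumption to keep ties deterministic."""
    return sorted(ports, key=lambda p: (actor.port_priority[p], p))


class EthTrunk:
    def __init__(self, actor, max_active, preempt=False):
        self.actor = actor
        self.max_active = max_active   # upper threshold for active interfaces
        self.preempt = preempt
        self.up = set(actor.port_priority)
        self.active = rank(actor, self.up)[:max_active]

    def backup(self):
        return [p for p in rank(self.actor, self.up) if p not in self.active]

    def _reselect(self):
        if self.preempt:
            # Preemption: the best-priority Up ports are always the active ones.
            self.active = rank(self.actor, self.up)[:self.max_active]
            return
        # No preemption: working active ports keep their role; only vacancies
        # are filled, from the highest-priority backup links.
        kept = [p for p in self.active if p in self.up]
        spare = [p for p in rank(self.actor, self.up) if p not in kept]
        self.active = kept + spare[:self.max_active - len(kept)]

    def link_down(self, port):
        self.up.discard(port)
        self._reselect()

    def link_up(self, port):
        self.up.add(port)
        self._reselect()

    def set_priority(self, port, value):
        self.actor.port_priority[port] = value
        self._reselect()


def figure_3_7_trunk(preempt):
    """Figure 3-7 port priorities; system priorities and MACs are constructed."""
    device_a = Device("DeviceA", 100, "00e0-fc00-0001",
                      {"Port 1": 10, "Port 2": 20, "Port 3": 30})
    device_b = Device("DeviceB", 32768, "00e0-fc00-0002",
                      {"Port 1": 10, "Port 2": 20, "Port 3": 30})
    return EthTrunk(elect_actor(device_a, device_b), max_active=2, preempt=preempt)


if __name__ == "__main__":
    for preempt in (False, True):
        trunk = figure_3_7_trunk(preempt)
        trunk.link_down("Port 1")   # Port 3 takes over
        trunk.link_up("Port 1")     # Port 1 recovers
        print(f"preempt={preempt}: active={trunk.active} backup={trunk.backup()}")
```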

LACP Implementation Modes


LACP can work in static or dynamic LACP mode:

● Static LACP mode
In static LACP mode, two ends exchange LACPDUs to negotiate link
aggregation parameters to determine active and inactive interfaces.
In static LACP mode, you must manually create an Eth-Trunk and add
member interfaces to the Eth-Trunk. Different from the manual load
balancing mode, the static LACP mode selects active member interfaces by
sending LACPDUs. That is, when a group of interfaces are added to an Eth-
Trunk, devices at the two ends determine active and inactive interfaces by
sending LACPDUs to each other.
The static LACP mode is called the M:N mode. In this mode, both load
balancing and redundancy can be implemented. In a LAG, M links are active
to forward data and perform load balancing, and other N links are inactive.
The inactive links function as backup links and do not forward data. When
one active link fails, the system selects the link with the highest priority
among backup links to replace the faulty link. The link with the highest
priority becomes active and starts to forward data.
On the network shown in Figure 3-8, DeviceA and DeviceB are directly
connected and both of them support LACP. The Eth-Trunk working in static
LACP mode can be configured on the two devices to implement load
balancing and link backup. The static LACP mode is mainly applied to
situations where the bandwidth of M links must be assured and a fault
tolerance mechanism is in place. If an active link fails, the system selects the
backup link with the highest priority as the active link.

Figure 3-8 Eth-Trunk in static LACP mode
[Figure: DeviceA and DeviceB connected by an Eth-Trunk. Legend: active link,
backup link.]

● Dynamic LACP mode
LACPDU exchange in static and dynamic LACP modes is the same, but the
processing upon an LACP negotiation failure is different:
– In static LACP mode, an Eth-Trunk becomes Down and cannot forward
data after an LACP negotiation failure.
– In dynamic LACP mode, an Eth-Trunk becomes Down after an LACP
negotiation failure, but its member interfaces inherit VLAN attributes of
the Eth-Trunk and enter the Indep state. The member interfaces can still
forward data at Layer 2.
After a device configured with an Eth-Trunk in dynamic LACP mode receives
LACPDUs from the remote device, the two devices will use LACPDUs to
negotiate link aggregation parameters. After the negotiation, link aggregation
provides the same function as the Eth-Trunk working in static LACP mode.
An Eth-Trunk in dynamic LACP mode is often used to directly connect the
device and server. As shown in Figure 3-9, ServerA needs to obtain the
configuration file from ServerB through DeviceA.
– After ServerA restarts and has no configuration, LACP negotiation fails.
The dynamic LACP mode ensures that ServerA obtains the configuration
file from ServerB through an Eth-Trunk member interface.
– After DeviceA receives LACPDUs from ServerA, it uses LACPDUs to
negotiate link aggregation parameters with ServerA.

Figure 3-9 Eth-Trunk in dynamic LACP mode
[Figure: ServerA connects to DeviceA through an Eth-Trunk in dynamic LACP mode;
DeviceA connects through a gateway to the file server ServerB.]

NOTE

Eth-Trunk in dynamic LACP mode can be used only in a scenario where a Huawei device is
interconnected with a server. (Ports on the server must be isolated from each other. For
example, NICs on the server cannot be configured to work in bridge mode. If the ports are not
isolated, loops may occur on the network.) In other scenarios, you are advised to deploy Eth-
Trunk in static LACP mode.

3.2.5 Load Balancing Using Link Aggregation


Load balancing can be implemented on a data flow or multiple data flows to
relieve the pressure on a single physical link. A data flow is a group of data
packets with one or more identical attributes. The attributes include the source/
destination MAC address, source/destination IP address, and source/destination
TCP/UDP port number.

When an Eth-Trunk is used to forward data frames, data frames of the same data
flow may be transmitted over different physical links. This mode ensures optimal
bandwidth utilization. However, data frames may arrive at the destination in an
order different from the one in which they were transmitted, resulting in
mis-sequencing.

Flow-based load balancing is introduced to prevent this problem. Flow-based load
balancing ensures that frames of the same data flow are forwarded on the same
physical link and implements load balancing of flows. The system achieves this by
using the hash algorithm to calculate the address in a data frame and generate a
HASH-KEY value. Then the system searches for the outbound interface in the Eth-
Trunk forwarding table based on the generated HASH-KEY value. Each MAC or IP
address corresponds to a HASH-KEY value, so the system uses different outbound
interfaces to forward data. Flow-based load balancing ensures the sequence of
data transmission, but cannot ensure the bandwidth utilization.

3.2.6 Preferential Forwarding of Local Traffic on an Eth-Trunk in a Stack

Concepts
● Stack device
The stack device is a logical device formed by connecting multiple devices
through dedicated stack cables. In Figure 3-10, DeviceB and DeviceC are
connected to form a logical device.
● Inter-device Eth-Trunk
An inter-chassis Eth-Trunk contains physical interfaces of multiple devices in a
stack. When a device in the stack fails or a physical interface added to the
Eth-Trunk fails, traffic can be transmitted between devices through stack
cables. This ensures reliable transmission and implements device backup.
● Preferential forwarding of local traffic
In network b of Figure 3-10, traffic from DeviceB or DeviceC is only
forwarded through local member interfaces when the network runs properly.
In network a of Figure 3-10, traffic is forwarded across devices through stack
cables.

Figure 3-10 Inter-device Eth-Trunk
[Figure: DeviceB and DeviceC form a stack (iStack) and connect to DeviceA
through an Eth-Trunk. Panel a: the Eth-Trunk is not enabled to preferentially
forward local interface traffic. Panel b: the Eth-Trunk is enabled to
preferentially forward local interface traffic. Legend: data flow 1, data
flow 2, stack cable.]

Inter-Device Eth-Trunk Supporting Preferential Forwarding of Local Traffic


Inter-chassis Eth-Trunk supporting preferential forwarding of local traffic saves
bandwidth resources between devices and improves traffic forwarding efficiency.
In a stack, an Eth-Trunk is configured to be the outbound interface of traffic to
ensure reliable transmission. Eth-Trunk member interfaces are located on different
devices. If preferential forwarding of local traffic is not enabled, when the stack
device forwards traffic, the Eth-Trunk may select inter-device member interfaces
based on the hash algorithm. This forwarding mode occupies bandwidth resources
between devices and reduces traffic forwarding efficiency.

As shown in Figure 3-10, DeviceB and DeviceC constitute a stack, and the stack
connects to DeviceA through an Eth-Trunk. After the Eth-Trunk in the stack is
configured to preferentially forward local traffic, the following functions are
implemented:

● Forwarding received traffic by the local device
When DeviceB has Eth-Trunk member interfaces and the member interfaces
function properly, the Eth-Trunk forwarding table of DeviceB contains only
local member interfaces. In this manner, the hash algorithm selects a local
member interface, and traffic is only forwarded through DeviceB.
● Forwarding received traffic by another device
When DeviceB does not have any Eth-Trunk member interface or all member
interfaces are faulty, the Eth-Trunk forwarding table of DeviceB contains all
available member interfaces. In this manner, the hash algorithm selects a
member interface on DeviceC, and traffic is forwarded through DeviceC.
NOTE

● This function is only valid for known unicast packets, and is invalid for unknown unicast,
broadcast, and multicast packets.
● Before configuring an Eth-Trunk to preferentially forward local traffic, ensure that
member interfaces of the local Eth-Trunk have sufficient bandwidth to forward local
traffic; otherwise, traffic may be discarded.
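
The HASH-KEY lookup from 3.2.2, the flow-based selection from 3.2.5, and the local-member forwarding table from 3.2.6, combined in one added example (not part of the original guide). The hash function is an assumption, since the guide does not specify the switch's algorithm, and the member interfaces, addresses, and byte counts are constructed.

```python
import ipaddress
from collections import Counter

HASH_KEYS = 16  # Figure 3-3 shows HASH-KEY values 0 to 15


def build_forwarding_table(members, local=None):
    """Map every HASH-KEY to an outbound interface, round-robin as in Figure 3-3.

    members: Up member interfaces as (device, port) tuples.
    local:   name of the stack member building its table with preferential
             forwarding of local traffic enabled (3.2.6), or None.
    """
    candidates = list(members)
    if local is not None:
        own = [m for m in members if m[0] == local]
        if own:               # local members available: use only those
            candidates = own  # otherwise fall back to all available members
    if not candidates:
        raise ValueError("no available member interface")
    return [candidates[key % len(candidates)] for key in range(HASH_KEYS)]


def hash_key(*fields):
    """Assumed hash (not the switch's algorithm): XOR every byte of the
    selected fields, then fold the result into 4 bits."""
    acc = 0
    for field in fields:
        for byte in field:
            acc ^= byte
    return (acc ^ (acc >> 4)) & 0x0F


def select_port(table, src_ip, dst_ip):
    """Flow-based selection on source and destination IP address."""
    key = hash_key(ipaddress.ip_address(src_ip).packed,
                   ipaddress.ip_address(dst_ip).packed)
    return table[key]


def load_per_port(table, flows):
    """Sum bytes per outbound interface for (src_ip, dst_ip, byte_count) flows."""
    load = Counter()
    for src, dst, size in flows:
        load[select_port(table, src, dst)] += size
    return load


# Constructed stack: two member interfaces on DeviceB, two on DeviceC.
MEMBERS = [("DeviceB", "10GE1/0/1"), ("DeviceB", "10GE1/0/2"),
           ("DeviceC", "10GE2/0/1"), ("DeviceC", "10GE2/0/2")]

# Constructed flows: one large flow and three small ones.
FLOWS = [("10.1.1.1", "10.2.2.1", 900), ("10.1.1.2", "10.2.2.1", 50),
         ("10.1.1.3", "10.2.2.1", 30), ("10.1.1.5", "10.2.2.1", 20)]

if __name__ == "__main__":
    table = build_forwarding_table(MEMBERS)
    for member, size in sorted(load_per_port(table, FLOWS).items()):
        print(member, size)
    # With local preference on DeviceB, every HASH-KEY maps to a DeviceB port.
    print({dev for dev, _ in build_forwarding_table(MEMBERS, local="DeviceB")})
```

With these inputs the first and fourth flows map to the same interface, so one link carries 920 of the 1000 bytes while another carries none: per-flow ordering is preserved, but utilization is uneven.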

3.2.7 Inter-Device Link Aggregation


For link aggregation between standalone devices, if the Eth-Trunk or the remote
device fails, the switch or server cannot communicate with the remote device. This
problem can be resolved by deploying inter-device link aggregation, which allows
a switch or server to be dual-homed to two devices, thereby achieving device-level
link reliability.

Based on the networking of uplink devices, CloudEngine series switches support
three inter-device link aggregation technologies: stacking, M-LAG, and M-LAG Lite.

Stacking
Interfaces on member switches in a stack can be bundled into an Eth-Trunk.

This inter-device link aggregation mode is applied to scenarios where the stack is
connected to other devices, and protects the link between upstream and
downstream devices. The Eth-Trunk can still work even if a member switch fails or
one link of the Eth-Trunk fails, ensuring reliable transmission of data traffic. This
prevents single-point failures of a member device in a stack and greatly improves
the network-wide reliability.

For details, see Stack Configuration in the CloudEngine 8800, 7800, 6800, and
5800 Series Switches Configuration Guide - Virtualization Configuration Guide.

Figure 3-11 Physical and logical topologies of inter-device link aggregation in a
stack (panels: Physical topology, Logical topology)


M-LAG
M-LAG allows two access switches in the same state to perform link aggregation
negotiation with the access device. In Figure 3-12, the access device
communicates with the M-LAG through link aggregation, achieving device-level
reliability instead of only card-level reliability. The M-LAG is a dual-active system
that is composed of two access switches.

M-LAG is a horizontal virtualization technology that virtualizes two M-LAG devices
into one logical device, that is, a unified Layer 2 logical node. In practice, M-LAG
provides loop-free networking between aggregation and access layers and
replaces STP. Compared with STP, M-LAG provides clear logical topology and
better link use efficiency.

M-LAG master and backup devices forward data simultaneously and their
forwarding behaviors are the same. The forwarding behaviors of M-LAG master
and backup device roles are different only in scenarios where faults occur.

For details, see M-LAG Configuration in the CloudEngine 8800, 7800, 6800, and
5800 Series Switches Configuration Guide - Ethernet Switching Configuration
Guide.

Figure 3-12 Physical and logical topologies of inter-device link aggregation in an
M-LAG system (panels: Physical topology, Logical topology; labeled links: DAD link,
Peer-link)

M-LAG Lite
Figure 3-13 shows inter-device link aggregation in M-LAG Lite networking.
Compared with inter-device link aggregation in a stack or M-LAG system,
inter-device link aggregation in an M-LAG Lite system removes the heartbeat cable
(iStack link or peer-link) required for establishing a stack/M-LAG between devices.
Inter-device link aggregation in an M-LAG Lite system simplifies deployment,
saves costs, and ensures that services are not interrupted during the upgrade.

In Figure 3-13, the same Eth-Trunk ID, LACP system ID, and LACP system priority,
but different Eth-Trunk member interface numbers, are configured on DeviceB and
DeviceC. (On one member device, the lacp port-id-extension enable command is
run in the views of all member interfaces to increase the number of each member
interface by 32768.) In this way, the inter-device Eth-Trunk negotiation can
succeed. The two devices evenly load balance data. When one device
fails, traffic can be forwarded through the other device, implementing device-level
reliability.


DeviceB and DeviceC must be Layer 3 gateways and cannot be Layer 2 transparent
transmission devices. If an upstream device functions as the gateway, the ARP
entries of the server or switch learned by the gateway have two egresses, causing
MAC address flapping. Therefore, the devices to which the server or switch
connects in M-LAG Lite mode must be Layer 3 gateways.
For details about M-LAG Lite, see "Example for Configuring M-LAG Lite" in
Configuration Examples for Comprehensive Scenarios in the CloudEngine 8800,
7800, 6800, and 5800 Series Switches Configuration Guide - Typical Configuration
Examples.

Figure 3-13 Inter-device link aggregation in M-LAG Lite networking (labels:
Internet, DeviceB, DeviceC, Eth-Trunk, DeviceA, Data traffic)
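
The M-LAG Lite negotiation condition described above, modelled as an added Python example that is not part of the Huawei guide: DeviceA can bundle the links only when every partner port advertises the same LACP system priority and system ID and no two ports share a port number. The Member class, function names and sample values are constructed for illustration, and the collision check is a simplified model of LACP, not the switch's implementation.

```python
"""Simplified model of how DeviceA's LACP sees DeviceB and DeviceC in M-LAG Lite."""
from dataclasses import dataclass

PORT_ID_EXTENSION = 32768  # offset applied by "lacp port-id-extension enable" (from the text)
MAX_PORT_NUMBER = 0xFFFF   # the LACP port number field is 16 bits wide


@dataclass(frozen=True)
class Member:
    device: str           # physical switch the link lands on
    system_priority: int  # LACP system priority advertised by that switch
    system_id: str        # LACP system ID (a MAC address) advertised by that switch
    port_number: int      # LACP port number before any extension


def advertised_port(member, extended_devices):
    """Port number carried in the LACPDU, after the optional +32768 extension."""
    number = member.port_number
    if member.device in extended_devices:
        number += PORT_ID_EXTENSION
    if number > MAX_PORT_NUMBER:
        raise ValueError(f"{member.device} port {member.port_number}: exceeds 16 bits")
    return number


def negotiation_problems(members, extended_devices=frozenset()):
    """Return the reasons why DeviceA could not bundle all links into one Eth-Trunk."""
    problems = []
    systems = {(m.system_priority, m.system_id) for m in members}
    if len(systems) > 1:
        problems.append(f"partner advertises {len(systems)} different LACP systems")
    seen = {}  # advertised port number -> device that first used it
    for m in members:
        port = advertised_port(m, extended_devices)
        if port in seen and seen[port] != m.device:
            problems.append(f"port number {port} used by both {seen[port]} and {m.device}")
        seen.setdefault(port, m.device)
    return problems


# Constructed sample: two links to DeviceB and two to DeviceC, shared system ID/priority.
SHARED = dict(system_priority=100, system_id="00e0-fc00-0001")
LINKS = [
    Member("DeviceB", port_number=1, **SHARED),
    Member("DeviceB", port_number=2, **SHARED),
    Member("DeviceC", port_number=1, **SHARED),
    Member("DeviceC", port_number=2, **SHARED),
]

if __name__ == "__main__":
    print("no extension:    ", negotiation_problems(LINKS))
    print("DeviceC extended:", negotiation_problems(LINKS, frozenset({"DeviceC"})))
```

Enabling the extension on both devices reproduces the collision, which is why the text applies it on one member device only.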

3.3 Application Scenarios for Link Aggregation

3.3.1 Using Eth-Trunk to Connect Two Access Switches to a Core Switch

As shown in Figure 3-14, access switches SwitchB and SwitchC of the data center
connect to core switch SwitchA. SwitchB and SwitchC connect to many users, and
SwitchA connects to the external network through the egress router. More and
more users connecting to the network want to communicate with each other. The
links between SwitchA and SwitchB, and between SwitchA and SwitchC require
sufficient bandwidth and reliability. Eth-Trunk 1 and Eth-Trunk 2 are then created
to provide high bandwidth and reliability.


Figure 3-14 Eth-Trunk networking (labels: Internet, SwitchA, Eth-Trunk1,
Eth-Trunk2, SwitchB, SwitchC, User1 to User4)

You can determine the working mode for the Eth-Trunk according to the following
situations:
● If devices at both ends of the Eth-Trunk support LACP, the LACP mode is
recommended.
● If the device at either end of the Eth-Trunk does not support LACP, you must
use the manual load balancing mode.

3.4 Summary of Link Aggregation Configuration Tasks


The device supports link aggregation in the manual load balancing mode and Link
Aggregation Control Protocol (LACP) mode. In a stack, local traffic is preferentially
forwarded by the Eth-Trunk.
Table 3-1 lists the link aggregation configuration tasks.


Table 3-1 Link aggregation configuration tasks

| Item | Description | Task |
|---|---|---|
| Configure link aggregation in manual load balancing mode. | In manual load balancing mode, you must manually create an Eth-Trunk and add member interfaces to the Eth-Trunk. All active links forward data and evenly load balance traffic. The manual load balancing mode is often used when the remote device does not support LACP. | 3.7 Configuring Link Aggregation in Manual Load Balancing Mode |
| Configure link aggregation in LACP mode. | In LACP mode, you must manually create an Eth-Trunk and add interfaces to the Eth-Trunk. LACP determines active interfaces by negotiating parameters in LACPDUs. LACP provides backup links and ensures high reliability of member links. | 3.8 Configuring Link Aggregation in LACP Mode |
| Configure preferential forwarding of local traffic in a stack. | On a network where the stack and Eth-Trunk are used, configure the Eth-Trunk to preferentially forward local traffic to increase bandwidth use efficiency between stack devices and improve traffic forwarding efficiency. | 3.9 Configuring Preferential Forwarding of Local Traffic on an Eth-Trunk in a Stack |
| Create an Eth-Trunk Layer 3 sub-interface. | Layer 3 sub-interfaces can be configured on a Layer 3 Eth-Trunk. When Layer 3 devices connect to Layer 2 devices in different VLANs through the Layer 3 Eth-Trunk, Layer 3 sub-interfaces must be configured on the Eth-Trunk to identify packets from different VLANs and to enable users in these VLANs to communicate with each other. | 3.10 Creating an Eth-Trunk Layer 3 Sub-interface |

3.5 Licensing Requirements and Limitations for Ethernet Link Aggregation

Involved Network Element
Other network elements are not required.

Licensing Requirements
Ethernet link aggregation is a basic function of the switch, and as such is
controlled by the license for basic software functions. The license for basic
software functions has been loaded and activated before delivery. You do not need
to manually activate it.

Version Requirements

Table 3-2 Products and minimum version supporting Ethernet link aggregation

| Product | Minimum Version Required |
|---|---|
| CE9860EI | V200R020C00 |
| CE8860EI | V100R006C00 |
| CE8861EI/CE8868EI | V200R005C10 |
| CE8850-32CQ-EI | V200R002C50 |
| CE8850-64CQ-EI | V200R005C00 |
| CE7850EI | V100R003C00 |
| CE7855EI | V200R001C00 |
| CE6810EI | V100R003C00 |
| CE6810-48S4Q-LI/CE6810-48S-LI | V100R003C10 |
| CE6810-32T16S4Q-LI/CE6810-24S2Q-LI | V100R005C10 |
| CE6850EI | V100R001C00 |
| CE6850-48S6Q-HI | V100R005C00 |
| CE6850-48T6Q-HI/CE6850U-HI/CE6851HI | V100R005C10 |
| CE6855HI | V200R001C00 |
| CE6856HI | V200R002C50 |
| CE6857EI | V200R005C10 |
| CE6860EI | V200R002C50 |
| CE6865EI | V200R005C00 |
| CE6870-24S6CQ-EI | V200R001C00 |
| CE6870-48S6CQ-EI | V200R001C00 |
| CE6870-48T6CQ-EI | V200R002C50 |
| CE6875-48S4CQ-EI | V200R003C00 |
| CE6880EI | V200R002C50 |
| CE6881, CE6820, CE6863 | V200R005C20 |
| CE6881K | V200R019C10 |
| CE6881E | V200R019C10 |
| CE6863K | V200R019C10 |
| CE5810EI | V100R002C00 |
| CE5850EI | V100R001C00 |
| CE5850HI | V100R003C00 |
| CE5855EI | V100R005C10 |
| CE5880EI | V200R005C10 |
| CE5881 | V200R020C00 |


NOTE

For details about the mapping between software versions and switch models, see the
Hardware Query Tool.

Feature Limitations
Licensing Requirements and Limitations Before an Eth-Trunk Is Configured
● Table 3-3 describes the specifications of Ethernet link aggregation.

Table 3-3 Specifications of Ethernet link aggregation

| Version | Specification |
|---|---|
| Versions earlier than V100R005C00 | Each Eth-Trunk supports a maximum of 8 member interfaces on the CE5810EI and 16 member interfaces on other models. Each Eth-Trunk contains a maximum of 8 member interfaces in an SVF system. |
| V100R005C00 to V200R019C00 | Each Eth-Trunk supports a maximum of 8 member interfaces on the CE5810EI. Each Eth-Trunk supports a maximum of 64 member interfaces on the CE5880EI and CE6880EI. The maximum number of member interfaces in each Eth-Trunk on other models is determined by the assign forward eth-trunk mode command. After the maximum number of LAGs supported by the device is set, restart the device to make the configuration take effect. |
| V200R019C10 and later versions | Each Eth-Trunk supports a maximum of 8 member interfaces on the CE5810EI. Each Eth-Trunk supports a maximum of 128 member interfaces on the CE6880EI and CE5880EI. The maximum number of member interfaces in each Eth-Trunk on other models is determined by the assign forward eth-trunk mode command. After the maximum number of LAGs supported by the device is set, restart the device to make the configuration take effect. |


● In an SVF system, an Eth-Trunk cannot be set up between leaf switches of
different series or between a parent switch and a leaf switch.
● In distributed forwarding mode, switches can be configured with fewer than 256
link aggregation groups.
● In V100R005C00 and earlier versions, the assign forward eth-trunk mode
command cannot be configured in an SVF system.
● In V100R005C10 and later versions, the assign forward eth-trunk mode
command can be configured in an SVF system. Each Eth-Trunk supports a
maximum of eight member interfaces on the CE5810EI. When the CE5810EI
functions as the leaf switch, the following situations occur:
– When the maximum number of member interfaces in each LAG
configured by the assign forward eth-trunk mode command is greater
than or equal to 8, each LAG allows a maximum of eight member
interfaces on the CE5810EI.
– When the maximum number of member interfaces in each LAG
configured by the assign forward eth-trunk mode command is less than 8,
the command is also valid for the CE5810EI.
● In versions earlier than V200R002C50, member interfaces of an Eth-Trunk
must use the same rate.
For example, GE and 10GE interfaces cannot join the same Eth-Trunk,
whereas GE electrical and optical interfaces can join the same Eth-Trunk.
In V200R002C50 and later versions, Ethernet interfaces working with different
rates can join the same Eth-Trunk.
● The number of member interfaces of an Eth-Trunk cannot exceed the
maximum number of member interfaces allowed.
● Member interfaces cannot be configured with some services or static MAC
address entries. For example, when an interface is added to an Eth-Trunk, the
interface must use the default link type.
● Member interfaces of an Eth-Trunk cannot be an Eth-Trunk.
● Device connection
– If an interface of the local device is added to an Eth-Trunk, an interface of
the remote device directly connected to the interface of the local device
must also be added to an Eth-Trunk. Otherwise, communication between
the two devices will fail.
– Both devices of the Eth-Trunk must use the same number of physical
interfaces, interface rate, duplex mode, jumbo, and flow control mode.
– Both devices of an Eth-Trunk must use the same link aggregation mode.
● Preferential forwarding of local traffic is only valid for known unicast packets.
It is invalid for broadcast packets, multicast packets, and unknown unicast
packets.
● If the system resource mode of the CE8860EI is large-arp, and the IfType field
displays 8 and the TargetBlade and TargetPort fields display non-zero values
in the output of the display fei ipv4 arp command run in the diagnostic view,
the outbound interface of the ARP entry is a physical member interface of an
Eth-Trunk. The switch cannot perform Eth-Trunk load balancing and
preferential forwarding of local traffic for Layer 3 unicast traffic corresponding
to the ARP entry.
● VLANs, VXLANs, carrier VLANs, and main interfaces share system resources. If
system resources are insufficient, the configurations of these features may fail.


Licensing Requirements and Limitations After an Eth-Trunk Is Configured


● An Ethernet interface can be added to only one Eth-Trunk. To add an Ethernet
interface to another Eth-Trunk, delete it from the original one first.
● When an Eth-Trunk member interface is removed from an Eth-Trunk or a
physical interface is added to an Eth-Trunk, run the shutdown command for
the Eth-Trunk member interface or physical interface, and then run the undo
shutdown command after the Eth-Trunk member interface is removed from
or the physical interface is added to the Eth-Trunk.
● After an interface is added to an Eth-Trunk, the Eth-Trunk learns MAC address
entries or ARP entries, but the member interface does not.
● Before deleting an Eth-Trunk, delete member interfaces from the Eth-Trunk.
● In V100R005C10, if 256, 512, or 1024 link aggregation groups (LAGs) are
configured in an SVF system consisting of fixed switches, Layer 2 port
isolation cannot be configured on Eth-Trunks. In V100R006C00 and later
versions, if a leaf switch is a CE5810EI switch and 256, 512, or 1024 LAGs are
configured, the leaf switch CE5810EI does not support the Layer 2 port
isolation configuration on Eth-Trunks. This limitation does not apply to other
leaf switches.
● After running the service type tunnel command to enable service loopback,
an Eth-Trunk interface can only be used to loop service packets back to tunnel
interfaces.
– When member interfaces of an Eth-Trunk are on leaf switches, service
loopback cannot be enabled on the Eth-Trunk.
– When service loopback is enabled on an Eth-Trunk, interfaces on leaf
switches cannot be added to the Eth-Trunk.
● For CE6870EI and CE6875EI, the following services are in descending order of
priority: M-LAG unidirectional isolation, MQC (traffic policing, traffic statistics
collection, and packet filtering), querying the outbound interface of packets
with specified 5-tuple information, source MAC address, and destination MAC
address, local VLAN mirroring, sFlow, NetStream, and VLANIF interface
statistics collection. When the services are configured on an interface in the
outbound direction, only the service with the highest priority takes effect. For
example, when both packet filtering and VLANIF interface statistics collection
are configured on a VLANIF interface, packet filtering takes effect.
For sFlow and NetStream, the preceding limitations apply only to Layer 2 sub-
interfaces and Layer 3 sub-interfaces. For details about the priorities between
MQC-based traffic statistics collection and traffic statistics collection on a
VLANIF interface, see Licensing Requirements and Limitations for Traffic
Statistics Collection.
● The CE5880EI, CE6880EI, CE6875EI, and CE6870EI do not support forwarding
packet capture from member interfaces in a specified Eth-Trunk. The switches
can capture the packets to be sent to the CPU only on Eth-Trunks, but not on
member interfaces of the Eth-Trunks.
● The dynamic load balancing for an LAG and elastic load balancing functions
cannot be applied together.


3.6 Default Settings for Link Aggregation


Table 3-4 Default settings for link aggregation

| Parameter | Default Setting |
|---|---|
| Link aggregation mode | Manual load balancing mode |
| Upper threshold for the number of active member links | 8 on the CE5810EI, 32 on the CE6870EI and CE6875EI, 64 on the CE6880EI and CE5880EI, and 16 on other models. In the SVF, the maximum number of active interfaces is 8. |
| Lower threshold for the number of active member links | 1 |
| LACP system priority | 32768 |
| LACP interface priority | 32768 |
| LACP preemption | Disabled |
| LACP preemption delay | 30s |
| Timeout interval at which LACPDUs are received | 90s |
| Preferentially forwarding local traffic on an Eth-Trunk | Enabled |

3.7 Configuring Link Aggregation in Manual Load Balancing Mode

3.7.1 (Optional) Setting the Number of LAGs

Context
Typically, the number of LAGs supported by a switch is fixed. However, you can
run the assign forward eth-trunk mode command to flexibly set the number of
LAGs supported by a switch, implementing flexible networking and meeting
diversified service requirements.

NOTE

The number of LAGs supported by the CE5810EI, CE5880EI, and CE6880EI is fixed. The
CE5810EI, CE5880EI, and CE6880EI do not support a variable number of LAGs.


Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run assign forward eth-trunk mode { 64 | 128 | 256 | 512 | 1024 }
The number of LAGs supported by the device is set.
For CE6870EI and CE6875EI, the number of LAGs supported by the device can be
set using the assign forward eth-trunk mode { 256 | 512 | 1024 } command.
By default, the CE6870EI and CE6875EI support 512 LAGs; other models support
128 LAGs.

NOTE

After the assign forward eth-trunk mode command is used to change the number of
LAGs supported by the device, restart the device to make the configuration take effect.

Step 3 Run commit


The configuration is committed.

----End

3.7.2 Creating a LAG

Context
Each LAG has one logical interface, that is, an Eth-Trunk. Before configuring link
aggregation, create an Eth-Trunk.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface eth-trunk trunk-id
An Eth-Trunk is created and the Eth-Trunk interface view is displayed.
If the specified Eth-Trunk already exists, this command directly displays the Eth-
Trunk interface view.
trunk-id defines the Eth-Trunk ID. The value ranges of different models are
different. Table 3-5 lists value ranges of different models.

Table 3-5 Value ranges of different models

| Product Model | Value set by assign forward eth-trunk mode | trunk-id range | Maximum member interfaces per Eth-Trunk |
|---|---|---|---|
| CE5810EI | The value range cannot be adjusted. | 0 to 127 | 8 |
| CE6870EI and CE6875EI | 256 | 0 to 255 | 64 |
| CE6870EI and CE6875EI | 512 (default) | 0 to 511 | 32 |
| CE6870EI and CE6875EI | 1024 | 0 to 1023 | 16 |
| CE5880EI, CE6880EI | The value range cannot be adjusted. | 0 to 1023 | 64 |
| Other models | 64 | 0 to 63 | 32 |
| Other models | 128 (default) | 0 to 127 | 16 |
| Other models | 256 | 0 to 255 | 8 |
| Other models | 512 | 0 to 511 | 4 |
| Other models | 1024 | 0 to 1023 | 2 |

Step 3 Run commit

The configuration is committed.

----End

3.7.3 Setting the Link Aggregation Mode to Manual Load Balancing

Context
Link aggregation can work in manual load balancing mode and LACP mode.


In manual load balancing mode, you must manually create an Eth-Trunk and add
member interfaces to the Eth-Trunk. All active links forward data and evenly load
balance traffic. The manual load balancing mode is used when the remote device
does not support LACP.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
Step 3 Run mode manual [ load-balance ]
The Eth-Trunk is configured to work in manual load balancing mode.
By default, an Eth-Trunk works in manual load balancing mode.
Before configuring an Eth-Trunk, ensure that both devices use the same working
mode.
Step 4 Run commit
The configuration is committed.

----End

3.7.4 Adding Member Interfaces to an Eth-Trunk


Context
You can add member interfaces to an Eth-Trunk in the Eth-Trunk interface view or
member interface view.
When adding an interface to an Eth-Trunk, pay attention to the following points:
● On the CE5810EI, an Eth-Trunk contains a maximum of 8 member interfaces.
On the CE5880EI and CE6880EI, an Eth-Trunk contains a maximum of 64
member interfaces. On other models, the number of member interfaces in an
Eth-Trunk depends on the assign forward eth-trunk mode command. The
member interfaces in an Eth-Trunk must have the same type.
● A member interface cannot be configured with some services or static MAC
addresses.
● When adding an interface to an Eth-Trunk, ensure that the interface uses the
default link type.
● An Eth-Trunk cannot be added to another Eth-Trunk.
● An Ethernet interface can be added to only one Eth-Trunk. To add the
Ethernet interface to another Eth-Trunk, delete it from the Eth-Trunk first.
● If an interface of the local device is added to an Eth-Trunk, an interface of the
remote device directly connected to the interface of the local device must also
be added to an Eth-Trunk so that the two ends can communicate.
● After interfaces are added to an Eth-Trunk, the Eth-Trunk learns MAC
addresses and ARP entries but member interfaces do not.


● Devices at both ends of an Eth-Trunk must use the same number of physical
interfaces, interface rate, duplex mode, jumbo, and flow control mode.
● In a stack scenario, it is recommended that the number of member interfaces
added to a LAG be the nth power of 2. Otherwise, unknown unicast traffic
may be unevenly load balanced.

Procedure
● Add member interfaces to an Eth-Trunk in the Eth-Trunk interface view.
a. Run system-view
The system view is displayed.
b. Run interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
c. Run trunkport interface-type { interface-number1 [ to interface-number2 ] } &<1-n>
A member interface is added to the Eth-Trunk.
When you add member interfaces to an Eth-Trunk in a batch, if one
interface cannot be added to the Eth-Trunk, all subsequent interfaces in
the batch cannot be added to the Eth-Trunk, either.

NOTE

For the CE5810EI, the value of n is 8. For the CE5880EI and CE6880EI, the value of n
is 64. For other models, the value of n depends on the assign forward eth-trunk
mode command.
d. Run commit
The configuration is committed.
● Add member interfaces to an Eth-Trunk in the member interface view.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The member interface view is displayed.
c. Run eth-trunk trunk-id
The member interface is added to an Eth-Trunk.
d. Run commit
The configuration is committed.
----End

Follow-up Procedure
When the status of an Eth-Trunk member interface changes, the system sends
traps containing the status change information for you to confirm whether the
device encounters any fault. If you want to know the ID of the Eth-Trunk to which
the member interface belongs, run the trunk-member trap in private-mib
enable command to enable Eth-Trunk member interfaces to send traps through a
private MIB. Traps sent through a private MIB carry the number of the specific
Eth-Trunk interface.
After the trunk-member trap in private-mib enable command is run, traps are
sent through a private MIB, instead of a public MIB. In this case, you can view the
traps only by using the private MIB of Huawei.

3.7.5 (Optional) Setting the Lower Threshold for the Number of Active Interfaces

Context
The lower threshold for the number of active interfaces affects the status and
bandwidth of an Eth-Trunk. To ensure that the Eth-Trunk functions properly and is
less affected by member link status changes, set the lower threshold for the
number of active interfaces.
When the number of active interfaces falls below the lower threshold, the Eth-
Trunk goes Down. This ensures that the Eth-Trunk has a minimum available
bandwidth.
The upper threshold for the number of active interfaces is inapplicable to the
manual load balancing mode.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
Step 3 Run least active-linknumber link-number
The lower threshold for the number of active interfaces is set.
By default, the lower threshold for the number of active interfaces is 1.
The lower threshold for the number of active interfaces on the local switch can be
different from that on the remote switch.
Step 4 Run commit
The configuration is committed.

----End

3.7.6 (Optional) Configuring the Weight of Load Balancing for a Member Interface

Context
On an Eth-Trunk interface, you can load balance traffic among member interfaces
according to the weights configured for the member interfaces.


The higher the weight of a member interface, the heavier the load over the
member link. Therefore, you can configure a higher weight for a member interface
so that the member link can carry a heavier load.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number

The Eth-Trunk member interface view is displayed.

Step 3 Run distribute-weight weight-value

The load balancing weight is configured for the Eth-Trunk member interface.

The default weight of an Eth-Trunk member interface is 1.

The total weight of member interfaces in an Eth-Trunk cannot exceed the
maximum number of member interfaces allowed.

Step 4 Run commit

The configuration is committed.

----End
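
A pre-change check for the planning rules in 3.7.2 through 3.7.6, as an added Python example that is not part of the guide: it validates trunk-id ranges and member limits from Table 3-5, single Eth-Trunk membership, the total-weight rule, and the effect of the lower threshold on Eth-Trunk state. The plan format, interface names and function names are assumptions made for the example.

```python
"""Check an Eth-Trunk plan against the limits in Table 3-5 and sections 3.7.4 to 3.7.6."""

# Number of LAGs -> maximum member interfaces per Eth-Trunk, transcribed from Table 3-5.
LIMITS = {
    "CE5810EI": {128: 8},                      # fixed, trunk-id 0 to 127
    "CE5880EI": {1024: 64},                    # fixed, trunk-id 0 to 1023
    "CE6880EI": {1024: 64},                    # fixed, trunk-id 0 to 1023
    "CE6870EI": {256: 64, 512: 32, 1024: 16},  # adjustable, default 512
    "CE6875EI": {256: 64, 512: 32, 1024: 16},  # adjustable, default 512
    "other": {64: 32, 128: 16, 256: 8, 512: 4, 1024: 2},  # adjustable, default 128
}


def check_plan(model, lag_mode, trunks):
    """Return violations. trunks maps trunk-id -> {"members": {ifname: weight}, "least": n}."""
    table = LIMITS.get(model, LIMITS["other"])
    if lag_mode not in table:
        return [f"{model}: assign forward eth-trunk mode {lag_mode} is not available"]
    max_members = table[lag_mode]
    errors, owner = [], {}  # owner: interface name -> Eth-Trunk that already holds it
    for trunk_id, trunk in sorted(trunks.items()):
        members = trunk["members"]
        total_weight = sum(members.values())
        if not 0 <= trunk_id < lag_mode:
            errors.append(f"Eth-Trunk {trunk_id}: trunk-id outside 0 to {lag_mode - 1}")
        if len(members) > max_members:
            errors.append(f"Eth-Trunk {trunk_id}: {len(members)} members, limit is {max_members}")
        if total_weight > max_members:
            errors.append(f"Eth-Trunk {trunk_id}: total weight {total_weight} exceeds {max_members}")
        if trunk.get("least", 1) > len(members):
            errors.append(f"Eth-Trunk {trunk_id}: least active-linknumber can never be met")
        for ifname in members:
            if ifname in owner:  # an Ethernet interface can join only one Eth-Trunk
                errors.append(f"{ifname}: already in Eth-Trunk {owner[ifname]}")
            owner.setdefault(ifname, trunk_id)
    return errors


def trunk_state(trunk, up_interfaces):
    """The Eth-Trunk goes Down when active members fall below the lower threshold."""
    active = sum(1 for ifname in trunk["members"] if ifname in up_interfaces)
    return "Up" if active >= trunk.get("least", 1) else "Down"


# Constructed plan for a model in the "Other models" rows; weights default to 1.
PLAN = {
    1: {"members": {"10GE1/0/1": 1, "10GE1/0/2": 1, "10GE1/0/3": 2}, "least": 2},
    2: {"members": {"10GE1/0/3": 1, "10GE1/0/4": 1}},
    130: {"members": {"10GE1/0/5": 1}},
}

if __name__ == "__main__":
    for mode in (128, 1024):
        print(mode, check_plan("CE6850EI", mode, PLAN))
    print(trunk_state(PLAN[1], {"10GE1/0/1"}))
```

The second run shows the trade-off in Table 3-5: raising the number of LAGs to 1024 leaves room for only 2 members per Eth-Trunk, so a plan that was valid at 128 can fail after the mode change and restart.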

3.7.7 (Optional) Configuring a Load Balancing Mode (CE Switches Excluding the CE6870EI and CE6875EI)

Context
An Eth-Trunk supports per-packet load balancing and per-flow load balancing.
● Per-packet load balancing can improve Eth-Trunk bandwidth efficiency to
ensure even load balancing among equal-cost routes, but cannot prevent
packet mis-sequencing. To ensure packet sequencing, confirm that the device
or terminal receiving traffic supports packet reassembly in case of packet mis-
sequencing. Switches support the following per-packet load balancing modes:
– Random mode: The outbound interface of packets is generated randomly
and calculated based on the time when the packets reach the Eth-Trunk.
When the IP address and MAC address of known unicast packets remain
unchanged, configure random per-packet load balancing.
– Round-robin mode: Eth-Trunk member interfaces forward traffic in turn.
When known unicast packets have a similar length, configure round-
robin per-packet load balancing.
● Per-flow load balancing ensures that packets of the same data flow are
forwarded on the same physical link and those of different data flows are
forwarded on different physical links. Table 3-6 lists the load balancing
modes for different types of packets.


Table 3-6 Load balancing modes for different types of packets

| Packet (Inbound Interface) | Default Load Balancing Mode | Configurable Load Balancing Mode | Remarks |
|---|---|---|---|
| IPv4 packets | src-ip, dst-ip, l4-src-port and l4-dst-port | src-ip, dst-ip, l4-src-port, l4-dst-port, and protocol | The load balancing mode is relevant to the packet type and irrelevant to the packet forwarding process. For example, even if the system provides only Layer 2 forwarding for IPv4 packets, the IPv4 packets are load balanced according to the load balancing mode for IPv4 packets. When the system cannot identify IPv4, IPv6, or MPLS packets, the system load balances packets based on src-mac, dst-mac, src-interface, and eth-type for Layer 2 packets. |
| IPv6 packets | src-ip, dst-ip, l4-src-port, and l4-dst-port | src-ip, dst-ip, protocol, l4-src-port, and l4-dst-port | |
| MPLS packets | Ingress/Egress/Transit: top-label and 2nd-label | For switches excluding the CE6865EI, CE6857EI, CE8861EI, and CE8868EI: Ingress/Egress/Transit: top-label, 2nd-label, dst-ip, and src-ip. For the CE6865EI, CE6857EI, CE8861EI, and CE8868EI: Ingress/Egress/Transit: top-label, 2nd-label, 3rd-label, 4th-label, 5th-label, dst-ip, src-ip, and src-interface | |
| Layer 2 packets except IPv4, IPv6, and MPLS packets | src-mac and dst-mac | src-mac, dst-mac, src-interface, and eth-type | |
| TRILL packets (ingress node) | Inner src-mac and dst-mac for Layer 2 packets; src-ip, dst-ip, l4-src-port, and l4-dst-port for Layer 3 packets | src-mac, dst-mac, src-ip, dst-ip, src-interface, l4-src-port, l4-dst-port | TRILL packets can be load balanced on the transit node only when the load-balance enhanced [ resilient ] profile profile-name command is used. |
| TRILL packets (transit/egress node) | Inner src-mac and dst-mac for Layer 2 packets; src-ip, dst-ip, l4-src-port, and l4-dst-port for Layer 3 packets | src-mac, dst-mac, src-ip, dst-ip, l4-src-port and l4-dst-port | |
| FCoE packets | dst-fcid and src-fcid | dst-fcid and src-fcid | - |

NOTE

Load balancing is valid only for outgoing traffic; therefore, the load balancing modes for the
interfaces at both ends of the link can be different and do not affect each other.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Run load-balance profile profile-name
A load balancing profile is configured and its view is displayed. profile-name
specifies the name of the load balancing profile.
By default, there is a load balancing profile named default.
Run the following commands as required. You can configure a load balancing
mode for Layer 2 packets, IPv4 packets, IPv6 packets, FCoE, and MPLS packets
respectively.

● Run l2 [ src-mac | dst-mac | src-interface | eth-type ] *

A load balancing mode is configured for Layer 2 packets (non-IP packets).


By default, the switch load balances Layer 2 packets (non-IP packets) based
on the source MAC address (src-mac) and destination MAC address (dst-
mac).
● Run ip [ src-ip | dst-ip | l4-src-port | l4-dst-port | protocol ] *

A load balancing mode is configured for IPv4 packets.


By default, the switch load balances IPv4 packets based on the source IP
address (src-ip), destination IP address (dst-ip), transport-layer source port
numbers (l4-src-port), and transport-layer destination port numbers (l4-dst-
port).
● Run ipv6 [ src-ip | dst-ip | protocol | l4-src-port | l4-dst-port ] *

A load balancing mode is configured for IPv6 packets.


By default, the switch load balances IPv6 packets based on the source IP
address (src-ip), destination IP address (dst-ip), transport-layer source port
numbers (l4-src-port), and transport-layer destination port numbers (l4-dst-
port).
● Run mpls [ top-label | dst-ip | src-ip | 2nd-label | 3rd-label | 4th-label | 5th-
label | src-interface ] *
A load balancing mode is configured for MPLS packets.
By default, the switch load balances MPLS packets based on the two outer
labels (top-label and 2nd-label).
NOTE

Only the CE6865EI, CE6857EI, CE8861EI, and CE8868EI support 3rd-label, 4th-label,
5th-label, and src-interface. If src-ip or dst-ip is configured, 4th-label or 5th-label
cannot be configured.
In V200R005C10 and earlier versions, if 4th-label and 5th-label are configured for
load balancing of MPLS packets in the load balancing profile view or ECMP view, this
configuration takes effect for both Eth-Trunk and ECMP. The load balancing mode
based on src-ip and dst-ip conflicts with that based on 4th-label and 5th-label, and
the last delivered configuration takes effect. Therefore, the effective load balancing
mode is inconsistent with that in the configuration file.
● Run fcoe { dst-fcid | src-fcid } *

A load balancing mode is configured for FCoE packets.


By default, the switch load balances FCoE packets based on the source FC_ID
(src-fcid) and destination FC_ID (dst-fcid).
● Run eth-trunk { hash-mode hash-mode-id | universal-id universal-id } *

A load balancing mode is configured for the Eth-Trunk.


By default, an Eth-Trunk load balances packets based on hash-mode (1) and
universal-id (1).
On the CE5880EI and CE6880EI, hash-mode has a fixed value of 1.
● Run stack { hash-mode hash-mode-id | universal-id universal-id } *

A load balancing mode is configured for a stack port or fabric port in the
specified load balancing profile.
By default, a stack port or fabric port load balances packets based on hash-
mode (1) and universal-id (1) in a load balancing profile.
Step 3 (Optional) Run quit
Return to the system view.
Step 4 Run the following commands as required.
● Configure a load balancing mode for known unicast traffic.
a. Run interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
b. Run load-balance { dst-ip | dst-mac | random | round-robin | src-ip |
src-mac | src-dst-ip | src-dst-mac | enhanced [ resilient ] profile profile-
name }
A load balancing mode is configured for the Eth-Trunk.
By default, the load balancing mode of the Eth-Trunk is enhanced
profile.


NOTE

Only the CE8868EI, CE8861EI, CE7855EI, CE7850EI, CE6880EI, CE6865EI, CE6857EI,
CE6856HI, CE6855HI, CE6851HI, CE6850HI, CE6850U-HI, and CE5880EI support the
resilient parameter.
Only the CE8868EI, CE8861EI, CE8860EI, CE8850EI, CE7855EI, CE7850EI, CE6865EI,
CE6860EI, and CE6857EI support the random and round-robin parameters.

▪ dst-ip: based on destination IP addresses

▪ dst-mac: based on destination MAC addresses

▪ random: The outbound interface of packets is generated randomly
and calculated based on the time when the packets reach the Eth-
Trunk. When the IP address and MAC address of known unicast
packets do not change, use this mode to perform packet-based load
balancing so that traffic is load balanced. The random mode causes
packet mis-sequencing. Ensure that the receiving device or
terminal supports reassembly of mis-sequenced packets.

▪ round-robin: Each Eth-Trunk member interface forwards traffic in
turn. For known unicast traffic, if packets have approximate lengths,
configure this load balancing mode to achieve even load balancing.
This mode may cause packet mis-sequencing. Ensure that the
receiving device or terminal supports reassembly of mis-sequenced
packets.

▪ src-ip: based on source IP addresses

▪ src-mac: based on source MAC addresses

▪ src-dst-ip: based on the Exclusive-Or result of source and destination
IP addresses

▪ src-dst-mac: based on the Exclusive-Or result of source and
destination MAC addresses

▪ enhanced [ resilient ] profile: based on the fields in the global load
balancing profile. resilient indicates that as little traffic as possible
is switched between links when member links are added or removed;
only some traffic is switched between links. For example, an LAG has
three member links, data is forwarded based on the hash key, and
one link is faulty. When resilient is not specified, traffic is reallocated
on the other two links. When resilient is specified, traffic that has
been allocated on the other two links remains unchanged, and traffic
on the faulty link is evenly allocated on the two links. Therefore,
there is less impact on services. When the faulty link recovers, some
traffic on the other two links is switched to it. Traffic allocation on
links is different from that before the fault occurrence.
NOTE

The CE5810-48T4S-EI uses dual chips that are connected through two
interfaces. Traffic between chips is load balanced between the two
interfaces. The load balancing mode is the same as enhanced profile on an
Eth-Trunk. When the global load balancing mode is changed, the load
balancing mode on two interfaces between chips is also affected.


c. Run commit
The configuration is committed.
● Configure a load balancing mode for unknown unicast traffic.
a. Run load-balance unknown-unicast { mac | enhanced }
A load balancing mode is configured.
By default, the load balancing mode is enhanced.
b. Run commit
The configuration is committed.

----End
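
The three-link case from the description of enhanced [ resilient ] profile above, modelled as an added Python illustration (not Huawei's code). The SHA-256 based hash key, the 60-entry bucket table, the rebalancing policy on recovery and the interface names are assumptions made for the model; the switch's actual algorithm is not described on this page.

```python
import hashlib
from collections import Counter

# Constructed member interface names for a three-link Eth-Trunk.
MEMBERS = ["10GE1/0/1", "10GE1/0/2", "10GE1/0/3"]


def flow_key(flow):
    """Stand-in hash key over the 5-tuple (assumption: not the switch's hash)."""
    digest = hashlib.sha256("|".join(map(str, flow)).encode()).digest()
    return int.from_bytes(digest[:4], "big")


def plain_pick(key, active):
    """Non-resilient selection: key modulo the number of links currently up."""
    return active[key % len(active)]


class ResilientTable:
    """Fixed bucket table; only buckets of a changed link are rewritten."""

    def __init__(self, members, buckets=60):
        self.active = list(members)
        self.table = [self.active[i % len(self.active)] for i in range(buckets)]

    def pick(self, key):
        return self.table[key % len(self.table)]

    def fail(self, member):
        # Spread only the failed link's buckets evenly over the survivors.
        self.active.remove(member)
        orphaned = [i for i, m in enumerate(self.table) if m == member]
        for n, i in enumerate(orphaned):
            self.table[i] = self.active[n % len(self.active)]

    def recover(self, member):
        # Hand the recovered link its fair share, taken from the busiest links.
        self.active.append(member)
        target = len(self.table) // len(self.active)
        while self.table.count(member) < target:
            donor = max((m for m in self.active if m != member),
                        key=self.table.count)
            last = len(self.table) - 1 - self.table[::-1].index(donor)
            self.table[last] = member


def sample_flows(n=3000):
    """Constructed flows: (src-ip, dst-ip, protocol, l4-src-port, l4-dst-port)."""
    return [(f"10.0.{i // 250}.{i % 250 + 1}", "192.0.2.10", 6, 1024 + i, 443)
            for i in range(n)]


def simulate(n=3000):
    keys = [flow_key(f) for f in sample_flows(n)]
    failed, survivors = MEMBERS[2], MEMBERS[:2]

    def moved(before, after):
        # Flows that were on a healthy link but changed link anyway.
        return sum(1 for b, a in zip(before, after) if b != failed and b != a)

    plain_before = [plain_pick(k, MEMBERS) for k in keys]
    plain_after = [plain_pick(k, survivors) for k in keys]

    table = ResilientTable(MEMBERS)
    original = list(table.table)
    res_before = [table.pick(k) for k in keys]
    table.fail(failed)
    res_after = [table.pick(k) for k in keys]
    table.recover(failed)

    return {
        "plain_moved": moved(plain_before, plain_after),
        "resilient_moved": moved(res_before, res_after),
        "share_after_fault": Counter(res_after),
        "buckets_after_recovery": Counter(table.table),
        "same_as_before_fault": table.table == original,
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(name, value)
```

In this model no flow on a healthy link moves when resilient selection is used, while plain modulo selection moves flows that never touched the faulty link; after recovery the bucket table is balanced again but is not the table that existed before the fault.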

Follow-up Procedure
● Configure simulated calculation of an Eth-Trunk outbound interface.
Configure simulated calculation of an Eth-Trunk outbound interface after
specifying the 5-tuple information, source MAC address, and destination
address.
display load-balance forwarding-path unicast interface eth-trunk trunk-id src-interface interface-
type interface-number { ethtype ethtype-number | vlan vlan-id | [ [ src-ip src-ip-data | dst-ip dst-ip-
data ] * | [ src-ipv6 src-ipv6-data | dst-ipv6 dst-ipv6-data ] * ] | src-mac src-mac-data | dst-mac dst-
mac-data | protocol { protocol-number | icmp | igmp | ip | ospf | tcp [ l4-src-port src-port-data | l4-
dst-port dst-port-data ] * | udp [ l4-src-port src-port-data | l4-dst-port dst-port-data ] * } } * slot slot-
id
● Verifying the Configuration
Verify the outbound interface of packets that contain specified 5-tuple
information, source MAC address, and destination MAC address.
display port forwarding-path { src-ip src-ip-data | dst-ip dst-ip-data | src-mac src-mac-data | dst-
mac dst-mac-data | protocol { protocol-number | gre | icmp | igmp | ip | ipinip | ospf | tcp [ l4-src-
port src-port-data | l4-dst-port dst-port-data ] * | udp [ l4-src-port src-port-data | l4-dst-port dst-
port-data ] * } } *

3.7.8 (Optional) Configuring a Load Balancing Mode (CE6870EI and CE6875EI)

Context
An Eth-Trunk uses flow-based load balancing. Per-flow load balancing ensures
that packets of the same data flow are forwarded on the same physical link and
those of different data flows are forwarded on different physical links.
Load balancing is valid only for outgoing traffic; therefore, interfaces at both ends
of the link can use different load balancing modes.
Table 3-7 lists load balancing modes for different types of packets.


Table 3-7 Load balancing modes for different types of packets


| Packet (Inbound Interface) | Default Load Balancing Mode | Configurable Load Balancing Mode |
|---|---|---|
| IPv4 packets | src-ip, dst-ip, l4-src-port, and l4-dst-port | src-ip, dst-ip, l4-src-port, l4-dst-port, and protocol |
| IPv6 packets | src-ip, dst-ip, l4-src-port, and l4-dst-port | src-ip, dst-ip, l4-src-port, l4-dst-port, and protocol. NOTE: IPv6 packet load balancing modes, l4-src-port and l4-dst-port, are affected by the l4-src-port and l4-dst-port fields of IPv4 packets. That is, when the load balancing modes of IPv4 packets include l4-src-port or l4-dst-port, the l4-src-port or l4-dst-port field also participates in load balancing of IPv6 packets. |
| MPLS packets | Ingress/Egress/Transit: top-label, 2nd-label, fields in the inner IP header (IPv4: src-ip, dst-ip, l4-src-port, and l4-dst-port; IPv6: src-ip, dst-ip, l4-src-port, and l4-dst-port), and 2nd-label | Ingress/Egress/Transit: top-label, 2nd-label, and 3rd-label. NOTE: The load balancing mode based on fields in the inner IP header (IPv4: src-ip, dst-ip, l4-src-port, and l4-dst-port; IPv6: src-ip, dst-ip, l4-src-port, and l4-dst-port) does not need to be configured, but the fields that participate in load balancing are affected by the load balancing mode configuration of IPv4 and IPv6 packets. If the l4-src-port and l4-dst-port fields are specified in the configured load balancing mode, packets may be unable to be load balanced in the configured load balancing mode. To prevent this problem, cancel the configuration of the l4-src-port and l4-dst-port fields in the load balancing mode of IPv4 and MPLS packets. |
| VPLS packets | Ingress/Egress/Transit: top-label, fields in the inner ETH header (src-mac, dst-mac, and ETH TYPE), and 2nd-label | Ingress/Egress/Transit: inner-sip and inner-dip. NOTE: For VPLS packets, the load balancing mode based on fields in the inner Ethernet header (src-mac, dst-mac and eth-type) does not need to be configured, but the fields that participate in load balancing are affected by the load balancing mode configuration of the l2 [ src-mac \| dst-mac \| vlan \| eth-type ] * command. |
| Layer 2 packets except IPv4, IPv6, and MPLS packets | src-mac, dst-mac and vlan | src-mac, dst-mac, vlan, and eth-type |
| TRILL packets | Ingress node: src-mac, dst-mac, and vlan for Layer 2 packets; src-ip, dst-ip, l4-src-port, and l4-dst-port for Layer 3 packets | src-mac, dst-mac, src-ip, dst-ip, l4-src-port, l4-dst-port, and protocol |
| | Transit node: src-mac, dst-mac, vlan, src-ip, and dst-ip in the inner tag | src-mac, dst-mac, vlan, src-ip, and dst-ip |
| | Egress node: src-mac, dst-mac, vlan, src-ip, and dst-ip in the inner tag | src-mac, dst-mac, vlan, src-ip, and dst-ip |
| FCoE packets | dst-fcid and src-fcid | dst-fcid, src-fcid |

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run load-balance profile profile-name

A load balancing profile is configured and its view is displayed. profile-name
specifies the name of the load balancing profile.

By default, there is a load balancing profile named default.


Step 3 Run the following commands as required. You can configure load balancing modes
for Layer 2, IPv4, IPv6, MPLS, VPLS, TRILL, and FCoE packets, respectively.
● Run l2 [ src-mac | dst-mac | vlan | eth-type ] *

A load balancing mode is configured for Layer 2 packets (not IP packets) in
the specified load balancing profile.
NOTE

During Layer 2 forwarding, the switch load balances only IPv4, IPv6, 802.1ah, ARP, and
CFM packets based on eth-type.
During Layer 2 forwarding, an Eth-Trunk configured with Dot1q tunnel, VLAN stacking,
VLL, or VPLS cannot load balance packets based on the VLAN ID.
● Run ip [ src-ip | dst-ip | l4-src-port | l4-dst-port | protocol ] *

A load balancing mode is configured for IPv4 packets.


By default, the switch load balances IPv4 packets based on the source IP
address (src-ip), destination IP address (dst-ip), transport-layer source port
numbers (l4-src-port), and transport-layer destination port numbers (l4-dst-
port).
● Run ipv6 [ src-ip | dst-ip | protocol ] *

A load balancing mode is configured for IPv6 packets.


By default, the switch load balances IPv6 packets based on the source IP
address (src-ip), destination IP address (dst-ip), transport-layer source port
numbers (l4-src-port), and transport-layer destination port numbers (l4-dst-
port).
NOTE

To load balance IPv6 packets based on the transport-layer source and destination port
numbers, run the ip [ l4-src-port | l4-dst-port ] * command.
● Run mpls [ 2nd-label | 3rd-label | top-label ] * or mpls [ src-ip | dst-ip | l4-
src-port | l4-dst-port ] *
A load balancing mode is configured for MPLS packets in the specified load
balancing profile.
By default, MPLS packets are load balanced based on top-label, 2nd-label,
and fields in the inner IP header (IPv4/IPv6: src-ip, dst-ip, l4-src-port, and l4-
dst-port).


NOTE

On an IPv6 underlay network, if the IPv6 VXLAN function is enabled and the switch
functions as a transit or egress node on the MPLS network, configurations related to
the hash field in inner information in MPLS packets do not take effect in the load
balancing profile. In this scenario, the mpls inner-type { ipv4 | ipv6 | l2 | any }
command cannot be used to change the load balancing mode for MPLS packets in the
load balancing profile. Instead, you can use the source and destination IP addresses in
inner information in MPLS packets to configure a load balancing mode in the load
balancing profile.
– The mpls [ inner-ip | inner-ipv6 ] * command can be configured only when the
IPv6 VXLAN function is enabled. In addition, this command cannot be used to
configure a load balancing mode for VPLS packets. If the IPv6 VXLAN function is
disabled, the switch automatically deletes the configurations related to the mpls
[ inner-ip | inner-ipv6 ] * command.
– For the CE6870EI and CE6875EI, if MPLS packets with four or more labels are
received, Eth-Trunk or ECMP load balancing cannot be implemented based on the
inner IP header.
– For the CE6870EI and CE6875EI, if the implicit null label is disabled and the outer
label is popped out (for example, ASBR in inter-AS VPN Option B and inter-AS VPN
Option C networking), packets may be unable to be load balanced in the load
balancing mode using ECMP or Eth-Trunk based on the inner field in MPLS packets.
– The mpls [ inner-ip | inner-ipv6 ] * command takes effect only on the CE6875EI.
● Run user-defined ethernet-over-mpls [ dot1q-tag tag-number ] { inner-sip
sip-offset sip-nybble-number | inner-dip dip-offset dip-nybble-number } *
Load balancing based on the inner IP address of VPLS packets is configured
on the outbound Eth-Trunk on the transit node.
● Run fcoe { dst-fcid | src-fcid } *

A load balancing mode is configured for FCoE packets.


By default, the switch load balances FCoE packets based on the source FC_ID
(src-fcid) and destination FC_ID (dst-fcid).
● Run trill egress mode { l2 | ipv4 | ipv6 }
An Eth-Trunk load balancing mode is configured on egress and transit nodes
of the TRILL network.
By default, the Eth-Trunk load balancing mode on egress and transit nodes of
the TRILL network is ipv4.
– l2: indicates load balancing based on the source MAC address,
destination MAC address, and VLAN ID. The items used in load balancing
depend on the l2 command.
– ipv4: indicates load balancing based on the source MAC address,
destination MAC address, source IPv4 address, destination IPv4 address,
and VLAN ID. The items used in load balancing depend on the l2 and ip
commands.
– ipv6: indicates load balancing based on the source MAC address,
destination MAC address, source IPv6 address, destination IPv6 address,
and VLAN ID. The items used in load balancing depend on the l2 and
ipv6 commands.
● Run eth-trunk { src-interface | seed seed-data | universal-id universal-id |
hash-mode hash-mode-id } *
An Eth-Trunk load balancing mode is configured in the specified load
balancing profile.


NOTE

Packets forwarded at Layer 3 cannot be load balanced based on destination MAC
addresses, source MAC addresses, VLAN IDs, and Ethernet types.
Eth-Trunk and ECMP on the device share the same load balancing profile. The load
balancing mode configured using the l2, ip, ipv6, or mpls command takes effect for
both link aggregation and ECMP. The load balancing modes configured using the eth-
trunk (load-balance-profile view) and ecmp (load-balance-profile view)
commands take effect only for link aggregation and ECMP respectively.
When load balancing using both Eth-Trunk and ECMP is uneven, change the value of
universal-id or the hash mode.
● Run mode symmetry
A method is configured for an Eth-Trunk to hash a pair of flows to the same
interface.
By default, no method is configured for an Eth-Trunk to hash a pair of flows
to the same interface.

Step 4 Run commit

The configuration is committed.

----End

Follow-up Procedure
● Configure simulated calculation of an Eth-Trunk outbound interface.
Run the display load-balance forwarding-path unicast interface eth-trunk
trunk-id src-interface interface-type interface-number { ethtype ethtype-
number | vlan vlan-id | [ [ src-ip src-ip-data | dst-ip dst-ip-data ] * | [ src-ipv6
src-ipv6-data | dst-ipv6 dst-ipv6-data ] * ] | src-mac src-mac-data | dst-mac
dst-mac-data | protocol { protocol-number | icmp | igmp | ip | ospf | tcp [ l4-
src-port src-port-data | l4-dst-port dst-port-data ] * | udp [ l4-src-port src-
port-data | l4-dst-port dst-port-data ] * } } * slot slot-id command to
configure simulated calculation of an Eth-Trunk outbound interface after the
5-tuple information, source MAC address, and destination address are
specified.
● Verify the configuration.
Run the display port forwarding-path { src-ip src-ip-data | dst-ip dst-ip-data
| src-mac src-mac-data | dst-mac dst-mac-data | protocol { protocol-number |
gre | icmp | igmp | ip | ipinip | ospf | tcp [ l4-src-port src-port-data | l4-dst-
port dst-port-data ] * | udp [ l4-src-port src-port-data | l4-dst-port dst-port-
data ] * } } * [ enhanced ] command to check the outbound interface of
packets that contain specified 5-tuple information, source MAC address, and
destination MAC address.
Run the display port forwarding-path mpls { { src-ip src-ip-data [ ip-mask-
len | source-ip-mask ] | dst-ip dst-ip-data [ ip-mask-len | dst-ip-mask ] } * |
{ src-ipv6 src-ipv6-data [ ipv6-mask-len ] | dst-ipv6 dst-ipv6-data [ ipv6-
mask-len ] } * }{ transit label-number labelnum | ingress | egress label-
number labelnum } command to check the outbound interface of MPLS
packets that contain information such as the inner source IP address,
destination IP address, role, and number of labels.


3.7.9 (Optional) Configuring an Eth-Trunk Load Balancing Mode for PPPoE Packets

Context
By default, a CE switch processes received PPPoE packets as common Ethernet
packets. Figure 3-15 shows the format of PPPoE packets. The switch cannot
identify the 5-tuple information in PPPoE packets and performs the hash
algorithm based on the outer Ethernet frame of common Layer 2 packets by
default. Fields in the Layer 2 frames of PPPoE packets are fixed except the source
MAC address, so packets are often unevenly load balanced on an Eth-Trunk. To
improve the load balancing effect, use inner information of PPPoE packets for load
balancing.

Figure 3-15 Format of PPPoE packets

[Figure: an Ethernet frame (Destination address, Source address, Ether_Type,
PPPoE Packets, Checksum) whose payload is a PPPoE packet (Version, Type, Code,
Session_ID, Length, PPP Packet); the PPP packet in turn carries PPP, IP Packet,
and Padding fields.]

NOTE

The CE5880EI and CE6880EI can identify PPPoE packets and load balance the PPPoE
packets without configuring Eth-Trunk load balancing.

Procedure
● Configure a load balancing mode for PPPoE packets on the CE6870EI and
CE6875EI.
a. Run system-view

The system view is displayed.


b. Run load-balance eth-trunk pppoe { session-id | l4-src-port { ppp-
address-compression | ppp-protocol-compression | both | none } }

A load balancing mode is configured for PPPoE packets.

By default, the switch load balances PPPoE packets based on the source
MAC address (smac), destination MAC address (dmac), and VLAN ID
(vlan).

You can specify session-id and l4-src-port so that the switch load
balances PPPoE packets based on the session ID and transport-layer
source port of PPPoE packets.
c. Run commit


The configuration is committed.


● Configure a load balancing mode for PPPoE packets on other models
excluding the CE6870EI and CE6875EI.
a. Run system-view
The system view is displayed.
b. Run load-balance profile profile-name
The global load balancing profile view is displayed.
By default, the load balancing profile name is default.
c. Run eth-trunk hash-mode 8
The Eth-Trunk load balancing hash algorithm is set to 8.
d. Run quit
The system view is displayed.
e. Run load-balance ecmp
The ECMP view is displayed.
f. Run hashmode 7
The ECMP load balancing hash algorithm is set to 7.
g. Run quit
The system view is displayed.
h. Run load-balance pppoe { session-id | l4-src-port { ppp-address-
compression | ppp-protocol-compression | both | none } }
A load balancing mode is configured for PPPoE packets.
By default, the switch load balances PPPoE packets based on the source
MAC address (smac) and destination MAC address (dmac).
You can specify session-id and l4-src-port so that the switch load
balances PPPoE packets based on the session ID and transport-layer
source port of PPPoE packets.

NOTE

This command is supported only by the following models: CE6850HI, CE6850U-HI,
CE6851HI, CE6855HI, CE6856HI, CE6857EI, CE6860EI, CE6865EI, CE7800
series, and CE8800 series switches.
i. Run commit
The configuration is committed.
----End
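
An added Python model (not from the guide) of why PPPoE sessions hash unevenly on outer MAC addresses and what session-id or l4-src-port adds. The frames, MAC addresses and SHA-256 based hash are constructed stand-ins, and the mapping of the four compression keywords to PPP header layouts is an assumption based on standard PPP address/control and protocol field compression.

```python
import hashlib
import struct
from collections import Counter

ETH_PPPOE_SESSION = 0x8864  # EtherType of PPPoE session-stage frames

# ASSUMPTION: the l4-src-port keywords describe standard PPP address/control
# (FF 03) and protocol (00 21 -> 21) field compression. The value is the PPP
# header that sits between the 6-byte PPPoE header and the IP header.
PPP_HEADER = {
    "none": b"\xff\x03\x00\x21",
    "ppp-address-compression": b"\x00\x21",
    "ppp-protocol-compression": b"\xff\x03\x21",
    "both": b"\x21",
}


def build_frame(smac, dmac, session_id, sport, mode="ppp-address-compression"):
    """Constructed PPPoE session frame carrying a minimal IPv4/UDP packet."""
    udp = struct.pack("!HHHH", sport, 53, 8, 0)
    # IPv4 header with checksum left at 0; nothing here validates it.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([100, 64, 0, 1]), bytes([192, 0, 2, 53])) + udp
    ppp = PPP_HEADER[mode] + ip
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp))
    return dmac + smac + struct.pack("!H", ETH_PPPOE_SESSION) + pppoe + ppp


def parse_frame(frame, mode="ppp-address-compression"):
    """Extract candidate hash fields; 'mode' fixes the offset of the IP header."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_PPPOE_SESSION:
        raise ValueError("not a PPPoE session frame")
    ver_type, code, session_id, _length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11 or code != 0x00:
        raise ValueError("not PPPoE session data")
    ip_off = 20 + len(PPP_HEADER[mode])
    ihl = (frame[ip_off] & 0x0F) * 4
    if len(frame) < ip_off + ihl + 2:
        raise ValueError("frame too short for the configured offset")
    (sport,) = struct.unpack("!H", frame[ip_off + ihl:ip_off + ihl + 2])
    return {"macs": frame[6:12] + frame[0:6], "session_id": session_id,
            "l4_src_port": sport}


def link_for(key, links=4):
    """Stand-in hash (assumption): SHA-256 of the key, modulo the member count."""
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % links


def spread(frames, field, mode="ppp-address-compression", links=4):
    """Count frames per member link when hashing on a single parsed field."""
    counts = Counter()
    for frame in frames:
        value = parse_frame(frame, mode)[field]
        key = value if isinstance(value, bytes) else struct.pack("!H", value)
        counts[link_for(key, links)] += 1
    return counts


def sample_frames(n=400):
    """Constructed traffic: 400 sessions behind two access devices, one server."""
    server = bytes.fromhex("02aabbccdd01")
    access = [bytes.fromhex("020000000011"), bytes.fromhex("020000000012")]
    return [build_frame(access[i % 2], server, 1 + i, 20000 + i) for i in range(n)]


if __name__ == "__main__":
    frames = sample_frames()
    print("smac+dmac  :", dict(spread(frames, "macs")))
    print("session-id :", dict(spread(frames, "session_id")))
    print("l4-src-port:", dict(spread(frames, "l4_src_port")))
    # Offset keyword that does not match the traffic: every frame yields port 28.
    print("wrong mode :", dict(spread(frames, "l4_src_port", mode="none")))
```

With the constructed traffic, hashing on the MAC pair can use at most two of the four links. In this model, a keyword that does not match the PPP header layout makes every frame yield the same port value, so all traffic lands on one link.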

3.7.10 (Optional) Binding an Eth-Trunk Member Interface to a VLAN

Context
A server is often equipped with two or more network adapters. When a server
connects to a switch, one network adapter is used for server management and the
other network adapters are used for traffic forwarding. In this case, there is much
idle time on the network adapter used for server management and switch
interfaces, and the bandwidth use efficiency is low. To address this issue, upgrade
the server software so that the network adapter used for server management can
be also used for traffic forwarding. When the switch uses an Eth-Trunk to connect
to the server, one Eth-Trunk member interface can be bound to a VLAN for server
management. In addition, service VLANs can be configured on the Eth-Trunk so
that service traffic is load balanced among all Eth-Trunk member interfaces. The
bandwidth use efficiency is therefore improved.

NOTE

The CE6870EI and CE6875EI do not support this function.

NOTE

● This function applies to the scenario where a switch connects to a server, and it can only be
configured on the member interface connecting to the server's management NIC.
● In an Eth-Trunk, only one member interface can be bound to a VLAN or VLANs and one
member interface can be bound to a maximum of eight VLANs. Member interfaces of
multiple Eth-Trunks can be bound to the same VLAN.
● The switch supports a maximum of 256 bound VLANs. If N Eth-Trunk member interfaces
are bound to M VLANs, the maximum value of N multiplied by M is 256.
● After this command is configured, packets from the bound VLAN can be only forwarded
through the bound Eth-Trunk member interface. Non-unicast traffic on the Eth-Trunk can
be only forwarded through the bound Eth-Trunk member interface.
● When an Eth-Trunk member interface is bound to a VLAN or VLANs, VLAN mapping, VLAN
stacking, MUX VLAN, or FCoE VLAN cannot be configured.
● When an Eth-Trunk member interface is bound to a VLAN or VLANs, M-LAG cannot be
configured.
● If Layer 2 sub-interfaces are created on an Eth-Trunk and a member interface is bound to
an independent VLAN, the VLAN cannot connect to non-VXLAN tunnels.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number

The Eth-Trunk member interface view is displayed.

Step 3 Run trunk member binding vlan vlan-id

The Eth-Trunk member interface is bound to a VLAN.

By default, an Eth-Trunk member interface is not bound to a VLAN.

Step 4 Run commit

The configuration is committed.

----End

3.7.11 Verifying the Link Aggregation Configuration


Procedure
● Run the display eth-trunk [ trunk-id [ interface interface-type interface-
number | verbose ] | brief ] command to check the Eth-Trunk configuration.
● Run the display eth-trunk membership trunk-id command to check
information about Eth-Trunk member interfaces.
● Run the display load-balance profile [ profile-name ] command to check the
load balancing profile of the Eth-Trunk.
● Run the display forward eth-trunk mode command to check the number of
LAGs supported by the device.
----End

3.8 Configuring Link Aggregation in LACP Mode

3.8.1 (Optional) Setting the Number of LAGs

Context
Typically, the number of LAGs supported by a switch is fixed. However, you can
run the assign forward eth-trunk mode command to flexibly set the number of
LAGs supported by a switch, implementing flexible networking and meeting
diversified service requirements.

NOTE

The number of LAGs supported by the CE5810EI, CE5880EI, and CE6880EI is fixed. The
CE5810EI, CE5880EI, and CE6880EI do not support a variable number of LAGs.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run assign forward eth-trunk mode { 64 | 128 | 256 | 512 | 1024 }
The number of LAGs supported by the device is set.
For CE6870EI and CE6875EI, the number of LAGs supported by the device can be
set using the assign forward eth-trunk mode { 256 | 512 | 1024 } command.
By default, the CE6870EI and CE6875EI support 512 LAGs; other models support
128 LAGs.

NOTE

After the assign forward eth-trunk mode command is used to change the number of
LAGs supported by the device, restart the device to make the configuration take effect.

Step 3 Run commit


The configuration is committed.

----End


3.8.2 Creating a LAG

Context
Each LAG has one logical interface, that is, an Eth-Trunk. Before configuring link
aggregation, create an Eth-Trunk.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface eth-trunk trunk-id
An Eth-Trunk is created and the Eth-Trunk interface view is displayed.
If the specified Eth-Trunk already exists, this command directly displays the Eth-
Trunk interface view.
trunk-id defines the Eth-Trunk ID. The value ranges of different models are
different. Table 3-8 lists value ranges of different models.

Table 3-8 Value ranges of different models


| Product Model | Value Range |
|---|---|
| CE5810EI | The value range cannot be adjusted. The value of trunk-id is in the range 0 to 127. Each Eth-Trunk allows a maximum of eight member interfaces. |
| CE6870EI and CE6875EI | The value range can be adjusted using the assign forward eth-trunk mode { 256 \| 512 \| 1024 } command. ● When 256 is specified, the value is in the range 0 to 255. Each Eth-Trunk allows a maximum of 64 member interfaces. ● When 512 is specified, the value is in the range 0 to 511. Each Eth-Trunk allows a maximum of 32 member interfaces. The default value is 512. ● When 1024 is specified, the value is in the range 0 to 1023. Each Eth-Trunk allows a maximum of 16 member interfaces. |
| CE5880EI, CE6880EI | The value range cannot be adjusted. The value of trunk-id is in the range 0 to 1023. Each Eth-Trunk allows a maximum of 64 member interfaces. |
| Other models | The value range can be adjusted using the assign forward eth-trunk mode { 64 \| 128 \| 256 \| 512 \| 1024 } command. ● When 64 is specified, the value is in the range 0 to 63. Each Eth-Trunk allows a maximum of 32 member interfaces. ● When 128 is specified, the value is in the range 0 to 127. Each Eth-Trunk allows a maximum of 16 member interfaces. The default value is 128. ● When 256 is specified, the value is in the range 0 to 255. Each Eth-Trunk allows a maximum of 8 member interfaces. ● When 512 is specified, the value is in the range 0 to 511. Each Eth-Trunk allows a maximum of 4 member interfaces. ● When 1024 is specified, the value is in the range 0 to 1023. Each Eth-Trunk allows at most 2 member interfaces. |

Step 3 Run commit


The configuration is committed.

----End

3.8.3 Setting the Link Aggregation Mode to LACP

Context
Link aggregation can work in manual load balancing mode, static LACP mode, or
dynamic LACP mode.
In LACP mode, you must manually create an Eth-Trunk and add interfaces to the
Eth-Trunk. However, LACP controls active interfaces through negotiation.
Eth-Trunks in dynamic LACP mode are used only when a Huawei device connects
to a server. For other scenarios, configuring Eth-Trunks in static LACP mode is
recommended to reduce the chances of potential loops.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
Step 3 Configure a working mode of the Eth-Trunk.
Configure the static or dynamic LACP mode.


● When the two directly connected devices support LACP, static LACP is
recommended.
Run mode lacp-static
The Eth-Trunk is configured to work in static LACP mode.
Before configuring an Eth-Trunk, ensure that both devices use the same
working mode.
● When a device is directly connected to a server, the dynamic LACP mode is
often used. You can also use the static LACP mode.
Run mode lacp-dynamic
The Eth-Trunk is configured to work in dynamic LACP mode.

Step 4 Run commit

The configuration is committed.

----End

3.8.4 Adding Member Interfaces to an Eth-Trunk

Context
You can add member interfaces to an Eth-Trunk in the Eth-Trunk interface view or
member interface view.

When adding an interface to an Eth-Trunk, pay attention to the following points:

● On the CE5810EI, an Eth-Trunk contains a maximum of 8 member interfaces.
On the CE5880EI and CE6880EI, an Eth-Trunk contains a maximum of 64
member interfaces. On other models, the number of member interfaces in an
Eth-Trunk depends on the assign forward eth-trunk mode command. The
member interfaces in an Eth-Trunk must have the same type.
● When member interfaces are added to an Eth-Trunk, they must use the
default interface type and cannot be configured with some services or static
MAC address entries.
● Physical Ethernet interfaces, including split interfaces, can be added to an Eth-
Trunk. However, logical interfaces such as Layer 3 interfaces, VLANIF
interfaces, and Eth-Trunks cannot be added to an Eth-Trunk.
● An Ethernet interface can be added to only one Eth-Trunk. To add the
Ethernet interface to another Eth-Trunk, delete it from the Eth-Trunk first.
● Different Ethernet interfaces can be added to the same Eth-Trunk interface.
To enable interfaces operating at different rates to forward traffic after they
are added to an Eth-Trunk in LACP mode, run the lacp mixed-rate link
enable command.
When Eth-Trunk member interfaces work at different rates, the active
interface is selected as follows: select an Actor based on the system priority
and system ID, and then select the active interface based on the port priority
and port ID of the Actor. To configure a specific interface as the active
interface, run the lacp priority command in the interface view to increase the
interface priority.


● If an interface of the local device is added to an Eth-Trunk, an interface of the
remote device directly connected to the interface of the local device must also
be added to an Eth-Trunk so that the two ends can communicate.
● After interfaces are added to an Eth-Trunk, the Eth-Trunk learns MAC
addresses and ARP entries but member interfaces do not.
● Devices at both ends of an Eth-Trunk must use the same number of physical
interfaces, interface rate, duplex mode, jumbo frame setting, and flow control
mode.
● In a stack scenario, it is recommended that the number of member interfaces
added to an LAG be a power of 2. Otherwise, unknown unicast traffic
may be unevenly load balanced.

Procedure
● Add member interfaces to an Eth-Trunk in the Eth-Trunk interface view.
a. Run system-view

The system view is displayed.


b. Run interface eth-trunk trunk-id

The Eth-Trunk interface view is displayed.


c. (Optional) Run lacp mixed-rate link enable

Interfaces operating at different rates are enabled to forward packets
after the interfaces are added to an Eth-Trunk interface in static LACP
mode.

NOTE

The rate of the interface added to the Eth-Trunk interface is not limited. For
example, 10G and 100G interfaces can be added to the same Eth-Trunk interface.
d. Run trunkport interface-type { interface-number1 [ to interface-number2 ] } &<1-n>
NOTE

For the CE5810EI, the value of n is 8. For the CE5880EI and CE6880EI, the value of n
is 64. For other models, the value of n depends on the assign forward eth-trunk
mode command.

A member interface is added to the Eth-Trunk.

When you add member interfaces to an Eth-Trunk in a batch, if one
interface cannot be added to the Eth-Trunk, all subsequent interfaces in
the batch cannot be added to the Eth-Trunk, either.
e. Run commit

The configuration is committed.


● Add member interfaces to an Eth-Trunk in the member interface view.
a. Run system-view

The system view is displayed.


b. Run interface interface-type interface-number

The member interface view is displayed.


c. Run eth-trunk trunk-id

The member interface is added to an Eth-Trunk.


d. Run commit

The configuration is committed.

----End

Follow-up Procedure
When the status of an Eth-Trunk member interface changes, the system sends
traps containing the status change information for you to confirm whether the
device encounters any fault. If you want to know the ID of the Eth-Trunk to which
the member interface belongs, run the trunk-member trap in private-mib
enable command to enable Eth-Trunk member interfaces to send traps through a
private MIB. Traps sent through a private MIB carry the number of the specific
Eth-Trunk interface.

After the trunk-member trap in private-mib enable command is run, traps are
sent through a private MIB, instead of a public MIB. In this case, you can view the
traps only by using the private MIB of Huawei.

3.8.5 (Optional) Setting the Upper and Lower Thresholds for the Number of Active Interfaces

Context
The number of Up member links affects the status and bandwidth of an Eth-
Trunk. To ensure that the Eth-Trunk functions properly and is less affected by
member link status changes, set the following thresholds.

● Lower threshold for the number of active interfaces: When the number of
active interfaces falls below this threshold, the Eth-Trunk goes Down. This
guarantees the Eth-Trunk a minimum available bandwidth.
● Upper threshold for the number of active interfaces: When the number of
active interfaces reaches this threshold, you can add new member interfaces
to the Eth-Trunk, but excess member interfaces enter the Down state. This
improves network reliability with assured bandwidth.

The upper threshold for the number of active interfaces at the local end can be
different from that at the remote end. If the two values are different, the smaller
one is used.
NOTE

After the upper and lower thresholds for the number of active interfaces are set, the range
of the active interface quantity is specified. Depending on the negotiation result of the local
and remote ends on a link, the number of active interfaces can reach the upper threshold
at most. The active interface is selected as follows: select an Actor based on the system
priority and system ID, and then select the active interface based on the port priority and
port ID of the Actor. To configure a specific interface as the active interface, run the lacp
priority command in the interface view to increase the interface priority.


Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface eth-trunk trunk-id

The Eth-Trunk interface view is displayed.

Step 3 Run least active-linknumber link-number

The lower threshold for the number of active interfaces is set.

By default, the lower threshold for the number of active interfaces is 1.

The lower threshold for the number of active interfaces on the local device can be
different from that on the remote device. If the two values are different, the larger
one is used.

Step 4 Run lacp max active-linknumber link-number

The upper threshold for the number of active interfaces is set.

By default, the upper threshold for the number of active interfaces is 8 on the
CE5810EI and 64 on the CE5880EI and CE6880EI. On other models, the upper
threshold for the number of active interfaces depends on the assign forward
eth-trunk mode command:

For the CE6870EI and CE6875EI:


● When 256 is specified, the maximum number of active interfaces is 64.
● When 512 is specified, the maximum number of active interfaces is 32.
● When 1024 is specified, the maximum number of active interfaces is 16.

For other models except the CE6870EI and CE6875EI:


● When 64 is specified, the maximum number of active interfaces is 32.
● When 128 is specified, the maximum number of active interfaces is 16.
● When 256 is specified, the maximum number of active interfaces is 8.
● When 512 is specified, the maximum number of active interfaces is 4.
● When 1024 is specified, the maximum number of active interfaces is 2.

The upper threshold for the number of active interfaces must be greater than or
equal to the lower threshold for the number of active interfaces.

Step 5 Run commit

The configuration is committed.

----End
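
The selection and threshold rules described in 3.8.4 and 3.8.5, as an added Python model (an illustration written for this section, not code from Huawei or from this guide). It assumes, following the IEEE 802.1AX convention, that a smaller priority value means a higher priority and that ties are broken by the smaller system ID or port ID; the device names, MAC addresses, and interface numbers are constructed sample values.

```python
"""Model of LACP active-interface selection between two directly connected
devices, including the upper and lower active-link thresholds."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    name: str
    priority: int      # lacp priority; assumption: smaller value = higher priority
    port_id: int
    up: bool = True


@dataclass(frozen=True)
class Device:
    name: str
    system_priority: int   # assumption: smaller value = higher priority
    system_id: str         # system MAC address, e.g. "00e0-fc00-0001"
    least_active: int      # least active-linknumber
    max_active: int        # lacp max active-linknumber
    ports: tuple           # ports[i] is cabled to the peer's ports[i]


def _mac_to_int(mac: str) -> int:
    return int(mac.replace("-", "").replace(":", ""), 16)


def select_active(local: Device, remote: Device) -> dict:
    """Return the Actor, the effective thresholds, and the selected links."""
    for dev in (local, remote):
        if dev.max_active < dev.least_active:
            raise ValueError(f"{dev.name}: upper threshold is below the lower threshold")
    if len(local.ports) != len(remote.ports):
        raise ValueError("both ends must use the same number of physical interfaces")

    # The Actor is chosen by system priority, then system ID.
    actor = min((local, remote),
                key=lambda d: (d.system_priority, _mac_to_int(d.system_id)))
    # Differing thresholds: the smaller upper and the larger lower value apply.
    upper = min(local.max_active, remote.max_active)
    lower = max(local.least_active, remote.least_active)

    # Only links that are Up at both ends can be selected; the Actor's port
    # priority and port ID decide the order. The other end's port priorities
    # play no part.
    usable = [i for i in range(len(local.ports))
              if local.ports[i].up and remote.ports[i].up]
    usable.sort(key=lambda i: (actor.ports[i].priority, actor.ports[i].port_id))
    selected, standby = usable[:upper], usable[upper:]
    return {
        "actor": actor.name,
        "upper": upper,
        "lower": lower,
        "active": [local.ports[i].name for i in selected],
        "standby": [local.ports[i].name for i in standby],
        # Below the lower threshold the Eth-Trunk goes Down.
        "trunk_up": len(selected) >= lower,
    }


def build_example(down=()):
    """Constructed sample: three links between SwitchA and SwitchB."""
    a_ports = tuple(Port(f"10GE1/0/{n}", prio, n, f"10GE1/0/{n}" not in down)
                    for n, prio in ((1, 32768), (2, 32768), (3, 1)))
    b_ports = tuple(Port(f"10GE1/0/{n}", prio, n)
                    for n, prio in ((1, 32768), (2, 100), (3, 32768)))
    switch_a = Device("SwitchA", 32768, "00e0-fc00-0001", 1, 2, a_ports)
    switch_b = Device("SwitchB", 100, "00e0-fc00-0002", 2, 3, b_ports)
    return switch_a, switch_b


if __name__ == "__main__":
    for down in ((), ("10GE1/0/2",), ("10GE1/0/2", "10GE1/0/3")):
        print(down, select_active(*build_example(down)))
```

In the sample, SwitchA gives its third port the best priority value, yet that port stays on standby because SwitchB is the Actor and only the Actor's port priorities are consulted.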

3.8.6 (Optional) Configuring the Weight of Load Balancing for a Member Interface


Context
On an Eth-Trunk interface, you can load balance traffic among member interfaces
according to the weights configured for the member interfaces.
The higher the weight of a member interface, the heavier the load over the
member link. Therefore, you can configure a higher weight for a member interface
so that the member link can carry a heavier load.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The Eth-Trunk member interface view is displayed.
Step 3 Run distribute-weight weight-value
The load balancing weight is configured for the Eth-Trunk member interface.
The default weight of an Eth-Trunk member interface is 1.
The total weight of member interfaces in an Eth-Trunk cannot exceed the
maximum number of member interfaces allowed.
Step 4 Run commit
The configuration is committed.

----End

3.8.7 (Optional) Configuring a Load Balancing Mode (CE Switches Excluding the CE6870EI and CE6875EI)

Context
An Eth-Trunk supports per-packet load balancing and per-flow load balancing.
● Per-packet load balancing can improve Eth-Trunk bandwidth efficiency to
ensure even load balancing among equal-cost routes, but cannot prevent
packet mis-sequencing. To ensure packet sequencing, confirm that the device
or terminal receiving traffic supports packet reassembly in case of packet mis-
sequencing. Switches support the following per-packet load balancing modes:
– Random mode: The outbound interface of packets is generated randomly
and calculated based on the time when the packets reach the Eth-Trunk.
When the IP address and MAC address of known unicast packets remain
unchanged, configure random per-packet load balancing.
– Round-robin mode: Eth-Trunk member interfaces forward traffic in turn.
When known unicast packets have a similar length, configure round-
robin per-packet load balancing.
● Per-flow load balancing ensures that packets of the same data flow are
forwarded on the same physical link and those of different data flows are
forwarded on different physical links. Table 3-9 lists the load balancing
modes for different types of packets.

Table 3-9 Load balancing modes for different types of packets

Packet (Inbound Interface): IPv4 packets
Default Load Balancing Mode: src-ip, dst-ip, l4-src-port and l4-dst-port
Configurable Load Balancing Mode: src-ip, dst-ip, l4-src-port, l4-dst-port, and
protocol
Remarks: The load balancing mode is relevant to the packet type and irrelevant
to the packet forwarding process. For example, even if the system provides only
Layer 2 forwarding for IPv4 packets, the IPv4 packets are load balanced
according to the load balancing mode for IPv4 packets. When the system cannot
identify IPv4, IPv6, or MPLS packets, the system load balances packets based on
src-mac, dst-mac, src-interface, and eth-type for Layer 2 packets.

Packet (Inbound Interface): IPv6 packets
Default Load Balancing Mode: src-ip, dst-ip, l4-src-port, and l4-dst-port
Configurable Load Balancing Mode: src-ip, dst-ip, protocol, l4-src-port, and
l4-dst-port

Packet (Inbound Interface): MPLS packets
Default Load Balancing Mode: Ingress/Egress/Transit: top-label and 2nd-label
Configurable Load Balancing Mode:
● For switches excluding the CE6865EI, CE6857EI, CE8861EI, and CE8868EI:
Ingress/Egress/Transit: top-label, 2nd-label, dst-ip, and src-ip
● For the CE6865EI, CE6857EI, CE8861EI, and CE8868EI:
Ingress/Egress/Transit: top-label, 2nd-label, 3rd-label, 4th-label, 5th-label,
dst-ip, src-ip, and src-interface

Packet (Inbound Interface): Layer 2 packets except IPv4, IPv6, and MPLS packets
Default Load Balancing Mode: src-mac and dst-mac
Configurable Load Balancing Mode: src-mac, dst-mac, src-interface, and eth-type

Packet (Inbound Interface): TRILL packets
Default Load Balancing Mode: Ingress node: inner src-mac and dst-mac for
Layer 2 packets; src-ip, dst-ip, l4-src-port, and l4-dst-port for Layer 3 packets
Configurable Load Balancing Mode: src-mac, dst-mac, src-ip, dst-ip,
src-interface, l4-src-port, l4-dst-port
Default Load Balancing Mode: Transit/Egress node: inner src-mac and dst-mac for
Layer 2 packets; src-ip, dst-ip, l4-src-port, and l4-dst-port for Layer 3 packets
Configurable Load Balancing Mode: src-mac, dst-mac, src-ip, dst-ip, l4-src-port
and l4-dst-port
Remarks: TRILL packets can be load balanced on the transit node only when the
load-balance enhanced [ resilient ] profile profile-name command is used.

Packet (Inbound Interface): FCoE packets
Default Load Balancing Mode: dst-fcid and src-fcid
Configurable Load Balancing Mode: dst-fcid and src-fcid
Remarks: -

NOTE

Load balancing is valid only for outgoing traffic; therefore, the load balancing modes for the
interfaces at both ends of the link can be different and do not affect each other.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 (Optional) Run load-balance profile profile-name

A load balancing profile is configured and its view is displayed. profile-name
specifies the name of the load balancing profile.

By default, there is a load balancing profile named default.

Run the following commands as required. You can configure a load balancing
mode for Layer 2 packets, IPv4 packets, IPv6 packets, FCoE, and MPLS packets
respectively.

● Run l2 [ src-mac | dst-mac | src-interface | eth-type ] *

A load balancing mode is configured for Layer 2 packets (non-IP packets).


By default, the switch load balances Layer 2 packets (non-IP packets) based
on the source MAC address (src-mac) and destination MAC address (dst-
mac).


● Run ip [ src-ip | dst-ip | l4-src-port | l4-dst-port | protocol ] *

A load balancing mode is configured for IPv4 packets.


By default, the switch load balances IPv4 packets based on the source IP
address (src-ip), destination IP address (dst-ip), transport-layer source port
numbers (l4-src-port), and transport-layer destination port numbers (l4-dst-
port).
● Run ipv6 [ src-ip | dst-ip | protocol | l4-src-port | l4-dst-port ] *

A load balancing mode is configured for IPv6 packets.


By default, the switch load balances IPv6 packets based on the source IP
address (src-ip), destination IP address (dst-ip), transport-layer source port
numbers (l4-src-port), and transport-layer destination port numbers (l4-dst-
port).
● Run mpls [ top-label | dst-ip | src-ip | 2nd-label | 3rd-label | 4th-label | 5th-
label | src-interface ] *
A load balancing mode is configured for MPLS packets.
By default, the switch load balances MPLS packets based on the two outer
labels (top-label and 2nd-label).
NOTE

Only the CE6865EI, CE6857EI, CE8861EI, and CE8868EI support 3rd-label, 4th-label,
5th-label, and src-interface. If src-ip or dst-ip is configured, 4th-label or 5th-label
cannot be configured.
In V200R005C10 and earlier versions, if 4th-label and 5th-label are configured for
load balancing of MPLS packets in the load balancing profile view or ECMP view, this
configuration takes effect for both Eth-Trunk and ECMP. The load balancing mode
based on src-ip and dst-ip conflicts with that based on 4th-label and 5th-label, and
the last delivered configuration takes effect. Therefore, the effective load balancing
mode is inconsistent with that in the configuration file.
● Run fcoe { dst-fcid | src-fcid } *

A load balancing mode is configured for FCoE packets.


By default, the switch load balances FCoE packets based on the source FC_ID
(src-fcid) and destination FC_ID (dst-fcid).
● Run eth-trunk { hash-mode hash-mode-id | universal-id universal-id } *

A load balancing mode is configured for the Eth-Trunk.


By default, an Eth-Trunk load balances packets based on hash-mode (1) and
universal-id (1).
On the CE5880EI and CE6880EI, hash-mode has a fixed value of 1.
● Run stack { hash-mode hash-mode-id | universal-id universal-id } *

A load balancing mode is configured for a stack port or fabric port in the
specified load balancing profile.
By default, a stack port or fabric port load balances packets based on hash-
mode (1) and universal-id (1) in a load balancing profile.

Step 3 (Optional) Run quit

Return to the system view.

Step 4 Run the following commands as required.


● Configure a load balancing mode for known unicast traffic.


a. Run interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
b. Run load-balance { dst-ip | dst-mac | random | round-robin | src-ip |
src-mac | src-dst-ip | src-dst-mac | enhanced [ resilient ] profile profile-
name }
A load balancing mode is configured for the Eth-Trunk.
By default, the load balancing mode of the Eth-Trunk is enhanced
profile.
NOTE

Only the CE8868EI, CE8861EI, CE7855EI, CE7850EI, CE6880EI, CE6865EI, CE6857EI,
CE6856HI, CE6855HI, CE6851HI, CE6850HI, CE6850U-HI, and CE5880EI support the
resilient parameter.
Only the CE8868EI, CE8861EI, CE8860EI, CE8850EI, CE7855EI, CE7850EI, CE6865EI,
CE6860EI, and CE6857EI support the random and round-robin parameters.

▪ dst-ip: based on destination IP addresses
▪ dst-mac: based on destination MAC addresses
▪ random: The outbound interface of packets is generated randomly
and calculated based on the time when the packets reach the Eth-
Trunk. When the IP address and MAC address of known unicast
packets do not change, use this mode to perform packet-based load
balancing so that traffic is load balanced. The random mode causes
the mis-sequencing problem. Ensure that the receiving device or
terminal supports reassembly of mis-sequenced packets.
▪ round-robin: Each Eth-Trunk member interface forwards traffic in
turn. For known unicast traffic, if packets have approximate lengths,
configure this load balancing mode to achieve even load balancing.
This mode may cause the mis-sequencing problem. Ensure that the
receiving device or terminal supports reassembly of mis-sequenced
packets.
▪ src-ip: based on source IP addresses
▪ src-mac: based on source MAC addresses
▪ src-dst-ip: based on the Exclusive-Or result of source and destination
IP addresses
▪ src-dst-mac: based on the Exclusive-Or result of source and
destination MAC addresses
▪ enhanced [ resilient ] profile: based on the fields in the global load
balancing profile. resilient indicates that as little traffic as possible
is switched between links when links are added or removed, so that
only some traffic is switched between links. For example, an LAG has
three member links, data is forwarded based on the hash key, and
one link is faulty. When resilient is not specified, traffic is reallocated
on the other two links. When resilient is specified, traffic that has
been allocated on the other two links remains unchanged, and traffic
on the faulty link is evenly allocated on the two links. Therefore,
there is less impact on services. When the faulty link recovers, some
traffic on the other two links is switched to it. Traffic allocation on
links is different from that before the fault occurrence.
NOTE

The CE5810-48T4S-EI uses dual chips that are connected through two
interfaces. Traffic between chips is load balanced between the two
interfaces. The load balancing mode is the same as enhanced profile on an
Eth-Trunk. When the global load balancing mode is changed, the load
balancing mode on two interfaces between chips is also affected.
c. Run commit
The configuration is committed.
● Configure a load balancing mode for unknown unicast traffic.
a. Run load-balance unknown-unicast { mac | enhanced }
A load balancing mode is configured.
By default, the load balancing mode is enhanced.
b. Run commit
The configuration is committed.

----End

Follow-up Procedure
● Configure simulated calculation of an Eth-Trunk outbound interface.
Configure simulated calculation of an Eth-Trunk outbound interface after
specifying the 5-tuple information, source MAC address, and destination
address.
display load-balance forwarding-path unicast interface eth-trunk trunk-id src-interface interface-type interface-number { ethtype ethtype-number | vlan vlan-id | [ [ src-ip src-ip-data | dst-ip dst-ip-data ] * | [ src-ipv6 src-ipv6-data | dst-ipv6 dst-ipv6-data ] * ] | src-mac src-mac-data | dst-mac dst-mac-data | protocol { protocol-number | icmp | igmp | ip | ospf | tcp [ l4-src-port src-port-data | l4-dst-port dst-port-data ] * | udp [ l4-src-port src-port-data | l4-dst-port dst-port-data ] * } } * slot slot-id
● Verifying the Configuration
Verify the outbound interface of packets that contain specified 5-tuple
information, source MAC address, and destination MAC address.
display port forwarding-path { src-ip src-ip-data | dst-ip dst-ip-data | src-mac src-mac-data | dst-mac dst-mac-data | protocol { protocol-number | gre | icmp | igmp | ip | ipinip | ospf | tcp [ l4-src-port src-port-data | l4-dst-port dst-port-data ] * | udp [ l4-src-port src-port-data | l4-dst-port dst-port-data ] * } } *
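
The difference between enhanced profile with and without resilient, described in Step 4 above, as an added Python model (an illustration written for this section, not the switch's hash algorithm and not code from this guide). The CRC32 hash, the 64-entry bucket table, the interface names, and the flows are constructed assumptions chosen only to reproduce the three-link example in the text.

```python
"""Per-flow hashing over an Eth-Trunk: plain modulo selection compared with a
resilient bucket table, for the three-member-link example in the text."""
import zlib
from collections import Counter

MEMBERS = ("10GE1/0/1", "10GE1/0/2", "10GE1/0/3")   # constructed sample names


def flow_hash(flow) -> int:
    """Deterministic stand-in for the hash key built from the 5-tuple."""
    return zlib.crc32("|".join(map(str, flow)).encode())


def plain_select(flow, members):
    """Non-resilient model: index straight into the current member list."""
    return members[flow_hash(flow) % len(members)]


class ResilientTrunk:
    """Resilient model: flows hash to fixed buckets, buckets map to links."""

    def __init__(self, members, buckets=64):
        self.members = list(members)
        self.table = [self.members[i % len(self.members)] for i in range(buckets)]

    def select(self, flow):
        return self.table[flow_hash(flow) % len(self.table)]

    def link_down(self, failed):
        """Reassign only the failed link's buckets, evenly, to the survivors."""
        if len(self.members) < 2:
            raise ValueError("no surviving member link")
        self.members.remove(failed)
        turn = 0
        for i, owner in enumerate(self.table):
            if owner == failed:
                self.table[i] = self.members[turn % len(self.members)]
                turn += 1

    def link_up(self, recovered):
        """Give the recovered link a fair share, taken from over-loaded links."""
        self.members.append(recovered)
        share = len(self.table) // len(self.members)
        load = Counter(self.table)
        moved = 0
        for i, owner in enumerate(self.table):
            if moved == share:
                break
            if load[owner] > share:
                load[owner] -= 1
                self.table[i] = recovered
                moved += 1


def sample_flows(n=2000):
    """Constructed 5-tuples: (src-ip, dst-ip, protocol, l4-src-port, l4-dst-port)."""
    return [(f"10.0.{i % 250}.{i % 200 + 1}", "192.0.2.10", 6, 1024 + i, 443)
            for i in range(n)]


def failover_impact(flows, failed="10GE1/0/2"):
    """Count flows that were NOT on the failed link but still changed links."""
    survivors = [m for m in MEMBERS if m != failed]
    trunk = ResilientTrunk(MEMBERS)
    plain_before = {f: plain_select(f, MEMBERS) for f in flows}
    res_before = {f: trunk.select(f) for f in flows}
    trunk.link_down(failed)
    plain_moved = sum(1 for f in flows if plain_before[f] != failed
                      and plain_select(f, survivors) != plain_before[f])
    res_moved = sum(1 for f in flows if res_before[f] != failed
                    and trunk.select(f) != res_before[f])
    return plain_moved, res_moved


if __name__ == "__main__":
    print("flows disturbed on healthy links (plain, resilient):",
          failover_impact(sample_flows()))
```

After link_up, the bucket table no longer matches the table before the fault, which corresponds to the statement that traffic allocation after recovery differs from the allocation before the fault.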

3.8.8 (Optional) Configuring a Load Balancing Mode (CE6870EI and CE6875EI)

Context
An Eth-Trunk uses flow-based load balancing. Per-flow load balancing ensures
that packets of the same data flow are forwarded on the same physical link and
those of different data flows are forwarded on different physical links.


Load balancing is valid only for outgoing traffic; therefore, interfaces at both ends
of the link can use different load balancing modes.
Table 3-10 lists load balancing modes for different types of packets.

Table 3-10 Load balancing modes for different types of packets

Packet (Inbound Interface): IPv4 packets
Default Load Balancing Mode: src-ip, dst-ip, l4-src-port, and l4-dst-port
Configurable Load Balancing Mode: src-ip, dst-ip, l4-src-port, l4-dst-port, and
protocol

Packet (Inbound Interface): IPv6 packets
Default Load Balancing Mode: src-ip, dst-ip, l4-src-port, and l4-dst-port
Configurable Load Balancing Mode: src-ip, dst-ip, l4-src-port, l4-dst-port, and
protocol
NOTE
IPv6 packet load balancing modes, l4-src-port and l4-dst-port, are affected by
the l4-src-port and l4-dst-port fields of IPv4 packets. That is, when the load
balancing modes of IPv4 packets include l4-src-port or l4-dst-port, the
l4-src-port or l4-dst-port field also participates in load balancing of IPv6
packets.

Packet (Inbound Interface): MPLS packets
Default Load Balancing Mode: Ingress/Egress/Transit: top-label, 2nd-label,
fields in the inner IP header (IPv4: src-ip, dst-ip, l4-src-port, and
l4-dst-port; IPv6: src-ip, dst-ip, l4-src-port, and l4-dst-port), and 2nd-label
Configurable Load Balancing Mode: Ingress/Egress/Transit: top-label, 2nd-label,
and 3rd-label
NOTE
The load balancing mode based on fields in the inner IP header (IPv4: src-ip,
dst-ip, l4-src-port, and l4-dst-port; IPv6: src-ip, dst-ip, l4-src-port, and
l4-dst-port) does not need to be configured, but the fields that participate in
load balancing are affected by the load balancing mode configuration of IPv4
and IPv6 packets. If the l4-src-port and l4-dst-port fields are specified in
the configured load balancing mode, packets may be unable to be load balanced
in the configured load balancing mode. To prevent this problem, cancel the
configuration of the l4-src-port and l4-dst-port fields in the load balancing
mode of IPv4 and MPLS packets.

Packet (Inbound Interface): VPLS packets
Default Load Balancing Mode: Ingress/Egress/Transit: top-label, fields in the
inner ETH header (src-mac, dst-mac, and ETH TYPE), and 2nd-label
Configurable Load Balancing Mode: Ingress/Egress/Transit: inner-sip and
inner-dip
NOTE
For VPLS packets, the load balancing mode based on fields in the inner Ethernet
header (src-mac, dst-mac and eth-type) does not need to be configured, but the
fields that participate in load balancing are affected by the load balancing
mode configuration of the l2 [ src-mac | dst-mac | vlan | eth-type ] * command.

Packet (Inbound Interface): Layer 2 packets except IPv4, IPv6, and MPLS packets
Default Load Balancing Mode: src-mac, dst-mac and vlan
Configurable Load Balancing Mode: src-mac, dst-mac, vlan, and eth-type

Packet (Inbound Interface): TRILL packets
Default Load Balancing Mode: Ingress node: src-mac, dst-mac, and vlan for
Layer 2 packets; src-ip, dst-ip, l4-src-port, and l4-dst-port for Layer 3
packets
Configurable Load Balancing Mode: src-mac, dst-mac, src-ip, dst-ip,
l4-src-port, l4-dst-port, and protocol
Default Load Balancing Mode: Transit node: src-mac, dst-mac, vlan, src-ip, and
dst-ip in the inner tag
Configurable Load Balancing Mode: src-mac, dst-mac, vlan, src-ip, and dst-ip
Default Load Balancing Mode: Egress node: src-mac, dst-mac, vlan, src-ip, and
dst-ip in the inner tag
Configurable Load Balancing Mode: src-mac, dst-mac, vlan, src-ip, and dst-ip

Packet (Inbound Interface): FCoE packets
Default Load Balancing Mode: dst-fcid and src-fcid
Configurable Load Balancing Mode: dst-fcid, src-fcid

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run load-balance profile profile-name
A load balancing profile is configured and its view is displayed. profile-name
specifies the name of the load balancing profile.
By default, there is a load balancing profile named default.
Step 3 Run the following commands as required. You can configure load balancing modes
for Layer 2, IPv4, IPv6, MPLS, VPLS, TRILL, and FCoE packets, respectively.
● Run l2 [ src-mac | dst-mac | vlan | eth-type ] *

A load balancing mode is configured for Layer 2 packets (not IP packets) in
the specified load balancing profile.
NOTE

During Layer 2 forwarding, the switch load balances only IPv4, IPv6, 802.1ah, ARP, and
CFM packets based on eth-type.
During Layer 2 forwarding, an Eth-Trunk configured with Dot1q tunnel, VLAN stacking,
VLL, or VPLS cannot load balance packets based on the VLAN ID.
● Run ip [ src-ip | dst-ip | l4-src-port | l4-dst-port | protocol ] *

A load balancing mode is configured for IPv4 packets.


By default, the switch load balances IPv4 packets based on the source IP
address (src-ip), destination IP address (dst-ip), transport-layer source port
numbers (l4-src-port), and transport-layer destination port numbers (l4-dst-
port).


● Run ipv6 [ src-ip | dst-ip | protocol ] *

A load balancing mode is configured for IPv6 packets.


By default, the switch load balances IPv6 packets based on the source IP
address (src-ip), destination IP address (dst-ip), transport-layer source port
numbers (l4-src-port), and transport-layer destination port numbers (l4-dst-
port).
NOTE

To load balance IPv6 packets based on the transport-layer source and destination port
numbers, run the ip [ l4-src-port | l4-dst-port ] * command.
● Run mpls [ 2nd-label | 3rd-label | top-label ] * or mpls [ src-ip | dst-ip |
l4-src-port | l4-dst-port ] *
A load balancing mode is configured for MPLS packets in the specified load
balancing profile.
By default, MPLS packets are load balanced based on top-label, 2nd-label,
and fields in the inner IP header (IPv4/IPv6: src-ip, dst-ip, l4-src-port, and l4-
dst-port).
NOTE

On an IPv6 underlay network, if the IPv6 VXLAN function is enabled and the switch
functions as a transit or egress node on the MPLS network, configurations related to
the hash field in inner information in MPLS packets do not take effect in the load
balancing profile. In this scenario, the mpls inner-type { ipv4 | ipv6 | l2 | any }
command cannot be used to change the load balancing mode for MPLS packets in the
load balancing profile. Instead, you can use the source and destination IP addresses in
inner information in MPLS packets to configure a load balancing mode in the load
balancing profile.
– The mpls [ inner-ip | inner-ipv6 ] * command can be configured only when the
IPv6 VXLAN function is enabled. In addition, this command cannot be used to
configure a load balancing mode for VPLS packets. If the IPv6 VXLAN function is
disabled, the switch automatically deletes the configurations related to the mpls
[ inner-ip | inner-ipv6 ] * command.
– For the CE6870EI and CE6875EI, if MPLS packets with four or more labels are
received, Eth-Trunk or ECMP load balancing cannot be implemented based on the
inner IP header.
– For the CE6870EI and CE6875EI, if the implicit null label is disabled and the outer
label is popped out (for example, ASBR in inter-AS VPN Option B and inter-AS VPN
Option C networking), packets may be unable to be load balanced in the load
balancing mode using ECMP or Eth-Trunk based on the inner field in MPLS packets.
– The mpls [ inner-ip | inner-ipv6 ] * command takes effect only on the CE6875EI.
● Run user-defined ethernet-over-mpls [ dot1q-tag tag-number ] { inner-sip
sip-offset sip-nybble-number | inner-dip dip-offset dip-nybble-number } *
Load balancing based on the inner IP address of VPLS packets is configured
on the outbound Eth-Trunk on the transit node.
● Run fcoe { dst-fcid | src-fcid } *

A load balancing mode is configured for FCoE packets.


By default, the switch load balances FCoE packets based on the source FC_ID
(src-fcid) and destination FC_ID (dst-fcid).
● Run trill egress mode { l2 | ipv4 | ipv6 }
An Eth-Trunk load balancing mode is configured on egress and transit nodes
of the TRILL network.

By default, the Eth-Trunk load balancing mode on egress and transit nodes of
the TRILL network is ipv4.
– l2: indicates load balancing based on the source MAC address,
destination MAC address, and VLAN ID. The items used in load balancing
depend on the l2 command.
– ipv4: indicates load balancing based on the source MAC address,
destination MAC address, source IPv4 address, destination IPv4 address,
and VLAN ID. The items used in load balancing depend on the l2 and ip
commands.
– ipv6: indicates load balancing based on the source MAC address,
destination MAC address, source IPv6 address, destination IPv6 address,
and VLAN ID. The items used in load balancing depend on the l2 and
ipv6 commands.
● Run eth-trunk { src-interface | seed seed-data | universal-id universal-id |
hash-mode hash-mode-id } *
An Eth-Trunk load balancing mode is configured in the specified load
balancing profile.
NOTE

Packets forwarded at Layer 3 cannot be load balanced based on destination MAC
addresses, source MAC addresses, VLAN IDs, and Ethernet types.
Eth-Trunk and ECMP on the device share the same load balancing profile. The load
balancing mode configured using the l2, ip, ipv6, or mpls command takes effect for
both link aggregation and ECMP. The load balancing modes configured using the eth-
trunk (load-balance-profile view) and ecmp (load-balance-profile view)
commands take effect only for link aggregation and ECMP respectively.
When load balancing using both Eth-Trunk and ECMP is uneven, change the value of
universal-id or the hash mode.
● Run mode symmetry
A method is configured for an Eth-Trunk to hash a pair of flows to the same
interface.
By default, no method is configured for an Eth-Trunk to hash a pair of flows
to the same interface.

Step 4 Run commit

The configuration is committed.

----End

Follow-up Procedure
● Configure simulated calculation of an Eth-Trunk outbound interface.
Run the display load-balance forwarding-path unicast interface eth-trunk
trunk-id src-interface interface-type interface-number { ethtype ethtype-
number | vlan vlan-id | [ [ src-ip src-ip-data | dst-ip dst-ip-data ] * | [ src-ipv6
src-ipv6-data | dst-ipv6 dst-ipv6-data ] * ] | src-mac src-mac-data | dst-mac
dst-mac-data | protocol { protocol-number | icmp | igmp | ip | ospf | tcp [ l4-
src-port src-port-data | l4-dst-port dst-port-data ] * | udp [ l4-src-port src-
port-data | l4-dst-port dst-port-data ] * } } * slot slot-id command to
configure simulated calculation of an Eth-Trunk outbound interface after the
5-tuple information, source MAC address, and destination address are
specified.
● Verify the configuration.
Run the display port forwarding-path { src-ip src-ip-data | dst-ip dst-ip-data
| src-mac src-mac-data | dst-mac dst-mac-data | protocol { protocol-number |
gre | icmp | igmp | ip | ipinip | ospf | tcp [ l4-src-port src-port-data | l4-dst-
port dst-port-data ] * | udp [ l4-src-port src-port-data | l4-dst-port dst-port-
data ] * } } * [ enhanced ] command to check the outbound interface of
packets that contain specified 5-tuple information, source MAC address, and
destination MAC address.
Run the display port forwarding-path mpls { { src-ip src-ip-data [ ip-mask-
len | source-ip-mask ] | dst-ip dst-ip-data [ ip-mask-len | dst-ip-mask ] } * |
{ src-ipv6 src-ipv6-data [ ipv6-mask-len ] | dst-ipv6 dst-ipv6-data [ ipv6-
mask-len ] } * }{ transit label-number labelnum | ingress | egress label-
number labelnum } command to check the outbound interface of MPLS
packets that contain information such as the inner source IP address,
destination IP address, role, and number of labels.

3.8.9 (Optional) Configuring an Eth-Trunk Load Balancing Mode for PPPoE Packets

Context
By default, a CE switch processes received PPPoE packets as common Ethernet
packets. Figure 3-16 shows the format of PPPoE packets. The switch cannot
identify the 5-tuple information in PPPoE packets and performs the hash
algorithm based on the outer Ethernet frame of common Layer 2 packets by
default. Fields in the Layer 2 frames of PPPoE packets are fixed except the source
MAC address, so packets are often unevenly load balanced on an Eth-Trunk. To
improve the load balancing effect, use inner information of PPPoE packets for load
balancing.

Figure 3-16 Format of PPPoE packets
Ethernet frame: Destination address | Source address | Ether_Type | PPPoE Packets | Checksum
PPPoE packet: Version | Type | Code | Session_ID | Length | PPP Packet
PPP packet: PPP | IP Packet | Padding

NOTE

The CE5880EI and CE6880EI can identify PPPoE packets and load balance the PPPoE
packets without configuring Eth-Trunk load balancing.

Procedure
● Configure a load balancing mode for PPPoE packets on the CE6870EI and
CE6875EI.
a. Run system-view

The system view is displayed.


b. Run load-balance eth-trunk pppoe { session-id | l4-src-port { ppp-
address-compression | ppp-protocol-compression | both | none } }

A load balancing mode is configured for PPPoE packets.

By default, the switch load balances PPPoE packets based on the source
MAC address (smac), destination MAC address (dmac), and VLAN ID
(vlan).

You can specify session-id and l4-src-port so that the switch load
balances PPPoE packets based on the session ID and transport-layer
source port of PPPoE packets.
c. Run commit

The configuration is committed.


● Configure a load balancing mode for PPPoE packets on other models
excluding the CE6870EI and CE6875EI.
a. Run system-view

The system view is displayed.


b. Run load-balance profile profile-name

The global load balancing profile view is displayed.

By default, the load balancing profile name is default.


c. Run eth-trunk hash-mode 8

The Eth-Trunk load balancing hash algorithm is set to 8.


d. Run quit

The system view is displayed.


e. Run load-balance ecmp

The ECMP view is displayed.


f. Run hashmode 7

The ECMP load balancing hash algorithm is set to 7.


g. Run quit

The system view is displayed.


h. Run load-balance pppoe { session-id | l4-src-port { ppp-address-
compression | ppp-protocol-compression | both | none } }

A load balancing mode is configured for PPPoE packets.

By default, the switch load balances PPPoE packets based on the source
MAC address (smac) and destination MAC address (dmac).

You can specify session-id and l4-src-port so that the switch load
balances PPPoE packets based on the session ID and transport-layer
source port of PPPoE packets.

NOTE

This command is supported only by the following models: CE6850HI, CE6850U-HI,
CE6851HI, CE6855HI, CE6856HI, CE6857EI, CE6860EI, CE6865EI, CE7800
series, and CE8800 series switches.
i. Run commit

The configuration is committed.

----End
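
Why hashing on the outer Ethernet header concentrates PPPoE traffic, and what the session-id and l4-src-port options change, shown as an added example that is not from the Huawei guide: the parser walks the layers in Figure 3-16 and distributes frames over four member links. The XOR-fold hash is a stand-in because the switch's hash algorithm is not given on this page; the MAC addresses, VLAN 100, session IDs and ports are constructed sample values.

```python
import struct
from collections import Counter, namedtuple

ETH_P_8021Q = 0x8100          # 802.1Q VLAN tag
ETH_P_PPPOE_SESSION = 0x8864  # PPPoE session stage (RFC 2516)
PPP_IPV4 = 0x0021             # PPP protocol number for IPv4

PPPoEInfo = namedtuple("PPPoEInfo", "smac dmac vlan session_id l4_src_port")


def build_frame(smac, dmac, vlan, session_id, src_port):
    """Constructed sample: VLAN-tagged PPPoE session frame carrying IPv4/TCP."""
    tcp = struct.pack("!HH", src_port, 443) + bytes(16)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1]))
    ppp = struct.pack("!H", PPP_IPV4) + ip + tcp
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp))
    eth = dmac + smac + struct.pack("!HHH", ETH_P_8021Q, vlan, ETH_P_PPPOE_SESSION)
    return eth + pppoe + ppp


def _l4_src_port(ppp):
    """Return the TCP/UDP source port inside the PPP payload, or None."""
    if ppp[:2] == b"\xff\x03":        # address/control field present (not compressed)
        ppp = ppp[2:]
    if ppp and ppp[0] & 1:            # protocol field compressed to one byte (RFC 1661)
        proto, ip = ppp[0], ppp[1:]
    elif len(ppp) >= 2:
        proto, ip = struct.unpack_from("!H", ppp)[0], ppp[2:]
    else:
        return None
    if proto != PPP_IPV4 or len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ip[9] not in (6, 17) or len(ip) < ihl + 2:
        return None                   # not TCP/UDP, or no room for the port
    return struct.unpack_from("!H", ip, ihl)[0]


def parse_pppoe(frame):
    """Walk Ethernet -> (VLAN) -> PPPoE -> PPP -> IPv4 and return the hash fields."""
    dmac, smac = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset, vlan = 14, 0
    if ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan, offset = tci & 0x0FFF, 18
    if ethertype != ETH_P_PPPOE_SESSION:
        raise ValueError("not a PPPoE session frame")
    ver_type, code, session_id, length = struct.unpack_from("!BBHH", frame, offset)
    if ver_type != 0x11 or code != 0x00:
        raise ValueError("unexpected PPPoE version/type or code")
    ppp = frame[offset + 6: offset + 6 + length]
    if len(ppp) != length:
        raise ValueError("truncated PPPoE payload")
    return PPPoEInfo(smac, dmac, vlan, session_id, _l4_src_port(ppp))


def xor_fold(key):
    """Stand-in hash (assumption): XOR of all key bytes."""
    h = 0
    for b in key:
        h ^= b
    return h


def distribution(frames, mode, n_links=4):
    """Count frames per member link for a given choice of hash fields."""
    counts = Counter()
    for frame in frames:
        p = parse_pppoe(frame)
        if mode == "outer":           # smac, dmac, vlan: the CE6870EI/CE6875EI default
            key = p.smac + p.dmac + struct.pack("!H", p.vlan)
        elif mode == "session-id":
            key = struct.pack("!H", p.session_id)
        elif mode == "l4-src-port":
            key = struct.pack("!H", p.l4_src_port or 0)
        else:
            raise ValueError(f"unknown mode: {mode}")
        counts[xor_fold(key) % n_links] += 1
    return [counts[i] for i in range(n_links)]


# Constructed sample: 64 sessions arriving from two source MACs toward one destination MAC.
DMAC = bytes.fromhex("0200000000fe")
SMACS = [bytes.fromhex("020000000001"), bytes.fromhex("020000000002")]
SAMPLE_FRAMES = [build_frame(SMACS[i % 2], DMAC, 100, i, 49152 + i)
                 for i in range(1, 65)]

if __name__ == "__main__":
    for mode in ("outer", "session-id", "l4-src-port"):
        print(f"{mode:12} {distribution(SAMPLE_FRAMES, mode)}")
```

With this sample, the outer-header key reaches only two of the four member links, while either inner field spreads the 64 sessions evenly.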

3.8.10 (Optional) Setting the LACP System Priority

Context
LACP system priorities determine the sequence in which devices at two ends of an
Eth-Trunk select active interfaces to join a LAG. In order for a LAG to be
established, both devices must select the same interfaces as active interfaces. To
achieve this, one device (with a higher priority) is responsible for selecting the
active interfaces. The other device (with a lower priority) then selects the same
interfaces as active interfaces.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run lacp priority priority

The LACP system priority is set.

In priority comparisons, numerically lower values have higher priority. By default,
the LACP system priority is 32768.

The end with a smaller priority value functions as the Actor. If the two ends have
the same priority, the end with a smaller MAC address functions as the Actor.

Step 3 Run commit

The configuration is committed.

----End

3.8.11 (Optional) Setting the LACP Interface Priority

Context
In LACP mode, LACP interface priorities are set to prioritize interfaces of the same
device. Interfaces with higher priorities are selected as active interfaces.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number

The member interface view is displayed.

Step 3 Run lacp priority priority

The LACP priority of the member interface is configured.

By default, the LACP interface priority is 32768. In priority comparisons,
numerically lower values have higher priority.

By default, the system selects active interfaces based on interface priorities. This
may lead to low-speed member interfaces with high priorities being selected as
active interfaces, providing less bandwidth for services. To select high-speed
member interfaces as active interfaces, run the lacp select { priority | speed }
command to configure the system to select active interfaces based on the
interface rate.

Step 4 Run commit

The configuration is committed.

----End
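
The selection rules in 3.8.10 and 3.8.11, worked through as an added example (not Huawei code): the Actor is elected from the two system priorities and MAC addresses, then its interface priorities or speeds decide the active links that the other end follows. The device names, MAC addresses, the port-number tie-break, the speed-then-priority ordering for lacp select speed, and the max_active limit are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    name: str
    peer: str                 # interface at the other end of this link
    number: int               # tie-breaker between equal ports (assumption)
    priority: int = 32768     # default LACP interface priority
    speed_gbps: int = 10


@dataclass(frozen=True)
class System:
    name: str
    mac: str                  # LACP system ID, the bridge MAC address by default
    priority: int = 32768     # default LACP system priority
    ports: tuple = ()


def mac_value(mac):
    """Turn 'xxxx-xxxx-xxxx' (or colon/dot separated) into an integer."""
    return int(mac.translate(str.maketrans("", "", "-:.")), 16)


def elect_actor(a, b):
    """Smaller priority value wins; on a tie, the smaller MAC address wins."""
    return min(a, b, key=lambda s: (s.priority, mac_value(s.mac)))


def select_active(actor, max_active, select="priority"):
    """Return (actor port, peer port) pairs for the links chosen as active."""
    if select == "priority":      # lacp select priority
        order = lambda p: (p.priority, p.number)
    elif select == "speed":       # lacp select speed (ordering is an assumption)
        order = lambda p: (-p.speed_gbps, p.priority, p.number)
    else:
        raise ValueError(f"unknown selection mode: {select}")
    chosen = sorted(actor.ports, key=order)[:max_active]
    return [(p.name, p.peer) for p in chosen]


def active_bandwidth(actor, max_active, select):
    """Total speed of the links selected as active, in Gbit/s."""
    names = {name for name, _ in select_active(actor, max_active, select)}
    return sum(p.speed_gbps for p in actor.ports if p.name in names)


# Constructed sample: SwitchA has the smaller system priority value, and its
# two 10GE members were given a better (smaller) interface priority than the 40GE ones.
SWITCH_A = System("SwitchA", "00e0-fc00-0002", priority=100, ports=(
    Port("10GE1/0/1", "10GE2/0/1", 1, priority=100, speed_gbps=10),
    Port("10GE1/0/2", "10GE2/0/2", 2, priority=100, speed_gbps=10),
    Port("40GE1/0/1", "40GE2/0/1", 3, speed_gbps=40),
    Port("40GE1/0/2", "40GE2/0/2", 4, speed_gbps=40),
))
SWITCH_B = System("SwitchB", "00e0-fc00-0001")

if __name__ == "__main__":
    actor = elect_actor(SWITCH_A, SWITCH_B)
    for mode in ("priority", "speed"):
        print(actor.name, mode, select_active(actor, 2, mode),
              active_bandwidth(actor, 2, mode), "Gbit/s")
```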

3.8.12 (Optional) Setting the LACP System ID and MAC Address in Layer 3 Mode

Context
When devices are connected through Eth-Trunk interfaces in LACP mode, the
device with a higher LACP system priority functions as the LACP Actor. The other
device then selects active member interfaces based on the interface priorities of
the LACP Actor. If the two connected devices have the same LACP system priority,
the LACP system IDs determine the device priorities. To configure an LACP system
ID, run the lacp system-id command. The device with a higher priority then
becomes the LACP Actor. The other device then selects active member interfaces
based on the interface priorities of the LACP Actor.

In this scenario, two Layer 3 Eth-Trunks of the device use the bridge MAC address
by default. When the MAC address is the same, the Layer 3 protocol cannot work.
To ensure that Layer 3 traffic is forwarded normally, configure the MAC address in
Layer 3 mode for at least one Eth-Trunk so that the two Eth-Trunks use different
MAC addresses.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number


The member interface view is displayed.
Step 3 Run lacp system-id mac-address
The LACP system ID of the member interface is configured.
By default, the LACP system ID of an Eth-Trunk interface is the system bridge MAC
address.
The lacp system-id and lacp m-lag system-id commands are mutually exclusive.
Step 4 (This step is mandatory when Layer 3 traffic needs to be forwarded.) Configure
the MAC Address for an Eth-Trunk in Layer 3 Mode.
1. Run undo portswitch
The Eth-Trunk changes to the Layer 3 mode.
By default, an Eth-Trunk works in Layer 2 mode.
2. Run mac-address mac-address
The MAC address of the Eth-Trunk is configured.
By default, an Eth-Trunk uses the system MAC address.
Step 5 Run commit
The configuration is committed.

----End

3.8.13 (Optional) Configuring LACP Preemption

Context
The LACP preemption function ensures that the interface with the highest LACP
priority will return to functioning as an active interface after recovering from a
fault. If LACP preemption is disabled, the interface cannot become an active
interface after it recovers.
The LACP preemption delay is the period that an inactive interface waits before
changing to the active interface. The LACP preemption delay reduces the chances
of unstable data transmission on an Eth-Trunk due to frequent status changes of
some links.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
Step 3 Run lacp preempt enable
LACP preemption is enabled for the Eth-Trunk.

By default, LACP preemption is disabled. To ensure normal running of an
Eth-Trunk, enable or disable LACP preemption on both ends of the Eth-Trunk.

Step 4 Run lacp preempt delay delay-time

The LACP preemption delay of the Eth-Trunk is set.

By default, the LACP preemption delay is 30 seconds. If both devices of an
Eth-Trunk use different preemption delays, the longer preemption delay becomes
effective.

Step 5 Run commit

The configuration is committed.

----End

3.8.14 (Optional) Setting the Timeout Interval for Receiving LACPDUs

Context
If the Eth-Trunk on the local device cannot detect a self-loop or fault that occurred
on a member interface in the LAG on the remote device, data on the local device
is still load balanced among original active interfaces. As a result, data traffic on
the faulty link is discarded.

After the timeout interval at which LACPDUs are received is set, if a local member
interface does not receive any LACPDUs within the configured timeout interval,
the local member interface becomes Down immediately and no longer forwards
data.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface eth-trunk trunk-id

The Eth-Trunk interface view is displayed.

Step 3 Run lacp timeout { fast [ user-defined user-defined ] | slow }

The timeout interval at which LACPDUs are received is set.

By default, the timeout interval at which an Eth-Trunk receives LACPDUs is 90
seconds.

● After you run the lacp timeout command, the local end notifies the remote
end of the timeout interval by sending LACPDUs. When fast is specified, the
interval for sending LACPDUs is 1 second. When slow is specified, the interval
for sending LACPDUs is 30 seconds.
● When fast is specified, the timeout interval for receiving LACPDUs is 3
seconds. When slow is specified, the timeout interval for receiving LACPDUs is
90 seconds.

● You can use different modes of the timeout interval at the two ends.
However, to facilitate maintenance, you are advised to use the same mode at
both ends.
Step 4 Run commit
The configuration is committed.

----End

3.8.15 (Optional) Binding a VLAN to an Eth-Trunk Member Interface

Context
A server often has two or more NICs. One NIC is used for server management and
service traffic forwarding, and the other NICs are used only for service traffic
forwarding. In Figure 3-17, a switch is connected to a server through an Eth-Trunk
that is added to VLAN 10 and VLAN 20. VLAN 10 and VLAN 20 are used for forwarding
management packets and service packets, respectively. An independent VLAN
needs to be configured on the Eth-Trunk member interface that is connected to the
management NIC of the server; that is, VLAN 10 needs to be bound to the Eth-Trunk
member interface so that the member interface is dedicated to server management.
This prevents management packets from being discarded
when management packets are load balanced on different NICs. In addition,
service traffic of VLAN 20 can still be load balanced on all Eth-Trunk member
interfaces, improving the bandwidth usage.

Figure 3-17 Connecting a switch to a server
[Figure: a switch and a server connected through an Eth-Trunk that carries VLAN 10 and VLAN 20. Labels: interface configured with the independent VLAN; interface of the management NIC; interface of the service NIC. Legend: traffic of management packets; traffic of service packets.]

When the Eth-Trunk member interface configured with the independent VLAN is
in Unselect state during LACP negotiation, it cannot forward packets. In this
situation, you can run the trunk member vlan lacp disable command to
configure a flexibly independent VLAN on an Eth-Trunk member interface. When
the Eth-Trunk member interface is in Unselect state, the flexibly independent
VLAN becomes available. The system automatically disables LACP so that the Eth-
Trunk member interface in Unselect state can still forward packets. When the
flexibly independent VLAN becomes available, the Eth-Trunk member interface can
only forward packets in the local VLAN but cannot process traffic from other
VLANs. When the Eth-Trunk member interface enters the Select state, the
independent VLAN becomes available and the Eth-Trunk member interface can
still process traffic from other VLANs.

NOTE

The CE6870EI and CE6875EI do not support the independent VLAN and flexibly
independent VLAN, and the CE5880EI and CE6880EI do not support the flexibly
independent VLAN.

NOTE

● This function applies to the scenario where a switch connects to a server, and it can only be
configured on the member interface connecting to the server's management NIC.
● In an Eth-Trunk, only one member interface can be bound to a VLAN or VLANs and one
member interface can be bound to a maximum of eight VLANs. Member interfaces of
multiple Eth-Trunks can be bound to the same VLAN.
● The switch supports a maximum of 256 bound VLANs. If N Eth-Trunk member interfaces
are bound to M VLANs, the maximum value of N multiplied by M is 256.
● After this command is configured, packets from the bound VLAN can be only forwarded
through the bound Eth-Trunk member interface. Non-unicast traffic on the Eth-Trunk can
be only forwarded through the bound Eth-Trunk member interface.
● When an Eth-Trunk member interface is bound to a VLAN or VLANs, VLAN mapping, VLAN
stacking, MUX VLAN, or FCoE VLAN cannot be configured.
● When an Eth-Trunk member interface is bound to a VLAN or VLANs, M-LAG cannot be
configured.
● If Layer 2 sub-interfaces are created on an Eth-Trunk and a member interface is bound to
an independent VLAN, the VLAN cannot connect to non-VXLAN tunnels.

Procedure
● Bind an independent VLAN to an Eth-Trunk member interface.
a. Run system-view

The system view is displayed.


b. Run interface interface-type interface-number

The Eth-Trunk member interface view is displayed.


c. Run trunk member binding vlan vlan-id

A VLAN is bound to the Eth-Trunk member interface.

By default, no VLAN is bound to an Eth-Trunk member interface.

When binding a VLAN to an Eth-Trunk member interface, ensure that the
Eth-Trunk interface has been added to the VLAN.
d. Run commit

The configuration is committed.


● Bind a flexibly independent VLAN to an Eth-Trunk member interface.
a. Run system-view

The system view is displayed.


b. Run interface eth-trunk trunk-id

The Eth-Trunk interface view is displayed.


c. Run mode { lacp-static | lacp-dynamic }
The Eth-Trunk is configured to work in LACP mode.
d. Run quit
Exit from the Eth-Trunk interface view.
e. Run interface interface-type interface-number
The Eth-Trunk member interface view is displayed.
f. Run trunk member binding vlan vlan-id
A VLAN is bound to the Eth-Trunk member interface.
By default, no VLAN is bound to an Eth-Trunk member interface.
When binding a VLAN to an Eth-Trunk member interface, ensure that the
Eth-Trunk interface has been added to the VLAN.
g. Run trunk member lacp disable
A flexibly independent VLAN is bound to the Eth-Trunk member interface.
By default, an Eth-Trunk member interface is not configured with a
flexibly independent VLAN.
After this command is configured, all VLANs bound to the Eth-Trunk
member interface become flexibly independent VLANs and the Eth-Trunk
member interface can only forward packets from the flexibly independent
VLANs.
h. Run commit
The configuration is committed.
----End

3.8.16 (Optional) Configuring an Eth-Trunk Member Interface in Force Up State
Context
When a server connects to the switch, to improve the reliability, the switch
interface directly connected to the server is added to the Eth-Trunk in static LACP
mode. When the server restarts or goes online and the timeout interval of the Eth-
Trunk that receives LACPDUs is reached, the Eth-Trunk member interface becomes
Down. You can configure the Eth-Trunk member interface in Force Up state so that
the Eth-Trunk member interface can continue to forward service traffic.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.

Step 3 Run lacp force-up

The interface is configured in Force Up state.

By default, an interface is not in Force Up state.

After the lacp force-up command is run, the force-up state takes effect only
when all the member interfaces of the Eth-Trunk interface in static LACP mode
time out in receipt of LACPDUs.

When all the Eth-Trunk member interfaces' force-up state takes effect, the
minimum number of active member links configured using the least active-
linknumber link-number command still takes effect, but the maximum number of
active member links configured using the max active-linknumber link-number
command stops taking effect.

Step 4 Run commit

The configuration is committed.

----End

3.8.17 (Optional) Enabling State Flapping Suppression on an Eth-Trunk

Context

● If the state of an Eth-Trunk frequently flaps, the LACP protocol status of the
Eth-Trunk also flaps, affecting the Eth-Trunk operations. To resolve this
problem, enable the state flapping suppression function on the Eth-Trunk
working in LACP mode.
● After LACP negotiation succeeds on an Eth-Trunk interface, the interface
saves the source MAC address of the most recently received packet and
checks the source MAC addresses of received packets. If the Eth-Trunk interface
receives a packet whose source MAC address differs from the saved one,
the Eth-Trunk may flap because LACP negotiation is performed again.
To prevent an Eth-Trunk interface from alternating between Up and Down,
enable the invalid-MAC-based flapping suppression function on the Eth-Trunk
interface working in LACP mode. After this function is enabled, if the Eth-Trunk
interface receives a packet whose source MAC address differs from the valid one,
it drops the packet and records the packet information. In this
manner, the Eth-Trunk interface does not alternate between Up and Down
even if packet flapping occurs.

Procedure
● Enable the state flapping suppression function on an Eth-Trunk.
a. Run system-view

The system view is displayed.


b. Run interface eth-trunk trunk-id

The Eth-Trunk interface view is displayed.

c. Run lacp dampening state-flapping


The state flapping suppression function is enabled on the Eth-Trunk.
By default, the state flapping suppression function is disabled on an Eth-
Trunk.
d. Run commit
The configuration is committed.
● Enable the invalid-MAC-based state flapping suppression function on an Eth-
Trunk.
a. Run system-view
The system view is displayed.
b. Run interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
c. Run undo lacp dampening unexpected-mac disable
The invalid-MAC-based state flapping suppression function is enabled on
the Eth-Trunk.
By default, the invalid-MAC-based state flapping suppression function is
enabled on an Eth-Trunk.
d. Run commit
The configuration is committed.
----End

3.8.18 Verifying the Link Aggregation Configuration

Procedure
● Run the display eth-trunk [ trunk-id [ interface interface-type interface-
number | verbose ] | brief ] command to check the Eth-Trunk configuration.
● Run the display eth-trunk membership trunk-id command to check
information about Eth-Trunk member interfaces.
● Run the display load-balance profile [ profile-name ] command to check the
load balancing profile of the Eth-Trunk.
● Run the display forward eth-trunk mode command to check the number of
LAGs supported by the device.
----End

3.9 Configuring Preferential Forwarding of Local Traffic on an Eth-Trunk in a Stack
On a network where interfaces of multiple switches in a stack form an Eth-Trunk,
you can configure the Eth-Trunk to preferentially forward local traffic to increase
bandwidth use efficiency between stack devices and improve traffic forwarding
efficiency.

Context
Determine whether to enable preferential forwarding of local traffic on an
Eth-Trunk based on actual needs:
● If active interfaces in the local Eth-Trunk have sufficient bandwidth to forward
traffic on the local device, enable this function to improve traffic forwarding
efficiency and increase bandwidth use efficiency between stack devices.
● If active interfaces in the local Eth-Trunk do not have sufficient bandwidth to
forward traffic on the local device, disable this function to prevent packet loss.
Some traffic on the local device is forwarded through member interfaces on
another device.
NOTE

For the CE8860EI, when the system resource mode is set to the large ARP mode or the UFT
flexible resource mode of ARP entries, preferential forwarding of local traffic does not apply to
Layer 3 traffic whose outbound interface in the ARP entry is an Eth-Trunk member interface.

Pre-configuration Tasks
Before enabling local preferential forwarding on an Eth-Trunk, complete the
following tasks:
● Create an Eth-Trunk and add physical interfaces to the Eth-Trunk.
● Establish a stack.
● Ensure that member interfaces of the local Eth-Trunk have sufficient
bandwidth to forward local traffic.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface eth-trunk trunk-id
The view of an Eth-Trunk is displayed.
Step 3 Run undo local-preference disable
The Eth-Trunk is configured to preferentially forward local traffic.
By default, an Eth-Trunk forwards traffic preferentially through local member
interfaces.

NOTE

This function is valid only for known unicast packets, and does not work with unknown
unicast packets, broadcast packets, and multicast packets.

Step 4 (Optional) Run local-preference least active-linknumber linknumber


The minimum number of active links for enabling preferential forwarding of local
traffic is configured for the Eth-Trunk.
By default, the minimum number of active links for enabling preferential
forwarding of local traffic is not configured for an Eth-Trunk.

If the number of active links on an Eth-Trunk is smaller than the value of
linknumber, the system automatically disables preferential forwarding of local
traffic on the Eth-Trunk.

Step 5 Run commit

The configuration is committed.

----End

3.10 Creating an Eth-Trunk Layer 3 Sub-interface


Context
Layer 3 sub-interfaces can be configured on a Layer 3 Eth-Trunk. When Layer 3
devices connect to Layer 2 devices in different VLANs through the Layer 3 Eth-
Trunk, Layer 3 sub-interfaces must be configured on the Eth-Trunk to identify
packets from different VLANs and to enable users in these VLANs to communicate
with each other.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface eth-trunk trunk-id

An Eth-Trunk is created and the Eth-Trunk interface view is displayed.

Step 3 Run undo portswitch

A Layer 3 Eth-Trunk is configured.

Step 4 Run quit

Exit the Eth-Trunk interface view.

Step 5 Run interface eth-trunk trunk-id.subnumber

An Eth-Trunk Layer 3 sub-interface is created, and the Layer 3 sub-interface view
is displayed.

subnumber specifies the number of the Layer 3 sub-interface. The value is in the
range 1 to 99999999.

NOTE

By default, the LinkDown alarm (Trap OID: 1.3.6.1.6.1.1.5.3) is generated when the status of a
Layer 2 or Layer 3 sub-interface changes. If a large number of Layer 2 or Layer 3 sub-interfaces
exist on a device, the LinkDown alarm is reported on the sub-interfaces at the interval of several
minutes. In this case, an NMS has to process a large number of interface status change alarms,
which overloads the NMS. To resolve this problem, run the subinterface trap updown disable
command in the system view to disable LinkDown alarm generation on the Layer 2 or Layer 3
sub-interfaces as needed. After this command is run, the LinkDown alarm is no longer
generated on any of the device's Layer 2 or Layer 3 sub-interfaces in case of a status change.
Therefore, exercise caution when running this command.

Step 6 Run ip address ip-address { mask | mask-length } [ sub ]


An IP address is configured for the Layer 3 sub-interface.
When configuring multiple IP addresses for an Eth-Trunk Layer 3 sub-interface, use
the sub keyword to indicate the second and subsequent IP addresses.
Step 7 Run dot1q termination vid vid
The Eth-Trunk Layer 3 sub-interface is configured to terminate single-tagged
packets.
Step 8 Run commit
The configuration is committed.

----End

3.11 Maintaining Link Aggregation

3.11.1 Enabling LACP Alarm Control


To prevent a device from frequently reporting LACP alarms, LACP alarm control
can be enabled. After this function is enabled, the device reports alarms only when
LACP negotiation fails due to specific reasons.

Prerequisites
Eth-Trunk interfaces have been configured to work in LACP mode.

Context
A device reports an LACP alarm if its Eth-Trunk service in LACP mode fails. To
prevent the device from frequently reporting such alarms, LACP alarm control can
be enabled. After this function is enabled, the device reports
hwLacpNegotiateFailed, hwLacpPartialLinkLoss, hwLacpTotalLinkLoss, or Eth-Trunk
linkdown alarms only when LACP negotiation fails due to the following reasons:
● The device's physical link goes Down.
● LACP negotiation times out.
● LACP determines that packets are looped back.
● LACP determines that the system ID and port key in the LACPDU from the
peer end on the local port are inconsistent with those from the peer end on
the reference port.

NOTE

The CE6850EI, CE6810EI, and CE5800 series switches do not support this function.

Procedure
Step 1 Run system-view
The system view is displayed.


Step 2 Run lacp alarm-control link-failure

LACP alarm control is enabled.

A device that has reported an hwLacpNegotiateFailed, hwLacpPartialLinkLoss,
hwLacpTotalLinkLoss, or Eth-Trunk linkdown alarm will report a clear alarm if the
following conditions are met:

1. The lacp alarm-control link-failure command is run.
2. The trigger condition for the reported alarm is not one of the preceding four
reasons for LACP negotiation failure.

Although a clear alarm is reported, the problem triggering the alarm persists.

After the lacp alarm-control link-failure command is run, the
hwLacpNegotiateFailed, hwLacpPartialLinkLoss, hwLacpTotalLinkLoss, and
Eth-Trunk linkdown alarms are reported only for the preceding four reasons.
Therefore, exercise caution when running this command.

Step 3 Run commit

The configuration is committed.

----End

3.11.2 Configuring a Rule for Collecting Statistics on Packets Containing Specified 5-tuple Information

Context
The 5-tuple information includes the source and destination IP addresses, source
and destination port numbers, and protocol type. Traffic transmitted on each
device interface contains different 5-tuple information. If the outbound interface is
an Eth-Trunk or packets have multiple ECMP next hops, you can configure rules
for collecting statistics on packets that contain specified 5-tuple information to
facilitate fault locating and traffic forwarding path identification.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run port forwarding-path path-id pathnum { src-ip src-ip-data [ srcip-mask-len ]
| dst-ip dst-ip-data [ dstip-mask-len ] | protocol { protocolnum | tcp [ l4-src-port
src-port-data | l4-dst-port dst-port-data ] * | udp [ l4-src-port src-port-data |
l4-dst-port dst-port-data ] * } } * statistics precedence precedencenum

A rule for collecting statistics on packets with specified 5-tuple information is
configured.

Step 3 Run commit

The configuration is committed.

----End


Follow-up Procedure
If traffic flows through the interface, you can use the
display port forwarding-path path-id pathnum statistics command to check
statistics on the packets that contain specified 5-tuple information.

3.11.3 Clearing Statistics

Context

NOTICE

Statistics cannot be restored after they are cleared.

Procedure
● Run the reset lacp statistics eth-trunk [ trunk-id [ interface interface-type
interface-number ] ] command to clear statistics on transmitted and received
LACP packets.
● Run the reset port forwarding-path path-id pathnum statistics command
to clear statistics on the packets that contain the specified 5-tuple
information.

----End

3.11.4 Monitoring the LAG Operating

Context
During routine maintenance, run the following commands in any view to check
the LAG operating status.

Procedure
● Run the display eth-trunk [ trunk-id [ interface interface-type
interface-number | verbose ] | brief ] command to check the Eth-Trunk configuration.
● Run the display lacp statistics eth-trunk [ trunk-id [ interface interface-type
interface-number ] ] command to check the statistics about LACPDUs sent
and received in LACP mode.
● Run the display interface eth-trunk [ trunk-id ] command to check the
Eth-Trunk status.
● Run the display eth-trunk membership trunk-id command to check
information about member interfaces of an Eth-Trunk.

----End


3.11.5 Using Ping to Monitor the Reachability of Layer 3 Eth-Trunk Member Interfaces

Context
Multiple physical interfaces can be bundled into an Eth-Trunk, and these physical
interfaces are Eth-Trunk member interfaces. Each member interface uses a
specified transmission path, so the path-specific service parameters, such as delay,
jitter, and packet loss ratio, also differ between member interfaces. As a result,
you cannot determine which member interface is faulty when the quality of
services on an Eth-Trunk deteriorates. To resolve this problem, perform a ping
test on each physical link to locate the faulty link.

NOTE

The ping test applies to scenarios where two devices are directly connected through an
Eth-Trunk.

Pre-configuration Tasks
Before using ping to monitor the reachability of Layer 3 Eth-Trunk member
interfaces, complete the following task:
● Run the undo portswitch command to configure the Eth-Trunk to work in
Layer 3 mode and configure an IP address for the Layer 3 Eth-Trunk.
NOTE

An Eth-Trunk works in Layer 2 mode by default.

Procedure
Step 1 Enable the receive end to monitor Layer 3 Eth-Trunk member interfaces.
1. Run the system-view command to enter the system view.
2. Run the trunk member-port-inspect command to enable the receive end to
monitor Layer 3 Eth-Trunk member interfaces.
By default, the receive end is disabled from monitoring Layer 3 Eth-Trunk
member interfaces.

NOTE

The trunk member-port-inspect command takes effect for all Layer 3 Eth-Trunks on
a device. To test the connectivity of Eth-Trunks, disable this function after detection of
Eth-Trunk member interfaces is completed. If this function is not disabled, the device
keeps monitoring Eth-Trunk member interfaces, which consumes a lot of system
resources.

Step 2 Enable the transmit end to monitor Layer 3 Eth-Trunk member interfaces.
1. Run the ping [ ip ] [ -8021p 8021p-value | -a source-ip-address | -c count | -d
| { -f | ignore-mtu } | -h ttl-value | -i interface-type interface-number | -m
time | -p pattern | -q | -r | -ri | -s packetsize | -system-time | -t timeout |
{ -tos tos-value | -dscp dscp-value } | -v | -vpn-instance vpn-instance-name ] *
host [ ip-forwarding ] command to enable the transmit end to monitor the
reachability of Layer 3 Eth-Trunk member interfaces.


NOTE

When testing the reachability of Layer 3 Eth-Trunk member interfaces, you must specify
the -a and -i parameters in the ping command. -a and -i indicate the source IP address
and source interface of ICMP Echo Request packets respectively.

The ping command output contains the following information:

– Response to each ping message: If an Echo Response packet is not
received by the transmit end after the timer expires, the "Request time
out" message is displayed, indicating that an Eth-Trunk member interface
fails. If an Echo Response packet is received, the data bytes, message
sequence number, and response time are displayed, indicating that no
Eth-Trunk member interface fails.
– Final statistics: The statistics include the number of sent and received
packets, percentage of failure response packets, and minimum,
maximum, and average response time.
<HUAWEI> ping -a 192.168.1.1 -i 10ge 1/0/1 10.1.1.2
PING 10.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=254 time=2 ms
Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=254 time=1 ms
Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=254 time=2 ms
Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=254 time=1 ms
Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=254 time=2 ms

--- 10.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/2 ms

----End
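Because the ping test is repeated once per member interface, the results are easier to compare when they are parsed rather than read by eye. The following Python script is an added example, not part of the Huawei guide: it parses ping transcripts in the format shown above, one per member interface, and returns the member interfaces whose loss exceeds a threshold. The captures, the interface-to-capture mapping and the function names are constructed for illustration.

```python
import re

# Constructed captures: one VRP ping transcript per Eth-Trunk member interface,
# each taken with "ping -a <source-ip> -i <member-interface> <peer-ip>".
CAPTURES = {
    "10GE1/0/1": """\
PING 10.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=254 time=2 ms
Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=254 time=1 ms
Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=254 time=2 ms

--- 10.1.1.2 ping statistics ---
3 packet(s) transmitted
3 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/2 ms
""",
    # Two timeouts, and one reply whose "ms" was wrapped onto the next line.
    "10GE1/0/2": """\
PING 10.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=254 time=2 ms
Request time out
Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=254 time=9
ms
Request time out

--- 10.1.1.2 ping statistics ---
4 packet(s) transmitted
2 packet(s) received
50.00% packet loss
round-trip min/avg/max = 2/5/9 ms
""",
    # Truncated capture: the session ended before the statistics block.
    "10GE1/0/3": """\
PING 10.1.1.2: 56 data bytes, press CTRL_C to break
Request time out
Request time out
""",
}

REPLY_RE = re.compile(r"Reply from \S+: bytes=\d+ Sequence=(\d+) ttl=\d+ time=(\d+) ms")
TIMEOUT_RE = re.compile(r"^Request time out", re.MULTILINE)
SENT_RE = re.compile(r"(\d+) packet\(s\) transmitted")
RECV_RE = re.compile(r"(\d+) packet\(s\) received")


def parse_ping(text):
    """Return counters, loss percentage and worst RTT for one transcript."""
    # Terminal or PDF wrapping can push the trailing "ms" onto its own line.
    text = re.sub(r"[ \t]*\n[ \t]*ms\b", " ms", text)
    rtts = [int(m.group(2)) for m in REPLY_RE.finditer(text)]
    timeouts = len(TIMEOUT_RE.findall(text))
    sent_m, recv_m = SENT_RE.search(text), RECV_RE.search(text)
    # Prefer the device's own counters; count lines if the summary is missing.
    sent = int(sent_m.group(1)) if sent_m else len(rtts) + timeouts
    received = int(recv_m.group(1)) if recv_m else len(rtts)
    # No packets at all is treated as a failed test, not as a healthy link.
    loss_pct = 100.0 if sent == 0 else round(100.0 * (sent - received) / sent, 2)
    return {
        "sent": sent,
        "received": received,
        "timeouts": timeouts,
        "loss_pct": loss_pct,
        "max_rtt_ms": max(rtts) if rtts else None,
        # False when the summary and the per-packet lines disagree.
        "consistent": received == len(rtts),
    }


def faulty_members(captures, max_loss_pct=0.0):
    """Names of member interfaces whose packet loss exceeds max_loss_pct."""
    results = {name: parse_ping(text) for name, text in captures.items()}
    return sorted(n for n, r in results.items() if r["loss_pct"] > max_loss_pct)


if __name__ == "__main__":
    for member in faulty_members(CAPTURES):
        print(member, parse_ping(CAPTURES[member]))
```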

3.12 Configuration Examples for Link Aggregation


This section only provides configuration examples for individual features. For
details about multi-feature configuration examples, feature-specific configuration
examples, interoperation examples, protocol or hardware replacement examples,
and industry application examples, see the Typical Configuration Examples.

3.12.1 Example for Configuring Link Aggregation in Manual Load Balancing Mode (CE Switches Excluding CE6870EI and CE6875EI)

Networking Requirements
In Figure 3-18, SwitchA and SwitchB connect to devices in VLAN 10 and VLAN 20
through Ethernet links, and heavy traffic is transmitted between SwitchA and
SwitchB.


SwitchA and SwitchB can provide higher link bandwidth to implement inter-VLAN
communication. Data transmission and link reliability need to be ensured.

Figure 3-18 Link aggregation in manual load balancing mode

[Figure: SwitchA and SwitchB are connected through 10GE1/0/1, 10GE1/0/2, and
10GE1/0/3 on each switch, bundled as Eth-Trunk 1. On each switch, 10GE1/0/4
connects to VLAN 10 and 10GE1/0/5 connects to VLAN 20.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk and add member interfaces to the Eth-Trunk to increase
link bandwidth.
2. Create VLANs and add interfaces to the VLANs.
3. Configure a load balancing mode to ensure that traffic is load balanced
among Eth-Trunk member interfaces.

Procedure
Step 1 Create an Eth-Trunk on SwitchA and SwitchB, and add member interfaces to the
Eth-Trunk.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[*HUAWEI] commit
[~SwitchA] interface eth-trunk 1
[*SwitchA-Eth-Trunk1] mode manual load-balance
[*SwitchA-Eth-Trunk1] trunkport 10ge 1/0/1 to 1/0/3
[*SwitchA-Eth-Trunk1] commit
[~SwitchA-Eth-Trunk1] quit
<HUAWEI> system-view
[~HUAWEI] sysname SwitchB
[*HUAWEI] commit
[~SwitchB] interface eth-trunk 1
[*SwitchB-Eth-Trunk1] mode manual load-balance
[*SwitchB-Eth-Trunk1] trunkport 10ge 1/0/1 to 1/0/3
[*SwitchB-Eth-Trunk1] commit
[~SwitchB-Eth-Trunk1] quit

Step 2 Create VLANs and add interfaces to the VLANs.


# Create VLAN 10 and VLAN 20, and add interfaces to them. The configuration of
SwitchB is similar to the configuration of SwitchA, and is not mentioned here.
[~SwitchA] vlan batch 10 20
[*SwitchA] interface 10ge 1/0/4
[*SwitchA-10GE1/0/4] port link-type trunk
[*SwitchA-10GE1/0/4] port trunk allow-pass vlan 10
[*SwitchA-10GE1/0/4] quit
[*SwitchA] interface 10ge 1/0/5
[*SwitchA-10GE1/0/5] port link-type trunk
[*SwitchA-10GE1/0/5] port trunk allow-pass vlan 20
[*SwitchA-10GE1/0/5] quit
[*SwitchA] commit

# Configure Eth-Trunk 1 to allow packets from VLAN 10 and VLAN 20 to pass
through. The configuration of SwitchB is similar to the configuration of SwitchA,
and is not mentioned here.
[~SwitchA] interface eth-trunk 1
[~SwitchA-Eth-Trunk1] port link-type trunk
[*SwitchA-Eth-Trunk1] port trunk allow-pass vlan 10 20
[*SwitchA-Eth-Trunk1] commit
[~SwitchA-Eth-Trunk1] quit

Step 3 Configure a load balancing mode for Eth-Trunk 1. The configuration of SwitchB is
similar to the configuration of SwitchA, and is not mentioned here.
[~SwitchA] interface eth-trunk 1
[~SwitchA-Eth-Trunk1] load-balance src-dst-mac
[*SwitchA-Eth-Trunk1] commit
[~SwitchA-Eth-Trunk1] quit

NOTE

If the device is CE6870EI or CE6875EI, see 3.7.8 (Optional) Configuring a Load Balancing
Mode (CE6870EI and CE6875EI).

Step 4 Verify the configuration.


Run the display eth-trunk 1 command in any view to check whether the
Eth-Trunk is created and whether member interfaces are added.
[~SwitchA] display eth-trunk 1
Eth-Trunk1's state information is:
Working Mode: Normal Hash Arithmetic: src-dst-mac
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 16
Operating Status: up Number of Up Ports in Trunk: 3
--------------------------------------------------------------------------------
PortName Status Weight
10GE1/0/1 Up 1
10GE1/0/2 Up 1
10GE1/0/3 Up 1

The preceding command output shows that Eth-Trunk 1 has three member
interfaces: 10GE1/0/1, 10GE1/0/2, and 10GE1/0/3. The member interfaces are all
in Up state. The Operating Status of Eth-Trunk 1 is up.

----End

Configuration Files
● Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10 20
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 20
load-balance src-dst-mac
#
interface 10GE1/0/1
eth-trunk 1
#
interface 10GE1/0/2
eth-trunk 1
#
interface 10GE1/0/3
eth-trunk 1
#
interface 10GE1/0/4
port link-type trunk
port trunk allow-pass vlan 10
#
interface 10GE1/0/5
port link-type trunk
port trunk allow-pass vlan 20
#
return

● Configuration file of SwitchB


#
sysname SwitchB
#
vlan batch 10 20
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 20
load-balance src-dst-mac
#
interface 10GE1/0/1
eth-trunk 1
#
interface 10GE1/0/2
eth-trunk 1
#
interface 10GE1/0/3
eth-trunk 1
#
interface 10GE1/0/4
port link-type trunk
port trunk allow-pass vlan 10
#
interface 10GE1/0/5
port link-type trunk
port trunk allow-pass vlan 20
#
return

3.12.2 Example for Configuring Link Aggregation in LACP Mode

Networking Requirements
To improve bandwidth and connection reliability, configure a link aggregation
group (LAG) on two directly connected Switches, as shown in Figure 3-19. The
requirements are as follows:

● Two active links implement load balancing.


● One link functions as the backup link. When a fault occurs on an active link,
the backup link replaces the faulty link to maintain reliable data transmission.


Figure 3-19 Link aggregation in LACP mode


[Figure: SwitchA and SwitchB are connected through 10GE1/0/1, 10GE1/0/2, and
10GE1/0/3 on each switch, bundled as Eth-Trunk 1. Legend: active link, backup link.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk and configure the Eth-Trunk to work in LACP mode to
implement link aggregation.
2. Add member interfaces to the Eth-Trunk.
3. Set the LACP system priority and determine the Actor so that the Partner
selects active interfaces based on the Actor interface priority.
4. Set the upper threshold for the number of active interfaces to improve
reliability.
5. Set LACP interface priorities and determine active interfaces so that interfaces
with higher priorities are selected as active interfaces.

Procedure
Step 1 Create Eth-Trunk 1 on SwitchA and configure Eth-Trunk 1 to work in LACP mode.
The configuration of SwitchB is similar to the configuration of SwitchA, and is not
mentioned here.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[*HUAWEI] commit
[~SwitchA] interface eth-trunk 1
[*SwitchA-Eth-Trunk1] mode lacp-static
[*SwitchA-Eth-Trunk1] commit
[~SwitchA-Eth-Trunk1] quit

Step 2 Add member interfaces to Eth-Trunk 1 on SwitchA. The configuration of SwitchB is
similar to the configuration of SwitchA, and is not mentioned here.
[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] eth-trunk 1
[*SwitchA-10GE1/0/1] quit
[*SwitchA] interface 10ge 1/0/2
[*SwitchA-10GE1/0/2] eth-trunk 1
[*SwitchA-10GE1/0/2] quit
[*SwitchA] interface 10ge 1/0/3
[*SwitchA-10GE1/0/3] eth-trunk 1
[*SwitchA-10GE1/0/3] quit
[*SwitchA] commit

Step 3 Set the system priority on SwitchA to 100 so that SwitchA becomes the Actor.
[~SwitchA] lacp priority 100
[*SwitchA] commit

Step 4 On SwitchA, set the upper threshold for the number of active interfaces to 2.
[~SwitchA] interface eth-trunk 1
[~SwitchA-Eth-Trunk1] lacp max active-linknumber 2
[*SwitchA-Eth-Trunk1] commit
[~SwitchA-Eth-Trunk1] quit

Step 5 Set the LACP interface priority and determine active links on SwitchA.
[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] lacp priority 100
[*SwitchA-10GE1/0/1] quit
[*SwitchA] interface 10ge 1/0/2
[*SwitchA-10GE1/0/2] lacp priority 100
[*SwitchA-10GE1/0/2] quit
[*SwitchA] commit

Step 6 Verify the configuration.

# Check information about the Eth-Trunk of the Switches and check whether
negotiation is successful on the link.
[~SwitchA] display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1 Working Mode: Static
Preempt Delay: Disabled Hash Arithmetic: profile default
System Priority: 100 System ID: 0025-9e95-7c31
Least Active-linknumber: 1 Max Active-linknumber: 2
Operating Status: up Number Of Up Ports In Trunk: 2
Timeout Period: Slow
--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
10GE1/0/1 Selected 10GE 100 1 20289 10111100 1
10GE1/0/2 Selected 10GE 100 2 20289 10111100 1
10GE1/0/3 Unselect 10GE 32768 3 20289 10100000 1

Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
10GE1/0/1 32768 0025-9e95-7c11 32768 4 20289 10111100
10GE1/0/2 32768 0025-9e95-7c11 32768 5 20289 10111100
10GE1/0/3 32768 0025-9e95-7c11 32768 6 20289 10100000
[~SwitchB] display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1 Working Mode: Static
Preempt Delay: Disabled Hash Arithmetic: profile default
System Priority: 32768 System ID: 0025-9e95-7c11
Least Active-linknumber: 1 Max Active-linknumber: 16
Operating Status: up Number Of Up Ports In Trunk: 2
Timeout Period: Slow
--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
10GE1/0/1 Selected 10GE 32768 4 20289 10111100 1
10GE1/0/2 Selected 10GE 32768 5 20289 10111100 1
10GE1/0/3 Unselect 10GE 32768 6 20289 10100000 1

Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
10GE1/0/1 100 0025-9e95-7c31 100 1 20289 10111100
10GE1/0/2 100 0025-9e95-7c31 100 2 20289 10111100
10GE1/0/3 100 0025-9e95-7c31 32768 3 20289 10100000

The preceding information shows that the LACP system priority of SwitchA is 100,
which is higher than the LACP system priority of SwitchB. Member interfaces
10GE1/0/1 and 10GE1/0/2 become the active interfaces and are in Selected state.
Interface 10GE1/0/3 is in Unselect state. Two links are active and work in load
balancing mode, and one link is the backup link.

----End


Configuration Files
● Configuration file of SwitchA
#
sysname SwitchA
#
lacp priority 100
#
interface Eth-Trunk1
mode lacp-static
lacp max active-linknumber 2
#
interface 10GE1/0/1
eth-trunk 1
lacp priority 100
#
interface 10GE1/0/2
eth-trunk 1
lacp priority 100
#
interface 10GE1/0/3
eth-trunk 1
#
return
● Configuration file of SwitchB
#
sysname SwitchB
#
interface Eth-Trunk1
mode lacp-static
#
interface 10GE1/0/1
eth-trunk 1
#
interface 10GE1/0/2
eth-trunk 1
#
interface 10GE1/0/3
eth-trunk 1
#
return
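The selection outcome of this example can be checked offline before a change is committed. The following Python model is an added illustration, not Huawei code: it takes the system priorities, system IDs, interface priorities and port numbers from the display eth-trunk 1 output above and reproduces the Selected/Unselect result. It assumes that equal system priorities are broken by the lower system ID, that equal interface priorities are broken by the lower port number, and that the smaller of the two max active-linknumber values applies; the class and function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    name: str
    priority: int  # LACP interface priority; a lower value is a higher priority
    number: int    # PortNo column of display eth-trunk


@dataclass(frozen=True)
class Switch:
    name: str
    sys_priority: int  # LACP system priority; a lower value is a higher priority
    system_id: str     # System ID column, for example "0025-9e95-7c31"
    max_active: int    # Max Active-linknumber
    ports: tuple       # ports[i] is cabled to the peer's ports[i]


# Values taken from the display eth-trunk 1 output of this example.
SWITCH_A = Switch("SwitchA", 100, "0025-9e95-7c31", 2, (
    Port("10GE1/0/1", 100, 1),
    Port("10GE1/0/2", 100, 2),
    Port("10GE1/0/3", 32768, 3),
))
SWITCH_B = Switch("SwitchB", 32768, "0025-9e95-7c11", 16, (
    Port("10GE1/0/1", 32768, 4),
    Port("10GE1/0/2", 32768, 5),
    Port("10GE1/0/3", 32768, 6),
))


def actor_key(sw):
    # Assumption: ties on system priority go to the numerically lower system ID.
    return (sw.sys_priority, int(sw.system_id.replace("-", ""), 16))


def negotiate(a, b, down_links=()):
    """Return (actor_name, {switch_name: {port_name: status}}).

    down_links holds indexes of links that are physically down; they cannot
    be selected, so a backup link takes their place.
    """
    actor, partner = sorted((a, b), key=actor_key)
    # Assumption: with different limits on the two ends, the smaller one applies.
    limit = min(a.max_active, b.max_active)
    candidates = [i for i in range(len(actor.ports)) if i not in down_links]
    # The Actor's interface priority decides; ties go to the lower port number.
    ranked = sorted(candidates,
                    key=lambda i: (actor.ports[i].priority, actor.ports[i].number))
    active = set(ranked[:limit])
    status = {
        sw.name: {p.name: ("Selected" if i in active else "Unselect")
                  for i, p in enumerate(sw.ports)}
        for sw in (actor, partner)
    }
    return actor.name, status


if __name__ == "__main__":
    print(negotiate(SWITCH_A, SWITCH_B))
    print(negotiate(SWITCH_A, SWITCH_B, down_links={0}))
```

If the system priority of SwitchA is left at 32768, the model elects SwitchB as the Actor, and the interface priorities configured on SwitchA no longer influence which links become active.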

3.12.3 Example for Configuring an Eth-Trunk to Work in Dynamic LACP Mode

Networking Requirements
In Figure 3-20, ServerA is directly connected to SwitchA through an Eth-Trunk in
static LACP mode. ServerB (file server) connected to SwitchA stores ServerA's
network adapter configuration. After ServerA restarts, its configuration is lost and
SwitchA must obtain the configuration from ServerB. SwitchA cannot perform
negotiation with ServerA because ServerA has lost its Eth-Trunk configuration. In
addition, SwitchA's Eth-Trunk cannot go Up and therefore is unable to forward
data.
You can configure the Eth-Trunk on SwitchA to work in dynamic LACP mode.
When LACP negotiation fails, SwitchA can forward packets at Layer 2 through
member interfaces. Therefore, ServerA can successfully obtain the configuration
from ServerB. After ServerA obtains the configuration, an Eth-Trunk in LACP mode
is established. Devices at both ends of the Eth-Trunk send LACPDUs for
negotiation.


Figure 3-20 Eth-Trunk in dynamic LACP mode


[Figure: NIC1, NIC2, and NIC3 on ServerA connect through an Eth-Trunk to
10GE1/0/1, 10GE1/0/2, and 10GE1/0/3 on SwitchA. The figure also shows a
gateway and the file server ServerB.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the Eth-Trunk on SwitchA to work in dynamic LACP mode, and add
Ethernet physical interfaces to the Eth-Trunk to implement link aggregation.
2. Set the upper threshold for the number of active interfaces to improve
reliability.
3. Set LACP interface priorities and determine active interfaces so that interfaces
with higher priorities are selected as active interfaces.

Procedure
Step 1 Configure the Eth-Trunk on SwitchA to work in dynamic LACP mode and add
Ethernet physical interfaces to the Eth-Trunk.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[*HUAWEI] commit
[~SwitchA] interface eth-trunk 1
[*SwitchA-Eth-Trunk1] mode lacp-dynamic
[*SwitchA-Eth-Trunk1] quit
[*SwitchA] interface 10ge 1/0/1
[*SwitchA-10GE1/0/1] eth-trunk 1
[*SwitchA-10GE1/0/1] quit
[*SwitchA] interface 10ge 1/0/2
[*SwitchA-10GE1/0/2] eth-trunk 1
[*SwitchA-10GE1/0/2] quit
[*SwitchA] interface 10ge 1/0/3
[*SwitchA-10GE1/0/3] eth-trunk 1
[*SwitchA-10GE1/0/3] quit
[*SwitchA] commit

Step 2 On SwitchA, set the upper threshold for the number of active interfaces to 2.
[~SwitchA] interface eth-trunk 1
[~SwitchA-Eth-Trunk1] lacp max active-linknumber 2
[*SwitchA-Eth-Trunk1] quit
[*SwitchA] commit

Step 3 Set LACP interface priorities and determine active links on SwitchA.
[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] lacp priority 100
[*SwitchA-10GE1/0/1] quit
[*SwitchA] interface 10ge 1/0/2
[*SwitchA-10GE1/0/2] lacp priority 100
[*SwitchA-10GE1/0/2] quit
[*SwitchA] commit

Step 4 Verify the configuration.


# Run the display eth-trunk command on SwitchA to check Eth-Trunk
information. The command output shows Eth-Trunk information, such as
Eth-Trunk ID (1) and working mode (dynamic LACP mode). 10GE1/0/1, 10GE1/0/2,
and 10GE1/0/3 are in Indep state.
[~SwitchA] display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1 Working Mode: Dynamic
Preempt Delay: Disabled Hash Arithmetic: profile default
System Priority: 32768 System ID: 0025-9e95-7c11
Least Active-linknumber: 1 Max Active-linknumber: 2
Operating Status: up Number Of Up Ports In Trunk: 0
Timeout Period: Slow
--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
10GE1/0/1 Indep 10GE 100 0 321 10100010 1
10GE1/0/2 Indep 10GE 100 1 321 10100010 1
10GE1/0/3 Indep 10GE 32768 2 321 10100010 1

Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
10GE1/0/1 0 0000-0000-0000 0 0 0 10100011
10GE1/0/2 0 0000-0000-0000 0 0 0 10100011
10GE1/0/3 0 0000-0000-0000 0 0 0 10100011

# After SwitchA receives LACPDUs from ServerA and link aggregation negotiation
between SwitchA and ServerA succeeds, run the display eth-trunk command on
SwitchA to check Eth-Trunk information. The command output shows Eth-Trunk
information, such as Eth-Trunk ID (1) and working mode (dynamic LACP mode).
10GE1/0/1 and 10GE1/0/2 are active interfaces and in Selected state, and
10GE1/0/3 is in Unselect state.
[~SwitchA] display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1 Working Mode: Dynamic
Preempt Delay: Disabled Hash Arithmetic: profile default
System Priority: 32768 System ID: 0025-9e95-7c11
Least Active-linknumber: 1 Max Active-linknumber: 2
Operating Status: up Number Of Up Ports In Trunk: 2
Timeout Period: Slow
--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
10GE1/0/1 Selected 10GE 100 0 321 10111100 1
10GE1/0/2 Selected 10GE 100 1 321 10111100 1
10GE1/0/3 Unselect 10GE 32768 2 321 10100000 1

Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
10GE1/0/1 32768 0025-9e95-7c31 32768 0 321 10111100
10GE1/0/2 32768 0025-9e95-7c31 32768 1 321 10111100
10GE1/0/3 32768 0025-9e95-7c31 32768 2 321 10100000

----End

Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
interface Eth-Trunk1
mode lacp-dynamic
lacp max active-linknumber 2
#
interface 10GE1/0/1
eth-trunk 1
lacp priority 100
#
interface 10GE1/0/2
eth-trunk 1
lacp priority 100
#
interface 10GE1/0/3
eth-trunk 1
#
return
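In dynamic LACP mode, member interfaces that have not negotiated stay in Indep state and forward at Layer 2 on their own, so it is worth checking that this state does not persist after the server has obtained its configuration. The following Python script is an added example, not Huawei code: it parses display eth-trunk output in the layout shown above and lists member interfaces that are still in Indep state or have no partner recorded. The sample text is constructed from the first output in this example, and reading the eight PortState digits as the IEEE 802.1AX state flags, first flag leftmost, is an assumption that matches the Selected and Unselect rows shown above.

```python
import re

# Constructed sample: display eth-trunk 1 in dynamic LACP mode before the
# server has sent any LACPDU (same values as the first output above).
SAMPLE = """\
Eth-Trunk1's state information is:
Local:
LAG ID: 1 Working Mode: Dynamic
Preempt Delay: Disabled Hash Arithmetic: profile default
System Priority: 32768 System ID: 0025-9e95-7c11
Least Active-linknumber: 1 Max Active-linknumber: 2
Operating Status: up Number Of Up Ports In Trunk: 0
Timeout Period: Slow
--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
10GE1/0/1 Indep 10GE 100 0 321 10100010 1
10GE1/0/2 Indep 10GE 100 1 321 10100010 1
10GE1/0/3 Indep 10GE 32768 2 321 10100010 1

Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
10GE1/0/1 0 0000-0000-0000 0 0 0 10100011
10GE1/0/2 0 0000-0000-0000 0 0 0 10100011
10GE1/0/3 0 0000-0000-0000 0 0 0 10100011
"""

# Assumption: PortState digits are the IEEE 802.1AX flags, first flag leftmost.
FLAGS = ("activity", "timeout", "aggregation", "synchronization",
         "collecting", "distributing", "defaulted", "expired")
LOCAL_RE = re.compile(
    r"^(\S+) +(Selected|Unselect|Indep) +\S+ +(\d+) +(\d+) +(\d+) +([01]{8}) +\d+ *$",
    re.M)
PARTNER_RE = re.compile(
    r"^(\S+) +(\d+) +((?:[0-9a-f]{4}-){2}[0-9a-f]{4}) +(\d+) +(\d+) +(\d+) +([01]{8}) *$",
    re.M | re.I)


def decode_state(bits):
    """Names of the flags that are set in an 8-digit PortState string."""
    return {name for name, bit in zip(FLAGS, bits) if bit == "1"}


def _field(label, text):
    m = re.search(re.escape(label) + r": *(\S+)", text, re.I)
    return m.group(1) if m else None


def parse_eth_trunk(text):
    """Parse the Local and Partner tables of an LACP-mode Eth-Trunk."""
    local_part, _, partner_part = text.partition("Partner:")
    max_active = _field("Max Active-linknumber", local_part)
    return {
        "mode": _field("Working Mode", local_part),
        "max_active": int(max_active) if max_active else None,
        "local": {m.group(1): {"status": m.group(2),
                               "state": decode_state(m.group(6))}
                  for m in LOCAL_RE.finditer(local_part)},
        "partner": {m.group(1): {"system_id": m.group(3)}
                    for m in PARTNER_RE.finditer(partner_part)},
    }


def audit(text):
    """Return sorted (interface, finding) pairs that need attention."""
    trunk = parse_eth_trunk(text)
    forwarding = {"synchronization", "collecting", "distributing"}
    findings = []
    for port, row in trunk["local"].items():
        if row["status"] == "Indep":
            findings.append((port, "indep-no-lacp-negotiation"))
        if trunk["partner"].get(port, {}).get("system_id") == "0000-0000-0000":
            findings.append((port, "no-partner-learned"))
        if row["status"] == "Selected" and not forwarding <= row["state"]:
            findings.append((port, "selected-but-flags-not-forwarding"))
    selected = sum(r["status"] == "Selected" for r in trunk["local"].values())
    if trunk["max_active"] is not None and selected > trunk["max_active"]:
        findings.append(("Eth-Trunk", "more-selected-than-max-active"))
    return sorted(findings)


if __name__ == "__main__":
    for port, finding in audit(SAMPLE):
        print(port, finding)
```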

3.12.4 Example for Configuring an Inter-Chassis Eth-Trunk to Preferentially Forward Traffic Through Local Member Interfaces

Networking Requirements
As shown in Figure 3-21, SwitchB and SwitchC are connected through stack cables
to increase the total capacity of devices. The two switches function as a logical
switch. SwitchB functions as the master switch and SwitchC as the backup switch.
To implement backup between devices and improve reliability, physical interfaces
on the two switches are added to an Eth-Trunk. Traffic from two VLANs, VLAN 2
and VLAN 3, is forwarded through both interfaces, 10GE1/0/1 and
10GE1/0/2, when the network runs properly. This provides high bandwidth use
efficiency between devices and low traffic forwarding efficiency.
To improve traffic forwarding efficiency, each interface should only forward traffic
from one VLAN (in this example, 10GE1/0/1 forwards traffic from VLAN 2 and
10GE1/0/2 forwards traffic from VLAN 3). To achieve this goal, configure the
Eth-Trunk to preferentially forward local traffic.


Figure 3-21 Preferentially forwarding local traffic through the local member
interface

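[Figure: SwitchA connects to the network and, through 10GE1/0/1 and 10GE1/0/2
in Eth-Trunk 1, to 10GE1/0/1 on SwitchB and 10GE2/0/1 on SwitchC. SwitchB and
SwitchC form an iStack connected by a stack cable. 10GE1/0/2 on SwitchB connects
to 10GE1/0/2 on SwitchD, whose 10GE1/0/1 serves VLAN 2. 10GE2/0/2 on SwitchC
connects to 10GE1/0/2 on SwitchE, whose 10GE1/0/1 serves VLAN 3. Legend: VLAN 2
data flow, VLAN 3 data flow, stack cable.]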

Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk to implement link aggregation.
2. Add member interfaces to the Eth-Trunk.
3. Enable the Eth-Trunk to preferentially forward local traffic so that traffic is
forwarded by member interfaces on the local device.
4. Configure Layer 2 forwarding to implement Layer 2 connectivity.

Procedure
Step 1 Create an Eth-Trunk and specify the allowed VLANs.
# Configure the stack. In this example, SwitchB is the master switch.


<HUAWEI> system-view
[~HUAWEI] sysname SwitchB
[*HUAWEI] commit
[~SwitchB] vlan batch 2 3
[*SwitchB] interface eth-trunk 1
[*SwitchB-Eth-Trunk1] port link-type trunk
[*SwitchB-Eth-Trunk1] port trunk allow-pass vlan 2 3
[*SwitchB-Eth-Trunk1] commit
[~SwitchB-Eth-Trunk1] quit

# Configure SwitchA.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[*HUAWEI] commit
[~SwitchA] vlan batch 2 3
[*SwitchA] interface eth-trunk 1
[*SwitchA-Eth-Trunk1] port link-type trunk
[*SwitchA-Eth-Trunk1] port trunk allow-pass vlan 2 3
[*SwitchA-Eth-Trunk1] commit
[~SwitchA-Eth-Trunk1] quit

Step 2 Add member interfaces to the Eth-Trunk.


# Configure the stack.
[~SwitchB] interface 10GE 1/0/1
[~SwitchB-10GE1/0/1] eth-trunk 1
[*SwitchB-10GE1/0/1] quit
[*SwitchB] interface 10GE 2/0/1
[*SwitchB-10GE2/0/1] eth-trunk 1
[*SwitchB-10GE2/0/1] quit
[*SwitchB] commit

# Configure SwitchA.
[~SwitchA] interface 10GE 1/0/1
[~SwitchA-10GE1/0/1] eth-trunk 1
[*SwitchA-10GE1/0/1] quit
[*SwitchA] interface 10GE 1/0/2
[*SwitchA-10GE1/0/2] eth-trunk 1
[*SwitchA-10GE1/0/2] quit
[*SwitchA] commit

Step 3 In the stack, configure the Eth-Trunk to preferentially forward local traffic.
[~SwitchB] interface eth-trunk 1
[~SwitchB-Eth-Trunk1] undo local-preference disable
[*SwitchB-Eth-Trunk1] commit
[~SwitchB-Eth-Trunk1] quit

Step 4 Configure Layer 2 forwarding.


# Configure the stack.
[~SwitchB] interface 10GE 1/0/2
[~SwitchB-10GE1/0/2] port link-type trunk
[*SwitchB-10GE1/0/2] port trunk allow-pass vlan 2
[*SwitchB-10GE1/0/2] quit
[*SwitchB] interface 10GE 2/0/2
[*SwitchB-10GE2/0/2] port link-type trunk
[*SwitchB-10GE2/0/2] port trunk allow-pass vlan 3
[*SwitchB-10GE2/0/2] quit
[*SwitchB] commit

# Configure SwitchD.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchD
[*HUAWEI] commit
[~SwitchD] vlan 2
[*SwitchD-vlan2] quit
[*SwitchD] interface 10GE 1/0/1
[*SwitchD-10GE1/0/1] port link-type trunk
[*SwitchD-10GE1/0/1] port trunk allow-pass vlan 2
[*SwitchD-10GE1/0/1] quit
[*SwitchD] interface 10GE 1/0/2
[*SwitchD-10GE1/0/2] port link-type trunk
[*SwitchD-10GE1/0/2] port trunk allow-pass vlan 2
[*SwitchD-10GE1/0/2] quit
[*SwitchD] commit

# Configure SwitchE.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchE
[*HUAWEI] commit
[~SwitchE] vlan 3
[*SwitchE-vlan3] quit
[*SwitchE] interface 10GE 1/0/1
[*SwitchE-10GE1/0/1] port link-type trunk
[*SwitchE-10GE1/0/1] port trunk allow-pass vlan 3
[*SwitchE-10GE1/0/1] quit
[*SwitchE] interface 10GE 1/0/2
[*SwitchE-10GE1/0/2] port link-type trunk
[*SwitchE-10GE1/0/2] port trunk allow-pass vlan 3
[*SwitchE-10GE1/0/2] quit
[*SwitchE] commit

Step 5 Verify the configuration.


After the configuration is complete, run the display eth-trunk membership
command in any view. You can view information about Eth-Trunk member
interfaces.
The display on the stack is used as an example.
[~SwitchB] display eth-trunk membership 1
Trunk ID: 1
Used Status: Valid
Type: Ethernet
Working Mode: Normal
Number Of Ports in Trunk: 2
Number Of Up Ports in Trunk: 2
Operating Status: up

Interface 10GE1/0/1, valid, operate up, weight=1,
Interface 10GE2/0/1, valid, operate up, weight=1,

----End

Configuration Files
● Configuration file of the stack
#
sysname SwitchB
#
vlan batch 2 to 3
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
interface 10GE1/0/1
eth-trunk 1
#
interface 10GE1/0/2
port link-type trunk

port trunk allow-pass vlan 2


#
interface 10GE2/0/1
eth-trunk 1
#
interface 10GE2/0/2
port link-type trunk
port trunk allow-pass vlan 3
#
return

● Configuration file of SwitchA


#
sysname SwitchA
#
vlan batch 2 to 3
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
interface 10GE1/0/1
eth-trunk 1
#
interface 10GE1/0/2
eth-trunk 1
#
return

● Configuration file of SwitchD


#
sysname SwitchD
#
vlan batch 2
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2
#
return

● Configuration file of SwitchE


#
sysname SwitchE
#
vlan batch 3
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 3
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 3
#
return

3.12.5 Example for Configuring Inter-device Link Aggregation in LACP Mode (Standalone Device)

Networking Requirements
In Figure 3-22, DeviceA is dual-homed to DeviceB and DeviceC. The Eth-Trunk in
LACP mode is deployed on DeviceA, and its member interfaces are connected to
10GE1/0/1 and 10GE1/0/2 of DeviceB and DeviceC. 10GE1/0/1 and 10GE1/0/2 use
the same rate and duplex mode. Traffic needs to be load balanced on the two
devices.

Figure 3-22 Dual-active networking where a device is dual-homed through the Eth-Trunk in LACP mode

[Figure: DeviceA (Eth-Trunk, member interfaces 10GE1/0/1 to 10GE1/0/4) is dual-homed to DeviceB and DeviceC (10GE1/0/1 to 10GE1/0/2 on each), which connect to the Internet.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create Eth-Trunk 1 in static LACP mode on DeviceA, DeviceB, and DeviceC and
add member interfaces to Eth-Trunk 1 to implement link aggregation.
2. Configure the same LACP system ID on DeviceB and DeviceC.
3. Configure the same LACP system priority on DeviceB and DeviceC.
4. Configure the numbers of the Eth-Trunk member interfaces on DeviceC to increase by
32768 so that the member interface numbers used in LACP mode on DeviceB and
DeviceC are not repeated.

Procedure
Step 1 Create Eth-Trunk 1 in LACP mode on DeviceA, DeviceB, and DeviceC and add
member interfaces to Eth-Trunk 1.
<HUAWEI> system-view
[~HUAWEI] sysname DeviceA
[*HUAWEI] commit
[~DeviceA] interface eth-trunk 1
[*DeviceA-Eth-Trunk1] mode lacp-static
[*DeviceA-Eth-Trunk1] trunkport 10ge 1/0/1 to 1/0/4
[*DeviceA-Eth-Trunk1] commit
[~DeviceA-Eth-Trunk1] quit
<HUAWEI> system-view
[~HUAWEI] sysname DeviceB
[*HUAWEI] commit
[~DeviceB] interface eth-trunk 1

[*DeviceB-Eth-Trunk1] mode lacp-static


[*DeviceB-Eth-Trunk1] trunkport 10ge 1/0/1 to 1/0/2
[*DeviceB-Eth-Trunk1] commit
<HUAWEI> system-view
[~HUAWEI] sysname DeviceC
[*HUAWEI] commit
[~DeviceC] interface eth-trunk 1
[*DeviceC-Eth-Trunk1] mode lacp-static
[*DeviceC-Eth-Trunk1] trunkport 10ge 1/0/1 to 1/0/2
[*DeviceC-Eth-Trunk1] commit

Step 2 Set the LACP system ID on DeviceB and DeviceC to 00e0-cf00-0000.


[~DeviceB-Eth-Trunk1] lacp system-id 00e0-cf00-0000
[*DeviceB-Eth-Trunk1] commit
[~DeviceB-Eth-Trunk1] quit
[~DeviceC-Eth-Trunk1] lacp system-id 00e0-cf00-0000
[*DeviceC-Eth-Trunk1] commit
[~DeviceC-Eth-Trunk1] quit

Step 3 Set the LACP system priority on DeviceB and DeviceC to 100.
[~DeviceB] lacp priority 100
[*DeviceB] commit
[~DeviceC] lacp priority 100
[*DeviceC] commit

Step 4 Configure the numbers of Eth-Trunk member interfaces on DeviceC to increase by 32768.
[~DeviceC] interface eth-trunk 1
[~DeviceC-Eth-Trunk1] lacp port-id-extension enable
[*DeviceC-Eth-Trunk1] commit

Step 5 Verify the configuration.


# Check information about the Eth-Trunk of each device and check whether the
negotiation is successful.
[~DeviceA] display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1 Working Mode: Static
Preempt Delay: Disabled Hash Arithmetic: profile default
System Priority: 100 System ID: e468-a356-0cb1
Least Active-linknumber: 1 Max Active-linknumber: 16
Operating Status: up Number Of Up Ports In Trunk: 4
Timeout Period: Slow
--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
10GE1/0/1 Selected 10GE 32768 3 321 10111100 1
10GE1/0/2 Selected 10GE 32768 1 321 10100010 1
10GE1/0/3 Selected 10GE 32768 4 321 10111100 1
10GE1/0/4 Selected 10GE 32768 2 321 10100010 1

Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
10GE1/0/1 100 00e0-cf00-0000 32768 32769 321 10111100
10GE1/0/2 100 00e0-cf00-0000 32768 32770 321 10111100
10GE1/0/1 100 00e0-cf00-0000 32768 4 321 10111100
10GE1/0/2 100 00e0-cf00-0000 32768 5 321 10111100
[~DeviceB] display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1 Working Mode: Static
Preempt Delay: Disabled Hash Arithmetic: profile default
System Priority: 100 System ID: 00e0-cf00-0000
Least Active-linknumber: 1 Max Active-linknumber: 32
Operating Status: up Number Of Up Ports In Trunk: 2
Timeout Period: Slow

--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
10GE1/0/1 Selected 10GE 32768 4 321 10111100 1
10GE1/0/2 Selected 10GE 32768 5 321 10111100 1

Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
10GE1/0/3 100 e468-a356-0cb1 32768 4 321 10111100
10GE1/0/4 100 e468-a356-0cb1 32768 2 321 10100010
[~DeviceC] display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1 Working Mode: Static
Preempt Delay: Disabled Hash Arithmetic: profile default
System Priority: 100 System ID: 00e0-cf00-0000
Least Active-linknumber: 1 Max Active-linknumber: 16
Operating Status: up Number Of Up Ports In Trunk: 2
Timeout Period: Slow
--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
10GE1/0/1 Selected 10GE 32768 32769 321 10111100 1
10GE1/0/2 Selected 10GE 32768 32770 321 10111100 1

Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
10GE1/0/1 100 e468-a356-0cb1 32768 3 321 10111100
10GE1/0/2 100 e468-a356-0cb1 32768 1 321 10100010

The preceding information shows that the value of Operating Status on each
device is up, which indicates that negotiation of Eth-Trunk 1 is successful. Member
interfaces on DeviceB and DeviceC are active interfaces in Selected state, so they
can load balance traffic. The PortNo values on DeviceC show that the numbers of
the Eth-Trunk member interfaces on DeviceC have been increased by 32768.
----End
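
One way to automate the Step 5 check, as an added example that is not part of the Huawei guide: the Python script below parses abbreviated copies of the display eth-trunk outputs shown above and confirms that DeviceB and DeviceC present a single LACP system with non-overlapping port numbers. The function names are hypothetical, and the DeviceC output without port-id-extension is constructed for illustration.

```python
import re

# Row layouts of `display eth-trunk` as printed in the outputs above.
ACTOR_ROW = re.compile(
    r"^(\S+)\s+(\S+)\s+\S+\s+\d+\s+(\d+)\s+\d+\s+[01]{8}\s+\d+$")
PARTNER_ROW = re.compile(
    r"^(\S+)\s+(\d+)\s+((?:[0-9a-f]{4}-){2}[0-9a-f]{4})\s+\d+\s+(\d+)\s+\d+\s+[01]{8}$")
LOCAL_ID = re.compile(r"System Priority:\s*(\d+)\s+System ID:\s*(\S+)")

# Abbreviated copies of the outputs shown above (Partner rows kept for DeviceA only).
OUT_A = """\
System Priority: 100 System ID: e468-a356-0cb1
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
10GE1/0/1 Selected 10GE 32768 3 321 10111100 1
10GE1/0/2 Selected 10GE 32768 1 321 10100010 1
10GE1/0/3 Selected 10GE 32768 4 321 10111100 1
10GE1/0/4 Selected 10GE 32768 2 321 10100010 1
Partner:
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
10GE1/0/1 100 00e0-cf00-0000 32768 32769 321 10111100
10GE1/0/2 100 00e0-cf00-0000 32768 32770 321 10111100
10GE1/0/1 100 00e0-cf00-0000 32768 4 321 10111100
10GE1/0/2 100 00e0-cf00-0000 32768 5 321 10111100
"""
OUT_B = """\
System Priority: 100 System ID: 00e0-cf00-0000
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
10GE1/0/1 Selected 10GE 32768 4 321 10111100 1
10GE1/0/2 Selected 10GE 32768 5 321 10111100 1
"""
OUT_C = """\
System Priority: 100 System ID: 00e0-cf00-0000
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
10GE1/0/1 Selected 10GE 32768 32769 321 10111100 1
10GE1/0/2 Selected 10GE 32768 32770 321 10111100 1
"""
# Constructed failure case: DeviceC port numbers as if they were not increased.
OUT_C_NO_EXTENSION = OUT_C.replace(" 32769 ", " 4 ").replace(" 32770 ", " 5 ")


def parse_eth_trunk(text):
    """Return the local LACP identity, actor rows and partner rows of one output."""
    info = {"priority": None, "system_id": None, "actors": [], "partners": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = LOCAL_ID.search(line)
        if m:
            info["priority"], info["system_id"] = int(m.group(1)), m.group(2)
            continue
        m = ACTOR_ROW.match(line)
        if m:  # (interface, status, LACP port number)
            info["actors"].append((m.group(1), m.group(2), int(m.group(3))))
            continue
        m = PARTNER_ROW.match(line)
        if m:  # (local interface, partner priority, partner system ID, partner port number)
            info["partners"].append(
                (m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return info


def check_dual_homing(dev_a, dev_b, dev_c):
    """Return a list of problems; an empty list means the three outputs agree."""
    problems = []
    identity_b = (dev_b["priority"], dev_b["system_id"])
    if identity_b != (dev_c["priority"], dev_c["system_id"]):
        problems.append("DeviceB and DeviceC advertise different LACP system priority/ID")
    overlap = {n for _, _, n in dev_b["actors"]} & {n for _, _, n in dev_c["actors"]}
    if overlap:
        problems.append("duplicate LACP port numbers on DeviceB and DeviceC: %s"
                        % sorted(overlap))
    for name, dev in (("DeviceA", dev_a), ("DeviceB", dev_b), ("DeviceC", dev_c)):
        for port, status, _ in dev["actors"]:
            if status != "Selected":
                problems.append("%s %s is %s, not Selected" % (name, port, status))
    partner_systems = {(pri, sid) for _, pri, sid, _ in dev_a["partners"]}
    if partner_systems != {identity_b}:
        problems.append("DeviceA does not see exactly one LACP partner system: %s"
                        % sorted(partner_systems))
    partner_ports = [n for _, _, _, n in dev_a["partners"]]
    if len(partner_ports) != len(set(partner_ports)):
        problems.append("DeviceA sees the same partner port number on several links")
    return problems


if __name__ == "__main__":
    a, b = parse_eth_trunk(OUT_A), parse_eth_trunk(OUT_B)
    for label, out_c in (("as configured", OUT_C), ("no extension", OUT_C_NO_EXTENSION)):
        print(label, "->", check_dual_homing(a, b, parse_eth_trunk(out_c)) or "OK")
```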

Configuration Files
● DeviceA configuration file
#
sysname DeviceA
#
interface Eth-Trunk1
mode lacp-static
#
interface 10GE1/0/1
eth-trunk 1
#
interface 10GE1/0/2
eth-trunk 1
#
interface 10GE1/0/3
eth-trunk 1
#
interface 10GE1/0/4
eth-trunk 1
#
return
● DeviceB configuration file
#
sysname DeviceB
#
lacp priority 100

#
interface Eth-Trunk1
mode lacp-static
lacp system-id 00e0-cf00-0000
#
interface 10GE1/0/1
eth-trunk 1
#
interface 10GE1/0/2
eth-trunk 1
#
return

● DeviceC configuration file


#
sysname DeviceC
#
lacp priority 100
#
interface Eth-Trunk1
mode lacp-static
lacp system-id 00e0-cf00-0000
lacp port-id-extension enable
#
interface 10GE1/0/1
eth-trunk 1
#
interface 10GE1/0/2
eth-trunk 1
#
return

3.13 Troubleshooting Link Aggregation

3.13.1 Traffic Is Unevenly Load Balanced Among Eth-Trunk Member Interfaces Because the Load Balancing Mode Is Incorrect
Fault Description
Traffic is unevenly load balanced among Eth-Trunk member interfaces due to the
incorrect load balancing mode.

Procedure
1. Run the display eth-trunk command to check whether the load balancing
mode of the Eth-Trunk meets networking requirements. For example, source
or destination IP address-based load balancing is not recommended in Layer 2
networking.
2. Run the load-balance command to set an appropriate load balancing mode.

NOTE

You can set the load balancing mode based on traffic models. When a parameter of
traffic changes frequently, you can set the load balancing mode based on this
parameter to ensure that the traffic is load balanced evenly. For example, if IP
addresses of packets change frequently, use the load balancing mode based on dst-ip,
src-ip, or src-dst-ip. If MAC addresses of packets change frequently but IP addresses
are fixed, use the load balancing mode based on dst-mac, src-mac, or src-dst-mac.

3.13.2 The Physical Status of the Member Interface Is Up But the Link Protocol Status Is Down Because Link Aggregation Is Not Configured on the Remote End

Fault Description
SwitchA is configured with link aggregation, but SwitchB is not configured with
link aggregation. As a result, the physical status of the member interface on
SwitchA is Up but the link protocol status is Down.
[Figure: SwitchA (10GE1/0/1 to 10GE1/0/3, Eth-Trunk 1) is connected to SwitchB (10GE1/0/1 to 10GE1/0/3, Eth-Trunk 1).]

Procedure
Step 1 Run the display this command on 10GE1/0/1, 10GE1/0/2, and 10GE1/0/3 of
SwitchB. The output shows that the three interfaces have not joined the Eth-Trunk.
If interfaces join the Eth-Trunk, you can view the following configuration in the
command output.
#
interface 10GE1/0/1
eth-trunk 1
#

Step 2 On SwitchB, configure the same link aggregation mode as SwitchA. For details,
see 3.7 Configuring Link Aggregation in Manual Load Balancing Mode or 3.8
Configuring Link Aggregation in LACP Mode.

----End

4 M-LAG Configuration

4.1 Overview of M-LAG


4.2 Understanding M-LAG
4.3 Application Scenarios for M-LAG
4.4 Summary of M-LAG Configuration Tasks
4.5 Licensing Requirements and Limitations for M-LAG
4.6 Configuring M-LAG Through the Root Bridge
4.7 Configuring M-LAG Through V-STP (Recommended)
4.8 Maintaining M-LAG
4.9 Configuration Examples for M-LAG
4.10 M-LAG Technical Topics

4.1 Overview of M-LAG


Definition
Multichassis Link Aggregation Group (M-LAG) implements link aggregation
among multiple devices. In a dual-active system shown in Figure 4-1, one device
is connected to two devices through M-LAG to achieve device-level link reliability.

Figure 4-1 M-LAG network

Purpose
As an inter-device link aggregation technology, M-LAG increases link bandwidth,
improves link reliability, and implements load balancing. It has the following
advantages:
● High reliability
M-LAG protects link reliability for entire devices.
● Simplified network and configuration
M-LAG is a horizontal virtualization technology that virtualizes two dual-
homed devices into one device. M-LAG prevents loops on a Layer 2 network
and implements redundancy. M-LAG greatly simplifies the network and
configuration.
● Independent upgrade
Two devices can be upgraded independently. This prevents service interruption
when either device is being upgraded.

Reference
● M-LAG Best Practices: CloudEngine Series Switches M-LAG Technical Topics
● Video: CloudEngine Series Switch M-LAG Feature Introduction

4.2 Understanding M-LAG

4.2.1 Basic Concepts


In Figure 4-2, the user-side device (switch or host) connects to SwitchA and
SwitchB through M-LAG to constitute a dual-active system. SwitchA and SwitchB
then forward traffic together to ensure network reliability.

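Figure 4-2 Basic M-LAG topology

[Figure: a user-side Switch is dual-homed through M-LAG member interfaces to SwitchA and SwitchB, which form a dual-active system. SwitchA and SwitchB are connected by the peer-link, exchange dual-active detection packets, and connect upstream to the Network.]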

Table 4-1 describes basic concepts of M-LAG.

Table 4-1 Basic concepts of M-LAG

Concept | Description

Dynamic Fabric Service (DFS) group | A DFS group is used for pairing between M-LAG devices. M-LAG devices use the DFS group protocol to synchronize information such as the interface status and entries.

DFS master device | The device is configured with M-LAG and is in master state. It is also called the M-LAG master device.

DFS backup device | The device is configured with M-LAG and is in backup state. It is also called the M-LAG backup device. NOTE: A DFS group consists of a master device and a backup device. Under normal circumstances, both the master and backup devices forward service traffic and their forwarding behaviors are the same. The master and backup devices have different forwarding behaviors only when a fault occurs.

Dual-Active Detection (DAD) link | A DAD link is used for M-LAG master and backup devices to exchange DAD packets at Layer 3. NOTE: Under normal circumstances, the DAD link does not participate in any traffic forwarding behaviors in the M-LAG. It is only used to detect whether two master devices exist when a fault occurs. The DAD link can be an external link, for example, if the M-LAG is connected to an IP network and the two member devices can communicate through the IP network, the link that enables communication between the member devices can function as the DAD link. An independent link that provides Layer 3 reachability can also be configured as the DAD link, for example, a link between management interfaces of the member devices can function as the DAD link.

Peer-link interface | Peer-link interfaces are at both ends of a peer-link.

Peer-link | A peer-link is between two directly connected devices and has link aggregation configured. It is used to exchange negotiation packets and transmit part of traffic. After an interface is configured as a peer-link interface, other services cannot be configured on the interface. To improve the peer-link reliability, you are advised to use multiple links for aggregation.

HB DFS master device | The device negotiates to the master state through the heartbeat link. NOTE: Under normal circumstances, the HB DFS master/backup status negotiation through heartbeat packets does not affect traffic forwarding behaviors in the M-LAG. It is used only in secondary fault rectification scenarios. If faults on the original DFS master device are rectified and the peer-link fault persists, the corresponding interfaces on the backup device are triggered to enter the Error-Down state based on the HB DFS master/backup status. This mechanism prevents abnormal traffic forwarding in the scenario where two master devices exist and improves device reliability.

HB DFS backup device | The device negotiates to the backup state through the heartbeat link. NOTE: Under normal circumstances, the HB DFS master/backup status negotiation through heartbeat packets does not affect traffic forwarding behaviors in the M-LAG. It is used only in secondary fault rectification scenarios. If faults on the original DFS master device are rectified and the peer-link fault persists, the corresponding interfaces on the backup device are triggered to enter the Error-Down state based on the HB DFS master/backup status. This mechanism prevents abnormal traffic forwarding in the scenario where two master devices exist and improves device reliability.

M-LAG member interface | M-LAG member interfaces are the Eth-Trunks on M-LAG master and backup devices that are connected to the user-side host or switch. To improve the reliability, you are advised to configure link aggregation in LACP mode. M-LAG member interfaces also work in master/backup mode. When the local and remote member interfaces synchronize information, the interface that changes from Down to Up first becomes the master M-LAG member interface, and the other interface becomes the backup M-LAG member interface. NOTE: The master and backup M-LAG member interfaces have different forwarding behaviors only when the M-LAG forwards multicast traffic.

4.2.2 Information Exchange Principles


The dual-active system that is set up based on M-LAG provides device-level
reliability. Figure 4-3 shows the M-LAG establishment process. The process
includes the following stages:

Figure 4-3 M-LAG establishment

[Figure: during M-LAG establishment, SwitchA and SwitchB, connected by the peer-link and the DAD link, exchange the DFS group Hello packet, DFS group device information packet, M-LAG device information packet, and M-LAG synchronization packet.]

1. DFS group pairing


After two M-LAG devices are configured, they send DFS group Hello packets
to each other through the peer-link. When receiving Hello packets from the
remote device, the local device checks whether the DFS group ID in the
packets is the same as that of the local device. If the DFS group IDs are the
same, DFS group pairing of the two devices is successful.
2. DFS group master/backup negotiation
After the pairing is successful, the two devices send DFS group device
information packets to each other. The devices determine the DFS group
master and backup status based on the DFS group priorities and system MAC
addresses carried in the packets.
SwitchB is used as an example. When receiving packets from SwitchA, SwitchB
checks and records information about SwitchA, and compares its DFS group
priority with that of SwitchA. If SwitchA has a higher DFS group priority than
SwitchB, SwitchA is the DFS master device and SwitchB is the DFS backup
device. If SwitchA and SwitchB have the same DFS group priority, the device
with a smaller MAC address functions as the DFS master device.
NOTE

A DFS group consists of a master device and a backup device. Under normal
circumstances, both the master and backup devices forward service traffic and their
forwarding behaviors are the same. The master and backup devices have different
forwarding behaviors only when a fault occurs.
3. Master/backup negotiation of M-LAG member interfaces
After DFS group master/backup negotiation is successful, the two devices
send M-LAG device information packets carrying configuration information of
M-LAG member interfaces to each other through the peer-link. After member
interface information is synchronized, master and backup M-LAG member
interfaces are determined.
When the local and remote member interfaces synchronize information, the
interface that changes from Down to Up first becomes the master M-LAG
member interface, and the other interface becomes the backup M-LAG
member interface. By default, revertive switching is not performed between
the master and backup interfaces. That is, if the device where the original
master M-LAG member interface resides recovers from a failure, the original
backup interface that becomes the master interface remains in master state,
and the original master interface that recovers from a failure is still in backup
state. The master/backup negotiation mechanism of M-LAG member
interfaces differs from that of the DFS group.
NOTE

The master and backup M-LAG member interfaces have different forwarding behaviors
only when the M-LAG forwards multicast traffic.
4. DAD
After M-LAG master and backup devices are negotiated, the two devices send
M-LAG DAD packets at an interval of 1s through the DAD link. If a device
detects that the peer-link fails, it sends three DAD packets at an interval of
100 ms to accelerate detection. If both devices can receive packets from each
other, the dual-active system starts to work.
Under normal circumstances, the DAD link does not participate in any traffic
forwarding behaviors in the M-LAG. It is only used to detect whether two
master devices exist when the DFS group pairing or peer-link fails. Therefore,
the M-LAG still works properly even if DAD fails. The DAD link can be an
external link. For example, if the M-LAG is connected to an IP network and
the two member devices can communicate through the IP network, the link
that enables communication between the member devices can function as the
DAD link. An independent link that provides Layer 3 reachability can also be
configured as the DAD link. For example, a link between management
interfaces of the member devices can function as the DAD link.
– The DAD link is deployed between management interfaces. Management
interface IP addresses bound to the DFS group must be reachable to each
other, and VPN instances are bound to management interfaces to ensure
that DAD packets and service packets are separated.
– The DAD link is deployed on a service network, and the IP address bound
to the DFS group must be reachable at Layer 3. If peer-link interfaces
establish a routing neighbor relationship, DAD packets on the service
network are transmitted through the peer-link using the optimal route. If
the peer-link fails, DAD packets are transmitted to the remote device
through the suboptimal path during route convergence, and the DAD
time is 0.5s or 1s longer.
NOTE

In V200R005C10 and later versions, two devices send DAD packets at the specified
interval immediately after the heartbeat link is Up. In secondary fault rectification
scenarios where enhanced DAD for secondary faults is enabled, faults on the original
DFS master or backup device are rectified and the peer-link fault persists. If the local
and remote devices' IP addresses are bound to the DFS group, M-LAG devices
negotiate the HB DFS master/backup status based on the DFS information carried in
DAD packets, and the corresponding interfaces on the HB DFS backup device are
triggered to enter the Error-Down state, preventing abnormal traffic forwarding in the
scenario where two master devices exist.
5. M-LAG information synchronization
When working properly, the two devices send M-LAG synchronization packets
through the peer-link to synchronize information with each other in real time.
M-LAG synchronization packets include MAC address entries, ARP entries, and STP
and VRRP packet information. The devices also send the status of M-LAG
member interfaces. In this way, traffic forwarding is not affected when any
device fails, ensuring that normal services are not interrupted.
NOTE

For the CE6870EI, CE6875EI, and CE5880EI, after a VLANIF or VBDIF interface is
configured on an M-LAG member device, the real MAC address of the VLANIF or
VBDIF interface is synchronized to the peer device through the M-LAG synchronization
channel and delivered as a dynamic MAC address.

Table 4-2 M-LAG synchronization packet information

Type | Description
MAC | MAC address entry synchronization
ARP | ARP packet synchronization
ND | ND packet synchronization
STP | STP status synchronization
Others | Information such as the status of an M-LAG member interface
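
Stages 1 to 3 of the establishment process, as an added example rather than code from the guide: the Python model below pairs two devices on the DFS group ID, elects the DFS master, and tracks the non-revertive master/backup state of one M-LAG member interface pair. Device values and MAC addresses are constructed, class and function names are hypothetical, and the model assumes that a larger DFS group priority value means a higher priority.

```python
from dataclasses import dataclass


def mac_value(mac):
    """'00e0-fc00-0001' -> integer, so system MAC addresses compare numerically."""
    return int(mac.replace("-", ""), 16)


@dataclass
class Device:
    name: str
    dfs_group_id: int
    priority: int       # DFS group priority (assumption: larger value = higher)
    system_mac: str
    role: str = "unpaired"


def negotiate_dfs(local, remote):
    """Stages 1 and 2. Returns the DFS master, or None if pairing fails."""
    # Stage 1: Hello packets carry the DFS group ID; pairing needs equal IDs.
    if local.dfs_group_id != remote.dfs_group_id:
        local.role = remote.role = "unpaired"
        return None
    # Stage 2: the higher DFS group priority wins; on a tie the device with
    # the smaller system MAC address becomes the master.
    master = max((local, remote),
                 key=lambda d: (d.priority, -mac_value(d.system_mac)))
    for dev in (local, remote):
        dev.role = "master" if dev is master else "backup"
    return master


class MemberInterfacePair:
    """Stage 3: master/backup state of one M-LAG member interface pair."""

    def __init__(self, name_a, name_b):
        self.up = {name_a: False, name_b: False}
        self.master = None

    def link_event(self, device, up):
        """Record a Down/Up change and return the current master interface owner."""
        self.up[device] = up
        if up and self.master is None:
            # The interface that goes Up first becomes the master.
            self.master = device
        elif not up and self.master == device:
            # The master failed: the surviving Up interface takes over.
            survivors = [d for d, state in self.up.items() if state]
            self.master = survivors[0] if survivors else None
        # An interface that recovers while a master exists stays backup
        # (no revertive switching by default).
        return self.master


def demo():
    # Constructed devices and MAC addresses.
    a = Device("SwitchA", 1, 150, "00e0-fc00-0002")
    b = Device("SwitchB", 1, 100, "00e0-fc00-0001")
    out = {"by_priority": negotiate_dfs(a, b).name}
    a.priority = 100                        # equal priorities: MAC decides
    out["by_mac"] = negotiate_dfs(a, b).name
    other_group = Device("SwitchC", 2, 200, "00e0-fc00-0003")
    out["id_mismatch"] = negotiate_dfs(a, other_group)
    out["dfs_master"] = negotiate_dfs(a, b).name
    links = MemberInterfacePair("SwitchA", "SwitchB")
    out["first_up"] = links.link_event("SwitchA", True)
    links.link_event("SwitchB", True)
    out["after_failure"] = links.link_event("SwitchA", False)
    out["after_recovery"] = links.link_event("SwitchA", True)
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, "->", result)
```

In the constructed run, SwitchB is the DFS master (equal priority, smaller MAC address) while SwitchA holds the master M-LAG member interface until it fails, which shows that the two negotiations are independent.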

4.2.3 M-LAG Loop Prevention Mechanism


M-LAG has a loop prevention mechanism that helps construct a loop-free
network. Figure 4-4 shows how M-LAG constructs a loop-free network. Unicast
traffic from the access device or the network side to M-LAG devices is forwarded
through the local device preferentially, and the peer-link does not transmit data
traffic under normal circumstances. When traffic is broadcast to the remote M-LAG
device through the peer-link, unidirectional traffic isolation is applied
between the peer-link and the M-LAG member interface. That is, traffic received
through the peer-link is not forwarded through the M-LAG member interface, and
therefore no loop occurs. This is the unidirectional isolation mechanism of M-LAG.

Figure 4-4 Traffic forwarding when an M-LAG is connected to a Layer 2 network

[Figure: two M-LAG devices joined by the peer-link and the DAD link connect an access device to an Ethernet network. Legend: unicast traffic from an access-side device, unicast traffic from a network-side device, broadcast traffic, unidirectional isolation, blocked interface.]

Unidirectional Isolation Mechanism


Prerequisites for the Mechanism to Take Effect
When M-LAG master and backup devices are negotiated, the system checks
whether the access device is dual-homed to the M-LAG using M-LAG
synchronization packets.
● If the access device is dual-homed to the M-LAG, the two M-LAG devices
deliver the unidirectional isolation configuration of the corresponding M-LAG
member interface to isolate traffic from peer-link interfaces to M-LAG
member interfaces.
NOTE

Unidirectional isolation in the M-LAG loop prevention mechanism takes effect for
Layer 2 traffic (including unicast, multicast, and broadcast traffic) and Layer 3
multicast traffic, and does not take effect for Layer 3 unicast traffic.
● If the access device is single-homed to the M-LAG, the M-LAG does not
deliver the unidirectional isolation configuration of the corresponding M-LAG
member interface.
Implementation Principles
In Figure 4-5, a device is dual-homed to an M-LAG. M-LAG devices deliver the
global ACL configuration in the following sequence:
● Rule 1: Layer 3 unicast packets with a peer-link interface as the source
interface and an M-LAG member interface as the destination interface are
allowed to pass through.
● Rule 2: All packets with a peer-link interface as the source interface and an
M-LAG member interface as the destination interface are rejected.
M-LAG devices use the ACL rule group to implement unidirectional isolation
between peer-link interfaces and M-LAG member interfaces. Flooding traffic such
as broadcast traffic from a peer-link interface to an M-LAG member interface is
isolated. When an M-LAG device detects that the local M-LAG member interface is
in Down state, the device sends M-LAG synchronization packets through the peer-
link to instruct the remote device to revoke the automatically delivered
unidirectional isolation ACL rule group of the corresponding M-LAG member
interface.
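
The rule order described above, as an added example (not Huawei's implementation): a small Python model of the rule group applied to traffic from the peer-link interface to an M-LAG member interface. It shows first-match evaluation, delivery only when the access device is dual-homed, and revocation when a member interface goes Down. Class and function names are hypothetical, and installing the rule group only while both member interfaces are Up is an assumption of the model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    layer: int  # 2 = forwarded at Layer 2, 3 = forwarded at Layer 3
    cast: str   # "unicast", "multicast" or "broadcast"


# Rule group for traffic whose source is the peer-link interface and whose
# destination is an M-LAG member interface, in the order given in the text.
RULE_GROUP = (
    ("rule 1", lambda p: p.layer == 3 and p.cast == "unicast", "permit"),
    ("rule 2", lambda p: True, "deny"),
)


def evaluate(rules, pkt):
    """The first matching rule decides; without a rule group nothing is isolated."""
    for name, matches, action in rules:
        if matches(pkt):
            return action, name
    return "permit", None


class MlagDevice:
    """Hypothetical model of one M-LAG device."""

    def __init__(self, name):
        self.name = name
        self.peer = None
        self.member_up = {}  # M-LAG ID -> is the local member interface Up?
        self.isolation = {}  # M-LAG ID -> rule group delivered for that interface

    def set_member(self, mlag_id, up):
        """A local member interface changes state; both devices resynchronize."""
        self.member_up[mlag_id] = up
        for dev in (self, self.peer):
            if dev is not None:
                dev._resync(mlag_id)

    def _resync(self, mlag_id):
        # Model assumption: the rule group exists only while the access device
        # is dual-homed, that is, the member interface is Up on both devices.
        remote_up = (self.peer is not None
                     and self.peer.member_up.get(mlag_id, False))
        if self.member_up.get(mlag_id, False) and remote_up:
            self.isolation[mlag_id] = RULE_GROUP
        else:
            self.isolation.pop(mlag_id, None)  # never delivered, or revoked

    def from_peer_link(self, mlag_id, pkt):
        """Action for a packet received on the peer-link and destined for the
        local M-LAG member interface."""
        if not self.member_up.get(mlag_id, False):
            return "no-link"
        return evaluate(self.isolation.get(mlag_id, ()), pkt)[0]


def pair(a, b):
    a.peer, b.peer = b, a


def demo():
    a, b = MlagDevice("SwitchA"), MlagDevice("SwitchB")
    pair(a, b)
    bcast, l3_unicast = Packet(2, "broadcast"), Packet(3, "unicast")
    results = {}
    a.set_member(1, True)    # access device is single-homed to SwitchA
    results["single_homed_bcast"] = a.from_peer_link(1, bcast)
    b.set_member(1, True)    # dual-homed: rule group delivered on both devices
    results["dual_homed_bcast"] = a.from_peer_link(1, bcast)
    results["dual_homed_l2_unicast"] = a.from_peer_link(1, Packet(2, "unicast"))
    results["dual_homed_l3_multicast"] = b.from_peer_link(1, Packet(3, "multicast"))
    results["dual_homed_l3_unicast"] = b.from_peer_link(1, l3_unicast)
    a.set_member(1, False)   # SwitchA member interface Down: SwitchB revokes
    results["after_revoke_bcast"] = b.from_peer_link(1, bcast)
    # With the two rules swapped, the deny rule would also catch Layer 3 unicast.
    results["reversed_order_l3_unicast"] = evaluate(RULE_GROUP[::-1], l3_unicast)
    return results


if __name__ == "__main__":
    for case, action in demo().items():
        print(case, "->", action)
```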

Figure 4-5 M-LAG unidirectional isolation

[Figure: two M-LAG devices joined by the peer-link and the DAD link. Legend: broadcast traffic, unidirectional isolation.]

4.2.4 M-LAG Consistency Check


The M-LAG is a dual-active system composed of two devices. It is a horizontal
virtualization technology that virtualizes two devices into one device (a Layer 2
logical node). The logical topology is clear, and some configurations of two
devices in the M-LAG must be consistent. If some configurations of two devices in
the M-LAG are inconsistent, the M-LAG may fail to work or a loop may occur.
When M-LAG is deployed on an enterprise data center network, manually
performing or comparing the configuration of the two devices in the M-LAG is
inefficient and carries many potential risks of incorrect configurations.
To address these issues, Huawei proposes the M-LAG consistency check. The
M-LAG mechanism provides the configuration consistency check, which requests the
configuration of each module. Based on the comparison result after the M-LAG
consistency check is enabled, you can adjust the configurations of devices in the
M-LAG to prevent problems such as network loops or data loss.
The M-LAG configuration falls into two types: key configuration (Type 1) and
common configuration (Type 2), as described in Table 4-3. Two M-LAG
consistency check modes are available: strict and loose.
● Key configuration (Type 1): If the configurations of two devices in the M-LAG
are inconsistent, problems may occur, for example, loops may occur or
packets are discarded for a long period of time though the M-LAG status is
normal.
In strict mode, if the key configuration of two devices in the M-LAG is
inconsistent, member interfaces on the M-LAG backup device enter the Error-
Down state and the alarm about key configuration inconsistency is generated.
In loose mode, if the key configuration of two devices in the M-LAG is
inconsistent, the alarm about key and common configuration inconsistency is
generated.
● Common configuration (Type 2): If the configurations of two devices in the
M-LAG are inconsistent, the M-LAG status may be abnormal. Compared with
the key configuration, the common configuration problem can be easily
detected and has less impact on the live network.

Regardless of the mode, if the following common configuration of two
devices in the M-LAG is inconsistent, the alarm about key and common
configuration inconsistency is generated.

Table 4-3 M-LAG consistency check list

View | Configuration | Type

System view | Whether STP is enabled | Type 1

System view | STP working mode | Type 1

System view | Whether BPDU protection is enabled | Type 1

System view | Mapping between VLANs and MSTIs. NOTE: The device checks the mapping between VLANs and MSTIs in STP process 0. | Type 1

M-LAG member interface view | Whether STP is enabled | Type 1

M-LAG member interface view | Whether root protection is enabled | Type 1

M-LAG member interface view | LACP mode | Type 1

System view | VLAN configuration | Type 2

System view | Static MAC address entries: ● Static MAC address entry in which the interface is an M-LAG member interface ● Static MAC address entry of a VXLAN tunnel | Type 2

System view | Aging time of dynamic MAC address entries | Type 2

System view | Static ARP entries: ● Short static ARP entries ● Long static ARP entries: – If outbound interfaces are specified in static ARP entries, only the static ARP entries in which the outbound interfaces are M-LAG member interfaces are checked. – If the VLANs to which static ARP entries belong are specified, the VLAN IDs are compared. – If outbound interfaces and the VLANs to which static ARP entries belong are specified, the static ARP entries in which the outbound interfaces are M-LAG member interfaces and the VLAN IDs are compared. – Static ARP entry of an IPv4 VXLAN tunnel. NOTE: The switch cannot check short static ARP entries of a specified VPN instance. If the outbound interface of a long static ARP entry is an M-LAG member interface and is bound to a VPN instance or the VLANIF interface corresponding to the VLAN to which the outbound interface belongs is bound to a VPN instance, the switch cannot check the static ARP entry. | Type 2

System view | Aging time of dynamic ARP entries | Type 2

System view | Bridge Domain (BD) configuration: ● BD ID ● VNI associated with the BD | Type 2

System view | VBDIF interface configuration: ● BD ID ● IPv4 address ● IPv6 address ● VRRP4 group ● MAC address ● Status | Type 2
NOTE
The device only checks the
virtual MAC address by
default.
For the IPv6 address and
VRRP4 configuration, the
consistency check only
take effect when the
VBDIF interface is up. If the
VBDIF interface is down,
the preceding
configurations do not take
effect on the interface.

Issue 09 (2021-06-03) Copyright © Huawei Technologies Co., Ltd. 190


CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Configuration Guide - Ethernet Switching 4 M-LAG Configuration

View Configuration Type

VLANIF interface
configuration
● VLAN ID
● IPv4 address
● IPv6 address
● VRRP4 group
● VRRP6 group
● MAC address
● Status
NOTE
The device only checks the
virtual MAC address by
default.
For the IPv6 address and
VRRP4 configuration, the
consistency check only
take effect when the
VLANIF interface is up. If
the VLANIF interface is
down, the preceding
configurations do not take
effect on the interface.

M-LAG member STP priority


interface view
VLAN ID

Parameters

Number of member
interfaces of the Eth-
Trunk to which an M-
LAG member interface
belongs
NOTE
Only the numbers of
member interfaces of Eth-
Trunks are compared. The
physical Up/Down status
or bandwidth of member
interfaces is not checked.
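The Type 1/Type 2 classification and the strict/loose outcomes described above, sketched as an offline pre-change audit of two configuration snapshots. This is an added example, not Huawei code: the snapshot keys, the classify function and the sample values are assumptions constructed for illustration, only a subset of the Table 4-3 items is modelled, and member interfaces are assumed to carry the same name on both devices.

```python
# Added example (not Huawei code). Key names and sample values are constructed.

# Subset of Table 4-3: illustrative item name -> configuration type.
ITEM_TYPE = {
    "stp_enabled": 1, "stp_mode": 1, "bpdu_protection": 1, "vlan_msti_map": 1,
    "member_root_protection": 1, "lacp_mode": 1,
    "vlans": 2, "mac_aging_time": 2, "static_mac": 2, "eth_trunk_members": 2,
}


def normalise(item, value, snapshot):
    """Reduce a raw value to what Table 4-3 says is actually compared."""
    if value is None:
        return None
    if item == "static_mac":
        # Only entries on M-LAG member interfaces or VXLAN tunnels are checked.
        members = set(snapshot["mlag_member_interfaces"])
        return frozenset(
            (e["mac"], e["vlan"], e["interface"])
            for e in value
            if e["interface"] in members or e.get("vxlan_tunnel", False)
        )
    if item == "eth_trunk_members":
        # Only the number of Eth-Trunk member interfaces is compared, not
        # their physical Up/Down status or bandwidth.
        return len(value)
    if isinstance(value, dict):
        return frozenset(value.items())
    if isinstance(value, (list, set)):
        return frozenset(value)
    return value


def classify(master, backup, mode="strict"):
    """Compare two snapshots and report the outcome the guide describes."""
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    mismatches = {1: [], 2: []}
    for item, kind in ITEM_TYPE.items():
        left = normalise(item, master.get(item), master)
        right = normalise(item, backup.get(item), backup)
        if left != right:
            mismatches[kind].append(item)

    alarms = set()
    error_down = False
    if mismatches[1]:
        if mode == "strict":
            # Strict mode: member interfaces on the backup device go Error-Down.
            error_down = True
            alarms.add("key configuration inconsistency")
        else:
            alarms.add("key and common configuration inconsistency")
    if mismatches[2]:
        # Type 2 mismatches raise this alarm regardless of the mode.
        alarms.add("key and common configuration inconsistency")
    return {
        "type1": mismatches[1],
        "type2": mismatches[2],
        "backup_member_interfaces_error_down": error_down,
        "alarms": sorted(alarms),
    }


# Constructed snapshots of the two M-LAG devices.
MASTER = {
    "mlag_member_interfaces": ["Eth-Trunk10"],
    "stp_enabled": True, "stp_mode": "rstp", "bpdu_protection": True,
    "vlan_msti_map": {10: 1, 20: 2},
    "member_root_protection": False, "lacp_mode": "static",
    "vlans": [10, 20], "mac_aging_time": 300,
    "static_mac": [
        {"mac": "00e0-fc00-0001", "vlan": 10, "interface": "Eth-Trunk10"},
    ],
    "eth_trunk_members": [{"name": "10GE1/0/1", "up": True},
                          {"name": "10GE1/0/2", "up": False}],
}
BACKUP = dict(
    MASTER,
    bpdu_protection=False,                       # Type 1 mismatch
    mac_aging_time=600,                          # Type 2 mismatch
    static_mac=MASTER["static_mac"] + [          # ignored: not a member interface
        {"mac": "00e0-fc00-0002", "vlan": 20, "interface": "10GE1/0/5"},
    ],
    eth_trunk_members=[{"name": "10GE1/0/1", "up": True},   # same count, so
                       {"name": "10GE1/0/2", "up": True}],  # no mismatch
)

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, classify(MASTER, BACKUP, mode))
```

Running the audit in both modes before a change shows whether a drifted Type 1 item would only raise an alarm (loose) or also take the backup device's member interfaces down (strict).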

4.2.5 Traffic Forwarding When an M-LAG Works Properly


An M-LAG dual-active system starts to work after it is established successfully. The
M-LAG master and backup devices load balance traffic and their forwarding
behaviors are the same. The following describes how an M-LAG forwards traffic
when it works properly.


Unicast Traffic Forwarding


Unicast traffic forwarding includes Layer 2 known unicast traffic forwarding and
Layer 3 unicast traffic forwarding.

In Figure 4-6, an access device is dual-homed to an M-LAG dual-active system
and known unicast traffic is forwarded as follows:

For north-south unicast traffic from the M-LAG access side, M-LAG member
devices forward the traffic together after receiving it from the access device
through aggregated links in load balancing mode. M-LAG master and backup
devices forward received north-south unicast traffic to the network side based on
the routing table.

For east-west unicast traffic, when the M-LAG dual-active system is set up and
there is no single-homing interface, Layer 2 traffic is preferentially forwarded
through the local M-LAG device, and Layer 3 traffic is forwarded through dual-
active gateways. Layer 2 and Layer 3 east-west unicast traffic is not forwarded
through the peer-link and is directly forwarded to corresponding member
interfaces by M-LAG master and backup devices.

Figure 4-6 Known unicast traffic forwarding through an M-LAG
[Figure: labels Network, DAD link, Peer-link; legend: north-south unicast
traffic from an M-LAG member interface, north-south unicast traffic from a
non-M-LAG member interface, east-west unicast traffic]


Multicast Traffic Forwarding


● M-LAG Connecting to a Layer 2 Network
If an M-LAG is connected to an upstream Layer 2 network, traffic from the
Layer 2 network to the M-LAG can only be sent to one device in the M-LAG;
otherwise, a loop may occur. In Figure 4-7, assume that the M-LAG uplink
interface on the right M-LAG member device is blocked by STP.
When ServerB functions as a multicast source and ServerA functions as a
multicast group member, both M-LAG master and backup devices can forward
multicast traffic. When receiving traffic from the network side, the receiving
device directly forwards the traffic to the local M-LAG member interface. If
the local M-LAG member interface fails, multicast traffic is forwarded through
the peer-link to the M-LAG member interface on the other M-LAG device for
transmission, as shown in Figure 4-8.
When ServerA functions as a multicast source and ServerB functions as a
multicast group member, traffic from the multicast source is load balanced to
M-LAG master and backup devices. Because the uplink interface on the right
M-LAG device is blocked, the outbound interface of multicast traffic is the
peer-link interface.

Figure 4-7 Multicast traffic forwarding when an M-LAG is connected to a
Layer 2 network
[Figure: two panels, one with ServerB as multicast source and ServerA as
receiver, one with ServerA as multicast source and ServerB as receiver; labels
Ethernet Network, DAD link, Peer-link; legend: multicast traffic forwarding
from a network-side multicast source, multicast traffic forwarding from an
access-side multicast source, blocked interface]


Figure 4-8 Multicast traffic forwarding when an M-LAG is connected to a
Layer 2 network and an M-LAG member interface fails
[Figure: two panels, each with ServerB as multicast source and ServerA as
receiver; labels Ethernet Network, DAD link, Peer-link, Downlink failure;
legend: multicast traffic forwarding from a network-side multicast source,
multicast traffic forwarding when the local member interface fails, blocked
interface]

● M-LAG Connecting to a Layer 3 Network
If an M-LAG is connected to an upstream Layer 3 network, M-LAG member
devices need to support Layer 2 and Layer 3 multicast. In Figure 4-9, an
access device is dual-homed to an M-LAG dual-active system and multicast
traffic is forwarded as follows:
When ServerB functions as a multicast source and ServerA functions as a
multicast group member, both M-LAG master and backup devices divert
traffic from the multicast source, query the local multicast forwarding table,
and load balance the traffic to the multicast group member based on the
following rules:
– If the last digit of the multicast group address is an odd number (for
example, 225.1.1.1, FF1E::1, or FF1E::B), the M-LAG device where the
master M-LAG member interface resides forwards the traffic to the
multicast group member.
– If the last digit of the multicast group address is an even number (for
example, 225.1.1.2, FF1E::2, or FF1E::A), the M-LAG device where the
backup M-LAG member interface resides forwards the traffic to the
multicast group member.


NOTE

In versions earlier than V200R003C00, only the M-LAG device where the master M-
LAG member interface resides forwards multicast traffic to the multicast group
member. In V200R003C00 and later versions, both devices where the master and
backup M-LAG member interfaces reside can forward multicast traffic to the multicast
group member to implement load balancing. If the two M-LAG devices run different
versions, the multicast traffic forwarding rule is subject to the device running the
earlier version.
In V200R003C00 and later versions, for the CE6870EI and CE6875EI, an M-LAG
consisting of standalone switches or stacks supports IPv6 Layer 3 multicast, and an M-
LAG consisting of other models does not support IPv6 Layer 3 multicast.
When ServerA functions as a multicast source and ServerB functions as a
multicast group member, traffic sent by the multicast source is load balanced
to M-LAG master and backup devices. After receiving the traffic, M-LAG
master and backup devices query the local multicast forwarding table and
forward the traffic.

Figure 4-9 Multicast traffic forwarding when an M-LAG is connected to a
Layer 3 network
[Figure: two panels, one with ServerB as multicast source and ServerA as
receiver, one with ServerA as multicast source and ServerB as receiver; labels
IP Network, DAD link, Peer-link, Master, Backup, Independent Layer 3 link;
legend: multicast traffic forwarding from a network-side multicast source,
multicast traffic forwarding from an access-side multicast source]

According to multicast traffic forwarding in the preceding figure, an
independent Layer 3 link needs to be configured between M-LAG devices
when the M-LAG forwards multicast traffic, which is different from unicast
traffic forwarding. The reason is that only one uplink exists at the network
side when a fault occurs, and the independent Layer 3 link deployed between
M-LAG master and backup devices can transmit multicast packets. In Figure
4-10, the network-side link is connected to the M-LAG backup device.
Multicast packets forwarded through a peer-link interface cannot be
forwarded to the specified M-LAG member interface because of unidirectional
isolation, and multicast packets in which the last digit of the multicast group
address is an odd number cannot be forwarded to the M-LAG device where
the master M-LAG member interface resides through the peer-link. Therefore,
the multicast packets can only be forwarded to the M-LAG device through the
independent Layer 3 link.

Figure 4-10 Multicast traffic forwarding when an M-LAG is single-homed to a
Layer 3 network
[Figure: labels S-2 (multicast source), IP Network, DAD link, Peer-link,
Master, Backup, S-1 (receiver), Link failure; legend: multicast traffic
forwarding from a network-side multicast source, independent Layer 3 link]

Broadcast Traffic Forwarding


● M-LAG Connecting to a Layer 2 Network
If an M-LAG is connected to an upstream Layer 2 network, traffic from the
Layer 2 network to the M-LAG can only be sent to one device in the M-LAG;
otherwise, a loop may occur. The following uses traffic forwarding on an M-
LAG master device as an example. In Figure 4-11, assume that the M-LAG
uplink interface on the right M-LAG member device is blocked by STP. After
receiving broadcast traffic, the M-LAG master device forwards the traffic to
each next hop. When the traffic reaches the M-LAG backup device, the traffic
is not forwarded to S-1 because of the unidirectional isolation mechanism
between peer-link interfaces and M-LAG member interfaces.


Figure 4-11 Broadcast traffic forwarding when an M-LAG is connected to a
Layer 2 network
[Figure: labels Ethernet Network, DAD link, Peer-link, Master, Backup, S-1,
S-2; legend: blocked interface, unidirectional isolation, access-side
broadcast traffic, network-side broadcast traffic]

● M-LAG Connecting to a Layer 3 Network


The following uses traffic forwarding on an M-LAG backup device as an
example. In Figure 4-12, the M-LAG backup device forwards received
broadcast traffic to each next hop. When the traffic reaches the M-LAG
master device, the traffic is not forwarded to S-1 because of the unidirectional
isolation mechanism between peer-link interfaces and M-LAG member
interfaces.


Figure 4-12 Broadcast traffic forwarding when an M-LAG is connected to a
Layer 3 network
[Figure: labels IP Network, DAD link, Peer-link, Master, Backup, S-1, S-2;
legend: unidirectional isolation, broadcast traffic sent by S-1, broadcast
traffic sent by S-2]

4.2.6 Traffic Forwarding in M-LAG Failure Scenarios


M-LAG technology improves link reliability from card-level to device-level. If a
fault (link, device, or peer-link fault) occurs, M-LAG ensures that normal services
are not affected. The following describes how M-LAG ensures proper service
running when a fault occurs.


Uplink Failure

Figure 4-13 Uplink failure
[Figure: two panels; labels Network, Uplink failure, DAD link, Peer-link,
Master, Backup, S-1]

DAD packets are generally transmitted through the DAD link between
management interfaces. Therefore, DAD between M-LAG master and backup
devices is not affected when an uplink fails. The dual-active system is not affected,
and M-LAG master and backup devices still properly forward traffic. In Figure
4-13, traffic passing the M-LAG master device is forwarded through the peer-link
because the uplink of the M-LAG master device fails.
If the DAD link is on a service network and the faulty uplink is the DAD link, the
M-LAG works properly without being affected. If the peer-link also fails, DAD
cannot be performed and packet loss occurs.


Downlink Failure

Figure 4-14 Downlink failure
[Figure: two panels; labels Network, Downlink failure, DAD link, Peer-link,
Master, Backup, S-1]

If a downlink M-LAG member interface fails, the DFS group master and backup
states do not change. However, if the faulty M-LAG member interface is in master
state, the backup M-LAG member interface changes to master state, and traffic is
switched to the corresponding link for transmission. The link of the faulty M-LAG
member interface goes Down, and the dual-homing networking changes to
single-homing networking. The MAC address of the faulty M-LAG member
interface is changed to that of the peer-link interface in corresponding entries.
After the faulty M-LAG member interface recovers, the status of M-LAG member
interfaces is not changed. The backup M-LAG member interface that changes to
the master M-LAG member interface remains in master state, and the original
master M-LAG member interface is in backup state after the fault is rectified. You
can run the display dfs-group dfs-group-id node node-id m-lag command to
view the status of an M-LAG member interface.
Assume that a multicast source is at the network side and a multicast group
member is at the access side. If the M-LAG member interface on the M-LAG
master device fails, the device instructs the remote device to update multicast
entries through M-LAG synchronization packets. M-LAG master and backup
devices do not load balance traffic depending on whether the last digit of the
multicast group address is an odd or even number, and all multicast traffic is
forwarded by the M-LAG backup device on which the M-LAG member interface is
Up. If the M-LAG member interface on the M-LAG backup device fails, multicast
traffic is forwarded similarly.
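The odd/even forwarding rule for an M-LAG connected to a Layer 3 network, the version rule from its NOTE, and the downlink-failure behavior described above, combined in one small model for a network-side source and an access-side receiver. This is an added example, not Huawei code: the MlagPair and MemberInterface classes, the device names A and B and the sample versions are constructed, and keeping the roles unchanged when the peer interface is also down is an assumption the guide does not cover.

```python
import ipaddress
import re
from dataclasses import dataclass

# Load balancing by group-address parity applies from this version onwards.
LOAD_BALANCE_SINCE = (200, 3, 0)  # V200R003C00


def parse_version(text):
    """'V200R005C10' -> (200, 5, 10) so that versions compare as tuples."""
    match = re.fullmatch(r"V(\d+)R(\d+)C(\d+)", text)
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def last_digit_is_odd(group):
    """Parity of the last digit of an IPv4 or IPv6 multicast group address."""
    addr = ipaddress.ip_address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a multicast group address")
    # The last decimal digit (IPv4) or hex digit (IPv6) is odd exactly when
    # the lowest bit of the address is set.
    return bool(int(addr) & 1)


@dataclass
class MemberInterface:
    device: str       # constructed device name
    version: str      # software version of that device
    role: str         # "master" or "backup" state of the M-LAG member interface
    up: bool = True


class MlagPair:
    def __init__(self, first, second):
        if {first.role, second.role} != {"master", "backup"}:
            raise ValueError("one interface must be master, the other backup")
        self.members = {first.device: first, second.device: second}

    def _peer(self, device):
        return next(m for name, m in self.members.items() if name != device)

    def fail_member_interface(self, device):
        failed, peer = self.members[device], self._peer(device)
        failed.up = False
        # A faulty master-state interface hands the master state to its peer.
        if failed.role == "master" and peer.up:
            failed.role, peer.role = "backup", "master"

    def recover_member_interface(self, device):
        # Recovery does not switch the member-interface states back.
        self.members[device].up = True

    def forwarder(self, group):
        """Device that forwards this group to the access-side receiver."""
        odd = last_digit_is_odd(group)
        up = [m for m in self.members.values() if m.up]
        if len(up) < 2:
            # Single-homed after a failure: no parity-based load balancing.
            return up[0].device if up else None
        by_role = {m.role: m.device for m in up}
        # With mixed versions the earlier version decides the rule.
        oldest = min(parse_version(m.version) for m in up)
        if oldest < LOAD_BALANCE_SINCE or odd:
            return by_role["master"]
        return by_role["backup"]


if __name__ == "__main__":
    pair = MlagPair(MemberInterface("A", "V200R005C10", "master"),
                    MemberInterface("B", "V200R005C10", "backup"))
    for g in ("225.1.1.1", "225.1.1.2", "FF1E::B", "FF1E::A"):
        print(g, "->", pair.forwarder(g))
    pair.fail_member_interface("A")
    print("after A's member interface fails:", pair.forwarder("225.1.1.1"))
    pair.recover_member_interface("A")
    print("after recovery:", pair.forwarder("225.1.1.1"))
```

Because recovery does not switch the states back, the device that forwards odd-numbered groups after a failure and recovery differs from the one before it, which matters when tracing a multicast flow during incident review.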


M-LAG Master Device Failure

Figure 4-15 M-LAG master device failure
[Figure: two panels; labels Network, M-LAG master device failure, DAD link,
Peer-link, Master, Backup, S-1]

If the M-LAG master device fails, the M-LAG backup device becomes the master
device and continues to forward traffic, and its Eth-Trunk link is still in Up state.
The Eth-Trunk link of the M-LAG master device goes Down, and the dual-homing
networking changes to single-homing networking.
If the M-LAG backup device fails, the M-LAG master and backup status remains
unchanged, and the Eth-Trunk link of the M-LAG backup device goes Down. The
Eth-Trunk link of the M-LAG master device is still in Up state and continues to
forward traffic. The dual-homing networking changes to single-homing
networking.
When a faulty M-LAG member device recovers, the peer-link goes Up first, and the
two M-LAG member devices renegotiate their master and backup roles. After the
negotiation succeeds, the M-LAG member interface on the faulty M-LAG member
device goes Up and traffic is load balanced. Both the M-LAG master and backup
devices retain their original roles after recovering from a fault.


Peer-Link Failure

Figure 4-16 Peer-link failure
[Figure: two panels; labels Network, Peer-link failure, DAD link, Peer-link,
Master, Backup, S-1; legend: faulty link, Error-Down interface]

If the peer-link fails but the DAD heartbeat status is normal when M-LAG is used
for dual-homing access on a common Ethernet, VXLAN, or IP network, interfaces
excluding the logical interface, management interface, peer-link interface, and
stack interface on the M-LAG backup device enter the Error-Down state by
default. If the peer-link fails but the DAD heartbeat status is normal when M-LAG
is used for dual-homing access on a TRILL network, the M-LAG member interface
on the M-LAG backup device enters the Error-Down state.
When the faulty peer-link recovers, the M-LAG member interface in the Error-
Down state automatically restores to the Up state after 240s by default, and the
other interfaces in the Error-Down state automatically restore to the Up state
immediately.
You can run the dual-active detection error-down mode routing-switch
command to configure logical interfaces to enter the Error-Down state when the
peer-link fails but the DAD heartbeat status is normal in an M-LAG scenario. If the
peer-link fails but the DAD heartbeat status is normal when M-LAG is used for
dual-homing access on a VXLAN or IP network, the VLANIF interface, VBDIF
interface, loopback interface, and M-LAG member interface on the M-LAG backup
device enter the Error-Down state.


NOTE

After logical interfaces are configured to change to Error-Down state when the peer-link
fails but the DAD heartbeat status is normal in an M-LAG, if a faulty peer-link interface in
the M-LAG recovers, the devices restore VLANIF interfaces, VBDIF interfaces, and loopback
interfaces to Up state 6 seconds after DFS group pairing succeeds to ensure that ARP entry
synchronization on a large number of VLANIF interfaces is normal. If a delay after which
the Layer 3 protocol status of the interface changes to Up is configured, the delay after
which VLANIF interfaces, VBDIF interfaces, and loopback interfaces go Up is the configured
delay plus 6 seconds.

You can run the m-lag unpaired-port suspend and m-lag unpaired-port
reserved commands to flexibly configure whether an interface enters the Error-
Down state when the peer-link fails but the DAD heartbeat status is normal in an
M-LAG scenario. Table 4-4 describes the interfaces in the Error-Down state when
the peer-link fails, the DAD heartbeat status is normal, and the following functions
are configured.

Table 4-4 Interfaces in the Error-Down state when the peer-link fails but the DAD
heartbeat status is normal

| Device Configuration | M-LAG Access to a Common Ethernet, VXLAN, or IP Network |
|---|---|
| Default scenario | Interfaces excluding the logical interface, management interface, peer-link interface, and stack interface are in the Error-Down state. |
| Suspend function enabled only | Only the M-LAG member interface and the interface configured with this function are in the Error-Down state. |
| Reserved function enabled only | Interfaces excluding the interface configured with this function, logical interface, management interface, peer-link interface, and stack interface are in the Error-Down state. |
| Suspend and reserved functions configured | Only the M-LAG member interface and the interface configured with the suspend function are in the Error-Down state. |
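The four rows of Table 4-4, together with the default restore delays given earlier in this section, applied to an interface inventory to predict which ports on the M-LAG backup device go Error-Down when the peer-link fails but the DAD heartbeat is normal. This is an added example, not Huawei code: the Interface class, the kind labels and the interface names are constructed, and TRILL access and the routing-switch Error-Down mode are not modelled.

```python
from dataclasses import dataclass, replace

# Interface kinds that Table 4-4 exempts in the default and reserved-only rows.
EXEMPT_KINDS = {"logical", "management", "peer-link", "stack"}
MEMBER_RESTORE_DELAY_S = 240  # default delay for M-LAG member interfaces


@dataclass(frozen=True)
class Interface:
    name: str
    kind: str                # "physical", "mlag-member" or one of EXEMPT_KINDS
    suspend: bool = False    # m-lag unpaired-port suspend configured
    reserved: bool = False   # m-lag unpaired-port reserved configured


def error_down_on_backup(interfaces):
    """Names of backup-device interfaces that enter Error-Down (Table 4-4)."""
    members = {i.name for i in interfaces if i.kind == "mlag-member"}
    if any(i.suspend for i in interfaces):
        # Suspend only, or suspend and reserved: only the M-LAG member
        # interfaces and the interfaces configured with suspend.
        return members | {i.name for i in interfaces if i.suspend}
    # Default or reserved only: everything except the exempt kinds and any
    # interface configured with reserved.
    return {i.name for i in interfaces
            if i.kind not in EXEMPT_KINDS and not i.reserved}


def restore_delays(interfaces):
    """Seconds until each Error-Down interface returns to Up after the
    peer-link recovers (defaults: 240 s for M-LAG members, 0 for others)."""
    down = error_down_on_backup(interfaces)
    return {i.name: MEMBER_RESTORE_DELAY_S if i.kind == "mlag-member" else 0
            for i in interfaces if i.name in down}


def with_flags(interfaces, suspend=(), reserved=()):
    """Copy of the inventory with suspend/reserved set on the named ports."""
    return [replace(i, suspend=i.name in suspend, reserved=i.name in reserved)
            for i in interfaces]


# Constructed inventory of an M-LAG backup device.
INVENTORY = [
    Interface("Eth-Trunk10", "mlag-member"),
    Interface("Eth-Trunk1", "peer-link"),
    Interface("MEth0/0/0", "management"),
    Interface("Vlanif100", "logical"),
    Interface("Stack-Port1/1", "stack"),
    Interface("10GE1/0/1", "physical"),   # uplink
    Interface("10GE1/0/2", "physical"),   # single-homed server
    Interface("10GE1/0/3", "physical"),   # second uplink
]

if __name__ == "__main__":
    scenarios = {
        "default": INVENTORY,
        "suspend only": with_flags(INVENTORY, suspend={"10GE1/0/2"}),
        "reserved only": with_flags(INVENTORY, reserved={"10GE1/0/1"}),
        "suspend and reserved": with_flags(
            INVENTORY, suspend={"10GE1/0/2"}, reserved={"10GE1/0/1"}),
    }
    for label, inventory in scenarios.items():
        print(f"{label}: {sorted(error_down_on_backup(inventory))}")
```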


M-LAG Secondary Faults (Peer-Link and M-LAG Faults)

Figure 4-17 Networking when enhanced DAD for secondary faults is enabled
[Figure: four numbered panels (1 to 4); labels Network, DAD link, Peer-link,
Master, Backup, S-1, Peer-link failure, M-LAG master device failure, Enhanced
DAD for secondary faults; legend: faulty link, interface in Error-Down state]

As shown in scenario 2 in Figure 4-17, if the peer-link fails but the DAD heartbeat
status is normal when M-LAG is used for dual-homing access, some interfaces on
the DFS backup device enter the Error-Down state. In this case, the DFS master
device continues to work. If the DFS master device cannot work because it is
powered off or it restarts due to a fault, both the DFS master and backup devices
cannot forward traffic, as shown in scenario 3 in Figure 4-17.


In this scenario, enhanced DAD for secondary faults ensures nonstop forwarding
when secondary faults occur, meeting reliability requirements. Figure 4-17
shows the different fault phases and the behaviors they trigger.
1. Peer-link failure: If the peer-link fails but the DAD heartbeat status is normal,
some interfaces (for details, see Peer-Link Failure) on the DFS backup device
are triggered to enter the Error-Down state. The DFS master device continues
to work.
2. DFS master device failure: If the peer-link fails and the DFS master device
cannot work because it is powered off or it restarts because of a fault, the M-
LAG master and backup devices cannot forward traffic and services are
interrupted.
3. Enhanced DAD for secondary faults enabled: If enhanced DAD for secondary
faults is enabled, the DFS backup device can detect that the DFS master
device fails through the DAD mechanism (because it does not receive any
heartbeat packets from the master device within a certain period). The
backup device then becomes the DFS master device, restores the interfaces in
Error-Down state to the Up state, and forwards traffic.
4. Secondary fault rectification scenario: Faults on the original DFS master
device are rectified and the peer-link failure persists.
– If the LACP M-LAG system ID is switched to the LACP system ID of the
local device within a certain period, the access device selects only one of
the uplinks as the active link during LACP negotiation. The actual traffic
forwarding is normal.
– If the default LACP M-LAG system ID is used, that is, it is not switched,
two M-LAG devices use the same system ID to negotiate with the access
device. Therefore, links to both devices can be selected as the active link.
In this scenario, because the peer-link failure persists, M-LAG devices
cannot synchronize information such as the priority and system MAC
address of each other. As a result, two M-LAG master devices exist, and
multicast traffic forwarding may be abnormal. In this case, as shown in
Figure 4-18, the HB DFS master/backup status is negotiated through
heartbeat packets carrying necessary information for DFS group master/
backup negotiation (such as the DFS group priority and system MAC
address). Some interfaces (for details, see Peer-Link Failure) on the HB
DFS backup device are triggered to enter the Error-Down state. The HB
DFS master device continues to work.
NOTE

If secondary faults occur on the DFS backup device after the peer-link fails, traffic
forwarding is not affected. The DFS master device continues to forward traffic.


Figure 4-18 Networking when secondary faults are rectified
[Figure: two numbered panels (4 and 5); labels Network, DAD link, Peer-link,
S-1, "Faulty device recovers & peer-link fault persists", DFS master/backup
and HB DFS master/backup roles; legend: faulty link, DAD packets, interface in
Error-Down state]

4.3 Application Scenarios for M-LAG


M-LAG mainly applies to scenarios where a server or switch is dual-homed to an
Ethernet, Transparent Interconnection of Lots of Links (TRILL), Virtual eXtensible
Local Area Network (VXLAN), or IP network. It provides load balancing and
backup. M-LAG falls into single-level M-LAG and multi-level M-LAG.

Single-level M-LAG
● Connecting a switch in dual-homing mode
As shown in Figure 4-19, to ensure reliability, a switch is connected to a
network to implement link redundancy. MSTP can be deployed to implement
redundancy, but the link use efficiency is low and many bandwidth resources
are wasted. To implement redundancy and improve the link use efficiency,
deploy M-LAG between SwitchA and SwitchB so that the switch can be dual-
homed to SwitchA and SwitchB. SwitchA and SwitchB load balance traffic.
When one device fails, traffic can be rapidly switched to the other device to
ensure nonstop service transmission.


Figure 4-19 Connecting a switch in dual-homing mode
[Figure: labels Ethernet/IP/TRILL/VXLAN Network, peer-link, Switch A,
Switch B, M-LAG, Switch, Server 1, Server 2]

● Connecting a server in dual-homing mode


As shown in Figure 4-20, to ensure reliability, a server is often connected to a
network through link aggregation. If the device connected to the server fails,
services are interrupted. To prevent this problem, a server can connect to a
network through M-LAG. That is, deploy M-LAG between SwitchA and
SwitchB and connect the server to SwitchA and SwitchB. SwitchA and SwitchB
load balance traffic. When one device fails, traffic can be rapidly switched to
the other device to ensure nonstop service transmission.
NOTE

The configuration of dual homing a server is the same as common link aggregation
configuration. Ensure that the server and switches use the same link aggregation mode.
The LACP mode at both ends is recommended.


Figure 4-20 Connecting a server in dual-homing mode
[Figure: labels Ethernet/IP/TRILL/VXLAN Network, peer-link, Switch A,
Switch B, M-LAG, Server]

Multi-level M-LAG
As shown in Figure 4-21, after M-LAG is deployed between SwitchA and SwitchB,
M-LAG is deployed between SwitchC and SwitchD. The two M-LAGs are
connected. This deployment simplifies networking and allows more servers to be
connected to the network in dual-homing mode. Before deploying multi-level M-
LAG, configure Virtual Spanning Tree Protocol (V-STP).

Figure 4-21 Networking of multi-level M-LAG
[Figure: labels Network, Peer-link, SwitchC, SwitchD, SwitchA, SwitchB,
Server]


4.4 Summary of M-LAG Configuration Tasks


You can perform the following M-LAG configurations according to the actual
networking.

Table 4-5 M-LAG configuration tasks

Mode: Root bridge
Description: When the root bridge mode is used to configure M-LAG, the M-LAG
master and backup devices must be used as root bridges and configured with the
same bridge ID on the STP network so that the two devices are simulated into
one root bridge. The M-LAG master and backup devices are not affected by the
network topology change on the Layer 2 network.
Task:
1. 4.6.1 Configuring the Root Bridge and Bridge ID
2. 4.6.2 Configuring a DFS Group
3. 4.6.3 Configuring M-LAG Consistency Check
4. 4.6.4 Configuring an Interface as a Peer-link Interface
5. 4.6.5 Configuring an M-LAG Member Interface
6. 4.6.6 (Optional) Configuring the Dual-Active Gateway
7. 4.6.7 (Optional) Configuring the Interface Status When the Peer-Link Fails
8. 4.6.8 (Optional) Enabling Enhanced M-LAG Layer 3 Forwarding in an IPv6
   Scenario
Configuration Notes:
● Configure the M-LAG master and backup devices as root bridges and configure
  the same bridge ID for them.
● STP must be disabled on the peer-link interface.

Mode: V-STP (recommended)
Description: V-STP virtualizes the M-LAG master and backup devices enabled
with STP into one device to perform STP calculation.
Task:
1. 4.7.1 Configuring V-STP
2. 4.7.2 Configuring a DFS Group
3. 4.7.4 Configuring M-LAG Consistency Check
4. 4.7.5 Configuring an Interface as a Peer-link Interface
5. 4.7.6 Configuring an M-LAG Member Interface
6. 4.7.7 (Optional) Configuring the Dual-Active Gateway
7. 4.7.8 (Optional) Configuring the Interface Status When the Peer-Link Fails
8. 4.7.9 (Optional) Enabling Enhanced M-LAG Layer 3 Forwarding in an IPv6
   Scenario
Configuration Notes: You must enable STP on the peer-link interface and
configure global V-STP.

NOTE

● When the root bridge mode is used, two devices that constitute an M-LAG must function as
root bridges on a Layer 2 network and do not support M-LAG cascading in the root bridge
mode.
● When the V-STP mode is used, two devices that constitute an M-LAG can choose not to
function as root bridges on a Layer 2 network. The networking is flexible and the two
devices support M-LAG cascading. V-STP is recommended because it can eliminate loops
caused by incorrect M-LAG configurations or connections.

4.5 Licensing Requirements and Limitations for M-LAG


Involved Network Elements
Other network elements are not required.

License Requirements
M-LAG is a basic function of the switch, and as such is controlled by the license
for basic software functions. The license for basic software functions has been
loaded and activated before delivery. You do not need to manually activate it.

Version Requirements

Table 4-6 Products and minimum version supporting M-LAG


Product Minimum Version Required

CE8868EI V200R005C10

CE8861EI V200R005C10

CE8860EI V100R006C00

CE8850-32CQ-EI V200R002C50

CE8850-64CQ-EI V200R005C00

CE7850EI V100R005C10

CE7855EI V200R001C00

CE6810EI V100R005C10

CE6810LI V100R005C10

CE6850EI V100R005C10

CE6850HI/CE6850U-HI/CE6851HI V100R005C10

CE6855HI V200R001C00

CE6856HI V200R002C50

CE6857EI V200R005C10

CE6860EI V200R002C50

CE6865EI V200R005C00

CE6870-24S6CQ-EI/CE6870-48S6CQ-EI V200R001C00

CE6870-48T6CQ-EI V200R002C50

CE6875EI V200R003C00

CE6880EI V200R005C00

CE5880EI V200R005C10

CE5810EI V100R005C10

CE5850EI V100R005C10

CE5850HI V100R005C10

CE5855EI V100R005C10

NOTE

For details about the mapping between software versions and switch models, see the
Hardware Query Tool.

Feature Dependencies and Limitations


Limitations on M-LAG Establishment

● During M-LAG setup, you must use optical modules or copper transceiver
modules that are certified for Huawei data center switches. If high-speed
cables or active optical cables (AOCs) are used, you must purchase cables
from Huawei. Optical or copper transceiver modules that are not certified for
Huawei Ethernet switches, and cables not purchased from Huawei cannot
ensure transmission reliability and may affect service stability. Huawei is not
liable for any problem caused by the use of optical or copper modules that
are not certified for Huawei data center switches, or cables not purchased
from Huawei, and will not fix such problems.
● The two devices that constitute an M-LAG must use the same model. If one
end is an SVF, the other end must be an SVF. If one end is a CloudEngine
8800, 7800, 6800, or 5800 series switch, the other end must also be a
CloudEngine 8800, 7800, 6800, or 5800 series switch. It is recommended
that devices at both ends use the same model and version.

Limitations on Configuring the Root Bridge and V-STP

● The two devices that constitute an M-LAG need to be configured with the
root bridge and bridge ID or V-STP. They are virtualized into one device for
STP calculation to prevent loops.
● When the root bridge mode is used to configure M-LAG, the two devices that
constitute an M-LAG must use the same bridge ID and the highest root
priority so that the devices function as the root nodes.
● When the switch used as the root bridge is configured with M-LAG, the switch
does not support STP multi-process. When the switch is configured with both
V-STP and M-LAG, the switch does not support the MSTP mode or STP multi-
process in versions earlier than V200R002C50; the switch does not support the
MSTP mode but supports the STP multi-process in V200R002C50 and later
versions.
● In V-STP scenarios, configure M-LAG and connect cables according to the
following sequence:
a. Configure V-STP.
b. Configure a DFS group and peer-link interfaces.
c. Use a cable to connect peer-link interfaces of M-LAG master and backup
devices.
d. Configure M-LAG member interfaces and use cables to connect M-LAG
master and backup devices and the user-side host or switching device.

Limitations on Configuring M-LAG Consistency Check

● To ensure that traffic is forwarded normally, the configurations of M-LAG
interfaces with the same M-LAG ID on the master and backup devices must
be consistent.
● If the M-LAG consistency check mode is set to strict mode and the system
detects that type 1 configurations of the two M-LAG devices are inconsistent,
contact the device administrator to adjust the configurations immediately, and
do not restart the devices. If type 1 configurations are inconsistent, member
interfaces on the M-LAG backup device enter the Error-Down state and the
alarm about type 1 configuration inconsistency is generated.
If the administrator does not adjust the configurations and restarts the M-
LAG master device, interfaces on the M-LAG backup device may enter the
Error-Down state because of type 1 configuration inconsistency during re-
negotiation between M-LAG devices when the master device is recovering. In
this case, M-LAG member interfaces on the M-LAG master device go Up after
a delay. As a result, both the M-LAG master and backup devices fail to
forward traffic, and services are interrupted.
If M-LAG configuration consistency check is disabled and type 1 and type 2
configurations of M-LAG master and backup devices are inconsistent, traffic
forwarding may be abnormal. You are advised to manually adjust
configurations of M-LAG master and backup devices to ensure that they have
consistent type 1 and type 2 configurations, and enable M-LAG configuration
consistency check.
● If the system software of M-LAG member switches is upgraded from a version
earlier than V200R003C00 to V200R019C10 or a later version, the M-LAG
configuration consistency check fails during the upgrade. If the system
software of M-LAG member switches is upgraded from a version between
V200R003C00 and V200R005C10 to V200R019C10 or a later version, the M-
LAG configuration consistency check is not supported during the upgrade.
After the upgrade is complete, the M-LAG configuration consistency check is
performed.

Limitations on Configuring Dual-Active Gateways

● When the two devices that constitute an M-LAG function as gateways and
servers are single-homed or dual-homed to the two devices, pay attention to
the following points:
– (Recommended) Select the access mode in which the same IP and MAC
addresses are configured for VLANIF and VBDIF interfaces. This mode is
supported in V100R006C00 and later versions. In V200R002C50 and
earlier versions, if the same IP and MAC addresses are configured on two
VLANIF or VBDIF interfaces, the IP and MAC address conflict alarm
hwEthernetARPMACIPConflict is generated. It is normal that this alarm is
generated in this scenario. You can ignore this alarm. To mask this alarm,
run the undo snmp-agent trap enable feature-name arp trap-name
hwethernetarpmacipconflict command to disable the alarm function
for this conflict. After the alarm function for this conflict is disabled, you
cannot detect loops on the network through alarms, and user services
may be interrupted. Exercise caution when performing this operation. In
V200R003C00SPC810 and later versions, if the same IP and MAC
addresses are configured on two VLANIF and VBDIF interfaces, the
conflict alarm is not generated.
– In a data center, if M-LAG dual-active gateways need to be deployed, you
are advised to deploy them by configuring IP addresses and virtual MAC
addresses of VLANIF/VBDIF interfaces, not by configuring VRRP.

– When the M-LAG dual-active gateway is configured in VRRP mode, the
gateway must be configured with the same MAC address. Otherwise, ARP
entries fail to be learned and traffic is continuously lost.
● In V200R002C50 and earlier versions, when devices are dual-homed to
gateways through M-LAG, the M-LAG master and backup devices are
configured with many Layer 2 sub-interfaces, and optical interfaces on the M-
LAG master and backup devices are connected to copper transceiver modules,
restarting the M-LAG master or backup device may cause packet loss for a
long time. In this case, you are advised to manually switch traffic to the other
M-LAG device and upgrade and restart the original M-LAG device.
● In an M-LAG single-homing scenario where enhanced M-LAG Layer 3
forwarding is enabled, if VLANIF or VBDIF interfaces on both M-LAG member
devices are configured with different IP addresses, no virtual MAC address can
be configured for the VLANIF or VBDIF interfaces.

Limitations on Configuring DAD

● When configuring an independent dual-active detection link, you are advised
to use main interfaces to establish the dual-active detection link. If a VLANIF
interface is used, ensure that the peer-link interface does not allow packets
from the VLAN to pass through. Otherwise, a loop or MAC address flapping
occurs.

Limitations on Configuring the Peer-Link

● When member interfaces of a peer-link are deployed on the same card, a
fault of the card causes a peer-link fault. To improve reliability, it is
recommended that member interfaces of the peer-link be deployed on
different cards.

Limitations in Fault Scenarios

● When M-LAG faults occur, the convergence performance of Layer 3 traffic
depends on the number of ARP entries learned on the switch and interface. If
there are many ARP entries, the convergence performance is low.
● To prevent STP flapping caused by device restart and peer-link faults and
ensure switching performance, you are advised to set the delay in reporting
the Up event to be at least 30s on the M-LAG interface, peer-link interface,
and other service interfaces. By default, the delay for an M-LAG interface to
report the Up state is 120s in V200R005C00 and earlier versions, and 240s in
V200R005C10 and later versions.
● After a switch restarts or a card resets, the physical status of an interface
changes to Up, but the upper-layer protocol modules do not meet forwarding
requirements, resulting in packet loss. To ensure switching performance, by
default, the delay for an M-LAG interface to report the Up state is 120s in
V200R005C00 and earlier versions, and 240s in V200R005C10 and later
versions. If a delay after which the Layer 3 protocol status changes to Up is
configured on a VLANIF interface, ensure that the delay for an M-LAG
member interface to report the Up event is longer than the delay configured
on the VLANIF interface. Otherwise, triggering of learning for ND entries that
fail to be synchronized depends on ND Miss messages.
● A static MAC address can be configured for an M-LAG member interface in
V200R002C50 and later versions. When the M-LAG member interface fails,
the MAC address of the faulty M-LAG member interface is changed to that of
a peer-link interface in corresponding entries.
● In V200R005C10 and earlier versions, if a static ARP entry with a specified M-
LAG member interface as the outbound interface is configured in an M-LAG
dual-homing scenario, the outbound interface of the ARP entry cannot be
changed to a peer-link interface when the M-LAG member interface fails. As a
result, traffic cannot be forwarded. Therefore, do not configure a static ARP
entry with a specified M-LAG member interface as the outbound interface in
an M-LAG dual-homing scenario.
● In V200R005C00 and earlier versions, if a static IPv6 neighbor entry with a
specified M-LAG member interface as the outbound interface is configured in
an M-LAG dual-homing scenario, the outbound interface of the entry cannot
be changed to a peer-link interface when the M-LAG member interface fails.
As a result, traffic cannot be forwarded. Therefore, do not configure a static
IPv6 neighbor entry with a specified M-LAG member interface as the
outbound interface in an M-LAG dual-homing scenario. In V200R005C10, you
can enable enhanced M-LAG Layer 3 forwarding on switches except the
CE6810LI, CE5880EI, and CE6880EI to apply for backup FRR resources for all
ND entries with M-LAG member interfaces as outbound interfaces. The
outbound interfaces can be changed to peer-link interfaces to establish active
and standby paths for traffic forwarding. However, FRR resources applied for
static IPv6 peer relationship entries are not released when the M-LAG
member interface goes Down and the corresponding VLANIF interface is still
Up. As a result, the corresponding system resources are not released.
● If an access device is dual-homed to M-LAG master and backup devices
through Layer 2 sub-interfaces and one Layer 2 sub-interface is Down, north-
south traffic cannot be forwarded through the peer-link because of the M-
LAG unidirectional isolation mechanism, resulting in packet loss. In the M-LAG
unidirectional isolation mechanism, if a device is dual-homed to the M-LAG in
active-active mode through main interfaces, all packets excluding Layer 3
known unicast packets from a peer-link interface to an M-LAG member
interface are isolated.
● After logical interfaces are configured to change to Error-Down state when
the peer-link fails but the DAD heartbeat status is normal in an M-LAG, if a
faulty peer-link interface in the M-LAG recovers, the devices restore VLANIF
interfaces, VBDIF interfaces, and loopback interfaces to Up state 6 seconds
after DFS group pairing succeeds to ensure that ARP entry synchronization on
a large number of VLANIF interfaces is normal. If a delay after which the
Layer 3 protocol status of the interface changes to Up is configured, the delay
after which VLANIF interfaces, VBDIF interfaces, and loopback interfaces go
Up is the configured delay plus 6s.

Limitations on Interconnection with an M-LAG

● In M-LAG scenarios, when the switch connects to the Network Attached
Storage (NAS) device or a load balancer, the NAS device or load balancer (for
example, F5 load balancer enabled with Auto Last Hop) does not send an ARP
request message to learn the gateway's MAC address. Instead, the NAS device
or load balancer analyzes data flows from the gateway and uses the source
MAC address in data flows received first as the gateway's MAC address. In this
case, the same MAC address needs to be configured on VLANIF interfaces of
the two switches (switches excluding the CE6870EI and CE6875EI) that
constitute an M-LAG; otherwise, the NAS device or load balancer may fail to
forward traffic due to the unidirectional isolation mechanism between the
peer-link and M-LAG member interface.

Configuration Notes When M-LAG Is Deployed with Other Services
When M-LAG needs to be configured with multiple other services, some services
may fail to be delivered because of insufficient ACL resources. For services that can
be configured together with M-LAG, see "Using CSS/M-LAG with Other Services"
in CloudEngine Series Switches ACL Technical Special Topic.
The support for service features by M-LAG and the device is similar, but there are
differences which are described in Table 4-7.

Table 4-7 Constraints when M-LAG is used with other features


Feature Configuration Note

Stack Switches can set up a stack, and the stack then can be
used to establish an M-LAG as an independent device.

SVF Switches can set up an SVF system, and the SVF system
then can be used to establish an M-LAG as an independent
device. In an SVF system, M-LAG member interfaces must
be on spine or leaf switches. The interfaces cannot be on
both spine and leaf switches.

VBST M-LAG and VBST cannot be configured together.

QinQ and VLAN Mapping The M-LAG is accessed through VLAN mapping and VLAN
stacking. Layer 3 services, including ARP, ND, and ICMP, are
not supported.

CFM M-LAG and CFM cannot be configured together.

GVRP GVRP and M-LAG cannot be configured on an Eth-Trunk
together.

DHCP ● The two devices that constitute an M-LAG cannot be
configured with DHCP snooping.
● The DHCP relay function must be configured on the
two devices that constitute an M-LAG.
● The DHCP server function must be configured on the
two devices that constitute an M-LAG, and addresses in
the address pools of the two devices cannot overlap.

IP unicast routing ● The two devices that constitute an M-LAG cannot set
up routing neighbor relationships with the devices to be
accessed.
● If two member devices in an M-LAG need to establish a
neighbor relationship, you are advised to manually
configure router IDs on the two M-LAG devices. If the
devices automatically obtain router IDs, the neighbor
relationship may fail to be established due to a router
ID conflict.
● M-LAG member devices function as active-active
gateways. An independent link between M-LAG
member devices is used as the best-effort link and
OSPF is configured. M-LAG member devices import the
direct route of a downstream server connected to the
M-LAG and advertise the route to each other. IP FRR is
configured, and the direct route is specified as the
primary link and the dynamic OSPF route is specified as
the backup link. When a network-side device sends
traffic to the server, the traffic is transmitted along the
backup path on the M-LAG gateways because there is
no ARP entry for the primary link. As a result, a loop
occurs between the M-LAG member devices and the
network-side device cannot access the server. In this
case, you can run the ip ip-prefix ip-prefix-name
[ index index-number ] { permit | deny } ipv4-address
mask-length [ match-network ] [ greater-equal
greater-equal-value ] [ less-equal less-equal-value ]
command on the M-LAG gateways to configure an
OSPF routing policy to permit all routes excluding the
direct route.

IPv4 multicast In versions earlier than V100R006C00, M-LAG does not
support IPv4 Layer 3 multicast.
An M-LAG set up with standalone switches, stack systems,
or SVF systems supports IPv4 Layer 3 multicast in
V100R006C00 and later versions. Pay attention to the
following points:
● In addition to the peer-link, there must be a direct Layer
3 link between the M-LAG master and backup devices.
STP must be disabled on the interfaces at both ends of
the Layer 3 link.
● The M-LAG master and backup devices must have the
same multicast configuration.
● On the M-LAG master and backup devices, PIM-SM and
IGMP must be enabled on all the VLANIF interfaces that
need to run Layer 3 multicast services, and IGMP
snooping must be enabled in the corresponding VLANs.
● The PIM silent function must be configured on the user-
side interfaces of the M-LAG master and backup
devices.
● If the Layer 3 link is established on a VLANIF interface
of the M-LAG master and backup devices, the VLANIF
interface must run the PIM protocol, and the
corresponding VLAN cannot be allowed on the peer-
link.
● If the peer-link is selected as the optimal link to the RP
or multicast source by the unicast routing protocol,
multicast traffic with the peer-link interface as the
outbound interface may fail to be forwarded. To prevent
this problem, ensure that the Layer 3 link between the
M-LAG master and backup devices has a route cost less
than or equal to the route cost of the peer-link, so that
the Layer 3 link is selected as the optimal route by the
unicast routing protocol.
On a network where the Receiver is dual-homed to an
M-LAG:
● Only the master M-LAG member interface forwards
multicast traffic to the Receiver in versions earlier than
V200R003C00.
● Both the master and backup M-LAG member interfaces
forward multicast traffic to the Receiver, implementing
load sharing in V200R003C00 and later versions. The M-
LAG master and backup devices share load according to
the following rule: If the last decimal number of the
multicast group address is an odd number, such as the
address 225.1.1.1, the master M-LAG member interface
forwards the multicast traffic. If the last decimal
number of the multicast group address is an even
number, such as the address 225.1.1.2, the backup M-LAG
member interface forwards the multicast traffic.
● If the M-LAG master and backup devices run different
versions, the multicast traffic forwarding rule is subject
to the device running the earlier version.

IPv6 multicast In versions earlier than V200R003C00, M-LAG does not
support IPv6 Layer 3 multicast.
In V200R003C00 and later versions, an M-LAG set up with standalone
switches or stack systems on the CE6870EI and CE6875EI supports IPv6
Layer 3 multicast, and other models do not support IPv6 Layer 3
multicast. Pay attention to the following points:
● In addition to the peer-link, there must be a direct Layer
3 link between the M-LAG master and backup devices.
STP must be disabled on the interfaces at both ends of
the Layer 3 link.
● The M-LAG master and backup devices must have the
same multicast configuration.
● On the M-LAG master and backup devices, PIM-SM
(IPv6) and MLD must be enabled on all the VLANIF
interfaces that need to run Layer 3 multicast services,
and MLD snooping must be enabled in the
corresponding VLANs.
● The PIM silent (IPv6) function must be configured on
the user-side interfaces of the M-LAG master and
backup devices.
● If the Layer 3 link is established on a VLANIF interface
of the M-LAG master and backup devices, the VLANIF
interface must run the PIM (IPv6) protocol, and the
corresponding VLAN cannot be allowed on the peer-
link.
● If the peer-link is selected as the optimal link to the RP
or multicast source by the unicast routing protocol,
multicast traffic with the peer-link interface as the
outbound interface may fail to be forwarded. To prevent
this problem, ensure that the Layer 3 link between the
M-LAG master and backup devices has a route cost less
than or equal to the route cost of the peer-link, so that
the Layer 3 link is selected as the optimal route by the
unicast routing protocol.
If the Receiver is dual-homed to an M-LAG in
V200R003C00 and later versions:
Both the master and backup M-LAG member interfaces
forward multicast traffic to the Receiver, implementing
load sharing. The M-LAG master and backup devices share
load according to the following rule: If the last
hexadecimal number of the multicast group address is an
odd number, such as the addresses FF1E::1 and FF1E::B, the
master M-LAG member interface forwards the multicast
traffic. If the last hexadecimal number of the multicast
group address is an even number, such as the addresses
FF1E::2 and FF1E::A, the backup M-LAG member interface
forwards the multicast traffic.

FCoE The M-LAG function is not available if FSB and FCF or FSB
and NPV coexist on the device.

IPSG The two devices that constitute an M-LAG cannot be
configured with IPSG.

VPLS The two devices that constitute an M-LAG cannot be
configured as PE devices.

MPLS/L3VPN For devices that support MPLS and L3VPN, MPLS and
L3VPN cannot be configured on M-LAG member
interfaces.

VXLAN ● In versions earlier than V200R003C00, Layer 2 sub-interfaces
that use the QinQ traffic encapsulation type
cannot be configured with M-LAG together. In
V200R003C00 and later versions, M-LAG can be
configured with termination QinQ Layer 2 sub-
interfaces and cannot be configured with transparent
transmission QinQ Layer 2 sub-interfaces.
● A switch configured with M-LAG does not support
segment VXLAN for Layer 2 DCI.
● In V200R019C10 and earlier versions, for the CE5880EI
and CE6880EI, the function of configuring a VXLAN
tunnel over an IPv6 underlay network and the M-LAG
function are mutually exclusive and cannot be deployed
on the same switch.
● When VXLAN dual-active access is configured and the
gateways work in loopback mode in a distributed
gateway scenario, the NVE interfaces of different M-
LAG systems on the network must be configured with
different MAC addresses. For example, if devices A and
B establish M-LAG system 1 and devices C and D
establish M-LAG system 2, the NVE interfaces of M-LAG
systems 1 and 2 must be configured with different MAC
addresses.
● If active-active gateways are configured on VBDIF
interfaces when a switch is connected to a VXLAN
network, the VRRP or VRRP6 mode cannot be used.
● Currently, M-LAG member devices synchronize packets
through UDP. The default UDP port number is 1025,
which is different from the UDP port number
configured for the all-active gateway neighbor in the
DFS group view. If the two UDP port numbers conflict,
you can run the source ip ip-address [ vpn-instance
vpn-instance-name ] [ peer peer-ip-address [ udp-port
port-number ] ] or source ipv6 ipv6-address [ vpn-
instance vpn-instance-name ] [ peer peer-ipv6-address
[ udp-port port-number ] ] command to change the
UDP port number bound to the DFS group, or run the
udp port port-number command to change the UDP
port number configured for the all-active gateway
neighbor.

Storm control You are not advised to configure storm control for
multicast packets on physical member interfaces of a peer-
link. Otherwise, M-LAG synchronization packets may be
suppressed, resulting in abnormal forwarding of data
packets in the M-LAG system.

Port security ● After port security is configured on a port, dynamic
MAC addresses learned by the port are changed to
secure dynamic MAC addresses or sticky MAC
addresses. Secure dynamic MAC addresses and sticky
MAC addresses are static MAC addresses and cannot be
synchronized through peer-link interfaces on the two
M-LAG member devices.
● When port security is configured on the M-LAG
interfaces through which a device is dual-homed, the
secure dynamic MAC addresses or sticky MAC addresses
on the two M-LAG member devices may be different.

BFD ● Only the CE6857EI, CE6865EI, CE8861EI, and CE8868EI
can establish BFD sessions with connected devices
through M-LAG member interfaces.
● If a device establishes a BFD session with a connected
device through the M-LAG member interface, and the
two M-LAG member devices synchronize BFD protocol
packets through peer-link interfaces, BFD protocol
packets enter the interface queue with the priority of 6
for forwarding. If service packets enter the interface
queue with the priority of 7 for forwarding and the
interface uses the default PQ scheduling mode, the BFD
session flaps because BFD protocol packets are
discarded when the service packets arrive at the
interface at the 100% output link rate within a period
of time. If other protocol packets are forwarded through
peer-link interfaces, the packets may also be discarded
due to the scheduling priority problem.

Ping and tracert When an M-LAG member device pings or tracerts an
access device, the ping or tracert fails. In V200R019C10
and later versions, an M-LAG member device can ping an
access device, but a tracert may still fail.

4.6 Configuring M-LAG Through the Root Bridge


When the root bridge mode is used to configure M-LAG, the M-LAG master and
backup devices must be used as root bridges and configured with the same bridge
ID on the STP network so that the two devices are simulated into one root bridge.
The M-LAG master and backup devices are not affected by the network topology
change on the Layer 2 network.

4.6.1 Configuring the Root Bridge and Bridge ID

Context
When the root bridge mode is used to configure M-LAG, the M-LAG master and
backup devices must be used as root bridges and configured with the same bridge
ID on the STP network so that the two devices are simulated into one root bridge.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run stp [ instance instance-id ] root primary

The device is configured as the root bridge.

By default, a switch does not function as the root bridge of any spanning tree.
After the configuration is complete, the priority of the device is 0 and cannot be
changed.

If instance is not specified, the device is the root bridge in instance 0.

Step 3 Run stp bridge-address mac-address

The MAC address of the device that participates in spanning tree calculation is
specified.

By default, the device's MAC address is the bridge MAC address of the device that
participates in spanning tree calculation. You are advised to use the smaller MAC
address of the M-LAG master and backup devices as the bridge MAC address for
spanning tree calculation.

Step 4 Run commit

The configuration is committed.

----End

4.6.2 Configuring a DFS Group

Context
A Dynamic Fabric Service (DFS) group is used for device pairing. A DFS group
needs to be bound to an IP address so that DFS master and backup devices can
exchange Dual-Active Detection (DAD) packets. The bound IP address is used for
communication with the remote end.

When a device is dual-homed to PEs on an Ethernet, a VXLAN, or an IP network,
you need to bind the DFS group to an IP address. Ensure that IP addresses have
been configured for Layer 3 interfaces on the two PEs and the two PEs can
communicate. If the device is connected to a VPN network, you also need to bind
the DFS group to a VPN instance. Ensure that the VPN instance has been created
on the device.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run dfs-group dfs-group-id
A DFS group is created and its view is displayed, or the view of an existing DFS
group is displayed.
Step 3 Bind the DFS group to an IP address based on the actual scenario.
When a device is dual-homed to PEs on an Ethernet, a VXLAN, or an IP network,
bind the DFS group to an IP address. Run either of the following commands. The
commands cannot be configured simultaneously.
● Run source ip ip-address [ vpn-instance vpn-instance-name ] [ peer peer-ip-
address [ udp-port port-number ] ]
The DFS group is bound to an IPv4 address and a VPN instance.
● Run source ipv6 ipv6-address [ vpn-instance vpn-instance-name ] [ peer
peer-ipv6-address [ udp-port port-number ] ]
The DFS group is bound to an IPv6 address and a VPN instance.
If the heartbeat IP address and UDP port number of the peer device are specified
when the heartbeat IP address bound to a DFS group is configured, the two M-LAG
devices start to send and receive heartbeat packets and negotiate the HB DFS
master/backup status as soon as the configuration takes effect. In scenarios
where enhanced DAD for secondary faults is enabled, if faults on the original
DFS master device are rectified and the peer-link fault persists, the
corresponding interfaces on the backup device are triggered to enter the
Error-Down state based on the HB DFS master/backup status. This mechanism
prevents abnormal traffic forwarding in the scenario where two master devices
exist and improves device reliability.
Step 4 (Optional) Run priority priority
The priority of the DFS group is set.
The priority of a DFS group is used for master/backup negotiation between two
devices. A larger value indicates a higher priority of the device. The device with a
higher priority is the master device.
If the priorities of two devices are the same, the device with a smaller MAC
address is the master device.
By default, the priority of a DFS group is 100.
Step 5 (Optional) Run m-lag up-delay value [ auto-recovery interval interval-time ]
The delay for the M-LAG member interface to report the Up event is set.
To ensure the revertive switching performance, the default delay for the M-LAG
member interface to report the Up event is 240s, and the automatic recovery
interval is not configured in scenarios such as switch restart, card reset, or peer-
link fault recovery.
Step 6 (Optional) Run set lacp system-id switch-delay { switch-delay-time |
immediately }
The delay in switching the LACP M-LAG system ID is set.
By default, the LACP M-LAG system ID is not switched. The immediately
parameter indicates that the LACP M-LAG system ID is switched immediately.
When the value of the switch-delay-time parameter is 0, the LACP M-LAG system
ID is not switched.
Step 7 (Optional) Run authentication-mode hmac-sha256 password password
The authentication mode and password of DFS group synchronization packets are
configured.
By default, the authentication mode of DFS group synchronization packets is not
configured.
Step 8 (Optional) Run dfs-master led enable
The stack status indicator is enabled to display the DFS group master and backup
status.
By default, the stack status indicator does not display the DFS group master and
backup status.
After the stack status indicator is enabled to display the DFS group master and
backup status, the stack status indicator on the DFS master device is steady on
and that on the DFS backup device is off.
Step 9 (Optional) Run dual-active detection error-down { delay delay-time | disable }
The action of changing interfaces excluding the management interface, peer-link
interface, and stack interface on the backup device to Error-Down state when the
peer-link fails but the DAD heartbeat status is normal is disabled or delayed.
By default, interfaces excluding the management interface, peer-link interface, and
stack interface on the backup device change to Error-Down state when the peer-
link fails but the DAD heartbeat status is normal.
When an access device is single-homed to M-LAG master and backup devices
using Layer 3 access mode, traffic forwarding on the backup device is not affected
in a dual-active scenario where the peer-link fails but the DAD heartbeat status is
normal. To prevent packet loss, you can run the dual-active detection error-
down command to disable or delay the action of changing interfaces excluding
the management interface, peer-link interface, and stack interface on the backup
device to Error-Down state when the peer-link fails but the DAD heartbeat status
is normal.
When an access device is connected to M-LAG master and backup devices using
M-LAG dual-homing access mode or Layer 2 access mode, you cannot disable or
delay the Error-Down action.
Step 10 (Optional) Run dual-active detection enhanced enable
Enhanced DAD for secondary faults is enabled.
On a dual-homing network where M-LAG is deployed, when the peer-link fails but
the DAD status is normal, some interfaces on the DFS backup device enter the
Error-Down state. In this case, the DFS master device continues to work. When the
DFS master device cannot work because it is powered off or it restarts, the M-LAG
master and backup devices cannot forward traffic.


In this case, enhanced DAD for secondary faults can be enabled. When the peer-
link fails and secondary faults occur, the DFS backup device detects the fault on
the DFS master device and restores the interfaces in Error-Down state to forward
traffic. This ensures nonstop transmission when secondary faults occur.

If the peer-link fault persists after secondary faults are rectified, two master
devices may exist. It is recommended that you specify the IP address of the peer
device when configuring the IP address bound to the DFS group. In this case, if the
peer-link fault persists after the faulty device recovers, the corresponding
interfaces on the HB DFS backup device are triggered to enter the Error-Down
state, preventing abnormal traffic forwarding in the scenario where two master
devices exist.

Step 11 (Optional) Run dual-active detection error-down mode routing-switch

Logical interfaces are configured to enter the Error-Down state when the peer-link
fails but the DAD status is normal in an M-LAG scenario.

By default, logical interfaces are not triggered to enter the Error-Down state when
the peer-link fails but the DAD status is normal in an M-LAG scenario. On a dual-
homing TRILL network where M-LAG is deployed, when the peer-link fails but the
DAD status is normal, the M-LAG interface on the backup device enters the Error-
Down state. On a dual-homing Ethernet or IP network where M-LAG is deployed,
when the peer-link fails but the DAD status is normal, physical interfaces except
the logical interface, interface configured with m-lag unpaired-port reserved,
management interface, peer-link interface, and stack interface on the backup
device all enter the Error-Down state.

On the IP or VXLAN network where M-LAG is deployed, when the dual-active
detection error-down mode routing-switch command is used, only VLANIF
interfaces, VBDIF interfaces, loopback interfaces, and M-LAG member interfaces
are triggered to enter the Error-Down state.

NOTE

After logical interfaces are configured to change to Error-Down state when the peer-link
fails but the DAD heartbeat status is normal in an M-LAG, if a faulty peer-link interface in
the M-LAG recovers, the devices restore VLANIF interfaces, VBDIF interfaces, and loopback
interfaces to Up state 6 seconds after DFS group pairing succeeds to ensure that ARP entry
synchronization on a large number of VLANIF interfaces is normal. If a delay after which
the Layer 3 protocol status of the interface changes to Up is configured, the delay after
which VLANIF interfaces, VBDIF interfaces, and loopback interfaces go Up is the configured
delay plus 6 seconds.

Step 12 (Optional) Run peer-link mac-address remain enable

The system is configured not to trigger the remote M-LAG device to delete the
corresponding MAC address on the peer-link interface under certain conditions.

By default, the system triggers the remote M-LAG device to delete the
corresponding MAC address on the peer-link interface under certain conditions.

Step 13 Run commit

The configuration is committed.

----End


4.6.3 Configuring M-LAG Consistency Check

Prerequisites
The DFS group between two devices in the M-LAG has been paired successfully
and the master and backup states have been negotiated.

Context
The M-LAG configuration falls into two types: key configuration (Type 1) and
common configuration (Type 2), as described in Table 4-8. Two M-LAG
consistency check modes are available: strict and loose.
● Key configuration (Type 1): If the configurations of two devices in the M-LAG
are inconsistent, problems may occur, for example, loops may occur or
packets are discarded for a long period of time though the M-LAG status is
normal.
In strict mode, if the key configuration of two devices in the M-LAG is
inconsistent, member interfaces on the M-LAG backup device enter the
Error-Down state and the alarm about key configuration inconsistency is
generated. In loose mode, if the key configuration of two devices in the
M-LAG is inconsistent, the alarm about key and common configuration
inconsistency is generated.
● Common configuration (Type 2): If the configurations of two devices in the
M-LAG are inconsistent, the M-LAG status may be abnormal. Compared with
the key configuration, the common configuration problem can be easily
detected and has less impact on the live network.
Regardless of the mode, if the following common configuration of two
devices in the M-LAG is inconsistent, the alarm about key and common
configuration inconsistency is generated.

Table 4-8 M-LAG consistency check list

View | Configuration | Type
System view | Whether STP is enabled | Type 1
System view | STP working mode | Type 1
System view | Whether BPDU protection is enabled | Type 1
System view | Mapping between VLANs and MSTIs. NOTE: The device checks the mapping between VLANs and MSTIs in STP process 0. | Type 1
M-LAG member interface view | Whether STP is enabled | Type 1
M-LAG member interface view | Whether root protection is enabled | Type 1
M-LAG member interface view | LACP mode | Type 1
System view | VLAN configuration | Type 2
System view | Static MAC address entries: static MAC address entry in which the interface is an M-LAG member interface; static MAC address entry of a VXLAN tunnel | Type 2
System view | Aging time of dynamic MAC address entries | Type 2
System view | Static ARP entries: short static ARP entries; long static ARP entries. For long static ARP entries: if outbound interfaces are specified in static ARP entries, only the static ARP entries in which the outbound interfaces are M-LAG member interfaces are checked; if the VLANs to which static ARP entries belong are specified, the VLAN IDs are compared; if outbound interfaces and the VLANs to which static ARP entries belong are specified, the static ARP entries in which the outbound interfaces are M-LAG member interfaces and the VLAN IDs are compared; static ARP entry of an IPv4 VXLAN tunnel. NOTE: The switch cannot check short static ARP entries of a specified VPN instance. If the outbound interface of a long static ARP entry is an M-LAG member interface and is bound to a VPN instance or the VLANIF interface corresponding to the VLAN to which the outbound interface belongs is bound to a VPN instance, the switch cannot check the static ARP entry. | Type 2
System view | Aging time of dynamic ARP entries | Type 2
System view | Bridge Domain (BD) configuration: BD ID; VNI associated with the BD | Type 2
System view | VBDIF interface configuration: BD ID; IPv4 address; IPv6 address; VRRP4 group; MAC address; Status. NOTE: The device only checks the virtual MAC address by default. For the IPv6 address and VRRP4 configuration, the consistency check only takes effect when the VBDIF interface is up. If the VBDIF interface is down, the preceding configurations do not take effect on the interface. | Type 2
System view | VLANIF interface configuration: VLAN ID; IPv4 address; IPv6 address; VRRP4 group; VRRP6 group; MAC address; Status. NOTE: The device only checks the virtual MAC address by default. For the IPv6 address and VRRP4 configuration, the consistency check only takes effect when the VLANIF interface is up. If the VLANIF interface is down, the preceding configurations do not take effect on the interface. | Type 2
M-LAG member interface view | STP priority | Type 2
M-LAG member interface view | VLAN ID | Type 2
M-LAG member interface view | Parameters | Type 2
M-LAG member interface view | Number of member interfaces of the Eth-Trunk to which an M-LAG member interface belongs. NOTE: Only the numbers of member interfaces of Eth-Trunks are compared. The physical Up/Down status or bandwidth of member interfaces is not checked. | Type 2

Procedure
● Configure M-LAG consistency check.
a. Run system-view
The system view is displayed.
b. Run dfs-group dfs-group-id
A DFS group is created and its view is displayed, or the view of an
existing DFS group is displayed.
c. Run consistency-check enable mode { strict | loose }
M-LAG consistency check is enabled and a check mode is specified.
By default, M-LAG consistency check is disabled.
d. Run commit
The configuration is committed.
● Check the M-LAG consistency check status and configuration of devices in the
M-LAG.
– Run the display dfs-group command to check the M-LAG consistency
check result.
– Run the display dfs-group consistency-check { global | interface m-lag
m-lag-id | static-arp | static-mac } command to check the configuration
of M-LAG master and backup devices.
– Run the display dfs-group consistency-check status command to
display the running status of M-LAG consistency check.
----End

Exception Handling
● In loose mode, if the key or common configuration of two devices in the M-
LAG is inconsistent, either of the following alarms is triggered:
"ETRUNK_1.3.6.1.4.1.2011.5.25.178.8.2.1 hwMLagConsistencyCheckType1" and
"ETRUNK_1.3.6.1.4.1.2011.5.25.178.8.2.3 hwMLagConsistencyCheckType2".
When the configuration of two devices in the M-LAG is adjusted, M-LAG
consistency check is successful and the alarm is cleared.
● In strict mode, if the key configuration of two devices in the M-LAG is
inconsistent, member interfaces on the M-LAG backup device enter the Error-
Down state and the alarm about key configuration inconsistency is generated:
"ETRUNK_1.3.6.1.4.1.2011.5.25.178.8.2.1 hwMLagConsistencyCheckType1".
The device records the status of an interface as Error-Down when it detects
that a fault occurs. The interface in Error-Down state cannot receive or send
packets and the interface indicator is off. You can run the display error-down
recovery command to check information about all interfaces in Error-Down
state on the device.
When the interface enters the Error-Down state, adjust the configuration of
M-LAG master and backup devices. You are not advised to manually restore
the interface or run the error-down auto-recovery cause m-lag interval
interval-value command in the system view to enable the interface to go Up
automatically. Otherwise, excess packets, packet loss, or forwarding failure
may occur. Exercise caution when you perform the preceding operation.
If the M-LAG consistency check mode is set to strict mode and the system
detects that type 1 configurations of the two M-LAG devices are inconsistent,
it is recommended that the device administrator immediately adjust the
configurations, and it is not recommended that the device administrator
restart the devices. If type 1 configurations are inconsistent, member
interfaces on the M-LAG backup device enter the Error-Down state and the
alarm about type 1 configuration inconsistency is generated.

If the administrator does not adjust the configurations and restarts the M-
LAG master device, interfaces on the M-LAG backup device may enter the
Error-Down state because of type 1 configuration inconsistency during re-
negotiation between M-LAG devices when the master device is recovering. In
this case, M-LAG member interfaces on the M-LAG master device go Up after
a delay. As a result, both the M-LAG master and backup devices fail to
forward traffic, and services are interrupted.

----End
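
The strict and loose outcomes described in 4.6.3 can be rehearsed offline before a change window. The following is an added example, not code from the guide or from the device software: it classifies configuration differences between two M-LAG peers by the types in Table 4-8 and predicts the alarms and the Error-Down result. The item names and the sample configurations are constructed for this example.

```python
"""Offline model of the M-LAG consistency check outcome (added example).

The item names are this example's own labels for rows of Table 4-8; they are
not CLI keywords or fields of any device output.
"""

ALARM_TYPE1 = "hwMLagConsistencyCheckType1"
ALARM_TYPE2 = "hwMLagConsistencyCheckType2"

# (view, item) -> configuration type, following Table 4-8.
CHECK_TYPES = {
    ("system", "stp_enabled"): 1,
    ("system", "stp_mode"): 1,
    ("system", "bpdu_protection"): 1,
    ("system", "vlan_msti_mapping"): 1,
    ("m-lag", "stp_enabled"): 1,
    ("m-lag", "root_protection"): 1,
    ("m-lag", "lacp_mode"): 1,
    ("system", "vlans"): 2,
    ("system", "static_mac"): 2,
    ("system", "mac_aging_time"): 2,
    ("system", "static_arp"): 2,
    ("system", "arp_aging_time"): 2,
    ("system", "bridge_domains"): 2,
    ("system", "vbdif"): 2,
    ("system", "vlanif"): 2,
    ("m-lag", "stp_priority"): 2,
    ("m-lag", "vlan_id"): 2,
    ("m-lag", "eth_trunk_member_count"): 2,
}


def _comparable(value):
    """Compare unordered collections (VLAN lists, entry lists) as sets."""
    if isinstance(value, (list, tuple, set)):
        return frozenset(value)
    return value


def diff_configs(master, backup):
    """Return sorted (type, view, item, master_value, backup_value) tuples."""
    findings = []

    def compare(label, view, m_items, b_items):
        for item in set(m_items) | set(b_items):
            ctype = CHECK_TYPES.get((view, item))
            if ctype is None:
                continue  # not a row of Table 4-8, so not compared
            m_val, b_val = m_items.get(item), b_items.get(item)
            if _comparable(m_val) != _comparable(b_val):
                findings.append((ctype, label, item, m_val, b_val))

    compare("system", "system", master.get("system", {}), backup.get("system", {}))
    m_lags, b_lags = master.get("m-lag", {}), backup.get("m-lag", {})
    for mlag_id in set(m_lags) | set(b_lags):
        # An M-LAG ID present on one device only shows up as item differences.
        compare(f"m-lag {mlag_id}", "m-lag",
                m_lags.get(mlag_id, {}), b_lags.get(mlag_id, {}))
    return sorted(findings, key=lambda f: f[:3])


def predict_outcome(master, backup, mode):
    """Predict alarms and the Error-Down result for 'strict' or 'loose' mode."""
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    findings = diff_configs(master, backup)
    types = {f[0] for f in findings}
    alarms = []
    if 1 in types:
        alarms.append(ALARM_TYPE1)
    if 2 in types:
        # Assumption: the guide names this alarm for loose mode only; it is
        # reused here for Type 2 differences found in strict mode.
        alarms.append(ALARM_TYPE2)
    return {
        "findings": findings,
        "alarms": alarms,
        # Only strict mode moves the backup's member interfaces to Error-Down.
        "backup_member_interfaces_error_down": mode == "strict" and 1 in types,
    }


# Constructed sample configurations for two peers.
MASTER = {
    "system": {"stp_enabled": True, "stp_mode": "rstp", "bpdu_protection": True,
               "vlans": [10, 20, 30], "mac_aging_time": 300},
    "m-lag": {1: {"lacp_mode": "static", "root_protection": True,
                  "eth_trunk_member_count": 2}},
}
BACKUP = {
    "system": {"stp_enabled": True, "stp_mode": "rstp", "bpdu_protection": False,
               "vlans": [30, 10], "mac_aging_time": 300},
    "m-lag": {1: {"lacp_mode": "static", "root_protection": True,
                  "eth_trunk_member_count": 2}},
}

if __name__ == "__main__":
    for mode in ("loose", "strict"):
        result = predict_outcome(MASTER, BACKUP, mode)
        print(mode, result["alarms"], result["backup_member_interfaces_error_down"])
        for finding in result["findings"]:
            print("  type %d  %s  %s: %r != %r" % finding)
```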

4.6.4 Configuring an Interface as a Peer-link Interface

Context
A peer-link is a direct aggregated link between two devices configured with M-
LAG. It is used to exchange protocol packets and transmit some traffic, and
ensures normal running of M-LAG.

Prerequisites
The direct link between two devices configured with M-LAG has been configured
as an aggregated link.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface eth-trunk trunk-id

The Eth-Trunk interface view is displayed.

Step 3 Run trunkport interface-type { interface-number1 [ to interface-number2 ] } &<1-n>

A member interface is added to the Eth-Trunk.

When you add member interfaces to an Eth-Trunk in a batch, if one interface
cannot be added to the Eth-Trunk, all subsequent interfaces in the batch cannot
be added to the Eth-Trunk, either.

NOTE

For the CE5810EI, the value of n is 8. For the CE5880EI and CE6880EI, the value of n is 64. For
other models, the value of n depends on the assign forward eth-trunk mode command.

Step 4 Run mode lacp-static

The Eth-Trunk is configured to work in static LACP mode.

By default, an Eth-Trunk works in manual load balancing mode. To ensure M-LAG
reliability, you are advised to configure the Eth-Trunk to work in static LACP mode.


Step 5 Run undo stp enable

STP is disabled on the interface.
By default, STP is enabled on an interface.

NOTE

STP needs to be disabled because the two devices are simulated as one STP root bridge
and the directly connected interface must not be blocked.

Step 6 Run peer-link peer-link-id

The interface is configured as a peer-link interface.
By default, no interface is configured as a peer-link interface.
● An interface configured as a peer-link interface joins all VLANs by default.
● An interface configured as a peer-link interface cannot be configured with any
service.
● If the ERPS control VLAN, TRILL carrier VLAN, Super-VLAN, or FCoE VLAN
needs to be configured, perform Step 7 to remove the peer-link interface
from the control VLAN, carrier VLAN, Super-VLAN, or FCoE VLAN. Otherwise,
the control VLAN, carrier VLAN, Super-VLAN, or FCoE VLAN cannot be
configured.
● If the network-side VLANIF interface is configured, perform Step 7 to remove
the peer-link interface from the VLAN. Otherwise, heartbeat detection may
become ineffective.
Step 7 (Optional) Run port vlan exclude { { vlan-id1 [ to vlan-id2 ] } &<1-10> }
The VLANs not allowed by the peer-link interface are specified.
By default, no allowed VLAN is specified on a peer-link interface.
Step 8 Run commit
The configuration is committed.

----End

4.6.5 Configuring an M-LAG Member Interface


Prerequisites
The links between a user-side device and two devices configured with M-LAG have
been configured as aggregated links. To improve reliability and prevent incorrect
configurations or loops during M-LAG configuration, you are advised to configure
link aggregation in LACP mode.

Procedure
● When the Eth-Trunk works in manual load balancing mode, perform the
following operations.
a. Run system-view
The system view is displayed.


b. Run interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
c. Run trunkport interface-type { interface-number1 [ to interface-number2 ] } &<1-n>
A member interface is added to the Eth-Trunk.
When you add member interfaces to an Eth-Trunk in a batch, if one
interface cannot be added to the Eth-Trunk, all subsequent interfaces in
the batch cannot be added to the Eth-Trunk, either.

NOTE

For the CE5810EI, the value of n is 8. For the CE5880EI and CE6880EI, the value of n
is 64. For other models, the value of n depends on the assign forward eth-trunk
mode command.
d. Run dfs-group dfs-group-id m-lag m-lag-id
The Eth-Trunk is bound to a DFS group, that is, the Eth-Trunk is
configured as an M-LAG member interface.

NOTE

The two devices configured with M-LAG must use the same M-LAG ID.
e. Run commit
The configuration is committed.
● (Recommended) When the Eth-Trunk works in LACP mode, perform the
following operations.
a. Run system-view
The system view is displayed.
b. Run interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
c. Run trunkport interface-type { interface-number1 [ to interface-number2 ] } &<1-n>
A member interface is added to the Eth-Trunk.
When you add member interfaces to an Eth-Trunk in a batch, if one
interface cannot be added to the Eth-Trunk, all subsequent interfaces in
the batch cannot be added to the Eth-Trunk, either.

NOTE

For the CE5810EI, the value of n is 8. For the CE5880EI and CE6880EI, the value of n
is 64. For other models, the value of n depends on the assign forward eth-trunk
mode command.
d. Run mode { lacp-static | lacp-dynamic }
The Eth-Trunk is configured to work in LACP mode.
e. Run dfs-group dfs-group-id m-lag m-lag-id
The Eth-Trunk is bound to a DFS group, that is, the Eth-Trunk is
configured as an M-LAG member interface.


NOTE

The two devices configured with M-LAG must use the same M-LAG ID.
f. (Optional) Configure the LACP M-LAG system priority and system ID.

▪ Run the quit command to exit from the Eth-Trunk interface view.
NOTE

After the DFS pairing succeeds in V200R001C00 and later versions, the
master device automatically synchronizes its LACP M-LAG system priority
and system ID to the backup device. The M-LAG member interface of the
backup device uses the synchronized LACP M-LAG system priority and
system ID to perform LACP negotiation. You do not need to manually
configure the LACP M-LAG system priority and system ID.

▪ Run the lacp m-lag priority priority command to set the LACP M-
LAG system priority.
The default LACP M-LAG system priority is 32768.
○ The LACP M-LAG system priority is valid for the M-LAG
composed of an Eth-Trunk in LACP mode, whereas the LACP
system priority configured by the lacp priority command is valid
for an Eth-Trunk in LACP mode.
○ The LACP M-LAG system priority configured in the Eth-Trunk
interface view takes effect only on the Eth-Trunk. When DFS
pairing succeeds, the M-LAG master device does not synchronize
the LACP M-LAG system priority of the Eth-Trunk to the M-LAG
backup device. Therefore, the LACP M-LAG system priority of an
Eth-Trunk must be configured on both the M-LAG master and
backup devices and be the same.

▪ Run the lacp m-lag system-id mac-address command to set the
LACP M-LAG system ID.
By default, the LACP M-LAG system ID in the system view is the MAC
address of the Ethernet interface on the MPU.
○ The LACP M-LAG system ID is valid for the M-LAG composed of
an Eth-Trunk in LACP mode.
○ The LACP M-LAG system ID configured in the Eth-Trunk
interface view takes effect only on the Eth-Trunk. When DFS
pairing succeeds, the M-LAG master device does not synchronize
the LACP M-LAG system ID of the Eth-Trunk to the M-LAG
backup device. Therefore, the LACP M-LAG system ID of an Eth-
Trunk must be configured on both the M-LAG master and
backup devices and be the same.
○ You are advised to use the smaller MAC address on the M-LAG
master and backup devices as the LACP M-LAG system ID.
g. Run commit

The configuration is committed.

----End


4.6.6 (Optional) Configuring the Dual-Active Gateway


Prerequisites
The M-LAG member interface has been added to the corresponding VLAN, or the
Layer 2 sub-interface of the Eth-Trunk to which the M-LAG member interface
belongs has been added to the corresponding BD.

Context
On a dual-homing IP or VXLAN network, both the M-LAG master and backup
devices need to function as Layer 3 gateways. In this case, VLANIF/VBDIF
interfaces corresponding to M-LAG member interfaces must have the same IP
address and MAC address. You can configure the same IP address and run the
mac-address command to configure the same virtual MAC address for the
VLANIF/VBDIF interfaces.

Procedure
● Configure an IP address and a MAC address for a VLANIF/VBDIF interface to
implement dual-active gateway.
a. Run system-view
The system view is displayed.
b. Run interface { vlanif vlan-id | vbdif bd-id }
The VLANIF or VBDIF interface view is displayed.
c. Configure an IP address for the interface:

▪ On IPv4 networks, run ip address ip-address { mask | mask-length } [ sub ]
An IPv4 address is configured for the VLANIF/VBDIF interface.

▪ On IPv6 networks, perform the following operations:
1) Run ipv6 enable
IPv6 is enabled for the VLANIF/VBDIF interface.
2) Run ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
Or run ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } eui-64
A global unicast address is configured for the VLANIF/VBDIF
interface.
An IP address is assigned to the VLANIF/VBDIF interface.
By default, no IP address is configured for an interface.
VLANIF/VBDIF interfaces corresponding to M-LAG member interfaces of
M-LAG master and backup devices must be configured with the same IP
address.
d. Run mac-address mac-address in the VLANIF interface view or the VBDIF
interface view
A virtual MAC address is configured for the VLANIF/VBDIF interface.
By default, the MAC address of a VLANIF/VBDIF interface is the same as the
system MAC address.
VLANIF/VBDIF interfaces corresponding to M-LAG member interfaces of
M-LAG master and backup devices must be configured with the same
virtual MAC address.
e. (Optional) Run protocol up-delay-time time-value
The delay before the Layer 3 protocol status of an interface can go Up is
set.
By default, the delay before the Layer 3 protocol status of a VLANIF
interface can go Up is 1s. When there are many ARP entries, the delay is
increased.
When the faulty device or peer-link recovers, many ARP entries need to
be synchronized in a batch. You can configure the delay so that the
protocol status of the interface goes Up after ARP entries are
synchronized. This prevents protocol packets from being discarded,
reduces the packet loss during link recovery, and improves convergence
performance.

NOTE

After a switch restarts or a card resets, the physical status of an interface
changes to Up, but the upper-layer protocol modules do not meet forwarding
requirements, resulting in packet loss. To ensure the revertive switching
performance, the default delay for an M-LAG member interface to report the Up
event is 240 seconds. If a delay after which the Layer 3 protocol status changes
to Up is configured on a VLANIF interface, ensure that the delay for an M-LAG
member interface to report the Up event is longer than the delay configured on
the VLANIF interface. Otherwise, triggering of learning for ND entries that fail to
be synchronized depends on ND Miss messages.
f. Run commit
The configuration is committed.

----End


4.6.7 (Optional) Configuring the Interface Status When the Peer-Link Fails

Context
On a dual-homing Ethernet, VXLAN, or IP network where M-LAG is deployed,
when the peer-link fails but the DAD status is normal, interfaces except the
management interface, peer-link interface, and stack interface on the backup
device all enter the Error-Down state. When the faulty peer-link is restored, the M-
LAG interface in Error-Down state goes Up after 240 seconds by default and other
interfaces in Error-Down state go Up automatically.

In practice, uplink interfaces running routing protocols or DAD-enabled heartbeat
interfaces should not enter the Error-Down state. You can configure whether an
interface enters the Error-Down state according to the actual situation.

Table 4-9 describes the Error-Down state of interfaces when the peer-link fails but
the DAD status is normal.

Table 4-9 Error-Down state of interfaces when the peer-link fails but the DAD
status is normal

Device Configuration | Ethernet, VXLAN, or IP Network Where M-LAG Is Deployed
Default setting | Interfaces except the management interface, peer-link interface, and stack interface on the backup device all enter the Error-Down state.
Device where m-lag unpaired-port suspend is configured | Only the M-LAG member interface and the interface configured with m-lag unpaired-port suspend are in Error-Down state.
Device where m-lag unpaired-port reserved is configured | Interfaces except the interface configured with m-lag unpaired-port reserved, management interface, peer-link interface, and stack interface on the backup device all enter the Error-Down state.
Device where both m-lag unpaired-port suspend and m-lag unpaired-port reserved are configured | Only the M-LAG member interface and the interface configured with m-lag unpaired-port suspend are in Error-Down state.

Procedure
Step 1 Run system-view

The system view is displayed.


Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run m-lag unpaired-port reserved
The interface is configured not to enter the Error-Down state when the peer-link
fails but the DAD status is normal.
● You can configure m-lag unpaired-port suspend on other interfaces of the
backup device so that the specified interface is configured to automatically
enter the Error-Down state when the peer-link fails but the DAD status is
normal.
● You are advised to configure this command on interfaces of both the M-LAG
master and slave devices, so the Error-Down state of interfaces is consistent
after an active/standby switchover of the M-LAG master and backup devices.
● This command cannot be configured on the peer-link interface and M-LAG
member interfaces.
Step 4 Run commit
The configuration is committed.

----End
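
The following Python example is added here and is not part of the Huawei guide. It models Table 4-9 so that you can predict which interfaces on the backup device enter the Error-Down state for a given interface inventory. The Interface class, the role labels, and the interface names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Interface roles that Table 4-9 never places in Error-Down state.
EXEMPT_ROLES = {"management", "peer-link", "stack"}


@dataclass(frozen=True)
class Interface:
    """One interface on the M-LAG backup device (hypothetical model)."""
    name: str
    role: str                       # "management", "peer-link", "stack", "m-lag-member" or "other"
    unpaired: Optional[str] = None  # None, "suspend" or "reserved"


def validate(interfaces: List[Interface]) -> None:
    """Reject settings that the guide rules out."""
    for itf in interfaces:
        if itf.unpaired not in (None, "suspend", "reserved"):
            raise ValueError(f"{itf.name}: unknown unpaired-port setting {itf.unpaired!r}")
        # m-lag unpaired-port reserved cannot be configured on the peer-link
        # interface or on M-LAG member interfaces.
        if itf.unpaired == "reserved" and itf.role in ("peer-link", "m-lag-member"):
            raise ValueError(f"{itf.name}: reserved is not allowed on a {itf.role} interface")


def error_down_interfaces(interfaces: List[Interface]) -> List[str]:
    """Names of interfaces that go Error-Down when the peer-link fails but DAD is normal."""
    validate(interfaces)
    # Rows 2 and 4 of Table 4-9: once suspend is configured anywhere on the device,
    # only M-LAG member interfaces and the suspend interfaces are affected.
    suspend_mode = any(itf.unpaired == "suspend" for itf in interfaces)
    affected = []
    for itf in interfaces:
        if itf.role in EXEMPT_ROLES:
            continue
        if suspend_mode:
            hit = itf.role == "m-lag-member" or itf.unpaired == "suspend"
        else:
            # Rows 1 and 3: every other interface goes down unless it is reserved.
            hit = itf.unpaired != "reserved"
        if hit:
            affected.append(itf.name)
    return affected


def sample_inventory(uplink=None, heartbeat=None, server=None) -> List[Interface]:
    """Constructed inventory of a backup device; arguments set the unpaired-port flag."""
    return [
        Interface("MEth0/0/0", "management"),
        Interface("Eth-Trunk0", "peer-link"),
        Interface("Eth-Trunk10", "m-lag-member"),
        Interface("10GE1/0/1", "other", uplink),     # routed uplink
        Interface("10GE1/0/2", "other", heartbeat),  # DAD heartbeat link
        Interface("10GE1/0/3", "other", server),     # single-homed server
    ]


if __name__ == "__main__":
    cases = {
        "default": sample_inventory(),
        "reserved on uplink and heartbeat": sample_inventory("reserved", "reserved"),
        "suspend on server": sample_inventory(server="suspend"),
        "reserved on uplink, suspend on server": sample_inventory("reserved", None, "suspend"),
    }
    for label, inventory in cases.items():
        print(f"{label}: {error_down_interfaces(inventory)}")
```

In the last case the heartbeat interface stays Up even though it is not marked reserved, because configuring suspend anywhere on the device limits the action to M-LAG member interfaces and suspend interfaces.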

4.6.8 (Optional) Enabling Enhanced M-LAG Layer 3 Forwarding in an IPv6 Scenario
Context
To speed up convergence when an M-LAG member interface fails in an IPv6
scenario, you can enable enhanced M-LAG Layer 3 forwarding so that backup FRR
resources are requested for all ND entries with M-LAG member interfaces as
outbound interfaces. Active and standby paths are established for traffic
forwarding on downlink outbound interfaces. If an M-LAG member interface fails,
the outbound interface can be quickly changed to a peer-link interface.

NOTE

CE6810LI, CE5880EI, and CE6880EI switches do not support enhanced M-LAG Layer 3
forwarding in an IPv6 scenario.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run m-lag forward layer-3 enhanced enable
Enhanced M-LAG Layer 3 forwarding is enabled in an IPv6 scenario.
By default, enhanced M-LAG Layer 3 forwarding is disabled in an IPv6 scenario.
After enhanced M-LAG Layer 3 forwarding is enabled in an IPv6 scenario, backup
FRR resources are requested for all ND entries with M-LAG member interfaces as
outbound interfaces. The outbound interfaces can be changed to peer-link
interfaces to establish active and standby paths for traffic forwarding. If the FEI
side detects that an M-LAG member interface fails, dual-homing networking is
changed to single-homing networking. The next hop in the corresponding ND
entry is changed from the M-LAG member interface to the peer-link interface. This
improves the switchover performance when faults occur.

NOTE

● After enhanced M-LAG Layer 3 forwarding is enabled in an IPv6 scenario, the active and
standby paths may fail to be delivered due to increased next-hop resource consumption.
As a result, packet loss occurs.
● After enhanced M-LAG Layer 3 forwarding is enabled in an IPv6 scenario, the TTL value
decreases by 1 on the M-LAG master and backup devices because packets are forwarded
inside the M-LAG.
● After enhanced M-LAG Layer 3 forwarding is enabled, you need to configure an Eth-
Trunk interface to clear all the learned ND entries when the Eth-Trunk joins or
is removed from the M-LAG. This prevents the upper-layer protocol module from
detecting the waste of FRR resources caused by the change of M-LAG member
interfaces.
● After enhanced M-LAG Layer 3 forwarding is enabled, you can disable this function only
after 300s. After enhanced M-LAG Layer 3 forwarding is disabled, you can enable this
function only after 300s.

Step 3 Run commit


The configuration is committed.
----End

4.6.9 Verifying the Configuration of M-LAG Configured Through the Root Bridge
Procedure
● Run the display dfs-group dfs-group-id [ node node-id m-lag [ brief ] |
peer-link ] command to check M-LAG information.
----End

Follow-up Procedure
After M-LAG is configured, if the peer-link fails but the heartbeat status is normal,
some interfaces on the backup device will enter the Error-Down state. The device
records the status of an interface as Error-Down when it detects that a fault
occurs. The interface in Error-Down state cannot receive or send packets and the
interface indicator is off. You can run the display error-down recovery command
to check information about all interfaces in Error-Down state on the device.
When M-LAG is used for dual-homing to an Ethernet, VXLAN network, or IP
network and the peer-link fails but the heartbeat is normal, all physical interfaces
except the management interface, peer-link interface, and stack interface on the
backup device will enter the error-down state. When the peer-link recovers, the M-
LAG interface in Error-Down state becomes Up after 240 seconds by default, and
the physical interfaces in Error-Down state are restored to Up state.
When the interface enters the Error-Down state, locate the cause. You are not
advised to manually restore the interface or run the error-down auto-recovery
cause m-lag interval interval-value command in the system view to enable the
interface to go Up automatically. Otherwise, packet loss or forwarding failure may
occur. Exercise caution when you perform the preceding operation.

4.7 Configuring M-LAG Through V-STP (Recommended)
V-STP virtualizes the M-LAG master and backup devices enabled with STP into one
device to perform STP calculation.

4.7.1 Configuring V-STP

Context
Virtual Spanning Tree Protocol (V-STP) is a Layer 2 topology management feature
and virtualizes two STP-enabled devices into one device to perform STP
calculation.

STP can detect the M-LAG master or backup status. After V-STP is enabled on the
M-LAG master and backup devices and M-LAG master/backup negotiation is
successful, two devices are virtualized into one device for port role calculation and
fast convergence. STP needs to synchronize the bridge information and instance
priority of the M-LAG master and backup devices. After M-LAG master/backup
negotiation is successful, the backup device uses the bridge MAC address and
instance priority that is synchronized from the master device for STP calculation
and packet transmission. This ensures STP parameter calculation on the virtualized
device.

V-STP is applicable only to M-LAG networking. It can be used in multi-level
M-LAG interconnection scenarios and scenarios where devices in the M-LAG
function as non-root bridges.

When configuring V-STP, ensure that the STP/RSTP timer settings on the two
devices that constitute an M-LAG are the same. Otherwise, network flapping may
occur.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run stp mode { stp | rstp }

The switch is configured to work in STP or RSTP mode.

By default, the switch works in MSTP mode.

V-STP does not support the MSTP mode, and supports multi-process. By default,
an MSTP process works in MSTP mode. Currently, only STP and RSTP modes are
supported in V-STP scenarios. The MSTP process therefore must be configured to
work in STP or RSTP mode in V-STP scenarios.

Step 3 (Optional) Run stp bridge-address mac-address


The bridge MAC address used in spanning tree participation is configured.
By default, the switch's MAC address is the bridge MAC address of the switch that
participates in spanning tree calculation.
To prevent STP network flapping caused by switch restart or DFS active/standby
switchover and ensure revertive switching performance, you are advised to set a
larger bridge MAC address for the switch in DFS backup state when the M-LAG
master and backup devices have the same priority.
Step 4 Run stp v-stp enable
V-STP is enabled on an M-LAG device.
By default, V-STP is disabled on an M-LAG device.
Step 5 Run commit
The configuration is committed.

----End

4.7.2 Configuring a DFS Group


Context
A Dynamic Fabric Service (DFS) group is used for device pairing. A DFS group
needs to be bound to an IP address so that DFS master and backup devices can
exchange Dual-Active Detection (DAD) packets. The bound IP address is used for
communication with the remote end.
When a device is dual-homed to PEs on an Ethernet, a VXLAN, or an IP network,
you need to bind the DFS group to an IP address. Ensure that IP addresses have
been configured for Layer 3 interfaces on the two PEs and the two PEs can
communicate. If the device is connected to a VPN network, you also need to bind
the DFS group to a VPN instance. Ensure that the VPN instance has been created
on the device.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run dfs-group dfs-group-id
A DFS group is created and its view is displayed, or the view of an existing DFS
group is displayed.
Step 3 Bind the DFS group to an IP address based on the actual scenario.
When a device is dual-homed to PEs on an Ethernet, a VXLAN, or an IP network,
bind the DFS group to an IP address. Run either of the following commands. The
commands cannot be configured simultaneously.
● Run source ip ip-address [ vpn-instance vpn-instance-name ] [ peer peer-ip-address [ udp-port port-number ] ]
The DFS group is bound to an IPv4 address and a VPN instance.
● Run source ipv6 ipv6-address [ vpn-instance vpn-instance-name ] [ peer
peer-ipv6-address [ udp-port port-number ] ]
The DFS group is bound to an IPv6 address and a VPN instance.

Assume that the heartbeat IP address and UDP port number of the peer device are
specified when the heartbeat IP address for communication bound to a DFS group
is configured. When the configuration takes effect, the two M-LAG devices
immediately start to send and receive heartbeat packets and negotiate the HB
DFS master/backup status. In scenarios where enhanced DAD for secondary faults
is enabled, if faults on the original DFS master device are rectified and the peer-
link fault persists, the corresponding interfaces on the backup device are triggered
to enter the Error-Down state based on the HB DFS master/backup status. This
mechanism prevents abnormal traffic forwarding in the scenario where two
master devices exist and improves device reliability.

Step 4 (Optional) Run priority priority

The priority of the DFS group is set.

The priority of a DFS group is used for master/backup negotiation between two
devices. A larger value indicates a higher priority of the device. The device with a
higher priority is the master device.

If the priorities of two devices are the same, the device with a smaller MAC
address is the master device.

By default, the priority of a DFS group is 100.

Step 5 (Optional) Run m-lag up-delay value [ auto-recovery interval interval-time ]

The delay for the M-LAG member interface to report the Up event is set.

To ensure the revertive switching performance, the default delay for the M-LAG
member interface to report the Up event is 240s, and the automatic recovery
interval is not configured in scenarios such as switch restart, card reset, or peer-
link fault recovery.

Step 6 (Optional) Run set lacp system-id switch-delay { switch-delay-time | immediately }

The delay in switching the LACP M-LAG system ID is set.

By default, the LACP M-LAG system ID is not switched. The immediately
parameter indicates that the LACP M-LAG system ID is switched immediately.
When the value of the switch-delay-time parameter is 0, the LACP M-LAG system
ID is not switched.

Step 7 (Optional) Run authentication-mode hmac-sha256 password password

The authentication mode and password of DFS group synchronization packets are
configured.

By default, the authentication mode of DFS group synchronization packets is not
configured.

Step 8 (Optional) Run dfs-master led enable

The stack status indicator is enabled to display the DFS group master and backup
status.

By default, the stack status indicator does not display the DFS group master and
backup status.

After the stack status indicator is enabled to display the DFS group master and
backup status, the stack status indicator on the DFS master device is steady on
and that on the DFS backup device is off.

Step 9 (Optional) Run dual-active detection error-down { delay delay-time | disable }

The action of changing interfaces excluding the management interface, peer-link
interface, and stack interface on the backup device to Error-Down state when the
peer-link fails but the DAD heartbeat status is normal is disabled or delayed.

By default, interfaces excluding the management interface, peer-link interface, and
stack interface on the backup device change to Error-Down state when the
peer-link fails but the DAD heartbeat status is normal.

When an access device is single-homed to M-LAG master and backup devices
using Layer 3 access mode, traffic forwarding on the backup device is not affected
in a dual-active scenario where the peer-link fails but the DAD heartbeat status is
normal. To prevent packet loss, you can run the dual-active detection error-
down command to disable or delay the action of changing interfaces excluding
the management interface, peer-link interface, and stack interface on the backup
device to Error-Down state when the peer-link fails but the DAD heartbeat status
is normal.

When an access device is connected to M-LAG master and backup devices using
M-LAG dual-homing access mode or Layer 2 access mode, you cannot disable or
delay the Error-Down action.

Step 10 (Optional) Run dual-active detection enhanced enable

Enhanced DAD for secondary faults is enabled.

On a dual-homing network where M-LAG is deployed, when the peer-link fails but
the DAD status is normal, some interfaces on the DFS backup device enter the
Error-Down state. In this case, the DFS master device continues to work. When the
DFS master device cannot work because it is powered off or it restarts, the M-LAG
master and backup devices cannot forward traffic.

In this case, enhanced DAD for secondary faults can be enabled. When the peer-
link fails and secondary faults occur, the DFS backup device detects the fault on
the DFS master device and restores the interfaces in Error-Down state to forward
traffic. This ensures nonstop transmission when secondary faults occur.

If the peer-link fault persists after secondary faults are rectified, two master
devices may exist. It is recommended that you specify the IP address of the peer
device when configuring the IP address bound to the DFS group. In this case, if the
peer-link fault persists after the faulty device recovers, the corresponding
interfaces on the HB DFS backup device are triggered to enter the Error-Down
state, preventing abnormal traffic forwarding in the scenario where two master
devices exist.

Step 11 (Optional) Run dual-active detection error-down mode routing-switch

Logical interfaces are configured to enter the Error-Down state when the peer-link
fails but the DAD status is normal in an M-LAG scenario.
By default, logical interfaces are not triggered to enter the Error-Down state when
the peer-link fails but the DAD status is normal in an M-LAG scenario. On a dual-
homing TRILL network where M-LAG is deployed, when the peer-link fails but the
DAD status is normal, the M-LAG interface on the backup device enters the Error-
Down state. On a dual-homing Ethernet or IP network where M-LAG is deployed,
when the peer-link fails but the DAD status is normal, physical interfaces except
the logical interface, interface configured with m-lag unpaired-port reserved,
management interface, peer-link interface, and stack interface on the backup
device all enter the Error-Down state.
On the IP or VXLAN network where M-LAG is deployed, when the dual-active
detection error-down mode routing-switch command is used, only VLANIF
interfaces, VBDIF interfaces, loopback interfaces, and M-LAG member interfaces
are triggered to enter the Error-Down state.

NOTE

After logical interfaces are configured to change to Error-Down state when the peer-link
fails but the DAD heartbeat status is normal in an M-LAG, if a faulty peer-link interface in
the M-LAG recovers, the devices restore VLANIF interfaces, VBDIF interfaces, and loopback
interfaces to Up state 6 seconds after DFS group pairing succeeds to ensure that ARP entry
synchronization on a large number of VLANIF interfaces is normal. If a delay after which
the Layer 3 protocol status of the interface changes to Up is configured, the delay after
which VLANIF interfaces, VBDIF interfaces, and loopback interfaces go Up is the configured
delay plus 6 seconds.

Step 12 (Optional) Run peer-link mac-address remain enable


The system is configured not to trigger the remote M-LAG device to delete the
corresponding MAC address on the peer-link interface under certain conditions.
By default, the system triggers the remote M-LAG device to delete the
corresponding MAC address on the peer-link interface under certain conditions.
Step 13 Run commit
The configuration is committed.

----End
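
The following Python example is added here and is not part of the Huawei guide. It audits the DFS group view of a saved configuration for the settings that this procedure leaves off by default or advises on, and it applies the master election rule from Step 4. It assumes that sub-commands are indented by one space under the view line; the sample configurations, addresses, MAC addresses, and finding codes are constructed.

```python
import re

DEFAULT_PRIORITY = 100  # default DFS group priority stated in the guide

# Constructed sample: no authentication, enhanced DAD enabled without a peer address.
WEAK_CONFIG = """\
dfs-group 1
 priority 150
 source ip 10.1.1.1
 dual-active detection enhanced enable
#
"""

# Constructed sample: peer address specified and HMAC-SHA256 authentication configured.
HARDENED_CONFIG = """\
dfs-group 1
 source ip 10.1.1.1 peer 10.1.1.2
 authentication-mode hmac-sha256 password <ciphertext-placeholder>
 dual-active detection enhanced enable
#
"""


def dfs_group_commands(config_text):
    """Return the sub-commands of the first dfs-group view in a configuration dump."""
    commands, inside = [], False
    for line in config_text.splitlines():
        if not inside:
            inside = line.startswith("dfs-group ")
            continue
        if not line.startswith(" "):  # "#" or the next top-level view ends the block
            break
        commands.append(line.strip())
    return commands


def audit_dfs_group(config_text):
    """Return finding codes for one DFS group, in a fixed order."""
    cmds = dfs_group_commands(config_text)
    findings = []
    source = next((c for c in cmds if c.startswith(("source ip ", "source ipv6 "))), None)
    if source is None:
        # Without a bound address the devices cannot exchange DAD packets.
        findings.append("no-source-address")
    if not any(c.startswith("authentication-mode hmac-sha256 ") for c in cmds):
        # Default: DFS group synchronization packets carry no authentication.
        findings.append("sync-unauthenticated")
    if ("dual-active detection enhanced enable" in cmds
            and source is not None and "peer" not in source.split()):
        # The guide recommends a peer address so that two masters do not coexist
        # when the peer-link fault persists after a secondary fault is rectified.
        findings.append("enhanced-dad-without-peer")
    if any(c.startswith("dual-active detection error-down ") and
           c.split()[3] in ("disable", "delay") for c in cmds):
        # Only meaningful for single-homed Layer 3 access; review the access mode.
        findings.append("error-down-action-changed")
    return findings


def priority_of(config_text):
    """Configured DFS group priority, or the default when none is configured."""
    for cmd in dfs_group_commands(config_text):
        match = re.fullmatch(r"priority (\d+)", cmd)
        if match:
            return int(match.group(1))
    return DEFAULT_PRIORITY


def mac_value(mac):
    """Convert a MAC address such as 00e0-fc00-0001 to an integer."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def elect_master(device_a, device_b):
    """Each device is (name, priority, mac). Higher priority wins; a tie goes to the smaller MAC."""
    return min((device_a, device_b), key=lambda d: (-d[1], mac_value(d[2])))[0]


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "priority", priority_of(text), "findings", audit_dfs_group(text))
    print(elect_master(("A", 100, "00e0-fc00-0002"), ("B", 100, "00e0-fc00-0001")))
```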

4.7.3 (Optional) Configuring STP Multi-Process


Context
STP multi-process is used for independent calculation of spanning trees between
M-LAG access devices. After STP multi-process is enabled, some M-LAG member
interfaces on M-LAG devices can be managed in each process. Devices perform
STP calculation based on processes, and the interfaces that are not in processes do
not participate in STP calculation of processes. This speeds up STP convergence.

NOTE

STP multi-process must be configured simultaneously on M-LAG master and backup
devices, including the number of processes, process ID, and the status of STP. Otherwise, the
V-STP function cannot be used.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp process process-id
An STP process is created and the STP process view is displayed.
Step 3 Run stp mode { stp | rstp }
The working mode of the STP process is configured.
By default, the working mode of an STP process is MSTP. V-STP does not support
the MSTP mode, so the working mode of the process needs to be switched to STP
or RSTP. When a switch starts, the default STP process with the ID of 0 exists.
STP configurations in the system view and interface view belong to STP process 0.
Step 4 Run stp enable
MSTP of the STP process is enabled.
By default, STP in a process is disabled.
Step 5 Run commit
The configuration is committed.

----End

4.7.4 Configuring M-LAG Consistency Check


Prerequisites
The DFS group between two devices in the M-LAG has been paired successfully
and the master and backup states have been negotiated.

Context
The M-LAG configuration falls into two types: key configuration (Type 1) and
common configuration (Type 2), as described in Table 4-10. Two M-LAG
consistency check modes are available: strict and loose.
● Key configuration (Type 1): If the configurations of two devices in the M-LAG
are inconsistent, problems may occur, for example, loops may occur or
packets are discarded for a long period of time though the M-LAG status is
normal.
In strict mode, if the key configuration of two devices in the M-LAG is
inconsistent, member interfaces on the M-LAG backup device enter the Error-
Down state and the alarm about key configuration inconsistency is generated.
In loose mode, if the key configuration of two devices in the M-LAG is
inconsistent, the alarm about key and common configuration inconsistency is
generated.
● Common configuration (Type 2): If the configurations of two devices in the
M-LAG are inconsistent, the M-LAG status may be abnormal. Compared with
the key configuration, the common configuration problem can be easily
detected and has less impact on the live network.
Regardless of the mode, if the following common configuration of two
devices in the M-LAG is inconsistent, the alarm about key and common
configuration inconsistency is generated.

Table 4-10 M-LAG consistency check list


| View | Configuration | Type |
|---|---|---|
| System view | Whether STP is enabled | Type 1 |
| System view | STP working mode | Type 1 |
| System view | Whether BPDU protection is enabled | Type 1 |
| System view | Mapping between VLANs and MSTIs. NOTE: The device checks the mapping between VLANs and MSTIs in STP process 0. | Type 1 |
| M-LAG member interface view | Whether STP is enabled | Type 1 |
| M-LAG member interface view | Whether root protection is enabled | Type 1 |
| M-LAG member interface view | LACP mode | Type 1 |
| System view | VLAN configuration | Type 2 |
| System view | Static MAC address entries: ● Static MAC address entry in which the interface is an M-LAG member interface ● Static MAC address entry of a VXLAN tunnel | Type 2 |
| System view | Aging time of dynamic MAC address entries | Type 2 |
| System view | Static ARP entries: ● Short static ARP entries ● Long static ARP entries: – If outbound interfaces are specified in static ARP entries, only the static ARP entries in which the outbound interfaces are M-LAG member interfaces are checked. – If the VLANs to which static ARP entries belong are specified, the VLAN IDs are compared. – If outbound interfaces and the VLANs to which static ARP entries belong are specified, the static ARP entries in which the outbound interfaces are M-LAG member interfaces and the VLAN IDs are compared. – Static ARP entry of an IPv4 VXLAN tunnel. NOTE: The switch cannot check short static ARP entries of a specified VPN instance. If the outbound interface of a long static ARP entry is an M-LAG member interface and is bound to a VPN instance or the VLANIF interface corresponding to the VLAN to which the outbound interface belongs is bound to a VPN instance, the switch cannot check the static ARP entry. | Type 2 |
| System view | Aging time of dynamic ARP entries | Type 2 |
| System view | Bridge Domain (BD) configuration: ● BD ID ● VNI associated with the BD | Type 2 |
| System view | VBDIF interface configuration: ● BD ID ● IPv4 address ● IPv6 address ● VRRP4 group ● MAC address ● Status. NOTE: The device only checks the virtual MAC address by default. For the IPv6 address and VRRP4 configuration, the consistency check takes effect only when the VBDIF interface is up. If the VBDIF interface is down, the preceding configurations do not take effect on the interface. | Type 2 |
| System view | VLANIF interface configuration: ● VLAN ID ● IPv4 address ● IPv6 address ● VRRP4 group ● VRRP6 group ● MAC address ● Status. NOTE: The device only checks the virtual MAC address by default. For the IPv6 address and VRRP4 configuration, the consistency check takes effect only when the VLANIF interface is up. If the VLANIF interface is down, the preceding configurations do not take effect on the interface. | Type 2 |
| M-LAG member interface view | STP priority | Type 2 |
| M-LAG member interface view | VLAN ID | Type 2 |
| M-LAG member interface view | Parameters | Type 2 |
| M-LAG member interface view | Number of member interfaces of the Eth-Trunk to which an M-LAG member interface belongs. NOTE: Only the numbers of member interfaces of Eth-Trunks are compared. The physical Up/Down status or bandwidth of member interfaces is not checked. | Type 2 |

Procedure
● Configure M-LAG consistency check.
a. Run system-view
The system view is displayed.
b. Run dfs-group dfs-group-id
A DFS group is created and its view is displayed, or the view of an
existing DFS group is displayed.
c. Run consistency-check enable mode { strict | loose }
M-LAG consistency check is enabled and a check mode is specified.
By default, M-LAG consistency check is disabled.
d. Run commit
The configuration is committed.
● Check the M-LAG consistency check status and configuration of devices in the
M-LAG.
– Run the display dfs-group command to check the M-LAG consistency
check result.
– Run the display dfs-group consistency-check { global | interface m-lag
m-lag-id | static-arp | static-mac } command to check the configuration
of M-LAG master and backup devices.
– Run the display dfs-group consistency-check status command to
display the running status of M-LAG consistency check.
----End

Exception Handling
● In loose mode, if the key or common configuration of two devices in the M-
LAG is inconsistent, either of the following alarms is triggered:
"ETRUNK_1.3.6.1.4.1.2011.5.25.178.8.2.1 hwMLagConsistencyCheckType1" and
"ETRUNK_1.3.6.1.4.1.2011.5.25.178.8.2.3 hwMLagConsistencyCheckType2".
When the configuration of two devices in the M-LAG is adjusted, M-LAG
consistency check is successful and the alarm is cleared.
● In strict mode, if the key configuration of two devices in the M-LAG is
inconsistent, member interfaces on the M-LAG backup device enter the Error-
Down state and the alarm about key configuration inconsistency is generated:
"ETRUNK_1.3.6.1.4.1.2011.5.25.178.8.2.1 hwMLagConsistencyCheckType1".
The device records the status of an interface as Error-Down when it detects
that a fault occurs. The interface in Error-Down state cannot receive or send
packets and the interface indicator is off. You can run the display error-down
recovery command to check information about all interfaces in Error-Down
state on the device.
When the interface enters the Error-Down state, adjust the configuration of
M-LAG master and backup devices. You are not advised to manually restore
the interface or run the error-down auto-recovery cause m-lag interval
interval-value command in the system view to enable the interface to go Up
automatically. Otherwise, excess packets, packet loss, or forwarding failure
may occur. Exercise caution when you perform the preceding operation.
If the M-LAG consistency check mode is set to strict mode and the system
detects that type 1 configurations of the two M-LAG devices are inconsistent,
it is recommended that the device administrator immediately adjust the
configurations, and it is not recommended that the device administrator
restart the devices. If type 1 configurations are inconsistent, member
interfaces on the M-LAG backup device enter the Error-Down state and the
alarm about type 1 configuration inconsistency is generated.

If the administrator does not adjust the configurations and restarts the M-
LAG master device, interfaces on the M-LAG backup device may enter the
Error-Down state because of type 1 configuration inconsistency during re-
negotiation between M-LAG devices when the master device is recovering. In
this case, M-LAG member interfaces on the M-LAG master device go Up after
a delay. As a result, both the M-LAG master and backup devices fail to
forward traffic, and services are interrupted.

----End
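
The following Python example is added here and is not part of the Huawei guide. It compares the Type 1 and Type 2 items of two M-LAG devices before consistency check is enabled and reports what strict or loose mode would do. The dictionary layout, field names, and sample values are constructed, only a subset of the Type 2 items in Table 4-10 is modeled, and mapping a Type 2 difference to the hwMLagConsistencyCheckType2 alarm is this example's reading of the Exception Handling text.

```python
import copy

ALARM_TYPE1 = "hwMLagConsistencyCheckType1"
ALARM_TYPE2 = "hwMLagConsistencyCheckType2"

# Items taken from Table 4-10; the field names are hypothetical.
TYPE1_KEYS = {
    "system": ("stp_enabled", "stp_mode", "bpdu_protection", "vlan_msti_map"),
    "m-lag": ("stp_enabled", "root_protection", "lacp_mode"),
}
TYPE2_KEYS = {
    "system": ("vlans", "static_mac", "mac_aging_time", "arp_aging_time"),
    "m-lag": ("stp_priority", "vlan_ids", "trunk_member_count"),
}


def differences(master, backup, keys):
    """List the items in `keys` whose values differ between the two devices."""
    diffs = []
    for key in keys["system"]:
        if master["system"].get(key) != backup["system"].get(key):
            diffs.append(f"system: {key}")
    # An M-LAG ID present on only one device differs in every configured item.
    for mlag_id in sorted(set(master["m-lag"]) | set(backup["m-lag"])):
        m_view = master["m-lag"].get(mlag_id, {})
        b_view = backup["m-lag"].get(mlag_id, {})
        for key in keys["m-lag"]:
            if m_view.get(key) != b_view.get(key):
                diffs.append(f"m-lag {mlag_id}: {key}")
    return diffs


def consistency_check(master, backup, mode):
    """Predict the result of consistency-check enable mode { strict | loose }."""
    if mode not in ("strict", "loose"):
        raise ValueError(f"unknown mode {mode!r}")
    type1 = differences(master, backup, TYPE1_KEYS)
    type2 = differences(master, backup, TYPE2_KEYS)
    alarms = []
    if type1:
        alarms.append(ALARM_TYPE1)
    if type2:
        alarms.append(ALARM_TYPE2)
    return {
        "type1": type1,
        "type2": type2,
        "alarms": alarms,
        # Only strict mode with a Type 1 mismatch puts the backup device's
        # M-LAG member interfaces into Error-Down state.
        "backup_member_error_down": mode == "strict" and bool(type1),
    }


def sample_pair():
    """Two independent copies of one constructed, consistent configuration."""
    base = {
        "system": {
            "stp_enabled": True, "stp_mode": "rstp", "bpdu_protection": True,
            "vlan_msti_map": {}, "vlans": [10, 20], "static_mac": [],
            "mac_aging_time": 300, "arp_aging_time": 1200,
        },
        "m-lag": {
            1: {"stp_enabled": True, "root_protection": False, "lacp_mode": "static",
                "stp_priority": 128, "vlan_ids": [10, 20], "trunk_member_count": 2},
        },
    }
    return copy.deepcopy(base), copy.deepcopy(base)


if __name__ == "__main__":
    master, backup = sample_pair()
    backup["system"]["stp_mode"] = "stp"            # Type 1 mismatch
    backup["m-lag"][1]["trunk_member_count"] = 4    # Type 2 mismatch
    for mode in ("loose", "strict"):
        print(mode, consistency_check(master, backup, mode))
```

Running the comparison in loose mode first shows the Type 1 differences that strict mode would turn into Error-Down member interfaces on the backup device.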

4.7.5 Configuring an Interface as a Peer-link Interface

Context
A peer-link is a direct aggregated link between two devices configured with M-
LAG. It is used to exchange protocol packets and transmit some traffic, and
ensures normal running of M-LAG.

Prerequisites
The direct link between two devices configured with M-LAG has been configured
as an aggregated link.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface eth-trunk trunk-id

The Eth-Trunk interface view is displayed.

Step 3 Run trunkport interface-type { interface-number1 [ to interface-number2 ] } &<1-n>

A member interface is added to the Eth-Trunk.

When you add member interfaces to an Eth-Trunk in a batch, if one interface
cannot be added to the Eth-Trunk, all subsequent interfaces in the batch cannot
be added to the Eth-Trunk, either.

NOTE

For the CE5810EI, the value of n is 8. For the CE5880EI and CE6880EI, the value of n is 64. For
other models, the value of n depends on the assign forward eth-trunk mode command.

Step 4 Run mode lacp-static

The Eth-Trunk is configured to work in static LACP mode.

By default, an Eth-Trunk works in manual load balancing mode. To ensure M-LAG
reliability, you are advised to configure the Eth-Trunk to work in static LACP mode.

Step 5 Run stp enable


STP is enabled on the interface.
By default, STP is enabled on an interface.
Step 6 (Optional) Run stp binding process process-id1 [ to process-id2 ] link-share
The peer-link is configured in link-share mode and the port is added to multiple
STP processes to complete STP calculation.
Step 7 Run peer-link peer-link-id
The interface is configured as a peer-link interface.
By default, no interface is configured as a peer-link interface.
● An interface configured as a peer-link interface joins all VLANs by default.
● An interface configured as a peer-link interface cannot be configured with any
service.
● If the ERPS control VLAN, TRILL carrier VLAN, Super-VLAN, or FCoE VLAN
needs to be configured, perform Step 7 to remove the peer-link interface
from the control VLAN, carrier VLAN, Super-VLAN, or FCoE VLAN. Otherwise,
the control VLAN, carrier VLAN, Super-VLAN, or FCoE VLAN cannot be
configured.
● If the network-side VLANIF interface is configured, perform Step 7 to remove
the peer-link interface from the VLAN. Otherwise, heartbeat detection may
not take effect.
Step 8 (Optional) Run port vlan exclude { { vlan-id1 [ to vlan-id2 ] } &<1-10> }
The VLANs not allowed by the peer-link interface are specified.
By default, no allowed VLAN is specified on a peer-link interface.
Step 9 Run commit
The configuration is committed.

----End

4.7.6 Configuring an M-LAG Member Interface


Prerequisites
The links between a user-side device and two devices configured with M-LAG have
been configured as aggregated links. To improve reliability and prevent incorrect
configurations or loops during M-LAG configuration, you are advised to configure
link aggregation in LACP mode.

Procedure
● When the Eth-Trunk works in manual load balancing mode, perform the
following operations.
a. Run system-view
The system view is displayed.

Issue 09 (2021-06-03) Copyright © Huawei Technologies Co., Ltd. 255


CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Configuration Guide - Ethernet Switching 4 M-LAG Configuration

b. Run interface eth-trunk trunk-id


The Eth-Trunk interface view is displayed.
c. Run trunkport interface-type { interface-number1 [ to interface-number2 ] } &<1-n>
A member interface is added to the Eth-Trunk.
When you add member interfaces to an Eth-Trunk in a batch, if one
interface cannot be added to the Eth-Trunk, all subsequent interfaces in
the batch cannot be added to the Eth-Trunk, either.

NOTE

For the CE5810EI, the value of n is 8. For the CE5880EI and CE6880EI, the value of n
is 64. For other models, the value of n depends on the assign forward eth-trunk
mode command.
d. Run dfs-group dfs-group-id m-lag m-lag-id
The Eth-Trunk is bound to a DFS group, that is, the Eth-Trunk is
configured as an M-LAG member interface.

NOTE

The two devices configured with M-LAG must use the same M-LAG ID.
e. (Optional) Run stp binding process process-id
The port is added to the specified MSTP process.
After STP multi-process is enabled, some M-LAG member interfaces on
M-LAG devices can be managed in each process. Devices perform STP
calculation based on processes, and the interfaces that are not in
processes do not participate in STP calculation of processes. The M-LAG
member port is added to the specified MSTP process.

▪ When M-LAG member interfaces in different processes belong to the
same BD and the peer-link interface is faulty, loops may occur. To
address this issue, assign M-LAG member interfaces in different
processes to different BDs.

▪ Before the MSTP process of an M-LAG member interface is switched, run
the shutdown command to disable the interface, and do not configure
services on it. After the process is switched, run the undo shutdown
command to enable the interface, and then configure services.
f. Run commit
The configuration is committed.
● (Recommended) When the Eth-Trunk works in LACP mode, perform the
following operations.
a. Run system-view
The system view is displayed.
b. Run interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.

c. Run trunkport interface-type { interface-number1 [ to interface-number2 ] } &<1-n>
A member interface is added to the Eth-Trunk.
When you add member interfaces to an Eth-Trunk in a batch, if one
interface cannot be added to the Eth-Trunk, all subsequent interfaces in
the batch cannot be added to the Eth-Trunk, either.

NOTE

For the CE5810EI, the value of n is 8. For the CE5880EI and CE6880EI, the value of n
is 64. For other models, the value of n depends on the assign forward eth-trunk
mode command.
d. Run mode { lacp-static | lacp-dynamic }
The Eth-Trunk is configured to work in LACP mode.
e. Run dfs-group dfs-group-id m-lag m-lag-id
The Eth-Trunk is bound to a DFS group, that is, the Eth-Trunk is
configured as an M-LAG member interface.

NOTE

The two devices configured with M-LAG must use the same M-LAG ID.
f. (Optional) Run stp binding process process-id
The port connected to the access link is added to the specified MSTP
process.
After STP multi-process is enabled, some M-LAG member interfaces on
M-LAG devices can be managed in each process. Devices perform STP
calculation based on processes, and the interfaces that are not in
processes do not participate in STP calculation of processes. The M-LAG
member port is added to the specified MSTP process.

▪ When M-LAG member interfaces in different processes belong to the
same BD and the peer-link interface is faulty, loops may occur. To
address this issue, assign M-LAG member interfaces in different
processes to different BDs.

▪ Before the MSTP process of an M-LAG member interface is switched, run
the shutdown command to disable the interface, and do not configure
services on it. After the process is switched, run the undo shutdown
command to enable the interface, and then configure services.
g. (Optional) Configure the LACP M-LAG system priority and system ID.

▪ Run the quit command to exit from the Eth-Trunk interface view.
NOTE

After the DFS pairing succeeds in V200R001C00 and later versions, the
master device automatically synchronizes its LACP M-LAG system priority
and system ID to the backup device. The M-LAG member interface of the
backup device uses the synchronized LACP M-LAG system priority and
system ID to perform LACP negotiation. You do not need to manually
configure the LACP M-LAG system priority and system ID.

▪ Run the lacp m-lag priority priority command to set the LACP M-LAG
system priority.
The default LACP M-LAG system priority is 32768.
○ The LACP M-LAG system priority is valid for the M-LAG
composed of an Eth-Trunk in LACP mode, whereas the LACP
system priority configured by the lacp priority command is valid
for an Eth-Trunk in LACP mode.
○ The LACP M-LAG system priority configured in the Eth-Trunk
interface view takes effect only on the Eth-Trunk. When DFS
pairing succeeds, the M-LAG master device does not synchronize
the LACP M-LAG system priority of the Eth-Trunk to the M-LAG
backup device. Therefore, the LACP M-LAG system priority of an
Eth-Trunk must be configured on both the M-LAG master and
backup devices and be the same.

▪ Run the lacp m-lag system-id mac-address command to set the
LACP M-LAG system ID.
By default, the LACP M-LAG system ID in the system view is the MAC
address of the Ethernet interface on the MPU.
○ The LACP M-LAG system ID is valid for the M-LAG composed of
an Eth-Trunk in LACP mode.
○ The LACP M-LAG system ID configured in the Eth-Trunk
interface view takes effect only on the Eth-Trunk. When DFS
pairing succeeds, the M-LAG master device does not synchronize
the LACP M-LAG system ID of the Eth-Trunk to the M-LAG
backup device. Therefore, the LACP M-LAG system ID of an Eth-
Trunk must be configured on both the M-LAG master and
backup devices and be the same.
○ You are advised to use the smaller MAC address on the M-LAG
master and backup devices as the LACP M-LAG system ID.
h. Run commit

The configuration is committed.

----End

4.7.7 (Optional) Configuring the Dual-Active Gateway

Prerequisites
The M-LAG member interface has been added to the corresponding VLAN, or the
Layer 2 sub-interface of the Eth-Trunk to which the M-LAG member interface
belongs has been added to the corresponding BD.

Context
On a dual-homing IP or VXLAN network, both the M-LAG master and backup
devices need to function as Layer 3 gateways. In this case, VLANIF/VBDIF
interfaces corresponding to M-LAG member interfaces must have the same IP
address and MAC address. You can configure the same IP address and run the
mac-address command to configure the same virtual MAC address for the
VLANIF/VBDIF interfaces.

Procedure
● Configure an IP address and a MAC address for a VLANIF/VBDIF interface to
implement dual-active gateway.
a. Run system-view
The system view is displayed.
b. Run interface { vlanif vlan-id | vbdif bd-id }
The VLANIF or VBDIF interface view is displayed.
c. Configure an IP address for the interface:

▪ On IPv4 networks, run ip address ip-address { mask | mask-length } [ sub ]
An IPv4 address is configured for the VLANIF/VBDIF interface.

▪ On IPv6 networks, perform the following operations:
1) Run ipv6 enable
IPv6 is enabled for the VLANIF/VBDIF interface.
2) Run ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
Or run ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } eui-64
A global unicast address is configured for the VLANIF/VBDIF
interface.

An IP address is assigned to the VLANIF/VBDIF interface.
By default, no IP address is configured for an interface.
VLANIF/VBDIF interfaces corresponding to M-LAG member interfaces of
M-LAG master and backup devices must be configured with the same IP
address.
d. Run mac-address (VLANIF interface view) mac-address
Or run mac-address (VBDIF interface view) mac-address
A virtual MAC address is configured for the VLANIF/VBDIF interface.
By default, the MAC address of a VLANIF/VBDIF interface is the same as
the system MAC address.
VLANIF/VBDIF interfaces corresponding to M-LAG member interfaces of
M-LAG master and backup devices must be configured with the same
virtual MAC address.
e. (Optional) Run protocol up-delay-time time-value
The delay before the Layer 3 protocol status of an interface can go Up is
set.
By default, the delay before the Layer 3 protocol status of a VLANIF
interface can go Up is 1s. When there are many ARP entries, the delay is
increased.
When the faulty device or peer-link recovers, many ARP entries need to
be synchronized in a batch. You can configure the delay so that the
protocol status of the interface goes Up after ARP entries are
synchronized. This prevents protocol packets from being discarded,
reduces the packet loss during link recovery, and improves convergence
performance.

NOTE

After a switch restarts or a card resets, the physical status of an interface
changes to Up, but the upper-layer protocol modules do not meet forwarding
requirements, resulting in packet loss. To ensure the revertive switching
performance, the default delay for an M-LAG member interface to report the Up
event is 240 seconds. If a delay after which the Layer 3 protocol status changes
to Up is configured on a VLANIF interface, ensure that the delay for an M-LAG
member interface to report the Up event is longer than the delay configured on
the VLANIF interface. Otherwise, triggering of learning for ND entries that fail to
be synchronized depends on ND Miss messages.
f. Run commit
The configuration is committed.

----End

4.7.8 (Optional) Configuring the Interface Status When the Peer-Link Fails

Context
On a dual-homing Ethernet, VXLAN, or IP network where M-LAG is deployed,
when the peer-link fails but the DAD status is normal, interfaces except the
management interface, peer-link interface, and stack interface on the backup
device all enter the Error-Down state. When the faulty peer-link is restored, the M-
LAG interface in Error-Down state goes Up after 240 seconds by default and other
interfaces in Error-Down state go Up automatically.
In practice, uplink interfaces running routing protocols or DAD-enabled heartbeat
interfaces should not enter the Error-Down state. You can configure whether an
interface enters the Error-Down state according to the actual situation.
Table 4-11 describes the Error-Down state of interfaces when the peer-link fails
but the DAD status is normal.

Table 4-11 Error-Down state of interfaces when the peer-link fails but the DAD
status is normal

| Device Configuration | Ethernet, VXLAN, or IP Network Where M-LAG Is Deployed |
|---|---|
| Default setting | Interfaces except the management interface, peer-link interface, and stack interface on the backup device all enter the Error-Down state. |
| Device where m-lag unpaired-port suspend is configured | Only the M-LAG member interface and the interface configured with m-lag unpaired-port suspend are in Error-Down state. |
| Device where m-lag unpaired-port reserved is configured | Interfaces except the interface configured with m-lag unpaired-port reserved, management interface, peer-link interface, and stack interface on the backup device all enter the Error-Down state. |
| Device where both m-lag unpaired-port suspend and m-lag unpaired-port reserved are configured | Only the M-LAG member interface and the interface configured with m-lag unpaired-port suspend are in Error-Down state. |

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number

The interface view is displayed.

Step 3 Run m-lag unpaired-port reserved

The interface is configured not to enter the Error-Down state when the peer-link
fails but the DAD status is normal.

● You can configure m-lag unpaired-port suspend on other interfaces of the
backup device so that the specified interfaces automatically enter the
Error-Down state when the peer-link fails but the DAD status is normal.
● You are advised to configure this command on interfaces of both the M-LAG
master and backup devices so that the Error-Down state of interfaces is
consistent after an active/standby switchover of the M-LAG master and
backup devices.
● This command cannot be configured on the peer-link interface or M-LAG
member interfaces.

Step 4 Run commit

The configuration is committed.

----End
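
The rules of Table 4-11 can be checked before a change window with the following Python model. It is an added example, not part of the guide; the interface inventory, the role labels and the keep_up flag (the planner's mark for routed uplinks and DAD heartbeat links) are constructed assumptions.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Roles that Table 4-11 lists as never entering Error-Down on the backup device.
EXEMPT_ROLES = {"management", "peer-link", "stack"}


@dataclass(frozen=True)
class Interface:
    name: str
    role: str = "other"             # management | peer-link | stack | m-lag | other
    unpaired: Optional[str] = None  # "reserved", "suspend", or None (not configured)
    keep_up: bool = False           # assumption: planner wants this link to stay Up


def validate(interfaces):
    """Return configuration errors that the procedure rules out."""
    errors = []
    for intf in interfaces:
        if intf.unpaired not in (None, "reserved", "suspend"):
            errors.append(f"{intf.name}: unknown option {intf.unpaired!r}")
        # Step 3: 'reserved' cannot be configured on peer-link or M-LAG member interfaces.
        if intf.unpaired == "reserved" and intf.role in ("peer-link", "m-lag"):
            errors.append(f"{intf.name}: reserved is not allowed on a {intf.role} interface")
    return errors


def error_down_on_backup(interfaces):
    """Names of backup-device interfaces that enter Error-Down (Table 4-11)."""
    # Rows 2 and 4: once any interface carries 'suspend', only M-LAG members and
    # the 'suspend' interfaces go down, whether or not 'reserved' is also present.
    suspend_mode = any(intf.unpaired == "suspend" for intf in interfaces)
    down = []
    for intf in interfaces:
        if intf.role in EXEMPT_ROLES:
            continue
        if suspend_mode:
            hit = intf.role == "m-lag" or intf.unpaired == "suspend"
        else:
            # Rows 1 and 3: everything else goes down unless marked 'reserved'.
            hit = intf.unpaired != "reserved"
        if hit:
            down.append(intf.name)
    return down


def at_risk(interfaces):
    """Interfaces the planner wants to keep Up that would still go Error-Down."""
    down = set(error_down_on_backup(interfaces))
    return [intf.name for intf in interfaces if intf.keep_up and intf.name in down]


def with_option(interfaces, name, option):
    """Copy of the inventory with one interface's unpaired-port option changed."""
    return [replace(i, unpaired=option) if i.name == name else i for i in interfaces]


# Constructed backup-device inventory (interface names are illustrative).
BACKUP = [
    Interface("MEth0/0/0", role="management"),
    Interface("Eth-Trunk0", role="peer-link"),
    Interface("Eth-Trunk1", role="m-lag"),
    Interface("Eth-Trunk2", keep_up=True),   # routed uplink
    Interface("10GE1/0/7"),                  # ordinary single-homed port
]

if __name__ == "__main__":
    cases = [("default", BACKUP),
             ("reserved on uplink", with_option(BACKUP, "Eth-Trunk2", "reserved")),
             ("suspend on 10GE1/0/7", with_option(BACKUP, "10GE1/0/7", "suspend"))]
    for label, inventory in cases:
        print(f"{label}: down={error_down_on_backup(inventory)} at_risk={at_risk(inventory)}")
```

A non-empty at_risk result means an uplink or heartbeat link would be shut down on the backup device when the peer-link fails, which is the situation the reserved and suspend options exist to avoid.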

4.7.9 (Optional) Enabling Enhanced M-LAG Layer 3 Forwarding in an IPv6 Scenario

Context
To speed up convergence when an M-LAG member interface fails in an IPv6
scenario, you can enable enhanced M-LAG Layer 3 forwarding so that backup FRR
resources are requested for all ND entries with M-LAG member interfaces as
outbound interfaces. Active and standby paths are established for traffic
forwarding on downlink outbound interfaces. If an M-LAG member interface fails,
the outbound interface can be quickly changed to a peer-link interface.

NOTE

CE6810LI, CE5880EI, and CE6880EI switches do not support enhanced M-LAG Layer 3
forwarding in an IPv6 scenario.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run m-lag forward layer-3 enhanced enable
Enhanced M-LAG Layer 3 forwarding is enabled in an IPv6 scenario.
By default, enhanced M-LAG Layer 3 forwarding is disabled in an IPv6 scenario.
After enhanced M-LAG Layer 3 forwarding is enabled in an IPv6 scenario, backup
FRR resources are requested for all ND entries with M-LAG member interfaces as
outbound interfaces. The outbound interfaces can be changed to peer-link
interfaces to establish active and standby paths for traffic forwarding. If the FEI
side detects that an M-LAG member interface fails, dual-homing networking is
changed to single-homing networking. The next hop in the corresponding ND
entry is changed from the M-LAG member interface to the peer-link interface. This
improves the switchover performance when faults occur.

NOTE

● After enhanced M-LAG Layer 3 forwarding is enabled in an IPv6 scenario, the active and
standby paths may fail to be delivered due to increased next-hop resource consumption.
As a result, packet loss occurs.
● After enhanced M-LAG Layer 3 forwarding is enabled in an IPv6 scenario, the TTL value
decreases by 1 on the M-LAG master and backup devices because packets are forwarded
inside the M-LAG.
● After enhanced M-LAG Layer 3 forwarding is enabled, you need to configure an
Eth-Trunk interface to clear all the learned ND entries when the Eth-Trunk joins
or is removed from the M-LAG. This prevents the upper-layer protocol module from
detecting the waste of FRR resources caused by the change of M-LAG member
interfaces.
● After enhanced M-LAG Layer 3 forwarding is enabled, you can disable this function only
after 300s. After enhanced M-LAG Layer 3 forwarding is disabled, you can enable this
function only after 300s.

Step 3 Run commit


The configuration is committed.

----End

4.7.10 Verifying the Configuration of M-LAG Configured Through V-STP

Procedure
● Run the display dfs-group dfs-group-id [ node node-id m-lag [ brief ] |
peer-link ] command to check M-LAG information.
● Run the display stp [ process process-id ] v-stp command to check the V-STP
status and statistics.
----End

Follow-up Procedure
After M-LAG is configured, if the peer-link fails but the heartbeat status is normal,
some interfaces on the backup device will enter the Error-Down state. The device
records the status of an interface as Error-Down when it detects that a fault
occurs. The interface in Error-Down state cannot receive or send packets and the
interface indicator is off. You can run the display error-down recovery command
to check information about all interfaces in Error-Down state on the device.
When M-LAG is used for dual-homing to an Ethernet, VXLAN, or IP network
and the peer-link fails but the heartbeat is normal, all physical interfaces
except the management interface, peer-link interface, and stack interface on the
backup device will enter the Error-Down state. When the peer-link recovers, the
M-LAG interface in Error-Down state becomes Up after 2 minutes by default, and the
physical interfaces in Error-Down state are restored to Up state.
When the interface enters the Error-Down state, locate the cause. You are not
advised to manually restore the interface or run the error-down auto-recovery
cause m-lag interval interval-value command in the system view to enable the
interface to go Up automatically. Otherwise, packet loss or forwarding failure may
occur. Exercise caution when you perform the preceding operation.

4.8 Maintaining M-LAG

4.8.1 Monitoring the M-LAG Operating Status

Context
When monitoring the M-LAG operating status, you can check the causes of M-LAG
faults to help locate them.

Procedure
Step 1 Run the display m-lag troubleshooting [ history ] command to check causes for
the M-LAG faults.

This command can display the causes of a maximum of 100 recent faults.

----End

4.8.2 Clearing M-LAG Historical Fault Event Information

Context
Before you check causes of M-LAG faults within a certain period, clear the existing
historical fault event information on the device.
NOTE

The historical fault event information about M-LAG faults cannot be restored after being
cleared. Confirm your operation before clearing the historical fault event information.

Procedure
● Run the reset m-lag troubleshooting history command in the user view to
clear historical fault event information about M-LAG faults.

----End

4.9 Configuration Examples for M-LAG


This section only provides configuration examples for individual features. For
details about multi-feature configuration examples, feature-specific configuration
examples, interoperation examples, protocol or hardware replacement examples,
and industry application examples, see the Typical Configuration Examples.

4.9.1 Example for Deploying M-LAG to Connect the Device to an Ethernet Network in Dual-Homing Mode Through the Root Bridge

Networking Requirements
As shown in Figure 4-22, a server is dual-homed to an Ethernet network through
M-LAG. The customer requires high service reliability. Link aggregation between
the server and devices only achieves link-level reliability, and a fault on a device
may cause service interruption. M-LAG can be configured. When devices work
properly, links load balance traffic and a fault of any device does not affect
services. High service reliability is therefore ensured. On an Ethernet network, the
blocked interface cannot transmit heartbeat packets of M-LAG master and backup
devices; therefore, a DFS group is configured and bound to the IP address of the
management interface to ensure that heartbeat packets of M-LAG master and
backup devices can be transmitted normally.

Figure 4-22 Networking for dual-homing the M-LAG to a common Ethernet network

[Figure: the server is dual-homed to SwitchA and SwitchB, which are connected by peer-link 1; SwitchA connects upstream to SwitchC and SwitchB to SwitchD on the Ethernet network.]

Configuration Roadmap
1. Configure SwitchA and SwitchB as the root bridge and configure the same
bridge ID to ensure that M-LAG master and backup devices are used as root
bridges.
2. Configure IP addresses for management interfaces on SwitchA and SwitchB to
ensure Layer 3 connectivity and transmission of heartbeat packets of M-LAG
master and backup devices.
3. Configure M-LAG on SwitchA and SwitchB so that the server is dual-homed to
SwitchA and SwitchB.
4. Create VLANIF interfaces on SwitchC and SwitchD and configure IP addresses
for the VLANIF interfaces. Create VRRP groups on the VLANIF interfaces and
configure VRRP groups as gateways of M-LAG master and backup devices.

Procedure
Step 1 Configure SwitchA and SwitchB as root bridges and configure the same bridge ID
for them.
NOTE

If the two devices that constitute an M-LAG connect to downstream switching devices, you must
configure root protection.

# Configure SwitchA.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[*HUAWEI] commit
[~SwitchA] stp root primary
[*SwitchA] stp bridge-address 39-39-39
[*SwitchA] interface eth-trunk 1
[*SwitchA-Eth-Trunk1] trunkport 10ge 1/0/5
[*SwitchA-Eth-Trunk1] trunkport 10ge 1/0/6
[*SwitchA-Eth-Trunk1] stp edged-port enable
[*SwitchA-Eth-Trunk1] commit
[~SwitchA-Eth-Trunk1] quit

# Configure SwitchB.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchB
[*HUAWEI] commit
[~SwitchB] stp root primary
[*SwitchB] stp bridge-address 39-39-39
[*SwitchB] interface eth-trunk 1
[*SwitchB-Eth-Trunk1] trunkport 10ge 1/0/5
[*SwitchB-Eth-Trunk1] trunkport 10ge 1/0/6
[*SwitchB-Eth-Trunk1] stp edged-port enable
[*SwitchB-Eth-Trunk1] commit
[~SwitchB-Eth-Trunk1] quit

Step 2 Configure IP addresses for management interfaces on SwitchA and SwitchB.


# Configure SwitchA.
[~SwitchA] interface meth 0/0/0
[~SwitchA-MEth0/0/0] ip address 10.1.1.1 24
[*SwitchA-MEth0/0/0] quit
[*SwitchA] commit

# Configure SwitchB.
[~SwitchB] interface meth 0/0/0
[~SwitchB-MEth0/0/0] ip address 10.1.1.2 24
[*SwitchB-MEth0/0/0] quit
[*SwitchB] commit

Step 3 Create a DFS group and bind IP addresses of management interfaces to the DFS
group on SwitchA and SwitchB.
Configure IP addresses for management interfaces on SwitchA and SwitchB to
ensure Layer 3 connectivity.
# Configure SwitchA.
[~SwitchA] dfs-group 1
[*SwitchA-dfs-group-1] source ip 10.1.1.1
[*SwitchA-dfs-group-1] priority 150
[*SwitchA-dfs-group-1] quit
[*SwitchA] commit

# Configure SwitchB.
[~SwitchB] dfs-group 1
[*SwitchB-dfs-group-1] source ip 10.1.1.2
[*SwitchB-dfs-group-1] priority 120
[*SwitchB-dfs-group-1] quit
[*SwitchB] commit

Step 4 Configure the link between SwitchA and SwitchB as a peer-link.


# Configure SwitchA.
[~SwitchA] interface eth-trunk 0
[*SwitchA-Eth-Trunk0] trunkport 10ge 1/0/3
[*SwitchA-Eth-Trunk0] trunkport 10ge 1/0/4
[*SwitchA-Eth-Trunk0] undo stp enable
[*SwitchA-Eth-Trunk0] mode lacp-static
[*SwitchA-Eth-Trunk0] peer-link 1
[*SwitchA-Eth-Trunk0] quit
[*SwitchA] commit

# Configure SwitchB.
[~SwitchB] interface eth-trunk 0
[*SwitchB-Eth-Trunk0] trunkport 10ge 1/0/3
[*SwitchB-Eth-Trunk0] trunkport 10ge 1/0/4
[*SwitchB-Eth-Trunk0] undo stp enable
[*SwitchB-Eth-Trunk0] mode lacp-static
[*SwitchB-Eth-Trunk0] peer-link 1
[*SwitchB-Eth-Trunk0] quit
[*SwitchB] commit

Step 5 Add Eth-Trunks that connect SwitchA and SwitchB to the server to VLAN 11 and
bind the Eth-Trunks to the DFS group.
The uplink interface of the server connected to the switch needs to be bound to
an aggregation link, and the link aggregation modes on the server and switch
must be consistent.
# Configure SwitchA.
[~SwitchA] vlan batch 11
[*SwitchA] interface eth-trunk 1
[*SwitchA-Eth-Trunk1] mode lacp-dynamic
[*SwitchA-Eth-Trunk1] port link-type access
[*SwitchA-Eth-Trunk1] port default vlan 11
[*SwitchA-Eth-Trunk1] dfs-group 1 m-lag 1
[*SwitchA-Eth-Trunk1] quit
[*SwitchA] commit

# Configure SwitchB.
[~SwitchB] vlan batch 11
[*SwitchB] interface eth-trunk 1
[*SwitchB-Eth-Trunk1] mode lacp-dynamic
[*SwitchB-Eth-Trunk1] port link-type access
[*SwitchB-Eth-Trunk1] port default vlan 11
[*SwitchB-Eth-Trunk1] dfs-group 1 m-lag 1
[*SwitchB-Eth-Trunk1] quit
[*SwitchB] commit

Step 6 Configure the links between SwitchA and SwitchC and between SwitchB and
SwitchD as aggregated links, and configure interface types and allowed VLANs.
# Configure SwitchA.
[~SwitchA] interface eth-trunk 2
[*SwitchA-Eth-Trunk2] mode lacp-static
[*SwitchA-Eth-Trunk2] port link-type trunk
[*SwitchA-Eth-Trunk2] port trunk allow-pass vlan 11
[*SwitchA-Eth-Trunk2] trunkport 10ge 1/0/1
[*SwitchA-Eth-Trunk2] trunkport 10ge 1/0/2
[*SwitchA-Eth-Trunk2] quit
[*SwitchA] commit

# Configure SwitchB.
[~SwitchB] interface eth-trunk 2
[*SwitchB-Eth-Trunk2] mode lacp-static
[*SwitchB-Eth-Trunk2] port link-type trunk
[*SwitchB-Eth-Trunk2] port trunk allow-pass vlan 11
[*SwitchB-Eth-Trunk2] trunkport 10ge 1/0/1
[*SwitchB-Eth-Trunk2] trunkport 10ge 1/0/2
[*SwitchB-Eth-Trunk2] quit
[*SwitchB] commit

# Configure SwitchC.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchC
[*HUAWEI] commit
[~SwitchC] vlan batch 11
[*SwitchC] interface eth-trunk 2
[*SwitchC-Eth-Trunk2] mode lacp-static
[*SwitchC-Eth-Trunk2] port link-type trunk
[*SwitchC-Eth-Trunk2] port trunk allow-pass vlan 11
[*SwitchC-Eth-Trunk2] trunkport 10ge 1/0/1
[*SwitchC-Eth-Trunk2] trunkport 10ge 1/0/2
[*SwitchC-Eth-Trunk2] quit
[*SwitchC] commit

# Configure SwitchD.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchD
[*HUAWEI] commit
[~SwitchD] vlan batch 11
[*SwitchD] interface eth-trunk 2
[*SwitchD-Eth-Trunk2] mode lacp-static
[*SwitchD-Eth-Trunk2] port link-type trunk
[*SwitchD-Eth-Trunk2] port trunk allow-pass vlan 11
[*SwitchD-Eth-Trunk2] trunkport 10ge 1/0/1
[*SwitchD-Eth-Trunk2] trunkport 10ge 1/0/2
[*SwitchD-Eth-Trunk2] quit
[*SwitchD] commit

Step 7 Create VLANIF interfaces on SwitchC and SwitchD and configure IP addresses for
the VLANIF interfaces. Create VRRP groups on the VLANIF interfaces.
# Configure VRRP group 1 on SwitchC and set the priority of SwitchC to 120.
[~SwitchC] interface vlanif 11
[*SwitchC-Vlanif11] ip address 10.2.1.1 24
[*SwitchC-Vlanif11] vrrp vrid 1 virtual-ip 10.2.1.111
[*SwitchC-Vlanif11] vrrp vrid 1 priority 120
[*SwitchC-Vlanif11] quit
[*SwitchC] commit

# Configure VRRP group 1 on SwitchD. SwitchD uses default priority 100.
[~SwitchD] interface vlanif 11
[*SwitchD-Vlanif11] ip address 10.2.1.2 24
[*SwitchD-Vlanif11] vrrp vrid 1 virtual-ip 10.2.1.111
[*SwitchD-Vlanif11] quit
[*SwitchD] commit

Step 8 Verify the configuration.

● Run the display dfs-group command to check M-LAG information.


# Check information about the M-LAG with DFS group 1.
[~SwitchA] display dfs-group 1 m-lag
* : Local node
Heart beat state : OK
Node 1 *
Dfs-Group ID : 1
Priority : 150
Address : ip address 10.1.1.1
State : Master
Causation :-
System ID : 0025-9e95-7c31
SysName : SwitchA
Version : V100R006C00
Device Type : CE6850EI
Node 2
Dfs-Group ID : 1
Priority : 120
Address : ip address 10.1.1.2
State : Backup
Causation :-
System ID : 0025-9e95-7c11
SysName : SwitchB
Version : V100R006C00
Device Type : CE6850EI
# Check M-LAG information on SwitchA.
[~SwitchA] display dfs-group 1 node 1 m-lag brief
* - Local node

M-Lag ID Interface Port State Status Consistency-check


1 Eth-Trunk 1 Up active(*)-active --

Failed reason:
1 -- Relationship between vlan and port is inconsistent
2 -- STP configuration under the port is inconsistent
3 -- STP port priority configuration is inconsistent
4 -- LACP mode of M-LAG is inconsistent
5 -- M-LAG configuration is inconsistent
6 -- The number of M-LAG members is inconsistent
# Check M-LAG information on SwitchB.
[~SwitchA] display dfs-group 1 node 2 m-lag brief
* - Local node

M-Lag ID Interface Port State Status Consistency-check


1 Eth-Trunk 1 Up active-active(*) --

Failed reason:
1 -- Relationship between vlan and port is inconsistent
2 -- STP configuration under the port is inconsistent
3 -- STP port priority configuration is inconsistent
4 -- LACP mode of M-LAG is inconsistent
5 -- M-LAG configuration is inconsistent
6 -- The number of M-LAG members is inconsistent
In the preceding command outputs, the value of Heart beat state is OK,
indicating that the heartbeat is normal. SwitchA is used as Node 1, its priority
is 150, and its status is Master. SwitchB is used as Node 2, its priority is 120,
and its status is Backup. The value of Causation is -, the values of Port
State of Node 1 and Node 2 are both Up, and the M-LAG status of Node 1
and Node 2 are both active, indicating that the M-LAG configuration is correct.
● Run the display vrrp command on SwitchC and SwitchD. You can see that
SwitchC is in Master state and SwitchD is in Backup state.

[~SwitchC] display vrrp verbose


Vlanif11 | Virtual Router 1
State : Master
Virtual IP : 10.2.1.111
Master IP : 10.2.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 0s Remain : --
TimerRun : 1s
TimerConfig : 1s
Auth Type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config Type : Normal
Create Time : 2020-01-30 11:39:18
Last Change Time : 2020-02-04 11:38:58
[~SwitchD] display vrrp verbose
Vlanif11 | Virtual Router 1
State : Backup
Virtual IP : 10.2.1.111
Master IP : 10.2.1.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0s Remain : --
TimerRun : 1s
TimerConfig : 1s
Auth Type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config Type : Normal
Create Time : 2020-01-30 11:39:18
Last Change Time : 2020-02-04 11:38:58

----End
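
The health criteria described in Step 8 for the display dfs-group output can be evaluated automatically. The Python code below is an added example, not part of the guide: the healthy sample text is abridged from the outputs shown above, while the degraded variants are constructed, and treating any Consistency-check value other than -- as a failed-reason code is an assumption based on the legend in the output.

```python
import re

# Abridged from the "display dfs-group 1 m-lag" output shown in Step 8.
DFS_OUTPUT = """\
* : Local node
Heart beat state : OK
Node 1 *
Dfs-Group ID : 1
Priority : 150
Address : ip address 10.1.1.1
State : Master
Causation :-
SysName : SwitchA
Node 2
Dfs-Group ID : 1
Priority : 120
Address : ip address 10.1.1.2
State : Backup
Causation :-
SysName : SwitchB
"""
# Abridged from the "display dfs-group 1 node 1 m-lag brief" output shown in Step 8.
BRIEF_OUTPUT = """\
* - Local node
M-Lag ID Interface Port State Status Consistency-check
1 Eth-Trunk 1 Up active(*)-active --
Failed reason:
4 -- LACP mode of M-LAG is inconsistent
"""
# Constructed degraded variants (not captured from a device).
DFS_TWO_MASTERS = DFS_OUTPUT.replace("State : Backup", "State : Master")
BRIEF_DEGRADED = BRIEF_OUTPUT.replace("Up active(*)-active --", "Down active(*)-active 4")

ROW = re.compile(r"\s*(\d+)\s+(Eth-Trunk\s*\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*")


def parse_dfs_group(text):
    """Return (heartbeat state, {node number: {field: value}})."""
    heartbeat, nodes, current = None, {}, None
    for line in text.splitlines():
        node = re.fullmatch(r"\s*Node (\d+)\s*\*?\s*", line)
        if node:
            current = nodes.setdefault(int(node.group(1)), {})
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Heart beat state":
            heartbeat = value
        elif current is not None:
            current[key] = value
    return heartbeat, nodes


def parse_brief(text):
    """Return the M-LAG rows of a 'm-lag brief' table; legend lines are skipped."""
    fields = ("id", "interface", "port_state", "status", "check")
    return [dict(zip(fields, m.groups()))
            for m in map(ROW.fullmatch, text.splitlines()) if m]


def health(dfs_text, brief_texts):
    """Apply the criteria from Step 8; an empty list means the M-LAG looks healthy."""
    heartbeat, nodes = parse_dfs_group(dfs_text)
    problems = []
    if heartbeat != "OK":
        problems.append(f"heartbeat state is {heartbeat!r}")
    states = sorted(n.get("State", "?") for n in nodes.values())
    if states != ["Backup", "Master"]:
        problems.append(f"expected one Master and one Backup, got {states}")
    for num, fields in sorted(nodes.items()):
        if fields.get("Causation") != "-":
            problems.append(f"node {num} causation is {fields.get('Causation')!r}")
    rows = [row for text in brief_texts for row in parse_brief(text)]
    if not rows:
        problems.append("no M-LAG member rows found")
    for row in rows:
        where = f"M-LAG {row['id']} ({row['interface']})"
        if row["port_state"] != "Up":
            problems.append(f"{where}: port state is {row['port_state']}")
        if row["status"].replace("(*)", "").split("-") != ["active", "active"]:
            problems.append(f"{where}: status is {row['status']}")
        if row["check"] != "--":
            problems.append(f"{where}: consistency check failed, reason {row['check']}")
    return problems


if __name__ == "__main__":
    print(health(DFS_OUTPUT, [BRIEF_OUTPUT]))
    print(health(DFS_TWO_MASTERS, [BRIEF_DEGRADED]))
```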

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
dfs-group 1
priority 150
source ip 10.1.1.1
#
vlan batch 11
#
stp bridge-address 0039-0039-0039
stp instance 0 root primary
#
interface MEth0/0/0
ip address 10.1.1.1 255.255.255.0
#
interface Eth-Trunk0
stp disable
mode lacp-static
peer-link 1
#
interface Eth-Trunk1
port default vlan 11
stp edged-port enable
mode lacp-dynamic
dfs-group 1 m-lag 1
#
interface Eth-Trunk2
port link-type trunk
port trunk allow-pass vlan 11
mode lacp-static
#
interface 10GE1/0/1
eth-trunk 2
#
interface 10GE1/0/2
eth-trunk 2
#
interface 10GE1/0/3
eth-trunk 0
#
interface 10GE1/0/4
eth-trunk 0
#
interface 10GE1/0/5
eth-trunk 1
#
interface 10GE1/0/6
eth-trunk 1
#
return
● SwitchB configuration file
#
sysname SwitchB
#
dfs-group 1
priority 120
source ip 10.1.1.2
#
vlan batch 11
#
stp bridge-address 0039-0039-0039
stp instance 0 root primary
#
interface MEth0/0/0
ip address 10.1.1.2 255.255.255.0
#
interface Eth-Trunk0
stp disable
mode lacp-static
peer-link 1
#
interface Eth-Trunk1
port default vlan 11
stp edged-port enable
mode lacp-dynamic
dfs-group 1 m-lag 1
#
interface Eth-Trunk2
port link-type trunk
port trunk allow-pass vlan 11
mode lacp-static
#
interface 10GE1/0/1
eth-trunk 2
#
interface 10GE1/0/2
eth-trunk 2
#
interface 10GE1/0/3
eth-trunk 0
#
interface 10GE1/0/4
eth-trunk 0
#
interface 10GE1/0/5
eth-trunk 1
#
interface 10GE1/0/6
eth-trunk 1
#
return
● SwitchC configuration file
#
sysname SwitchC
#
vlan batch 11
#
interface Vlanif11
ip address 10.2.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.2.1.111
vrrp vrid 1 priority 120
#
interface Eth-Trunk2
port link-type trunk
port trunk allow-pass vlan 11
mode lacp-static
#
interface 10GE1/0/1
eth-trunk 2
#
interface 10GE1/0/2
eth-trunk 2
#
return
● SwitchD configuration file
#
sysname SwitchD
#
vlan batch 11
#
interface Vlanif11
ip address 10.2.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.2.1.111
#
interface Eth-Trunk2
port link-type trunk
port trunk allow-pass vlan 11
mode lacp-static
#
interface 10GE1/0/1
eth-trunk 2
#
interface 10GE1/0/2
eth-trunk 2
#
return

4.9.2 Example for Dual-Homing a Switch to an IP Network Through V-STP

Networking Requirements
As shown in Figure 4-23, the switch is dual-homed to the IP network through
M-LAG. The requirements are as follows:
● When one access link fails, traffic can be fast switched to the other link to
ensure reliability.
● The load balancing mode can be used to forward traffic to make full use of
bandwidth and ensure that two links are in active state.

Figure 4-23 Dual-homing to an IP network through M-LAG
[Figure: SwitchC (10GE1/0/1 and 10GE1/0/2) connects the IP network to 10GE1/0/1 on SwitchA and on SwitchB. SwitchA and SwitchB are joined by peer-link 1 (10GE1/0/4 and 10GE1/0/5) and connect through 10GE1/0/2 and 10GE1/0/3 to the Switch (10GE1/0/1 to 1/0/4).]

Configuration Roadmap
The configuration roadmap is as follows:

1. On the switch, bind the uplink interface to an Eth-Trunk.
2. Configure the V-STP, DFS group, peer-link, and M-LAG interface on SwitchA
and SwitchB.
3. On SwitchA and SwitchB, configure an IP address and a MAC address for a
VLANIF interface to implement dual-active gateway of access devices.
4. Configure OSPF on SwitchA, SwitchB, and SwitchC to ensure Layer 3
connectivity.
NOTE

In a V-STP scenario, to prevent a port from being blocked due to the spanning tree
calculation result, configure the main interface to implement Layer 3 connectivity or
disable the spanning tree protocol on the IP network.
5. On SwitchA and SwitchB, associate uplink and downlink interfaces with the
Monitor Link group to prevent a user-side traffic forwarding failure and traffic
loss due to the uplink fault.

Procedure
Step 1 On the switch, bind the uplink interface to an Eth-Trunk.

# Configure the switch.
<HUAWEI> system-view
[~HUAWEI] sysname Switch
[*HUAWEI] commit
[~Switch] vlan batch 11
[*Switch] interface eth-trunk 20
[*Switch-Eth-Trunk20] mode lacp-static
[*Switch-Eth-Trunk20] port link-type trunk
[*Switch-Eth-Trunk20] port trunk allow-pass vlan 11
[*Switch-Eth-Trunk20] trunkport 10ge 1/0/1 to 1/0/4
[*Switch-Eth-Trunk20] quit
[*Switch] commit

Step 2 Configure the V-STP, DFS group, peer-link, and M-LAG interface on SwitchA and
SwitchB.
# Configure SwitchA.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[*HUAWEI] commit
[~SwitchA] stp mode rstp
[~SwitchA] stp bridge-address 1-1-1
[*SwitchA] stp v-stp enable
[*SwitchA] interface loopback 0
[*SwitchA-LoopBack0] ip address 10.1.1.1 32
[*SwitchA-LoopBack0] quit
[*SwitchA] dfs-group 1
[*SwitchA-dfs-group-1] source ip 10.1.1.1
[*SwitchA-dfs-group-1] priority 150
[*SwitchA-dfs-group-1] quit
[*SwitchA] interface eth-trunk 1
[*SwitchA-Eth-Trunk1] trunkport 10ge 1/0/4
[*SwitchA-Eth-Trunk1] trunkport 10ge 1/0/5
[*SwitchA-Eth-Trunk1] mode lacp-static
[*SwitchA-Eth-Trunk1] peer-link 1
[*SwitchA-Eth-Trunk1] quit
[*SwitchA] vlan batch 11
[*SwitchA] interface eth-trunk 10
[*SwitchA-Eth-Trunk10] mode lacp-static
[*SwitchA-Eth-Trunk10] port link-type trunk
[*SwitchA-Eth-Trunk10] port trunk allow-pass vlan 11
[*SwitchA-Eth-Trunk10] trunkport 10ge 1/0/2
[*SwitchA-Eth-Trunk10] trunkport 10ge 1/0/3
[*SwitchA-Eth-Trunk10] dfs-group 1 m-lag 1
[*SwitchA-Eth-Trunk10] quit
[*SwitchA] commit

# Configure SwitchB.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchB
[*HUAWEI] commit
[~SwitchB] stp mode rstp
[~SwitchB] stp bridge-address 1-1-1
[*SwitchB] stp v-stp enable
[*SwitchB] interface loopback 0
[*SwitchB-LoopBack0] ip address 10.1.1.2 32
[*SwitchB-LoopBack0] quit
[*SwitchB] dfs-group 1
[*SwitchB-dfs-group-1] source ip 10.1.1.2
[*SwitchB-dfs-group-1] priority 120
[*SwitchB-dfs-group-1] quit
[*SwitchB] interface eth-trunk 1
[*SwitchB-Eth-Trunk1] trunkport 10ge 1/0/4
[*SwitchB-Eth-Trunk1] trunkport 10ge 1/0/5
[*SwitchB-Eth-Trunk1] mode lacp-static
[*SwitchB-Eth-Trunk1] peer-link 1
[*SwitchB-Eth-Trunk1] quit
[*SwitchB] vlan batch 11
[*SwitchB] interface eth-trunk 10
[*SwitchB-Eth-Trunk10] mode lacp-static
[*SwitchB-Eth-Trunk10] port link-type trunk
[*SwitchB-Eth-Trunk10] port trunk allow-pass vlan 11
[*SwitchB-Eth-Trunk10] trunkport 10ge 1/0/2
[*SwitchB-Eth-Trunk10] trunkport 10ge 1/0/3
[*SwitchB-Eth-Trunk10] dfs-group 1 m-lag 1
[*SwitchB-Eth-Trunk10] quit
[*SwitchB] commit

Step 3 On SwitchA and SwitchB, configure an IP address and a MAC address for a VLANIF
interface to implement dual-active gateway of access devices.
VLANIF interfaces corresponding to M-LAG member interfaces of M-LAG master
and backup devices must be configured with the same IP address and MAC
address so that M-LAG devices use the same IP address and virtual MAC address.
# Configure SwitchA.
[~SwitchA] interface vlanif 11
[*SwitchA-Vlanif11] ip address 10.2.1.1 24
[*SwitchA-Vlanif11] mac-address 0000-5e00-0101
[*SwitchA-Vlanif11] quit
[*SwitchA] commit

# Configure SwitchB.
[~SwitchB] interface vlanif 11
[*SwitchB-Vlanif11] ip address 10.2.1.1 24
[*SwitchB-Vlanif11] mac-address 0000-5e00-0101
[*SwitchB-Vlanif11] quit
[*SwitchB] commit

Step 4 Configure OSPF on SwitchA, SwitchB, and SwitchC to ensure Layer 3 connectivity.
# Configure SwitchA.
[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] undo portswitch
[*SwitchA-10GE1/0/1] ip address 10.3.1.1 24
[*SwitchA-10GE1/0/1] quit
[*SwitchA] ospf 1
[*SwitchA-ospf-1] area 0
[*SwitchA-ospf-1-area-0.0.0.0] network 10.1.1.1 0.0.0.0
[*SwitchA-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255
[*SwitchA-ospf-1-area-0.0.0.0] network 10.3.1.0 0.0.0.255
[*SwitchA-ospf-1-area-0.0.0.0] quit
[*SwitchA-ospf-1] quit
[*SwitchA] commit

# Configure SwitchB.
[~SwitchB] interface 10ge 1/0/1
[~SwitchB-10GE1/0/1] undo portswitch
[*SwitchB-10GE1/0/1] ip address 10.4.1.1 24
[*SwitchB-10GE1/0/1] quit
[*SwitchB] ospf 1
[*SwitchB-ospf-1] area 0
[*SwitchB-ospf-1-area-0.0.0.0] network 10.1.1.2 0.0.0.0
[*SwitchB-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255
[*SwitchB-ospf-1-area-0.0.0.0] network 10.4.1.0 0.0.0.255
[*SwitchB-ospf-1-area-0.0.0.0] quit
[*SwitchB-ospf-1] quit
[*SwitchB] commit

# Configure SwitchC.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchC
[*HUAWEI] commit
[~SwitchC] interface 10ge 1/0/1
[~SwitchC-10GE1/0/1] undo portswitch
[*SwitchC-10GE1/0/1] ip address 10.3.1.2 24
[*SwitchC-10GE1/0/1] quit
[*SwitchC] interface 10ge 1/0/2
[*SwitchC-10GE1/0/2] undo portswitch
[*SwitchC-10GE1/0/2] ip address 10.4.1.2 24
[*SwitchC-10GE1/0/2] quit
[*SwitchC] ospf 1
[*SwitchC-ospf-1] area 0
[*SwitchC-ospf-1-area-0.0.0.0] network 10.3.1.0 0.0.0.255
[*SwitchC-ospf-1-area-0.0.0.0] network 10.4.1.0 0.0.0.255
[*SwitchC-ospf-1-area-0.0.0.0] quit
[*SwitchC-ospf-1] quit
[*SwitchC] commit

Step 5 On SwitchA and SwitchB, associate uplink and downlink interfaces with the
Monitor Link group.

# Configure SwitchA.
[~SwitchA] monitor-link group 1
[*SwitchA-mtlk-group1] port 10ge 1/0/1 uplink
[*SwitchA-mtlk-group1] port eth-trunk 10 downlink 1
[*SwitchA-mtlk-group1] quit
[*SwitchA] commit

# Configure SwitchB.
[~SwitchB] monitor-link group 1
[*SwitchB-mtlk-group1] port 10ge 1/0/1 uplink
[*SwitchB-mtlk-group1] port eth-trunk 10 downlink 1
[*SwitchB-mtlk-group1] quit
[*SwitchB] commit

Step 6 Verify the configuration.

Run the display dfs-group command to check M-LAG information.

# Check information about the M-LAG with DFS group 1.


[~SwitchA] display dfs-group 1 m-lag
* : Local node
Heart beat state : OK
Node 1 *
Dfs-Group ID : 1
Priority : 150
Address : ip address 10.1.1.1
State : Master
Causation :-
System ID : 0025-9e95-7c31
SysName : SwitchA
Version : V100R006C00
Device Type : CE6850EI
Node 2
Dfs-Group ID : 1
Priority : 120
Address : ip address 10.1.1.2
State : Backup
Causation :-
System ID : 0025-9e95-7c11
SysName : SwitchB
Version : V100R006C00
Device Type : CE6850EI

# Check M-LAG information on SwitchA.


[~SwitchA] display dfs-group 1 node 1 m-lag brief
* - Local node

M-Lag ID Interface Port State Status


1 Eth-Trunk 10 Up active(*)-active

# Check M-LAG information on SwitchB.
[~SwitchB] display dfs-group 1 node 2 m-lag brief
* - Local node

M-Lag ID Interface Port State Status


1 Eth-Trunk 10 Up active-active(*)

In the preceding command outputs, the value of Heart beat state is OK,
indicating that the heartbeat is normal. SwitchA is used as Node 1, its priority is
150, and its status is Master. SwitchB is used as Node 2, its priority is 120, and its
status is Backup. The value of Causation is -, the values of Port State of Node 1
and Node 2 are both Up, and the M-LAG status of both Node 1 and Node 2 is
active, indicating that the M-LAG configuration is correct.
----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
dfs-group 1
priority 150
source ip 10.1.1.1
#
vlan batch 11
#
stp mode rstp
stp bridge-address 0001-0001-0001
stp v-stp enable
#
interface Vlanif11
ip address 10.2.1.1 255.255.255.0
mac-address 0000-5e00-0101
#
interface Eth-Trunk1
mode lacp-static
peer-link 1
#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 11
mode lacp-static
dfs-group 1 m-lag 1
#
interface 10GE1/0/1
undo portswitch
ip address 10.3.1.1 255.255.255.0
#
interface 10GE1/0/2
eth-trunk 10
#
interface 10GE1/0/3
eth-trunk 10
#
interface 10GE1/0/4
eth-trunk 1
#
interface 10GE1/0/5
eth-trunk 1
#
interface LoopBack0
ip address 10.1.1.1 255.255.255.255
#
monitor-link group 1
port 10GE1/0/1 uplink
port Eth-Trunk10 downlink 1
#
ospf 1
area 0.0.0.0
network 10.1.1.1 0.0.0.0
network 10.2.1.0 0.0.0.255
network 10.3.1.0 0.0.0.255
#
return

● SwitchB configuration file


#
sysname SwitchB
#
dfs-group 1
priority 120
source ip 10.1.1.2
#
vlan batch 11
#
stp mode rstp
stp bridge-address 0001-0001-0001
stp v-stp enable
#
interface Vlanif11
ip address 10.2.1.1 255.255.255.0
mac-address 0000-5e00-0101
#
interface Eth-Trunk1
mode lacp-static
peer-link 1
#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 11
mode lacp-static
dfs-group 1 m-lag 1
#
interface 10GE1/0/1
undo portswitch
ip address 10.4.1.1 255.255.255.0
#
interface 10GE1/0/2
eth-trunk 10
#
interface 10GE1/0/3
eth-trunk 10
#
interface 10GE1/0/4
eth-trunk 1
#
interface 10GE1/0/5
eth-trunk 1
#
interface LoopBack0
ip address 10.1.1.2 255.255.255.255
#
monitor-link group 1
port 10GE1/0/1 uplink
port Eth-Trunk10 downlink 1
#
ospf 1
area 0.0.0.0
network 10.1.1.2 0.0.0.0
network 10.2.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
#
return

● SwitchC configuration file
#
sysname SwitchC
#
interface 10GE1/0/1
undo portswitch
ip address 10.3.1.2 255.255.255.0
#
interface 10GE1/0/2
undo portswitch
ip address 10.4.1.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.3.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
#
return

● Switch configuration file


#
sysname Switch
#
vlan batch 11
#
interface Eth-Trunk20
port link-type trunk
port trunk allow-pass vlan 11
mode lacp-static
#
interface 10GE1/0/1
eth-trunk 20
#
interface 10GE1/0/2
eth-trunk 20
#
interface 10GE1/0/3
eth-trunk 20
#
interface 10GE1/0/4
eth-trunk 20
#
return
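
The following check is an added example, not part of Huawei's guide. It compares the SwitchA and SwitchB configuration files of this example for the settings the procedure applies to both M-LAG peers: V-STP, the DFS group and its source IP, the peer-link, the M-LAG binding, and the Step 3 requirement that the VLANIF IP address and MAC address match. The function names and the choice of checks are assumptions of this sketch.

```python
import re

# Excerpt of the SwitchA configuration file shown above (sections the checks read).
SWITCH_A = """\
#
sysname SwitchA
#
dfs-group 1
priority 150
source ip 10.1.1.1
#
stp mode rstp
stp bridge-address 0001-0001-0001
stp v-stp enable
#
interface Vlanif11
ip address 10.2.1.1 255.255.255.0
mac-address 0000-5e00-0101
#
interface Eth-Trunk1
mode lacp-static
peer-link 1
#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 11
mode lacp-static
dfs-group 1 m-lag 1
#
return
"""
# In these sections SwitchB differs only in sysname, DFS priority and DFS source IP.
SWITCH_B = (SWITCH_A.replace("SwitchA", "SwitchB")
            .replace("priority 150", "priority 120")
            .replace("source ip 10.1.1.1", "source ip 10.1.1.2"))


def parse_sections(text):
    """Split a configuration file into {section header: [sub-commands]} on '#' lines."""
    sections = {}
    for block in re.split(r"^#[ \t]*$", text, flags=re.M):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if lines and lines[0] != "return":
            sections.setdefault(lines[0], []).extend(lines[1:])
    return sections


def value(lines, keyword):
    """Return what follows `keyword` on the first matching line, or None."""
    for ln in lines:
        if ln.startswith(keyword + " "):
            return ln[len(keyword) + 1:]
    return None


def trunk_lines(sections, pattern):
    """Collect Eth-Trunk sub-commands that fully match `pattern`."""
    return {ln for hdr, lines in sections.items()
            if hdr.startswith("interface Eth-Trunk")
            for ln in lines if re.fullmatch(pattern, ln)}


def check_mlag_pair(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the two peers are consistent."""
    a, b = parse_sections(cfg_a), parse_sections(cfg_b)
    findings = []
    for name, text in (("A", cfg_a), ("B", cfg_b)):
        if not re.search(r"^[ \t]*stp v-stp enable[ \t]*$", text, flags=re.M):
            findings.append(f"peer {name}: V-STP is not enabled")
    dfs_a = {h for h in a if re.fullmatch(r"dfs-group \d+", h)}
    dfs_b = {h for h in b if re.fullmatch(r"dfs-group \d+", h)}
    if not dfs_a or dfs_a != dfs_b:
        findings.append("DFS group is missing or its ID differs between peers")
    for hdr in sorted(dfs_a & dfs_b):
        src_a, src_b = value(a[hdr], "source ip"), value(b[hdr], "source ip")
        if src_a is None or src_b is None:
            findings.append(f"{hdr}: source ip missing on a peer")
        elif src_a == src_b:
            findings.append(f"{hdr}: both peers use source ip {src_a}")
    if not (trunk_lines(a, r"peer-link \d+") and trunk_lines(b, r"peer-link \d+")):
        findings.append("peer-link is not configured on both peers")
    mlag_a = trunk_lines(a, r"dfs-group \d+ m-lag \d+")
    mlag_b = trunk_lines(b, r"dfs-group \d+ m-lag \d+")
    for binding in sorted(mlag_a ^ mlag_b):
        findings.append(f"'{binding}' is bound on one peer only")
    # Step 3 requirement: same VLANIF IP address and MAC address on both peers.
    for hdr in sorted(h for h in set(a) | set(b) if h.startswith("interface Vlanif")):
        for key in ("ip address", "mac-address"):
            val_a, val_b = value(a.get(hdr, []), key), value(b.get(hdr, []), key)
            if val_a is None or val_b is None:
                findings.append(f"{hdr}: {key} missing on a peer")
            elif val_a.lower() != val_b.lower():
                findings.append(f"{hdr}: {key} differs ({val_a} vs {val_b})")
    return findings


if __name__ == "__main__":
    print(check_mlag_pair(SWITCH_A, SWITCH_B) or "peers are consistent")
```

An empty list means the pair matches the example; each string in a non-empty list names one setting to correct before the M-LAG is put into service.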

4.10 M-LAG Technical Topics


The preceding sections describe only the configuration procedure and examples of
M-LAG. For recommended M-LAG deployment models and configuration
suggestions in more multi-feature scenarios, see M-LAG Technical Topics.

5 VLAN Configuration

Virtual local area network (VLAN) technology has advantages of broadcast
domain isolation, security hardening, flexible networking, and good extensibility.

5.1 Overview of VLANs
5.2 Understanding VLANs
5.3 Application Scenarios for VLANs
5.4 Summary of VLAN Configuration Tasks
5.5 Licensing Requirements and Limitations for VLANs
5.6 Default Settings for VLANs
5.7 Assigning a LAN to VLANs
5.8 Configuring Inter-VLAN Communication
5.9 Configuring VLAN Aggregation to Save IP Addresses
5.10 Configuring MUX VLAN
5.11 Configuring an mVLAN to Implement Integrated Management
5.12 Configuring Transparent Transmission of Protocol Packets in a VLAN to
Improve Forwarding Efficiency
5.13 Configuring an Interface to Discard Incoming Tagged Packets
5.14 Configuring a Hash Mode of the VLAN-XLATE Table
5.15 Maintaining VLANs
5.16 Configuration Examples for VLANs
5.17 Troubleshooting VLANs

5.1 Overview of VLANs

Definition
Virtual Local Area Network (VLAN) technology divides a physical LAN into
multiple broadcast domains, each of which is called a VLAN.

Purpose
Ethernet technology implements data communication over shared media based on
Carrier Sense Multiple Access/Collision Detection (CSMA/CD). When an Ethernet
network has a large number of hosts, both collisions and broadcast storms
become a serious problem, affecting network performance and in some cases
causing the network to completely break down. Although using switches to
connect LANs can prevent collisions, they cannot isolate broadcast packets or
improve network quality.

VLAN technology divides a physical LAN into multiple VLANs to isolate broadcast
domains. Because each VLAN functions as a separate broadcast domain, hosts can
communicate directly with other hosts only if they are in the same VLAN.

Figure 5-1 Networking diagram for a typical VLAN application
[Figure: a Router above SwitchA and SwitchB, with servers in VLAN2 and VLAN3 attached to the switches.]

Figure 5-1 shows a simple VLAN networking diagram. Two switches are placed in
different locations (for example, in different floors of a building). Each switch is
connected to two servers that respectively belong to different VLANs, and the four
servers belong to two VLANs.

Benefits
The VLAN technology brings the following benefits to customers:
● Limits scope of broadcast domains: A broadcast domain is limited in a VLAN.
This saves bandwidth and improves network processing capabilities.
● Enhances LAN security: Packets from different VLANs are transmitted
separately, preventing hosts in a VLAN from communicating directly with
hosts in another VLAN.
● Improves network robustness: A fault in one VLAN does not affect hosts in
other VLANs.
● Allows flexible definition of virtual groups: With VLAN technology, hosts in
different geographical locations can be grouped together, thereby simplifying
network construction and maintenance.

5.2 Understanding VLANs

5.2.1 Basic Concepts of VLANs


VLAN Frame Format
A conventional Ethernet frame is encapsulated with the Length/Type field for an
upper-layer protocol following the Destination address and Source address fields,
as shown in Figure 5-2.

Figure 5-2 Conventional Ethernet frame format

Destination address (6 bytes) | Source address (6 bytes) | Length/Type (2 bytes) | Data (46-1500 bytes) | FCS (4 bytes)

IEEE 802.1Q is an Ethernet networking standard for a specified Ethernet frame
format. It adds a 4-byte field between the Source address and the Length/Type
fields of the original frame, as shown in Figure 5-3.

Figure 5-3 802.1Q frame format

Destination address (6 bytes) | Source address (6 bytes) | 802.1Q Tag (4 bytes) | Length/Type (2 bytes) | Data (46-1500 bytes) | FCS (4 bytes)

802.1Q Tag: TPID (2 bytes) | PRI (3 bits) | CFI (1 bit) | VID (12 bits)

Table 5-1 describes the fields contained in an 802.1Q tag.

Table 5-1 Fields contained in an 802.1Q tag

| Field | Length | Name | Description |
|---|---|---|---|
| TPID | 2 bytes | Tag Protocol Identifier (TPID), indicating the frame type. | The value 0x8100 indicates an 802.1Q-tagged frame. If an 802.1Q-incapable device receives an 802.1Q frame, it will discard the frame. |
| PRI | 3 bits | Priority (PRI), indicating the frame priority. | The value ranges from 0 to 7. The greater the value, the higher the priority. These values can be used to prioritize different classes of traffic to ensure that frames with high priorities are transmitted first when traffic is heavy. |
| CFI | 1 bit | Canonical Format Indicator (CFI), indicating whether the MAC address is in canonical format. | If the value is 0, the MAC address is in the canonical format. CFI is used to ensure compatibility between Ethernet networks and Token Ring networks. It is always set to zero for Ethernet switches. |
| VID | 12 bits | VLAN ID (VID), indicating the VLAN to which the frame belongs. | VLAN IDs range from 0 to 4095. The values 0 and 4095 are reserved, and therefore VLAN IDs range from 1 to 4094 (VLANs 4064 to 4094 are default reserved VLANs. You can run the vlan reserved command to configure the reserved VLAN range). |

Each frame sent by an 802.1Q-capable switch carries a VLAN ID. The following are
the two types of Ethernet frames in a VLAN:
● Tagged frames: frames with 4-byte 802.1Q tags.
● Untagged frames: frames without 4-byte 802.1Q tags.
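
The tag layout in Table 5-1 can be decoded directly from the frame bytes. The parser below is an added example, not code from the guide: it handles untagged frames, single-tagged frames and frames that carry two stacked 802.1Q tags (the QinQ layout this chapter also describes), and it flags the VID values 0 and 4095 that Table 5-1 lists as reserved. It assumes every tag uses TPID 0x8100; the function names and sample frames are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # Table 5-1: TPID value that marks an 802.1Q-tagged frame


def mac_text(raw):
    """Format 6 raw bytes in the xxxx-xxxx-xxxx notation used in this guide."""
    digits = raw.hex()
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def build_frame(dst, src, length_type, payload, tags=()):
    """Build a constructed test frame; tags are (pri, cfi, vid), outermost first."""
    frame = bytes.fromhex(dst.replace("-", "")) + bytes.fromhex(src.replace("-", ""))
    for pri, cfi, vid in tags:
        # TCI layout: PRI (3 bits) | CFI (1 bit) | VID (12 bits)
        frame += struct.pack("!HH", TPID_8021Q, (pri << 13) | (cfi << 12) | vid)
    return frame + struct.pack("!H", length_type) + payload


def parse_frame(frame):
    """Decode addresses, every stacked 802.1Q tag, Length/Type and payload."""
    if len(frame) < 14:
        raise ValueError("shorter than an untagged Ethernet header")
    tags, offset = [], 12
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame ends before the Length/Type field")
        (field,) = struct.unpack_from("!H", frame, offset)
        if field != TPID_8021Q:
            break  # this 2-byte field is the Length/Type, not another tag
        if len(frame) < offset + 4:
            raise ValueError("frame ends inside an 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vid = tci & 0x0FFF
        tags.append({
            "pri": tci >> 13,
            "cfi": (tci >> 12) & 1,
            "vid": vid,
            "reserved_vid": vid in (0, 4095),  # reserved values per Table 5-1
        })
        offset += 4
    return {
        "dst": mac_text(frame[0:6]),
        "src": mac_text(frame[6:12]),
        "tags": tags,  # empty list means an untagged frame
        "length_type": field,
        "payload": frame[offset + 2:],
    }


# Constructed sample values (addresses reuse notation seen in this guide).
DST, SRC, PAYLOAD = "0000-5e00-0101", "0025-9e95-7c31", bytes(46)

if __name__ == "__main__":
    for tags in ((), ((5, 0, 11),), ((0, 0, 100), (3, 0, 11))):
        parsed = parse_frame(build_frame(DST, SRC, 0x0800, PAYLOAD, tags))
        print([t["vid"] for t in parsed["tags"]], hex(parsed["length_type"]))
```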

Link Types
As shown in Figure 5-4, there are the following types of VLAN links:

● Access link: connects a host to a switch. Generally, a host does not know
which VLAN it belongs to, and host hardware cannot distinguish frames with
VLAN tags. Therefore, hosts send and receive only untagged frames.
● Trunk link: connects a switch to another switch or to a router. Data of
different VLANs is transmitted along a trunk link. The two ends of a trunk link
must be able to distinguish frames with VLAN tags. Therefore, only tagged
frames are transmitted along trunk links.

Figure 5-4 Link types
[Figure: DeviceB and DeviceC each connect to DeviceA over a trunk link that carries frames tagged with VLAN2 and VLAN3. Server1 and Server2 (VLAN2) and Server3 and Server4 (VLAN3) attach over access links that carry untagged frames.]

NOTE

● A host does not need to know the VLAN to which it belongs. It sends only untagged
frames.
● After receiving an untagged frame from a host, a switching device determines the
VLAN to which the frame belongs. The determination is based on the configured
VLAN assignment method such as port information, and then the switching device
processes the frame accordingly.
● If the frame needs to be forwarded to another switching device, the frame must be
transparently transmitted along a trunk link. Frames transmitted along trunk links
must carry VLAN tags to allow other switching devices to properly forward the frame
based on the VLAN information.
● Before sending the frame to the destination host, the switching device connected to
the destination host removes the VLAN tag from the frame to ensure that the host
receives an untagged frame.
Generally, only tagged frames are transmitted on trunk links; only untagged frames are
transmitted on access links. In this manner, switching devices on the network can properly
process VLAN information and hosts are not concerned about VLAN information.

Port Types
With VLAN frames defined by 802.1Q, ports can be classified into four types:

● Access port
As shown in Figure 5-4, an access port on a switch connects to the port on a
host. The access port can only connect to an access link. Only the VLAN
whose ID is the same as the default VLAN ID is allowed on the access port.
Ethernet frames sent from the access port are untagged frames.
● Trunk port
As shown in Figure 5-4, a trunk port on a switch connects to another switch.
It can only connect to a trunk link. Multiple tagged VLAN frames are allowed
on the trunk port.
● Hybrid port
As shown in Figure 5-5, a hybrid port on a switch can connect either to a host
or to another switch. A hybrid port can connect either to an access link or to a
trunk link. The hybrid port allows multiple VLAN frames and removes tags
from some VLAN frames on the outbound port.

Figure 5-5 Port types
[Figure: hybrid ports connected to access links and trunk links.]

● QinQ port
QinQ ports are enabled with the IEEE 802.1 QinQ protocol. A QinQ port adds
a tag to a single-tagged frame and supports a maximum of 4094 x 4094
VLAN tags, which meets the requirement for the VLAN quantity.
Figure 5-6 shows the format of a QinQ frame. The outer tag is often called
the public tag and carries the VLAN ID of the public network, whereas the
inner tag is often called the private tag and carries the VLAN ID of the private
network.

Figure 5-6 Format of a QinQ frame

Destination address (6 bytes) | Source address (6 bytes) | 802.1Q Tag (4 bytes) | 802.1Q Tag (4 bytes) | Length/Type (2 bytes) | Data (46-1500 bytes) | FCS (CRC-32) (4 bytes)

For details on the QinQ protocol, see QinQ.

Default VLAN
The default VLAN ID of an interface is called the port default VLAN ID (PVID). The
meaning of the default VLAN varies according to the port type.
For details on different PVIDs and methods of processing Ethernet frames, see
Frame processing based on the port type.

VLAN Assignment
VLAN assignment is a basic VLAN configuration. Users in the same VLAN can
communicate with each other. Table 5-2 shows the VLAN assignment methods
and their usage scenarios.

Table 5-2 Differences between VLAN assignment modes

● VLAN assignment based on interface
  Principle: In this mode, VLANs are classified based on interface numbers of the switch. The network administrator configures a port VLAN ID (PVID), that is, default VLAN ID, for each port on the switching device. That is, a port belongs to a VLAN by default.
  – When a data frame reaches a port, it is marked with the PVID if the data frame carries no VLAN tag and the port is configured with a PVID.
  – If the data frame carries a VLAN tag, the switching device will not add a VLAN tag to the data frame even if the port is configured with a PVID.
  Different types of ports process VLAN frames in different manners.
  Advantage: It is simple to define VLAN members.
  Disadvantage: VLANs must be re-configured when VLAN members change locations.

● VLAN assignment based on MAC addresses
  Principle: In this mode, VLANs are classified based on the MAC addresses of network interface cards (NICs). The network administrator configures the mappings between MAC addresses and VLAN IDs. In this case, when a switching device receives an untagged packet, it searches the MAC-VLAN table for a tag to be added to the packet according to the MAC address of the packet.
  Advantage: When the physical locations of users change, you do not need to re-configure VLANs for the users. This improves the security of users and increases the flexibility of user access.
  Disadvantage:
  – This mode is applicable to only a simple networking environment where the NIC seldom changes.
  – In addition, all members on the network must be pre-defined.

● VLAN assignment based on IP subnets
  Principle: When receiving an untagged packet, a switching device adds a VLAN tag to the packet based on the source IP address of the packet.
  Advantage: Packets sent from specified network segments or IP addresses are transmitted in specific VLANs. This facilitates management.
  Disadvantage: This mode is applicable to the networking environment where users are distributed in an orderly manner and multiple users are on the same network segment.

● Protocol-based VLAN assignment
  Principle: VLANs are assigned based on protocol (suite) types and encapsulation formats of frames. A network administrator preconfigures mappings between protocol types and VLAN IDs. When receiving an untagged frame, the switch adds the VLAN tag mapping the protocol type of the frame to the frame. The frame is then transmitted in the specified VLAN.
  Advantage: This mode binds service types to VLANs, facilitating management and maintenance.
  Disadvantage:
  – The network administrator must preconfigure mappings between all protocol types and VLAN IDs.
  – The switch needs to analyze protocol address formats and convert the formats, which consumes excessive resources. Therefore, this mode slows down switch response time.

The switch supports multiple VLAN assignment modes. In descending order of
priority, they are MAC address-based or IP subnet-based VLAN assignment,
protocol-based VLAN assignment, and interface-based VLAN assignment.
● If packets match both MAC address-based VLAN assignment and IP subnet-based
VLAN assignment, MAC address-based VLAN assignment is preferentially adopted
by default. Alternatively, you can run commands to change the priorities of
these two VLAN assignment modes to select a VLAN assignment mode.
● Interface-based VLAN assignment has the lowest priority and is the most
common VLAN assignment mode.

5.2.2 Principle of VLAN Communication


Basic Principle of VLAN Communication
To improve the efficiency in processing frames, frames within a switch all carry
VLAN tags for uniform processing. When a data frame reaches a port of the
switch, if the frame carries no VLAN tag and the port is configured with a PVID,
the frame is marked with the port's PVID. If the frame has a VLAN tag, the switch
will not mark a VLAN tag for the frame regardless of whether the port is
configured with a PVID.
The switch processes frames differently according to the type of port receiving the
frames. The following describes the frame processing according to the port type.

Table 5-3 Frame processing based on the port type

● Access port
  Untagged frame processing: Accepts an untagged frame and adds a tag with the default VLAN ID to the frame.
  Tagged frame processing:
  – Accepts the tagged frame if the frame's VLAN ID matches the default VLAN ID.
  – Discards the tagged frame if the frame's VLAN ID differs from the default VLAN ID.
  Frame transmission: After the PVID tag is stripped, the frame is transmitted.

● Trunk port
  Untagged frame processing:
  – Adds a tag with the default VLAN ID to the untagged frame and then transmits it if the default VLAN ID is permitted by the port.
  – Adds a tag with the default VLAN ID to the untagged frame and then discards it if the default VLAN ID is denied by the port.
  Tagged frame processing:
  – Accepts a tagged frame if the VLAN ID carried in the frame is permitted by the port.
  – Discards a tagged frame if the VLAN ID carried in the frame is denied by the port.
  Frame transmission:
  – If the frame's VLAN ID matches the default VLAN ID and the VLAN ID is permitted by the port, the switch removes the tag and transmits the frame.
  – If the frame's VLAN ID differs from the default VLAN ID, but the VLAN ID is still permitted by the port, the switch will directly transmit the frame.

● Hybrid port
  Untagged frame processing:
  – Adds a tag with the default VLAN ID to an untagged frame and accepts the frame if the port permits the default VLAN ID.
  – Adds a tag with the default VLAN ID to an untagged frame and discards the frame if the port denies the default VLAN ID.
  Tagged frame processing:
  – Accepts a tagged frame if the VLAN ID carried in the frame is permitted by the port.
  – Discards a tagged frame if the VLAN ID carried in the frame is denied by the port.
  Frame transmission: If the frame's VLAN ID is permitted by the port, the frame is transmitted. The port can be configured whether to transmit frames with tags.

● QinQ port
  QinQ ports are enabled with the IEEE 802.1 QinQ protocol. A QinQ port adds a tag to a single-tagged frame, and supports a maximum of 4094 x 4094 VLAN tags, which meets the requirement on the number of VLANs.

NOTE

Because all interfaces join VLAN 1 by default, broadcast storms may occur if unknown
unicast, multicast, or broadcast packets exist in VLAN 1. To prevent loops, delete interfaces
that do not need to be added to VLAN 1 from VLAN 1.

Intra-VLAN Communication
Sometimes VLAN users are connected to different switches, in which case the
VLAN spans multiple switches. Because the ports that interconnect these switches
must recognize and send packets belonging to the VLAN, a trunk link is used to
simplify the solution.

The trunk link plays the following two roles:

● Trunk line
The trunk link transparently transmits VLAN packets between switches.
● Backbone line
The trunk link transmits packets belonging to multiple VLANs.

Figure 5-7 Trunk link communication
[Figure: DeviceA (Port4, Port2) and DeviceB (Port1, Port3) connected by a trunk link; labels VLAN 2, VLAN 3, UserA, UserB.]

As shown in Figure 5-7, the trunk link between DeviceA and DeviceB must support
intra-VLAN communication for both VLAN 2 and VLAN 3. Therefore, the ports at
both ends of the trunk link must be configured to belong to both VLANs. That is,
Port2 on DeviceA and Port1 on DeviceB must belong to both VLAN 2 and VLAN 3.

User A sends a frame to User B in the following process:

1. The frame is first sent to Port4 on DeviceA.
2. A tag is added to the frame on Port4. The VID field of the tag is set to 2, that
is, the ID of the VLAN to which Port4 belongs.
3. DeviceA queries its MAC address table for the MAC forwarding entry with the
destination MAC address of User B.
– If this entry exists, DeviceA sends the frame to the outbound interface
Port2.
– If this entry does not exist, DeviceA sends the frame to all interfaces
bound to VLAN 2 except for Port4.
4. Port2 sends the frame to DeviceB.
5. After receiving the frame, DeviceB queries its MAC address table for the MAC
forwarding entry with the destination MAC address of User B.
– If this entry exists, DeviceB sends the frame to the outbound interface
Port3.
– If this entry does not exist, DeviceB sends the frame to all interfaces
bound to VLAN 2 except for Port1.
6. Port3 sends the frame to User B.
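
The six steps above can be traced with the following Python model, which is an added example and not part of the Huawei guide. Port5 and Port6 (VLAN 3 user ports) are hypothetical additions to Figure 5-7, and source MAC learning is assumed as the way the MAC address table gets its entries.

```python
"""Constructed model of the Figure 5-7 walk-through (not Huawei code)."""
from dataclasses import dataclass, field


@dataclass
class Port:
    allowed_vlans: set            # VLANs the port belongs to
    pvid: int = 1                 # VLAN ID added to untagged frames on ingress
    tagged_egress: bool = False   # True on trunk-link ends, False towards users


@dataclass
class Switch:
    ports: dict                                     # port name -> Port
    mac_table: dict = field(default_factory=dict)   # (VLAN, MAC) -> port name

    def receive(self, in_port, src_mac, dst_mac, vid=None):
        """Process one frame; return [(egress port, VID on the wire or None)]."""
        port = self.ports[in_port]
        vlan = port.pvid if vid is None else vid    # step 2: tag untagged frames
        if vlan not in port.allowed_vlans:
            return []                               # VLAN not permitted: discard
        self.mac_table[(vlan, src_mac)] = in_port   # assumed: learn source per VLAN
        known = self.mac_table.get((vlan, dst_mac))
        if known is not None:                       # steps 3 and 5: entry exists
            targets = [known] if known != in_port else []
        else:                                       # no entry: flood inside the VLAN
            targets = [name for name, p in self.ports.items()
                       if name != in_port and vlan in p.allowed_vlans]
        return [(name, vlan if self.ports[name].tagged_egress else None)
                for name in targets]


def build_figure_5_7():
    """DeviceA and DeviceB as in Figure 5-7; Port5 and Port6 are hypothetical
    VLAN 3 user ports added to show that flooding stays inside one VLAN."""
    return {
        "DeviceA": Switch({"Port4": Port({2}, pvid=2),
                           "Port2": Port({2, 3}, tagged_egress=True),
                           "Port5": Port({3}, pvid=3)}),
        "DeviceB": Switch({"Port1": Port({2, 3}, tagged_egress=True),
                           "Port3": Port({2}, pvid=2),
                           "Port6": Port({3}, pvid=3)}),
    }


# The trunk link joins Port2 on DeviceA and Port1 on DeviceB.
TRUNK_LINK = {("DeviceA", "Port2"): ("DeviceB", "Port1"),
              ("DeviceB", "Port1"): ("DeviceA", "Port2")}


def send(network, switch, in_port, src_mac, dst_mac):
    """Inject an untagged frame from a user port and follow it across the trunk.
    Returns the (switch, user port) pairs where the frame leaves the network."""
    delivered, queue = [], [(switch, in_port, None)]
    while queue:
        name, port, vid = queue.pop(0)
        for out_port, out_vid in network[name].receive(port, src_mac, dst_mac, vid):
            peer = TRUNK_LINK.get((name, out_port))
            if peer is None:
                delivered.append((name, out_port))
            else:
                queue.append((peer[0], peer[1], out_vid))
    return delivered


if __name__ == "__main__":
    net = build_figure_5_7()
    print(send(net, "DeviceA", "Port4", "UserA", "UserB"))  # flooded within VLAN 2
    print(send(net, "DeviceB", "Port3", "UserB", "UserA"))  # reply over the trunk
    print(send(net, "DeviceA", "Port4", "UserA", "UserB"))  # forwarded by table entry
```

Because the MAC table is keyed by VLAN as well as MAC address, a frame that enters on a VLAN 3 port never reaches Port3 or Port4, even when its destination MAC is already known in VLAN 2.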

Inter-VLAN Communication
After VLANs are configured, users in different VLANs cannot directly communicate
with each other. To implement communication between VLANs, use either of the
following methods:
● Layer 3 sub-interface
As shown in Figure 5-8, DeviceA is a Layer 3 switch that supports Layer 3
sub-interfaces, and DeviceB is a Layer 2 switch. LANs are connected using the
switched Ethernet interface on DeviceB and the routed Ethernet interface on
DeviceA. User hosts are assigned to VLAN2 and VLAN3. To implement inter-VLAN
communication, perform the following configuration:
– On DeviceA, create two Layer 3 sub-interfaces Port1.1 and Port2.1 on the
Ethernet interface connecting to DeviceB, and configure 802.1Q
encapsulation on the Layer 3 sub-interfaces corresponding to VLAN2 and
VLAN3.
– Configure IP addresses for the Layer 3 sub-interfaces.
– Set the types of the Ethernet interfaces connecting DeviceB and DeviceA to
Trunk or Hybrid so that VLAN2 and VLAN3 frames are allowed.
– Set the default gateway address of each user host to the IP address of the
Layer 3 sub-interface mapped to the VLAN to which the host belongs.

Figure 5-8 Inter-VLAN communication using Layer 3 sub-interfaces
[Figure: DeviceA (sub-interfaces Port1.1 and Port2.1) connected over a VLAN trunk to DeviceB; access ports on DeviceB connect Host A and Host B (VLAN2) and Host C and Host D (VLAN3).]


Host A communicates with host C as follows:


a. Host A checks the IP address of host C and determines that host C is in
another VLAN.
b. Host A sends an ARP request packet to DeviceA to request DeviceA's MAC
address.
c. After receiving the ARP request packet, DeviceA returns an ARP reply
packet in which the source MAC address is the MAC address of the Layer
3 sub-interface mapping VLAN2.
d. Host A obtains DeviceA's MAC address.
e. Host A sends a packet whose destination MAC address is the MAC
address of the Layer 3 sub-interface and destination IP address is host C's
IP address to DeviceA.
f. After receiving the packet, DeviceA forwards the packet and detects that
the route to host C is a direct route. The packet is forwarded by the Layer
3 sub-interface mapping VLAN3.
g. Functioning as the gateway of hosts in VLAN3, DeviceA broadcasts an
ARP packet requesting host C's MAC address.
h. After receiving the packet, host C returns an ARP reply packet.
i. After receiving the reply packet, DeviceA sends the packet from host A to
host C. All packets sent from host A to host C are sent to DeviceA first to
implement Layer 3 forwarding.
● VLANIF interface
Layer 3 switching combines routing and switching techniques to implement
routing on a switch, improving the overall performance of the network. After
sending the first data flow, a Layer 3 switch generates a mapping table on
which it records the mapping between the MAC address and the IP address
for the data flow. If the switch needs to send the same data flow again, it
directly sends the data flow at Layer 2 based on the mapping table. In this
manner, network delays caused by route selection are eliminated, and data
forwarding efficiency is improved.
In order for new data flows to be correctly forwarded, the routing table must
have the correct routing entries. Therefore, VLANIF interfaces are used to
configure routing protocols on Layer 3 switches so that Layer 3 routes are reachable.
A VLANIF interface is a Layer 3 logical interface, which can be configured on
either a Layer 3 switch or a router.
As shown in Figure 5-9, hosts connected to the switch are assigned to VLAN 2
and VLAN 3. To implement inter-VLAN communication, configure as follows:
– Create two VLANIF interfaces on the device, and configure IP addresses
for them.
– Set the default gateway address to the IP address of the VLANIF interface
mapping the VLAN to which the user host belongs.


Figure 5-9 Inter-VLAN communication through VLANIF interfaces
[Figure: Device with VLANIF2 and VLANIF3; UserA and UserB in VLAN2, UserC and UserD in VLAN3.]

Host A communicates with host C as follows:


a. Host A checks the IP address of host C and determines that host C is in
another subnet.
b. Host A sends an ARP request packet to Device to request Device's MAC
address.
c. After receiving the ARP request packet, Device returns an ARP reply
packet in which the source MAC address is the MAC address of VLANIF2.
d. Host A obtains Device's MAC address.
e. Host A sends a packet whose destination MAC address is the MAC
address of the VLANIF interface and destination IP address is host C's IP
address to Device.
f. After receiving the packet, Device forwards the packet and detects that
the route to host C is a direct route. The packet is forwarded by VLANIF3.
g. Functioning as the gateway of hosts in VLAN3, Device broadcasts an ARP
packet requesting host C's MAC address.
h. After receiving the packet, host C returns an ARP reply packet.
i. After receiving the reply packet, Device sends the packet from host A to
host C. All packets sent from host A to host C are sent to Device first to
implement Layer 3 forwarding.

5.2.3 VLAN Aggregation

Background of VLAN Aggregation


VLANs are widely used on switching networks because of their flexible control of
broadcast domains and convenient deployment. On a Layer 3 switch, broadcast
domains are interconnected by mapping each VLAN to one Layer 3 logical
interface. However, this can waste IP addresses.
Figure 5-10 shows the VLAN division on the device.

Figure 5-10 Networking of a common VLAN
[Figure: L3 Switch with VLANIF2 (10.1.1.1), VLANIF3 (10.1.1.17) and VLANIF4 (10.1.1.25), each connected to an L2 Switch: VLAN 2 (10.1.1.0/28), VLAN 3 (10.1.1.16/29), VLAN 4 (10.1.1.24/30).]

Table 5-4 Example of assigning server addresses on a common VLAN

VLAN  Subnet        Gateway    Number of Available  Number of Available  Practical
                    Address    Addresses            Servers              Requirements
2     10.1.1.0/28   10.1.1.1   14                   13                   10
3     10.1.1.16/29  10.1.1.17  6                    5                    5
4     10.1.1.24/30  10.1.1.25  2                    1                    1

As shown in Table 5-4, VLAN 2 requires 10 server addresses. The subnet
10.1.1.0/28, with a 28-bit mask, is assigned to VLAN 2. 10.1.1.0 is the
address of the subnet, and 10.1.1.15 is the directed broadcast address. These two
addresses cannot be used as host addresses. In addition, 10.1.1.1 is the default
gateway address of the subnet and cannot be used as a host address either.
The other 13 addresses, ranging from 10.1.1.2 to 10.1.1.14, can be used by the
servers. In this way, although VLAN 2 needs only 10 addresses, 13 addresses need
to be assigned to it according to the division of the subnet.
VLAN 3 requires five server addresses. The subnet 10.1.1.16/29, with a 29-bit
mask, needs to be assigned to VLAN 3. VLAN 4 requires only one address. The
subnet 10.1.1.24/30, with a 30-bit mask, needs to be assigned to VLAN 4.
In total, 16 (10+5+1) addresses are needed for all the preceding VLANs. However,
28 (16+8+4) addresses are needed in common VLAN addressing mode even if the
optimal scheme is used. Nearly half of the addresses are wasted.
In addition, if VLAN 2 later connects to three servers instead of 10 servers, the
extra addresses cannot be used by other VLANs and are wasted.
This division is also inconvenient for later network upgrade and expansion. Assume
that two more servers need to be added to VLAN 4, that VLAN 4 does not want to
change the assigned IP addresses, and that the addresses after 10.1.1.24 have been
assigned to others. A new subnet with a 29-bit mask and a new VLAN then need to
be assigned for the new customers of VLAN 4. As a result, the customers of
VLAN 4 have only three servers, but the customers are assigned to two subnets
and are not in the same VLAN, which is inconvenient for network management.
In summary, many IP addresses are used as subnet addresses, directed
broadcast addresses of subnets, and default gateway addresses of subnets.
These IP addresses cannot be used as server addresses in the VLAN.
This restriction on address assignment reduces addressing flexibility, so many
idle addresses are wasted. To solve this problem, VLAN aggregation is used.

Principle
The VLAN aggregation technology, also known as the super-VLAN, provides a
mechanism that partitions the broadcast domain using multiple VLANs in a
physical network so that different VLANs can belong to the same subnet. In VLAN
aggregation, two concepts are involved, namely, super-VLAN and sub-VLAN.
● Super-VLAN: It is different from the common VLAN. In the super-VLAN, only
Layer 3 interfaces are created and physical ports are not contained. The super-
VLAN can be viewed as a logical Layer 3 concept. It is a collection of many
sub-VLANs.
● Sub-VLAN: It is used to isolate broadcast domains. In the sub-VLAN, only
physical ports are contained and Layer 3 VLANIF interfaces cannot be created.
The Layer 3 switching with the external network is implemented through the
Layer 3 interface of the super-VLAN.
A super-VLAN can contain one or more sub-VLANs retaining different broadcast
domains. The sub-VLAN does not occupy an independent subnet segment. In the
same super-VLAN, IP addresses of servers belong to the subnet segment of the
super-VLAN, regardless of the mapping between servers and sub-VLANs.
The same Layer 3 interface is shared by sub-VLANs. Some subnet IDs, default
gateway addresses of the subnets, and directed broadcast addresses of the
subnets are saved and different broadcast domains can use the addresses in the
same subnet segment. As a result, subnet differences are eliminated, addressing
becomes flexible and idle addresses are reduced.
Table 5-4 is used to explain the implementation. Suppose that user demands are
unchanged. In VLAN 2, 10 server addresses are demanded; in VLAN 3, five server
addresses are demanded; in VLAN 4, one server address is demanded.
According to the implementation of VLAN aggregation, create VLAN 10 and
configure VLAN 10 as a super-VLAN. Then assign a subnet address 10.1.1.0/24
with the mask length being 24 to VLAN 10; 10.1.1.0 is the subnet ID and 10.1.1.1
is the gateway address of the subnet, as shown in Figure 5-11. Address
assignments of sub-VLANs (VLAN 2, VLAN 3, and VLAN 4) are shown in Table
5-5.


Figure 5-11 Networking of VLAN aggregation
[Figure: L3 Switch with Super VLAN 10 (VLANIF10: 10.1.1.1/24) containing Sub VLAN 2 (host IP 10.1.1.2-10.1.1.11), Sub VLAN 3 (host IP 10.1.1.12-10.1.1.16) and Sub VLAN 4 (host IP 10.1.1.17).]

Table 5-5 Example for assigning server addresses in VLAN aggregation mode

VLAN  Subnet        Gateway    Number of available  Number of available  Practical
                    address    addresses            servers              requirements
2     10.1.1.0/24   10.1.1.1   10                   10.1.1.2-10.1.1.11   10
3     10.1.1.0/24   10.1.1.1   5                    10.1.1.12-10.1.1.16  5
4     10.1.1.0/24   10.1.1.1   1                    10.1.1.17            1

In VLAN aggregation implementation, sub-VLANs are not divided according to the
previous subnet border. Instead, their addresses are flexibly assigned in the subnet
corresponding to the super-VLAN according to the required number of servers.
As Table 5-5 shows, VLAN 2, VLAN 3, and VLAN 4 share a subnet
(10.1.1.0/24), a default gateway address of the subnet (10.1.1.1), and a directed
broadcast address of the subnet (10.1.1.255). In this manner, the subnet IDs
(10.1.1.16, 10.1.1.24), the default gateway addresses (10.1.1.17, 10.1.1.25), and
the directed broadcast addresses (10.1.1.15, 10.1.1.23, and 10.1.1.27) of the
common VLAN mode can be used as IP addresses of servers.
In total, 16 addresses (10 + 5 + 1 = 16) are required for the three VLANs. In
practice, a total of 16 addresses in this subnet are assigned to the three VLANs
(10.1.1.2 to 10.1.1.17). A total of 19 IP addresses are used, that is, the 16 server
addresses together with the subnet ID (10.1.1.0), the default gateway of the
subnet (10.1.1.1), and the directed broadcast address of the subnet (10.1.1.255). In
the network segment, 236 addresses (255 - 19 = 236) are available, which can be
used by any server in the sub-VLAN.
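
The address accounting in Table 5-4 and Table 5-5 can be reproduced with Python's ipaddress module. This is an added example, not part of the Huawei guide; it assumes, as both tables do, that the gateway takes the first host address of each subnet.

```python
"""Constructed check of the Table 5-4 and Table 5-5 address accounting."""
import ipaddress

REQUIRED = {2: 10, 3: 5, 4: 1}   # servers needed per VLAN (Table 5-4)


def prefix_for(servers):
    """Longest prefix whose block fits the servers plus the subnet ID,
    the directed broadcast address and the gateway address."""
    prefix = 30
    while 2 ** (32 - prefix) < servers + 3:
        prefix -= 1
    return prefix


def common_vlan_plan(base, required):
    """One subnet per VLAN, carved largest-first from `base` (Figure 5-10)."""
    cursor = int(ipaddress.ip_address(base))
    plan = {}
    for vlan, servers in sorted(required.items(), key=lambda item: -item[1]):
        prefix = prefix_for(servers)
        size = 2 ** (32 - prefix)
        cursor = -(-cursor // size) * size          # align the block to its size
        subnet = ipaddress.ip_network((cursor, prefix))
        hosts = list(subnet.hosts())                # excludes subnet ID and broadcast
        plan[vlan] = {"subnet": subnet, "gateway": hosts[0],
                      "available": len(hosts), "servers": len(hosts) - 1}
        cursor += size
    return plan


def addresses_consumed(plan):
    """Addresses taken out of the pool by the per-VLAN subnets."""
    return sum(row["subnet"].num_addresses for row in plan.values())


def super_vlan_plan(subnet, required):
    """Sub-VLANs take consecutive host addresses from the super-VLAN subnet."""
    hosts = list(ipaddress.ip_network(subnet).hosts())
    gateway, pool = hosts[0], hosts[1:]
    plan, start = {}, 0
    for vlan in sorted(required):
        plan[vlan] = pool[start:start + required[vlan]]
        start += required[vlan]
    used = start + 3      # servers + subnet ID + gateway + directed broadcast
    return gateway, plan, used


def overhead(subnet, gateway):
    return {subnet.network_address, subnet.broadcast_address, gateway}


def reclaimed(common, super_subnet, super_gateway):
    """Addresses that were overhead in the common plan but are assignable to
    servers once all sub-VLANs share the super-VLAN subnet."""
    spent = set()
    for row in common.values():
        spent |= overhead(row["subnet"], row["gateway"])
    return sorted(spent - overhead(ipaddress.ip_network(super_subnet), super_gateway))


if __name__ == "__main__":
    common = common_vlan_plan("10.1.1.0", REQUIRED)
    for vlan, row in sorted(common.items()):
        print(vlan, row["subnet"], row["gateway"], row["available"], row["servers"])
    gateway, subs, used = super_vlan_plan("10.1.1.0/24", REQUIRED)
    print(addresses_consumed(common), used)
    print([str(a) for a in reclaimed(common, "10.1.1.0/24", gateway)])
```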

Communication Between VLANs


● Introduction
VLAN aggregation ensures that different VLANs use the IP addresses in the
same subnet segment. This, however, leads to the problem of Layer 3
forwarding between sub-VLANs.
In common VLAN mode, the servers of different VLANs can communicate
with each other based on the Layer 3 forwarding through their respective
gateways. In VLAN aggregation mode, the servers in a super-VLAN use the IP
addresses in the same network segment and share the same gateway address.
The servers in different sub-VLANs belong to the same subnet. Therefore, they
communicate with each other based on the Layer 2 forwarding, rather than
the Layer 3 forwarding through a gateway. In practice, servers in different
sub-VLANs are separated at Layer 2. As a result, sub-VLANs fail to
communicate with each other.
To solve the preceding problem, you can use Proxy ARP.
NOTE

For details about proxy ARP, see ARP in the IP Services.


● Layer 3 communication between different sub-VLANs
If hosts on the same network segment of the same physical network but in
different VLANs need to communicate at Layer 3, you need to enable inter-
VLAN proxy ARP on the corresponding VLANIF interfaces.
As shown in Figure 5-12, Host A and Host B on the same network segment
are connected to the Switch, Host A belongs to VLAN 3, and Host B belongs
to VLAN 2. Host A and Host B belong to different sub-VLANs, so they cannot
communicate at Layer 2.


Figure 5-12 Inter-VLAN proxy ARP implementation
[Figure: Switch with Super-VLAN 4 and VLANIF 4 (IP: 10.10.10.3/24, MAC: 3-3-3); HostA in Sub-VLAN 3 (IP: 10.10.10.1/24, MAC: 1-1-1); HostB in Sub-VLAN 2 (IP: 10.10.10.2/24, MAC: 2-2-2).]

You can enable inter-VLAN proxy ARP on VLANIF 4 of the Switch to solve this
problem.
a. Host A sends an ARP Request packet for the MAC address of Host B.
b. After receiving the ARP Request packet, the Switch detects that the
destination IP address is not its IP address and determines that the
requested MAC address is not its MAC address. The Switch then checks
whether there is an ARP entry of Host B.
▪ If there is an ARP entry that matches Host B and the VLAN information
in this entry is different from that of the receiving port, the Switch
checks whether inter-VLAN proxy ARP is enabled on the
corresponding VLANIF interface.
○ If inter-VLAN proxy ARP is enabled, the Switch sends the MAC
address of VLANIF 4 to Host A.
After receiving the ARP Reply packet from the Switch, Host A
considers the packet as the ARP Reply packet from Host B. Host
A learns the MAC address of VLANIF 4 on the Switch and uses
this MAC address to send data packets to Host B.
○ If inter-VLAN proxy ARP is not enabled, the Switch discards the
ARP Request packet sent by Host A.
▪ If there is no ARP entry of Host B, the Switch discards the ARP
Request packet sent by Host A, and checks whether inter-VLAN proxy
ARP is enabled on the corresponding VLANIF interface.
○ If inter-VLAN proxy ARP is enabled, the Switch broadcasts the
ARP Request packet with the IP address of Host B as the
destination IP address within VLAN 2. After the Switch receives
an ARP Reply packet from Host B, the Switch generates an ARP
entry indicating the mapping between the IP and MAC addresses
of Host B.
○ If inter-VLAN proxy ARP is not enabled, the Switch does not
perform any operations.
● Layer 2 communication between a sub-VLAN and an external network
As shown in Figure 5-13, in the Layer 2 VLAN communication based on ports,
the received or sent frames are not tagged with the super-VLAN ID.

Figure 5-13 Networking of Layer 2 communication between a sub-VLAN and an external network
[Figure: Internet above Switch2 (Port1, VLAN Trunk all), connected to Switch1 (Port3, VLAN Trunk all; Port1; Port2). Switch1 has Super VLAN 10 (VLANIF10: 10.1.1.1/24) with VLAN 2 (Server A, 10.1.1.2/24) and VLAN 3 (Server B, 10.1.1.3/24).]

The frame that Server A sends into Switch1 through Port1 is tagged with the
ID of VLAN 2. The VLAN ID, however, is not changed to the ID of VLAN 10 on
Switch1 even though VLAN 2 is a sub-VLAN of VLAN 10. After passing through
Port3, which is a trunk port, this frame still carries the ID of VLAN 2.
That is, Switch1 itself does not send frames of VLAN 10. In addition,
Switch1 discards frames of VLAN 10 that other devices send to it
because Switch1 has no corresponding physical port for VLAN 10.
A super-VLAN has no physical port. This restriction is mandatory and is
enforced as follows:
– If you configure the super-VLAN and then the trunk interface, the frames
of a super-VLAN are filtered automatically according to the VLAN range
set on the trunk interface.
As shown in Figure 5-13, no frame of the super-VLAN 10 passes through
Port3 on Switch1, even though the interface allows frames from all
VLANs to pass through.


– If you finish configuring the trunk interface and allow all VLANs to pass
through, you still cannot configure the super-VLAN on Switch1. The root
cause is that any VLAN with physical ports cannot be configured as the
super-VLAN, and the trunk interface allows only the frames tagged with
VLAN IDs to pass through. Therefore, no VLAN can be configured as a
super-VLAN.
As for Switch1, the valid VLANs are just VLAN 2 and VLAN 3, and all frames
are forwarded in these VLANs.
● Layer 3 communication between a sub-VLAN and an external network

Figure 5-14 Networking of Layer 3 communication between a sub-VLAN and an external network
[Figure: Switch2 (Port1, Port2; VLANIF10 10.1.2.2/24; VLANIF20 10.1.3.1/24) with Server C (10.1.3.2/24); Switch1 (Port1, Port2, Port3; VLANIF10 10.1.2.1/24) with Super VLAN 4 (VLANIF4: 10.1.1.1/24), VLAN 2 (Server A, 10.1.1.2/24) and VLAN 3 (Server B, 10.1.1.3/24).]

As shown in Figure 5-14, Switch1 is configured with super-VLAN 4, sub-VLAN
2, sub-VLAN 3, and a common VLAN 10. Switch2 is configured with two
common VLANs, namely, VLAN 10 and VLAN 20. Suppose that Switch1 is
configured with the route to the network segment 10.1.3.0/24, and Switch2 is
configured with the route to the network segment 10.1.1.0/24. Server A, in
sub-VLAN 2 of super-VLAN 4, needs to access Server C connected to
Switch2. The process is as follows:
a. After comparing the IP address of Server C (10.1.3.2) with its own IP
address, Server A finds that the two IP addresses are not in the same
network segment 10.1.1.0/24.
b. Server A initiates an ARP broadcast to its gateway to request the MAC
address of the gateway.
c. After receiving the ARP request, Switch1 identifies the correlation
between the sub-VLAN and the super-VLAN, and sends an ARP response
to Server A through sub-VLAN 2. The source MAC address in the ARP
response packet is the MAC address of VLANIF4 for super-VLAN 4.
d. Server A learns the MAC address of the gateway.
e. Server A sends the packet to the gateway, with the destination MAC
address as the MAC address of VLANIF4 for super-VLAN 4, and the
destination IP address as 10.1.3.2.
f. After receiving the packet, Switch1 performs the Layer 3 forwarding and
sends the packet to Switch2, with the next hop address as 10.1.2.2 and the
outgoing interface as VLANIF10.
g. After receiving the packet, Switch2 performs the Layer 3 forwarding and
sends the packet to Server C through the directly-connected interface
VLANIF20.
h. The response packet from Server C reaches Switch1 after the Layer 3
forwarding on Switch2.
i. After receiving the packet, Switch1 performs the Layer 3 forwarding and
sends the packet to Server A through the super-VLAN.
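
The inter-VLAN proxy ARP decision described for Figure 5-12 earlier in this section can be modelled as follows; this Python code is an added example, not part of the Huawei guide. The handling of a target in the same sub-VLAN and the choice to probe every other sub-VLAN are assumptions, because the page describes only the two-sub-VLAN case.

```python
"""Constructed model of the inter-VLAN proxy ARP decision for Figure 5-12."""
from dataclasses import dataclass, field


@dataclass
class SuperVlanSwitch:
    vlanif_ip: str
    vlanif_mac: str
    sub_vlans: tuple
    proxy_arp_enabled: bool
    arp_table: dict = field(default_factory=dict)   # IP -> (MAC, sub-VLAN)
    attached: dict = field(default_factory=dict)    # stand-in for live hosts

    def _probe(self, target_ip, rx_vlan):
        """Broadcast an ARP Request for target_ip and record the reply, if any.
        Probing every sub-VLAN except the receiving one is an assumption; the
        page's two-sub-VLAN example names only VLAN 2."""
        host = self.attached.get(target_ip)
        for vlan in self.sub_vlans:
            if vlan != rx_vlan and host is not None and host[1] == vlan:
                self.arp_table[target_ip] = host
                return True
        return False

    def handle_arp_request(self, target_ip, rx_vlan):
        """Return (action, MAC placed in the ARP Reply or None)."""
        if target_ip == self.vlanif_ip:
            return ("reply", self.vlanif_mac)        # request for the gateway itself
        entry = self.arp_table.get(target_ip)
        if entry is not None:
            if entry[1] == rx_vlan:
                # Same sub-VLAN: not covered on the page; the hosts share a
                # broadcast domain, so no proxying is modelled (assumption).
                return ("no-action", None)
            if self.proxy_arp_enabled:
                return ("reply", self.vlanif_mac)    # Host A learns the VLANIF MAC
            return ("discard", None)
        # No ARP entry: the request is discarded whether or not proxy ARP is on.
        if self.proxy_arp_enabled:
            learned = self._probe(target_ip, rx_vlan)
            return ("discard-entry-learned" if learned else "discard", None)
        return ("discard", None)


def figure_5_12(proxy_arp_enabled):
    """Addresses and MACs are the ones printed in Figure 5-12."""
    return SuperVlanSwitch(
        vlanif_ip="10.10.10.3", vlanif_mac="3-3-3", sub_vlans=(2, 3),
        proxy_arp_enabled=proxy_arp_enabled,
        attached={"10.10.10.1": ("1-1-1", 3),     # Host A, sub-VLAN 3
                  "10.10.10.2": ("2-2-2", 2)})    # Host B, sub-VLAN 2


def resolve(switch, target_ip, rx_vlan, attempts=2):
    """Host-side view: retry the ARP Request and return the MAC finally learned."""
    for _ in range(attempts):
        action, mac = switch.handle_arp_request(target_ip, rx_vlan)
        if action == "reply":
            return mac
    return None


if __name__ == "__main__":
    print(resolve(figure_5_12(True), "10.10.10.2", 3))    # 3-3-3, not 2-2-2
    print(resolve(figure_5_12(False), "10.10.10.2", 3))   # None: still isolated
```

Host A ends up with the MAC address of VLANIF 4 rather than that of Host B, so traffic between the sub-VLANs crosses the Layer 3 interface, where it can be filtered. With proxy ARP disabled, the sub-VLANs stay isolated from each other.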

5.2.4 VLAN Damping


In a VLAN where a VLANIF interface has been configured, the VLAN goes Down
when all interfaces in the VLAN go Down. The interface Down event is reported
to the VLANIF interface, causing the VLANIF interface status to change. To
avoid network flapping caused by status changes of the VLANIF interface, you
can enable VLAN damping on the VLANIF interface and set a delay after which
the VLANIF interface goes Down.
With VLAN damping enabled, when the last Up interface in the VLAN goes Down,
the Down event is reported to the VLANIF interface after a delay (the delay
can be set as required). If an interface in the VLAN goes Up during the delay, the
status of the VLANIF interface remains unchanged. That is, the VLAN damping
function postpones the time at which the VLAN reports a Down event to the
VLANIF interface, avoiding unnecessary route flapping.

5.2.5 MUX VLAN


Background
On a data center network, the data center administrator has the following
requirements: All servers of the data center can access the external network. Some
servers can communicate, whereas some servers are isolated. To allow all servers
to access external networks, configure communication between VLANs. If there
are a large number of servers in a data center, VLANs must be assigned to servers
that cannot communicate with each other. This wastes VLAN IDs and creates a
heavy workload for network configuration and maintenance.
Multiplex VLAN (MUX VLAN) controls network resources by VLAN. MUX VLAN
allows some servers in a data center to communicate and some servers to be
isolated. In addition, MUX VLAN saves VLAN IDs and facilitates maintenance.


Basic Concepts
As shown in Table 5-6, a MUX VLAN is classified into principal VLANs and
subordinate VLANs; a subordinate VLAN is classified into separate VLANs and
group VLANs.

Table 5-6 Classification of a MUX VLAN

MUX VLAN          VLAN Type      Associated Port  Access Authority
Principal VLAN    -              Principal port   A principal port can communicate with all ports
                                                  in a MUX VLAN.
Subordinate VLAN  Separate VLAN  Separate port    A separate port can communicate only with a
                                                  principal port and is isolated from other types
                                                  of ports.
                                                  A separate VLAN must be bound to a principal VLAN.
                  Group VLAN     Group port       A group port can communicate with a principal port
                                                  and the other ports in the same group, but cannot
                                                  communicate with ports in other groups or a
                                                  separate port.
                                                  A group VLAN must be bound to a principal VLAN.

Principle of Communication in MUX VLAN


As shown in Figure 5-15, the principal port connects to the external network, the
separate port connects to users who do not need to communicate, and the group
port connects to users who need to communicate. In this way, internal users
of the data center can communicate where required, and some users are isolated.


Figure 5-15 Application scenario of MUX VLAN at the access layer
[Figure: Switch with a principal port towards the Internet, group ports to Server1 and Server2 (Group VLAN), and separate ports to Server3 and Server4 (Separate VLAN).]
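
The access rules of Table 5-6 can be written as a reachability check and used to audit an intended isolation policy before deployment. This Python code is an added example, not part of the Huawei guide; the VLAN IDs follow Figure 5-16, and Server5 in a second group VLAN (VLAN 5) is a hypothetical addition.

```python
"""Constructed model of the Table 5-6 access rules for MUX VLAN ports."""
from dataclasses import dataclass
from itertools import combinations

PRINCIPAL, GROUP, SEPARATE = "principal", "group", "separate"


@dataclass(frozen=True)
class MuxPort:
    name: str
    role: str      # PRINCIPAL, GROUP or SEPARATE
    vlan: int      # principal VLAN, or the subordinate VLAN the port is in


def can_communicate(a, b):
    """Apply the 'Access Authority' column of Table 5-6 to a pair of ports."""
    if PRINCIPAL in (a.role, b.role):
        return True                      # a principal port reaches every port
    if a.role == GROUP and b.role == GROUP:
        return a.vlan == b.vlan          # only ports of the same group
    return False                         # separate ports reach principal ports only


def reachable_pairs(ports):
    """All unordered pairs of ports that are allowed to communicate."""
    return {(a.name, b.name) for a, b in combinations(ports, 2)
            if can_communicate(a, b)}


def audit(ports, must_reach, must_isolate):
    """Compare an intended policy (pairs of port names) with the MUX VLAN rules
    and return a finding for every pair the design does not satisfy."""
    by_name = {p.name: p for p in ports}
    findings = []
    for a, b in must_reach:
        if not can_communicate(by_name[a], by_name[b]):
            findings.append(f"{a} cannot reach {b}")
    for a, b in must_isolate:
        if can_communicate(by_name[a], by_name[b]):
            findings.append(f"{a} is not isolated from {b}")
    return findings


def figure_5_15_ports():
    """Ports of Figure 5-15. VLAN IDs follow Figure 5-16 (VLAN 2 principal,
    VLAN 3 group, VLAN 4 separate); Server5 in VLAN 5 is hypothetical."""
    return [MuxPort("Uplink", PRINCIPAL, 2),
            MuxPort("Server1", GROUP, 3), MuxPort("Server2", GROUP, 3),
            MuxPort("Server3", SEPARATE, 4), MuxPort("Server4", SEPARATE, 4),
            MuxPort("Server5", GROUP, 5)]


if __name__ == "__main__":
    ports = figure_5_15_ports()
    print(sorted(reachable_pairs(ports)))
    print(audit(ports,
                must_reach=[("Server3", "Server4")],
                must_isolate=[("Server1", "Server2")]))
```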

On an aggregation device, you can create a VLANIF interface for the principal
VLAN. The IP address of the VLANIF interface can be used as the gateway address
of a server. As shown in Figure 5-16, MUX VLAN is configured on aggregation
switch Switch1 to implement isolation or interworking.


Figure 5-16 Application scenario of MUX VLAN at the aggregation layer
[Figure: Switch1 connects to the Internet through VLAN2 (Principal VLAN) and to Switch2, Switch3, Switch4 and Switch5; ServerB and ServerC are in VLAN3 (Group VLAN), ServerD and ServerE are in VLAN4 (Separate VLAN).]

5.2.6 VLAN Management


To use a network management system to manage multiple devices, create a
VLANIF interface on each device and configure a management IP address for the
VLANIF interface. You can then log in to a device and manage it using its
management IP address. If a user-side interface is added to the VLAN, users
connected to the interface can also log in to the device. This brings security risks
to the device.

After a VLAN is configured as a management VLAN (mVLAN), no access interface
or dot1q-tunnel interface can be added to the VLAN. An access interface or a
dot1q-tunnel interface is connected to users. The mVLAN prevents users connected
to access and dot1q-tunnel interfaces from logging in to the device, improving
device performance.

5.2.7 Transparent Transmission of Protocol Packets in a VLAN


When a gateway device or Layer 2 switch is enabled with snooping functions such
as DHCP/IGMP/MLD snooping, the device needs to parse and process protocol
packets such as ARP, DHCP, and IGMP packets. That is, protocol packets received
by an interface are sent to the CPU for processing. The interface sends protocol
packets without differentiating VLANs. If the preceding functions are deployed,
protocol packets from all VLANs are sent to the CPU for processing.

If the device works as the gateway or provides the snooping functions for only
some VLANs, the device does not need to process protocol packets in other VLANs.
After the protocol packets in other VLANs are sent to the CPU, the CPU needs to
forward them to other devices. This mechanism is called software forwarding.
Protocol packet processing in software forwarding decreases the forwarding
efficiency.
To address this issue, deploy transparent transmission of protocol packets in
VLANs where protocol packets do not need to be processed. This function enables
the device to transparently transmit the protocol packets in the VLANs to other
devices, which improves the forwarding speed and efficiency.

5.3 Application Scenarios for VLANs

5.3.1 VLAN Assignment


Port-Based VLAN Assignment

Figure 5-17 Networking diagram of port-based VLAN assignment
[Figure: SwitchA above a Switch that connects UserA (VLAN 2), UserB (VLAN 3) and UserC (VLAN 4).]

According to different requirements for interfaces, the switch in a data center
assigns interfaces connected to users to different VLANs so that services of users
are isolated. Each user has a virtual switch and each VLAN is a virtual work group.


MAC Address-Based VLAN Assignment

Figure 5-18 Networking diagram of MAC address-based VLAN assignment
[Figure: SwitchA with User C (VLAN 10) and User A (VLAN 10), where User A is shown at two positions.]

As shown in Figure 5-18, User A is initially connected to SwitchA in a data center.
User A is then required to connect to another interface of SwitchA. To
ensure that User A can still communicate with User C, configure MAC address-based
VLAN assignment on SwitchA. As long as the MAC address of User
A remains unchanged, no configuration needs to be changed for User A to
communicate with User C.

5.3.2 Inter-VLAN Communication


Inter-VLAN communication can be classified into the following two types:

Multiple VLANs Belong to the Same Device

Figure 5-19 Networking diagram of communications between multiple VLANs on the same device
[Figure: Switch A connected by a trunk link to an L2 Switch that serves UserA (VLAN 2), UserB (VLAN 3) and UserC (VLAN 4).]

As shown in Figure 5-19, if VLAN 2, VLAN 3, and VLAN 4 only belong to SwitchA,
you can configure a VLANIF interface for each VLAN on SwitchA to implement the
communications between these VLANs.


Multiple VLANs Belong to Different Devices

Figure 5-20 Networking diagram of communications between multiple VLANs on different devices
[Figure: Switch A (L3 Switch) and Switch B (L3 Switch) connected by a trunk link; each connects by a trunk link to an L2 Switch serving UserA (VLAN 2), UserB (VLAN 3) and UserC (VLAN 4).]

As shown in Figure 5-20, VLAN 2, VLAN 3, and VLAN 4 are VLANs across different
switches. In such a situation, you can configure a VLANIF interface respectively on
Switch A and Switch B for each VLAN, and then configure a static route or run a
routing protocol between Switch A and Switch B.

5.3.3 VLAN Aggregation

Figure 5-21 Networking diagram of VLAN aggregation application
[Figure: Switch (Proxy ARP) connected to the Network and to four L2 Switches; Super VLAN 2 contains Sub VLAN 21 and Sub VLAN 22, Super VLAN 3 contains Sub VLAN 31 and Sub VLAN 32.]


As shown in Figure 5-21, four VLANs, namely, VLAN 21, VLAN 22, VLAN 31, and
VLAN 32, are configured. If these VLANs need to communicate with each other,
you should configure an IP address for each VLAN on the Switch.

Alternatively, you can enable VLAN aggregation to aggregate VLAN 21 and VLAN
22 into super VLAN 2, and VLAN 31 and VLAN 32 into super VLAN 3. Therefore,
you can save IP addresses by only assigning IP addresses to the super VLANs.

After Proxy ARP is configured on Switch, the sub-VLANs in each super VLAN can
communicate with each other.

5.4 Summary of VLAN Configuration Tasks


Table 5-7 lists the VLAN configuration tasks.

Table 5-7 VLAN configuration tasks

| Item | Description | Task |
|---|---|---|
| Assigning a LAN to VLANs | VLANs can isolate the hosts that do not need to communicate with each other, which improves network security, reduces broadcast traffic, and prevents broadcast storms. | 5.7 Assigning a LAN to VLANs |
| Configuring Inter-VLAN Communication | After VLANs are configured, users in the same VLAN can communicate with each other while users in different VLANs cannot. To implement inter-VLAN communication, configure VLANIF interfaces, which are Layer 3 logical interfaces, or Layer 3 sub-interfaces. | 5.8 Configuring Inter-VLAN Communication |
| Configuring VLAN Aggregation to Save IP Addresses | VLAN aggregation saves IP addresses and implements inter-VLAN communication. | 5.9 Configuring VLAN Aggregation to Save IP Addresses |
| Configuring a MUX VLAN to Separate Layer 2 Traffic | Configuring a MUX VLAN allows users in different VLANs to communicate with each other, and separates users in a certain VLAN. | 5.10 Configuring MUX VLAN |
| Configuring an mVLAN to Implement Integrated Management | Management VLAN (mVLAN) configuration allows users to use the VLANIF interface of the mVLAN to log in to the management switch to centrally manage devices. | 5.11 Configuring an mVLAN to Implement Integrated Management |
| Configuring Transparent Transmission of Protocol Packets in a VLAN to Improve Forwarding Efficiency | A switch directly transparently transmits protocol packets in a specified VLAN without sending them to the CPU. | 5.12 Configuring Transparent Transmission of Protocol Packets in a VLAN to Improve Forwarding Efficiency |
| Configuring an Interface to Discard Incoming Tagged Packets | If a user connects a switch to a user-side interface without permission, the user-side interface may receive tagged packets. To prevent unauthorized access, you can configure the user-side interface to discard incoming tagged packets. | 5.13 Configuring an Interface to Discard Incoming Tagged Packets |

5.5 Licensing Requirements and Limitations for VLANs


Involved Network Elements
Other network elements are not required.

Licensing Requirements
VLAN is a basic function of the switch, and as such is controlled by the license for
basic software functions. The license for basic software functions has been loaded
and activated before delivery. You do not need to manually activate it.

Version Requirements

Table 5-8 Products and minimum versions supporting VLAN technology

| Product | Minimum Version Required |
|---|---|
| CE8860EI | V100R006C00 |
| CE8861EI/CE8868EI | V200R005C10 |
| CE8850-32CQ-EI | V200R002C50 |
| CE8850-64CQ-EI | V200R005C00 |
| CE7850EI | V100R003C00 |
| CE7855EI | V200R001C00 |
| CE6810EI | V100R003C00 |
| CE6810-48S4Q-LI, CE6810-48S-LI | V100R003C10 |
| CE6810-32T16S4Q-LI, CE6810-24S2Q-LI | V100R005C10 |
| CE6850EI | V100R001C00 |
| CE6850-48S6Q-HI | V100R005C00 |
| CE6850-48T6Q-HI, CE6850U-HI, CE6851HI | V100R005C10 |
| CE6855HI | V200R001C00 |
| CE6856HI | V200R002C50 |
| CE6857EI | V200R005C10 |
| CE6860EI | V200R002C50 |
| CE6865EI | V200R005C00 |
| CE6870-24S6CQ-EI | V200R001C00 |
| CE6870-48S6CQ-EI | V200R001C00 |
| CE6870-48T6CQ-EI | V200R002C50 |
| CE6875-48S4CQ-EI | V200R003C00 |
| CE6880EI | V200R002C50 |
| CE5810EI | V100R002C00 |
| CE5850EI | V100R001C00 |
| CE5850HI | V100R003C00 |
| CE5855EI | V100R005C10 |
| CE5880EI | V200R005C10 |


NOTE

For details about the mapping between software versions and switch models, see the
Hardware Query Tool.

Feature Dependencies and Limitations


● Plan service and management VLANs separately so that broadcast storms in
service VLANs will not affect the management of switches.
● Specify the VLANs from which packets need to be transparently transmitted
by a trunk interface. You are advised not to run the port trunk allow-pass
vlan all command to configure a trunk interface to transparently transmit
packets of all VLANs.
● The CE6810LI does not support IPv4 or IPv6 Layer 3 forwarding. After the IPv4
or IPv6 function is enabled on an interface of the CE6810LI, the configured
IPv4 or IPv6 address can only be used to manage the switch.
● VLAN 1 is a built-in VLAN of the system, does not need to be created, and
cannot be deleted. Do not configure VLAN 1 as a management VLAN or
super-VLAN. To prevent broadcast storms on a backbone device, remove
interfaces from VLAN 1.
● On the CE6870EI and CE6875EI, MAC address-based VLAN assignment cannot
be used with port security or MAC address learning limit.
● Switches excluding the CE5880EI, CE6875EI, CE6880EI, and CE6870EI do not
support VLAN-based mirroring when MAC address-based VLAN assignment is
configured.
● On the CE6870EI and CE6875EI, a few packets will be lost after the mac-vlan
enable or undo mac-vlan enable command is executed when MAC address-
based VLAN assignment is configured. Exercise caution when performing this
operation.
● On the CE6870EI and CE6875EI, PVID of an interface must be the same as an
IP subnet-based VLAN ID when the IP subnet-based VLAN is used for Layer 3
forwarding.
● When an interface has a PVID configured and the encapsulation untag
command is executed to configure a Layer 2 sub-interface to accept untagged
packets, untagged packets are forwarded to the VXLAN through the Layer 2
sub-interface if the Layer 2 sub-interface is Up. If the Layer 2 sub-interface is
Down, untagged packets are forwarded based on the PVID.
● When a hybrid interface has a PVID and the port hybrid tagged vlan
command configured, the BPDUs sent by the interface carry the PVID when
the interface is running protocols such as STP, LACP, LLDP, GVRP, HGMP, and
802.3AH. As a result, the interface cannot be interconnected with the peer
end. To prevent this problem, configure the interface to work in untagged
mode when the interface is running these protocols.
● The outer VLAN ID encapsulated for a QinQ Layer 2 sub-interface cannot be
the same as the default VLAN ID and allowed VLAN ID of the corresponding
Layer 2 main interface.
● VLANs, VXLANs, carrier VLANs, and main interfaces share system resources. If
system resources are insufficient, the configurations of these features may fail.
● Reserved VLANs


– Reserved VLANs conflict with common VLANs, so reserved VLANs cannot
be used as common VLANs.
– Created reserved VLANs take effect only after the switch restarts, so the
VLANs that are being used cannot be configured as reserved VLANs.
– Reserved VLANs can only be used by Layer 3 main interfaces of the
CE6855HI, CE7855EI, CE6856HI, CE6865EI, CE6857EI, CE8861EI, and
CE8868EI.

▪ These reserved VLANs take effect without requiring the restart of the
switch. You can configure a maximum of eight reserved VLAN ranges
for Layer 3 main interfaces. The reserved VLAN ranges specified
using the vlan reserved for main-interface startvlanid to endvlanid
command multiple times cannot overlap.

▪ When you run the undo vlan reserved for main-interface
startvlanid to endvlanid command to cancel a specific reserved VLAN
range, the entire reserved VLAN range will be canceled. If a main
interface has been added to a reserved VLAN in the range, the undo
vlan reserved for main-interface command cannot be executed.
▪ The reserved VLANs of main interfaces cannot be included in the
Layer 2 reserved VLAN range configured using the vlan reserved
command.
▪ If the dynamic VLAN to be learned through GVRP is within the
reserved VLAN range of main interfaces, the dynamic VLAN cannot
be learned.
▪ In an SVF system, the VID configured for a Layer 2 sub-interface
using the encapsulation dot1q vid vid command cannot be a VLAN
ID that is in the reserved VLAN range of a main interface.
● VLAN aggregation
– Physical interfaces cannot be added to a VLAN that is configured as a
super-VLAN.
– A VLAN can be added to only one super-VLAN.
– A super-VLAN must be different from its sub-VLANs.
– An IP address must be assigned to the VLANIF interface for a super-VLAN.
Otherwise, proxy ARP does not take effect.
● MUX VLAN
– The interface that has the MUX VLAN function enabled cannot be added
to VLANs in the same MUX VLAN.
– An access interface can be added to only one MUX VLAN. A trunk or
hybrid interface can be added to a maximum of 32 MUX VLANs.
– Disabling MAC address learning or limiting the number of learned MAC
addresses on an interface that has the MUX VLAN function enabled will
affect the MUX VLAN function.
– All member VLANs in a MUX VLAN must belong to the same STP
instance; otherwise, traffic forwarding may fail or loops may occur. The
VLANs in QinQ and VLAN mapping must also belong to the same STP
instance.


– The VLAN ID assigned to a principal VLAN cannot be used to configure
VLAN mapping, VLAN stacking, super-VLAN, or sub-VLAN.
– The VLAN ID assigned to a group VLAN or separate VLAN cannot be used
to configure a VLANIF interface, VLAN mapping, VLAN stacking, super-
VLAN, or sub-VLAN.
– The MUX VLAN function conflicts with port security and VLAN ID-based
selective QinQ and cannot be configured together with these features.
– MUX VLAN cannot be configured together with TRILL, MPLS, EVN, and
VBST.
– In MUX VLAN cascading scenarios on switches except the CE6810LI, a
VLANIF interface can be created for a principal VLAN, but this VLANIF
interface cannot forward traffic from sub-VLANs at Layer 3.
– On the CE6810LI, VLANIF interfaces cannot be created for a principal
VLAN and sub-VLANs.
– A VLANIF interface cannot be created for a VLAN configured with the
MUX VLAN function on the CE6881, CE6863, and CE6820.
● VLAN traffic statistics collection
– Traffic statistics collection in a VLAN and traffic statistics collection on a
Layer 2 sub-interface are mutually exclusive on the CE6870EI and
CE6875EI.
– On the CE6870EI and CE6875EI, traffic statistics collection does not take
effect in a MUX VLAN.
– Traffic statistics are accumulative and cannot be automatically cleared by
the system. To clear traffic statistics in a VLAN, run the reset vlan
statistics command in the VLAN.
– The traffic statistics function occupies system resources. If system
resources are insufficient, configurations may fail. Disable this function
when traffic statistics do not need to be collected.
– On all switch models running versions earlier than V100R006C00, the
following traffic statistics collection functions are listed in descending
order of priority: Traffic statistics collection in a VLAN, MQC-based traffic
statistics collection, and traffic statistics collection on a VLANIF interface.
When the three functions are all configured, only the traffic statistics
collection function with a higher priority takes effect. The following table
lists the traffic statistics collection functions in descending order of
priority in V100R006C00 and later versions.


Table 5-9 Priorities of traffic statistics collection functions


| Model | Priorities of traffic statistics collection functions |
|---|---|
| CE5880EI, CE6880EI | Inbound and outbound directions: Traffic statistics collection in a VLAN > Traffic statistics collection on a VLANIF interface. Traffic statistics collection based on 5-tuple information of IP packets and MQC-based traffic statistics collection are compatible with the two statistics collection functions. |
| CE6850EI, CE6810EI, CE6810LI, CE5855EI, CE5810EI | Inbound direction: Traffic statistics collection in a VLAN > Traffic statistics collection on a VLANIF interface. Outbound direction: Traffic statistics collection based on 5-tuple information of IP packets > MQC-based traffic statistics collection > Traffic statistics collection in a VLAN > Traffic statistics collection on a VLANIF interface. |
| CE6870EI, CE6875EI | Traffic statistics collection based on 5-tuple information of IP packets > MQC-based traffic statistics collection > Traffic statistics collection on a VLANIF interface |
| Other switch models | Inbound direction: The four collection methods are compatible with each other. Outbound direction: Traffic statistics collection based on 5-tuple information of IP packets > Traffic statistics collection on a VLANIF interface; Traffic statistics collection based on 5-tuple information of IP packets > MQC-based traffic statistics collection. Traffic statistics collection in a VLAN can be used together with traffic statistics collection based on 5-tuple information of IP packets, based on MQC, and on a VLANIF interface. |


– On the CE6875EI, statistics on outgoing traffic do not include statistics on
packets forwarded at Layer 3.
– On the CE6870EI and CE6875EI, the outgoing traffic statistics in a VLAN
bound to an EVN instance are inaccurate.
– On the CE5880EI and CE6880EI, when the packet forwarding mode is set
to cut-through, VLAN traffic statistics collection is not supported.
– On the CE6870EI and CE6875EI, if port mirroring is configured on an
interface and the interface is added to a VLAN, traffic statistics on the
interface will be twice the actual statistics during outgoing VLAN traffic
statistics collection.
● VLANIF interface traffic statistics collection
– After you run the undo statistics enable command to disable traffic
statistics collection on a VLANIF interface, traffic statistics on the VLANIF
interface will not be collected and the collected traffic statistics on the
interface will be cleared. Statistics on IPv4 packets and IPv6 packets can
be collected separately. You can run the undo statistics enable
command to clear statistics of a specific packet type. For details, see the
statistics enable (VLANIF interface view) command.
– Enabling traffic statistics collection on a VLANIF interface may affect the
forwarding performance. For example, some interfaces may fail to
forward packets at line rate when all interfaces are configured to forward
packets at line rate. Therefore, use this statistics collection function only if
required.
– On the CE6870EI and CE6875EI:
– The following services are in descending order of priority: M-LAG
unidirectional isolation, MQC (traffic policing, traffic statistics collection,
and packet filtering), querying the outbound interface of packets with
specified 5-tuple information, source MAC address, and destination MAC
address, local VLAN mirroring, sFlow, NetStream, and VLANIF interface
statistics collection. When the services are configured on an interface in
the outbound direction, only the service with the highest priority takes
effect. For example, when both packet filtering and VLANIF interface
statistics collection are configured on a VLANIF interface, packet filtering
takes effect.
For sFlow and NetStream, the preceding limitations apply only to Layer 2
sub-interfaces and Layer 3 sub-interfaces. For details about the priorities
between MQC-based traffic statistics collection and traffic statistics
collection on a VLANIF interface, see Licensing Requirements and
Limitations for Traffic Statistics Collection.
– If traffic statistics collection on Layer 3 sub-interfaces is disabled on the
CE8860EI, CE8850EI, CE7850EI, CE6860EI, CE6856HI, CE6855HI,
CE6851HI, CE6850U-HI, CE6850HI, CE6850EI, CE6810EI, CE6810LI,
CE5855EI, CE5850HI, CE5850EI, and CE5810EI, the downstream traffic
statistics on a VLANIF interface are incorrectly included in the traffic
statistics on the Layer 3 sub-interface with the same VLAN ID.

5.6 Default Settings for VLANs


Table 5-10 Default settings for VLANs

| Parameter | Default Setting |
|---|---|
| Port link type | Access |
| Default VLAN ID | 1 |
| Damping time | 0s |
| Traffic statistics function of VLAN | Disabled |
| Traffic statistics function of the VLANIF interface | Disabled |

5.7 Assigning a LAN to VLANs


VLANs can isolate the hosts that require no communication with each other, which
improves network security, reduces broadcast traffic, and suppresses broadcast
storms.

5.7.1 Configuring Interface-based VLAN Assignment


Context
VLANs can be assigned based on interfaces. With interface-based VLAN
assignment, an interface is added to a VLAN, after which the interface can
forward packets from the VLAN. Interface-based VLAN assignment allows hosts in
the same VLAN to communicate and prevents hosts in different VLANs from
communicating, limiting broadcast packets to within a VLAN.

Before configuring interface-based VLAN assignment, create a VLAN, configure
the link type of an interface, and add the interface to the VLAN.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 (Optional) Run vlan assign { global | local } { vlan-id1 [ to vlan-id2 ] } &<1-5>

VLANs are assigned globally.

NOTE

CE5800 series switches excluding CE5880EI, CE6810EI, CE6810LI, and CE6850EI do not support
this command.

On a large Layer 2 network, a Software Defined Network (SDN) controller is used
to facilitate control and deployment. You can directly configure services or
protocols on the SDN controller. The SDN controller then delivers information to
the forwarder through OpenFlow, implementing uniform maintenance and
management. You can also directly configure services or protocols on the
forwarder. To prevent VLAN conflicts on the SDN controller and forwarder and
reduce maintenance costs, run the vlan assign command to configure VLAN
assignment.
● global: After VLANs are assigned globally, the VLAN created by the vlan vlan-
id command must be in the allocated VLAN range.
● local: After VLANs are assigned locally, the VLANs allowed by all interfaces
must be in the allocated VLAN range.
Step 3 (Optional) Run vlan reserved vlan-id
A reserved VLAN is configured.
By default, the reserved VLAN ID ranges from 4064 to 4094. After vlan-id is
specified, the VLAN specified by vlan-id to the VLAN specified by vlan-id plus 30
are configured as reserved VLANs.
NOTE

CE5880EI and CE6880EI do not support this step.

Step 4 Run vlan vlan-id


A VLAN is created and the VLAN view is displayed. If the specified VLAN has been
created, this command displays the VLAN view.
The value ranges from 1 to 4094. It cannot be the reserved VLAN ID. To batch
create VLANs, run the vlan batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command
to create VLANs. Then run the vlan vlan-id command to enter the VLAN view.

NOTE

When multiple VLANs are created on a switch, you are advised to configure names for the
VLANs to facilitate management.
Run the name vlan-name command in the VLAN view to create a VLAN name. After the
VLAN name is configured, you can run the vlan vlan-name vlan-name command in the
system view to enter the corresponding VLAN view.

Step 5 Run quit


Return to the system view.
Step 6 Configure attributes for an Ethernet interface.
1. Run the interface interface-type interface-number command to enter the
view of the Ethernet interface to be added to the VLAN.
2. Run the port link-type { access | hybrid | trunk | dot1q-tunnel } command
to configure the link type of the Ethernet interface.
By default, the link type of an interface is access.
– If an Ethernet interface directly connects to a terminal, the link type of
the Ethernet interface can be access or hybrid.
– If an Ethernet interface connects to an interface of another switch, the
link type of the Ethernet interface can be trunk or hybrid.
3. (Optional) Run the port priority priority-value command to configure the
priority of the Ethernet interface.
By default, the priority of an Ethernet interface is 0. The value ranges from 0
to 7. A larger value indicates a higher priority.


Step 7 Add the Ethernet interface to a VLAN. By default, the VLAN and default VLAN that
an interface joins are both VLAN 1.
Run the following command as required.
● Access or QinQ interface
Run the port default vlan vlan-id command to add the interface to the
specified VLAN.
Run the port interface-type { interface-number1 [ to interface-number2 ] }
&<1-10> command in the VLAN view to add one interface or a group of
interfaces to a VLAN.
● Trunk interface
– Run the port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }
&<1-40> | all } command to add the interface to the specified VLAN.
– (Optional) Run the port trunk pvid vlan vlan-id command to configure
the default VLAN of the trunk interface.
● Hybrid interface
– Run the following command as required.

▪ Run the port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] }
&<1-10> | all } command to add a hybrid interface to a VLAN in
untagged mode.
In untagged mode, an interface removes tags from outgoing packets.
This mode applies to the scenario where an Ethernet interface
directly connects to a terminal.
▪ Run the port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] }
&<1-10> | all } command to add a hybrid interface to a VLAN in
tagged mode.
In tagged mode, an interface does not remove tags from outgoing
packets. This mode applies to the scenario where an Ethernet
interface connects to an interface of another switch.
– (Optional) Run the port hybrid pvid vlan vlan-id command to configure
the default VLAN of the hybrid interface.
Step 8 Run commit
The configuration is committed.

----End
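
The constraints stated in 5.5 and in the steps above (VLAN IDs 1 to 4094, the reserved range, the vlan assign range, and the advice against port trunk allow-pass vlan all) can be checked against a change script before it is committed. The following Python check is an added example, not Huawei code; the function names, the sample interface names, and the sample VLAN IDs are constructed for illustration, and the script is assumed to contain the commands exactly as typed.

```python
import re

DEFAULT_RESERVED = range(4064, 4095)  # default reserved VLAN IDs: 4064 to 4094
PORT_VLAN_CMD = re.compile(
    r"port (?:default vlan|trunk allow-pass vlan|trunk pvid vlan|"
    r"hybrid (?:un)?tagged vlan|hybrid pvid vlan) ([\d to]+)"
)

# Constructed change script; interface names and VLAN IDs are sample values.
SAMPLE_SCRIPT = """\
system-view
vlan assign global 10 to 50 4000 to 4010
vlan reserved 4000
vlan batch 10 20 to 22
vlan 60
vlan 4005
quit
interface 10GE1/0/1
 port link-type access
 port default vlan 10
interface 10GE1/0/2
 port link-type trunk
 port trunk allow-pass vlan all
interface 10GE1/0/3
 port link-type trunk
 port trunk allow-pass vlan 20 to 23
commit
"""


def expand_vlans(tokens):
    """Expand ['10', '20', 'to', '22'] into {10, 20, 21, 22}."""
    ids, i = set(), 0
    while i < len(tokens):
        first = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            ids.update(range(first, int(tokens[i + 2]) + 1))
            i += 3
        else:
            ids.add(first)
            i += 1
    return ids


def audit_script(text):
    """Return a list of findings for a script of typed VLAN commands."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    reserved = DEFAULT_RESERVED
    assign = {"global": None, "local": None}  # None means no restriction

    # Pass 1: collect the ranges that constrain every other command.
    for ln in lines:
        if m := re.fullmatch(r"vlan reserved (\d+)", ln):
            first = int(m.group(1))
            reserved = range(first, first + 31)  # vlan-id to vlan-id plus 30
        elif m := re.fullmatch(r"vlan assign (global|local) ([\d to]+)", ln):
            ids = expand_vlans(m.group(2).split())
            assign[m.group(1)] = (assign[m.group(1)] or set()) | ids

    # Pass 2: check VLAN creation and interface membership commands.
    findings, created, iface = [], {1}, None  # VLAN 1 is built in
    for ln in lines:
        if m := re.fullmatch(r"vlan (?:batch )?([\d to]+)", ln):
            for vid in sorted(expand_vlans(m.group(1).split())):
                if not 1 <= vid <= 4094:
                    findings.append(f"VLAN {vid}: outside 1-4094")
                elif vid in reserved:
                    findings.append(f"VLAN {vid}: in reserved range "
                                    f"{reserved[0]}-{reserved[-1]}")
                elif assign["global"] is not None and vid not in assign["global"]:
                    findings.append(f"VLAN {vid}: outside vlan assign global range")
                else:
                    created.add(vid)
        elif m := re.fullmatch(r"interface (\S+)", ln):
            iface = m.group(1)
        elif ln == "port trunk allow-pass vlan all":
            findings.append(f"{iface}: trunk allows all VLANs; list required VLANs")
        elif m := PORT_VLAN_CMD.fullmatch(ln):
            used = expand_vlans(m.group(1).split())
            if missing := sorted(used - created):
                findings.append(f"{iface}: VLANs not created by script: {missing}")
            if assign["local"] is not None and (extra := sorted(used - assign["local"])):
                findings.append(f"{iface}: outside vlan assign local range: {extra}")
    return findings


if __name__ == "__main__":
    for finding in audit_script(SAMPLE_SCRIPT):
        print(finding)
```
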

5.7.2 Dividing a LAN into VLANs Based on MAC Addresses

Context
NOTE

The switch enabled with MAC address-based VLAN assignment cannot process protocol
packets sent to the CPU, and it is recommended that MAC address-based VLAN assignment
be used in Layer 2 transparent transmission scenarios.

MAC address-based VLAN assignment is used when the physical locations of users
do not need to be considered. This improves security and flexibility for
terminal users.


VLANs configured based on MAC addresses process only untagged frames, and
treat tagged frames in the same manner as VLANs configured based on ports.
After receiving an untagged frame, a port searches for a MAC-VLAN mapping
based on the source MAC address in the frame.
● If a mapping is found, the port forwards the frame based on the VLAN ID and
priority value in the mapping.
● If no matching mapping is found, the port matches the frame with other
matching rules.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Run vlan assign global { vlan-id1 [ to vlan-id2 ] } &<1-5>
VLANs that can be globally assigned are specified.

NOTE

CE5800 series switches excluding CE5880EI, CE6810EI, CE6810LI, and CE6850EI do not support
this command.

After VLANs are assigned, the VLANs created using the vlan vlan-id command
must be within the assignable VLAN range.
Step 3 (Optional) Run vlan reserved vlan-id
A reserved VLAN is configured.
By default, the reserved VLAN ID ranges from 4064 to 4094. After vlan-id is
specified, the VLAN specified by vlan-id to the VLAN specified by vlan-id plus 30
are configured as reserved VLANs.
NOTE

CE5880EI and CE6880EI do not support this step.

Step 4 Run vlan vlan-id


A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been
created, the VLAN view is directly displayed.
The VLAN ID ranges from 1 to 4094 (excluding reserved VLANs). If VLANs need to
be created in batches, run the vlan batch { vlan-id1 [ to vlan-id2 ] } &<1-10>
command to create VLANs in batches, and then run the vlan vlan-id command to
enter the view of a specified VLAN.

NOTE

If a device is configured with multiple VLANs, configuring names for these VLANs is
recommended:
Run the name vlan-name command in the VLAN view. After a VLAN name is configured,
you can run the vlan vlan-name vlan-name command in the system view to enter the
corresponding VLAN view.

Step 5 Run mac-vlan mac-address mac-address [ priority priority ]


A MAC address is mapped to the VLAN.


● The mac-address value is in H-H-H format. An H is a hexadecimal number
that contains one to four digits, such as 00e0 and fc01. If an H contains fewer
than four digits, leading 0s are added. For example, if you specify an H as e0,
it is displayed as 00e0. A MAC address cannot be set to all 0s, all Fs, or a
multicast address.
● priority specifies the 802.1p priority relevant to the MAC addresses. The value
ranges from 0 to 7. A larger value indicates a higher priority. The default
value is 0. After the 802.1p priority is specified, frames with high priorities are
first forwarded when traffic is congested. CE6870EI and CE6875EI do not
support this parameter.
Step 6 Run quit
The system view is displayed.
Step 7 Configure attributes for Ethernet interfaces.
1. Run the interface interface-type interface-number command to enter the
view of the interface.
2. Run the port link-type hybrid command to set the link type of the interface
to hybrid.
The interface where MAC address-based VLAN assignment is to be enabled is
a hybrid interface.
By default, the link type is access.
3. Run the port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> |
all } command to configure the hybrid interface to allow frames with a
specified VLAN ID to pass through.
Step 8 Run mac-vlan enable
MAC address-based VLAN assignment is enabled.
By default, MAC address-based VLAN assignment is disabled.

NOTE

● For CE6870EI and CE6875EI, MAC address-based VLAN assignment cannot be used with
port security or MAC address limiting on the same interface.
● When MAC address-based VLAN assignment is used, the priority of packets with the
VLAN ID of 0 cannot be modified.
● When MAC address-based assignment is configured on the CE6870EI and CE6875EI,
running the mac-vlan enable or undo mac-vlan enable command may cause a few
packets to be discarded. Exercise caution when you run this command.

Step 9 Run commit


The configuration is committed.

----End


5.7.3 Dividing a LAN into VLANs Based on IP Subnets


Context
NOTE

The CE6810LI does not support IP subnet-based VLAN assignment.


The switch enabled with IP subnet-based VLAN assignment cannot process protocol packets
sent to the CPU, and it is recommended that IP subnet-based VLAN assignment be used in
Layer 2 transparent transmission scenarios.

IP subnet-based assignment allows users to easily join a VLAN, transfer from one
VLAN to another, and exit from a VLAN. IP subnet-based VLAN assignment is
applicable to networks that have traveling users and require simple management.
The switch enabled with IP subnet-based VLAN assignment processes only
untagged frames. After receiving untagged frames, the switch determines the
VLANs to which the frames belong based on their source IP addresses and
network segment addresses before sending them to corresponding VLANs.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Run vlan assign global { vlan-id1 [ to vlan-id2 ] } &<1-5>
VLANs that can be globally assigned are specified.

NOTE

CE5800 series switches excluding CE5880EI, CE6810EI, CE6810LI, and CE6850EI do not support
this command.

After VLANs are assigned, the VLANs created using the vlan vlan-id command
must be within the assignable VLAN range.
Step 3 (Optional) Run vlan reserved vlan-id
A reserved VLAN is configured.
By default, the reserved VLAN ID ranges from 4064 to 4094. After vlan-id is
specified, the VLAN specified by vlan-id to the VLAN specified by vlan-id plus 30
are configured as reserved VLANs.
NOTE

CE5880EI and CE6880EI do not support this step.

Step 4 Run vlan vlan-id


A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been
created, the VLAN view is directly displayed.
The VLAN ID ranges from 1 to 4094 (excluding reserved VLANs). If VLANs need to
be created in batches, run the vlan batch { vlan-id1 [ to vlan-id2 ] } &<1-10>
command to create VLANs in batches, and then run the vlan vlan-id command to
enter the view of a specified VLAN.


NOTE

If the switch is configured with multiple VLANs, configuring names for these VLANs is
recommended:
Run the name vlan-name command in the VLAN view. After a VLAN name is configured,
you can run the vlan vlan-name vlan-name command in the system view to enter the
corresponding VLAN view.

Step 5 Run ip-subnet-vlan [ ip-subnet-index ] ip ip-address { mask | mask-length }
[ priority priority ]

An IP subnet is associated with the VLAN.

● ip-subnet-index specifies the IP subnet index. The subnet index can be
specified by a user or automatically generated by the system.
● ip-address specifies the source IP address or network address based on which
a VLAN is configured. The value is in dotted decimal notation.
● priority specifies the 802.1p priority value related to the VLAN configured
based on the IP address or network address. The value ranges from 0 to 7.
The greater the value, the higher the priority. The default value is 0. After the
802.1p priority value is specified, frames with high priorities are first
forwarded when traffic is congested. The CE6870EI and CE6875EI do not
support this parameter.

The CE5810EI and CE5855EI support 256 subnets, the CE6870EI and CE6875EI
support 16 subnets, and other models support 512 subnets. The IP subnet or the
IP address associated with a VLAN cannot be a multicast network segment or
multicast address.

Step 6 Run quit

The system view is displayed.

Step 7 Configure attributes for Ethernet interfaces.


1. Run the interface interface-type interface-number command to enter the
view of the Ethernet interface configured with IP subnet-based VLAN
assignment.
2. Run the port link-type hybrid command to set the link type of the interface
to hybrid.
IP subnet-based VLAN assignment must be configured on the hybrid interface.
By default, the link type is access.
3. Run the port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> |
all } command to add the hybrid interface to the IP subnet-based VLAN.

Step 8 (Optional) Run vlan precedence ip-subnet-vlan

IP subnet-based VLAN assignment is configured with a higher priority.

By default, MAC address-based VLAN assignment is used.

NOTE

The CE6810LI, CE6870EI, and CE6875EI do not support this step.

Step 9 Run ip-subnet-vlan enable

IP subnet-based VLAN assignment is enabled.


By default, IP subnet-based VLAN assignment is disabled.
Step 10 Run commit
The configuration is committed.

----End

5.7.4 Protocol-based VLAN Assignment


Context
NOTE

CE6810LI does not support protocol-based VLAN assignment.


The switch enabled with protocol-based VLAN assignment cannot process protocol packets
sent to the CPU, and it is recommended that protocol-based VLAN assignment be used in
Layer 2 transparent transmission scenarios.

Both IP subnet-based and protocol-based VLAN assignment are called network
layer-based VLAN assignment, which reduces manual VLAN configuration
workload and allows users to easily join a VLAN, transfer from one VLAN to
another, and exit from a VLAN. The switch that has protocol-based VLAN
assignment enabled processes only untagged frames, and treats tagged frames in
the same manner as interface-based VLAN assignment.
When receiving an untagged frame from an interface, the switch identifies the
protocol profile of the frame and then determines the VLAN that the frame
belongs to.
● If protocol-based VLANs are configured on the interface and the protocol
profile of the frame matches a protocol-based VLAN, the switch adds the
VLAN tag to the frame.
● If protocol-based VLANs are configured on the interface and the protocol
profile of the frame matches no protocol-based VLAN, the switch adds the
PVID of the interface to the frame.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Run vlan assign global { vlan-id1 [ to vlan-id2 ] } &<1-5>
VLANs that can be globally assigned are specified.

NOTE

CE5800 series switches excluding CE5880EI, CE6810EI, CE6810LI, and CE6850EI do not support
this command.

After VLANs are assigned, the VLANs created using the vlan vlan-id command
must be within the assignable VLAN range.
Step 3 (Optional) Run vlan reserved vlan-id

A reserved VLAN is configured.


By default, the reserved VLAN ID ranges from 4064 to 4094. After vlan-id is
specified, the VLAN specified by vlan-id to the VLAN specified by vlan-id plus 30
are configured as reserved VLANs.
NOTE

CE5880EI and CE6880EI do not support this step.

Step 4 Run vlan vlan-id


A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been
created, the VLAN view is directly displayed.
The VLAN ID ranges from 1 to 4094 (excluding reserved VLANs). If VLANs need to
be created in batches, run the vlan batch { vlan-id1 [ to vlan-id2 ] } &<1-10>
command to create VLANs in batches, and then run the vlan vlan-id command to
enter the view of a specified VLAN.

NOTE

If a device is configured with multiple VLANs, configuring names for these VLANs is
recommended:
Run the name vlan-name command in the VLAN view. After a VLAN name is configured,
you can run the vlan vlan-name vlan-name command in the system view to enter the
corresponding VLAN view.
Manually configuring and maintaining VLANs is challenging on a large Layer 2 network.
Configuration inconsistency may occur. To improve maintenance efficiency and simplify
configuration, run the vlan range { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create a
temporary VLAN range and configure services in the VLAN range view. Services are then
delivered in batches to all the VLANs in the VLAN range.

Step 5 Run protocol-vlan [ protocol-index ] { at | ipv4 | ipv6 | ipx { ethernetii | llc | raw
| snap } | mode { ethernetii-etype etype-id1 | llc dsap dsap-id ssap ssap-id |
snap-etype etype-id2 } }
Protocols are associated with VLANs and a protocol profile is specified.
● protocol-index specifies the index of a protocol profile.
A protocol profile depends on protocol types and encapsulation formats, and
a VLAN associated with a protocol can be defined in a protocol profile.
● When specifying the source and destination service access points, pay
attention to the following points:
– dsap-id and ssap-id cannot both be set to 0xaa.
– dsap-id and ssap-id cannot both be set to 0xe0. 0xe0 indicates llc, an
encapsulation format of IPX packets.
– dsap-id and ssap-id cannot both be set to 0xff. 0xff indicates raw, an
encapsulation format of IPX packets.
Step 6 Run quit
The system view is displayed.
Step 7 Configure attributes for the Ethernet interface.
1. Run interface interface-type interface-number
The view of the interface that allows the protocol-based VLAN is displayed.

2. Run port link-type hybrid
The interface is configured as a hybrid interface.
Protocol-based VLAN assignment can only be configured on hybrid interfaces.
3. Run port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
The hybrid interface is configured to allow the protocol-based VLAN.

Step 8 Run protocol-vlan vlan vlan-id { all | protocol-index1 [ to protocol-index2 ] } [ priority priority ]

The interface is associated with a protocol-based VLAN.

● vlan-id must be the ID of a protocol-based VLAN.


● priority specifies the 802.1p priority of a protocol-based VLAN. The value
ranges from 0 to 7. A larger value indicates a higher priority. The default
value is 0. After the 802.1p priority of a protocol-based VLAN is specified, the
switch first forwards high-priority frames in the case of congestion.

Step 9 Run commit

The configuration is committed.

----End
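
The classification rule described in this section, modelled in Python as an added example (not Huawei code): it reads the encapsulation of an incoming frame, applies the dsap-id/ssap-id restriction from Step 5, and returns the protocol-based VLAN or the PVID. The keyword-to-EtherType table, the HybridPort class, the VLAN IDs and the sample frames are assumptions constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100
RESERVED_SAP = (0xAA, 0xE0, 0xFF)  # dsap-id and ssap-id cannot both be one of these
# Assumed keyword-to-encapsulation mapping (standard EtherTypes). The page itself
# only states that 0xe0 is the IPX llc and 0xff the IPX raw encapsulation.
KEYWORD_PROFILES = {
    "ipv4": ("ethernetii", 0x0800),
    "ipv6": ("ethernetii", 0x86DD),
    "ipx llc": ("llc", 0xE0, 0xE0),
    "ipx raw": ("raw",),
}


def llc_pair_allowed(dsap, ssap):
    """Restriction on user-defined 'mode llc dsap .. ssap ..' profiles."""
    return not (dsap == ssap and dsap in RESERVED_SAP)


def mode_llc(dsap, ssap):
    """Build a user-defined LLC profile key, rejecting reserved pairs."""
    if not llc_pair_allowed(dsap, ssap):
        raise ValueError(f"dsap-id and ssap-id cannot both be {dsap:#04x}")
    return ("llc", dsap, ssap)


def frame_profile(frame):
    """Return the encapsulation key of a frame, or ("tagged", vid) for 802.1Q."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (type_len,) = struct.unpack_from("!H", frame, 12)
    if type_len == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, 14)
        return ("tagged", tci & 0x0FFF)
    if type_len >= 0x0600:                  # Ethernet II: field is an EtherType
        return ("ethernetii", type_len)
    payload = frame[14:14 + type_len]       # IEEE 802.3: field is a length
    if len(payload) < 3:
        raise ValueError("truncated 802.3 payload")
    if payload[:2] == b"\xff\xff":          # raw 802.3, no LLC header
        return ("raw",)
    dsap, ssap = payload[0], payload[1]
    if dsap == 0xAA and ssap == 0xAA:       # SNAP: control, 3-byte OUI, EtherType
        if len(payload) < 8:
            raise ValueError("truncated SNAP header")
        (etype,) = struct.unpack_from("!H", payload, 6)
        return ("snap", etype)
    return ("llc", dsap, ssap)


class HybridPort:
    """Model of a hybrid interface with protocol-based VLAN bindings."""
    def __init__(self, pvid):
        self.pvid = pvid
        self.bindings = {}                  # profile key -> (vlan, 802.1p priority)

    def bind(self, profile, vlan, priority=0):
        if not 0 <= priority <= 7:
            raise ValueError("802.1p priority ranges from 0 to 7")
        self.bindings[profile] = (vlan, priority)

    def classify(self, frame):
        """Return (vlan, source, priority) for an incoming frame."""
        key = frame_profile(frame)
        if key[0] == "tagged":              # tagged frames bypass protocol matching
            return (key[1], "tag", None)
        if key in self.bindings:
            return (self.bindings[key][0], "protocol", self.bindings[key][1])
        return (self.pvid, "pvid", None)    # no profile matched: PVID is used


# Constructed sample frames: locally administered MACs, zero-filled payloads.
MACS = bytes.fromhex("020000000002020000000001")


def build(type_len, body):
    return MACS + struct.pack("!H", type_len) + body


def demo():
    port = HybridPort(pvid=1)
    port.bind(KEYWORD_PROFILES["ipv4"], vlan=10)
    port.bind(KEYWORD_PROFILES["ipv6"], vlan=20, priority=5)
    port.bind(("snap", 0x809B), vlan=30)
    port.bind(KEYWORD_PROFILES["ipx raw"], vlan=40)
    port.bind(mode_llc(0xF0, 0xF0), vlan=50)
    frames = {
        "ipv4": build(0x0800, bytes(46)),
        "ipv6": build(0x86DD, bytes(46)),
        "arp": build(0x0806, bytes(46)),
        "snap": build(46, b"\xaa\xaa\x03\x08\x00\x07\x80\x9b" + bytes(38)),
        "ipx-raw": build(30, b"\xff\xff" + bytes(28)),
        "llc": build(46, b"\xf0\xf0\x03" + bytes(43)),
        "tagged": build(TPID_8021Q, struct.pack("!HH", (3 << 13) | 99, 0x0800) + bytes(46)),
    }
    return {name: port.classify(frame) for name, frame in frames.items()}
```

Because the VLAN is selected from header fields that the sending host sets, the model makes it easy to see which VLANs an untagged frame on a given port can land in and which frames fall back to the PVID.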

5.7.5 Verifying the Configuration of Assigning a LAN to VLANs

Procedure
● Run the display vlan reserved command to view information about reserved
VLANs.
● Run the display port vlan [ interface-type interface-number ] [ active ]
command to view information about interfaces of the VLAN.
● Run the display vlan command to check information about all VLANs or a
specified VLAN.
● Run the display mac-vlan { mac-address { all | mac-address } | vlan vlan-id }
command to check information about VLANs configured based on MAC
addresses.
● Run the display ip-subnet-vlan vlan { all | vlan-id1 [ to vlan-id2 ] }
command to check information about the IP subnets associated with VLANs.
● Run the display protocol-vlan vlan { all | vlan-id1 [ to vlan-id2 ] } command
to check the types and indexes of the protocols associated with VLANs.
● Run the display protocol-vlan interface { all | interface-type
interface-number } command to check information about VLANs configured based on
protocols associated with ports.

----End

5.8 Configuring Inter-VLAN Communication


This section describes how to configure VLANIF interfaces and Layer 3 sub-
interfaces to implement inter-VLAN communication.

Pre-configuration Tasks
Before creating a VLANIF interface, complete the following tasks:
● Create a VLAN.
● Associate the VLAN with the physical interface.

5.8.1 Configuring VLANIF Interfaces for Inter-VLAN Communication

Context
After VLANs are configured, users in the same VLAN can communicate with each
other while users in different VLANs cannot. To implement inter-VLAN
communication, configure VLANIF interfaces which are Layer 3 logical interfaces.
If a VLAN goes Down because all ports in the VLAN go Down, the system
immediately reports the VLAN Down event to the corresponding VLANIF interface,
instructing the VLANIF interface to go Down. To prevent network flapping caused
by changes of VLANIF interface status, enable VLAN damping on the VLANIF
interface. After the last Up port in a VLAN goes Down, the system starts a delay
timer and informs the corresponding VLANIF interface of the VLAN Down event
after the timer expires. If a port in the VLAN goes Up during the delay period, the
VLANIF interface remains Up.
If a new VLANIF interface does not need to be enabled immediately (the new
VLANIF interface may affect services on the live network), run the set shutdown
default vlanif command to shut down the VLANIF interface. Then the VLANIF
interfaces that are created subsequently are disabled by default, and the system
generates the shutdown command configuration for them. To enable the
configured VLANIF interface, run the undo shutdown command to manually
enable it.
MTU is short for maximum transmission unit. The MTU value determines the
maximum number of bytes that a sender can send at a time. If the size of packets
exceeds the MTU supported by a transit node or a receiver, the transit node or
receiver fragments the packets or even discards them, which increases the
network transmission load. To avoid this problem, set the MTU value of the VLANIF
interface.
After configuring bandwidth for VLANIF interfaces, you can use the NMS to query
the bandwidth. This facilitates traffic monitoring.

NOTE

To implement communication between VLANs, hosts in each VLAN must use the IP address
of the corresponding VLANIF interface as the gateway address.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Run set shutdown default vlanif

New VLANIF interfaces are configured in shutdown state.

By default, a new VLANIF interface is enabled.

Step 3 Run interface vlanif vlan-id

A VLANIF interface is created and the VLANIF interface view is displayed.

The VLAN ID specified in this command must be the ID of an existing VLAN.

A VLANIF interface is Up only when at least one physical port added to the
corresponding VLAN is Up.

Step 4 Run ip address ip-address { mask | mask-length } [ sub ]

An IP address is assigned to the VLANIF interface for communication at the
network layer.

If IP addresses assigned to VLANIF interfaces belong to different network
segments, a routing protocol must be configured on the device to provide
reachable routes. Otherwise, VLANIF interfaces cannot communicate with each
other at the network layer.

Step 5 (Optional) Run damping time delay-time

The delay period of VLAN damping is configured.

The delay-time value ranges from 0 to 20, in seconds. By default, the delay is 0
seconds, indicating that VLAN damping is disabled.

Step 6 (Optional) Run mtu mtu

The MTU value of the VLANIF interface is configured.

By default, the value is 1500.

NOTE

● The MTU refers to the maximum length of the Layer 3 IP header and subsequent data
frames, excluding the Layer 2 frame header.
● The mtu value plus the Layer 2 frame header of a VLANIF interface must be smaller
than the jumboframe value of the peer interface; otherwise, some packets may be
discarded.

Step 7 (Optional) Run bandwidth bandwidth

The bandwidth of the VLANIF interface is configured.

By default, the bandwidth of a VLANIF interface is 1000 Mbit/s.

Step 8 Run commit

The configuration is committed.

----End

5.8.2 Configuring Layer 3 Sub-interfaces for Inter-VLAN Communication

Context
Users who belong to different VLANs and are located on different network
segments can communicate with each other after Layer 3 sub-interfaces are
configured.

NOTE

To implement communication between VLANs, hosts in each VLAN must use the IP address
of the corresponding Layer 3 sub-interface as the gateway address.

NOTE

The CE6810LI does not support configuring Layer 3 sub-interfaces.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number

The interface view is displayed.

Step 3 On an Ethernet interface, run undo portswitch

The interface is switched to Layer 3 mode.

By default, an Ethernet interface works in Layer 2 mode.

Mode switching takes effect only when the interface has only attribute
configurations (for example, shutdown and description configurations) or
configurations that both Layer 2 and Layer 3 interfaces support (for example,
mode lacp and lacp system-id configurations). No configuration that is
unsupported in the new working mode can exist on the interface. If unsupported
configurations exist on the interface, delete the configurations first and then
run the undo portswitch command.

NOTE

If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch
batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in
the system view to switch these interfaces to Layer 3 mode in batches.

Step 4 Run quit

Return to the system view.

Step 5 Run interface interface-type interface-number.subinterface-number

The Layer 3 sub-interface view is displayed.

Step 6 Run ip address ip-address { mask | mask-length } [ sub ]

The IP address of the Layer 3 sub-interface is set.

Step 7 Run dot1q termination vid pe-vid


The VLANs allowed by the dot1q Layer 3 sub-interface are specified.
Each Layer 3 sub-interface can terminate only one VLAN tag.
Layer 3 sub-interfaces of different main interfaces can be associated with the
same VLAN ID. However, different Layer 3 sub-interfaces of the same main
interface cannot be associated with the same VLAN ID.
Step 8 Run commit
The configuration is committed.

----End

5.8.3 Verifying the Inter-VLAN Communication Configuration


Prerequisites
The configurations of inter-VLAN communication are complete.

Procedure
● Run the display vlan [ vlan-id1 [ to vlan-id2 ] | vlan-name vlan-name |
summary ] command to check information about all VLANs or a specified
VLAN.
● Run the display interface vlanif [ vlan-id ] command to check information
about VLANIF interfaces.
Before running this command, ensure that VLANIF interfaces have been
configured.
----End

5.9 Configuring VLAN Aggregation to Save IP Addresses
VLAN aggregation prevents the waste of IP addresses and implements inter-VLAN
communication.

5.9.1 Creating a Sub-VLAN

Context
In VLAN aggregation, a sub-VLAN can contain only physical interfaces (it cannot
contain VLANIF interfaces). All the interfaces in a sub-VLAN use the same IP
address of the VLANIF interface associated with the super-VLAN. VLAN
aggregation reduces the number of subnet IDs, subnet default gateway addresses,
and directed broadcast IP addresses needed on the network segment and ensures
that IP addresses are assigned efficiently. VLAN aggregation allows each sub-
VLAN to function as a broadcast domain to implement broadcast isolation and
saves IP address resources.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan vlan-id
A sub-VLAN is created and the sub-VLAN view is displayed.

NOTE

If a device is configured with multiple VLANs, it is recommended that you configure a name for
each VLAN.
To do so, run the name vlan-name command in the VLAN view. After a VLAN name is
configured, run the vlan vlan-name vlan-name command in the system view to enter the
corresponding VLAN view.

Step 3 Run quit


Return to the system view.
Step 4 Configure the link type of the interface.
● Configure the link type of the interface as access.
a. Run interface interface-type interface-number
The interface view is displayed.
b. Run port link-type access
The link type of the interface is set to access.
c. Run port default vlan vlan-id
The interface is added to the sub-VLAN.
d. Run quit
Return to the system view.
● Configure the link type of the interface as trunk.
a. Run interface interface-type interface-number
The interface view is displayed.
b. Run port link-type trunk
The link type of the interface is set to trunk.
c. Run port trunk allow-pass vlan vlan-id
The interface is added to the sub-VLAN.
d. Run quit
Return to the system view.
● Configure the link type of the interface as hybrid.
a. Run interface interface-type interface-number
The interface view is displayed.
b. Run port link-type hybrid
The link type of the interface is set to hybrid.
c. Run port hybrid tagged vlan vlan-id
Or run port hybrid untagged vlan vlan-id
The interface is added to the sub-VLAN.
d. Run quit
Return to the system view.

Step 5 Run commit

The configuration is committed.

----End

5.9.2 Creating a Super-VLAN

Prerequisites
Before configuring a super-VLAN, ensure that sub-VLANs have been configured.

Context
A super-VLAN consists of several sub-VLANs. A VLANIF interface can be configured
for the super-VLAN and assigned an IP address (no physical interface can be
added to a super-VLAN).

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run vlan vlan-id

A VLAN is created, and the VLAN view is displayed.

The VLAN ID of a super-VLAN must be different from every sub-VLAN ID.

Step 3 Run aggregate-vlan

A super-VLAN is created.

A super-VLAN cannot contain any physical interfaces.

VLAN 1 cannot be configured as a super-VLAN.

Step 4 Run access-vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

A sub-VLAN is added to a super-VLAN.

Before adding sub-VLANs to a super-VLAN, ensure that these sub-VLANs are not
configured with VLANIF interfaces.

The device supports 256 sub-VLANs in a super-VLAN.

Step 5 Run commit

The configuration is committed.

----End

5.9.3 Assigning an IP Address to the VLANIF Interface of a Super-VLAN

Context
The IP address of the VLANIF interface of a super-VLAN must contain the subnet
segments where users in sub-VLANs reside. All the sub-VLANs use the IP address
of the VLANIF interface of the super-VLAN, saving IP addresses.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface vlanif vlan-id
A VLANIF interface is created for a super-VLAN, and the view of the VLANIF
interface is displayed.
Step 3 Run ip address ip-address { mask | mask-length } [ sub ]
An IP address is assigned to the VLANIF interface.
Step 4 Run commit
The configuration is committed.

----End

5.9.4 (Optional) Enabling Proxy ARP on the VLANIF Interface of a Super-VLAN

Context
VLAN aggregation does not support Layer 3 communication between hosts in
different sub-VLANs.
To enable hosts in one sub-VLAN to communicate with hosts in another sub-VLAN
or on another network over Layer 3, enable proxy ARP.
After a super-VLAN and its VLANIF interface are created, proxy ARP must be
enabled to allow the super-VLAN to forward or process ARP request and reply
packets. Proxy ARP helps PCs in sub-VLANs communicate with each other at the
network layer.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface vlanif vlan-id
The view of the VLANIF interface of the super-VLAN is displayed.

Step 3 Run arp proxy inter-vlan enable

Inter-sub-VLAN proxy ARP is enabled.

An IP address must have been assigned to the VLANIF interface corresponding to
the super-VLAN. Otherwise, proxy ARP cannot take effect.

Step 4 Run commit

The configuration is committed.

----End

5.9.5 (Optional) Configuring an IP Address Pool for a Sub-VLAN
Specifying an IP address range for users in a sub-VLAN filters out unauthorized
users whose IP addresses are outside the range.

Context
After configuring an IP address pool for a sub-VLAN, note the following points:
● Only packets with IP addresses in the IP address pool are processed in the
sub-VLAN. The packets include ARP Request packets, ARP Reply packets, and
ARP proxy packets. Packets with IP addresses beyond the IP address pool are
discarded.
NOTE
If the sub-VLAN and DHCP address pools are used together, ensure that the range of the
sub-VLAN address pool covers the range of the DHCP address pool. Or, do not use the sub-
VLAN and DHCP address pools together.
● Only entries mapping IP addresses in the IP address pool are learned in the
sub-VLAN.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run vlan vlan-id

The view of a created sub-VLAN is displayed.

Step 3 Run ip pool start-address [ to end-address ]

An IP address pool is configured for the sub-VLAN.

Step 4 Run commit

The configuration is committed.

----End
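
An added example (not part of the Huawei guide) that audits a VLAN aggregation plan against the constraints stated in 5.9.2 to 5.9.5, including the note that the sub-VLAN IP address pool must cover the DHCP address pool. The plan layout, function names, VLAN IDs and addresses are constructed for illustration, and the check that each pool lies inside the VLANIF subnet is this example's reading of 5.9.3.

```python
import ipaddress

MAX_SUB_VLANS = 256  # page: the device supports 256 sub-VLANs in a super-VLAN


def pool_range(pool):
    """Turn ("start",) or ("start", "end") into a pair of address objects."""
    start = ipaddress.ip_address(pool[0])
    end = ipaddress.ip_address(pool[1]) if len(pool) > 1 else start
    if end < start:
        raise ValueError(f"pool end {end} is below start {start}")
    return start, end


def pool_admits(pool, ip):
    """True if a packet carrying this IP address is processed in the sub-VLAN."""
    start, end = pool_range(pool)
    return start <= ipaddress.ip_address(ip) <= end


def stranded_leases(ip_pool, dhcp_pool):
    """Count DHCP addresses whose packets the sub-VLAN would discard."""
    start, end = (int(a) for a in pool_range(ip_pool))
    d_start, d_end = (int(a) for a in pool_range(dhcp_pool))
    overlap = max(0, min(end, d_end) - max(start, d_start) + 1)
    return (d_end - d_start + 1) - overlap


def audit_aggregation(plan):
    """Return a list of findings for one super-VLAN plan (empty list = clean)."""
    findings = []
    sup, subs = plan["super_vlan"], plan["sub_vlans"]
    subnet = ipaddress.ip_interface(plan["vlanif_ip"]).network
    if sup == 1:
        findings.append("VLAN 1 cannot be configured as a super-VLAN")
    if sup in subs:
        findings.append(f"super-VLAN {sup} is also listed as a sub-VLAN")
    if len(subs) > MAX_SUB_VLANS:
        findings.append(f"{len(subs)} sub-VLANs exceed the limit of {MAX_SUB_VLANS}")
    if plan.get("super_vlan_ports"):
        findings.append("a super-VLAN cannot contain physical interfaces")
    for vid in sorted(subs):
        sub = subs[vid]
        if sub.get("has_vlanif"):
            findings.append(f"sub-VLAN {vid} has a VLANIF interface")
        if "ip_pool" not in sub:
            continue
        start, end = pool_range(sub["ip_pool"])
        if start not in subnet or end not in subnet:
            findings.append(f"sub-VLAN {vid}: ip pool {start}-{end} is outside {subnet}")
        if "dhcp_pool" in sub:
            d_start, d_end = pool_range(sub["dhcp_pool"])
            if d_start < start or d_end > end:
                findings.append(
                    f"sub-VLAN {vid}: DHCP pool {d_start}-{d_end} is not covered "
                    f"by ip pool {start}-{end}")
    return findings


# Constructed plan: VLAN IDs and addresses are illustrative only.
PLAN = {
    "super_vlan": 4,
    "vlanif_ip": "10.1.1.1/24",
    "super_vlan_ports": [],
    "sub_vlans": {
        2: {"ip_pool": ("10.1.1.2", "10.1.1.99"),
            "dhcp_pool": ("10.1.1.10", "10.1.1.120")},  # extends past the ip pool
        3: {"ip_pool": ("10.1.1.100", "10.1.1.200"),
            "dhcp_pool": ("10.1.1.100", "10.1.1.150")},
        5: {"ip_pool": ("10.1.2.10", "10.1.2.20"), "has_vlanif": True},
    },
}

if __name__ == "__main__":
    for finding in audit_aggregation(PLAN):
        print(finding)
```

For sub-VLAN 2 in the constructed plan, stranded_leases reports how many DHCP addresses would be handed out to hosts whose ARP packets the sub-VLAN then discards.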

5.9.6 Verifying the VLAN Aggregation Configuration


Procedure
● Run the display vlan [ vlan-id [ verbose ] ] or display vlan [ vlan-id1 [ to
vlan-id2 ] | vlan-name vlan-name | summary ] command to check VLAN
information.
● Run the display interface vlanif [ vlan-id ] command to check information
about a specific VLANIF interface.
● Run the display sub-vlan [ vlan-id ] command to check mappings between
sub-VLANs and super-VLANs.
● Run the display super-vlan [ vlan-id ] command to check sub-VLANs
contained in a super-VLAN.
----End

5.10 Configuring MUX VLAN


Configuring a MUX VLAN allows users in different VLANs to communicate with
each other while isolating users within a certain VLAN from each other.

NOTE

CE5880EI and CE6880EI do not support MUX VLAN.

Pre-configuration Tasks
Before configuring a MUX VLAN, complete the following task:
● Creating VLANs

5.10.1 Configuring a Principal VLAN for a MUX VLAN

Context
Ports added to a principal VLAN can communicate with every port in the MUX
VLAN.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan vlan-id
A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been
created, the VLAN view is directly displayed.
The VLAN ID ranges from 1 to 4094 (VLANs 4064 to 4094 are default reserved
VLANs. You can run the vlan reserved command to configure the reserved VLAN
range). If VLANs need to be created in batches, run the vlan batch { vlan-id1 [ to
vlan-id2 ] } &<1-10> command to create VLANs in batches, and then run the vlan
vlan-id command to enter the view of a specified VLAN.

NOTE

If a device is configured with multiple VLANs, configuring names for these VLANs is
recommended:
Run the name vlan-name command in the VLAN view. After a VLAN name is configured,
you can run the vlan vlan-name vlan-name command in the system view to enter the
corresponding VLAN view.

Step 3 Run mux-vlan

The VLAN is configured as a principal VLAN.

The VLAN ID assigned to a principal VLAN can no longer be used to configure a
VLANIF interface, super-VLAN, sub-VLAN, VLAN mapping, or VLAN stacking.

Step 4 Run commit

The configuration is committed.

----End

5.10.2 Configuring a Group VLAN for a Subordinate VLAN

Context
A VLAN associated with a group port is called a group VLAN. Group ports in a
group VLAN can communicate with each other.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run vlan vlan-id

The view of a created principal VLAN is displayed.

Step 3 Run subordinate group { vlan-id1 [ to vlan-id2 ] } &<1-10>

A group VLAN is configured for the subordinate VLAN.

A maximum of 128 group VLANs can be configured for a principal VLAN.

The VLAN ID assigned to a group VLAN can no longer be used to configure a
VLANIF interface, super-VLAN, sub-VLAN, VLAN mapping, or VLAN stacking.

Step 4 Run commit

The configuration is committed.

----End

5.10.3 Configuring a Separate VLAN for a Subordinate VLAN


Context
A VLAN associated with separate ports is called a separate VLAN. Ports in a
separate VLAN cannot communicate with each other.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan vlan-id
The view of a created principal VLAN is displayed.
Step 3 Run subordinate separate vlan-id
A separate VLAN is configured for a subordinate VLAN.
Only one separate VLAN can be configured for a principal VLAN.
Group VLANs and separate VLANs in one MUX VLAN cannot use the same VLAN
ID.
The VLAN ID assigned to a separate VLAN can no longer be used to configure a
VLANIF interface, super-VLAN, sub-VLAN, VLAN mapping, or VLAN stacking.
Step 4 Run commit
The configuration is committed.

----End

5.10.4 Enabling the MUX VLAN Function on a Port

Context
After the MUX VLAN function is enabled on a port, the principal VLAN and
subordinate VLAN can communicate with each other; ports in a group VLAN can
communicate with each other; ports in a separate VLAN cannot communicate with
each other.

Pre-configuration Tasks
Before enabling the MUX VLAN function on a port, complete the following task:
● Adding the port to a principal or subordinate VLAN as an access, hybrid, or
trunk interface

Procedure
Step 1 Run system-view
The system view is displayed.

Step 2 Run interface interface-type interface-number


The interface view is displayed.
Step 3 Run port link-type { hybrid | access | trunk }
The port link-type is set.
Step 4 Run port mux-vlan enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
The MUX VLAN function is enabled.
After the MUX VLAN function is enabled on an interface, VLAN stacking and VLAN
mapping cannot be configured on the interface.

NOTE

● Access interfaces can be added to only one MUX VLAN group. Trunk and hybrid
interfaces can be added to multiple MUX VLAN groups. An interface can be added to a
maximum of 32 MUX VLAN groups.
● The interface enabled with the MUX VLAN function cannot be added to other VLANs of
the MUX VLAN group.
● Disabling MAC address learning or limiting the number of learned MAC addresses on an
interface affects the MUX VLAN function on the interface.
● The MUX VLAN and port security functions cannot be enabled on the same interface.
● In a cascading scenario, the MUX VLAN cannot be enabled between interfaces
connecting access and aggregation devices.

Step 5 Run commit


The configuration is committed.

----End
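
An added example (not Huawei code) that models the reachability rules of 5.10.1 to 5.10.4 so that a port plan can be checked against an isolation policy before it is deployed. It assumes the usual MUX VLAN rule that ports in different group VLANs, and group and separate ports, are isolated from each other, which this section does not spell out; the class, port names and VLAN IDs are constructed for illustration.

```python
MAX_GROUP_VLANS = 128  # page: at most 128 group VLANs per principal VLAN


class MuxVlan:
    """One MUX VLAN: a principal VLAN plus its subordinate VLANs."""

    def __init__(self, principal, groups=(), separate=None):
        self.principal = principal
        self.groups = set(groups)
        self.separate = separate      # the page allows only one separate VLAN

    def validate(self):
        """Return the configuration limits from the page that this plan breaks."""
        findings = []
        if len(self.groups) > MAX_GROUP_VLANS:
            findings.append(f"{len(self.groups)} group VLANs exceed {MAX_GROUP_VLANS}")
        if self.separate in self.groups:
            findings.append(f"VLAN {self.separate} is both a group and the separate VLAN")
        return findings

    def role(self, vlan):
        if vlan == self.principal:
            return "principal"
        if vlan == self.separate:
            return "separate"
        if vlan in self.groups:
            return "group"
        raise ValueError(f"VLAN {vlan} is not part of this MUX VLAN")

    def can_talk(self, vlan_a, vlan_b):
        """Layer 2 reachability between two ports, given the VLAN each is in."""
        role_a, role_b = self.role(vlan_a), self.role(vlan_b)
        if "principal" in (role_a, role_b):
            return True                       # principal ports reach every port
        if role_a == role_b == "group":
            return vlan_a == vlan_b           # only inside the same group VLAN
        return False                          # separate ports, or group vs separate


def reachability(mux, ports):
    """Map every unordered pair of port names (sorted) to True or False."""
    names = sorted(ports)
    return {(a, b): mux.can_talk(ports[a], ports[b])
            for i, a in enumerate(names) for b in names[i + 1:]}


def isolation_violations(mux, ports, must_isolate):
    """Return the pairs that policy says must be isolated but that can talk."""
    table = reachability(mux, ports)
    return [tuple(sorted(pair)) for pair in must_isolate if table[tuple(sorted(pair))]]


# Constructed plan: port names and VLAN IDs are illustrative only.
MUX = MuxVlan(principal=2, groups={3, 5}, separate=4)
PORTS = {"server": 2, "staff-1": 3, "staff-2": 3, "lab-1": 5, "guest-1": 4, "guest-2": 4}

if __name__ == "__main__":
    for pair, allowed in reachability(MUX, PORTS).items():
        print(pair, "reachable" if allowed else "isolated")
```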

5.10.5 Verifying the MUX VLAN Configuration


Procedure
● Run the display mux-vlan command to check information about the MUX
VLAN.
----End

5.11 Configuring an mVLAN to Implement Integrated Management

Context
Management VLAN (mVLAN) configuration allows users to use the VLANIF
interface of the mVLAN to log in to the management switch to centrally manage
devices. To use a network management system to manage multiple devices, create
a VLANIF interface on each device and configure a management IP address for the
VLANIF interface. You can then log in to a device and manage it using its
management IP address. If a user-side interface is added to the VLAN, users
connected to the interface can also log in to the device. This brings security risks
to the device.

After a VLAN is configured as an mVLAN, no access interface or dot1q-tunnel
interface can be added to the VLAN. An access interface or a dot1q-tunnel
interface is connected to users. The mVLAN prevents users connected to access and
dot1q-tunnel interfaces from logging in to the device, improving device performance.

Pre-configuration Tasks
Before creating a VLANIF interface, complete the following tasks:

● Create a VLAN.
● Associate the VLAN with the physical interface.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run vlan vlan-id

The VLAN view is displayed.

NOTE

If a device is configured with multiple VLANs, configuring names for these VLANs is
recommended:
Run the name vlan-name command in the VLAN view. After a VLAN name is configured,
you can run the vlan vlan-name vlan-name command in the system view to enter the
corresponding VLAN view.

Step 3 Run management-vlan

An mVLAN is configured.

After an mVLAN is configured, an interface added to the mVLAN must be a trunk
or hybrid interface.

VLAN 1 cannot be configured as an mVLAN.

Step 4 Run quit

Return to the system view.

Step 5 Run interface vlanif vlan-id

A VLANIF interface is created and the VLANIF interface view is displayed.

Step 6 Run ip address ip-address { mask | mask-length } [ sub ]

The IP address of the VLANIF interface is configured.

After assigning an IP address to the VLANIF interface, you can run the stelnet
command to log in to a management switch to manage attached devices.

Step 7 Run commit

The configuration is committed.

----End

Verifying the Configuration


● Run the display vlan command to check information about the mVLAN. The
command output shows information about the mVLAN in the line that starts
with an asterisk (*).

5.12 Configuring Transparent Transmission of Protocol Packets in a VLAN to Improve Forwarding Efficiency
VLAN transparent transport improves forwarding efficiency. A switch directly
forwards protocol packets of a specific VLAN without sending the packets to its
CPU.

Context
If the device is a gateway of some VLANs or snooping functions are deployed in
some VLANs, the device does not need to process protocol packets in other VLANs.
If the protocol packets in those other VLANs are still sent to the CPU, the CPU
has to forward them to other devices. This mechanism is called software forwarding.
Software forwarding lowers the forwarding speed and efficiency of protocol
packets because the CPU must process them.
To address this issue, deploy transparent transmission of protocol packets in
VLANs where protocol packets do not need to be processed. This function enables
the device to transparently transmit the protocol packets in the VLANs to other
devices, which improves the forwarding speed and efficiency.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan vlan-id
The VLAN view is displayed.

NOTE

If a device is configured with multiple VLANs, configuring names for these VLANs is
recommended:
Run the name vlan-name command in the VLAN view. After a VLAN name is configured,
you can run the vlan vlan-name vlan-name command in the system view to enter the
corresponding VLAN view.

Step 3 Run protocol-transparent


Transparent transmission of protocol packets in a VLAN is enabled.
By default, transparent transmission of protocol packets in a VLAN is disabled.
Transparent transmission of protocol packets cannot be configured in VLAN 1.

NOTE

A VLAN enabled with transparent transmission of protocol packets cannot be configured as
a multicast VLAN or MUX VLAN.

Step 4 Run commit

The configuration is committed.

----End

Verifying the Configuration


Run the display this command in the VLAN view to check the configuration for
transparent transmission of protocol packets in a VLAN.

5.13 Configuring an Interface to Discard Incoming Tagged Packets

Context
All packets sent from user devices are untagged, so user-side interfaces on a
switch do not receive tagged packets and must be configured as access
interfaces. If a user connects a switch to a user-side interface without
permission, the user-side interface may receive tagged packets. To prevent
unauthorized access, you can configure the user-side interface to discard incoming
tagged packets.

Only interfaces that are connected to user devices and do not receive tagged
packets can be configured to discard incoming tagged packets.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number

The member interface view is displayed.

Step 3 Run port discard tagged-packet

The interface is configured to discard incoming tagged packets.

By default, an interface does not discard incoming tagged packets.

Step 4 Run commit

The configuration is committed.

----End
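
The following Python audit is an added example, not part of the Huawei guide: it scans a saved configuration in the layout used by the configuration files in this guide and lists access ports that lack port discard tagged-packet. It assumes that the command is saved verbatim in the interface stanza, that a stanza without a port link-type line is an access port, and that every access port is user-side; the sample configuration is constructed.

```python
import re

# Constructed sample in the layout of this guide's configuration files.
SAMPLE_CONFIG = """\
#
sysname SwitchA
#
vlan batch 2 to 3
#
interface 10GE1/0/1
 port default vlan 2
 port discard tagged-packet
#
interface 10GE1/0/2
 port default vlan 3
#
interface 10GE1/0/3
 port link-type trunk
 port trunk allow-pass vlan 2 to 3
#
interface 10GE1/0/4
 port link-type hybrid
 port hybrid untagged vlan 10
#
interface Vlanif10
 ip address 10.10.10.2 255.255.255.0
#
return
"""

# Assumption: the command appears in the saved configuration exactly as typed.
DISCARD_CMD = "port discard tagged-packet"


def parse_interfaces(config_text):
    """Return {interface name: [command lines]} for every interface stanza."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()  # tolerate files whose indentation was lost
        if not line or line in ("#", "return"):
            current = None  # '#' closes the current stanza
            continue
        match = re.match(r"interface\s+(\S+)$", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def link_type(commands):
    """Link type of a stanza; no 'port link-type' line is treated as access."""
    for cmd in commands:
        match = re.match(r"port link-type\s+(\S+)$", cmd)
        if match:
            return match.group(1)
    return "access"


def default_vlan(commands):
    """VLAN ID from 'port default vlan N', or None if the line is absent."""
    for cmd in commands:
        match = re.match(r"port default vlan\s+(\d+)$", cmd)
        if match:
            return match.group(1)
    return None


def audit_tagged_discard(config_text):
    """List (interface, default VLAN) for access ports that accept tagged packets."""
    findings = []
    for name, commands in parse_interfaces(config_text).items():
        if "/" not in name:
            continue  # Vlanif and other logical interfaces have no slot/port number
        if link_type(commands) != "access":
            continue  # trunk and hybrid ports are expected to carry tagged packets
        if DISCARD_CMD not in commands:
            findings.append((name, default_vlan(commands)))
    return findings


if __name__ == "__main__":
    for name, vlan in audit_tagged_discard(SAMPLE_CONFIG):
        print(f"{name}: access port (default VLAN {vlan or 'not set'}) "
              f"does not discard incoming tagged packets")
```

Review each reported port before applying the command, because only interfaces that connect to user devices and never receive tagged packets can be configured this way.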

5.14 Configuring a Hash Mode of the VLAN-XLATE Table
When a hash conflict in the VLAN-XLATE table occurs, run the assign forward
vlan-xlate command to change the uplink and downlink hash modes of the
VLAN-XLATE table to reduce hash conflicts.

Context
NOTE

● After a hash mode of the VLAN-XLATE table is configured, you must restart the device to
make the configuration take effect.
● Only the CE6850HI, CE6851HI, CE6855HI, CE6856HI, CE6850U-HI, CE6855HI, CE6857EI,
CE6860EI, CE6865EI, CE7800 series, and CE8800 series switches support this function.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run assign forward vlan-xlate { egress | ingress } hash { crc16-lower |
crc16-upper | crc32-lower | crc32-upper | lsb }

A hash mode of the VLAN-XLATE table is configured.

By default, the uplink and downlink hash modes of the VLAN-XLATE table are
both crc32-lower.

Step 3 Run commit

The configuration is committed.

----End

Verifying the Configuration


Run the display forward vlan-xlate hash mode command in any view to check
the uplink and downlink hash modes of the VLAN-XLATE table.

5.15 Maintaining VLANs

5.15.1 Collecting Traffic Statistics in a VLAN

Context
You can enable traffic statistics collection on a VLAN or on a VLANIF interface to
monitor VLAN traffic.

Procedure
● Configure traffic statistics collection in a VLAN.
a. Run the system-view command to enter the system view.
b. Run the vlan vlan-id command to enter the VLAN view.
c. In the VLAN view, run the statistics enable command to enable traffic
statistics collection in a VLAN.
By default, traffic statistics collection is disabled in a VLAN.

NOTE

If the forwarding mode on a CE5880EI or CE6880EI switch is cut through, the switch
cannot collect traffic statistics in a VLAN.
Traffic statistics collection in a VLAN and traffic statistics collection on a Layer 2 sub-
interface are mutually exclusive on the CE6870EI and CE6875EI.
d. Run the commit command to commit the configuration.
● Configure traffic statistics collection on a VLANIF interface.
NOTE

The CE6810LI cannot collect traffic statistics on a VLANIF interface.


a. Run the system-view command to enter the system view.
b. Run the interface vlanif vlan-id command to enter the VLANIF interface
view.
c. (Optional) Run the ipv6 enable command to enable the IPv6 function on the
interface.
By default, the IPv6 function is disabled on an interface.
Before enabling IPv6 packet statistics collection on a VLANIF interface,
enable the IPv6 function on the interface.
d. Enable traffic statistics collection on the VLANIF interface.

▪ For CE5800 (excluding the CE5855EI), CE6810EI, CE6850EI, and
CE6880EI, run the statistics enable command.

▪ For CE6870EI and CE6875EI switches, run the statistics [ ipv6 ]
enable [ inbound | outbound ] command.

▪ For CE5855EI, CE6800 series (excluding the CE6810EI, CE6850EI,
CE6870EI, CE6875EI, and CE6880EI), CE7800 series, and CE8800 series,
run the statistics [ ipv4 | ipv6 ] enable command.
By default, traffic statistics collection is disabled on a VLANIF interface.
e. Run the commit command to commit the configuration.
----End

Follow-up Procedure
● Run the display vlan vlan-id statistics command in any view to check traffic
statistics in a specified VLAN.
● Run the display interface vlanif [ vlan-id ] command in any view to check
traffic statistics on a VLANIF interface.

5.15.2 Clearing Statistics of VLAN Packets

Context
If you want to collect traffic statistics for a specified time on an interface, you
must first clear existing statistics on the interface.

NOTICE

Statistics about VLAN packets cannot be restored after they are cleared. Confirm the
action before you use the command.

To clear the statistics of VLAN packets, run the following reset vlan statistics
command in the user view:

Procedure
● Run the reset vlan vlan-id statistics command to clear the packet statistics of
the specified VLAN.
----End

5.15.3 Enabling GMAC Ping to Detect Layer 2 Network Connectivity

Context
Similar to IP ping, GMAC ping efficiently detects and locates Ethernet faults and
monitors link quality.

NOTE

CE5880EI and CE6880EI do not support this function.

Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the ping mac enable command to globally enable GMAC ping.
By default, GMAC ping is disabled.
After GMAC ping is enabled on the device, the device can ping the remote device
and respond to the received GMAC ping packets.
Step 3 Run the commit command to commit the configuration.
Step 4 Run the ping mac mac-address vlan vlan-id [ interface interface-type
interface-number | -c count | -s packetsize | -t timeout ] * command to perform
GMAC ping to check connectivity of the link between the local device and the
remote device.

----End

5.15.4 Enabling GMAC Trace to Locate Faults

Context
Similar to IP traceroute, GMAC trace efficiently detects and locates Ethernet faults
and monitors the link quality.

NOTE

CE5880EI and CE6880EI do not support this function.

Procedure
Step 1 Configure the devices at both ends of a link and an intermediate device.
Perform the following operations on the devices at both ends of the link to be
tested and on the intermediate device.
1. Run the system-view command to enter the system view.
2. Run the trace mac enable command to globally enable GMAC trace.
By default, GMAC trace is disabled.
After GMAC ping is enabled on the device, the device can ping the remote
device and respond to received GMAC ping packets.
3. Run the commit command to commit the configuration.
Step 2 Perform GMAC trace.
Perform the following operations on the device at one end of the link to be tested.
1. Run the system-view command to enter the system view.
2. Run the trace mac mac-address vlan vlan-id [ interface interface-type
interface-number | -t timeout ]* command to locate a connectivity fault
between the local device and the remote device.

----End

5.16 Configuration Examples for VLANs


This section only provides configuration examples for individual features. For
details about multi-feature configuration examples, feature-specific configuration
examples, interoperation examples, protocol or hardware replacement examples,
and industry application examples, see the Typical Configuration Examples.

5.16.1 Example for Assigning VLANs Based on Ports

Networking Requirements
In Figure 5-22, multiple user terminals are connected to switches in a data center.
Users who use the same service all access the network using different devices.

To ensure communication security and avoid broadcast storms, the administrator
wants to allow users who use the same service to communicate with each other
but isolate users who use different services.

Configure the switch with port-based VLAN assignment and add ports connected
to users who use the same service to the same VLAN. This way, users who use the
same services can directly communicate, but users using different services cannot
communicate over Layer 2.

Figure 5-22 Networking diagram for assigning VLANs based on ports


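[Figure: SwitchA and SwitchB are connected through their 10GE1/0/3 interfaces.
On SwitchA, 10GE1/0/1 connects User1 (VLAN 2) and 10GE1/0/2 connects User3
(VLAN 3). On SwitchB, 10GE1/0/1 connects User2 (VLAN 2) and 10GE1/0/2 connects
User4 (VLAN 3).]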

Configuration Roadmap
1. Create VLANs and add ports connected to users using different services to
different VLANs to isolate Layer 2 traffic.
2. Configure the type of link between SwitchA and SwitchB and VLANs to allow
users who use the same service to communicate.

Procedure
Step 1 Create VLAN2 and VLAN3 on SwitchA, and add ports connecting to user terminals
to different VLANs. Configuration of SwitchB is the same as that of SwitchA.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[*HUAWEI] commit
[~SwitchA] vlan batch 2 3
[*SwitchA] interface 10ge 1/0/1
[*SwitchA-10GE1/0/1] port default vlan 2
[*SwitchA-10GE1/0/1] quit
[*SwitchA] interface 10ge 1/0/2
[*SwitchA-10GE1/0/2] port default vlan 3
[*SwitchA-10GE1/0/2] quit
[*SwitchA] commit

Step 2 Configure the type of the port connected to SwitchB on SwitchA and the allowed
VLANs. The configuration of SwitchB is the same as that of SwitchA.

[~SwitchA] interface 10ge 1/0/3
[~SwitchA-10GE1/0/3] port link-type trunk
[*SwitchA-10GE1/0/3] port trunk allow-pass vlan 2 3
[*SwitchA-10GE1/0/3] commit

Step 3 Verify the configuration.

Add User1 and User2 to the same IP address segment, for example,
192.168.100.0/24. Add User3 and User4 to the same IP address segment, for
example, 192.168.200.0/24.

Only User1's and User2's terminals can ping each other. Only User3's and User4's
terminals can ping each other.

----End

Configuration Files
● Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 2 to 3
#
interface 10GE1/0/1
port default vlan 2
#
interface 10GE1/0/2
port default vlan 3
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return

● Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 2 to 3
#
interface 10GE1/0/1
port default vlan 2
#
interface 10GE1/0/2
port default vlan 3
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return

5.16.2 Example for Assigning VLANs Based on MAC Addresses


Networking Requirements
On a company network, the network administrator adds users in a department to
the same VLAN. To improve information security, only users in this department are
allowed to access the intranet.
In Figure 5-23, User1, User2, and User3 connect to the key department
demanding high security. It is required that only the three users be allowed to
access the intranet through Switch.
To improve information security of the key department, you can configure MAC
address-based VLAN assignment and bind MAC addresses of User1, User2, and
User3 to a VLAN.

Figure 5-23 Networking diagram for assigning VLANs based on MAC addresses

[Figure: 10GE1/0/1 of the Switch connects to the enterprise network. 10GE1/0/2,
10GE1/0/3, and 10GE1/0/4 connect User1 (MAC: 22-22-22), User2 (MAC: 33-33-33),
and User3 (MAC: 44-44-44) respectively, all in VLAN 10.]

Configuration Roadmap
1. Create VLANs and determine which VLAN the employees belong to.
2. Add Ethernet interfaces to VLANs so that packets from the VLANs can pass
through the interfaces.
3. Associate MAC addresses of User1, User2, and User3 with the specified VLAN
so that the VLAN of the packet can be determined based on the source MAC
address.

Procedure
Step 1 Configure the Switch.
# Create VLANs.
<HUAWEI> system-view
[~HUAWEI] sysname Switch
[*HUAWEI] commit
[~Switch] vlan batch 10
[*Switch] commit

# Add interfaces to the VLANs. The configuration of 10GE1/0/3 and 10GE1/0/4 is
the same as that of 10GE1/0/2.
[~Switch] interface 10ge 1/0/1
[~Switch-10GE1/0/1] port link-type hybrid
[*Switch-10GE1/0/1] port hybrid tagged vlan 10
[*Switch-10GE1/0/1] quit
[*Switch] interface 10ge 1/0/2
[*Switch-10GE1/0/2] port link-type hybrid
[*Switch-10GE1/0/2] port hybrid untagged vlan 10
[*Switch-10GE1/0/2] quit
[*Switch] commit

# Associate MAC addresses of User1, User2, and User3 with VLAN 10.
[~Switch] vlan 10
[~Switch-vlan10] mac-vlan mac-address 22-22-22
[*Switch-vlan10] mac-vlan mac-address 33-33-33
[*Switch-vlan10] mac-vlan mac-address 44-44-44
[*Switch-vlan10] quit
[*Switch] commit

# Enable MAC address-based VLAN assignment on 10GE1/0/2. The configuration
of 10GE1/0/3 and 10GE1/0/4 is the same as that of 10GE1/0/2.
[~Switch] interface 10ge 1/0/2
[~Switch-10GE1/0/2] mac-vlan enable
[*Switch-10GE1/0/2] quit
[*Switch] commit

Step 2 Verify the configuration.


User1, User2, and User3 can access the intranet, whereas other users cannot
access the intranet.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10
#
vlan 10
mac-vlan mac-address 0022-0022-0022
mac-vlan mac-address 0033-0033-0033
mac-vlan mac-address 0044-0044-0044
#
interface 10GE1/0/1
port link-type hybrid
port hybrid tagged vlan 10
#
interface 10GE1/0/2
port link-type hybrid
port hybrid untagged vlan 10
mac-vlan enable
#
interface 10GE1/0/3
port link-type hybrid
port hybrid untagged vlan 10
mac-vlan enable
#
interface 10GE1/0/4
port link-type hybrid
port hybrid untagged vlan 10
mac-vlan enable
#
return

5.16.3 Example for Assigning VLANs Based on IP Subnets


Networking Requirements
A data center network has multiple services, including office services, production
services, and disaster recovery services. Each service uses a unique IP subnet. To
facilitate management, packets of the same service must be transmitted in the
same VLAN, and packets of different services be transmitted in different VLANs.
In Figure 5-24, the switch connects to the office server, production server, and
disaster recovery server on different network segments. Different services need to
be assigned to different VLANs and distributed to different remote networks.

NOTE

The CE6810LI does not support IP subnet-based VLAN assignment.

Figure 5-24 Networking diagram for assigning VLANs based on IP subnets

[Figure: On the Switch, 10GE1/0/2 connects to RouterA (campus office network),
10GE1/0/3 connects to RouterB (production center), and 10GE1/0/4 connects to
RouterC (disaster recovery center). 10GE1/0/5 connects the office service server
(192.168.1.2/24), 10GE1/0/6 connects the production service server
(192.168.2.2/24), and 10GE1/0/7 connects the disaster service server
(192.168.3.2/24).]

Configuration Roadmap
1. Create VLANs and determine which VLAN each service belongs to.
2. Associate IP subnets with VLANs so that VLANs of packets can be determined
based on the source IP addresses or specified network segments.
3. Add interfaces to VLANs so that packets of the IP subnet-based VLANs can
pass through the interfaces.
4. Enable IP subnet-based VLAN assignment.

Procedure
Step 1 Create VLANs.

# Create VLAN 100, VLAN 200, and VLAN 300 on the Switch.
<HUAWEI> system-view
[~HUAWEI] sysname Switch
[*HUAWEI] commit
[~Switch] vlan batch 100 200 300
[*Switch] commit

Step 2 Configure interfaces.

# Set the link type of 10GE1/0/5, 10GE1/0/6, and 10GE1/0/7 to hybrid and add them
to VLAN 100, VLAN 200, and VLAN 300 respectively in untagged mode. Also
enable IP subnet-based VLAN assignment on 10GE1/0/5, 10GE1/0/6, and
10GE1/0/7.
[~Switch] interface 10ge 1/0/5
[~Switch-10GE1/0/5] port link-type hybrid
[*Switch-10GE1/0/5] port hybrid untagged vlan 100
[*Switch-10GE1/0/5] ip-subnet-vlan enable
[*Switch-10GE1/0/5] quit
[*Switch] interface 10ge 1/0/6
[*Switch-10GE1/0/6] port link-type hybrid
[*Switch-10GE1/0/6] port hybrid untagged vlan 200
[*Switch-10GE1/0/6] ip-subnet-vlan enable
[*Switch-10GE1/0/6] quit
[*Switch] interface 10ge 1/0/7
[*Switch-10GE1/0/7] port link-type hybrid
[*Switch-10GE1/0/7] port hybrid untagged vlan 300
[*Switch-10GE1/0/7] ip-subnet-vlan enable
[*Switch-10GE1/0/7] quit
[*Switch] commit

# Add 10GE1/0/2 of the Switch to VLAN 100.
[~Switch] interface 10ge 1/0/2
[~Switch-10GE1/0/2] port link-type trunk
[*Switch-10GE1/0/2] port trunk allow-pass vlan 100
[*Switch-10GE1/0/2] quit
[*Switch] commit

# Add 10GE1/0/3 of the Switch to VLAN 200.
[~Switch] interface 10ge 1/0/3
[~Switch-10GE1/0/3] port link-type trunk
[*Switch-10GE1/0/3] port trunk allow-pass vlan 200
[*Switch-10GE1/0/3] quit
[*Switch] commit

# Add 10GE1/0/4 of the Switch to VLAN 300.
[~Switch] interface 10ge 1/0/4
[~Switch-10GE1/0/4] port link-type trunk
[*Switch-10GE1/0/4] port trunk allow-pass vlan 300
[*Switch-10GE1/0/4] quit
[*Switch] commit

Step 3 Configure IP subnet-based VLAN assignment.

# Associate IP subnet 192.168.1.2/24 with VLAN 100.
[~Switch] vlan 100
[~Switch-vlan100] ip-subnet-vlan 1 ip 192.168.1.2 24
[*Switch-vlan100] quit

# Associate IP subnet 192.168.2.2/24 with VLAN 200.
[*Switch] vlan 200
[*Switch-vlan200] ip-subnet-vlan 1 ip 192.168.2.2 24
[*Switch-vlan200] quit

# Associate IP subnet 192.168.3.2/24 with VLAN 300.
[*Switch] vlan 300
[*Switch-vlan300] ip-subnet-vlan 1 ip 192.168.3.2 24
[*Switch-vlan300] quit
[*Switch] commit

Step 4 Verify the configuration.


Run the display ip-subnet-vlan vlan all command on the Switch. The following
information is displayed:
[~Switch] display ip-subnet-vlan vlan all
IP-subnet-VLAN count: 3 total count: 3
----------------------------------------------------------------
VLAN Index IpAddress SubnetMask Priority
----------------------------------------------------------------
100 1 192.168.1.2 255.255.255.0 0
200 1 192.168.2.2 255.255.255.0 0
300 1 192.168.3.2 255.255.255.0 0
----------------------------------------------------------------

The production service, office service, and disaster recovery service can only be
transmitted in the production center, campus office network, and disaster recovery
data center respectively.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 100 200 300
#
vlan 100
ip-subnet-vlan 1 ip 192.168.1.2 255.255.255.0
#
vlan 200
ip-subnet-vlan 1 ip 192.168.2.2 255.255.255.0
#
vlan 300
ip-subnet-vlan 1 ip 192.168.3.2 255.255.255.0
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 100
device transceiver 10GBASE-COPPER
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 200
device transceiver 10GBASE-COPPER
#
interface 10GE1/0/4
port link-type trunk
port trunk allow-pass vlan 300
device transceiver 10GBASE-COPPER
#
interface 10GE1/0/5
port link-type hybrid
port hybrid untagged vlan 100
ip-subnet-vlan enable
device transceiver 10GBASE-COPPER
#
interface 10GE1/0/6
port link-type hybrid
port hybrid untagged vlan 200
ip-subnet-vlan enable
device transceiver 10GBASE-COPPER
#
interface 10GE1/0/7
port link-type hybrid
port hybrid untagged vlan 300
ip-subnet-vlan enable
device transceiver 10GBASE-COPPER
#
return

5.16.4 Example for Implementing Inter-VLAN Communication Using VLANIF Interfaces

Networking Requirements
Users in a company use different services and are located on different network
segments. Users who use the same service belong to different VLANs and
want to communicate with each other.

In Figure 5-25, User 1 and User 2 use the same service and need to communicate,
but belong to different VLANs and are located on different network segments.

Figure 5-25 Networking diagram for implementing inter-VLAN communication using VLANIF interfaces

[Figure: On the Switch, 10GE1/0/1 belongs to VLAN 10 (VLANIF10, 10.10.10.2/24)
and connects User1 (10.10.10.3/24); 10GE1/0/2 belongs to VLAN 20 (VLANIF20,
10.10.20.2/24) and connects User2 (10.10.20.3/24).]

Configuration Roadmap
1. Create VLANs on the switches for different users.
2. Add interfaces to VLANs so that packets of the VLANs can pass through the
interfaces.
3. Create VLANIF interfaces and configure IP addresses for the VLANIF interfaces
to implement Layer 3 communication.

NOTE

To implement communication between VLANs, hosts in each VLAN must use the IP address
of the corresponding VLANIF interface as the gateway address.

Procedure
Step 1 Configure the Switch.
# Create VLANs.
<HUAWEI> system-view
[~HUAWEI] sysname Switch
[*HUAWEI] commit
[~Switch] vlan batch 10 20
[*Switch] commit

# Add interfaces to VLANs.
[~Switch] interface 10ge 1/0/1
[~Switch-10GE1/0/1] port default vlan 10
[*Switch-10GE1/0/1] quit
[*Switch] interface 10ge 1/0/2
[*Switch-10GE1/0/2] port default vlan 20
[*Switch-10GE1/0/2] quit
[*Switch] commit

# Assign IP addresses to the VLANIF interfaces.
[~Switch] interface vlanif 10
[*Switch-Vlanif10] ip address 10.10.10.2 24
[*Switch-Vlanif10] quit
[*Switch] interface vlanif 20
[*Switch-Vlanif20] ip address 10.10.20.2 24
[*Switch-Vlanif20] quit
[*Switch] commit

Step 2 Verify the configuration.


Configure the IP address 10.10.10.3/24 on User 1's host and configure the VLANIF 10
interface IP address 10.10.10.2/24 as the gateway address.
Configure the IP address 10.10.20.3/24 on User 2's host and configure the VLANIF 20
interface IP address 10.10.20.2/24 as the gateway address.
After the preceding configurations are complete, User 1 in VLAN 10 and User 2 in
VLAN 20 can communicate.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface Vlanif20
ip address 10.10.20.2 255.255.255.0
#
interface 10GE1/0/1
port default vlan 10
#
interface 10GE1/0/2
port default vlan 20
#
return

5.16.5 Example for Configuring VLAN Aggregation

Networking Requirements
A company has many departments that reside on the same network segment. For
security purposes, the company adds different departments to different VLANs.
Users in different departments need to communicate with each other.

In Figure 5-26, VLAN 2 and VLAN 3 are assigned to different departments,
SwitchA is the access device, and SwitchB is the gateway. Users in VLAN 2 and
VLAN 3 need to communicate with each other.

Figure 5-26 Networking of VLAN aggregation

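[Figure: The Router connects the Internet to 10GE1/0/1 of SwitchB (VLAN 10).
SwitchB hosts super-VLAN 4 with VLANIF 4 at 10.1.1.1/24. 10GE1/0/5 of SwitchB
connects to 10GE1/0/5 of SwitchA. On SwitchA, 10GE1/0/1 and 10GE1/0/2 are in
VLAN 2, and 10GE1/0/3 and 10GE1/0/4 are in VLAN 3.]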

Configuration Roadmap
You can configure VLAN aggregation on SwitchB and add VLANs of different
departments to the super-VLAN so that users in different departments can access
the Internet using the super-VLAN. Proxy ARP can be configured in the super-
VLAN so that users in different departments can communicate with each other.
The configuration roadmap is as follows:
1. Configure VLANs and interfaces on SwitchA and SwitchB, add users of
different departments to different VLANs, and configure interfaces on SwitchA
and SwitchB to transparently transmit packets from VLANs.
2. Configure a super-VLAN, a VLANIF interface, and a static route on SwitchB to
provide Internet access for hosts.
3. Configure proxy ARP in the super-VLAN on SwitchB so that users in different
departments can communicate at Layer 3.

Procedure
Step 1 Configure VLANs and interfaces on SwitchA and SwitchB, add users of different
departments to different VLANs, and configure an interface to transparently
transmit packets to SwitchB.
1. Configure SwitchA.
# Configure 10GE1/0/1 as an access interface. The configurations of
10GE1/0/2 to 10GE1/0/4 are similar to the configuration of 10GE1/0/1, and
are not mentioned here.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[*HUAWEI] commit
[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] port link-type access
[*SwitchA-10GE1/0/1] quit
[*SwitchA] commit
# Create VLAN 2 and VLAN 3, add 10GE1/0/1 and 10GE1/0/2 to VLAN 2, and
add 10GE1/0/3 and 10GE1/0/4 to VLAN 3.
[~SwitchA] vlan batch 2 3
[*SwitchA] vlan 2
[*SwitchA-vlan2] port 10ge 1/0/1 1/0/2
[*SwitchA-vlan2] quit
[*SwitchA] vlan 3
[*SwitchA-vlan3] port 10ge 1/0/3 1/0/4
[*SwitchA-vlan3] quit
[*SwitchA] commit
# Configure the interface of SwitchA connected to SwitchB to transparently
transmit packets from VLAN 2 and VLAN 3 to SwitchB.
[~SwitchA] interface 10ge 1/0/5
[~SwitchA-10GE1/0/5] port link-type trunk
[*SwitchA-10GE1/0/5] port trunk allow-pass vlan 2 3
[*SwitchA-10GE1/0/5] quit
[*SwitchA] commit

2. Configure SwitchB.
# Create VLAN 2, VLAN 3, VLAN 4, and VLAN 10, and configure the interface
of SwitchB connected to SwitchA to transparently transmit packets from VLAN
2 and VLAN 3 to SwitchB.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchB
[*HUAWEI] commit
[~SwitchB] vlan batch 2 3 4 10
[*SwitchB] interface 10ge 1/0/5
[*SwitchB-10GE1/0/5] port link-type trunk
[*SwitchB-10GE1/0/5] port trunk allow-pass vlan 2 3
[*SwitchB-10GE1/0/5] quit
[*SwitchB] commit

Step 2 Configure a super-VLAN and a VLANIF interface corresponding to the super-VLAN.


# Configure super-VLAN 4 on SwitchB and add VLAN 2 and VLAN 3 to super-VLAN
4 as sub-VLANs.
[~SwitchB] vlan 4
[~SwitchB-vlan4] aggregate-vlan
[*SwitchB-vlan4] access-vlan 2 to 3
[*SwitchB-vlan4] quit
[*SwitchB] commit

# Create and configure VLANIF 4 so that users in different departments can access
the Internet using super-VLAN 4.
[~SwitchB] interface vlanif 4
[*SwitchB-Vlanif4] ip address 10.1.1.1 24
[*SwitchB-Vlanif4] quit
[*SwitchB] commit

Step 3 Configure a static route.


# Configure the uplink interface 10GE1/0/1 on SwitchB to transparently transmit
packets from the VLAN to which SwitchB and the router belong.
[~SwitchB] interface 10ge 1/0/1
[~SwitchB-10GE1/0/1] port link-type trunk
[*SwitchB-10GE1/0/1] port trunk allow-pass vlan 10
[*SwitchB-10GE1/0/1] quit
[*SwitchB] commit

# Create and configure VLANIF 10 and specify the IP address of VLANIF 10 as the
IP address for connecting SwitchB and the router.
[~SwitchB] interface vlanif 10
[*SwitchB-Vlanif10] ip address 10.10.1.1 24
[*SwitchB-Vlanif10] quit
[*SwitchB] commit

# On SwitchB, configure a static route to the router so that users can access the
Internet.
[~SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.10.1.2
[*SwitchB] commit

NOTE

Configure the router interface connected to SwitchB and assign to it the IP address of
10.10.1.2. For details, see the router configuration manual.

Step 4 Assign IP addresses to servers.

Configure an IP address for each server. Ensure that the servers reside on the same
network segment as VLAN 4.

After the preceding steps are complete, servers in each department can access the
Internet. However, servers in VLAN 2 and VLAN 3 cannot ping each other. Proxy
ARP needs to be configured on SwitchB.

Step 5 Configure proxy ARP.


# Configure proxy ARP in super-VLAN 4 on SwitchB so that users in different
departments can communicate at Layer 3.
[~SwitchB] interface vlanif 4
[~SwitchB-Vlanif4] arp proxy inter-vlan enable
[*SwitchB-Vlanif4] quit
[*SwitchB] commit

Step 6 Verify the configuration.

After the configuration is complete, users in VLAN 2 and VLAN 3 can ping each
other and access the Internet.

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 2 to 3
#
interface 10GE1/0/1
port default vlan 2
#
interface 10GE1/0/2
port default vlan 2
#
interface 10GE1/0/3
port default vlan 3
#
interface 10GE1/0/4
port default vlan 3
#
interface 10GE1/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return

● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 2 to 4 10
#
vlan 4
aggregate-vlan
access-vlan 2 to 3
#
interface Vlanif4
ip address 10.1.1.1 255.255.255.0
arp proxy inter-vlan enable
#
interface Vlanif10
ip address 10.10.1.1 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface 10GE1/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
ip route-static 0.0.0.0 0.0.0.0 10.10.1.2
#
return

5.16.6 Example for Configuring the MUX VLAN on the Access Layer Device

Networking Requirements
In Figure 5-27, office service servers ServerB, ServerC, ServerD, and ServerE are
deployed on a data center network. All servers can connect to the campus office
network. The data center administrator requires that ServerB should communicate
with ServerC and ServerD should be isolated from ServerE.

To meet this requirement, deploy the MUX VLAN on the switch connected to the servers:
connect the principal port to the office network, separate ports to the servers that
do not need to communicate, and group ports to the servers that need to
communicate. This saves VLAN IDs on the network and facilitates network
management.

NOTE

CE5880EI and CE6880EI do not support this configuration.

Figure 5-27 MUX VLAN configuration
[Figure: The Switch connects to the campus office network through 10GE1/0/1 in VLAN 2 (principal VLAN). 10GE1/0/2 through 10GE1/0/5 connect UserB, UserC, UserD, and UserE, which are placed in VLAN 3 (group VLAN) and VLAN 4 (separate VLAN).]

Configuration Roadmap
1. Configure the principal VLAN.
2. Configure the group VLAN.
3. Configure the separate VLAN.
4. Add interfaces to the VLANs and enable the MUX VLAN function.

Procedure
Step 1 Configure a MUX VLAN.
# Create VLAN 2, VLAN 3, and VLAN 4.
<HUAWEI> system-view
[~HUAWEI] sysname Switch
[*HUAWEI] commit
[~Switch] vlan batch 2 3 4
[*Switch] commit

# Configure the Group VLAN and Separate VLAN in the MUX VLAN.
[~Switch] vlan 2
[~Switch-vlan2] mux-vlan
[*Switch-vlan2] subordinate group 3
[*Switch-vlan2] subordinate separate 4
[*Switch-vlan2] quit
[*Switch] commit

# Add interfaces to the VLANs and enable the MUX VLAN function on the
interfaces.
[~Switch] interface 10ge 1/0/1
[~Switch-10GE1/0/1] port default vlan 2
[*Switch-10GE1/0/1] port mux-vlan enable vlan 2
[*Switch-10GE1/0/1] quit
[*Switch] interface 10ge 1/0/2
[*Switch-10GE1/0/2] port default vlan 3
[*Switch-10GE1/0/2] port mux-vlan enable vlan 3
[*Switch-10GE1/0/2] quit
[*Switch] interface 10ge 1/0/3
[*Switch-10GE1/0/3] port default vlan 3
[*Switch-10GE1/0/3] port mux-vlan enable vlan 3
[*Switch-10GE1/0/3] quit
[*Switch] interface 10ge 1/0/4
[*Switch-10GE1/0/4] port default vlan 4
[*Switch-10GE1/0/4] port mux-vlan enable vlan 4
[*Switch-10GE1/0/4] quit
[*Switch] interface 10ge 1/0/5
[*Switch-10GE1/0/5] port default vlan 4
[*Switch-10GE1/0/5] port mux-vlan enable vlan 4
[*Switch-10GE1/0/5] quit
[*Switch] commit

Step 2 Verify the configuration.


● Server B, Server C, Server D, and Server E can access external networks.
● Server B and Server C can ping each other.
● Server D and Server E cannot ping each other.
● Server B and Server C cannot ping Server D or Server E. Server D and Server E
cannot ping Server B or Server C.

----End

Configuration File
Configuration file of the Switch
#
sysname Switch
#
vlan batch 2 to 4
#
vlan 2
mux-vlan
subordinate separate 4
subordinate group 3
#
interface 10GE1/0/1
port default vlan 2
port mux-vlan enable vlan 2
#
interface 10GE1/0/2
port default vlan 3
port mux-vlan enable vlan 3
#
interface 10GE1/0/3
port default vlan 3
port mux-vlan enable vlan 3
#
interface 10GE1/0/4
port default vlan 4
port mux-vlan enable vlan 4
#
interface 10GE1/0/5
port default vlan 4
port mux-vlan enable vlan 4
#
return
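
The verification results in Step 2 follow from the roles assigned in this configuration file. The following Python sketch is an added example, not part of the Huawei guide: it parses the file, derives which port pairs can reach each other at Layer 2, and lists member ports that lack the port mux-vlan enable line. It assumes a single MUX VLAN per device; the function names are hypothetical.

```python
import re

# Configuration file of the Switch from 5.16.6 (sysname omitted, indentation restored).
CONFIG = """\
vlan batch 2 to 4
#
vlan 2
 mux-vlan
 subordinate separate 4
 subordinate group 3
#
interface 10GE1/0/1
 port default vlan 2
 port mux-vlan enable vlan 2
#
interface 10GE1/0/2
 port default vlan 3
 port mux-vlan enable vlan 3
#
interface 10GE1/0/3
 port default vlan 3
 port mux-vlan enable vlan 3
#
interface 10GE1/0/4
 port default vlan 4
 port mux-vlan enable vlan 4
#
interface 10GE1/0/5
 port default vlan 4
 port mux-vlan enable vlan 4
#
return
"""


def expand(spec):
    """Expand a VLAN list such as '3' or '3 to 5 7' into integers."""
    toks, out, i = spec.split(), [], 0
    while i < len(toks):
        if i + 2 < len(toks) and toks[i + 1] == "to":
            out.extend(range(int(toks[i]), int(toks[i + 2]) + 1))
            i += 3
        else:
            out.append(int(toks[i]))
            i += 1
    return out


def parse(config):
    """Return (roles, ports): VLAN ID -> MUX VLAN role, interface -> settings."""
    roles, ports, section = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            section = None
        elif m := re.fullmatch(r"vlan (\d+)", line):
            section = ("vlan", int(m.group(1)))
        elif m := re.fullmatch(r"interface (\S+)", line):
            section = ("port", m.group(1))
            ports[m.group(1)] = {"pvid": None, "mux": False}
        elif section and section[0] == "vlan":
            if line == "mux-vlan":
                roles[section[1]] = "principal"
            elif m := re.fullmatch(r"subordinate (group|separate) (.+)", line):
                for vid in expand(m.group(2)):
                    roles[vid] = m.group(1)
        elif section and section[0] == "port":
            if m := re.fullmatch(r"port default vlan (\d+)", line):
                ports[section[1]]["pvid"] = int(m.group(1))
            elif re.fullmatch(r"port mux-vlan enable vlan .+", line):
                ports[section[1]]["mux"] = True
    return roles, ports


def allowed(roles, ports, a, b):
    """Layer 2 reachability between two member ports under MUX VLAN rules."""
    ra, rb = roles.get(ports[a]["pvid"]), roles.get(ports[b]["pvid"])
    if ra is None or rb is None:
        return None                      # port is outside the MUX VLAN
    if "principal" in (ra, rb):
        return True                      # principal port reaches every member
    if ra == rb == "group":
        return ports[a]["pvid"] == ports[b]["pvid"]   # same group VLAN only
    return False                         # separate ports reach only the principal


def missing_enable(roles, ports):
    """Member ports lacking the 'port mux-vlan enable' line the procedure adds."""
    return sorted(p for p, s in ports.items() if s["pvid"] in roles and not s["mux"])


if __name__ == "__main__":
    roles, ports = parse(CONFIG)
    names = sorted(ports)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            print(a, b, "reach" if allowed(roles, ports, a, b) else "isolated")
    print("ports without mux-vlan enable:", missing_enable(roles, ports))
```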

5.16.7 Example for Configuring the MUX VLAN on the Aggregation Device
Networking Requirements
Figure 5-28 shows a data center network where office servers ServerA, ServerB,
ServerC, and ServerD are deployed. All servers can connect to the campus office
network. The data center administrator requires that ServerA should communicate
with ServerB and ServerC should be isolated from ServerD.
In Figure 5-28, Switch1 is located at the aggregation layer, the gateway is
connected to downstream terminals, and Switch2 and Switch3 are access devices.
You can configure MUX VLAN on Switch1 to Switch3. MUX VLAN meets enterprise
requirements, saves VLAN IDs, and facilitates network maintenance.

NOTE

CE5880EI and CE6880EI switches do not support the MUX VLAN function. CE6810LI
switches do not support VLANIF interfaces corresponding to the principal VLAN and sub-
VLAN. They are not applicable to the preceding scenario.

Figure 5-28 Networking of MUX VLAN
[Figure: The gateway (10GE1/0/1, VLANIF2, IP: 10.10.10.1/24) connects the campus office network to 10GE1/0/1 of Switch1 in VLAN 2 (principal VLAN). 10GE1/0/2 and 10GE1/0/3 of Switch1 connect to 10GE1/0/1 of Switch2 and Switch3. 10GE1/0/2 and 10GE1/0/3 of Switch2 connect to ServerA and ServerB in VLAN 3 (group VLAN); 10GE1/0/2 and 10GE1/0/3 of Switch3 connect to ServerC and ServerD in VLAN 4 (separate VLAN).]

Configuration Roadmap
1. Create VLAN 2 to VLAN 4 on Switch1 to Switch3, configure VLAN 2 as the
principal VLAN, VLAN 3 as the subordinate group VLAN, and VLAN 4 as the
subordinate separate VLAN.
2. Connect the gateway to Switch1 through 10GE1/0/1, create VLANIF 2 on the
gateway, configure the IP address 10.10.10.1/24 as the gateway address of
downstream servers.
3. Configure 10GE1/0/1 on Switch2 and Switch3 to allow packets from VLAN 2
to VLAN 4, enable MUX VLAN on the downlink interface, and add the
downlink interface to the VLAN that servers belong to.

Procedure
Step 1 Configure MUX VLAN.
# Create VLAN 2 to VLAN 4 on Switch1, Switch2, and Switch3, and configure
VLAN 2 as the principal VLAN, VLAN 3 as the subordinate group VLAN, and VLAN
4 as the subordinate separate VLAN. Switch1 is used as an example. The
configurations of Switch2 and Switch3 are the same as that of Switch1.
<HUAWEI> system-view
[~HUAWEI] sysname Switch1
[*HUAWEI] commit
[~Switch1] vlan batch 2 3 4
[*Switch1] vlan 2
[*Switch1-vlan2] mux-vlan
[*Switch1-vlan2] subordinate group 3
[*Switch1-vlan2] subordinate separate 4
[*Switch1-vlan2] quit
[*Switch1] commit

# Add 10GE1/0/1 on Switch1 to VLAN 2 and enable MUX VLAN on it, and
configure 10GE1/0/2 and 10GE1/0/3 to allow packets from VLAN 2 to VLAN 4.
[~Switch1] interface 10ge 1/0/1
[~Switch1-10GE1/0/1] port link-type trunk
[*Switch1-10GE1/0/1] port trunk allow-pass vlan 2
[*Switch1-10GE1/0/1] port mux-vlan enable vlan 2
[*Switch1-10GE1/0/1] quit
[*Switch1] interface 10ge 1/0/2
[*Switch1-10GE1/0/2] port link-type trunk
[*Switch1-10GE1/0/2] port trunk allow-pass vlan 2 to 4
[*Switch1-10GE1/0/2] quit
[*Switch1] interface 10ge 1/0/3
[*Switch1-10GE1/0/3] port link-type trunk
[*Switch1-10GE1/0/3] port trunk allow-pass vlan 2 to 4
[*Switch1-10GE1/0/3] quit
[*Switch1] commit

Step 2 On the gateway, which connects to Switch1 through 10GE1/0/1, create VLANIF 2 and
configure the IP address 10.10.10.1/24 as the gateway address of downstream servers.
<HUAWEI> system-view
[~HUAWEI] sysname Gateway
[*HUAWEI] commit
[~Gateway] vlan batch 2
[*Gateway] interface 10ge 1/0/1
[*Gateway-10GE1/0/1] port link-type trunk
[*Gateway-10GE1/0/1] port trunk allow-pass vlan 2
[*Gateway-10GE1/0/1] quit
[*Gateway] interface vlanif 2
[*Gateway-Vlanif2] ip address 10.10.10.1 24
[*Gateway-Vlanif2] quit
[*Gateway] commit

NOTE

If the MUX VLAN contains multiple group VLANs and devices in group VLANs need to
communicate, run the arp proxy intra-vlan enable command on the VLANIF interface of
the gateway to configure intra-VLAN proxy ARP.

Step 3 Configure 10GE1/0/1 on Switch2 and Switch3 to allow packets from VLAN 2 to
VLAN 4, enable MUX VLAN on 10GE1/0/2 and 10GE1/0/3, and add the downlink
interfaces to the VLAN that servers belong to. Switch2 is used as an example. The
configuration of Switch3 is the same as that of Switch2.
# Configure 10GE1/0/1 as a trunk interface and configure it to allow packets from
VLAN 2 to VLAN 4.
[~Switch2] interface 10ge 1/0/1
[~Switch2-10GE1/0/1] port link-type trunk
[*Switch2-10GE1/0/1] port trunk allow-pass vlan 2 to 4
[*Switch2-10GE1/0/1] quit
[*Switch2] commit

# Enable MUX VLAN on 10GE1/0/2 and 10GE1/0/3, and add them to the VLAN to
which servers belong.
[~Switch2] interface 10ge 1/0/2
[~Switch2-10GE1/0/2] port default vlan 3
[*Switch2-10GE1/0/2] port mux-vlan enable vlan 3
[*Switch2-10GE1/0/2] quit
[*Switch2] commit
[~Switch2] interface 10ge 1/0/3
[~Switch2-10GE1/0/3] port default vlan 3
[*Switch2-10GE1/0/3] port mux-vlan enable vlan 3
[*Switch2-10GE1/0/3] quit
[*Switch2] commit

Step 4 Configure IP addresses for servers.


Configure an IP address for each server to ensure that the IP addresses of servers
are on the same network segment as the gateway address.
Step 5 Verify the configuration.
After the configuration is complete, each server can access the Internet, SwitchA
and SwitchB can ping each other, SwitchC and SwitchD cannot ping each other,
and SwitchA and SwitchB cannot ping SwitchC or SwitchD.

----End

Configuration Files
● Gateway configuration file
#
sysname Gateway
#
vlan batch 2
#
interface Vlanif2
ip address 10.10.10.1 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2
#
return
● Switch1 configuration file
#
sysname Switch1
#
vlan batch 2 to 4
#
vlan 2
mux-vlan
subordinate separate 4
subordinate group 3
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2
port mux-vlan enable vlan 2
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4
#
return
● Switch2 configuration file
#
sysname Switch2
#
vlan batch 2 to 4
#
vlan 2
mux-vlan
subordinate separate 4
subordinate group 3
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4
#
interface 10GE1/0/2
port default vlan 3
port mux-vlan enable vlan 3
#
interface 10GE1/0/3
port default vlan 3
port mux-vlan enable vlan 3
#
return

● Switch3 configuration file


#
sysname Switch3
#
vlan batch 2 to 4
#
vlan 2
mux-vlan
subordinate separate 4
subordinate group 3
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4
#
interface 10GE1/0/2
port default vlan 4
port mux-vlan enable vlan 4
#
interface 10GE1/0/3
port default vlan 4
port mux-vlan enable vlan 4
#
return

5.16.8 Example for Configuring Transparent Transmission of Protocol Packets in a VLAN
Networking Requirements
In Figure 5-29, a data center network has office servers ServerA and ServerB.
ServerA and ServerB belong to VLAN 10 and obtain IP addresses through DHCP.
SwitchB is a Layer 2 switching device and has DHCP snooping enabled to defend
against DHCP-oriented attacks. In this case, protocol packets in all VLANs are sent
to the CPU for processing, and the CPU needs to forward the packets to other
devices. This affects the forwarding speed and efficiency of protocol packets. To
address this issue, enable transparent transmission of protocol packets in VLAN 10
on SwitchB. After protocol packets from VLAN 10 reach SwitchB, SwitchB directly
forwards the protocol packets without sending them to the CPU. This accelerates
forwarding of protocol packets.

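Figure 5-29 Networking for configuring transparent transmission of protocol packets in a VLAN
[Figure: SwitchB connects upstream through 10GE1/0/2 toward the DHCP server and the Internet, and downstream through 10GE1/0/1 to 10GE1/0/3 of SwitchA. 10GE1/0/1 and 10GE1/0/2 of SwitchA connect to ServerA and ServerB in VLAN 10.]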

Configuration Roadmap
1. Allocate the downlink interfaces of SwitchA connected to office servers to
VLAN 10.
2. Enable transparent transmission of protocol packets in a VLAN on SwitchB.
When protocol packets from a specified VLAN reach SwitchB, SwitchB directly
forwards the protocol packets without sending them to the CPU.

Procedure
Step 1 Add the downlink interfaces on SwitchA to VLAN 10 and configure the uplink
interfaces to allow VLAN 10.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[*HUAWEI] commit
[~SwitchA] vlan 10
[*SwitchA-vlan10] quit
[*SwitchA] interface 10ge 1/0/1
[*SwitchA-10GE1/0/1] port default vlan 10
[*SwitchA-10GE1/0/1] quit
[*SwitchA] interface 10ge 1/0/2
[*SwitchA-10GE1/0/2] port default vlan 10
[*SwitchA-10GE1/0/2] quit
[*SwitchA] interface 10ge 1/0/3
[*SwitchA-10GE1/0/3] port link-type trunk
[*SwitchA-10GE1/0/3] port trunk allow-pass vlan 10
[*SwitchA-10GE1/0/3] quit
[*SwitchA] commit

Step 2 Enable transparent transmission of protocol packets in a VLAN on SwitchB.


<HUAWEI> system-view
[~HUAWEI] sysname SwitchB
[*HUAWEI] commit
[~SwitchB] vlan 10
[*SwitchB-vlan10] quit
[*SwitchB] interface 10ge 1/0/1
[*SwitchB-10GE1/0/1] port link-type trunk
[*SwitchB-10GE1/0/1] port trunk allow-pass vlan 10
[*SwitchB-10GE1/0/1] quit
[*SwitchB] interface 10ge 1/0/2
[*SwitchB-10GE1/0/2] port link-type trunk
[*SwitchB-10GE1/0/2] port trunk allow-pass vlan 10
[*SwitchB-10GE1/0/2] quit
[*SwitchB] vlan 10
[*SwitchB-vlan10] protocol-transparent
[*SwitchB-vlan10] quit
[*SwitchB] commit

Step 3 Verify the configuration.


Run the display this command in the view of VLAN 10 on SwitchB. You can see
that transparent transmission of protocol packets is enabled in VLAN 10.
[~SwitchB] vlan 10
[~SwitchB-vlan10] display this
#
vlan 10
protocol-transparent
#
return

----End

Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10
#
interface 10GE1/0/1
port default vlan 10
#
interface 10GE1/0/2
port default vlan 10
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 10
#
return

Configuration file of SwitchB


#
sysname SwitchB
#
vlan batch 10
#
vlan 10
protocol-transparent
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return

5.17 Troubleshooting VLANs

5.17.1 User Terminals in the Same VLAN Cannot Ping Each Other
Fault Description
User terminals in the same VLAN cannot ping each other.

Procedure
Step 1 Check whether the interfaces connected to the user terminals are in Up state.
Run the display interface interface-type interface-number command in any view
to check the status of the interfaces.
● If the interface is Down, rectify the interface fault.
● If the interface is Up, go to Step 2.
Step 2 Check whether the IP addresses of user terminals are in the same network
segment.
● If they are in different network segments, change the IP addresses of the user
terminals.
● If they are in the same network segment, go to Step 3.
Step 3 Check whether the MAC address entries on the Switch are correct.
Run the display mac-address command on the Switch to check whether the MAC
addresses, interfaces, and VLANs in the learned MAC address entries are correct. If
the learned MAC address entries are incorrect, run the undo mac-address
mac-address vlan vlan-id command in the system view to delete the current entries so
that the Switch can learn MAC address entries again.
After the MAC address table is updated, check the MAC address entries again.
● If the MAC address entries are incorrect, go to Step 4.
● If the MAC address entries are correct, go to Step 5.
Step 4 Check whether the VLAN is properly configured.
● Check the VLAN configuration according to the following table.

Check item: Whether the VLAN has been created
Method: Run the display vlan vlan-id command in any view to check whether the
VLAN has been created. If not, run the vlan command in system view to create
the VLAN.

Check item: Whether the interfaces are added to the VLAN
Method: Run the display vlan vlan-id command in any view to check whether the
VLAN contains the interfaces. If not, add the interfaces to the VLAN.
NOTE
If the interfaces are located on different devices, add the interfaces connecting
the devices to the VLAN.
The default type of a Switch interface is Access. You can run the port link-type
command to change the interface type.
– Add an access interface to the VLAN using either of the following methods:
  1. Run the port default vlan command in the interface view.
  2. Run the port command in the VLAN view.
– Add a trunk interface to the VLAN.
  Run the port trunk allow-pass vlan command in the interface view.
– Add a hybrid interface to the VLAN using either of the following methods:
  1. Run the port hybrid tagged vlan command in the interface view.
  2. Run the port hybrid untagged vlan command in the interface view.

Check item: Whether connections between interfaces and user terminals are correct
Method: Check the connections between interfaces and user terminals according to
the network plan. If any user terminal is connected to an incorrect interface,
connect it to the correct interface.

After the preceding operations, if the MAC address entries are correct, go to
Step 5.
Step 5 Check whether Layer 2 port isolation is configured.
Run the interface interface-type interface-number command in the system view
to enter the interface view, and then run the display this command to check
whether Layer 2 port isolation is configured on the interface.
● If Layer 2 port isolation is not configured, go to Step 6.
● If Layer 2 port isolation is configured, run the undo port-isolate enable
command on the interface to disable port isolation. If the fault persists, go to
Step 6.

Step 6 Check whether the correct static Address Resolution Protocol (ARP) entries are
configured on the user terminals. If the static ARP entries are incorrect, modify
them.

----End

5.17.2 A VLANIF Interface Goes Down


Fault Description
A VLANIF interface is in Down state.

Common Causes and Solutions


Table 5-11 lists the common causes and solutions.

Table 5-11 Common causes and solutions for the VLANIF interface going down

Common cause: No interface is added to the corresponding VLAN.
Solution: Add interfaces to the corresponding VLAN.

Common cause: All interfaces added to the VLAN are physically Down.
Solution: Rectify the fault. A VLANIF interface is Up as long as an interface in the
corresponding VLAN is Up.

Common cause: No IP address is assigned to the VLANIF interface.
Solution: Run the ip address command in the view of the VLANIF interface to assign
an IP address to the VLANIF interface.

Common cause: The VLANIF interface is shut down.
Solution: Run the undo shutdown (interface view) command in the view of the
VLANIF interface to enable the VLANIF interface.

6 QinQ Configuration

This chapter describes the concepts and configuration procedure of 802.1Q-in-802.1Q
(QinQ), and provides configuration examples.

6.1 Overview of QinQ


6.2 Understanding QinQ
6.3 Application Scenarios for QinQ
6.4 Licensing Requirements and Limitations for QinQ
6.5 Configuring QinQ
6.6 Configuration Examples for QinQ

6.1 Overview of QinQ

Definition
QinQ expands VLAN space by adding an additional 802.1Q tag to 802.1Q tagged
packets. A packet carries two 802.1Q tags: a public VLAN tag and a private VLAN
tag.

Purpose
Ethernet is widely used on ISP networks, but 802.1Q VLANs are unable to identify
and isolate large numbers of users on metro Ethernet networks because the 12-bit
VLAN tag field defined in IEEE 802.1Q only identifies a maximum of 4096 VLANs.
QinQ was developed to expand VLAN space beyond 4096 VLANs so that a larger
number of users can be identified on a metro Ethernet network.

QinQ was originally developed to expand VLAN space by adding an additional
802.1Q tag to an 802.1Q-tagged packet. In this way, the number of VLANs can
increase to 4094 x 4094 (values 0 and 4095 are reserved). Packets are forwarded
based on outer VLAN tags on the public network, and devices on the public
network add outer VLAN IDs to MAC address tables of the corresponding VLANs.
Inner VLAN tags of packets are transmitted as data on the public network.

In addition to expanding VLAN space, QinQ is applied in other scenarios with the
development of metro Ethernet networks and carriers' requirements on refined
service operation. The outer and inner VLAN tags can be used to differentiate
packets based on users and services. For example, the inner tag represents a user,
while the outer tag represents a service. Moreover, QinQ is used as a simple and
practical virtual private network (VPN) technology because inner tags of QinQ
packets are transparently transmitted over a public network. It extends core
multiprotocol label switching (MPLS) VPN services to metro Ethernet networks to
establish an end-to-end VPN.

Benefits
QinQ offers the following benefits:
● Extends VLANs to isolate and identify more users.
● Facilitates service deployment by allowing the inner and outer tags to
represent different information. For example, use the inner tag to identify a
user and the outer tag to identify a service.

6.2 Understanding QinQ

6.2.1 QinQ Fundamentals


QinQ expands VLAN space by adding an additional 802.1Q VLAN tag to an
802.1Q-tagged packet. Devices forward packets over the public network according
to outer VLAN tags of the packets, and learn MAC addresses from the outer VLAN
tags. The private VLAN tags in the packets are forwarded as payload of the
packets.

Figure 6-1 Typical QinQ application
[Figure: PE1 and PE2 are connected across the public network. Sites of customer network A (private VLANs 1 to 10) attach to the PEs through public VLAN 3, and sites of customer network B (private VLANs 1 to 20) attach through public VLAN 4.]

As shown in Figure 6-1, customer network A is divided into private VLANs 1 to 10,
and customer network B is divided into private VLANs 1 to 20. The carrier
allocates public VLANs 3 and 4 to customer networks A and B respectively. When
tagged packets from networks A and B arrive at the carrier network, the packets
are tagged with outer VLANs 3 and 4 respectively. Therefore, the packets from different
customer networks are separated on the carrier network, even though the customer
networks use overlapping VLAN ranges. When the packets reach the PE on the
other side of the carrier network, the PE removes public VLAN tags from the
packets and forwards the packets to the CE of the respective customer network.

QinQ Packet Encapsulation Format


A QinQ packet has a fixed format, in which an 802.1Q tag is added outside the
existing 802.1Q tag of the packet. QinQ allows overlaying of multiple tags.

NOTE

Because a QinQ packet has 4 more bytes than an 802.1Q packet, the maximum frame
length allowed by each interface on the carrier network should be at least 1504 bytes. The
default frame length allowed by interfaces of a switch is larger than 1504 bytes, so you do
not need to adjust it. For details on how to configure the frame length allowed by an
interface, see Setting the Jumbo Frame Length Allowed on an Interface.

Figure 6-2 802.1Q encapsulation
802.1Q encapsulation: DA (6 bytes) | SA (6 bytes) | 802.1Q TAG (4 bytes) | LEN/ETYPE (2 bytes) | DATA (46 to 1500 bytes) | FCS (4 bytes)
QinQ encapsulation: DA (6 bytes) | SA (6 bytes) | 802.1Q TAG (4 bytes) | 802.1Q TAG (4 bytes) | LEN/ETYPE (2 bytes) | DATA (46 to 1500 bytes) | FCS (4 bytes)
802.1Q TAG fields: TPID | Priority | CFI | VLAN ID

QinQ Implementation
QinQ can be implemented in either of the following ways:

1. Basic QinQ
Basic QinQ is implemented based on interfaces. After basic QinQ is
configured on an interface, the device adds the default VLAN tag of this
interface to all packets regardless of whether the packets carry VLAN tags.
– If a single-tagged packet is received, the packet becomes a double-
tagged packet.
– If an untagged packet is received, the packet is tagged with the default
VLAN ID of the local interface.
2. Selective QinQ
Selective QinQ is implemented based on interfaces and VLAN IDs. That is, an
interface can forward packets based on a single VLAN tag or double VLAN
tags. In addition, the device processes packets received on an interface as
follows based on their VLAN IDs:
– Adds different outer VLAN tags to packets carrying different inner VLAN
IDs.
– Marks outer 802.1p fields and adds different outer VLAN tags to packets
according to the 802.1p fields in inner VLAN tags.
In addition to separating carrier and customer networks, selective QinQ
provides extensive service features and allows flexible networking.

QinQ Encapsulation
QinQ technology converts single-tagged packets into double-tagged packets.
QinQ is classified into basic QinQ and selective QinQ depending on the data
encapsulated:
● Interface-based QinQ encapsulation
This encapsulation mode is also called QinQ tunneling. It encapsulates
packets arriving at the same interface with the same outer VLAN tag, and
therefore cannot distinguish users and services at the same time.
● VLAN ID-based QinQ encapsulation
VLAN ID-based QinQ encapsulation, also called selective QinQ, encapsulates
packets with different outer tags to differentiate users.
● MQC-based QinQ encapsulation
MQC-based QinQ encapsulation, also called selective QinQ, classifies traffic
and encapsulates outer tags of matching data flows.

6.2.2 Basic QinQ


Basic QinQ is also called QinQ tunneling and is implemented based on interfaces.
Basic QinQ allows the device to add the default VLAN tag of an interface to a
packet received on the interface.
● If the received packet carries one VLAN tag, the packet then has double tags.
● If the received packet does not carry any VLAN tag, the packet then carries
the default VLAN tag of the interface.

6.2.3 Selective QinQ


Selective QinQ is more flexible than basic QinQ, and is also called VLAN stacking. In
addition to basic QinQ functions, selective QinQ can perform different actions for
packets from different VLANs, including:
● VLAN ID-based selective QinQ: adds different outer VLAN tags to packets
with different inner VLAN IDs.
● MQC-based selective QinQ: adds different outer tags to packets based on QoS
policies. MQC-based selective QinQ implements differentiated services.
Differences between basic QinQ and selective QinQ are as follows:
● Basic QinQ: adds the same outer tag to all the frames arriving at the Layer 2
QinQ interface.
● Selective QinQ: adds different outer tags to the frames with inner VLAN tags
or frames matching traffic classification rules. VLAN assignment is more
accurate.

6.2.4 TPID
The Tag Protocol Identifier (TPID) specifies the protocol type of a VLAN tag. The
TPID value defined in IEEE 802.1Q is 0x8100.

Figure 6-3 shows the Ethernet packet format defined in IEEE 802.1Q. An IEEE
802.1Q tag lies between the Source Address field and the Length/Type field. A
device determines whether packets carry the specified VLAN tag according to the
TPID. When an interface receives a packet, the device compares the configured
TPID with that in the packet. If they are the same, the packet carries the VLAN
tag. If they are different, the packet does not carry the VLAN tag.

Figure 6-3 802.1Q encapsulation
802.1Q encapsulation: DA (6 bytes) | SA (6 bytes) | 802.1Q TAG (4 bytes) | Length/Type (2 bytes) | Data (46 to 1500 bytes) | FCS (4 bytes)
802.1Q TAG: TPID (2 bytes, 0x8100) | TCI (2 bytes): Priority (3 bits), CFI (1 bit), VLAN ID (12 bits)

To implement interoperation between QinQ-capable devices of different vendors,
devices of different vendors use 0x8100 as the inner TPID value but may use
different outer TPID values. You can set the TPID value in outgoing QinQ packets
sent from Huawei devices to the TPID value used by non-Huawei devices so that
the Huawei and non-Huawei devices can communicate.

6.3 Application Scenarios for QinQ

6.3.1 Application of Basic QinQ


As shown in Figure 6-4, tenant 1 and tenant 2 in a data center are located in
different positions, and are connected to SwitchA and SwitchB on the core/
backbone network. To ensure security of services and save core/backbone network
VLAN IDs, traffic between two tenants needs to be transparently transmitted
through the core/backbone network, tenants using the same service in different
branches are allowed to communicate, and tenants using different services need
to be isolated. Basic QinQ is configured to meet the preceding requirements.

Figure 6-4 Networking of basic QinQ
[Figure: SwitchA and SwitchB connect to the core/backbone network through Interface3. On each switch, Interface1 connects to Tenant1 and Interface2 connects to Tenant2. VLAN ranges shown: Tenant1 VLAN2-VLAN500 and Tenant2 VLAN1000-VLAN2000 on SwitchA; Tenant1 VLAN100-VLAN500 and Tenant2 VLAN500-VLAN2500 on SwitchB.]

Table 6-1 describes VLAN assignment for tenant 1 and tenant 2.

Table 6-1 VLAN assignment for tenant 1 and tenant 2


Tenant Name VLAN ID Range Outer VLAN ID

Tenant 1 2 to 500 10

Tenant 2 500 to 2500 20

Configure QinQ on SwitchA and SwitchB so that tenants using the same service in
different branches can communicate and tenants using different services are
isolated.
● Configure SwitchA to add outer VLAN 10 to packets entering
Interface1 and outer VLAN 20 to packets entering Interface2.
● Configure SwitchB to add outer VLAN 10 to packets entering
Interface1 and outer VLAN 20 to packets entering Interface2.
● Configure Interface3 on SwitchA and SwitchB to allow packets from VLAN 10
and VLAN 20.

6.3.2 Application of VLAN ID-based Selective QinQ


As shown in Figure 6-5, in a data center, tenants lease office and production
service servers. Production services are transmitted in VLANs 10 to 30, and office
services are transmitted in VLANs 31 to 50. Tenants are located in positions A and
B, and tenant devices are connected through SwitchA and SwitchB of the core/
backbone network. To ensure service security and save VLAN IDs of the core/
backbone network, it is required that traffic in positions A and B be transmitted
through the core/backbone network, users using the same service be allowed to
communicate, and users using different services be isolated. You can configure
VLAN ID-based selective QinQ to meet the requirements.

Figure 6-5 Networking of VLAN ID-based selective QinQ


[Figure: user networks at positions A and B (VLAN10 to VLAN50) attach to
Interface1 of SwitchA and SwitchB; Interface2 of each switch connects to the
core/backbone network. Manufacturing service: VLAN10 to VLAN30; office service:
VLAN31 to VLAN50.]

Table 6-2 shows the planning of outer VLAN IDs.

Table 6-2 VLAN assignment of tenants

Service Name          Range of VLAN IDs    Outer VLAN
Production service    10-30                100
Office service        31-50                200

Configure selective QinQ on SwitchA and SwitchB so that users using the same
service in different branches are allowed to communicate, and users using
different services are isolated.

● On SwitchA, add VLAN 100 to packets that have inner VLAN IDs 10 to 30 and
enter Interface1, and VLAN 200 to packets that have inner VLAN IDs 31 to 50
and enter Interface1.
● On SwitchB, add VLAN 100 to packets that have inner VLAN IDs 10 to 30 and
enter Interface1, and VLAN 200 to packets that have inner VLAN IDs 31 to 50
and enter Interface1.
● Configure Interface2 on SwitchA and SwitchB to allow packets from VLAN 100
and VLAN 200.


6.3.3 Application of MQC-based Selective QinQ


As shown in Figure 6-6, video and data information is stored on the servers. A
user device transmits IPTV and Internet access services, and connects to the
servers through the enterprise backbone network. SwitchB and SwitchC are edge
devices of the enterprise backbone network. To save VLAN IDs on the enterprise
backbone network, traffic needs to be transparently transmitted on the enterprise
backbone network. In addition, IPTV services need to be transmitted only to the
video server and Internet access services only to the data server, so that
different services are differentiated. MQC-based selective QinQ can be
configured on SwitchB and SwitchC to meet the preceding requirements.

Figure 6-6 Networking of MQC-based selective QinQ


[Figure: elements shown are the video server, data server, SwitchA, SwitchB,
enterprise backbone network, SwitchC, SwitchD, IPTV, and PC.]

6.4 Licensing Requirements and Limitations for QinQ

Involved Network Elements


Other network elements are not required.

Licensing Requirements
QinQ is a basic function of the switch, and as such is controlled by the license for
basic software functions. The license for basic software functions has been loaded
and activated before delivery. You do not need to manually activate it.

Version Requirements

Table 6-3 Products and minimum version supporting QinQ

Product                                    Minimum Version Required
CE8860EI                                   V100R006C00
CE8861EI/CE8868EI                          V200R005C10
CE8850-32CQ-EI                             V200R002C50
CE8850-64CQ-EI                             V200R005C00
CE7850EI                                   V100R003C00
CE7855EI                                   V200R001C00
CE6810EI                                   V100R003C00
CE6810-48S4Q-LI/CE6810-48S-LI              V100R003C10
CE6810-32T16S4Q-LI/CE6810-24S2Q-LI         V100R005C10
CE6850EI                                   V100R001C00
CE6850-48S6Q-HI                            V100R005C00
CE6850-48T6Q-HI/CE6850U-HI/CE6851HI        V100R005C10
CE6855HI                                   V200R001C00
CE6856HI                                   V200R002C50
CE6857EI                                   V200R005C10
CE6860EI                                   V200R002C50
CE6865EI                                   V200R005C00
CE6870-24S6CQ-EI                           V200R001C00
CE6870-48S6CQ-EI                           V200R001C00
CE6870-48T6CQ-EI                           V200R002C50
CE6875-48S4CQ-EI                           V200R003C00
CE6880EI                                   V200R002C50
CE5810EI                                   V100R002C00
CE5850EI                                   V100R001C00
CE5850HI                                   V100R003C00
CE5855EI                                   V100R005C10
CE5880EI                                   V200R005C10

NOTE

For details about the mapping between software versions and switch models, see the
Hardware Query Tool.


Feature Limitations
● Selective QinQ based on the VLAN ID can be enabled only on hybrid or trunk
interfaces, and only in the inbound direction.
● The outer VLAN ID must exist and the interface must be added to the outer
VLAN in untagged mode.
● The interface learns the MAC address in the VLAN specified by the outer
VLAN tag of packets.
● The MUX VLAN and selective QinQ based on the VLAN ID cannot be
configured on the same interface.
● If only single-tagged packets from a VLAN need to be transparently
transmitted, do not specify the VLAN as the inner VLAN for selective QinQ.
● If forwarding resources exceed the specifications, VLAN stacking can still be
configured. However, after the device restarts, a VLAN stacking configuration
that was invalid may become valid and one that was valid may become invalid.
● If VLAN stacking is configured on an interface corresponding to the VLAN,
VBST negotiation for this VLAN will fail.
● QinQ cannot be used with features such as DHCP, ARP, and IGMP.
● Starting from V200R003C00, for the CE6875EI and CE6870EI, when original
packets carry two or three VLAN tags and the device is configured with IPv6
VXLAN and VLAN stacking, tags in forwarded packets are incorrect. In this case,
deploy VLAN stacking on the neighboring device.
● The original VLAN specified in the port vlan-stacking command cannot be
the same as the outer VLAN configured on a QinQ Layer 2 sub-interface.
● For the CE6857EI, CE6865EI, CE8861EI, and CE8868EI, no extra VLAN tag can
be added to the original double-tagged packets, even if VLAN stacking is
configured.
● M-LAG cannot be configured together with VLAN Mapping or VLAN Stacking.

6.5 Configuring QinQ

6.5.1 Configuring Basic QinQ

Context
Basic QinQ enables the device to add a public tag to incoming packets so that
user packets can be forwarded on the public network. To separate private
networks from public networks and conserve VLAN resources, configure double
802.1Q tags on QinQ interfaces of the device. Inner VLAN tags are used on
internal networks and outer VLAN tags are used on external networks. QinQ
expands VLAN space to 4094x4094 VLANs and allows packets on different private
networks with the same VLAN IDs to be transparently transmitted.


Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run vlan vlan-id

A VLAN used on the public network is created.

Step 3 Run quit

Exit from the VLAN view.

Step 4 Run interface interface-type interface-number

The interface view is displayed.

The interface can be a physical interface or an Eth-Trunk interface.

Step 5 Run port link-type dot1q-tunnel

The link type of the interface is set to Dot1q-tunnel.

By default, the link type of an interface is access. Dot1q-tunnel interfaces do not
support Layer 2 multicast.

Step 6 Run port default vlan vlan-id

The VLAN ID of the public VLAN tag, that is, the default VLAN of the interface, is
configured.

By default, VLAN 1 is the default VLAN of all interfaces.

Step 7 Run commit

The configuration is committed.

----End

Verifying the Configuration


● Run the display current-configuration interface interface-type interface-
number command to check the QinQ configuration on the interface.

6.5.2 Configuring Selective QinQ


Selective QinQ adds different outer VLAN tags to packets with different inner
VLAN tags on an interface, and is more flexible than basic QinQ.

6.5.2.1 Configuring VLAN ID-based Selective QinQ

Context
Selective QinQ based on the VLAN ID enables the device to add different outer
VLAN tags to received data frames according to VLAN IDs in the frames.


NOTE

● Selective QinQ based on the VLAN ID can be enabled only on hybrid or trunk
interfaces, and only in the inbound direction.
● The outer VLAN ID must exist and the interface must be added to the outer VLAN in
untagged mode.
● The interface learns the MAC address in the VLAN specified by the outer VLAN tag of
packets.
● The MUX VLAN and selective QinQ based on the VLAN ID cannot be configured on the
same interface.
● The original VLAN specified in the port vlan-stacking command cannot be the same as
the outer VLAN configured on a QinQ Layer 2 sub-interface.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run port link-type { hybrid | trunk }
The link type of the interface is configured as hybrid or trunk.
By default, the link type of an interface is access.
Step 4 Add the interface to a VLAN.
Run the following command as required.
● Trunk interface
Run the port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }&<1-40> |
all } command to add the trunk interface to the stacked VLAN.
● Hybrid interface
Run the port hybrid untagged vlan vlan-id command to add the hybrid
interface to the stacked VLAN in untagged mode.
The VLAN ID specified by vlan-id must already exist on the device. The original
VLAN does not need to be created.
Step 5 Run port vlan-stacking vlan vlan-id1 [ to vlan-id2 ] stack-vlan vlan-id3
[ remark-8021p 8021p-value ]
Selective QinQ based on the VLAN ID is configured.


NOTE

If the port vlan-stacking command has been executed at least three times with
specified VLAN ranges and the VLAN ranges are combined at least twice, the
configuration of each command must be committed. Otherwise, packets may be lost.
For example, when the port vlan-stacking vlan 31 to 60 stack-vlan 100, port
vlan-stacking vlan 20 to 30 stack-vlan 100, and port vlan-stacking vlan 61 to 70
stack-vlan 100 commands are used, the VLAN ranges are combined twice, into 20 to
60 and then into 20 to 70. Therefore, commit the configuration of each command.
For the CE6865EI, CE6857EI, CE8861EI, and CE8868EI, the qinq protocol and port
vlan-stacking commands cannot be configured together.

Step 6 Run commit


The configuration is committed.
----End

Verifying the Configuration


● Run the display current-configuration interface interface-type interface-
number command to check the configuration of selective QinQ based on the
VLAN ID on the interface.
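
A candidate configuration file can also be checked offline against the limitations in the NOTE above before it is committed. The following Python sketch is an added example, not Huawei code; the finding names, the audit helper and the sample configuration are constructed for illustration, and the trunk check follows Step 4 of the procedure (the stacked VLAN must be in the allow-pass list).

```python
import re

# Models for which the guide rules out qinq protocol with port vlan-stacking.
NO_TPID_WITH_STACKING = {"CE6865EI", "CE6857EI", "CE8861EI", "CE8868EI"}
STACK_RE = re.compile(r"^port vlan-stacking vlan (\d+)(?: to (\d+))? stack-vlan (\d+)")

def parse_vlan_list(tokens):
    """Expand tokens such as ['10', 'to', '30', '40'] into a set of VLAN IDs."""
    vlans, i = set(), 0
    while i < len(tokens):
        if not tokens[i].isdigit():
            i += 1                                  # skip keywords (batch, all)
        elif tokens[i + 1:i + 2] == ["to"] and i + 2 < len(tokens):
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans

def parse_config(text):
    """Return (created VLAN IDs, {interface name: settings})."""
    vlans, ifaces, cur = set(), {}, None
    for raw in text.splitlines():
        words = raw.split()
        line = " ".join(words)
        if not words:
            continue
        if line in ("#", "return"):
            cur = None                              # '#' closes a stanza
        elif words[0] == "interface" and len(words) > 1:
            cur = ifaces.setdefault("".join(words[1:]), {
                "link_type": "access",              # default per the guide
                "untagged": set(), "allow_pass": set(), "allow_all": False,
                "stacking": [], "tpid": None})
        elif words[:2] == ["vlan", "batch"] or (cur is None and words[0] == "vlan"):
            vlans |= parse_vlan_list(words[1:])     # 'vlan batch ...' or 'vlan <id>'
        elif cur is None:
            continue
        elif words[:2] == ["port", "link-type"] and len(words) == 3:
            cur["link_type"] = words[2]
        elif words[:4] == ["port", "hybrid", "untagged", "vlan"]:
            cur["untagged"] |= parse_vlan_list(words[4:])
        elif words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            cur["allow_all"] = cur["allow_all"] or words[4:] == ["all"]
            cur["allow_pass"] |= parse_vlan_list(words[4:])
        elif words[:2] == ["qinq", "protocol"]:
            cur["tpid"] = " ".join(words[2:])
        elif STACK_RE.match(line):
            first, last, outer = STACK_RE.match(line).groups()
            cur["stacking"].append((int(first), int(last or first), int(outer)))
    return vlans, ifaces

def audit(text, model=None):
    """Return sorted (interface, rule, detail) findings for the QinQ limits."""
    vlans, ifaces = parse_config(text)
    findings = []
    for name, cfg in ifaces.items():
        lt = cfg["link_type"]
        if cfg["stacking"] and lt not in ("hybrid", "trunk"):
            findings.append((name, "LINK_TYPE", f"vlan-stacking on {lt} interface"))
        for _first, _last, outer in cfg["stacking"]:
            if outer not in vlans:
                findings.append((name, "OUTER_VLAN_MISSING", f"VLAN {outer} not created"))
            if lt == "hybrid" and outer not in cfg["untagged"]:
                findings.append((name, "NOT_UNTAGGED", f"not untagged in VLAN {outer}"))
            if lt == "trunk" and not cfg["allow_all"] and outer not in cfg["allow_pass"]:
                findings.append((name, "NOT_ALLOWED", f"VLAN {outer} not in allow-pass"))
        if cfg["tpid"] is not None and lt == "dot1q-tunnel":
            findings.append((name, "TPID_ON_TUNNEL", "qinq protocol on dot1q-tunnel"))
        if cfg["tpid"] is not None and cfg["stacking"] and model in NO_TPID_WITH_STACKING:
            findings.append((name, "TPID_WITH_STACKING", f"not supported on {model}"))
    return sorted(findings)

# Constructed sample: 10GE1/0/1 follows the guide, the other stanzas do not.
SAMPLE_CONFIG = """\
vlan batch 100 200
#
interface 10GE1/0/1
 port link-type hybrid
 port hybrid untagged vlan 100 200
 port vlan-stacking vlan 10 to 30 stack-vlan 100
 port vlan-stacking vlan 31 to 50 stack-vlan 200
#
interface 10GE1/0/4
 port link-type hybrid
 port hybrid untagged vlan 100
 port vlan-stacking vlan 31 to 50 stack-vlan 300
#
interface 10GE1/0/5
 port vlan-stacking vlan 60 stack-vlan 100
#
interface 10GE1/0/6
 port link-type dot1q-tunnel
 qinq protocol 88a8
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep=": ")
```
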

6.5.2.2 Configuring MQC-based Selective QinQ

Context
MQC-based selective QinQ uses a traffic classifier to classify packets based on
VLAN IDs and associates the traffic classifier with a traffic behavior that defines
the action of adding outer VLAN tags, so that the device can add outer VLAN tags
to packets matching the traffic classifier.

NOTE

The CE6870EI and CE6875EI do not support this function.

Procedure
1. Configure a traffic classifier.
a. Run system-view
The system view is displayed.
b. Run traffic classifier classifier-name [ type { and | or } ]
A traffic classifier is created and the traffic classifier view is displayed, or
the view of an existing traffic classifier is displayed.
and is the logical operator between rules in a traffic classifier, which
means that:

▪ If a traffic classifier contains ACL rules, packets match the traffic
classifier only if they match one ACL rule and all the non-ACL rules.
▪ If a traffic classifier does not contain any ACL rules, packets match
the traffic classifier only if they match all the rules in the classifier.
The logical operator or means that packets match a traffic classifier if
they match one or more rules in the classifier.


By default, the relationship between rules in a traffic classifier is or.


c. Run if-match
Matching rules are defined for the traffic classifier.
For details about matching rules in a traffic classifier, see "Configuring a
Traffic Classifier" in "MQC Configuration" of the CloudEngine 8800, 7800,
6800, and 5800 Series Switches Configuration Guide - QoS Configuration
Guide.
d. Run commit
The configuration is committed.
e. Run quit
Exit from the traffic classifier view.
2. Configure a traffic behavior.
a. Run traffic behavior behavior-name
A traffic behavior is created and the traffic behavior view is displayed, or
the view of an existing traffic behavior is displayed.
b. Run vlan-stacking vlan vlan-id
An action of adding an outer VLAN tag is configured in the traffic
behavior.
c. Run commit
The configuration is committed.
d. Run quit
Exit from the traffic behavior view.
e. Run quit
Exit from the system view.
3. Configure a traffic policy.
a. Run system-view
The system view is displayed.
b. Run traffic policy policy-name
A traffic policy is created and the traffic policy view is displayed, or the
view of an existing traffic policy is displayed.
c. Run classifier classifier-name behavior behavior-name [ precedence
precedence-value ]
A traffic behavior is bound to a traffic classifier in the traffic policy.
d. Run commit
The configuration is committed.
e. Run quit
Exit from the traffic policy view.
f. Run quit
Exit from the system view.
4. Apply the traffic policy.


NOTE

● A traffic policy containing vlan-stacking cannot be applied to the outbound
direction.
● For details about the configuration guidelines of applying traffic policies in
different views on the CE switches excluding CE6870EI and CE6875EI, see Licensing
Requirements and Limitations for MQC (CE Switches Excluding the CE6870EI and
CE6875EI).
● For switches excluding the CE5880EI and CE6880EI, run the display traffic-policy
pre-state { global [ slot slot-id ] | interface { interface-type interface-number } |
vlan vlan-id | bridge-domain bd-id } policy-name { inbound | outbound }
command before committing the configuration to check the information about
resources occupied by the traffic policy to be applied and determine whether the
traffic policy can be successfully applied based on the information.
● If a traffic policy needs to be applied to multiple VLANs and interfaces or multiple
traffic classifiers for matching packets from different source IP addresses need to
be bound to the same traffic policy, you are advised to add these VLANs, source IP
addresses, and interfaces to the same QoS group and apply the traffic policy to the
QoS group.
– Applying a traffic policy to an interface
i. Run system-view
The system view is displayed.
ii. Run interface interface-type interface-number
The interface view is displayed.
iii. Run traffic-policy policy-name inbound
A traffic policy is applied to the interface in the inbound direction.
iv. Run commit
The configuration is committed.
– Applying a traffic policy to a VLAN
i. Run system-view
The system view is displayed.
ii. Run vlan vlan-id
The VLAN view is displayed.
iii. Run traffic-policy policy-name inbound
A traffic policy is applied to the VLAN in the inbound direction.
After a traffic policy is applied to a VLAN, the system performs traffic
policing for the packets that come from the VLAN and match traffic
classification rules in the inbound direction.
iv. Run commit
The configuration is committed.
– Applying a traffic policy to the system
i. Run system-view
The system view is displayed.
ii. Run traffic-policy policy-name global [ slot slot-id ] inbound
A traffic policy is applied to the system in the inbound direction.
iii. Run commit


The configuration is committed.


– Applying a traffic policy to a QoS group
i. Run system-view
The system view is displayed.
ii. Run qos group group-name
The QoS group view is displayed.
iii. Run the following commands as required.
○ Run the group-member interface { interface-type interface-
number1 [ to interface-type interface-number2 ] } &<1-8>
command to add interfaces to the QoS group.
○ (For CE5880EI, CE6870EI, CE6875EI and CE6880EI) Run the
group-member vlan { vlan-id1 [ to vlan-id2 ] } &<1-8>
command to add VLANs to the QoS group.
○ (For CE switches excluding the CE6870EI and CE6875EI) Run the
group-member ip source ip-address { mask | mask-length }
command to add source IP addresses to the QoS group.
iv. Run traffic-policy policy-name inbound
A traffic policy is applied to a QoS group.
v. Run commit
The configuration is committed.

Verifying the Configuration


● Run the display traffic classifier [ classifier-name ] command to check the
traffic classifier configuration.
● Run the display traffic behavior [ behavior-name ] command to check the
traffic behavior configuration on the device.
● Run the display traffic policy [ policy-name [ classifier classifier-name ] ]
command to check the traffic policy configuration.
● Run the display traffic-policy applied-record [ policy-name ] [ global [ slot
slot-id ] | interface interface-type interface-number | vlan vlan-id | vpn-
instance vpn-instance-name | qos group group-id | bridge-domain bd-id ]
[ inbound | outbound ] command to check the application records of a
specified traffic policy.
NOTE

The CE6810LI does not support the vpn-instance vpn-instance-name parameter.


The CE5810EI, CE5850EI, CE5850HI, CE5855EI, CE6810LI, CE6810EI, and CE6850EI do
not support the bridge-domain bd-id command.
● Run the display system tcam fail-record [ slot slot-id ] command to display
TCAM delivery failures.
● Run the display system tcam service brief [ slot slot-id ] command to
display the group index and rule count occupied by different services.
● Run the display system tcam service { cpcar slot slot-id | service-name slot
slot-id [ chip chip-id ] } command to display IDs of entries delivered by
services on the specified chip or in the specified slot.


● Run one of the following commands to display data of a traffic policy that
has been applied:
– display system tcam service traffic-policy { global | vlan vlan-id |
interface interface-type interface-number | vpn-instance vpn-instance-
name | qos group group-id | bridge-domain bd-id } policy-name
{ inbound | outbound } [ slot slot-id [ chip chip-id ] ]
NOTE

The CE6810LI does not support the vpn-instance vpn-instance-name parameter.


The CE5810EI, CE5850EI, CE5850HI, CE5855EI, CE6810LI, CE6810EI, and CE6850EI
do not support the bridge-domain bd-id command.
– display system tcam service traffic-policy slot slot-id policy-name
{ inbound | outbound } [ chip chip-id ]
● (Models excluding the CE5880EI, CE6870EI, CE6875EI, and CE6880EI) Run the
display system tcam match-rules slot slot-id [ [ ingress | egress | group
group-id ] | [ delay-time time-value ] ] * command to display matched
entries.
● (For the CE6870EI and CE6875EI) Run the display system tcam match-rules
slot slot-id [ [ ingress | egress | group group-id ] | [ chip chip-id ] ] *
command to display matched entries.
● (For the CE5880EI and CE6880EI) Run the display system tcam match-rules
slot slot-id chip chip-id index index-id command to display matched entries.

6.5.3 Configuring the TPID Value in an Outer VLAN Tag

Context
To enable interoperation between devices from different vendors, set the same
TPID value in outer VLAN tags on the devices. Devices from different vendors or in
different network plans may use different TPID values in VLAN tags of VLAN
packets. To adapt to an existing network plan, the switch supports TPID value
configuration. You can set the TPID value on the switch to be the same as the
TPID value in the network plan to ensure compatibility with the current network.

NOTE

● To implement interoperability with a non-Huawei device, ensure that the protocol type
in the outer VLAN tag added by the switch can be identified by the non-Huawei device.
● The qinq protocol command identifies incoming packets, and adds or changes the TPID
value of outgoing packets.
● For the CE6865EI, CE6857EI, CE8861EI, and CE8868EI, the qinq protocol and port vlan-
stacking commands cannot be configured together.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.


Step 3 Run qinq protocol protocol-id


The protocol type in the outer VLAN tag is set.
The qinq protocol command cannot be used on Dot1q-tunnel interfaces.
The TPID value can be 0x8100, 0x9100, or 0x88a8.
By default, the TPID value in the outer VLAN tag is 0x8100.
Step 4 Run commit
The configuration is committed.
----End
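
What VLAN ID-based selective QinQ and the outer TPID do to a frame on the wire can be shown with a small model. The following Python sketch is an added example, not Huawei code; it uses the inner-to-outer mapping from Table 6-2, and the function names, the sample MAC addresses, and the handling of priority and of unmatched frames are assumptions of the sketch.

```python
import struct

TPID_8021Q = 0x8100
# TPID values the guide lists for the outer tag (qinq protocol).
OUTER_TPIDS = (0x8100, 0x9100, 0x88A8)
# (first inner VLAN, last inner VLAN, outer VLAN), values from Table 6-2.
RULES = [(10, 30, 100), (31, 50, 200)]


def build_tagged_frame(dst, src, vid, pcp=0, payload=None):
    """Build a single-tagged 802.1Q frame carrying a dummy IPv4 payload."""
    if payload is None:
        payload = struct.pack("!H", 0x0800) + bytes(46)  # EtherType + padding
    return dst + src + struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) + payload


def stack_outer_tag(frame, rules=RULES, outer_tpid=TPID_8021Q, remark_8021p=None):
    """Model the ingress action of port vlan-stacking: add an outer tag
    chosen by the inner VLAN ID.

    Assumptions of this sketch: the inner tag uses TPID 0x8100, the outer
    priority is copied from the inner tag unless remark_8021p is given, and
    frames that match no rule are returned without an added tag (what the
    switch then does with them is outside the sketch).
    """
    if outer_tpid not in OUTER_TPIDS:
        raise ValueError("unsupported outer TPID")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return frame                      # untagged: no inner VLAN to match
    inner_vid = tci & 0x0FFF
    for first, last, outer_vid in rules:
        if first <= inner_vid <= last:
            pcp = (tci >> 13) if remark_8021p is None else remark_8021p
            outer = struct.pack("!HH", outer_tpid, (pcp << 13) | outer_vid)
            return frame[:12] + outer + frame[12:]   # outer tag precedes inner
    return frame


def parse_tags(frame, known_tpids=(TPID_8021Q,)):
    """Return ([(tpid, vid), ...], ethertype) as seen by a receiver that
    treats only the values in known_tpids as VLAN tags."""
    tags, offset = [], 12
    while True:
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype not in known_tpids:
            return tags, ethertype
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        tags.append((ethertype, tci & 0x0FFF))
        offset += 4


# Constructed sample addresses (locally administered MACs).
DST = bytes.fromhex("020000000001")
SRC = bytes.fromhex("020000000002")

if __name__ == "__main__":
    # Production (20), office (40) and an unmatched inner VLAN (60).
    for vid in (20, 40, 60):
        out = stack_outer_tag(build_tagged_frame(DST, SRC, vid))
        print(vid, parse_tags(out))
    # Outer TPID 0x88a8: a peer that only knows 0x8100 sees no VLAN tag at
    # all, which is why both ends must agree on the TPID.
    s = stack_outer_tag(build_tagged_frame(DST, SRC, 20), outer_tpid=0x88A8)
    print(parse_tags(s))
    print(parse_tags(s, known_tpids=(0x8100, 0x88A8)))
```
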

6.6 Configuration Examples for QinQ


This section only provides configuration examples for individual features. For
details about multi-feature configuration examples, feature-specific configuration
examples, interoperation examples, protocol or hardware replacement examples,
and industry application examples, see the Typical Configuration Examples.

6.6.1 Example for Configuring Basic QinQ

Networking Requirements
As shown in Figure 6-7, tenant 1 and tenant 2 in a data center are located in
different positions. SwitchA and SwitchB are at the edge of the data center and
connected through the core/backbone network.
The requirements are as follows:
● Tenant 1 and tenant 2 plan their VLANs independently.
● Traffic of the two tenants is transparently transmitted on the core/backbone
network. Devices using the same services in the two branches are allowed to
communicate and devices using different services are isolated.
You can configure QinQ to meet the preceding requirements. VLAN 100 and VLAN
200 provided by the core/backbone network can be used to implement
communication of tenant 1 and tenant 2 respectively.

Figure 6-7 Networking diagram for configuring QinQ

[Figure: on SwitchA and SwitchB, Tenant1 (VLAN10 to VLAN50) attaches to
10GE1/0/1 and Tenant2 (VLAN20 to VLAN60) attaches to 10GE1/0/2; 10GE1/0/3 of
each switch connects to the core/backbone network, which carries VLAN 100 and
VLAN 200.]


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure VLAN 100 and VLAN 200 on both SwitchA and SwitchB, set the link
type of the interfaces connected to tenants to QinQ (dot1q-tunnel), and add
each interface to its VLAN so that a different outer VLAN tag is added for
each tenant.
2. Add interfaces connected to the core/backbone network on SwitchA and
SwitchB to VLAN 100 and VLAN 200 to permit packets from these VLANs to
pass through.

Procedure
Step 1 Create VLANs.
# Create VLAN 100 and VLAN 200 on SwitchA.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[*HUAWEI] commit
[~SwitchA] vlan batch 100 200
[*SwitchA] commit

# Create VLAN 100 and VLAN 200 on SwitchB.


<HUAWEI> system-view
[~HUAWEI] sysname SwitchB
[*HUAWEI] commit
[~SwitchB] vlan batch 100 200
[*SwitchB] commit

Step 2 Set the link type of interfaces to QinQ.


# Configure 10GE1/0/1 and 10GE1/0/2 on SwitchA as QinQ interfaces, and set
outer VLAN tags of 10GE1/0/1 and 10GE1/0/2 to VLAN 100 and VLAN 200
respectively. The configuration of SwitchB is similar to the configuration of
SwitchA, and is not mentioned here.
[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] port link-type dot1q-tunnel
[*SwitchA-10GE1/0/1] port default vlan 100
[*SwitchA-10GE1/0/1] quit
[*SwitchA] interface 10ge 1/0/2
[*SwitchA-10GE1/0/2] port link-type dot1q-tunnel
[*SwitchA-10GE1/0/2] port default vlan 200
[*SwitchA-10GE1/0/2] quit
[*SwitchA] commit

Step 3 Configure the interface connected to the core/backbone network on the switch.
# Add 10GE1/0/3 on SwitchA to VLAN 100 and VLAN 200. The configuration of
SwitchB is similar to the configuration of SwitchA, and is not mentioned here.
[~SwitchA] interface 10ge 1/0/3
[~SwitchA-10GE1/0/3] port link-type trunk
[*SwitchA-10GE1/0/3] port trunk allow-pass vlan 100 200
[*SwitchA-10GE1/0/3] commit
[~SwitchA-10GE1/0/3] quit

Step 4 Verify the configuration.


On a server in a VLAN of tenant 1, ping another server in the same VLAN. The
ping operation succeeds, indicating that devices in tenant 1 can communicate with
each other.


On a server in a VLAN of tenant 2, ping another server in the same VLAN. The
ping operation succeeds, indicating that devices in tenant 2 can communicate with
each other.
On a server in a VLAN of tenant 1, ping a server in the same VLAN of tenant 2.
The ping operation fails, indicating that the tenants are isolated.
----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 200
#
interface 10GE1/0/1
 port link-type dot1q-tunnel
 port default vlan 100
#
interface 10GE1/0/2
 port link-type dot1q-tunnel
 port default vlan 200
#
interface 10GE1/0/3
 port link-type trunk
 port trunk allow-pass vlan 100 200
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 200
#
interface 10GE1/0/1
 port link-type dot1q-tunnel
 port default vlan 100
#
interface 10GE1/0/2
 port link-type dot1q-tunnel
 port default vlan 200
#
interface 10GE1/0/3
 port link-type trunk
 port trunk allow-pass vlan 100 200
#
return

6.6.2 Example for Configuring VLAN ID-based Selective QinQ


Networking Requirements
As shown in Figure 6-8, in a data center, tenants lease office and production
service servers. Production services are transmitted in VLANs 10 to 30, and office
services are transmitted in VLANs 31 to 50. Tenants are located in positions A and
B, and tenant devices are connected through SwitchA and SwitchB of the core/
backbone network. The following requirements need to be met to ensure service
security and save VLAN IDs of the core/backbone network:
● Traffic in positions A and B is transmitted through the core/backbone
network.


● Devices transmitting the same service are allowed to communicate, and
devices transmitting different services are isolated.

Figure 6-8 Networking for configuring VLAN ID-based selective QinQ

[Figure: user networks at positions A and B (VLAN10 to VLAN50) attach to
10GE1/0/1 of SwitchA and SwitchB; 10GE1/0/2 of each switch connects to the
core/backbone network, which carries VLAN100 and VLAN200. Manufacturing service:
VLAN10 to VLAN30; office service: VLAN31 to VLAN50.]

Configuration Roadmap
You can configure VLAN ID-based selective QinQ to meet the preceding
requirements. Production service servers communicate in VLAN 100 and office
service servers communicate in VLAN 200 of the core/backbone network, and
different service servers are isolated.
The configuration roadmap is as follows:
1. Create VLAN 100 and VLAN 200 on SwitchA and SwitchB, and configure
selective QinQ on interfaces of SwitchA and SwitchB so that a different outer
VLAN tag is added to the packets of each service.
2. Add interfaces of SwitchA and SwitchB connected to the core/backbone
network to VLANs so that packets from VLAN 100 and VLAN 200 are allowed
to pass through.

Procedure
Step 1 Create VLANs.
# Create VLAN 100 and VLAN 200 on SwitchA.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[*HUAWEI] commit
[~SwitchA] vlan batch 100 200
[*SwitchA] commit

# Create VLAN 100 and VLAN 200 on SwitchB.


<HUAWEI> system-view
[~HUAWEI] sysname SwitchB
[*HUAWEI] commit
[~SwitchB] vlan batch 100 200
[*SwitchB] commit

Step 2 Configure selective QinQ on interfaces.


# Configure 10GE1/0/1 on SwitchA.
[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] port link-type hybrid
[*SwitchA-10GE1/0/1] port hybrid untagged vlan 100 200
[*SwitchA-10GE1/0/1] port vlan-stacking vlan 10 to 30 stack-vlan 100
[*SwitchA-10GE1/0/1] port vlan-stacking vlan 31 to 50 stack-vlan 200
[*SwitchA-10GE1/0/1] quit
[*SwitchA] commit

# Configure 10GE1/0/1 on SwitchB.


[~SwitchB] interface 10ge 1/0/1
[~SwitchB-10GE1/0/1] port link-type hybrid
[*SwitchB-10GE1/0/1] port hybrid untagged vlan 100 200
[*SwitchB-10GE1/0/1] port vlan-stacking vlan 10 to 30 stack-vlan 100
[*SwitchB-10GE1/0/1] port vlan-stacking vlan 31 to 50 stack-vlan 200
[*SwitchB-10GE1/0/1] quit
[*SwitchB] commit

Step 3 Configure interfaces of SwitchA and SwitchB connected to the core/backbone
network.
# Add 10GE1/0/2 on SwitchA to VLAN 100 and VLAN 200. The configuration of
SwitchB is similar to the configuration of SwitchA, and is not mentioned here.
[~SwitchA] interface 10ge 1/0/2
[~SwitchA-10GE1/0/2] port link-type trunk
[*SwitchA-10GE1/0/2] port trunk allow-pass vlan 100 200
[*SwitchA-10GE1/0/2] commit
[~SwitchA-10GE1/0/2] quit

Step 4 Verify the configuration.


From a production service server in VLANs 10 to 30 in position A, ping a
production service server in the same VLAN in position B. The ping operation
succeeds, indicating that production service servers can communicate with each
other.
From an office service server in VLANs 31 to 50 in position A, ping an office
service server in the same VLAN in position B. The ping operation succeeds,
indicating that office service servers can communicate with each other.
From a production service server in VLANs 10 to 30 in position A, ping an office
service server in VLANs 31 to 50 in position B. The ping operation fails, indicating
that services are isolated.

----End

Configuration Files
● Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100 200
#
interface 10GE1/0/1
 port link-type hybrid
 port hybrid untagged vlan 100 200
 port vlan-stacking vlan 10 to 30 stack-vlan 100
 port vlan-stacking vlan 31 to 50 stack-vlan 200
#
interface 10GE1/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 200
#
return

● Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 100 200
#
interface 10GE1/0/1
 port link-type hybrid
 port hybrid untagged vlan 100 200
 port vlan-stacking vlan 10 to 30 stack-vlan 100
 port vlan-stacking vlan 31 to 50 stack-vlan 200
#
interface 10GE1/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 200
#
return

6.6.3 Example for Configuring MQC-based Selective QinQ

Networking Requirements
As shown in Figure 6-9, servers on a data center network store video and data
information. The MAC addresses of data and video servers are 0003-0003-0003
and 0004-0004-0004 respectively. A school network transmits teachers' office and
multimedia services, and servers are connected through the enterprise backbone
network. The enterprise backbone network allocates VLAN 2 to teachers' office
service and VLAN 3 to multimedia service. SwitchB and SwitchC are edge devices
of the enterprise backbone network.
The requirements are as follows:
● Video and data servers are allocated to different VLANs, so they do not affect
each other.
● Traffic is transparently transmitted on the enterprise backbone network.
Teachers' office service is only transmitted to the data server and multimedia
service is only transmitted to the video server so that services can be
differentiated.
MQC-based selective QinQ can be configured on SwitchB to meet the preceding
requirements.


Figure 6-9 Networking of MQC-based selective QinQ
[Figure not reproduced. SwitchA, SwitchB, SwitchC, and SwitchD are connected in a
line. The data server (VLAN 200) and video server (VLAN 300) attach to SwitchA on
10GE1/0/2 and 10GE1/0/3. SwitchB and SwitchC are the edge devices of the enterprise
backbone network (VLAN 2, 3). The teachers' office (VLAN 200) and multimedia room
(VLAN 300) on the campus attach to SwitchD. An arrow marks the traffic direction.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs on SwitchB and configure SwitchB to add different VLAN tags
to packets of different services.
2. Configure traffic classifiers, traffic behaviors, and bind them in a traffic policy
on SwitchB.
3. Apply the traffic policy to interfaces of SwitchB to implement selective QinQ.

Procedure
Step 1 Create VLANs.
# Create VLAN 200 and VLAN 300 on SwitchA and add interfaces connected to
servers to VLAN 200 and VLAN 300. The configuration of SwitchD is similar to the
configuration of SwitchA, and is not mentioned here.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[*HUAWEI] commit
[~SwitchA] vlan batch 200 300
[*SwitchA] interface 10ge 1/0/2
[*SwitchA-10GE1/0/2] port default vlan 200
[*SwitchA-10GE1/0/2] quit
[*SwitchA] interface 10ge 1/0/3
[*SwitchA-10GE1/0/3] port default vlan 300
[*SwitchA-10GE1/0/3] quit
[*SwitchA] commit

# On SwitchB, create VLAN 2 and VLAN 3, that is, outer VLAN IDs added to
packets.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchB
[*HUAWEI] commit
[~SwitchB] vlan batch 2 3
[*SwitchB] commit

# On SwitchC, create VLAN 2 and VLAN 3.


<HUAWEI> system-view
[~HUAWEI] sysname SwitchC
[*HUAWEI] commit
[~SwitchC] vlan batch 2 3
[*SwitchC] commit

Step 2 Configure traffic classifiers, traffic behaviors, and bind them in a traffic policy on
SwitchB.
[~SwitchB] traffic classifier name1
[*SwitchB-classifier-name1] if-match source-mac 0003-0003-0003
[*SwitchB-classifier-name1] quit
[*SwitchB] traffic behavior name1
[*SwitchB-behavior-name1] vlan-stacking vlan 2
[*SwitchB-behavior-name1] quit
[*SwitchB] traffic classifier name2
[*SwitchB-classifier-name2] if-match source-mac 0004-0004-0004
[*SwitchB-classifier-name2] quit
[*SwitchB] traffic behavior name2
[*SwitchB-behavior-name2] vlan-stacking vlan 3
[*SwitchB-behavior-name2] quit
[*SwitchB] traffic policy name1
[*SwitchB-trafficpolicy-name1] classifier name1 behavior name1
[*SwitchB-trafficpolicy-name1] classifier name2 behavior name2
[*SwitchB-trafficpolicy-name1] quit
[*SwitchB] commit

Step 3 Apply the traffic policy on SwitchB to implement selective QinQ.

# Configure 10GE1/0/1 on SwitchB.


[~SwitchB] interface 10ge 1/0/1
[~SwitchB-10GE1/0/1] port link-type trunk
[*SwitchB-10GE1/0/1] port trunk allow-pass vlan 2 3
[*SwitchB-10GE1/0/1] traffic-policy name1 inbound
[*SwitchB-10GE1/0/1] quit
[*SwitchB] commit

# Configure 10GE1/0/1 on SwitchC.


[~SwitchC] interface 10ge 1/0/1
[~SwitchC-10GE1/0/1] port link-type hybrid
[*SwitchC-10GE1/0/1] port hybrid untagged vlan 2 3
[*SwitchC-10GE1/0/1] quit
[*SwitchC] commit

Step 4 Configure other interfaces.

# Add 10GE 1/0/1 on SwitchA to VLAN 200 and VLAN 300. The configuration of
SwitchD is similar to the configuration of SwitchA, and is not mentioned here.
[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] port link-type trunk
[*SwitchA-10GE1/0/1] port trunk allow-pass vlan 200 300
[*SwitchA-10GE1/0/1] quit
[*SwitchA] commit

# Add 10GE1/0/2 on SwitchB to VLAN 2 and VLAN 3.


[~SwitchB] interface 10ge 1/0/2
[~SwitchB-10GE1/0/2] port link-type trunk
[*SwitchB-10GE1/0/2] port trunk allow-pass vlan 2 3
[*SwitchB-10GE1/0/2] quit
[*SwitchB] commit

# Add 10GE1/0/2 on SwitchC to VLAN 2 and VLAN 3.


[~SwitchC] interface 10ge 1/0/2
[~SwitchC-10GE1/0/2] port link-type hybrid
[*SwitchC-10GE1/0/2] port hybrid untagged vlan 2 3
[*SwitchC-10GE1/0/2] quit
[*SwitchC] commit


Step 5 Verify the configuration.


● Ping a teacher's office PC from the data server. The ping operation succeeds,
indicating that the teacher's office PC can access the data server.
● Ping a PC in the multimedia room from the video server. The ping operation
succeeds, indicating that the PC can access the video server.
Here, the ping to a teacher's office PC from the data server is used as an example.
The data server and teacher's office PC are configured on the same network
segment. For example, the IP address of the data server is 172.16.0.1/16, and the
IP address of the teacher's office PC is 172.16.0.7/16. Assume that the PC runs the
Windows XP operating system.
C:\Documents and Settings\Administrator> ping 172.16.0.7
Pinging 172.16.0.7 with 32 bytes of data:
Reply from 172.16.0.7: bytes=32 time<1ms TTL=128
Reply from 172.16.0.7: bytes=32 time<1ms TTL=128
Reply from 172.16.0.7: bytes=32 time<1ms TTL=128
Reply from 172.16.0.7: bytes=32 time<1ms TTL=128

Ping statistics for 172.16.0.7:


Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 200 300
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 200 300
#
interface 10GE1/0/2
port default vlan 200
#
interface 10GE1/0/3
port default vlan 300
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 2 to 3
#
traffic classifier name1 type or
if-match source-mac 0003-0003-0003 ffff-ffff-ffff
#
traffic classifier name2 type or
if-match source-mac 0004-0004-0004 ffff-ffff-ffff
#
traffic behavior name1
vlan-stacking vlan 2
#
traffic behavior name2
vlan-stacking vlan 3
#
traffic policy name1
classifier name1 behavior name1 precedence 5
classifier name2 behavior name2 precedence 10
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 3
traffic-policy name1 inbound
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return

● SwitchC configuration file


#
sysname SwitchC
#
vlan batch 2 to 3
#
interface 10GE1/0/1
port link-type hybrid
port hybrid untagged vlan 2 to 3
#
interface 10GE1/0/2
port link-type hybrid
port hybrid untagged vlan 2 to 3
#
return

● SwitchD configuration file


#
sysname SwitchD
#
vlan batch 200 300
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 200 300
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 300
#
return


7 VLAN Mapping Configuration

This chapter describes how to configure VLAN mapping. VLAN mapping
technology changes VLAN tags in packets to implement the mapping between
different VLANs.

7.1 Overview of VLAN Mapping
7.2 Understanding VLAN Mapping
7.3 Application Scenarios for VLAN Mapping
7.4 Licensing Requirements and Limitations for VLAN Mapping
7.5 Configuring VLAN Mapping
7.6 Configuration Examples for VLAN Mapping

7.1 Overview of VLAN Mapping

Definition
VLAN mapping technology changes VLAN tags in packets to implement the
mapping between different VLANs.

Purpose
In some scenarios, two Layer 2 user networks in the same VLAN are connected
through the backbone network. To implement Layer 2 connectivity between users
and deploy Layer 2 protocols such as MSTP uniformly, the two user networks need
to seamlessly interwork with each other. In this case, the backbone network needs
to transmit VLAN packets from the user networks. Generally, the VLAN plans of the
backbone network and the user network are different, so the backbone network
cannot directly transmit VLAN packets from a user network.
One method is to configure a Layer 2 tunneling technology such as QinQ or VPLS
to encapsulate VLAN packets into packets on the backbone network so that VLAN
packets are transparently transmitted. However, this method incurs extra cost
because packets are encapsulated. In addition, Layer 2 tunneling technology may
not support transparent transmission of some protocol packets. The
other method is to configure VLAN mapping. When VLAN packets from a user
network enter the backbone network, an edge device on the backbone network
changes the C-VLAN ID to the S-VLAN ID. After the packets are transmitted to the
other side, the edge device changes the S-VLAN ID to the C-VLAN ID. This method
implements seamless interworking between two user networks.
VLAN IDs in two directly connected Layer 2 networks are different because of
different plans. The user needs to manage the two networks as a single Layer 2
network. For example, Layer 2 connectivity and Layer 2 protocols need to be
deployed uniformly. VLAN mapping can be configured on the switch connecting
the two user networks to map VLAN IDs on the two user networks. This
implements Layer 2 connectivity and uniform management.

7.2 Understanding VLAN Mapping

Basic Principles
After receiving a tagged packet, the switch determines whether to replace a single
tag, double tags, or the outer tag in double tags based on the VLAN mapping mode.
Then the switch learns the MAC addresses contained in the packet. Based on the
source MAC address and mapped VLAN ID, the switch updates the MAC address
entries in the VLAN mapping table. Based on the destination MAC address and the
mapped VLAN ID, the switch searches for the MAC address entries. If the
destination MAC address matches no entry, the switch broadcasts the packet in
the specified VLAN; if the destination MAC address matches an entry, the switch
forwards the packet through the corresponding outbound interface.
As shown in Figure 7-1, VLAN mapping between VLAN 2 and VLAN 3 is
configured on Interface1. Before sending packets from VLAN 2 to VLAN 3,
Interface1 replaces the VLAN tags with VLAN 3 tags. When receiving packets from
VLAN 3, Interface1 replaces the VLAN tags with VLAN 2 tags. Then packets are
forwarded according to the Layer 2 forwarding process. This implements
communication between devices in VLAN 2 and VLAN 3.


Figure 7-1 VLAN mapping
[Figure not reproduced. Labels in the figure: SwitchA, SwitchB, Interface1, VLAN2,
VLAN3, packet tags 2 and 3, and host addresses 172.16.0.1/16 and 172.16.0.7/16.]

NOTE

If devices in two VLANs need to communicate through VLAN mapping, the IP addresses of
these devices must be on the same network segment. If IP addresses of these devices are
on different network segments, communication between devices is implemented through
Layer 3 routes. In this case, VLAN mapping is invalid.

Implementation Modes
The device supports VLAN-based and MQC-based VLAN mapping. There are three
VLAN-based VLAN mapping modes:
● 1 to 1 VLAN mapping
When an interface configured with VLAN mapping receives a single-tagged
packet, the interface maps the VLAN tag in the packet to a new VLAN tag.
● 2 to 1 VLAN mapping
When an interface configured with VLAN mapping receives a double-tagged
packet, the interface maps the outer tag of the packet to a specified tag and
transparently transmits the inner tag as the data.
● 2 to 2 VLAN mapping
When an interface configured with VLAN mapping receives a double-tagged
packet, the interface maps the inner and outer VLAN tags in the packet to
new inner and outer VLAN tags.
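
The three VLAN-based modes, shown as tag rewrites on raw frame bytes. This is an added Python example, not Huawei code. It assumes both tags use TPID 0x8100, that a 1 to 1 rule applies to single-tagged frames only (following the wording above), and that PCP/DEI bits are preserved; the function names, rule dictionaries, and frames are constructed for illustration.

```python
import struct

TPID = 0x8100  # 802.1Q TPID; the page requires this value in the inner tag


def split_frame(frame):
    """Return (12-byte MAC header, TCIs of up to two 0x8100 tags, remainder)."""
    tcis, off = [], 12
    while len(tcis) < 2 and len(frame) >= off + 4:
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid != TPID:
            break
        tcis.append(tci)
        off += 4
    return frame[:12], tcis, frame[off:]


def join_frame(macs, tcis, rest):
    """Rebuild a frame from the MAC header, tag TCIs (outer first) and remainder."""
    return macs + b"".join(struct.pack("!HH", TPID, t) for t in tcis) + rest


def vlan_ids(frame):
    """VLAN IDs of the frame's tags, outer tag first."""
    return [t & 0x0FFF for t in split_frame(frame)[1]]


def retag(tci, vid):
    """Swap the 12-bit VLAN ID and keep PCP/DEI (remark-8021p is not modelled)."""
    return (tci & 0xF000) | vid


def apply_mapping(frame, rule):
    """Apply one rule; keys mirror the keywords vlan, inner-vlan, map-vlan, map-inner-vlan."""
    macs, tcis, rest = split_frame(frame)
    vids = [t & 0x0FFF for t in tcis]
    if "inner_vlan" not in rule:
        wanted = [rule["vlan"]]                      # 1 to 1: single-tagged frame
    else:
        wanted = [rule["vlan"], rule["inner_vlan"]]  # 2 to 1 and 2 to 2: double-tagged
    if vids != wanted:
        return frame                                 # no match: left unchanged in this model
    tcis[0] = retag(tcis[0], rule["map_vlan"])
    if "map_inner_vlan" in rule and len(tcis) == 2:  # 2 to 2 also rewrites the inner tag
        tcis[1] = retag(tcis[1], rule["map_inner_vlan"])
    return join_frame(macs, tcis, rest)


def make_frame(vids, pcp=0):
    """Constructed test frame: fixed MACs, the given tags, an IPv4 EtherType and filler."""
    macs = bytes.fromhex("000400040004" "000300030003")
    payload = struct.pack("!H", 0x0800) + b"constructed payload"
    return join_frame(macs, [(pcp << 13) | v for v in vids], payload)


# Constructed rules, one per mode.
ONE_TO_ONE = {"vlan": 5, "map_vlan": 6}
TWO_TO_ONE = {"vlan": 201, "inner_vlan": 2, "map_vlan": 501}
TWO_TO_TWO = {"vlan": 100, "inner_vlan": 10, "map_vlan": 50, "map_inner_vlan": 60}

if __name__ == "__main__":
    for name, rule, vids in (("1 to 1", ONE_TO_ONE, [5]),
                             ("2 to 1", TWO_TO_ONE, [201, 2]),
                             ("2 to 2", TWO_TO_TWO, [100, 10])):
        out = apply_mapping(make_frame(vids), rule)
        print(name, vids, "->", vlan_ids(out))
```

A frame whose inner tag carries a TPID other than 0x8100 is parsed as single-tagged here, so a 2 to 1 or 2 to 2 rule does not match it.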

MQC-based VLAN mapping uses a traffic classifier to classify packets based on
VLAN IDs and associates the traffic classifier with a traffic behavior defining VLAN
mapping so that the device can re-mark the VLAN ID in packets matching the
traffic classifier. MQC-based VLAN mapping implements differentiated services.


7.3 Application Scenarios for VLAN Mapping

VLAN-based VLAN Mapping


● 1 to 1 VLAN mapping
As shown in Figure 7-2, on a data center network, a network administrator
deploys a new branch that is on the same network segment as the
headquarters. However, VLAN IDs in the new branch and headquarters are
inconsistent and VLAN deployment in the headquarters cannot be changed.
To implement communication between the new branch and headquarters,
configure 1 to 1 VLAN mapping on Switch2.

Figure 7-2 Networking of 1 to 1 VLAN mapping
[Figure not reproduced. The new branch (VLAN 5) connects through Switch1 to
Switch2, where 1 to 1 VLAN mapping is performed, and on through Switch3 to the
headquarters (VLAN 6).]

● 2 to 1 VLAN mapping
As shown in Figure 7-3, on a data center network, the office server and
production server are deployed in the old branch, and the servers are
connected to the core network through the access and aggregation switches.
The network administrator deploys a new branch. To save VLAN resources
and isolate different services, configure QinQ on the aggregation switch. To
retain VLAN deployment of core switch Switch5, configure VLAN mapping on
Switch5.


Figure 7-3 Networking of 2 to 1 VLAN mapping
[Figure not reproduced. The old branch and the new branch each have an office
service (VLAN 2) and a production service (VLAN 3) behind access switches Switch1
and Switch2 and aggregation switches Switch3 and Switch4. Core switch Switch5
performs 2 to 1 VLAN mapping and connects to the Internet. Packet labels in the
figure: IP 501 2, IP 502 3, IP 201 2, IP 201 3.]

● 2 to 2 VLAN mapping
As shown in Figure 7-4, two branches of a data center are deployed in
different positions. To save VLAN resources and plan private VLAN IDs in the
data center, QinQ is used. That is, packets from branches to the ISP network
carry double tags. Because VLAN IDs in packets from branches are different
from the VLAN IDs allocated by the ISP network, user packets are discarded.
As a result, communication between branches is interrupted. Configure 2 to 2
VLAN mapping on Switch2 and Switch3 to map double tags on the branch
network to double tags on the ISP network so that branches can
communicate.


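Figure 7-4 Networking of 2 to 2 VLAN mapping
[Figure not reproduced. Branch 1 (outside tag 100, inner tag 10) connects through
Switch1 to Switch2, and Branch 2 (outside tag 200, inner tag 20) connects through
Switch4 to Switch3. Switch2 and Switch3 face the ISP network (outside tag 50,
inner tag 60) and perform 2 to 2 VLAN mapping.]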

MQC-based VLAN Mapping


As shown in Figure 7-5, on a data center network, servers store video and data
information. Users are classified into gold and silver users, and gold and silver
users belong to VLAN 200 and VLAN 300 respectively and access servers through
the enterprise backbone network. The enterprise backbone network allocates
VLAN 2 to gold users and VLAN 3 to silver users. Switch2 and Switch3 are edge
devices of the enterprise backbone network. VLAN IDs planned by the video and
data servers and enterprise backbone network are different. To ensure that gold
users can access the video server and silver users can access the data server,
configure MQC-based VLAN mapping on Switch2 and Switch3.

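Figure 7-5 Networking of MQC-based VLAN mapping
[Figure not reproduced. The video server (VLAN 200) and data server (VLAN 300)
attach to Switch1. Switch2 and Switch3, at the edges of the enterprise backbone
network (VLAN 2 and VLAN 3), perform VLAN mapping. The gold user (VLAN 200) and
silver user (VLAN 300) attach to Switch4. An arrow marks the traffic direction.]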

7.4 Licensing Requirements and Limitations for VLAN Mapping

Involved Network Element


Other network elements are not required.


Licensing Requirements
VLAN mapping is a basic function of the switch, and as such is controlled by the
license for basic software functions. The license for basic software functions has
been loaded and activated before delivery. You do not need to manually activate
it.

Version Requirements

Table 7-1 Products and minimum version supporting VLAN mapping

Product                                  Minimum Version Required
CE8860EI                                 V100R006C00
CE8861EI/CE8868EI                        V200R005C10
CE8850-32CQ-EI                           V200R002C50
CE8850-64CQ-EI                           V200R005C00
CE7850EI                                 V100R003C00
CE7855EI                                 V200R001C00
CE6810EI                                 V100R003C00
CE6810-48S4Q-LI/CE6810-48S-LI            V100R003C10
CE6810-32T16S4Q-LI/CE6810-24S2Q-LI       V100R005C10
CE6850EI                                 V100R003C00
CE6850-48S6Q-HI                          V100R005C00
CE6850-48T6Q-HI/CE6850U-HI/CE6851HI      V100R005C10
CE6855HI                                 V200R001C00
CE6856HI                                 V200R002C50
CE6857EI                                 V200R005C10
CE6860EI                                 V200R002C50
CE6865EI                                 V200R005C00
CE6870-24S6CQ-EI                         V200R001C00
CE6870-48S6CQ-EI                         V200R001C00
CE6870-48T6CQ-EI                         V200R002C50
CE6875-48S4CQ-EI                         V200R003C00
CE6880EI                                 V200R002C50
CE6881, CE6820, CE6863                   V200R005C20
CE6881K                                  V200R019C10
CE6881E                                  V200R019C10
CE6863K                                  V200R019C10
CE5810EI                                 V100R003C00
CE5850EI                                 V100R003C00
CE5850HI                                 V100R003C00
CE5855EI                                 V100R005C10
CE5880EI                                 V200R005C10
CE5881                                   V200R020C00

NOTE

For details about the mapping between software versions and switch models, see the
Hardware Query Tool.

Feature Limitations
● VLAN-based VLAN mapping can only be configured on a trunk or hybrid
interface, and the interface must be added to the VLAN after mapping in
tagged mode.
● When an interface receives double-tagged packets, the TPID in the inner tag
must be 0x8100. Otherwise, mapping of the inner tag does not take effect.
● Before configuring VLAN-based VLAN mapping, do not enable TRILL on the
interface.
● If forwarding resources exceed the specifications, VLAN mapping can be
configured. However, after the device restarts, the invalid VLAN mapping
configuration may become valid and valid VLAN mapping configuration may
become invalid.
● If VLAN mapping is configured on an interface corresponding to the VLAN,
VBST negotiation for this VLAN will fail.
● The CE6870EI and CE6875EI support 1 to 1 VLAN mapping and do not
support MQC-based VLAN mapping.
● VLAN mapping cannot be used with IGMP or IGMP snooping.
● Starting from V200R003C00, for the CE6875EI and CE6870EI, when original
packets carry three VLAN tags and the device is configured with IPv6 VXLAN
and VLAN mapping, tags in forwarded packets are incorrect. Please deploy
VLAN mapping on the neighboring device.
● DHCP snooping can only be configured with 1-to-1 VLAN mapping.
● If a traffic classifier references an ACL rule that matches the outer VLAN ID
and the VLAN mapping function is configured:


– For the CE6870EI and CE6875EI: The translated VLAN ID after VLAN
mapping is matched in the inbound direction, and the original VLAN ID
before VLAN mapping is matched in the outbound direction.
– For other models: The translated VLAN ID after VLAN mapping is
matched in both the inbound and outbound directions.
● M-LAG cannot be configured together with VLAN Mapping or VLAN Stacking.

7.5 Configuring VLAN Mapping

7.5.1 Configuring VLAN-based VLAN Mapping

Context
VLAN mapping allows an interface to map the single VLAN tag, double VLAN
tags, or outer VLAN tag in double VLAN tags in received single-tagged or double-
tagged packets to the public VLAN tag or tags.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Configure the link type of the interface as trunk or hybrid.
NOTE

● VLAN mapping can only be configured on a trunk or hybrid interface. The interface
must be added to the VLAN after mapping in tagged mode.
● When 2 to 1 or 2 to 2 VLAN mapping is configured, the VLAN ID allowed by the
interface enabled with VLAN mapping must be the outer VLAN ID.
● On the CE5810EI, if remark-8021p 8021p-value is specified, 7.5.2 Configuring MQC-
based VLAN Mapping is recommended. Do not configure 2 to 1 or 2 to 2 VLAN
mapping in this situation.

Run either of the following commands as needed:


● Set the link type of the interface to trunk.
a. Run port link-type trunk
The link type of the interface is set to trunk.
b. Run port trunk allow-pass vlan { vlan-id1 [ to vlan-id2 ] } &<1-40>
The VLAN allowed by the interface configured with VLAN mapping is
specified. Here, the VLAN is the one after VLAN mapping.
● Set the link type of the interface to hybrid.
a. Run port link-type hybrid
The link type of the interface is set to hybrid.

b. Run port hybrid tagged vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
The VLAN allowed by the interface configured with VLAN mapping is
specified. Here, the VLAN is the one after VLAN mapping.

Step 4 Configure VLAN mapping. (CE6870EI and CE6875EI only support 1 to 1 VLAN
mapping.)

Run the following command as required.

NOTE

If the trill enable command has been executed, delete the trill enable command
configuration before running the port vlan-mapping command.
● Configure 1 to 1 VLAN mapping.
Run port vlan-mapping vlan vlan-id1 map-vlan vlan-id3 [ remark-8021p
8021p-value ]
The interface is configured to map a single tag of packets to a specified tag.
● Configure 2 to 1 VLAN mapping.
Run port vlan-mapping vlan vlan-id1 inner-vlan vlan-id2 map-vlan vlan-id3
[ remark-8021p 8021p-value ]
The interface is configured to map the outer VLAN tag in double-tagged
packets to a specified tag and to transparently transmit the inner VLAN tag.
● Configure 2 to 2 VLAN mapping.
Run port vlan-mapping vlan vlan-id1 inner-vlan vlan-id2 map-vlan vlan-id3
map-inner-vlan vlan-id4 [ remark-8021p 8021p-value ]
The interface is configured to map double tags of packets to specified double
tags.

Step 5 Run commit

The configuration is committed.

----End

Verifying the Configuration


● Run the display vlan vlan-id command to check whether the interface is
added to the VLAN specified by the mapped public VLAN ID.
● Run the display current-configuration command to check the VLAN
mapping configuration on an interface.
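
A configuration audit for the constraints stated in this section, as an added Python example that is not part of the Huawei guide. It reads text in the layout of the "Configuration Files" listings and reports interfaces whose port vlan-mapping lines are not backed by a trunk or hybrid link type, by tagged membership of the mapped VLAN, or that also carry trill enable. The sample configuration is constructed, the function names are hypothetical, and an interface without a port link-type line is reported because the audit cannot confirm trunk or hybrid.

```python
import re

MAPPING = re.compile(r"port vlan-mapping vlan (\d+)(?: inner-vlan (\d+))? map-vlan (\d+)")


def expand_vlans(tokens):
    """Expand ['2', 'to', '4', '10'] into {2, 3, 4, 10}; 'all' means VLAN 1-4094."""
    vlans, i = set(), 0
    while i < len(tokens):
        if tokens[i] == "all":
            return set(range(1, 4095))
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(start, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(start)
            i += 1
    return vlans


def parse_interfaces(config):
    """Return {interface name: [command lines]} from a configuration file."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line in ("#", "return") or not line:
            current = None
        elif current is not None:
            current.append(line)
    return interfaces


def audit(config):
    """Return a list of (interface, finding) tuples in configuration order."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        mapped = [int(m.group(3)) for m in map(MAPPING.match, lines) if m]
        if not mapped:
            continue
        if "trill enable" in lines:
            findings.append((name, "trill enable is present together with port vlan-mapping"))
        link = next((l.split()[-1] for l in lines if l.startswith("port link-type ")), None)
        if link not in ("trunk", "hybrid"):
            findings.append((name, f"link type {link or 'unset'} is not trunk or hybrid"))
            continue
        prefix = "port trunk allow-pass vlan " if link == "trunk" else "port hybrid tagged vlan "
        tagged = set()
        for l in lines:
            if l.startswith(prefix):
                tagged |= expand_vlans(l[len(prefix):].split())
        for vid in sorted(set(mapped) - tagged):
            findings.append((name, f"map-vlan {vid} is not carried tagged on the interface"))
    return findings


# Constructed sample: 10GE1/0/1 is correct, the other three each break one rule.
SAMPLE_CONFIG = """
#
sysname Switch2
#
vlan batch 6 50
#
interface 10GE1/0/1
 port link-type trunk
 port trunk allow-pass vlan 6
 port vlan-mapping vlan 5 map-vlan 6
#
interface 10GE1/0/2
 port link-type trunk
 port trunk allow-pass vlan 5
 port vlan-mapping vlan 5 map-vlan 6
#
interface 10GE1/0/3
 port link-type hybrid
 port hybrid untagged vlan 50
 port vlan-mapping vlan 100 inner-vlan 10 map-vlan 50 map-inner-vlan 60
#
interface 10GE1/0/4
 port default vlan 6
 trill enable
 port vlan-mapping vlan 5 map-vlan 6
#
return
"""

if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

The 10GE1/0/2 case is the common mistake: the interface allows the VLAN before mapping (5) instead of the VLAN after mapping (6).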

7.5.2 Configuring MQC-based VLAN Mapping

Context
MQC-based VLAN mapping uses a traffic classifier to classify packets based on
VLAN IDs and associates the traffic classifier with a traffic behavior defining VLAN
mapping so that the device can re-mark the VLAN ID in packets matching the
traffic classifier.


NOTE

The CE6870EI and CE6875EI do not support this function.

Procedure
1. Configure a traffic classifier.
a. Run system-view
The system view is displayed.
b. Run traffic classifier classifier-name [ type { and | or } ]
A traffic classifier is created and the traffic classifier view is displayed, or
the view of an existing traffic classifier is displayed.
and is the logical operator between rules in a traffic classifier, which
means that:

▪ If a traffic classifier contains ACL rules, packets match the traffic
classifier only if they match one ACL rule and all the non-ACL rules.

▪ If a traffic classifier does not contain any ACL rules, packets match
the traffic classifier only if they match all the rules in the classifier.
The logical operator or means that packets match a traffic classifier if
they match one or more rules in the classifier.
By default, the relationship between rules in a traffic classifier is or.
c. Run if-match
Matching rules are defined for the traffic classifier.
For details about matching rules in a traffic classifier, see "Configuring a
Traffic Classifier" in "MQC Configuration" of the CloudEngine 8800, 7800,
6800, and 5800 Series Switches Configuration Guide - QoS Configuration
Guide.
d. Run commit
The configuration is committed.
e. Run quit
Exit from the traffic classifier view.
2. Configure a traffic behavior.
a. Run traffic behavior behavior-name
A traffic behavior is created and the traffic behavior view is displayed, or
the view of an existing traffic behavior is displayed.
b. Run vlan-mapping vlan vlan-id
The interface is configured to replace the outer VLAN tag in packets.
c. (Optional) Run vlan-mapping inner-vlan inner-vlan-id
The interface is configured to replace the inner VLAN tag in packets.
d. Run commit
The configuration is committed.
e. Run quit
Exit from the traffic behavior view.


f. Run quit
Exit from the system view.
3. Configure a traffic policy.
a. Run system-view
The system view is displayed.
b. Run traffic policy policy-name
A traffic policy is created and the traffic policy view is displayed, or the
view of an existing traffic policy is displayed.
c. Run classifier classifier-name behavior behavior-name [ precedence
precedence-value ]
A traffic behavior is bound to a traffic classifier in the traffic policy.
d. Run commit
The configuration is committed.
e. Run quit
Exit from the traffic policy view.
f. Run quit
Exit from the system view.
4. Apply the traffic policy.
NOTE

● For details about the configuration guidelines of applying traffic policies in
different views on the CE switches excluding CE6870EI and CE6875EI, see Licensing
Requirements and Limitations for MQC (CE Switches Excluding the CE6870EI and
CE6875EI).
– Applying a traffic policy to an interface
i. Run system-view
The system view is displayed.
ii. Run interface interface-type interface-number
The interface view is displayed.
iii. Run traffic-policy policy-name { inbound | outbound }
A traffic policy is applied to the interface.
iv. Run commit
The configuration is committed.
– Applying a traffic policy to a VLAN
i. Run system-view
The system view is displayed.
ii. Run vlan vlan-id
The VLAN view is displayed.
iii. Run traffic-policy policy-name { inbound | outbound }
A traffic policy is applied to the VLAN.
The system applies traffic policing to the packets that belong to the
VLAN and match traffic classification rules in the inbound or
outbound direction.

iv. Run commit
The configuration is committed.
– Applying a traffic policy to the system
i. Run system-view
The system view is displayed.
ii. Run traffic-policy policy-name global [ slot slot-id ] { inbound |
outbound }
A traffic policy is applied to the system.
iii. Run commit
The configuration is committed.
– Applying a traffic policy to a QoS group
i. Run system-view
The system view is displayed.
ii. Run qos group group-name
The QoS group view is displayed.
iii. Run the following commands as required:
○ Run the group-member interface { interface-type interface-
number1 [ to interface-type interface-number2 ] } &<1-8>
command to add interfaces to the QoS group.
○ Run the group-member vlan { vlan-id1 [ to vlan-id2 ] } &<1-8>
command to add VLANs to the QoS group.
○ Run the group-member ip source ip-address { mask | mask-
length } command to add source IP addresses to the QoS group.
iv. Run traffic-policy policy-name [ inbound | outbound ]
A traffic policy is applied to the QoS group.
v. Run commit
The configuration is committed.
– Applying a traffic policy to a BD
i. Run system-view
The system view is displayed.
ii. Run bridge-domain bd-id
The BD view is displayed.
iii. Run traffic-policy policy-name outbound
A traffic policy is applied to the BD.
iv. Run commit
The configuration is committed.
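
The and/or classifier logic from step 1, together with the SwitchB selective QinQ policy from 6.6.3, as an added Python model that is not Huawei code. It assumes that bindings are tried in ascending precedence value and that only the first matching classifier's behavior is applied; packets are plain dictionaries, and the helper names, the and-type classifier, and the packets are constructed for illustration.

```python
def source_mac(mac, mask="ffff-ffff-ffff"):
    """Non-ACL rule in the style of: if-match source-mac <mac> <mask>."""
    m, k = (int(x.replace("-", ""), 16) for x in (mac, mask))
    return ("other", lambda pkt: int(pkt["src_mac"].replace("-", ""), 16) & k == m & k)


def outer_vlan(vid):
    """Non-ACL rule (hypothetical helper) matching the outer VLAN ID."""
    return ("other", lambda pkt: pkt["vlans"][:1] == [vid])


def acl_rule(predicate):
    """Stand-in for an ACL-based matching rule."""
    return ("acl", predicate)


def classifier_matches(classifier, pkt):
    """Evaluate the rules with the page's 'or' (default) and 'and' semantics."""
    hits = [(kind, pred(pkt)) for kind, pred in classifier["rules"]]
    if not hits:
        return False
    if classifier.get("type", "or") == "or":
        return any(hit for _, hit in hits)          # one or more rules match
    acl = [hit for kind, hit in hits if kind == "acl"]
    other = [hit for kind, hit in hits if kind != "acl"]
    # 'and': one ACL rule (if any exist) plus all the non-ACL rules
    return (any(acl) if acl else True) and all(other)


def apply_behavior(behavior, pkt):
    """Apply vlan-stacking (push outer tag) or vlan-mapping (replace tags)."""
    vlans = list(pkt["vlans"])                      # outer tag first
    if "vlan-stacking" in behavior:
        vlans.insert(0, behavior["vlan-stacking"])
    if "vlan-mapping" in behavior and vlans:
        vlans[0] = behavior["vlan-mapping"]
    if "vlan-mapping-inner" in behavior and len(vlans) > 1:
        vlans[1] = behavior["vlan-mapping-inner"]
    return {**pkt, "vlans": vlans}


def apply_policy(policy, pkt):
    """policy is a list of (precedence, classifier, behavior) bindings."""
    for _, classifier, behavior in sorted(policy, key=lambda binding: binding[0]):
        if classifier_matches(classifier, pkt):
            return apply_behavior(behavior, pkt)    # assumption: first match wins
    return pkt


# SwitchB policy name1 from 6.6.3 (values taken from its configuration file).
SELECTIVE_QINQ = [
    (5, {"type": "or", "rules": [source_mac("0003-0003-0003")]}, {"vlan-stacking": 2}),
    (10, {"type": "or", "rules": [source_mac("0004-0004-0004")]}, {"vlan-stacking": 3}),
]

# Constructed 'and' classifier: two ACL-style rules and one non-ACL rule.
AND_CLASSIFIER = {"type": "and", "rules": [
    acl_rule(lambda pkt: pkt["src_ip"].startswith("172.16.")),
    acl_rule(lambda pkt: pkt["src_ip"].startswith("10.")),
    outer_vlan(200),
]}

if __name__ == "__main__":
    data = {"src_mac": "0003-0003-0003", "vlans": [200]}
    video = {"src_mac": "0004-0004-0004", "vlans": [300]}
    print(apply_policy(SELECTIVE_QINQ, data)["vlans"])    # outer 2 stacked on 200
    print(apply_policy(SELECTIVE_QINQ, video)["vlans"])   # outer 3 stacked on 300
    pkt = {"src_mac": "0005-0005-0005", "src_ip": "10.1.1.1", "vlans": [200]}
    print(classifier_matches(AND_CLASSIFIER, pkt))        # one ACL rule + the VLAN rule
```

With type and, the packet from 10.1.1.1 matches even though it fails the first ACL-style rule, because only one ACL rule has to match while every non-ACL rule must.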

Verifying the Configuration


● Run the display traffic classifier [ classifier-name ] command to check the
traffic classifier configuration.
● Run the display traffic behavior [ behavior-name ] command to check the
traffic behavior configuration on the device.

● Run the display traffic policy [ policy-name [ classifier classifier-name ] ]
command to check the traffic policy configuration.
● Run the display traffic-policy applied-record [ policy-name ] [ global [ slot
slot-id ] | interface interface-type interface-number | vlan vlan-id | vpn-
instance vpn-instance-name | qos group group-id | bridge-domain bd-id ]
[ inbound | outbound ] command to check the application records of a
specified traffic policy.
NOTE

The CE6810LI does not support the vpn-instance vpn-instance-name parameter.
The CE5810EI, CE5850EI, CE5850HI, CE5855EI, CE6810LI, CE6810EI, and CE6850EI do
not support the bridge-domain bd-id command.
● Run the display system tcam fail-record [ slot slot-id ] command to display
TCAM delivery failures.
● Run the display system tcam service brief [ slot slot-id ] command to
display the group index and rule count occupied by different services.
● Run the display system tcam service { cpcar slot slot-id | service-name slot
slot-id [ chip chip-id ] } command to display IDs of entries delivered by
services on the specified chip or in the specified slot.
● Run one of the following commands to display data of a traffic policy that
has been applied:
– display system tcam service traffic-policy { global | vlan vlan-id |
interface interface-type interface-number | vpn-instance vpn-instance-
name | qos group group-id | bridge-domain bd-id } policy-name
{ inbound | outbound } [ slot slot-id [ chip chip-id ] ]
NOTE

The CE6810LI does not support the vpn-instance vpn-instance-name parameter.
The CE5810EI, CE5850EI, CE5850HI, CE5855EI, CE6810LI, CE6810EI, and CE6850EI
do not support the bridge-domain bd-id command.
– display system tcam service traffic-policy slot slot-id policy-name
{ inbound | outbound } [ chip chip-id ]
● (For the CE6870EI and CE6875EI) Run the display system tcam match-rules
slot slot-id [ [ ingress | egress | group group-id ] | [ chip chip-id ] ] *
command to display matched entries.

7.6 Configuration Examples for VLAN Mapping


This section only provides configuration examples for individual features. For
details about multi-feature configuration examples, feature-specific configuration
examples, interoperation examples, protocol or hardware replacement examples,
and industry application examples, see the Typical Configuration Examples.


7.6.1 Example for Configuring VLAN-based 1 to 1 VLAN Mapping

Networking Requirements
As shown in Figure 7-6, on a data center network, as services increase, the
network administrator plans a new branch that belongs to VLAN 5. The
headquarters belongs to VLAN 6, and the headquarters and branch belong to the
same network segment. The new branch needs to communicate with the
headquarters.

Figure 7-6 Networking for configuring 1 to 1 VLAN mapping
(Figure not reproduced. Labels: headquarters, VLAN 6, Server3 and Server4; Switch3; Switch2; Switch1; new branch, VLAN 5, Server1 and Server2; 1 to 1 VLAN mapping.)

Configuration Roadmap
The configuration roadmap is as follows:

1. Add the downlink interface on Switch1 connected to the new branch to VLAN
5.
2. Configure 1 to 1 VLAN mapping on Switch2 to implement communication
between the new branch and headquarters.


Procedure
Step 1 Add the downlink interfaces on Switch1 to VLAN 5 and configure the uplink
interface to allow VLAN 5.
<HUAWEI> system-view
[~HUAWEI] sysname Switch1
[*HUAWEI] commit
[~Switch1] vlan 5
[*Switch1-vlan5] quit
[*Switch1] interface 10ge 1/0/1
[*Switch1-10GE1/0/1] port default vlan 5
[*Switch1-10GE1/0/1] quit
[*Switch1] interface 10ge 1/0/2
[*Switch1-10GE1/0/2] port default vlan 5
[*Switch1-10GE1/0/2] quit
[*Switch1] interface 10ge 1/0/3
[*Switch1-10GE1/0/3] port link-type trunk
[*Switch1-10GE1/0/3] port trunk allow-pass vlan 5
[*Switch1-10GE1/0/3] quit
[*Switch1] commit

Step 2 Configure VLAN mapping on Switch2.


<HUAWEI> system-view
[~HUAWEI] sysname Switch2
[*HUAWEI] commit
[~Switch2] vlan 6
[*Switch2-vlan6] quit
[*Switch2] interface 10ge 1/0/1
[*Switch2-10GE1/0/1] port link-type trunk
[*Switch2-10GE1/0/1] port trunk allow-pass vlan 6
[*Switch2-10GE1/0/1] port vlan-mapping vlan 5 map-vlan 6
[*Switch2-10GE1/0/1] quit
[*Switch2] interface 10ge 1/0/2
[*Switch2-10GE1/0/2] port link-type trunk
[*Switch2-10GE1/0/2] port trunk allow-pass vlan 6
[*Switch2-10GE1/0/2] quit
[*Switch2] commit

Step 3 Configure Layer 2 forwarding on Switch3.


<HUAWEI> system-view
[~HUAWEI] sysname Switch3
[*HUAWEI] commit
[~Switch3] vlan 6
[*Switch3-vlan6] quit
[*Switch3] interface 10ge 1/0/1
[*Switch3-10GE1/0/1] port link-type trunk
[*Switch3-10GE1/0/1] port trunk allow-pass vlan 6
[*Switch3-10GE1/0/1] quit
[*Switch3] commit

Step 4 Verify the configuration.


Configure servers in the new branch and headquarters on the same network
segment. For example, configure IP addresses 172.16.0.1/16 and 172.16.0.7/16 for
servers in the new branch and headquarters respectively so that the new branch
can communicate with the headquarters. This example pings Server3 in the
headquarters from Server1 in the new branch.
<Server1> ping 172.16.0.7
Pinging 172.16.0.7 with 32 bytes of data:
Reply from 172.16.0.7: bytes=32 time<1ms TTL=128
Reply from 172.16.0.7: bytes=32 time<1ms TTL=128
Reply from 172.16.0.7: bytes=32 time<1ms TTL=128
Reply from 172.16.0.7: bytes=32 time<1ms TTL=128

Ping statistics for 172.16.0.7:


Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

----End

Configuration Files
● Configuration file of Switch1
#
sysname Switch1
#
vlan batch 5
#
interface 10GE1/0/1
port default vlan 5
#
interface 10GE1/0/2
port default vlan 5
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 5
#
return
● Configuration file of Switch2
#
sysname Switch2
#
vlan batch 6
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 6
port vlan-mapping vlan 5 map-vlan 6
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 6
#
return
● Configuration file of Switch3
#
sysname Switch3
#
vlan batch 6
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 6
#
return

7.6.2 Example for Configuring VLAN-based 2 to 1 VLAN Mapping

Networking Requirements
As shown in Figure 7-7, on a data center network, the office server and
production server in the old branch belong to VLAN 2 and VLAN 3 respectively,
and the servers are connected to the core network through the access and
aggregation switches. The network administrator plans a new branch, whose office
server and production server also belong to VLAN 2 and VLAN 3 respectively.
Devices transmitting the same service in the old and new branches are located on
the same network segment. To ensure that servers of the same service can
communicate while servers of different services are isolated, and to save VLAN
resources, configure QinQ on the aggregation switches. To retain the VLAN
deployment of the core switch, configure VLAN mapping on the core switch.

Figure 7-7 Networking for configuring 2 to 1 VLAN mapping
(Figure not reproduced. Labels: Internet; core switch Switch5; aggregation switches Switch3 and Switch4; access switches Switch1 and Switch2; office service server1 (VLAN 2) and production service server3 (VLAN 3); office service server2 (VLAN 2) and production service server4 (VLAN 3); 2 to 1 VLAN mapping.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Add interfaces on Switch1 and Switch2 connected to servers to VLANs.
2. Deploy QinQ on Switch3 and Switch4 to save VLAN resources.
3. Configure 2 to 1 VLAN mapping on Switch5 so that the same service can be
transmitted and different services are isolated in old and new branches.


Procedure
Step 1 Add downlink interfaces on Switch1 and Switch2 to VLANs and configure the
uplink interfaces to allow the VLANs.
# Configure Switch1.
<HUAWEI> system-view
[~HUAWEI] sysname Switch1
[*HUAWEI] commit
[~Switch1] vlan batch 2 3
[*Switch1] interface 10ge 1/0/1
[*Switch1-10GE1/0/1] port default vlan 2
[*Switch1-10GE1/0/1] quit
[*Switch1] interface 10ge 1/0/2
[*Switch1-10GE1/0/2] port default vlan 3
[*Switch1-10GE1/0/2] quit
[*Switch1] interface 10ge 1/0/3
[*Switch1-10GE1/0/3] port link-type trunk
[*Switch1-10GE1/0/3] port trunk allow-pass vlan 2 3
[*Switch1-10GE1/0/3] quit
[*Switch1] commit

# Configure Switch2.
<HUAWEI> system-view
[~HUAWEI] sysname Switch2
[*HUAWEI] commit
[~Switch2] vlan batch 2 3
[*Switch2] interface 10ge 1/0/1
[*Switch2-10GE1/0/1] port default vlan 2
[*Switch2-10GE1/0/1] quit
[*Switch2] interface 10ge 1/0/2
[*Switch2-10GE1/0/2] port default vlan 3
[*Switch2-10GE1/0/2] quit
[*Switch2] interface 10ge 1/0/3
[*Switch2-10GE1/0/3] port link-type trunk
[*Switch2-10GE1/0/3] port trunk allow-pass vlan 2 3
[*Switch2-10GE1/0/3] quit
[*Switch2] commit

Step 2 Configure QinQ on Switch3 and Switch4.


# Configure the type of 10GE1/0/1 on Switch3 as QinQ and the outer VLAN tag as
VLAN 201.
<HUAWEI> system-view
[~HUAWEI] sysname Switch3
[*HUAWEI] commit
[~Switch3] vlan batch 201
[*Switch3] interface 10ge 1/0/1
[*Switch3-10GE1/0/1] port link-type dot1q-tunnel
[*Switch3-10GE1/0/1] port default vlan 201
[*Switch3-10GE1/0/1] quit
[*Switch3] interface 10ge 1/0/2
[*Switch3-10GE1/0/2] port link-type trunk
[*Switch3-10GE1/0/2] port trunk allow-pass vlan 201
[*Switch3-10GE1/0/2] quit
[*Switch3] commit

# Configure the type of 10GE1/0/1 on Switch4 as QinQ and the outer VLAN tag as
VLAN 201.
<HUAWEI> system-view
[~HUAWEI] sysname Switch4
[*HUAWEI] commit
[~Switch4] vlan batch 201
[*Switch4] interface 10ge 1/0/1
[*Switch4-10GE1/0/1] port link-type dot1q-tunnel
[*Switch4-10GE1/0/1] port default vlan 201
[*Switch4-10GE1/0/1] quit
[*Switch4] interface 10ge 1/0/2
[*Switch4-10GE1/0/2] port link-type trunk
[*Switch4-10GE1/0/2] port trunk allow-pass vlan 201
[*Switch4-10GE1/0/2] quit
[*Switch4] commit

Step 3 Configure VLAN mapping on Switch5.


<HUAWEI> system-view
[~HUAWEI] sysname Switch5
[*HUAWEI] commit
[~Switch5] vlan batch 501 502
[*Switch5] interface 10ge 1/0/1
[*Switch5-10GE1/0/1] port link-type trunk
[*Switch5-10GE1/0/1] port trunk allow-pass vlan 501 502
[*Switch5-10GE1/0/1] port vlan-mapping vlan 201 inner-vlan 2 map-vlan 501
[*Switch5-10GE1/0/1] port vlan-mapping vlan 201 inner-vlan 3 map-vlan 502
[*Switch5-10GE1/0/1] quit
[*Switch5] interface 10ge 1/0/2
[*Switch5-10GE1/0/2] port link-type trunk
[*Switch5-10GE1/0/2] port trunk allow-pass vlan 501 502
[*Switch5-10GE1/0/2] port vlan-mapping vlan 201 inner-vlan 2 map-vlan 501
[*Switch5-10GE1/0/2] port vlan-mapping vlan 201 inner-vlan 3 map-vlan 502
[*Switch5-10GE1/0/2] quit
[*Switch5] interface 10ge 1/0/3
[*Switch5-10GE1/0/3] port link-type trunk
[*Switch5-10GE1/0/3] port trunk allow-pass vlan 501 502
[*Switch5-10GE1/0/3] quit
[*Switch5] commit

Step 4 Verify the configuration.


● Configure office server Server1 in the new branch and office server Server2 in
the old branch on the same network segment. For example, configure IP
addresses 172.16.0.1/24 and 172.16.0.2/24 for Server1 and Server2
respectively.
● Configure production server Server3 in the new branch and production server
Server4 in the old branch on the same network segment. For example,
configure IP addresses 172.16.1.1/24 and 172.16.1.2/24 for Server3 and
Server4 respectively.
Server1 and Server2, and Server3 and Server4 can communicate, and Server1
and Server2 are isolated from Server3 and Server4.
This example pings Server2 in the old branch from Server1 in the new branch.
<Server1> ping 172.16.0.2
Pinging 172.16.0.2 with 32 bytes of data:
Reply from 172.16.0.2: bytes=32 time<1ms TTL=128
Reply from 172.16.0.2: bytes=32 time<1ms TTL=128
Reply from 172.16.0.2: bytes=32 time<1ms TTL=128
Reply from 172.16.0.2: bytes=32 time<1ms TTL=128

Ping statistics for 172.16.0.2:


Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

This example pings Server4 in the old branch from Server1 in the new branch.
<Server1> ping 172.16.1.2
Pinging 172.16.1.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.16.1.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

----End

Configuration Files
● Configuration file of Switch1
#
sysname Switch1
#
vlan batch 2 to 3
#
interface 10GE1/0/1
port default vlan 2
#
interface 10GE1/0/2
port default vlan 3
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return

● Configuration file of Switch2


#
sysname Switch2
#
vlan batch 2 to 3
#
interface 10GE1/0/1
port default vlan 2
#
interface 10GE1/0/2
port default vlan 3
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return

● Configuration file of Switch3


#
sysname Switch3
#
vlan batch 201
#
interface 10GE1/0/1
port link-type dot1q-tunnel
port default vlan 201
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 201
#
return

● Configuration file of Switch4


#
sysname Switch4
#
vlan batch 201
#
interface 10GE1/0/1
port link-type dot1q-tunnel
port default vlan 201
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 201
#
return

● Configuration file of Switch5


#
sysname Switch5
#
vlan batch 501 to 502
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 501 to 502
port vlan-mapping vlan 201 inner-vlan 2 map-vlan 501
port vlan-mapping vlan 201 inner-vlan 3 map-vlan 502
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 501 to 502
port vlan-mapping vlan 201 inner-vlan 2 map-vlan 501
port vlan-mapping vlan 201 inner-vlan 3 map-vlan 502
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 501 to 502
#
return
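
The following check is an added example, not part of the Huawei guide: a Python script that parses the Switch5 configuration file above and verifies that every map-vlan is created and allowed on the interface that carries the mapping, and that no two source VLAN pairs on one interface collapse into the same translated VLAN (which would merge the office and production services that Step 4 shows to be isolated). The function names, finding labels, and the two modified configurations are constructed for illustration; treating a missing allow-pass entry as an error is an assumption drawn from the example configurations in this section.

```python
import re

# The Switch5 configuration file from this example, embedded so the script runs offline.
SWITCH5_CFG = """\
#
sysname Switch5
#
vlan batch 501 to 502
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 501 to 502
port vlan-mapping vlan 201 inner-vlan 2 map-vlan 501
port vlan-mapping vlan 201 inner-vlan 3 map-vlan 502
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 501 to 502
port vlan-mapping vlan 201 inner-vlan 2 map-vlan 501
port vlan-mapping vlan 201 inner-vlan 3 map-vlan 502
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 501 to 502
#
return
"""

# Constructed variants: production traffic mapped into the office VLAN on
# 10GE1/0/1, and VLAN 502 missing from the allow-pass list on 10GE1/0/1.
MERGED_CFG = SWITCH5_CFG.replace(
    "inner-vlan 3 map-vlan 502", "inner-vlan 3 map-vlan 501", 1)
NOT_ALLOWED_CFG = SWITCH5_CFG.replace(
    "port trunk allow-pass vlan 501 to 502", "port trunk allow-pass vlan 501", 1)

MAP_RE = re.compile(
    r"port vlan-mapping vlan (\d+)(?: inner-vlan (\d+))?"
    r" map-vlan (\d+)(?: map-inner-vlan (\d+))?$")


def expand_vlans(text):
    """Expand '2 3', '501 to 502' or '10 20 to 22' into a set of VLAN IDs."""
    tokens = text.split()
    vlans, i = set(), 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(start, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(start)
            i += 1
    return vlans


def parse_config(cfg):
    """Return (created VLANs, {interface: {'allow': set, 'maps': [tuples]}})."""
    created, ifaces, cur = set(), {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("vlan batch "):
            created |= expand_vlans(line[len("vlan batch "):])
        elif line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"allow": set(), "maps": []})
        elif line == "#":
            cur = None  # '#' closes the current configuration view
        elif cur is not None and line.startswith("port trunk allow-pass vlan "):
            cur["allow"] |= expand_vlans(line[len("port trunk allow-pass vlan "):])
        elif cur is not None:
            m = MAP_RE.match(line)
            if m:
                # (outer, inner, map_outer, map_inner); absent fields are None
                cur["maps"].append(tuple(int(g) if g else None for g in m.groups()))
    return created, ifaces


def audit(cfg):
    """Return a list of (interface, finding, vlan) tuples; empty means clean."""
    created, ifaces = parse_config(cfg)
    findings = []
    for name, port in ifaces.items():
        targets = {}
        for outer, inner, map_outer, map_inner in port["maps"]:
            if map_outer not in created:
                findings.append((name, "map-vlan-not-created", map_outer))
            if map_outer not in port["allow"]:
                findings.append((name, "map-vlan-not-allowed", map_outer))
            targets.setdefault((map_outer, map_inner), []).append((outer, inner))
        for target, sources in targets.items():
            if len(sources) > 1:  # several services share one translated VLAN
                findings.append((name, "sources-merged", target[0]))
    return findings


if __name__ == "__main__":
    for label, cfg in (("page config", SWITCH5_CFG), ("merged", MERGED_CFG),
                       ("not allowed", NOT_ALLOWED_CFG)):
        print(label, audit(cfg))
```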

7.6.3 Example for Configuring VLAN-based 2 to 2 VLAN Mapping

Networking Requirements
As shown in Figure 7-8, two branches of a data center are deployed in different
positions and located on the same network segment. To plan private VLAN IDs in
the data center, QinQ is used. That is, packets from Switch2 to the ISP network
carry double tags. Because the two VLAN IDs are different from VLAN IDs on the
ISP network, packets from branches cannot pass through the ISP network. As a
result, branches cannot communicate. It is required that branches 1 and 2
communicate.


Figure 7-8 Networking for configuring 2 to 2 VLAN mapping
(Figure not reproduced. Labels: ISP network, outside tag 50, inner tag 60; Switch3 and Switch4; Switch2 and Switch5; Switch1 and Switch6; Branch1, Server1, VLAN 10; Branch2, Server2, VLAN 30; 2 to 2 VLAN mapping.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Add the downlink interface on Switch1 connected to branch 1 to VLAN 10 and
downlink interface on Switch6 connected to branch 2 to VLAN 30.
2. Configure QinQ on Switch2 and Switch5 so that packets sent to the ISP
network carry double tags.
3. Deploy 2 to 2 VLAN mapping on Switch3 and Switch4 to map inner and outer
VLAN IDs of packets to VLAN IDs allowed by the ISP network so that
branches can communicate.

Procedure
Step 1 Add downlink interfaces on Switch1 and Switch6 to VLANs and configure the
uplink interfaces to allow the VLANs.
# Configure Switch1.
<HUAWEI> system-view
[~HUAWEI] sysname Switch1
[*HUAWEI] commit
[~Switch1] vlan 10
[*Switch1-vlan10] quit
[*Switch1] interface 10ge 1/0/1
[*Switch1-10GE1/0/1] port default vlan 10
[*Switch1-10GE1/0/1] quit
[*Switch1] interface 10ge 1/0/2
[*Switch1-10GE1/0/2] port link-type trunk
[*Switch1-10GE1/0/2] port trunk allow-pass vlan 10
[*Switch1-10GE1/0/2] quit
[*Switch1] commit

# Configure Switch6.
<HUAWEI> system-view
[~HUAWEI] sysname Switch6
[*HUAWEI] commit
[~Switch6] vlan 30
[*Switch6-vlan30] quit
[*Switch6] interface 10ge 1/0/1
[*Switch6-10GE1/0/1] port default vlan 30
[*Switch6-10GE1/0/1] quit
[*Switch6] interface 10ge 1/0/2
[*Switch6-10GE1/0/2] port link-type trunk
[*Switch6-10GE1/0/2] port trunk allow-pass vlan 30
[*Switch6-10GE1/0/2] quit
[*Switch6] commit

Step 2 Configure QinQ on Switch2 and Switch5 so that packets sent to the ISP network
carry double tags.
# Configure the type of 10GE1/0/1 on Switch2 as QinQ and the outer VLAN tag as
VLAN 20.
<HUAWEI> system-view
[~HUAWEI] sysname Switch2
[*HUAWEI] commit
[~Switch2] vlan 20
[*Switch2-vlan20] quit
[*Switch2] interface 10ge 1/0/1
[*Switch2-10GE1/0/1] port link-type dot1q-tunnel
[*Switch2-10GE1/0/1] port default vlan 20
[*Switch2-10GE1/0/1] quit
[*Switch2] interface 10ge 1/0/2
[*Switch2-10GE1/0/2] port link-type trunk
[*Switch2-10GE1/0/2] port trunk allow-pass vlan 20
[*Switch2-10GE1/0/2] quit
[*Switch2] commit

# Configure the type of 10GE1/0/1 on Switch5 as QinQ and the outer VLAN tag as
VLAN 40.
<HUAWEI> system-view
[~HUAWEI] sysname Switch5
[*HUAWEI] commit
[~Switch5] vlan 40
[*Switch5-vlan40] quit
[*Switch5] interface 10ge 1/0/1
[*Switch5-10GE1/0/1] port link-type dot1q-tunnel
[*Switch5-10GE1/0/1] port default vlan 40
[*Switch5-10GE1/0/1] quit
[*Switch5] interface 10ge 1/0/2
[*Switch5-10GE1/0/2] port link-type trunk
[*Switch5-10GE1/0/2] port trunk allow-pass vlan 40
[*Switch5-10GE1/0/2] quit
[*Switch5] commit

Step 3 Configure VLAN mapping on Switch3 and Switch4.


# Configure Switch3.
<HUAWEI> system-view
[~HUAWEI] sysname Switch3
[*HUAWEI] commit
[~Switch3] vlan batch 50
[*Switch3] interface 10ge 1/0/1
[*Switch3-10GE1/0/1] port link-type trunk
[*Switch3-10GE1/0/1] port trunk allow-pass vlan 50
[*Switch3-10GE1/0/1] port vlan-mapping vlan 20 inner-vlan 10 map-vlan 50 map-inner-vlan 60
[*Switch3-10GE1/0/1] quit
[*Switch3] interface 10ge 1/0/2
[*Switch3-10GE1/0/2] port link-type trunk
[*Switch3-10GE1/0/2] port trunk allow-pass vlan 50
[*Switch3-10GE1/0/2] quit
[*Switch3] commit

# Configure Switch4.
<HUAWEI> system-view
[~HUAWEI] sysname Switch4
[*HUAWEI] commit
[~Switch4] vlan batch 50
[*Switch4] interface 10ge 1/0/1
[*Switch4-10GE1/0/1] port link-type trunk
[*Switch4-10GE1/0/1] port trunk allow-pass vlan 50
[*Switch4-10GE1/0/1] port vlan-mapping vlan 40 inner-vlan 30 map-vlan 50 map-inner-vlan 60
[*Switch4-10GE1/0/1] quit
[*Switch4] interface 10ge 1/0/2
[*Switch4-10GE1/0/2] port link-type trunk
[*Switch4-10GE1/0/2] port trunk allow-pass vlan 50
[*Switch4-10GE1/0/2] quit
[*Switch4] commit

Step 4 Verify the configuration.


Configure Server1 in branch 1 and Server2 in branch 2 on the same network
segment. For example, configure IP addresses 172.16.0.5/16 and 172.16.0.6/16 for
Server1 and Server2 respectively so that branch 1 can communicate with branch
2. This example pings Server2 in branch 2 from Server1 in branch 1.
<Server1> ping 172.16.0.6
Pinging 172.16.0.6 with 32 bytes of data:
Reply from 172.16.0.6: bytes=32 time<1ms TTL=128
Reply from 172.16.0.6: bytes=32 time<1ms TTL=128
Reply from 172.16.0.6: bytes=32 time<1ms TTL=128
Reply from 172.16.0.6: bytes=32 time<1ms TTL=128

Ping statistics for 172.16.0.6:


Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

----End

Configuration Files
● Configuration file of Switch1
#
sysname Switch1
#
vlan batch 10
#
interface 10GE1/0/1
port default vlan 10
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return

● Configuration file of Switch2


#
sysname Switch2
#
vlan batch 20
#
interface 10GE1/0/1
port link-type dot1q-tunnel
port default vlan 20
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
return

● Configuration file of Switch3


#
sysname Switch3
#
vlan batch 50
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 50
port vlan-mapping vlan 20 inner-vlan 10 map-vlan 50 map-inner-vlan 60
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 50
#
return

● Configuration file of Switch4


#
sysname Switch4
#
vlan batch 50
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 50
port vlan-mapping vlan 40 inner-vlan 30 map-vlan 50 map-inner-vlan 60
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 50
#
return

● Configuration file of Switch5


#
sysname Switch5
#
vlan batch 40
#
interface 10GE1/0/1
port link-type dot1q-tunnel
port default vlan 40
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 40
#
return

● Configuration file of Switch6


#
sysname Switch6
#
vlan batch 30
#
interface 10GE1/0/1
port default vlan 30
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 30
#
return
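
To make the tag handling in this example visible hop by hop, the following Python model (an added example, not Huawei code) walks a frame from Server1 to Server2 and back using the port settings from the configuration files above, and shows where the frame is dropped if the mapping on Switch3 is missing. The port model is a simplification and an assumption of this example: access and dot1q-tunnel ports add their default VLAN on ingress and remove it on egress, and a port vlan-mapping rule translates tags on ingress and restores them on egress of the same interface, which is what the two-way ping in Step 4 requires.

```python
# Tag stacks are lists with the outermost tag first; [] is an untagged frame.

def access(pvid):
    return {"type": "access", "pvid": pvid}

def tunnel(pvid):
    return {"type": "dot1q-tunnel", "pvid": pvid}

def trunk(allow, maps=()):
    # maps: list of ((outer, inner), (map_outer, map_inner)) rules
    return {"type": "trunk", "allow": set(allow), "maps": list(maps)}

def ingress(port, tags):
    """Tag stack after the frame enters the port, or None if it is dropped."""
    if port["type"] == "access":
        return [port["pvid"]] if not tags else None
    if port["type"] == "dot1q-tunnel":
        return [port["pvid"]] + tags          # push the outer tag
    for src, dst in port["maps"]:
        if tuple(tags[:2]) == src:            # translate before the VLAN check
            tags = list(dst) + tags[2:]
            break
    return tags if tags and tags[0] in port["allow"] else None

def egress(port, tags):
    """Tag stack after the frame leaves the port, or None if it is dropped."""
    if port["type"] in ("access", "dot1q-tunnel"):
        return tags[1:] if tags and tags[0] == port["pvid"] else None
    if not tags or tags[0] not in port["allow"]:
        return None
    for src, dst in port["maps"]:
        if tuple(tags[:2]) == dst:            # restore the original tags
            return list(src) + tags[2:]
    return tags

# (switch, port facing branch 1, port facing branch 2), from the config files.
PATH = [
    ("Switch1", access(10), trunk([10])),
    ("Switch2", tunnel(20), trunk([20])),
    ("Switch3", trunk([50], [((20, 10), (50, 60))]), trunk([50])),
    ("Switch4", trunk([50]), trunk([50], [((40, 30), (50, 60))])),
    ("Switch5", trunk([40]), tunnel(40)),
    ("Switch6", trunk([30]), access(30)),
]

# Constructed failure case: Switch3 without its port vlan-mapping rule.
NO_MAP = PATH[:2] + [("Switch3", trunk([50]), trunk([50]))] + PATH[3:]

def walk(path, reverse=False):
    """Return [(switch, tags leaving that switch)]; tags is None at a drop."""
    tags, trace = [], []
    hops = reversed(path) if reverse else path
    for name, port_a, port_b in hops:
        port_in, port_out = (port_b, port_a) if reverse else (port_a, port_b)
        tags = ingress(port_in, tags)
        if tags is not None:
            tags = egress(port_out, tags)
        if tags is None:
            trace.append((name, None))
            break
        trace.append((name, list(tags)))
    return trace

if __name__ == "__main__":
    for label, trace in (("Server1 -> Server2", walk(PATH)),
                         ("Server2 -> Server1", walk(PATH, reverse=True)),
                         ("no mapping on Switch3", walk(NO_MAP))):
        print(label)
        for name, tags in trace:
            print("  after", name, "dropped" if tags is None else tags)
```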

7.6.4 Example for Configuring MQC-based VLAN Mapping

Networking Requirements
As shown in Figure 7-9, on a data center network, servers store video and data
information. Users are classified into gold and silver users, and gold and silver
users belong to VLAN 200 and VLAN 300 respectively and access servers through
the enterprise backbone network. The enterprise backbone network allocates
VLAN 2 to gold users and VLAN 3 to silver users. Switch2 and Switch3 are edge
devices of the enterprise backbone network. VLAN IDs planned by the video and
data servers and enterprise backbone network are different. To ensure that gold
users can access the video server and silver users can access the data server,
configure MQC-based VLAN mapping on Switch2 and Switch3.

Figure 7-9 Networking for configuring MQC-based VLAN mapping
(Figure not reproduced. Labels: video server, VLAN 200; data server, VLAN 300; Switch1; Switch2; enterprise backbone network, VLAN 2 and VLAN 3; Switch3; Switch4; gold user, VLAN 200; silver user, VLAN 300; VLAN mapping; traffic direction.)

Configuration Roadmap
The configuration roadmap is as follows:

1. Create VLAN 2 and VLAN 3 on Switch2 and Switch3.


2. Configure traffic classifiers, traffic behaviors, and traffic policies on Switch2
and Switch3.
3. Configure types of interfaces on Switch2 and Switch3, and add the interfaces
to corresponding VLANs.
4. Apply MQC to interfaces on Switch2 and Switch3 to implement VLAN
mapping.


Procedure
Step 1 Create VLANs.
# Create VLAN 200 and VLAN 300 on Switch1 and add interfaces connected to
servers to VLANs.
<HUAWEI> system-view
[~HUAWEI] sysname Switch1
[*HUAWEI] commit
[~Switch1] vlan batch 200 300
[*Switch1] interface 10ge 1/0/2
[*Switch1-10GE1/0/2] port default vlan 200
[*Switch1-10GE1/0/2] quit
[*Switch1] interface 10ge 1/0/3
[*Switch1-10GE1/0/3] port default vlan 300
[*Switch1-10GE1/0/3] quit
[*Switch1] commit

# Create VLAN 200 and VLAN 300 on Switch4 and add interfaces connected to
users to VLAN 200 and VLAN 300. The configuration of Switch4 is similar to the
configuration of Switch1, and the configuration details are not mentioned here.
# On Switch2, create VLAN 2 and VLAN 3.
<HUAWEI> system-view
[~HUAWEI] sysname Switch2
[*HUAWEI] commit
[~Switch2] vlan batch 2 3
[*Switch2] commit

# On Switch3, create VLAN 2 and VLAN 3.


<HUAWEI> system-view
[~HUAWEI] sysname Switch3
[*HUAWEI] commit
[~Switch3] vlan batch 2 3
[*Switch3] commit

Step 2 Configure traffic classifiers, traffic behaviors, and traffic policies on Switch2 and
Switch3.
# Configure traffic classifiers, traffic behaviors, and traffic policies on Switch2.
[~Switch2] traffic classifier name1
[*Switch2-classifier-name1] if-match vlan 200
[*Switch2-classifier-name1] quit
[*Switch2] traffic behavior name1
[*Switch2-behavior-name1] vlan-mapping vlan 2
[*Switch2-behavior-name1] quit
[*Switch2] traffic classifier name2
[*Switch2-classifier-name2] if-match vlan 300
[*Switch2-classifier-name2] quit
[*Switch2] traffic behavior name2
[*Switch2-behavior-name2] vlan-mapping vlan 3
[*Switch2-behavior-name2] quit
[*Switch2] traffic policy name1
[*Switch2-trafficpolicy-name1] classifier name1 behavior name1
[*Switch2-trafficpolicy-name1] classifier name2 behavior name2
[*Switch2-trafficpolicy-name1] quit
[*Switch2] commit

# Configure traffic classifiers, traffic behaviors, and traffic policies on Switch3.


[~Switch3] traffic classifier name1
[*Switch3-classifier-name1] if-match vlan 2
[*Switch3-classifier-name1] quit
[*Switch3] traffic behavior name1
[*Switch3-behavior-name1] vlan-mapping vlan 200
[*Switch3-behavior-name1] quit
[*Switch3] traffic classifier name2
[*Switch3-classifier-name2] if-match vlan 3
[*Switch3-classifier-name2] quit
[*Switch3] traffic behavior name2
[*Switch3-behavior-name2] vlan-mapping vlan 300
[*Switch3-behavior-name2] quit
[*Switch3] traffic policy name1
[*Switch3-trafficpolicy-name1] classifier name1 behavior name1
[*Switch3-trafficpolicy-name1] classifier name2 behavior name2
[*Switch3-trafficpolicy-name1] quit
[*Switch3] commit

Step 3 Apply traffic policies to interfaces to implement VLAN mapping.

# Configure 10GE1/0/1 on Switch2.


[~Switch2] interface 10ge 1/0/1
[*Switch2-10GE1/0/1] traffic-policy name1 inbound
[*Switch2-10GE1/0/1] quit
[*Switch2] commit

# Configure 10GE1/0/2 on Switch3.


[~Switch3] interface 10ge 1/0/2
[*Switch3-10GE1/0/2] traffic-policy name1 inbound
[*Switch3-10GE1/0/2] quit
[*Switch3] commit

Step 4 Configure other interfaces.

# Add 10GE1/0/1 on Switch1 to VLAN 200 and VLAN 300. The configuration of
10GE1/0/1 on Switch4 is similar to the configuration of Switch1, and the
configuration details are not mentioned here.
[~Switch1] interface 10ge 1/0/1
[*Switch1-10GE1/0/1] port link-type trunk
[*Switch1-10GE1/0/1] port trunk allow-pass vlan 200 300
[*Switch1-10GE1/0/1] quit
[*Switch1] commit

Step 5 Verify the configuration.

After the preceding configuration is complete, gold users can access the video
server and silver users can access the data server.

----End

Configuration Files
● Configuration file of Switch1
#
sysname Switch1
#
vlan batch 200 300
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 200 300
#
interface 10GE1/0/2
port default vlan 200
#
interface 10GE1/0/3
port default vlan 300
#
return
● Configuration file of Switch2
#
sysname Switch2
#
vlan batch 2 to 3
#
traffic classifier name1 type or
if-match vlan 200
#
traffic classifier name2 type or
if-match vlan 300
#
traffic behavior name1
vlan-mapping vlan 2
#
traffic behavior name2
vlan-mapping vlan 3
#
traffic policy name1
classifier name1 behavior name1 precedence 5
classifier name2 behavior name2 precedence 10
#
interface 10GE1/0/1
traffic-policy name1 inbound
#
return
● Configuration file of Switch3
#
sysname Switch3
#
vlan batch 2 to 3
#
traffic classifier name1 type or
if-match vlan 2
#
traffic classifier name2 type or
if-match vlan 3
#
traffic behavior name1
vlan-mapping vlan 200
#
traffic behavior name2
vlan-mapping vlan 300
#
traffic policy name1
classifier name1 behavior name1 precedence 5
classifier name2 behavior name2 precedence 10
#
interface 10GE1/0/2
traffic-policy name1 inbound
#
return
● Configuration file of Switch4
#
sysname Switch4
#
vlan batch 200 300
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 200 300
#
interface 10GE1/0/2
port default vlan 200
#
interface 10GE1/0/3
port default vlan 300
#
return


8 GVRP Configuration

8.1 Overview of GVRP


8.2 Understanding GVRP
8.3 Application Scenarios for GVRP
8.4 Licensing Requirements and Limitations for GVRP
8.5 Default Settings for GVRP
8.6 Configuring GVRP
8.7 Maintaining GVRP
8.8 Configuration Examples for GVRP

8.1 Overview of GVRP


Definition
The Generic Attribute Registration Protocol (GARP) provides an attribute
propagation mechanism. The GARP VLAN Registration Protocol (GVRP) is a GARP
application used to register and deregister VLAN attributes.
GARP identifies applications based on destination MAC addresses. IEEE Std 802.1Q
assigns 01-80-C2-00-00-21 to GVRP.

Purpose
To create or delete VLANs on all devices on a network, a network administrator
must manually create or delete the VLANs on each device. When a network is too
complex for a network administrator to know the network topology in a short
time or when many VLANs are configured on the network, the manual
configuration workload is enormous and configuration errors will occur. GVRP can
be configured on the network to implement automatic VLAN registration and
deregistration in this case.


Benefits
Through GVRP, VLAN attributes of one device can be propagated throughout the
entire switching network. GVRP enables network devices to dynamically deliver,
register, and propagate VLAN attributes, reducing the workload of the network
administrator and ensuring correct configuration.

8.2 Understanding GVRP

8.2.1 Basic Concepts


On a switch, each GVRP-enabled interface is a GVRP participant. A GVRP
participant sends an attribute declaration or attribute reclaim declaration to
request other GVRP participants to register or deregister its attributes. A GVRP
participant can also register or deregister attributes of other GVRP participants
when receiving attribute declarations or attribute reclaim declarations from other
GVRP participants.
A manually configured VLAN is a static VLAN, and a VLAN learned through GVRP
is a dynamic VLAN.

GVRP Messages
GVRP participants exchange information by sending GVRP messages. There are
three types of GVRP messages.

Table 8-1 Types of GVRP messages

Type: Join message
Function: When a GVRP participant is configured with VLANs and expects other devices to register its attributes, it sends Join messages to other devices.
Description: Join messages are classified into two types:
● JoinEmpty message: The interface that sends GVRP messages does not join a dynamic VLAN.
● JoinIn message: The interface that sends GVRP messages joins a dynamic VLAN.
Only the interface that receives a JoinEmpty or JoinIn message can join the dynamic VLAN.

Type: Leave message
Function: When a GVRP participant where static VLANs are deleted expects other devices to deregister its attributes, it sends Leave messages to other devices.
Description: Leave messages are classified into two types:
● LeaveEmpty: The interface that sends GVRP messages does not exist in a dynamic VLAN.
● LeaveIn: The interface that sends GVRP messages exists in a dynamic VLAN.

Type: LeaveAll message
Function: A GVRP participant sends LeaveAll messages to deregister all VLAN attributes so that other GVRP participants can re-register attributes. LeaveAll messages are used to periodically delete useless attributes on a network. For example, an attribute of a GVRP participant is deleted. Due to a sudden power failure, the GVRP participant does not send Leave messages to request other participants to deregister the attribute. In this case, the attribute becomes useless, necessitating the use of a LeaveAll message.
Description: When an interface is enabled with GVRP, the LeaveAll timer is started. When the LeaveAll timer expires, the GVRP participant sends LeaveAll messages to other devices.

Timer
GARP defines four timers.


Table 8-2 Timers


| Timer | Function | Description |
|---|---|---|
| Join timer | The Join timer controls the sending of Join messages. Each interface maintains an independent Join timer. | After sending the first Join message, a GARP participant starts the Join timer. If the participant receives a JoinIn message before the Join timer expires, it does not send the second Join message. If the GARP participant does not receive any JoinIn message, it sends the second Join message when the Join timer expires. This ensures that the Join message can be reliably transmitted to other GARP participants. |
| Hold timer | The Hold timer controls the sending of Join and Leave messages. Each interface maintains an independent Hold timer. | After a GARP participant is configured with an attribute or receives a Join or Leave message, it does not send the message to other GARP participants before the Hold timer expires. The GARP participant encapsulates messages received into a minimum number of packets within the Hold timer value, reducing the number of packets sent to other GARP participants. |
| Leave timer | The Leave timer controls the sending of Leave messages. Each interface maintains an independent Leave timer. | A GARP participant starts the Leave timer after receiving a Leave or LeaveAll message. If the GARP participant does not receive any Join message of the corresponding attribute before the Leave timer expires, the GARP participant deregisters the attribute. |
| LeaveAll timer | The LeaveAll timer controls the sending of LeaveAll messages and restarts all timers including the LeaveAll timer itself. Each device maintains a global LeaveAll timer. | When a GARP participant is enabled, the LeaveAll timer is started. When the LeaveAll timer expires, the GARP participant sends LeaveAll messages for other GARP participants to re-register its attributes. Then the LeaveAll timer is started again. Devices on a network may use different LeaveAll timer values, but all the devices use the smallest LeaveAll timer value on the network. |

The relationship between the four timers is as follows:

LeaveAll timer > Leave timer > 2 x Join timer >= 4 x Hold timer

Registration Modes
A GVRP interface supports three registration modes:
● In normal mode, a GVRP interface can register and deregister VLANs as well
as transmit dynamic and static VLAN registration information.
● In fixed mode, a GVRP interface is disabled from dynamically registering and
deregistering VLANs and can only transmit static VLAN information. If the
registration mode of a trunk interface is set to fixed, the interface allows only
the manually configured VLANs even if it is configured to allow all the VLANs.
● In forbidden mode, a GVRP interface is disabled from dynamically registering
and deregistering VLANs and can transmit only information about VLAN 1. If
the registration mode of a trunk interface is set to forbidden, the interface
allows only VLAN 1, even if the interface is configured to allow all the VLANs.
In Figure 8-1, GVRP is configured on SwitchA and SwitchB. Static VLANs 10 and
20 are configured on SwitchA and SwitchB respectively.

Figure 8-1 GVRP network
[Figure: SwitchA (10GE 1/0/1) connected to SwitchB (10GE 1/0/1).]


Table 8-3 Dynamic VLAN learned in different registration modes

| Registration Mode on SwitchA | Registration Mode on SwitchB | Result |
|---|---|---|
| Normal | Normal | SwitchA learns dynamic VLAN 20 and SwitchB learns dynamic VLAN 10. |
| Normal | Fixed | SwitchA learns dynamic VLAN 20 and SwitchB does not learn dynamic VLAN 10. |
| Normal | Forbidden | SwitchA and SwitchB do not learn VLANs of each other. |
| Fixed | Fixed | SwitchA and SwitchB do not learn VLANs of each other. |
| Fixed | Forbidden | SwitchA and SwitchB do not learn VLANs of each other. |
| Forbidden | Forbidden | SwitchA and SwitchB do not learn VLANs of each other. |

8.2.2 Packet Format


GVRP is an application of GARP, and the GVRP packet format complies with GARP.
GARP packets are encapsulated in the IEEE 802.3 Ethernet format, as shown in
Figure 8-2.

Figure 8-2 GARP packet format

Ethernet frame: DA | SA | length | DSAP | SSAP | Ctrl | PDU
GARP PDU structure: Protocol ID (bytes 1-2) | Message 1 (from byte 3) | … | Message N | End Mark
Message structure: Attribute Type (byte 1) | Attribute List (bytes 2 to N)
Attribute List structure: Attribute 1 | … | Attribute N | End Mark
Attribute structure: Attribute Length (byte 1) | Attribute Event (byte 2) | Attribute Value (bytes 3 to N)

The following table describes the fields in a GARP packet.

| Field | Description |
|---|---|
| Protocol ID | Protocol ID. The value is 1. |
| Message | Message in a packet. A message consists of the Attribute Type and Attribute List fields. |
| Attribute Type | Attribute type, which is defined by the GARP application. The value is 0x01 for GVRP, indicating that the attribute value is a VLAN ID. |
| Attribute List | Attribute list, containing multiple attributes. |
| Attribute | Attribute, which consists of the Attribute Length, Attribute Event, and Attribute Value fields. |
| Attribute Length | Length of an attribute. The value is 2 to 255, in bytes. |
| Attribute Event | Event that an attribute describes: ● 0: LeaveAll Event ● 1: JoinEmpty Event ● 2: JoinIn Event ● 3: LeaveEmpty Event ● 4: LeaveIn Event ● 5: Empty Event |
| Attribute Value | Value of an attribute, which is a VLAN ID for GVRP but is invalid for a LeaveAll attribute. |
| End Mark | End of a GARP PDU. The value is 0x00. |
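The field layout above, turned into a parser, as an added example that is not part of the Huawei guide: it walks the Protocol ID, Message, Attribute List and End Mark fields and reports Join declarations for VLANs outside an expected set. The frame bytes are constructed sample data; the 802.3/LLC header widths and the 2-byte VLAN ID value come from the GARP/GVRP standard rather than from this page, and `undeclared_vlans` is a hypothetical helper name.

```python
"""Parse GVRP declarations out of an IEEE 802.3/LLC frame (added example)."""

EVENTS = {0: "LeaveAll", 1: "JoinEmpty", 2: "JoinIn",
          3: "LeaveEmpty", 4: "LeaveIn", 5: "Empty"}
GVRP_ATTR_TYPE = 0x01   # Attribute Value is a VLAN ID
END_MARK = 0x00

# Constructed sample frame: DA, SA, length, DSAP/SSAP/Ctrl, GARP PDU, padding.
SAMPLE_FRAME = bytes.fromhex(
    "0180c2000021" "00e0fc000001" "0016" "424203"
    "0001"          # Protocol ID = 1
    "01"            # Attribute Type = 0x01 (GVRP)
    "04010064"      # length 4, JoinEmpty, VLAN 100
    "04020066"      # length 4, JoinIn, VLAN 102
    "040200c8"      # length 4, JoinIn, VLAN 200
    "0200"          # length 2, LeaveAll (no Attribute Value)
    "00" "00"       # End Mark of the Attribute List, End Mark of the PDU
) + bytes(24)       # padding up to the 60-byte minimum frame size


def parse_garp_pdu(pdu: bytes):
    """Return [(attribute_type, event_name, vlan_id_or_None), ...]."""
    if len(pdu) < 2 or int.from_bytes(pdu[:2], "big") != 1:
        raise ValueError("Protocol ID is not 1")
    pos, out = 2, []
    while True:
        if pos >= len(pdu):
            raise ValueError("PDU End Mark missing")
        attr_type = pdu[pos]
        pos += 1
        if attr_type == END_MARK:            # End Mark closing the PDU
            return out
        while True:                          # walk one Attribute List
            if pos >= len(pdu):
                raise ValueError("Attribute List End Mark missing")
            length = pdu[pos]
            if length == END_MARK:           # End Mark closing the list
                pos += 1
                break
            if length < 2 or pos + length > len(pdu):
                raise ValueError(f"bad Attribute Length {length} at offset {pos}")
            event = pdu[pos + 1]
            value = pdu[pos + 2:pos + length]
            if event not in EVENTS:
                raise ValueError(f"unknown Attribute Event {event}")
            vlan = None                      # LeaveAll carries no valid value
            if attr_type == GVRP_ATTR_TYPE and event != 0:
                if len(value) != 2:          # assumption from the standard
                    raise ValueError("GVRP Attribute Value must be 2 bytes")
                vlan = int.from_bytes(value, "big")
            out.append((attr_type, EVENTS[event], vlan))
            pos += length


def parse_frame(frame: bytes):
    """Split DA | SA | length | DSAP | SSAP | Ctrl | PDU and parse the PDU."""
    if len(frame) < 17:
        raise ValueError("frame too short for the 802.3 and LLC headers")
    sa = frame[6:12].hex()
    source = f"{sa[:4]}-{sa[4:8]}-{sa[8:]}"          # xxxx-xxxx-xxxx notation
    length = int.from_bytes(frame[12:14], "big")     # LLC header + PDU bytes
    if length < 3 or 14 + length > len(frame):
        raise ValueError("length field does not fit the frame")
    return source, parse_garp_pdu(frame[17:14 + length])  # padding dropped


def undeclared_vlans(events, expected):
    """VLAN IDs declared by Join events that are not in the expected set."""
    return sorted({vlan for _, name, vlan in events
                   if name in ("JoinEmpty", "JoinIn") and vlan not in expected})


if __name__ == "__main__":
    src, evs = parse_frame(SAMPLE_FRAME)
    print(src, evs, undeclared_vlans(evs, {100, 102, 103, 104, 105}))
```
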

8.2.3 Working Mechanism


A simple network is used to describe how GVRP registers and deregisters dynamic
VLANs.

Two-way Registration of VLAN Attributes


Create static VLAN 2 on SwitchA and SwitchC, and enable interfaces on SwitchB to
automatically join VLAN 2 through GVRP on each GVRP participant.

Figure 8-3 Two-way Registration of VLAN Attributes
[Figure: SwitchA (10GE1/0/1), SwitchB (10GE1/0/2 and 10GE1/0/3), and SwitchC (10GE1/0/4) connected in a line. Labelled messages: 1 Send JoinEmpty message; 2 Send JoinEmpty message; 3 Send JoinIn message; 4 Send JoinIn message.]


1. After static VLAN 2 is created on SwitchA and 10GE1/0/1 joins static VLAN 2,
10GE1/0/1 automatically starts Join and Hold timers. After the Hold timer
expires, SwitchA sends a JoinEmpty message to SwitchB.
2. When 10GE1/0/2 on SwitchB receives the JoinEmpty message, SwitchB creates
dynamic VLAN 2 and adds 10GE1/0/2 to dynamic VLAN 2. SwitchB requests
10GE1/0/3 to start the Join and Hold timers. When the Hold timer expires,
SwitchB sends a JoinEmpty message to SwitchC.
3. When 10GE1/0/4 on SwitchC receives the JoinEmpty message, SwitchC creates
dynamic VLAN 2 and adds 10GE1/0/4 to dynamic VLAN 2.
After one-way registration of VLAN attributes is complete, 10GE1/0/1,
10GE1/0/2, and 10GE1/0/4 are added to VLAN 2 but 10GE1/0/3 is not added
to VLAN 2. VLAN attribute registration from SwitchC to SwitchA is required so
that traffic of VLAN 2 can be bidirectionally transmitted. The process is as
follows:
Static VLAN 2 is created on SwitchC (the dynamic VLAN is replaced by the
static VLAN). 10GE1/0/4 of SwitchC starts Join and Hold timers. When the
Hold timer expires, SwitchC sends a JoinIn message to SwitchB.
4. After 10GE1/0/3 on SwitchB receives the JoinIn message, SwitchB adds
10GE1/0/3 to VLAN 2 and requests 10GE1/0/2 to start Join and Hold timers.
When the Hold timer expires, SwitchB sends a JoinIn message to SwitchA.

During two-way registration, after the Join timer expires, the switch waits for the
period of the Hold timer and sends a JoinEmpty or JoinIn message. (The switch
sends the JoinEmpty or JoinIn message twice at most.) When SwitchA receives the
JoinIn message, it stops sending JoinEmpty messages to SwitchB. Every time the
LeaveAll timer expires or a LeaveAll message is received, the switch restarts the
LeaveAll timer, Join timer, Hold timer, and Leave timer. 10GE1/0/1 on SwitchA
sends a JoinIn message to SwitchB when the Hold timer expires. SwitchB sends a
JoinIn message to SwitchC. After receiving the JoinIn message, SwitchC does not
create dynamic VLAN 2 because static VLAN 2 has been created.

NOTE

To facilitate the description, static VLAN 2 is first created on SwitchA, and then is created
on SwitchC. In practice, static VLANs can be created on devices simultaneously to
implement two-way registration.

Two-way Deregistration of VLAN Attributes


When static VLAN 2 is not required on SwitchA and SwitchC, VLAN 2 can be
deleted through the VLAN attribute deregistration process.

Figure 8-4 Two-way Deregistration of VLAN Attributes
[Figure: SwitchA (10GE1/0/1), SwitchB (10GE1/0/2 and 10GE1/0/3), and SwitchC (10GE1/0/4) connected in a line. Labelled messages: 1 Send LeaveEmpty message; 2 Send LeaveIn message; 3 Send LeaveEmpty message; 4 Send LeaveEmpty message.]

1. After static VLAN 2 is manually deleted from SwitchA, 10GE1/0/1 on SwitchA
starts the Hold timer. When the Hold timer expires, SwitchA sends a
LeaveEmpty message to SwitchB.
2. After 10GE1/0/2 on SwitchB receives the LeaveEmpty message, 10GE1/0/2
starts the Leave timer. When the Leave timer expires, 10GE1/0/2 deregisters
VLAN 2. Then 10GE1/0/2 is deleted from VLAN 2, but VLAN 2 is not deleted
from SwitchB because 10GE1/0/3 is still in VLAN 2. SwitchB requests
10GE1/0/3 to start Hold and Leave timers. When the Hold timer expires,
SwitchB sends a LeaveIn message to SwitchC.
3. After SwitchC receives the LeaveIn message, 10GE1/0/4 is not deleted from
VLAN 2 because static VLAN 2 on SwitchC is not deleted. VLAN 2 is a static
VLAN on SwitchC. 10GE1/0/3 can receive the JoinIn message sent from
10GE1/0/4 after the Leave timer expires. In this case, SwitchA and SwitchB
can still learn dynamic VLAN 2. To delete VLAN 2 from all the switches, delete
static VLAN 2 from SwitchC. After static VLAN 2 is deleted from SwitchC,
10GE1/0/4 on SwitchC starts the Hold timer. When the Hold timer expires,
SwitchC sends a LeaveEmpty message to SwitchB.
4. After SwitchB receives the LeaveEmpty message, 10GE1/0/3 starts the Leave
timer. When the Leave timer expires, 10GE1/0/3 deregisters VLAN 2. Then
10GE1/0/3 is deleted from VLAN 2, and dynamic VLAN 2 is deleted from
SwitchB. At this time, SwitchB requests 10GE1/0/2 to start the Hold timer.
When the Hold timer expires, 10GE1/0/2 sends a LeaveEmpty message to
SwitchA. After 10GE1/0/1 on SwitchA receives the LeaveEmpty message,
10GE1/0/1 starts the Leave timer. When the Leave timer expires, 10GE1/0/1
deregisters VLAN 2. Then 10GE1/0/1 is deleted from VLAN 2, and dynamic
VLAN 2 is deleted from SwitchA.
During two-way deregistration, after the Leave timer expires, the switch waits for
the period of the Hold timer and sends a LeaveEmpty or LeaveIn message. (The
switch sends the LeaveEmpty or LeaveIn message twice at most.)

NOTE

To facilitate the description, static VLAN 2 is first deleted from SwitchA, and then is deleted
from SwitchC. In practice, static VLANs can be deleted on devices simultaneously to
implement two-way deregistration.

8.3 Application Scenarios for GVRP


GVRP enables switches on a network to dynamically maintain and update VLAN
information. With GVRP, you can adjust VLAN deployment on the entire switching
network by configuring only a few devices. Analyzing the topology and managing
configurations are not necessary. In Figure 8-5, GVRP is enabled on all devices.
Devices are interconnected through trunk interfaces and each trunk interface
allows packets of all VLANs to pass. Using GVRP, you simply need to configure
static VLANs 100 to 200 on SwitchA and SwitchB. Other devices can then learn
VLANs 100 to 200 using GVRP. Department A then can communicate with
Department B. The VLAN deletion is similar.

Figure 8-5 Typical application
[Figure: SwitchA (VLAN 100~VLAN 200, Department A) and SwitchB (VLAN 100~VLAN 200, Department B) connected through the network.]

8.4 Licensing Requirements and Limitations for GVRP

Involved Network Elements


Other network elements are not required.

Licensing Requirements
GVRP is a basic function of the switch, and as such is controlled by the license for
basic software functions. The license for basic software functions has been loaded
and activated before delivery. You do not need to manually activate it.

Version Requirements

Table 8-4 Products and minimum version supporting GVRP

| Product | Minimum Version Required |
|---|---|
| CE8860EI | V200R001C00 |
| CE8861EI/CE8868EI | V200R005C10 |
| CE8850-32CQ-EI | V200R002C50 |
| CE8850-64CQ-EI | V200R005C00 |
| CE7850EI | V200R001C00 |
| CE7855EI | V200R001C00 |
| CE6810EI | V200R001C00 |
| CE6810-48S4Q-LI/CE6810-48S-LI | V200R001C00 |
| CE6810-32T16S4Q-LI/CE6810-24S2Q-LI | V200R001C00 |
| CE6850EI | V200R001C00 |
| CE6850-48S6Q-HI | V200R001C00 |
| CE6850-48T6Q-HI/CE6850U-HI/CE6851HI | V200R001C00 |
| CE6857EI | V200R005C10 |
| CE6860EI | V200R002C50 |
| CE6865EI | V200R005C00 |
| CE6870-24S6CQ-EI | V200R001C00 |
| CE6870-48S6CQ-EI | V200R001C00 |
| CE6870-48T6CQ-EI | V200R002C50 |
| CE6875-48S4CQ-EI | V200R003C00 |
| CE5810EI | V200R001C00 |
| CE5850EI | V200R001C00 |
| CE5850HI | V200R001C00 |
| CE5855EI | V200R001C00 |

NOTE

For details about the mapping between software versions and switch models, see the
Hardware Query Tool.

Feature Limitations
When many dynamic VLANs need to be registered or the network radius is large,
using default values of timers may cause VLAN flapping and high CPU usage. In
this case, increase values of the timers. The following values are recommended
depending on the number of VLANs.

Table 8-5 Relationship between GARP timer values and number of dynamic VLANs that need to be registered

Columns give the number of dynamic VLANs to be registered (N).

| Timer | N <= 500 | 500 < N <= 1000 | 1000 < N <= 1500 | N > 1500 |
|---|---|---|---|---|
| GARP Hold timer | 100 centiseconds (1 second) | 200 centiseconds (2 seconds) | 800 centiseconds (8 seconds) | 1000 centiseconds (10 seconds) |
| GARP Join timer | 600 centiseconds (6 seconds) | 1200 centiseconds (12 seconds) | 4000 centiseconds (40 seconds) | 6000 centiseconds (1 minute) |
| GARP Leave timer | 3000 centiseconds (30 seconds) | 6000 centiseconds (1 minute) | 20000 centiseconds (3 minutes and 20 seconds) | 30000 centiseconds (5 minutes) |
| GARP LeaveAll timer | 12000 centiseconds (2 minutes) | 24000 centiseconds (4 minutes) | 30000 centiseconds (5 minutes) | 32765 centiseconds (5 minutes and 27.65 seconds) |

Configuration Notes
● GVRP can be configured on the trunk interface only.
● Switches on a network need to use the same settings of GVRP timers;
otherwise, flapping may occur in the dynamic VLAN.
● Global GVRP and VLAN-based Spanning Tree (VBST) cannot be configured
simultaneously, and GVRP and Multichassis Link Aggregation Group (M-LAG)
cannot be configured on an Eth-Trunk simultaneously.
● The blocked port of STP, RSTP, MSTI 0, ERPS, or Smart Link can block GVRP
messages.

● The dynamic VLAN that is registered through GVRP cannot be configured as a
reserved VLAN or the default VLAN configured by the port default vlan
command. Information about a reserved VLAN cannot be transmitted to other
devices through GVRP.

8.5 Default Settings for GVRP


The following describes the default GVRP configuration. You can change the
configuration as needed.
| Parameter | Default Setting |
|---|---|
| GVRP | Disabled globally and on an interface |
| Registration mode on a GVRP interface | Normal |
| LeaveAll timer | 1000 centiseconds |
| Hold timer | 10 centiseconds |
| Join timer | 20 centiseconds |
| Leave timer | 60 centiseconds |

8.6 Configuring GVRP

8.6.1 Enabling GVRP

Context
To dynamically register or deregister VLAN attributes on a switching network,
configure GVRP on all devices of the switching network. Before enabling GVRP on
an interface, you must enable GVRP globally. GVRP can be enabled only on trunk
interfaces. Ensure that the trunk interfaces allow packets from all dynamically
registered VLANs.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run gvrp
GVRP is enabled globally.
By default, GVRP is disabled globally.
Step 3 Run interface interface-type interface-number
The interface view is displayed.

Step 4 Run port link-type trunk
The link type of the interface is set to trunk.
Step 5 Run port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }
The interface is added to the specified VLANs.
Step 6 Run gvrp
GVRP is enabled on the interface.
By default, GVRP is disabled on an interface.

NOTE

● The VLAN configuration will trigger GVRP messages. If too many VLANs are configured,
you are advised to run the vlan batch command in the system view to configure VLANs
on switches one by one and configure timers. Otherwise, dynamic VLANs may flap.
● If an interface is changed to another type, such as access, hybrid, or dot1q-tunnel, the
system asks you to disable GVRP on the interface first.
● The blocked port of STP, RSTP, MSTI 0, ERPS, or Smart Link can block GVRP messages.
● Global GVRP and VLAN-based Spanning Tree (VBST) cannot be configured
simultaneously, and GVRP and Multichassis Link Aggregation Group (M-LAG) cannot be
configured on an Eth-Trunk simultaneously.

Step 7 (Optional) Run gvrp registration { fixed | forbidden | normal }
The registration mode of the GVRP interface is set.
By default, the registration mode of a GVRP interface is normal.
Step 8 Run commit
The configuration is committed.

----End

8.6.2 (Optional) Setting GARP Timers

Context
When many dynamic VLANs need to be registered or the network radius is large,
using default values of timers may cause VLAN flapping and high CPU usage. In
this case, increase values of the timers. The following values are recommended
depending on the number of VLANs.

Table 8-6 Relationship between GARP timer values and number of dynamic VLANs that need to be registered

Columns give the number of dynamic VLANs to be registered (N).

| Timer | N <= 500 | 500 < N <= 1000 | 1000 < N <= 1500 | N > 1500 |
|---|---|---|---|---|
| GARP Hold timer | 100 centiseconds (1 second) | 200 centiseconds (2 seconds) | 800 centiseconds (8 seconds) | 1000 centiseconds (10 seconds) |
| GARP Join timer | 600 centiseconds (6 seconds) | 1200 centiseconds (12 seconds) | 4000 centiseconds (40 seconds) | 6000 centiseconds (1 minute) |
| GARP Leave timer | 3000 centiseconds (30 seconds) | 6000 centiseconds (1 minute) | 20000 centiseconds (3 minutes and 20 seconds) | 30000 centiseconds (5 minutes) |
| GARP LeaveAll timer | 12000 centiseconds (2 minutes) | 24000 centiseconds (4 minutes) | 30000 centiseconds (5 minutes) | 32765 centiseconds (5 minutes and 27.65 seconds) |

Procedure
● Configure the LeaveAll timer.
a. Run system-view
The system view is displayed.
b. Run garp timer leaveall timer-value
The value of the LeaveAll timer is set.
By default, the value of the LeaveAll timer is 1000 centiseconds (10
seconds).
The Leave timer value on an interface is restricted by the global LeaveAll
timer value. When configuring the global LeaveAll timer, ensure that all
the interfaces configured with a GARP Leave timer are working properly.
c. Run commit
The configuration is committed.
● Configure Hold, Join, and Leave timers.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.

c. Run garp timer { hold | join | leave } timer-value
The values of Hold, Join, and Leave timers are set.
By default, the value of the Hold timer is 10 centiseconds, the value of
the Join timer is 20 centiseconds, and the value of the Leave timer is 60
centiseconds.
When configuring GARP timers on an interface, pay attention to the
following points:
▪ The undo garp timer command restores default values of GARP
timers. If the default value of a timer is not within the allowed range,
the undo garp timer command does not take effect.
▪ The value range of each timer changes along with the values of
other timers. If the configured value of a timer is not within the
allowed range, you can change the value of the timer that
determines the value range of this timer.
▪ To restore default values of GARP timers, restore the default value of
the Hold timer, and then restore default values of Join, Leave, and
LeaveAll timers in sequence.
d. Run commit
The configuration is committed.

----End
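An added example (not Huawei code) that checks timer plans against the relationship stated in 8.2.1 and the values in Table 8-6, and finds an order of single-timer changes in which every intermediate state still satisfies that relationship. It assumes the switch enforces exactly that relationship when it computes each timer's allowed range and models one interface together with the global LeaveAll timer; all function names are hypothetical.

```python
"""Check GARP timer plans against the relationship in 8.2.1 (added example)."""
from itertools import permutations

TIMERS = ("hold", "join", "leave", "leaveall")
DEFAULTS = {"hold": 10, "join": 20, "leave": 60, "leaveall": 1000}  # centiseconds

# Table 8-6: (upper bound for N, recommended values); None means no upper bound.
RECOMMENDED = [
    (500,  {"hold": 100,  "join": 600,  "leave": 3000,  "leaveall": 12000}),
    (1000, {"hold": 200,  "join": 1200, "leave": 6000,  "leaveall": 24000}),
    (1500, {"hold": 800,  "join": 4000, "leave": 20000, "leaveall": 30000}),
    (None, {"hold": 1000, "join": 6000, "leave": 30000, "leaveall": 32765}),
]


def violations(t):
    """Broken parts of: LeaveAll > Leave > 2 x Join >= 4 x Hold."""
    bad = []
    if not t["leaveall"] > t["leave"]:
        bad.append("LeaveAll > Leave")
    if not t["leave"] > 2 * t["join"]:
        bad.append("Leave > 2 x Join")
    if not 2 * t["join"] >= 4 * t["hold"]:
        bad.append("2 x Join >= 4 x Hold")
    return bad


def recommended_for(n_vlans):
    """Recommended timer values for n_vlans dynamic VLANs (Table 8-6)."""
    for upper, values in RECOMMENDED:
        if upper is None or n_vlans <= upper:
            return dict(values)


def change_order(current, target):
    """Order of single-timer changes that keeps every intermediate state valid.

    Returns a list of timer names, or None when no such order exists.
    Assumption: the device rejects a value that breaks the relationship.
    """
    todo = [name for name in TIMERS if current[name] != target[name]]
    for order in permutations(todo):
        state = dict(current)
        for name in order:
            state[name] = target[name]
            if violations(state):
                break
        else:
            return list(order)
    return None


def mismatched_timers(devices):
    """Timers whose value differs between devices: {timer: {device: value}}."""
    out = {}
    for name in TIMERS:
        values = {dev: timers[name] for dev, timers in devices.items()}
        if len(set(values.values())) > 1:
            out[name] = values
    return out


if __name__ == "__main__":
    plan = recommended_for(400)
    print("raise timers in this order:  ", change_order(DEFAULTS, plan))
    print("restore defaults in this order:", change_order(plan, DEFAULTS))
    # Constructed inventory: SwitchC was left on default timers.
    fleet = {"SwitchA": plan, "SwitchB": plan, "SwitchC": dict(DEFAULTS)}
    print("mismatched:", mismatched_timers(fleet))
```

The restore order it computes (Hold, Join, Leave, LeaveAll) is the sequence given in the procedure above, and raising the timers needs the reverse order.
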

8.6.3 Verifying the GVRP Configuration

Procedure
● Run the display gvrp status command to check the status of global GVRP.
● Run the display gvrp statistics [ interface interface-type interface-number ]
command to check GVRP statistics on an interface.
● Run the display garp timer [ interface interface-type interface-number ]
command to check values of GARP timers.
● Run the display garp statistics [ interface interface-type interface-number ]
command to check GARP statistics on an interface.
● Run the display gvrp state interface interface-type interface-number vlan
vlan-id command to check GVRP state machine.
● Run the display gvrp vlan-operation interface interface-type interface-
number command to check information about dynamic VLANs on the
specified interface.

----End

8.7 Maintaining GVRP


8.7.1 Clearing GVRP Statistics

Context

NOTICE

The cleared GVRP statistics cannot be restored. Exercise caution when you use this
command.

Procedure
● Run the reset garp statistics [ interface interface-type interface-number ]
command in the user view to clear GARP statistics.
----End

8.8 Configuration Examples for GVRP


This section only provides configuration examples for individual features. For
details about multi-feature configuration examples, feature-specific configuration
examples, interoperation examples, protocol or hardware replacement examples,
and industry application examples, see the Typical Configuration Examples.

8.8.1 Example for Configuring GVRP

Networking Requirements
In Figure 8-6, Company A's headquarters and its branch are connected through
multiple switches. The headquarters and its branch need to communicate. As
businesses develop, Company A's sales department has business dealings with
Company B's procurement department. GVRP needs to be used to enable
Company B's procurement department (VLAN 100, VLANs 102 to 105) to
communicate with Company A's sales department (VLAN 100, VLANs 102 to 105).
Company B's other departments have no business dealings with Company A, and
they do not need to communicate with Company A.

Figure 8-6 Configuring GVRP
[Figure: SwitchA (10GE1/0/1, 10GE1/0/2) at Company A, SwitchC (10GE1/0/1, 10GE1/0/2) toward the branch of Company A, and SwitchB (10GE1/0/1, 10GE1/0/2) toward Company B.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Enable GVRP on SwitchA, SwitchB, and SwitchC, and enable GVRP on
connected interfaces to implement dynamic registration of VLANs.
2. Configure GVRP on all switches of Company A's headquarters and its branch
and set the registration mode to normal to simplify configurations.
3. Configure GVRP on all switches of Company B and set the registration mode
to fixed on the interface connected to Company A so that only the VLANs
configured by Company B are allowed.

Procedure
Step 1 Configure SwitchA.

# Enable GVRP globally.


<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[*HUAWEI] commit
[~SwitchA] gvrp
[*SwitchA] commit

# Configure 10GE1/0/1 as a trunk interface, configure 10GE1/0/1 to allow all
VLANs, enable GVRP, and set the registration mode to normal.
[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] port link-type trunk
[*SwitchA-10GE1/0/1] port trunk allow-pass vlan all
[*SwitchA-10GE1/0/1] gvrp
[*SwitchA-10GE1/0/1] gvrp registration normal
[*SwitchA-10GE1/0/1] commit
[~SwitchA-10GE1/0/1] quit

# Configure 10GE1/0/2 as a trunk interface, configure 10GE1/0/2 to allow all
VLANs, enable GVRP, and set the registration mode to normal.
[~SwitchA] interface 10ge 1/0/2
[~SwitchA-10GE1/0/2] port link-type trunk
[*SwitchA-10GE1/0/2] port trunk allow-pass vlan all
[*SwitchA-10GE1/0/2] gvrp
[*SwitchA-10GE1/0/2] gvrp registration normal

[*SwitchA-10GE1/0/2] commit
[~SwitchA-10GE1/0/2] quit

The configuration of SwitchC is similar to the configuration of SwitchA, and is not
mentioned here.
Step 2 Configure SwitchB.
# Enable GVRP globally and create VLAN 100 and VLANs 102 to 105.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchB
[*HUAWEI] commit
[~SwitchB] gvrp
[*SwitchB] vlan batch 100 102 to 105
[*SwitchB] commit

# Configure 10GE1/0/1 as a trunk interface, configure 10GE1/0/1 to allow all
VLANs, enable GVRP, and set the registration mode to fixed.
[~SwitchB] interface 10ge 1/0/1
[~SwitchB-10GE1/0/1] port link-type trunk
[*SwitchB-10GE1/0/1] port trunk allow-pass vlan all
[*SwitchB-10GE1/0/1] gvrp
[*SwitchB-10GE1/0/1] gvrp registration fixed
[*SwitchB-10GE1/0/1] commit
[~SwitchB-10GE1/0/1] quit

# Configure 10GE1/0/2 as a trunk interface, configure 10GE1/0/2 to allow the
VLAN that 10GE1/0/2 joins, enable GVRP, and set the registration mode to normal.
[~SwitchB] interface 10ge 1/0/2
[~SwitchB-10GE1/0/2] port link-type trunk
[*SwitchB-10GE1/0/2] port trunk allow-pass vlan all
[*SwitchB-10GE1/0/2] gvrp
[*SwitchB-10GE1/0/2] gvrp registration normal
[*SwitchB-10GE1/0/2] commit
[~SwitchB-10GE1/0/2] quit

Step 3 Verify the configuration.


After the configuration is complete, employees of Company A and its branch can
communicate. Employees of Company A in VLAN 100 and VLANs 102 to 105 can
communicate with employees of Company B.
Run the display gvrp status command on SwitchA to check whether GVRP is
enabled globally. The following information is displayed:
[~SwitchA] display gvrp status
GVRP status: enabled.

Run the display gvrp statistics command on SwitchA to check GVRP statistics on
the interface, including the GVRP status, number of GVRP registration failures,
source MAC address of the last GVRP PDU, and registration type of each interface.
[~SwitchA] display gvrp statistics

GVRP statistics on port 10GE1/0/1


GVRP status : Enabled
GVRP registrations failed :0
GVRP last PDU origin : 0000-0000-0000
GVRP registration type : Normal

GVRP statistics on port 10GE1/0/2


GVRP status : Enabled
GVRP registrations failed :0
GVRP last PDU origin : 0000-0000-0000
GVRP registration type : Normal


The display on SwitchB and SwitchC is similar to SwitchA, and is not mentioned
here.

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
gvrp
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
return

● SwitchB configuration file


#
sysname SwitchB
#
vlan batch 100 102 to 105
#
gvrp
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
gvrp registration fixed
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
return

● SwitchC configuration file


#
sysname SwitchC
#
gvrp
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
return
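A review aid for configuration files in the format shown above, added here and not part of the guide: it reports, for each GVRP-enabled interface, the registration mode and the VLANs the interface can end up carrying under the registration-mode rules in 8.2.1. The sample input is the SwitchB file from this page; function names are hypothetical, and VLAN 1 is modelled only for forbidden mode.

```python
"""Summarise GVRP registration exposure per interface (added example)."""

# SwitchB configuration file as shown on this page.
SWITCHB_CFG = """
#
sysname SwitchB
#
vlan batch 100 102 to 105
#
gvrp
#
interface 10GE1/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 gvrp
 gvrp registration fixed
#
interface 10GE1/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 gvrp
#
return
"""


def parse_vlans(tokens):
    """['100', '102', 'to', '105'] -> {100, 102, 103, 104, 105}."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        is_range = tokens[i + 1:i + 2] == ["to"]
        end = tokens[i + 2] if is_range else tokens[i]
        vlans.update(range(int(tokens[i]), int(end) + 1))
        i += 3 if is_range else 1
    return vlans


def parse_config(text):
    """Return global GVRP state, static VLANs and per-interface settings."""
    cfg = {"gvrp": False, "static": set(), "interfaces": {}}
    intf = None                                   # None while in a global block
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[0] in ("#", "return"):               # '#' closes the current block
            intf = None
        elif w[0] == "interface":
            intf = cfg["interfaces"].setdefault(  # registration mode defaults to normal
                w[1], {"link": None, "allow": set(), "gvrp": False, "mode": "normal"})
        elif intf is None:
            if w == ["gvrp"]:
                cfg["gvrp"] = True
            elif w[:2] == ["vlan", "batch"]:
                cfg["static"] |= parse_vlans(w[2:])
        elif w[:2] == ["port", "link-type"]:
            intf["link"] = w[2]
        elif w[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            intf["allow"] |= parse_vlans(w[4:])
        elif w == ["gvrp"]:
            intf["gvrp"] = True
        elif w[:2] == ["gvrp", "registration"]:
            intf["mode"] = w[2]
    return cfg


def audit(text):
    """{interface: {'mode', 'vlans', 'findings'}} for GVRP-enabled interfaces."""
    cfg, report = parse_config(text), {}
    for name, intf in cfg["interfaces"].items():
        if not intf["gvrp"]:
            continue
        findings = []
        if not cfg["gvrp"]:
            findings.append("GVRP is set on the interface but not enabled globally")
        if intf["link"] != "trunk":
            findings.append("GVRP can be configured on trunk interfaces only")
        if intf["mode"] == "normal":      # any allowed VLAN can be registered by the peer
            vlans = set(intf["allow"])
            findings.append("normal mode: VLANs are registered from peer declarations")
        elif intf["mode"] == "fixed":     # only manually configured VLANs
            vlans = intf["allow"] & cfg["static"]
        else:                             # forbidden: only VLAN 1
            vlans = {1}
        report[name] = {"mode": intf["mode"], "vlans": vlans, "findings": findings}
    return report


if __name__ == "__main__":
    for port, row in audit(SWITCHB_CFG).items():
        print(port, row["mode"], len(row["vlans"]), "VLAN(s)", row["findings"])
```
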


9 STP/RSTP Configuration

This chapter describes the concepts and configuration procedures for the Spanning
Tree Protocol (STP) and Rapid Spanning Tree Protocol (RSTP), and provides
configuration examples.

9.1 Overview of STP/RSTP


9.2 Understanding STP/RSTP
9.3 Application Scenarios for STP/RSTP
9.4 Summary of STP/RSTP Configuration Tasks
9.5 Licensing Requirements and Limitations for STP/RSTP
9.6 Default Settings for STP/RSTP
9.7 Configuring STP/RSTP
9.8 Configuring STP Parameters That Affect the STP Convergence Speed
9.9 Setting RSTP Parameters That Affect RSTP Convergence
9.10 Configuring RSTP Protection Functions
9.11 Configuring Interoperability Between Huawei and Non-Huawei Devices
9.12 Maintaining STP/RSTP
9.13 Configuration Examples for STP/RSTP

9.1 Overview of STP/RSTP

Definition
Generally, redundant links are used on an Ethernet switching network to provide
link backup and enhance network reliability. The use of redundant links, however,
may produce loops, causing broadcast storms and making the MAC address table
unstable. As a result, network communication may encounter quality deterioration
or even interruption. STP solves this problem. STP refers to the Spanning Tree
Protocol defined in IEEE 802.1D, which developed into the Rapid Spanning Tree
Protocol (RSTP) in IEEE 802.1w and then the Multiple Spanning Tree Protocol
(MSTP) in IEEE 802.1S.

MSTP is compatible with RSTP and STP, and RSTP is compatible with STP. Table
9-1 compares the STP, RSTP, and MSTP protocols.

Table 9-1 Comparison of STP, RSTP, and MSTP

Spanning Tree Protocol: STP
Characteristics:
● A loop-free tree topology is formed in an STP region to prevent broadcast
storms while implementing link redundancy.
● Route convergence is slow.
Usage Scenario: All VLANs share one spanning tree, and users or services do not
need to be differentiated.

Spanning Tree Protocol: RSTP
Characteristics:
● A loop-free tree topology is formed in an RSTP region to prevent broadcast
storms while implementing link redundancy.
● RSTP achieves fast network convergence.

Spanning Tree Protocol: MSTP
Characteristics:
● A loop-free tree topology is formed in an MSTP region to prevent broadcast
storms while implementing link redundancy.
● MSTP achieves fast network convergence.
● MSTP implements load balancing among VLANs. Traffic in different VLANs is
transmitted along different paths.
Usage Scenario: Traffic in different VLANs is forwarded through different
spanning trees for load balancing. The spanning trees are independent of each
other. In this situation, users or services are distinguished by VLANs.

Purpose
After a spanning tree protocol is configured on an Ethernet switching network, the
protocol calculates the network topology to implement the following functions:

● Loop prevention: The spanning tree protocol blocks redundant links to prevent
potential loops on the network.
● Link redundancy: If an active link fails and a redundant link exists, the
spanning tree protocol activates the redundant link to ensure network
connectivity.


9.2 Understanding STP/RSTP

9.2.1 STP Background


STP prevents loops on a local area network (LAN). Devices running STP exchange
information with one another to discover loops on the network, and block certain
ports to eliminate loops. With the growth in scale of LANs, STP has become an
important protocol for a LAN.

Figure 9-1 Typical LAN networking

[Diagram labels: ServerA, S1 (Port1, Port2), S2 (Port1, Port2), ServerB;
legend: data flow]

On the network shown in Figure 9-1, the following situations may occur:
● Broadcast storms cause a breakdown of the network.
If a loop exists on the network, broadcast storms may occur, leading to a
breakdown of the network. In Figure 9-1, STP is not enabled on the switches.
If ServerA sends a broadcast request, both S1 and S2 receive the request on
port 1 and forward the request through their port 2. Then, S1 and S2 receive
the request forwarded by each other on port 2 and forward the request
through port 1. As this process repeats, resources on the entire network are
exhausted, and the network finally breaks down.
● MAC address table flapping causes unstable MAC address entries.
Assume that no broadcast storm has occurred on the network shown in
Figure 9-1. ServerA sends a unicast packet to ServerB. If ServerB is
temporarily removed from the network at this time, the MAC address entry
for ServerB will be deleted on S1 and S2. The unicast packet sent by ServerA
to ServerB is received by port 1 on S1. S1 has no matching MAC address entry,
so the unicast packet is forwarded to port 2. Then port 2 on S2 receives the
unicast packet from port 2 on S1 and sends it out through port 1. In addition,
port 1 on S2 also receives the unicast packet sent by ServerA to ServerB, and
sends it out through port 2. As such transmissions repeat, port 1 and port 2
on S1 and S2 continuously receive unicast packets from ServerA. S1 and S2
modify the MAC address entries continuously, causing the MAC address table
to flap. As a result, MAC address entries are damaged.

9.2.2 Basic Concepts of STP

Root Bridge
A tree topology must have a root. As defined in STP, the device that functions as
the root of a tree network is called the root bridge.

There is only one root bridge on the entire STP network. Although the root bridge
is not necessarily at the physical center of the network, it functions as its logical
center. The root bridge changes dynamically with the network topology.

After network convergence, the root bridge generates configuration BPDUs and
sends them to other devices at specific intervals. Other devices process and
forward the configuration BPDUs to communicate the topology changes to
downstream devices.

Metrics for Spanning Tree Calculation


A spanning tree is calculated based on the following metrics: ID and path cost.

● ID
– Bridge ID (BID)
According to IEEE 802.1D, a BID is composed of a bridge priority
(leftmost 16 bits) and a bridge MAC address (rightmost 48 bits).
On an STP network, the device with the smallest BID is elected as the
root bridge.
– Port ID (PID)
A PID is composed of a port priority (leftmost 4 bits) and a port number
(rightmost 12 bits).
The PID is used to select the designated port.
NOTE

The port priority affects the role of a port in a specified spanning tree instance.
For details, see 9.2.4 STP Topology Calculation.
● Path cost
The path cost is a port variable used for link selection. STP calculates path
costs to select robust links, blocks redundant links, and finally trims the
network into a loop-free tree topology.
On an STP network, a port's path cost to the root bridge is the sum of the
path costs of all ports between the port and the root bridge. This path cost is
the root path cost.


Root Bridge, Root Port, and Designated Port


Three elements are involved in pruning a ring network into a tree network: root
bridge, root port, and designated port. Figure 9-2 shows the three elements in the
STP network architecture.

Figure 9-2 STP network architecture

[Diagram labels, by device]
S1 (root bridge): port A PC=100;RPC=0, port B PC=100;RPC=0
S2: port B PC=100;RPC=100, port A PC=99;RPC=100
S3: port A PC=100;RPC=100, port B PC=200;RPC=100
S4: port B PC=99;RPC=199, port A PC=200;RPC=199
PC: path cost
RPC: root path cost
Legend: root port, designated port, blocked port

● Root bridge
The root bridge is the bridge with the smallest BID, which is discovered by
exchanging configuration BPDUs.
● Root port
The root port on an STP device is the port with the smallest path cost to the
root bridge and is responsible for forwarding data to the root bridge. An STP
device has only one root port, and there is no root port on the root bridge.
● Designated port
Table 9-2 explains the designated bridge and designated port.

Table 9-2 Designated bridge and designated port

Reference Object: Device
Designated Bridge: A directly connected device that forwards configuration
BPDUs to the device
Designated Port: The designated bridge's port that forwards configuration
BPDUs to the device

Reference Object: LAN
Designated Bridge: A device that forwards configuration BPDUs to the LAN
Designated Port: The designated bridge's port that forwards configuration
BPDUs to the LAN

In Figure 9-3, AP1 and AP2 are ports of S1; BP1 and BP2 are ports of S2; CP1
and CP2 are ports of S3.
– S1 sends configuration BPDUs to S2 through AP1, so S1 is the designated
bridge for S2, and AP1 is the designated port on S1.
– S2 and S3 are connected to the LAN. If S2 forwards configuration BPDUs
to the LAN, S2 is the designated bridge for the LAN, and BP2 is the
designated port on S2.

Figure 9-3 Designated bridge and designated port

[Diagram labels: S1 (AP1, AP2), S2 (BP1, BP2), S3 (CP1, CP2), LAN]

After the root bridge, root ports, and designated ports are selected successfully, a
tree topology is set up on the entire network. When the topology is stable, only
the root port and designated ports forward traffic. The other ports are in Blocking
state; they only receive STP BPDUs and do not forward user traffic.

Comparison Principles
During role election, STP devices compare four fields, which form a BPDU priority
vector {root bridge ID, root path cost, sender BID, PID}.
Table 9-3 describes the four fields carried in a configuration BPDU.


Table 9-3 Four fields

Field            Description
Root bridge ID   ID of the root bridge. Each STP network has only one root
                 bridge.
Root path cost   Path cost to the root bridge. It is determined by the distance
                 between the port sending the configuration BPDU and the root
                 bridge.
Sender BID       BID of the device that sends the configuration BPDU.
PID              PID of the port that sends the configuration BPDU.

After a device on the STP network receives a configuration BPDU, it compares the
fields listed in Table 9-3 with its own values. The four comparison principles are as
follows:
● Smallest BID: used to select the root bridge. Devices on an STP network select
the device with the smallest BID to become the root bridge. This BID is then
used as the root bridge ID field in Table 9-3.
● Smallest root path cost: used to select the root port on a non-root bridge. The
port with the smallest root path cost is selected as the root port. On the root
bridge, the path cost of each port is 0 and there is no root port.
● Smallest sender BID: used to select the root port among ports with the same
root path cost. The port with the smallest sender BID is selected as the root
port in STP calculation. For example, S2 has a smaller BID than S3 in Figure
9-2. If the BPDUs received on port A and port B of S4 contain the same root
path cost, port B becomes the root port on S4 because the BPDU received on
port B has a smaller sender BID.
● Smallest PID: used to determine which port should be blocked when multiple
ports have the same root path cost. The port with the smallest PID is not
blocked. The PIDs are compared in the scenario shown in Figure 9-4. The
BPDUs received on port A and port B of S1 contain the same root path cost
and sender BID. Port A has a smaller PID than port B. Therefore, port B is
blocked to prevent loops.

Figure 9-4 Scenario where PIDs need to be compared

[Diagram labels: S1, S2, ports A and B; legend: designated port, blocked port]


Port States
Table 9-4 describes the possible states of ports on an STP device.

Table 9-4 STP port states

Port State: Forwarding
Purpose: A port in Forwarding state can forward user traffic and process BPDUs.
Description: Only the root port and designated port can enter the Forwarding
state.

Port State: Learning
Purpose: When a port is in Learning state, the device creates MAC address
entries based on user traffic received on the port but does not forward user
traffic through the port.
Description: This is a transitional state, which is designed to prevent
temporary loops.

Port State: Listening
Purpose: All ports are in Listening state before the root bridge, root port,
and designated port are selected.
Description: This is a transitional state.

Port State: Blocking
Purpose: A port in Blocking state receives and processes only BPDUs, and does
not forward user traffic.
Description: This is the final state of a blocked port.

Port State: Disabled
Purpose: A port in Disabled state does not process BPDUs or forward user
traffic.
Description: The port is Down.

Figure 9-5 shows the state transitions of a port.


Figure 9-5 STP state transitions of a port

[Diagram: the states Disabled or Down, Blocking, Listening, Learning, and
Forwarding, connected by transitions numbered 1 to 5]

1 The port is initialized or enabled, and enters the Blocking state.
2 The port is selected as the root or designated port, and enters the
Listening state.
3 When the time for keeping the port in a temporary state is reached, the port
enters the Learning or Forwarding state. The port is selected as the root or
designated port.
4 The port is not the root or designated port, and enters the Blocking state.
5 The port is disabled or the link fails.

Table 9-5 describes the MSTP port states.

Table 9-5 MSTP port states

Port State   Description
Forwarding   A port in Forwarding state can forward user traffic and process
             BPDUs.
Learning     This is a transitional state. When a port is in Learning state,
             the device creates MAC address entries based on user traffic
             received on the port but does not forward user traffic through
             the port.
Discarding   A port in Discarding state can only receive BPDUs.

After a Huawei device transitions from the Multiple Spanning Tree Protocol
(MSTP) mode (default mode) to the STP mode, its STP ports support only those
states defined in MSTP, which are Forwarding, Learning, and Discarding. The
Forwarding and Learning states are the same as the corresponding STP states. A
port in Discarding state can only receive BPDUs.
The following parameters affect the STP port states and convergence speed.
● Hello Time
The Hello Time specifies the interval at which an STP device sends
configuration BPDUs to detect link failures.
When the Hello Time is changed, the new value takes effect only after a new
root bridge is elected. The new root bridge adds the new Hello Time value in
BPDUs it sends to non-root bridges. When the network topology changes,
Topology Change Notification (TCN) BPDUs are transmitted immediately,
irrespective of the Hello Time.
● Forward Delay
The Forward Delay timer specifies the length of delay before a port state
transition. When a link fails, STP calculation is triggered and the spanning tree
structure changes. However, because new configuration BPDUs cannot be
immediately spread over the entire network, convergence takes some time. If
the new root port and designated port forward data before convergence,
transient loops may occur. Therefore, STP defines a port state transition delay
mechanism. The newly selected root port and designated port must wait for
two Forward Delay intervals before transitioning to the Forwarding state.
During this time, the new configuration BPDUs can be transmitted over the
network, preventing transient loops during convergence.
The default Forward Delay timer value is 15 seconds. This means that the port
stays in Listening state for 15 seconds and then stays in Learning state for
another 15 seconds before transitioning to the Forwarding state. The port
does not forward user traffic when it is in Listening or Learning state, which is
key to preventing transient loops.
● Max Age
The Max Age specifies the aging time of BPDUs. This parameter is
configurable on the root bridge.
The Max Age is spread to the entire network with configuration BPDUs. After
a non-root bridge receives a configuration BPDU, it either forwards or discards
the configuration BPDU by comparing the Message Age value with the Max
Age value. The details are as follows:
– If the Message Age value is less than or equal to the Max Age value, the
non-root bridge forwards the configuration BPDU.
– If the Message Age value is larger than the Max Age value, the non-root
bridge discards the configuration BPDU. When this happens, the network
size is considered too large and the non-root bridge disconnects from the
root bridge.
If the configuration BPDU is sent from the root bridge, the value of Message
Age is 0. Otherwise, the value of Message Age is the total time spent to
transmit the BPDU from the root bridge to the local bridge, including the
transmission delay. In real-world situations, the Message Age value of a
configuration BPDU increases by 1 each time the configuration BPDU passes
through a bridge.
Table 9-6 provides the timer values defined in IEEE 802.1D.


Table 9-6 Values of STP timer parameters

Parameter       Default Setting                   Value Range
Hello Time      200 centiseconds (2 seconds)      100-1000
Max Age         2000 centiseconds (20 seconds)    600-4000
Forward Delay   1500 centiseconds (15 seconds)    400-3000

9.2.3 STP BPDU Format


A BPDU is encapsulated in an Ethernet frame. Its destination MAC address is a
multicast MAC address 01-80-C2-00-00-00. The Length field specifies the MAC
data length, and is followed by the LLC header. Figure 9-6 shows the Ethernet
frame format.

Figure 9-6 Format of an Ethernet frame


6 bytes 6 bytes 2 bytes 3 bytes 38-1492 bytes 4 bytes
DMAC SMAC Length LLC BPDU data CRC

There are two types of STP BPDUs:


● Configuration BPDUs are heartbeat packets. STP-enabled designated ports
send configuration BPDUs at Hello intervals.
● Topology Change Notification (TCN) BPDUs are sent only after a device
detects a network topology change.

Configuration BPDU
Configuration BPDUs are used most commonly and are used for exchanging
topology information among STP devices.
Each bridge actively sends configuration BPDUs during initialization. After the
network topology becomes stable, only the root bridge actively sends
configuration BPDUs. Other bridges send configuration BPDUs only after receiving
configuration BPDUs from upstream devices. A configuration BPDU is at least 35
bytes long, and includes the parameters such as the BID, root path cost, and PID. A
bridge processes a received configuration BPDU only when it finds that at least
one of the sender BID and PID is different from that on the local receive port. If
both fields are the same as those on the receive port, the bridge drops the
configuration BPDU. This reduces the number of BPDUs that a bridge needs to
process.
A configuration BPDU is sent in the following scenarios:
● After STP is enabled on ports of a device, the designated port on the device
sends configuration BPDUs at Hello intervals.
● When the root port on a device receives a configuration BPDU, the device
sends a copy of the configuration BPDU to each of its designated ports.
● When a designated port receives a low-priority configuration BPDU, the
designated port immediately sends its own configuration BPDU to the
downstream device.

Table 9-7 describes fields in a BPDU.

Table 9-7 Fields in a BPDU

Field                         Bytes  Description
Protocol Identifier           2      The value is fixed at 0.
Protocol Version Identifier   1      The value is fixed at 0.
BPDU Type                     1      Indicates the type of a BPDU:
                                     ● 0x00: configuration BPDU
                                     ● 0x80: TCN BPDU
Flags                         1      Indicates whether the network topology has
                                     changed.
                                     ● The rightmost bit is the Topology Change
                                       (TC) flag.
                                     ● The leftmost bit is the Topology Change
                                       Acknowledgment (TCA) flag.
Root Identifier               8      Indicates the BID of the current root
                                     bridge.
Root Path Cost                4      Indicates the accumulated path cost from a
                                     port to the root bridge.
Bridge Identifier             8      Indicates the BID of the bridge that sends
                                     the BPDU.
Port Identifier               2      Indicates the ID of the port that sends the
                                     BPDU.
Message Age                   2      Records the time that has elapsed since the
                                     original BPDU was generated on the root
                                     bridge.
                                     If the configuration BPDU is sent from the
                                     root bridge, the value of Message Age is 0.
                                     Otherwise, the value of Message Age is the
                                     total time spent to transmit the BPDU from
                                     the root bridge to the local bridge,
                                     including the transmission delay. In
                                     real-world situations, the Message Age
                                     value of a configuration BPDU increases by
                                     1 each time the configuration BPDU passes
                                     through a bridge.
Max Age                       2      Indicates the aging time of a BPDU.
Hello Time                    2      Indicates the interval at which BPDUs are
                                     sent.
Forward Delay                 2      Indicates the period during which a port
                                     stays in the Listening and Learning states.


Figure 9-7 shows the Flags field. Only the leftmost and rightmost bits are used in
STP.

Figure 9-7 Format of the Flags field

Bit7: TCA flag
Bit6 to Bit1: Reserved
Bit0: TC flag

TCN BPDU
A TCN BPDU contains only three fields: Protocol Identifier, Version, and Type, as
described in Table 9-7. The Type field is four bytes long and is fixed at 0x80.

When the network topology changes, TCN BPDUs are transmitted upstream until
they reach the root bridge. A TCN BPDU is sent in the following scenarios:
● A port transitions to the Forwarding state.
● A designated port receives a TCN BPDU and sends a copy to the root bridge.
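
A parser for the frame layout in Figure 9-6 and the fields in Table 9-7, as an added Python example that is not part of the guide; it also applies the Max Age rule from 9.2.2. The LLC value 0x42 0x42 0x03 and the 1/256-second unit of the timer fields come from IEEE 802.2 and IEEE 802.1D rather than from this page, and the sample frame and its MAC addresses are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

STP_DMAC = bytes.fromhex("0180c2000000")     # 01-80-C2-00-00-00
LLC_STP = bytes.fromhex("424203")            # DSAP, SSAP, control (IEEE 802.2, assumed)
TYPE_CONFIG, TYPE_TCN = 0x00, 0x80
CONFIG_BODY = struct.Struct("!B8sI8sHHHHH")  # Flags .. Forward Delay = 31 bytes


def split_bid(raw: bytes):
    """BID = 16-bit bridge priority followed by the 48-bit bridge MAC."""
    return int.from_bytes(raw[:2], "big"), raw[2:].hex("-")


@dataclass
class ConfigBPDU:
    tc: bool
    tca: bool
    root_id: tuple
    root_path_cost: int
    bridge_id: tuple
    port_priority: int      # raw 4-bit field from the PID
    port_number: int        # 12-bit port number from the PID
    message_age: float      # seconds
    max_age: float
    hello_time: float
    forward_delay: float

    @property
    def expired(self) -> bool:
        # A bridge discards the BPDU when Message Age is larger than Max Age.
        return self.message_age > self.max_age


def parse_stp_frame(frame: bytes) -> Optional[ConfigBPDU]:
    """Return a ConfigBPDU, None for a TCN BPDU; raise ValueError if malformed."""
    if len(frame) < 14 + 3 + 4:
        raise ValueError("too short for Ethernet header, LLC and BPDU header")
    if frame[:6] != STP_DMAC:
        raise ValueError("destination is not the STP multicast address")
    (length,) = struct.unpack("!H", frame[12:14])
    if length > 1500:
        raise ValueError("type field, not an 802.3 length")
    payload = frame[14:14 + length]          # Length trims Ethernet padding
    if len(payload) < length or payload[:3] != LLC_STP:
        raise ValueError("truncated frame or unexpected LLC header")
    bpdu = payload[3:]
    if len(bpdu) < 4:
        raise ValueError("BPDU header truncated")
    proto, version, bpdu_type = struct.unpack("!HBB", bpdu[:4])
    if proto != 0 or version != 0:
        raise ValueError("not an STP (version 0) BPDU")
    if bpdu_type == TYPE_TCN:
        return None                          # TCN carries only the three header fields
    if bpdu_type != TYPE_CONFIG:
        raise ValueError("unknown BPDU type 0x%02x" % bpdu_type)
    if len(bpdu) < 4 + CONFIG_BODY.size:
        raise ValueError("configuration BPDU shorter than 35 bytes")
    flags, root, cost, bridge, pid, *timers = CONFIG_BODY.unpack_from(bpdu, 4)
    msg_age, max_age, hello, fwd = (t / 256 for t in timers)
    return ConfigBPDU(
        tc=bool(flags & 0x01), tca=bool(flags & 0x80),
        root_id=split_bid(root), root_path_cost=cost, bridge_id=split_bid(bridge),
        port_priority=pid >> 12, port_number=pid & 0x0FFF,
        message_age=msg_age, max_age=max_age, hello_time=hello, forward_delay=fwd)


def build_sample(message_age_s: int = 1, bpdu_type: int = TYPE_CONFIG) -> bytes:
    """Constructed frame (not a capture); the CRC is left out, as in most captures."""
    root = (0).to_bytes(2, "big") + bytes.fromhex("020000000001")
    bridge = (32768).to_bytes(2, "big") + bytes.fromhex("020000000002")
    bpdu = struct.pack("!HBB", 0, 0, bpdu_type)
    if bpdu_type == TYPE_CONFIG:
        bpdu += CONFIG_BODY.pack(0x81, root, 5, bridge, 0x8002,
                                 message_age_s * 256, 20 * 256, 2 * 256, 15 * 256)
    llc = LLC_STP + bpdu
    frame = STP_DMAC + bytes.fromhex("020000000002") + struct.pack("!H", len(llc)) + llc
    return frame.ljust(60, b"\x00")          # padded to the Ethernet minimum


if __name__ == "__main__":
    print(parse_stp_frame(build_sample()))
```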

9.2.4 STP Topology Calculation


After STP is enabled on all devices on a network, all devices consider themselves
the root bridge. All ports on the devices are in Listening state (they only transmit
and receive configuration BPDUs and do not forward user traffic). Then the
devices select the root bridge, root ports, and designated ports based on
configuration BPDUs.

BPDU Exchange
Figure 9-8 shows the initial information exchange process. The four parameters in
a pair of brackets represent the root bridge ID (S1_MAC and S2_MAC are BIDs of
the two devices), root path cost, sender BID, and PID carried in configuration
BPDUs. Configuration BPDUs are sent at Hello intervals.

Figure 9-8 Initial BPDU exchange

Port A of S1 sends {S1_MAC,0,S1_MAC,A_PID} to S2.
Port B of S2 sends {S2_MAC,0,S2_MAC,B_PID} to S1.


STP Algorithm Implementation


1. Initialization
Because each bridge considers itself the root bridge, the BPDU sent from a
port is set as follows:
The root bridge ID is the BID of the local bridge, the root path cost is the
accumulative path cost from the port to the local bridge, the sender BID is the
BID of the local bridge, and the PID is the ID of the port that sends the BPDU.
2. Root bridge election
During network initialization, every device considers itself the root bridge and
sets the root bridge ID to its own BID. Then devices exchange configuration
BPDUs and compare their root bridge IDs to find the device with the smallest
BID, which finally becomes the root bridge.
3. Root port and designated port selection
Table 9-8 describes the process of selecting the root port and designated
port.

Table 9-8 Selecting the root port and designated port

Step 1: A non-root bridge device selects the port that receives the
configuration BPDU with the highest priority as the root port. Table 9-9
describes the process of selecting the configuration BPDU with the highest
priority.

Step 2: The device generates a configuration BPDU for each port and calculates
the fields in the configuration BPDU based on the configuration BPDU on the
root port and path cost of the root port. The details are as follows:
● Replaces the root bridge ID with the root bridge ID in the configuration
BPDU on the root port.
● Replaces the root path cost with the accumulated root path cost in the
configuration BPDU on the root port and the path cost of the root port.
● Replaces the sender BID with the local BID.
● Replaces the PID with the local port ID.

Step 3: The device selects the port state by comparing the calculated
configuration BPDU with the configuration BPDU received on the port. The
details are as follows:
● If the calculated configuration BPDU is superior, the port is selected as
the designated port and periodically sends the calculated configuration BPDU.
● If the port's own configuration BPDU is superior, the configuration BPDU on
the port is not updated and the port is blocked. Then the port only receives
BPDUs, and does not forward data or send BPDUs.


Table 9-9 Selecting the configuration BPDU with the highest priority

Step 1: Each port decides how to process the received configuration BPDU by
comparing it with its own configuration BPDU. The details are as follows:
● If the received configuration BPDU is inferior, the port discards the
received configuration BPDU and retains its own configuration BPDU.
● If the received configuration BPDU is superior, the port replaces its own
configuration BPDU with the received one.

Step 2: The device compares configuration BPDUs on all the ports and selects
the one with the highest priority.

Example of STP Topology Calculation


After the root bridge, root ports, and designated ports are selected successfully, a
tree topology is set up on the entire network. The following example illustrates
how STP calculation is implemented.

Figure 9-9 STP networking and calculated topology

[Diagram: the network before and after STP topology calculation. Labels:
DeviceA (Priority=0, root bridge) with Port A1 and Port A2; DeviceB
(Priority=1) with Port B1 and Port B2; DeviceC (Priority=2) with Port C1 and
Port C2; path costs 5, 10, and 4; legend: root port, designated port, blocked
port]

As shown in Figure 9-9, DeviceA, DeviceB, and DeviceC are deployed on the
network, with priorities 0, 1, and 2, respectively. The path costs between DeviceA
and DeviceB, DeviceA and DeviceC, and DeviceB and DeviceC are 5, 10, and 4,
respectively.


Table 9-10 Initial state of each device

Device    Port      Configuration BPDU
DeviceA   Port A1   {0, 0, 0, Port A1}
          Port A2   {0, 0, 0, Port A2}
DeviceB   Port B1   {1, 0, 1, Port B1}
          Port B2   {1, 0, 1, Port B2}
DeviceC   Port C1   {2, 0, 2, Port C1}
          Port C2   {2, 0, 2, Port C2}

NOTE
The fields that are compared in a configuration BPDU are {root bridge ID, root path cost,
sender BID, PID}.

Table 9-11 Topology calculation process and resulting configuration BPDU

DeviceA

Process:
● Port A1 receives the configuration BPDU {1, 0, 1, Port B1} from Port B1 and
finds it inferior to its own configuration BPDU {0, 0, 0, Port A1}, so Port A1
discards the received configuration BPDU.
● Port A2 receives the configuration BPDU {2, 0, 2, Port C1} from Port C1 and
finds its own configuration BPDU {0, 0, 0, Port A2} with a higher priority, so
Port A2 discards the received configuration BPDU.
● DeviceA finds that the root bridge and designated bridge specified in the
configuration BPDUs on its ports are both itself. Therefore, DeviceA considers
itself as the root bridge and periodically sends configuration BPDUs from each
port without modifying the BPDUs.
Resulting configuration BPDU:
● Port A1: {0, 0, 0, Port A1}
● Port A2: {0, 0, 0, Port A2}

DeviceB

Process:
● Port B1 receives the configuration BPDU {0, 0, 0, Port A1} from Port A1 and
finds it superior to its own configuration BPDU {0, 0, 0, Port B1}, so Port B1
updates its configuration BPDU.
● Port B2 receives the configuration BPDU {2, 0, 2, Port C2} from Port C2 and
finds it inferior to its own configuration BPDU {1, 0, 1, Port B2}, so Port B2
discards the received configuration BPDU.
Resulting configuration BPDU:
● Port B1: {0, 0, 0, Port A1}
● Port B2: {1, 0, 1, Port B2}

Process:
● DeviceB compares the configuration BPDU on each port and finds that Port B1
has the optimal configuration BPDU. DeviceB selects Port B1 as the root port
and retains the configuration BPDU on Port B1.
● DeviceB calculates the configuration BPDU {0, 5, 1, Port B2} for Port B2
based on the configuration BPDU and path cost of the root port, and compares
the calculated configuration BPDU with the original configuration BPDU {1, 0,
1, Port B2} on Port B2. The calculated configuration BPDU is superior to the
original one, so DeviceB selects Port B2 as the designated port, replaces Port
B2's configuration BPDU with the calculated one, and periodically sends the
configuration BPDU from Port B2.
Resulting configuration BPDU:
● Root port (Port B1): {0, 0, 0, Port A1}
● Designated port (Port B2): {0, 5, 1, Port B2}

DeviceC

Process:
● Port C1 receives the configuration BPDU {0, 0, 0, Port A2} from Port A2 and
finds it superior to its own configuration BPDU {2, 0, 2, Port C1}, so Port C1
updates its configuration BPDU.
● Port C2 receives the configuration BPDU {1, 0, 1, Port B2} from Port B2 and
finds it superior to its own configuration BPDU {1, 0, 1, Port B2}, so Port C2
updates its configuration BPDU.
Resulting configuration BPDU:
● Port C1: {0, 0, 0, Port A2}
● Port C2: {1, 0, 1, Port B2}

Process:
● DeviceC compares the configuration BPDU on each port and finds that the
configuration BPDU on Port C1 is optimal. DeviceC selects Port C1 as the root
port and retains the configuration BPDU on Port C1.
● DeviceC calculates the configuration BPDU {0, 10, 2, Port C2} for Port C2
based on the configuration BPDU and path cost of the root port, and compares
the calculated configuration BPDU with the original configuration BPDU {1, 0,
1, Port B2} on Port C2. The calculated configuration BPDU is superior to the
original one, so DeviceC selects Port C2 as the designated port and replaces
its configuration BPDU with the calculated one.
Resulting configuration BPDU:
● Root port (Port C1): {0, 0, 0, Port A2}
● Designated port (Port C2): {0, 10, 2, Port C2}

Process:
● Port C2 receives the configuration BPDU {0, 5, 1, Port B2} from Port B2 and
finds it superior to its own configuration BPDU {0, 10, 2, Port C2}, so Port C2
updates its configuration BPDU.
● Port C1 receives the configuration BPDU {0, 0, 0, Port A2} from Port A2 and
finds it the same as its own configuration BPDU, so Port C1 discards the
received configuration BPDU.
Resulting configuration BPDU:
● Port C1: {0, 0, 0, Port A2}
● Port C2: {0, 5, 1, Port B2}

Process:
● The root path cost of Port C1 is 10 (root path cost 0 in the received
configuration BPDU plus the link path cost 10), and the root path cost of Port
C2 is 9 (root path cost 5 in the received configuration BPDU plus the link path
cost 4). DeviceC finds that Port C2 has a smaller root path cost and therefore
considers the configuration BPDU of Port C2 superior to that of Port C1.
DeviceC then selects Port C2 as the root port and retains its configuration
BPDU.
● DeviceC calculates the configuration BPDU {0, 9, 2, Port C1} for Port C1
based on the configuration BPDU and path cost of the root port, and finds the
calculated configuration BPDU inferior to the original configuration BPDU {0,
0, 0, Port A2} on Port C2. DeviceC blocks Port C1 and does not update its
configuration BPDU. Port C1 no longer forwards data until STP recalculation is
triggered, for example, when the link between DeviceB and DeviceC is Down.
Resulting configuration BPDU:
● Blocked port (Port C1): {0, 0, 0, Port A2}
● Root port (Port C2): {0, 5, 1, Port B2}

After the topology becomes stable, the root bridge still sends configuration BPDUs
at intervals specified by the Hello timer. Each non-root bridge forwards the
received configuration BPDUs through its designated port. When a non-root
bridge receives a superior configuration BPDU on a port, the non-root bridge
replaces the configuration BPDU on the port with the received configuration
BPDU.
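
The DeviceC calculation in the table above can be replayed in a few lines. This is an added example, not code from the guide: the function and class names are hypothetical, port IDs are kept as port names as in the table (real port IDs are numeric), and the BPDU values and link path costs (10 and 4) are the ones the table uses. It generalizes to any number of ports on one bridge.

```python
from typing import NamedTuple


class Bpdu(NamedTuple):
    """Priority vector in the guide's notation:
    {root bridge ID, root path cost, sender bridge ID, sender port ID}."""
    root_id: int
    root_path_cost: int
    bridge_id: int
    port_id: str  # a port name, as in the table; real port IDs are numeric


def elect_roles(bridge_id, ports):
    """Decide port roles on one bridge.

    ports maps a local port name to (BPDU currently stored on the port,
    path cost of the attached link). Returns {port: (role, BPDU kept)}.
    Tuples compare field by field, and the smaller vector is superior.
    """
    # Only ports that have heard of a root better than this bridge can be
    # root-port candidates.
    candidates = [name for name, (bpdu, _) in ports.items()
                  if bpdu.root_id < bridge_id]
    if not candidates:
        # Nothing superior was received: this bridge is the root bridge and
        # every port is a designated port.
        return {name: ("designated", Bpdu(bridge_id, 0, bridge_id, name))
                for name in ports}

    def via(name):
        bpdu, link_cost = ports[name]
        # Root path cost through this port = advertised cost + link cost.
        return (bpdu.root_id, bpdu.root_path_cost + link_cost,
                bpdu.bridge_id, bpdu.port_id, name)

    root_port = min(candidates, key=via)
    root_id, root_cost = via(root_port)[:2]
    roles = {root_port: ("root", ports[root_port][0])}

    for name, (stored, _) in ports.items():
        if name == root_port:
            continue
        # BPDU this bridge would send out of the port.
        calculated = Bpdu(root_id, root_cost, bridge_id, name)
        if calculated < stored:
            roles[name] = ("designated", calculated)   # ours is superior
        else:
            roles[name] = ("blocked", stored)          # keep the neighbor's
    return roles


# DeviceC (bridge ID 2) before and after DeviceB advertises the real root.
BEFORE = {"Port C1": (Bpdu(0, 0, 0, "Port A2"), 10),
          "Port C2": (Bpdu(1, 0, 1, "Port B2"), 4)}
AFTER = {"Port C1": (Bpdu(0, 0, 0, "Port A2"), 10),
         "Port C2": (Bpdu(0, 5, 1, "Port B2"), 4)}

if __name__ == "__main__":
    for label, ports in (("before", BEFORE), ("after", AFTER)):
        for port, (role, bpdu) in sorted(elect_roles(2, ports).items()):
            print(label, port, role, tuple(bpdu))
```

Because the smaller vector always wins, any device that can inject a BPDU with a lower root bridge ID shifts these roles, which is the condition root protection is designed to catch.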

STP Topology Changes


Figure 9-10 shows the packet transmission process after an STP topology change.

Figure 9-10 Packet transmission after a topology change
[Figure: two panels, each with the root bridge at the top. A topology change is
generated on point T. Step 1: A TCN is going up to the root. Step 2: The root
bridge advertises the TC for Max Age + forward delay.]

The following is the process that takes place after a topology change occurs:
1. When the status of the interface at point T changes, a downstream device
continuously sends TCN BPDUs to the upstream device to inform the
upstream device and root bridge of topology changes.
2. The upstream device processes only the TCN BPDUs received on the
designated port and drops TCN BPDUs on other ports.
3. The upstream device sets the TCA bit of the Flags field in the configuration
BPDUs to 1 and returns the configuration BPDUs to instruct the downstream
device to stop sending TCN BPDUs.
4. The upstream device sends a copy of the TCN BPDUs toward the root bridge.
5. Steps 1, 2, 3 and 4 are repeated until the root bridge receives the TCN BPDUs.
6. The root bridge sets the TC and TCA bits of the Flags field in the configuration
BPDUs to 1. The TC bit of 1 informs the downstream device of topology
changes and instructs the downstream device to delete MAC address entries.
In this manner, fast network convergence is achieved. The TCA bit of 1
informs the downstream device that the topology changes are known and
instructs the downstream device to stop sending TCN BPDUs.

9.2.5 Advantages of RSTP


In 2001, IEEE 802.1w was published to introduce the Rapid Spanning Tree Protocol
(RSTP), an extension of the Spanning Tree Protocol (STP). RSTP was developed
based on STP and makes supplements and modifications to STP.

Disadvantages of STP
STP ensures a loop-free network but is slow to converge, leading to service quality
deterioration. If the network topology changes frequently, connections on the STP
network are frequently torn down, causing frequent service interruption.
STP has the following disadvantages:

● STP does not differentiate between port roles according to their states,
making it difficult for less experienced administrators to learn about and
deploy this protocol.
– Ports in Listening, Learning, and Blocking states are the same for users
because they are all prevented from forwarding service traffic.
– In terms of port use and configuration, the essential differences between
ports lie in the port roles but not port states.
Both root and designated ports can be in Listening state or Forwarding
state, so the port roles cannot be differentiated according to their states.
● The STP algorithm does not determine topology changes until the timer
expires, delaying network convergence.
● The STP algorithm requires the root bridge to send configuration BPDUs after
the network topology becomes stable, and other devices process and spread
the configuration BPDUs through the entire network. This also delays
convergence.

Improvements Made in RSTP


RSTP deletes three port states, defines two new port roles (alternate port and
backup port), and makes port attributes identifiable according to port states and
roles. In addition, RSTP provides enhanced features and protection measures to
ensure network stability and fast convergence.
● More port roles are defined to simplify the learning and deployment of the
STP protocol.

Figure 9-11 Diagram of port roles
[Figure: two topologies, each with root bridge S1 above switches S2 and S3.
Legend: root port, designated port, alternate port, backup port.]

As shown in Figure 9-11, RSTP defines four port roles: root port, designated
port, alternate port, and backup port.
The functions of the root port and designated port are the same as those
defined in STP. The alternate port and backup port are described as follows:
– During configuration BPDU transmission:
▪ An alternate port is blocked after learning a configuration BPDU sent
by another bridge.
▪ A backup port is blocked after learning a configuration BPDU sent by
itself.
– During user traffic forwarding:
▪ An alternate port acts as a backup of the root port and provides an
alternate path from the designated bridge to the root bridge.
▪ A backup port acts as a backup of the designated port and provides
a backup path from the root bridge to the related network segment.
After roles of all RSTP ports are determined, the topology convergence is
completed.
● RSTP redefines port states.
RSTP deletes two port states defined in STP, reducing the number of port
states to three. Depending on whether a port can forward user traffic and
learn MAC addresses, the port may be in any of the following states:
– If the port does not forward user traffic or learn MAC addresses, it is in
Discarding state.
– If the port does not forward user traffic but learns MAC addresses, it is in
Learning state.
– If the port forwards user traffic and learns MAC addresses, it is in
Forwarding state.
Table 9-12 compares the port states defined in STP and RSTP. Port states are
not necessarily related to port roles. Table 9-12 lists possible states for
different port roles.

Table 9-12 Comparison between port states defined in STP and RSTP

| STP Port State | RSTP Port State | Port Role |
|---|---|---|
| Forwarding | Forwarding | Root port or designated port |
| Learning | Learning | Root port or designated port |
| Listening | Discarding | Root port or designated port |
| Blocking | Discarding | Alternate port or backup port |
| Disabled | Discarding | Disabled port |

● RSTP changes the configuration BPDU format and uses the Flags field to
describe port roles.
RSTP retains the basic configuration BPDU format defined in STP and makes
the following minor changes:
– The value of the Type field is changed from 0 to 2. Devices running STP
will drop the configuration BPDUs sent from devices running RSTP.
– The Flags field uses the six bits reserved in STP. This configuration BPDU
is called an RST BPDU. Figure 9-12 shows the Flags field in an RST BPDU.

Figure 9-12 Format of the Flags field in an RST BPDU

Bit7: TCA (Topology Change Acknowledgment flag)
Bit6: Agreement
Bit5: Forwarding
Bit4: Learning
Bit3 and Bit2: Port role
    00 Unknown
    01 Alternate/Backup port
    10 Root port
    11 Designated port
Bit1: Proposal
Bit0: TC (Topology Change flag)

● Configuration BPDUs are processed in a different way.


– Transmission frequency of configuration BPDUs
In STP, the root bridge sends configuration BPDUs at Hello intervals after
the topology becomes stable. Non-root bridges send configuration BPDUs
only after they receive configuration BPDUs from upstream devices. This
complicates the STP calculation and slows down network convergence.
RSTP allows non-root bridges to send configuration BPDUs at Hello
intervals after the topology becomes stable, regardless of whether they
have received configuration BPDUs from the root bridge.
– BPDU timeout period
In STP, a device has to wait for one period of Max Age before
determining a negotiation failure. In RSTP, a device determines that the
negotiation between its port and the upstream device has failed if the
port does not receive any configuration BPDUs sent from the upstream
device for three consecutive Hello intervals.
– Processing of inferior BPDUs
When an RSTP port receives an RST BPDU from the upstream designated
bridge, the port compares the received RST BPDU with its own RST BPDU.
If its own RST BPDU is superior to the received one, the port discards the
received RST BPDU and immediately responds to the upstream device
with its own RST BPDU. After receiving the RST BPDU, the upstream
device replaces its own RST BPDU with the received RST BPDU.
In this manner, RSTP processes inferior BPDUs more rapidly, independent
of any timer.
● Rapid convergence
– Proposal/Agreement mechanism
In STP, a port that is selected as a designated port needs to wait at least
one Forward Delay interval (Learning state) before it enters the
Forwarding state. In RSTP, such a port enters the Discarding state, and
then the Proposal/Agreement mechanism allows the port to immediately
enter the Forwarding state. The Proposal/Agreement mechanism must be
applied on P2P links in full-duplex mode.
For details, see 9.2.6 Technical Details of RSTP.
– Fast switchover of the root port
If a root port fails, the best alternate port immediately becomes the root
port and enters the Forwarding state. This is because the network
segment connected to this alternate port has a designated port
connected to the root bridge.
When the port role changes, the network topology changes accordingly.
For details, see 9.2.6 Technical Details of RSTP.
– Edge ports
In RSTP, a designated port on the network edge is called an edge port. An
edge port directly connects to a terminal and does not connect to any
other switches.
An edge port cannot receive or process configuration BPDUs and does
not participate in RSTP calculation. This port can transition from Disable
to Forwarding state without a delay. An edge port becomes a common
STP port once it is connected to a switch and receives a configuration
BPDU. The spanning tree needs to be recalculated, causing network
flapping.
● Protection functions
Table 9-13 describes protection functions provided by RSTP.

Table 9-13 Protection functions

| Protection Function | Scenario | Implementation |
|---|---|---|
| BPDU protection | On a switch, ports directly connected to a user terminal such as a PC or file server are edge ports. Usually, no RST BPDUs are sent to edge ports. If a switch receives bogus RST BPDUs on an edge port, the switch automatically sets the edge port to a non-edge port and performs STP calculation. This causes network flapping. | BPDU protection enables a switch to set the state of an edge port to error-down if the edge port receives an RST BPDU. In this case, the port remains the edge port, and the switch sends a notification to the NMS. |
| Root protection | The root bridge on a network may receive superior RST BPDUs due to incorrect configurations or malicious attacks. When this occurs, the root bridge is incorrectly changed. As a result, traffic may be switched from high-speed links to low-speed links, leading to network congestion. | If root protection is enabled on a designated port, the port role cannot be changed. When the designated port receives a superior RST BPDU, the port enters the Discarding state and does not forward packets. If the port does not receive any superior RST BPDUs within a period (generally two Forward Delay periods), the port automatically enters the Forwarding state. NOTE: Root protection takes effect only on designated ports. |
| Loop prevention | On an RSTP network, a switch can only maintain the states of the root port and blocked ports if it is continuously receiving RST BPDUs from the upstream switch. If the ports cannot receive RST BPDUs from the upstream switch because of link congestion or unidirectional link failures, the switch re-selects a root port. Then, the previous root port becomes a designated port and the blocked ports change to the Forwarding state. As a result, loops may occur on the network. | When loop prevention is enabled, if the root port or alternate port does not receive RST BPDUs from the upstream switch for a long time, the switch sends a notification to the NMS. The root port enters the Discarding state, whereas the blocked port remains in Blocking state and does not forward packets, preventing loops on the network. The root port or alternate port restores the Forwarding state after receiving new RST BPDUs. NOTE: Loop prevention takes effect only on the root port and alternate ports. |
| TC BPDU attack defense | A switch deletes its MAC address entries and ARP entries after receiving TC BPDUs. An attacker can use this to their advantage by sending a large number of bogus TC BPDUs to the switch in a short time, causing the device to frequently delete MAC address entries and ARP entries. This increases the load on the switch and threatens network stability. | After enabling TC BPDU attack defense on a switch, you can set the number of times the device processes TC BPDUs within a given time. If this number is exceeded, the switch processes only the specified number of TC BPDUs. Excess TC BPDUs are processed in one go by the switch after the specified period expires. This function prevents the switch from frequently deleting its MAC address entries and ARP entries, reducing the load on the switch and guaranteeing network stability. |
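
The Flags layout in Figure 9-12 and the BPDU protection and root protection rows of Table 9-13 can be exercised together on a captured BPDU. This is an added example, not code from the guide or from the switch software: the function names and the port dictionary keys are hypothetical, the field layout around the Flags and Type fields follows the IEEE 802.1D/802.1w BPDU format rather than anything stated on this page, and the sample BPDU is constructed with documentation-range MAC addresses.

```python
import struct

ROLE = {0: "unknown", 1: "alternate/backup", 2: "root", 3: "designated"}

# Protocol ID, version, type, flags, root ID, root path cost, bridge ID,
# port ID, message age, max age, hello time, forward delay (35 bytes).
# An RST BPDU appends one Version 1 Length byte.
_FMT = ">HBBB8sI8sHHHHH"


def decode_flags(flags):
    """Decode the Flags byte of an RST BPDU (Figure 9-12). In an STP
    configuration BPDU only TC (bit 0) and TCA (bit 7) are meaningful."""
    return {
        "tc": bool(flags & 0x01),
        "proposal": bool(flags & 0x02),
        "port_role": ROLE[(flags >> 2) & 0x03],
        "learning": bool(flags & 0x10),
        "forwarding": bool(flags & 0x20),
        "agreement": bool(flags & 0x40),
        "tca": bool(flags & 0x80),
    }


def parse_bpdu(data):
    """Parse a configuration BPDU (Type 0) or an RST BPDU (Type 2)."""
    if len(data) < struct.calcsize(_FMT):
        raise ValueError("truncated BPDU")
    (proto, _version, btype, flags, root_id, cost, bridge_id, port_id,
     _age, _max_age, _hello, _fwd_delay) = struct.unpack_from(_FMT, data)
    if proto != 0 or btype not in (0x00, 0x02):
        raise ValueError("not a configuration or RST BPDU")
    return {
        "kind": "rst" if btype == 0x02 else "config",
        "flags": decode_flags(flags),
        # Smaller vector = superior BPDU. IDs stay as big-endian bytes so
        # that byte-wise comparison matches numeric comparison.
        "vector": (root_id, cost, bridge_id, port_id),
    }


def guard(port, bpdu):
    """Apply the two checks from Table 9-13 to a received BPDU.

    port is a dict (hypothetical keys): edge, bpdu_protection, role,
    root_protection, vector (the vector the port itself advertises).
    """
    if port.get("edge") and port.get("bpdu_protection"):
        return "error-down"      # BPDU protection: edge port saw a BPDU
    if (port.get("role") == "designated" and port.get("root_protection")
            and bpdu["vector"] < port["vector"]):
        return "discarding"      # root protection: superior BPDU received
    return "process"


def sample_rst_bpdu(priority, mac_hex, cost, flags, port_id=0x8001):
    """Build a constructed RST BPDU whose sender claims to be the root."""
    bid = struct.pack(">H", priority) + bytes.fromhex(mac_hex)
    return struct.pack(_FMT, 0, 2, 0x02, flags, bid, cost, bid, port_id,
                       0, 20 * 256, 2 * 256, 15 * 256) + b"\x00"


if __name__ == "__main__":
    own_id = bytes.fromhex("100000005e005301")       # priority 4096
    own = (own_id, 0, own_id, 0x8001)
    # Priority 0, Flags 0x0E = designated role + Proposal.
    rx = parse_bpdu(sample_rst_bpdu(0, "00005e005399", 0, 0x0E))
    print(rx["kind"], rx["flags"])
    print(guard({"role": "designated", "root_protection": True,
                 "vector": own}, rx))
```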

9.2.6 Technical Details of RSTP


Proposal/Agreement Mechanism
The Proposal/Agreement mechanism of RSTP enables a designated port to quickly
enter the Forwarding state. In Figure 9-13, root bridge S1 establishes a link with
S2. On S2, p2 is an alternate port; p3 is a designated port and is in Forwarding
state; p4 is an edge port.

Figure 9-13 Proposal/Agreement negotiation process
[Figure: port p0 on S1 connects to port p1 on S2. (1) Proposal from p0 to p1.
(2) S2 synchronizes its ports: the alternate port p2 and the edge port p4 keep
their states, and the designated port p3 is blocked. (3) Agreement from p1 to
p0.]

The Proposal/Agreement mechanism works as follows:


1. p0 and p1 become designated ports and send RST BPDUs to each other.
2. The RST BPDU sent from p0 is superior to that of p1, so p1 becomes a root
port and stops sending RST BPDUs.
3. p0 enters the Discarding state and sets the Proposal field in its RST BPDU to
1.
4. After S2 receives an RST BPDU with the Proposal field set to 1, it sets the sync
variable to 1 for all its ports.
5. p2 is already blocked, so its state remains unchanged. p4 is an edge port and
does not participate in calculation. Therefore, only the non-edge designated
port p3 needs to be blocked.
6. After p2 and p3 enter the Discarding state, their sync variable is set to 1. The
sync variable of the root port p1 is also set to 1, and p1 sends an RST BPDU
with the Agreement field set to 1 to S1. This RST BPDU carries the same
information as the one sent from the root bridge S1, except that the
Agreement field is set to 1 and the Proposal field is set to 0.
7. After S1 receives this RST BPDU, it identifies that the RST BPDU is a response
to the proposal that it has sent. Then p0 immediately enters the Forwarding
state.
The Proposal/Agreement process can proceed to downstream devices.
STP can select designated ports quickly; however, to prevent loops, all ports must
wait at least one Forward Delay interval before starting data forwarding. RSTP
blocks non-root ports to prevent loops and uses the Proposal/Agreement
mechanism to shorten the time that an upstream port waits before transitioning
to the Forwarding state.

NOTE

The Proposal/Agreement mechanism applies only to P2P full-duplex links between two
devices. When Proposal/Agreement fails, a designated port is elected after two Forward
Delay intervals, which is the same as designated port election in STP mode.

RSTP Topology Changes


RSTP considers that the network topology has changed when a non-edge port
transitions to the Forwarding state.
When detecting a topology change, RSTP devices react as follows:
● On the device with changed port states: The device starts a TC While timer on
each non-edge designated port. The TC While timer value is two times the
Hello timer value.
Within the TC While time, the device clears MAC address entries learned on
ports whose states have changed and sends out RST BPDUs with the TC bit
set to 1 from these ports.
● On other devices: When other devices receive RST BPDUs, they clear MAC
address entries learned on all their ports except the ports that receive the RST
BPDUs. These devices also start a TC While timer on each non-edge
designated port and repeat the preceding process.
RST BPDUs are then flooded on the entire network.
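
The cost of this flooding, and the effect of the TC BPDU attack defense described in Table 9-13, can be seen by replaying a burst of TC BPDUs. This is an added example, not the switch's implementation: the function names are hypothetical, the threshold and interval values, port names, MAC addresses and arrival times are constructed, and the defense windows are assumed to be aligned to t = 0.

```python
def flush_on_tc(mac_table, rx_port):
    """Reaction of a device that receives an RST BPDU with the TC bit set:
    clear entries learned on all ports except the receiving port."""
    return {mac: port for mac, port in mac_table.items() if port == rx_port}


def flush_times(tc_times, threshold=None, interval=None):
    """Return the times (seconds) at which the MAC table is flushed.

    tc_times: arrival times of TC BPDUs.
    threshold, interval: TC BPDU attack defense settings, that is, how many
    TC BPDUs are handled per interval. None means the defense is off.
    """
    if threshold is None:
        return sorted(tc_times)          # unprotected: one flush per TC BPDU
    flushes, seen = [], {}
    for t in sorted(tc_times):
        window = int(t // interval)      # assumption: windows start at t = 0
        seen[window] = seen.get(window, 0) + 1
        if seen[window] <= threshold:
            flushes.append(t)            # within budget: handled at once
    for window, count in seen.items():
        if count > threshold:
            # Excess TC BPDUs are handled in one go when the window expires.
            flushes.append((window + 1) * interval)
    return sorted(flushes)


# Constructed input: 50 TC BPDUs within one second, then a single one at 5 s.
BURST = [i * 0.02 for i in range(50)] + [5.0]

# Constructed MAC table (documentation-range addresses, sample port names).
MAC_TABLE = {
    "0000-5e00-530a": "10GE1/0/1",
    "0000-5e00-530b": "10GE1/0/2",
    "0000-5e00-530c": "10GE1/0/3",
}

if __name__ == "__main__":
    print("entries kept after one TC:", flush_on_tc(MAC_TABLE, "10GE1/0/1"))
    print("flushes without defense:", len(flush_times(BURST)))
    print("flushes with defense:", flush_times(BURST, threshold=1, interval=2))
```

With the defense on, the 50-BPDU burst costs two flushes instead of 50, while the isolated TC BPDU at 5 s is still handled immediately.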

Interoperability with STP


Although RSTP can interoperate with STP, this will prevent its advantages such as
fast convergence from being leveraged.
On a network with both STP-capable and RSTP-capable devices, STP-capable
devices drop RST BPDUs. If a port on an RSTP-capable device receives a
configuration BPDU from an STP-capable device, the port switches to the STP
mode and starts to send configuration BPDUs after two Hello intervals.
After STP-capable devices are removed, Huawei RSTP-capable devices can switch
back to the RSTP mode.

9.3 Application Scenarios for STP/RSTP


On a complex network, multiple physical links are often deployed between two
devices to implement link redundancy. However, this may lead to loops, which can
cause broadcast storms and damage MAC address entries on network devices.

Figure 9-14 Typical STP/RSTP application scenario
[Figure labels: Network, Root bridge, PE1, PE2, STP, CE1, CE2, Server1,
Server2, Blocked port.]

As shown in Figure 9-14, STP is deployed on the devices. The devices exchange
information to discover loops on the network and block a port to trim the ring
topology into a loop-free tree topology. The tree topology prevents infinite looping
of packets on the network and ensures packet processing capabilities of the
devices.

9.4 Summary of STP/RSTP Configuration Tasks


Table 9-14 summarizes STP/RSTP configuration tasks.

Table 9-14 STP/RSTP configuration tasks

| Scenario | Description | Task |
|---|---|---|
| Configuring basic STP/RSTP functions | Configure STP/RSTP on devices on a network to trim the network into a tree topology free from loops. | 9.7 Configuring STP/RSTP |
| Setting STP parameters that affect the STP convergence speed | STP cannot implement rapid convergence. However, you can set the STP parameters, including the network diameter, timeout interval, Hello timer value, Max Age timer value, and Forward Delay timer value to speed up convergence. | 9.8 Configuring STP Parameters That Affect STP Convergence Speed |
| Setting RSTP parameters that affect the RSTP convergence speed | RSTP supports link type and fast transition configuration on ports to implement rapid convergence. | 9.9 Setting RSTP Parameters That Affect RSTP Convergence |
| Configuring RSTP protection functions | You can configure one or more RSTP protection functions on a Huawei device. | 9.10 Configuring RSTP Protection Functions |
| Setting parameters for interoperation between Huawei and non-Huawei devices | To implement interoperation between a Huawei device and a non-Huawei device, select the fast transition mode based on the Proposal/Agreement mechanism of the non-Huawei device. | 9.11 Configuring Interoperability Between Huawei and Non-Huawei Devices |

9.5 Licensing Requirements and Limitations for STP/RSTP

Involved Network Element


Other network elements also need to support STP or RSTP.

Licensing Requirements
STP or RSTP is a basic function of the switch, and as such is controlled by the
license for basic software functions. The license for basic software functions has
been loaded and activated before delivery. You do not need to manually activate
it.

Version Requirements

Table 9-15 Products and minimum version supporting STP or RSTP

| Product | Minimum Version Required |
|---|---|
| CE9860EI | V200R020C00 |
| CE8860EI | V100R006C00 |
| CE8861EI/CE8868EI | V200R005C10 |
| CE8850-32CQ-EI | V200R002C50 |
| CE8850-64CQ-EI | V200R005C00 |
| CE7850EI | V100R003C00 |
| CE7855EI | V200R001C00 |
| CE6810EI | V100R003C00 |
| CE6810-48S4Q-LI/CE6810-48S-LI | V100R003C10 |
| CE6810-32T16S4Q-LI/CE6810-24S2Q-LI | V100R005C10 |
| CE6850EI | V100R001C00 |
| CE6850-48S6Q-HI | V100R005C00 |
| CE6850-48T6Q-HI/CE6850U-HI/CE6851HI | V100R005C10 |
| CE6855HI | V200R001C00 |
| CE6856HI | V200R002C50 |
| CE6857EI | V200R005C10 |
| CE6860EI | V200R002C50 |
| CE6865EI | V200R005C00 |
| CE6870-24S6CQ-EI | V200R001C00 |
| CE6870-48S6CQ-EI | V200R001C00 |
| CE6870-48T6CQ-EI | V200R002C50 |
| CE6875-48S4CQ-EI | V200R003C00 |
| CE6880EI | V200R002C50 |
| CE6881, CE6820, CE6863 | V200R005C20 |
| CE6881K | V200R019C10 |
| CE6881E | V200R019C10 |
| CE6863K | V200R019C10 |
| CE5810EI | V100R002C00 |
| CE5850EI | V100R001C00 |
| CE5850HI | V100R003C00 |
| CE5855EI | V100R005C10 |
| CE5880EI | V200R005C10 |
| CE5881 | V200R020C00 |

NOTE

For details about the mapping between software versions and switch models, see the
Hardware Query Tool.

Feature Limitations
● On networks that run STP/RSTP/MSTP/VBST, configure an optimal core switch
as the root bridge to ensure stability of the STP Layer 2 network. Otherwise,
new access devices may trigger STP root bridge switching, causing short
service interruptions.
● When STP or RSTP is enabled on a ring network, STP or RSTP immediately
starts spanning tree calculation. Parameters such as the device priority and
port priority affect spanning tree calculation, and changing these parameters
may cause network flapping. To ensure fast and stable spanning tree
calculation, perform basic configurations on the switch and interfaces before
enabling STP or RSTP.
● RSTP uses a single spanning tree instance on the entire network. As a result,
performance deterioration cannot be prevented when the network scale
grows. Therefore, the network diameter cannot be larger than 7.
● BPDU protection takes effect only for the manually configured edge port.
● Loop prevention and root protection cannot be configured on the same
interface.
● In versions earlier than V200R001C00, STP cannot be configured on a user-
side interface of a VXLAN tunnel. Starting from V200R001C00, STP can be
configured on a user-side interface of a VXLAN tunnel that accesses the
VXLAN as a VLAN. In V200R002C50 and later versions, STP can be configured
on a user-side interface of a VXLAN tunnel when the device is deployed to
provide VXLAN access through a Layer 2 sub-interface or to provide VLAN
access.
● For CE6870EI, in V200R001C00, the bpdu bridge enable command is not
supported on the VXLAN network. To enable BPDU packets to traverse the
VXLAN network, run the undo mac-address bpdu [ mac-address [ mac-
address-mask ] ] command in the system view. In this command, mac-address
specifies the MAC address of BPDU packets that need to traverse the VXLAN
network.

For CE switches excluding CE5880EI, CE6875EI, CE6880EI, CE6870EI: in
versions earlier than V200R001C00, if the bpdu bridge enable command is
configured on an access-side port on the VXLAN network connected to an STP
network, BPDU packets cannot traverse the VXLAN network. This causes loops
on the STP network. In V200R001C00 and later versions, the bpdu bridge
enable command is not supported on the VXLAN network. If this command is
configured in a version earlier than V200R001C00, it will be deleted from the
device configurations after an upgrade to V200R001C00 or a later version. To
enable BPDU packets to traverse the VXLAN network, run the undo mac-
address bpdu [ mac-address [ mac-address-mask ] ] command in the system
view. In this command, mac-address specifies the MAC address of BPDU
packets that need to traverse the VXLAN network.

9.6 Default Settings for STP/RSTP


| Parameter | Default Setting |
|---|---|
| Working mode | MSTP |
| STP/RSTP status | Enabled globally and on an interface |
| Switching device priority | 32768 |
| Port priority | 128 |
| Algorithm used to calculate the path cost | dot1t (IEEE 802.1t) |
| Forward Delay | 1500 centiseconds (15 seconds) |
| Hello Time | 200 centiseconds (2 seconds) |
| Max Age | 2000 centiseconds (20 seconds) |

9.7 Configuring STP/RSTP

9.7.1 Configuring the STP/RSTP Mode


Context
Huawei devices support three working modes: STP, RSTP, and MSTP. STP and RSTP
are not compatible with each other. Therefore, on a ring network, enable either
STP or RSTP.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run stp mode { stp | rstp }


The working mode of the device is set to STP or RSTP.
By default, the working mode of a device is MSTP. MSTP is compatible with STP
and RSTP.
Step 3 Run commit
The configuration is committed.

----End

9.7.2 (Optional) Configuring the Root Bridge and Secondary Root Bridge

Context
Typically, the root bridge of a spanning tree is automatically calculated; however,
you can also manually configure a root bridge or secondary root bridge. The
following provides more details regarding configuring a root bridge or secondary
root bridge:
● Configuring a root bridge: A spanning tree can have only one effective root
bridge. When two or more devices are specified as root bridges for a spanning
tree, the device with the smallest MAC address is elected as the root bridge.
● Configuring a secondary root bridge: You can specify multiple secondary root
bridges for each spanning tree. When the root bridge fails or is powered off, a
secondary root bridge becomes the new root bridge until a new root bridge is
specified. If there are multiple secondary root bridges, the one with the
smallest MAC address becomes the root bridge of the spanning tree.

NOTE

On networks that run STP/RSTP/MSTP/VBST, configure an optimal core switch as the root
bridge to ensure stability of the STP Layer 2 network. Otherwise, new access devices may
trigger STP root bridge switching, causing short service interruptions.
It is recommended that you specify the root bridge and secondary root bridge when
configuring STP/RSTP.

Procedure
● Configure a device as the root bridge.
a. Run system-view
The system view is displayed.
b. Run stp root primary
The device is configured as the root bridge.
By default, a device does not function as the root bridge. After you run
this command, the priority value of the device is set to 0 and cannot be
changed.
c. Run commit
The configuration is committed.

● Configure a device as the secondary root bridge.


a. Run system-view

The system view is displayed.


b. Run stp root secondary

The device is configured as the secondary root bridge.

By default, a device does not function as the secondary root bridge. After
you run this command, the priority value of the device is set to 4096 and
cannot be changed.
c. Run commit

The configuration is committed.

----End

9.7.3 (Optional) Configuring a Priority for a Device

Context
An STP/RSTP network can have only one root bridge, which is the logical center of
the spanning tree. The root bridge should be a high-performance device deployed
at a high network layer. To ensure a certain device is selected as the root bridge,
you can set a high priority for the device.

Set low priorities for devices that are not suitable as the root bridge, such as low-
performance devices at lower network layers.

A smaller priority value indicates a higher priority of a device.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run stp priority priority

A priority is set for the device.

The default priority value of a device is 32768.

If the stp root primary or stp root secondary command has been executed to
configure the device as the root bridge or secondary root bridge, run the undo stp
root command to disable the root bridge or secondary root bridge function and
then run the stp priority priority command to set a priority.

Step 3 Run commit

The configuration is committed.

----End

9.7.4 (Optional) Configuring a Path Cost for a Port


Context
A path cost is the reference value used for link selection on an STP/RSTP network.
The path cost value range is determined by the calculation method. After the
calculation method is determined, it is recommended that you set smaller path
cost values for the ports with higher link rates.
In the Huawei calculation method, the link rate determines the recommended
value for the path cost. Table 9-16 lists the recommended path costs for ports
with different link rates.

Table 9-16 Recommended path costs for ports with different link rates

| Link Rate | Recommended Path Cost | Recommended Path Cost Range | Supported Path Cost Range |
|---|---|---|---|
| 10 Mbit/s | 2000 | 200 to 20000 | 1 to 200000 |
| 100 Mbit/s | 200 | 20 to 2000 | 1 to 200000 |
| 1 Gbit/s | 20 | 2 to 200 | 1 to 200000 |
| 10 Gbit/s | 2 | 2 to 20 | 1 to 200000 |
| Over 10 Gbit/s | 1 | 1 to 2 | 1 to 200000 |

If a network has loops, it is recommended that you set a large path cost for ports
with low link rates. STP/RSTP then blocks these ports.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Run stp pathcost-standard { dot1d-1998 | dot1t | legacy }
A path cost calculation method is specified.
By default, the IEEE 802.1t standard (dot1t) is used to calculate the path costs.
All devices on a network must use the same path cost calculation method.
Step 3 Run interface interface-type interface-number
The view of an interface participating in STP calculation is displayed.
Step 4 Run stp cost cost
A path cost is set for the interface.
The following describes the supported cost range for different calculation
methods:

● When the Huawei calculation method is used, cost ranges from 1 to 200000.
● When the IEEE 802.1d standard method is used, cost ranges from 1 to 65535.
● When the IEEE 802.1t standard method is used, cost ranges from 1 to
200000000.
● If an Eth-Trunk interface is specified as the member interface of an M-LAG
configured in V-STP mode, the path cost of the Eth-Trunk interface is fixed at
2000.
Step 5 Run commit
The configuration is committed.

----End

9.7.5 (Optional) Configuring a Priority for a Port


Context
In spanning tree calculation, priorities of the ports in a ring affect designated port
election.
To block a port on a device, set a greater priority value than the default priority
value for the port.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The view of an interface participating in STP calculation is displayed.
Step 3 Run stp port priority priority
A priority is set for the port.
The default priority value of a port on a device is 128.
Step 4 Run commit
The configuration is committed.

----End

9.7.6 Enabling STP/RSTP

Context

NOTICE

Before enabling STP/RSTP, ensure that you have performed all basic
configurations, such as the device priority and port priority, on the device and its
ports. After STP/RSTP is enabled on a ring network, spanning tree calculation
starts immediately on the network. Making changes to configurations will affect
spanning tree calculation and may cause network flapping.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run stp enable

STP/RSTP is enabled on the device.

By default, STP/RSTP is enabled on a switch.

Step 3 Run commit

The configuration is committed.

----End

Follow-up Procedure
When the topology of a spanning tree changes, the forwarding paths for
associated VLANs are changed. Devices need to update the ARP entries
corresponding to those VLANs. Depending on how devices process ARP entries,
STP/RSTP convergence mode can be fast or normal.

● In fast mode, ARP entries to be updated are directly deleted.


● In normal mode, ARP entries to be updated are rapidly aged.
The remaining lifetime of ARP entries to be updated is set to 0 to immediately
age the ARP entries out. If the number of ARP aging probes is greater than 0,
the device performs aging probe for these ARP entries.

Run the stp converge { fast | normal } command in the system view to configure
the STP/RSTP convergence mode.

By default, the normal STP/RSTP convergence mode is used. The normal mode is
recommended. If the fast mode is used, ARP entries will be frequently deleted,
causing a high CPU usage (even 100%). As a result, network flapping will
frequently occur.

9.7.7 Verifying the STP/RSTP Configuration

Procedure
● Run the display stp [ interface interface-type interface-number | slot slot-id ]
[ brief ] command to check the spanning tree status and statistics.

----End

9.8 Configuring STP Parameters That Affect the STP Convergence Speed

STP cannot implement rapid convergence. However, STP parameters including the
network diameter, timeout interval, Hello timer value, Max Age timer value, and
Forward Delay timer value can be configured to affect the STP convergence speed.

Pre-configuration Tasks
Before setting STP parameters that affect STP convergence, configure basic STP
functions.

9.8.1 Configuring the STP Network Diameter

Context
Any two terminals on a switching network are connected through a specific path
along multiple devices. The network diameter is the maximum number of devices
between any two terminals.

An improper network diameter may cause slow network convergence and affect
communication on the network. To speed up convergence, run the
stp bridge-diameter command to set an appropriate network diameter based on the
network scale. Running this command also allows the switch to calculate the
optimal Forward Delay timer value, Hello timer value, and Max Age timer value
based on the configured network diameter.

It is recommended that all devices be configured with the same network diameter.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run stp bridge-diameter diameter

The network diameter is configured.

By default, the network diameter is 7.

NOTE

RSTP uses a single spanning tree instance on the entire network. As a result, performance
deterioration cannot be prevented when the network scale grows. Therefore, the network
diameter cannot be larger than 7.

Step 3 Run commit


The configuration is committed.

----End

9.8.2 Configuring the STP Timeout Interval


Context
If a device does not receive any BPDUs from the upstream device within the
timeout interval, the device considers the upstream device to have failed and
recalculates the spanning tree.
Sometimes, a device cannot receive the BPDU from the upstream device within
the timeout interval because the upstream device is temporarily busy. In this case,
recalculating the spanning tree will waste network resources. This can be avoided
by increasing the timeout interval. However, only set a long timeout interval if the
network is relatively stable.
The timeout interval is calculated as follows:
Timeout interval = Hello Time x 3 x Timer Factor

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp timer-factor factor
The Timer Factor value is set.
By default, the timeout period is 9 times the Hello timer value.
Step 3 Run commit
The configuration is committed.

----End

9.8.3 Configuring STP Timers


Context
There are three timers used in spanning tree calculation: Forward Delay, Hello
Time, and Max Age. These timers can be configured to affect STP convergence.
However, you are not advised to directly change these timers. Instead, it is
recommended that you set the network diameter so that the spanning tree
protocol automatically adjusts these timers in accordance with the network scale.

The following timers are used in spanning tree calculation:


● Forward Delay: specifies the delay before a state transition. After the topology
of a ring network changes, it takes some time for the new configuration
BPDU to spread throughout the entire network. As a result, the original
blocked port may be unblocked before a new port is blocked, creating a loop
on the network. The purpose of the Forward Delay timer is to prevent loops.
When the topology changes, all ports will be temporarily blocked during the
Forward Delay.
● Hello Time: specifies the interval at which hello packets are sent. A device
sends configuration BPDUs at the specified interval to detect link failures. If
the switching device does not receive any BPDUs within an interval of Hello
Time x 3 x Timer Factor, the device recalculates the spanning tree.
● Max Age: determines whether a BPDU has timed out. A device determines
that a received configuration BPDU times out when the Max Age expires.
Devices on a ring network must use the same values of Forward Delay, Hello
Time, and Max Age.

NOTICE

To prevent frequent network flapping, make sure that the Hello Time, Forward
Delay, and Max Age timer values conform to the following formulas:
● 2 x (Forward Delay - 1.0 second) ≥ Max Age
● Max Age ≥ 2 x (Hello Time + 1.0 second)

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Set the Forward Delay, Hello Time, and Max Age timers.
1. Run stp timer forward-delay forward-delay
The Forward Delay timer is set for the device.
By default, the Forward Delay timer is 1500 centiseconds (15 seconds).
2. Run stp timer hello hello-time
The Hello Time is set for the device.
By default, the Hello Time is 200 centiseconds (2 seconds).
3. Run stp timer max-age max-age
The Max Age timer is set for the device.
By default, the Max Age timer is 2000 centiseconds (20 seconds).
Step 3 Run commit
The configuration is committed.

----End

9.8.4 Configuring the Maximum Number of Connections in an Eth-Trunk that Affects Spanning Tree Calculation

Context
Path costs are a major factor in spanning tree calculation and changing path costs
triggers spanning tree recalculation. The path cost of an interface is affected by its
bandwidth, so you can change the interface bandwidth to affect spanning tree
calculation.
In Figure 9-15, SwitchA and SwitchB are connected through two Eth-Trunk links.
Eth-Trunk 1 has three member interfaces in Up state and Eth-Trunk 2 has two
member interfaces in Up state. Each member link has the same bandwidth, and
SwitchA is selected as the root bridge.
● Eth-Trunk 1 has higher bandwidth than Eth-Trunk 2. After STP calculation,
Eth-Trunk 1 on SwitchB is selected as the root port and Eth-Trunk 2 is selected
as the alternate port.
● If the maximum number of connections affecting bandwidth of Eth-Trunk 1 is
set to 1, the path cost of Eth-Trunk 1 is larger than the path cost of Eth-Trunk
2. Therefore, after the two devices perform spanning tree recalculation, Eth-
Trunk 1 on SwitchB becomes the alternate port and Eth-Trunk 2 becomes the
root port.

Figure 9-15 Configuring the maximum number of connections in an Eth-Trunk


[Figure: SwitchA (root bridge) and SwitchB connected by Eth-Trunk1 and Eth-Trunk2, shown before and after configuration. Legend: alternate port, root port, designated port.]

The maximum number of connections affects only the path cost of an Eth-Trunk
interface participating in spanning tree calculation, and does not affect the actual
bandwidth of the Eth-Trunk link. The actual bandwidth for an Eth-Trunk link
depends on the number of active member interfaces in the Eth-Trunk.

Procedure
Step 1 Run system-view
The system view is displayed.

Step 2 Run interface eth-trunk trunk-id


The Eth-Trunk interface view is displayed.
Step 3 Run max bandwidth-affected-linknumber link-number
The maximum number of connections affecting the Eth-Trunk bandwidth is set.
By default, the upper threshold for the number of interfaces that determine the
bandwidth of an Eth-Trunk is 8 on the CE5810EI, 64 on CE6880EI and CE5880EI,
and 16 on other models (excluding the CE6870EI and CE6875EI). For the CE6870EI
and CE6875EI, the upper threshold for the number of interfaces that determine
the bandwidth of an Eth-Trunk depends on the maximum number of configured
LAGs. In an SVF system, the maximum number of connections affecting the
bandwidth of an Eth-Trunk is 8.
Step 4 Run commit
The configuration is committed.

----End

9.8.5 Verifying the STP/RSTP Configuration


Procedure
● Run the display stp [ interface interface-type interface-number | slot slot-id ]
[ brief ] command to check the spanning tree status and statistics.
----End

9.9 Setting RSTP Parameters That Affect RSTP Convergence

Pre-configuration Tasks
Before configuring RSTP parameters that affect RSTP convergence, configure basic
RSTP functions. RSTP supports link type and fast transition configuration on ports
to implement rapid convergence.

9.9.1 Setting the RSTP Network Diameter


Context
Any two terminals on a switching network are connected through a specific path
along multiple devices. The network diameter is the maximum number of devices
between any two terminals.
An improper network diameter may cause slow network convergence and affect
communication on the network. To speed up convergence, run the
stp bridge-diameter command to set an appropriate network diameter based on the
network scale. Running this command also allows the switch to calculate the
optimal Forward Delay timer value, Hello timer value, and Max Age timer value
based on the configured network diameter.

It is recommended that all devices be configured with the same network diameter.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run stp bridge-diameter diameter

The network diameter is configured.

By default, the network diameter is 7.

NOTE

RSTP uses a single spanning tree instance on the entire network. As a result, performance
deterioration cannot be prevented when the network scale grows. Therefore, the network
diameter cannot be larger than 7.

Step 3 Run commit

The configuration is committed.

----End

9.9.2 Setting the RSTP Timeout Interval

Context
If a device does not receive any BPDUs from the upstream device within the
timeout interval, the device considers the upstream device to have failed and
recalculates the spanning tree.

Sometimes, a device cannot receive the BPDU from the upstream device within
the timeout interval because the upstream device is temporarily busy. In this case,
recalculating the spanning tree will waste network resources. This can be avoided
by increasing the timeout interval. However, only set a long timeout interval if the
network is relatively stable.

The timeout interval is calculated as follows:

Timeout interval = Hello Time x 3 x Timer Factor

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run stp timer-factor factor

The Timer Factor value is set.

By default, the timeout period is 9 times the Hello timer value.

Step 3 Run commit

The configuration is committed.

----End

9.9.3 Setting RSTP Timers


Context
There are three timers used in spanning tree calculation: Forward Delay, Hello
Time, and Max Age. These timers can be configured to affect STP convergence.
However, you are not advised to directly change these timers. Instead, it is
recommended that you set the network diameter so that the spanning tree
protocol automatically adjusts these timers in accordance with the network scale.
The following timers are used in spanning tree calculation:
● Forward Delay: specifies the delay before a state transition. After the topology
of a ring network changes, it takes some time for the new configuration
BPDU to spread throughout the entire network. As a result, the original
blocked port may be unblocked before a new port is blocked, creating a loop
on the network. The purpose of the Forward Delay timer is to prevent loops.
When the topology changes, all ports will be temporarily blocked during the
Forward Delay.
● Hello Time: specifies the interval at which hello packets are sent. A device
sends configuration BPDUs at the specified interval to detect link failures. If
the switching device does not receive any BPDUs within an interval of Hello
Time x 3 x Timer Factor, the device recalculates the spanning tree.
● Max Age: determines whether a BPDU has timed out. A device determines
that a received configuration BPDU times out when the Max Age expires.
Devices on a ring network must use the same values of Forward Delay, Hello
Time, and Max Age.

NOTICE

To prevent frequent network flapping, make sure that the Hello Time, Forward
Delay, and Max Age timer values conform to the following formulas:
● 2 x (Forward Delay - 1.0 second) ≥ Max Age
● Max Age ≥ 2 x (Hello Time + 1.0 second)

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Set the Forward Delay, Hello Time, and Max Age timers.
1. Run stp timer forward-delay forward-delay
The Forward Delay timer is set for the device.
By default, the Forward Delay timer is 1500 centiseconds (15 seconds).

2. Run stp timer hello hello-time


The Hello Time is set for the device.
By default, the Hello Time is 200 centiseconds (2 seconds).
3. Run stp timer max-age max-age
The Max Age timer is set for the device.
By default, the Max Age timer is 2000 centiseconds (20 seconds).
Step 3 Run commit
The configuration is committed.

----End
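
The timer rules in 9.8.3 and 9.9.3 (the two NOTICE inequalities, identical values on every ring device, and Timeout interval = Hello Time x 3 x Timer Factor) can be checked offline before a change is committed. The following is an added example, not part of the Huawei guide: the device names and configuration excerpts are constructed, and the default Timer Factor of 3 is derived from the statement that the default timeout is 9 times the Hello timer value.

```python
import re

# Defaults stated in the guide, in centiseconds. Timer Factor 3 is an
# assumption derived from "the timeout period is 9 times the Hello timer value".
DEFAULTS = {"forward-delay": 1500, "hello": 200, "max-age": 2000, "timer-factor": 3}

TIMER_RE = re.compile(r"^\s*stp timer (forward-delay|hello|max-age) (\d+)\s*$")
FACTOR_RE = re.compile(r"^\s*stp timer-factor (\d+)\s*$")

# Constructed sample input: one configuration excerpt per device on a ring.
SAMPLE_RING = {
    "SwitchA": "stp enable\n",
    "SwitchB": "stp enable\nstp timer forward-delay 400\n",
    "SwitchC": "stp enable\nstp timer hello 1000\nstp timer-factor 5\n",
}


def parse_timers(config_text):
    """Return the effective timer settings for one device (defaults if unset)."""
    timers = dict(DEFAULTS)
    for line in config_text.splitlines():
        match = TIMER_RE.match(line)
        if match:
            timers[match.group(1)] = int(match.group(2))
            continue
        match = FACTOR_RE.match(line)
        if match:
            timers["timer-factor"] = int(match.group(1))
    return timers


def check_device(timers):
    """Apply the two NOTICE inequalities; 1.0 second is 100 centiseconds."""
    problems = []
    fd, hello, max_age = timers["forward-delay"], timers["hello"], timers["max-age"]
    if 2 * (fd - 100) < max_age:
        problems.append("2 x (Forward Delay - 1.0 s) < Max Age")
    if max_age < 2 * (hello + 100):
        problems.append("Max Age < 2 x (Hello Time + 1.0 s)")
    return problems


def timeout_seconds(timers):
    """Timeout interval = Hello Time x 3 x Timer Factor, returned in seconds."""
    return timers["hello"] * 3 * timers["timer-factor"] / 100


def audit_ring(configs):
    """configs maps device name to config text; returns {device: [findings]}."""
    parsed = {name: parse_timers(text) for name, text in configs.items()}
    findings = {name: check_device(timers) for name, timers in parsed.items()}
    # Devices on a ring must use the same Forward Delay, Hello Time and Max Age.
    for key in ("forward-delay", "hello", "max-age"):
        if len({timers[key] for timers in parsed.values()}) > 1:
            for name, timers in parsed.items():
                findings[name].append(f"{key} = {timers[key]} differs across the ring")
    return findings


if __name__ == "__main__":
    for device, problems in audit_ring(SAMPLE_RING).items():
        print(device, timeout_seconds(parse_timers(SAMPLE_RING[device])), problems)
```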

9.9.4 Configuring the Maximum Number of Connections in an Eth-Trunk that Affects Spanning Tree Calculation

Context
Path costs are a major factor in spanning tree calculation and changing path costs
triggers spanning tree recalculation. The path cost of an interface is affected by its
bandwidth, so you can change the interface bandwidth to affect spanning tree
calculation.
In Figure 9-16, SwitchA and SwitchB are connected through two Eth-Trunk links.
Eth-Trunk 1 has three member interfaces in Up state and Eth-Trunk 2 has two
member interfaces in Up state. Each member link has the same bandwidth, and
SwitchA is selected as the root bridge.
● Eth-Trunk 1 has higher bandwidth than Eth-Trunk 2. After STP calculation,
Eth-Trunk 1 on SwitchB is selected as the root port and Eth-Trunk 2 is selected
as the alternate port.
● If the maximum number of connections affecting bandwidth of Eth-Trunk 1 is
set to 1, the path cost of Eth-Trunk 1 is larger than the path cost of Eth-Trunk
2. Therefore, after the two devices perform spanning tree recalculation, Eth-
Trunk 1 on SwitchB becomes the alternate port and Eth-Trunk 2 becomes the
root port.

Figure 9-16 Configuring the maximum number of connections in an Eth-Trunk


[Figure: SwitchA (root bridge) and SwitchB connected by Eth-Trunk1 and Eth-Trunk2, shown before and after configuration. Legend: alternate port, root port, designated port.]

The maximum number of connections affects only the path cost of an Eth-Trunk
interface participating in spanning tree calculation, and does not affect the actual
bandwidth of the Eth-Trunk link. The actual bandwidth for an Eth-Trunk link
depends on the number of active member interfaces in the Eth-Trunk.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
Step 3 Run max bandwidth-affected-linknumber link-number
The maximum number of connections affecting the Eth-Trunk bandwidth is set.
By default, the upper threshold for the number of interfaces that determine the
bandwidth of an Eth-Trunk is 8 on the CE5810EI, 64 on CE6880EI and CE5880EI,
and 16 on other models (excluding the CE6870EI and CE6875EI). For the CE6870EI
and CE6875EI, the upper threshold for the number of interfaces that determine
the bandwidth of an Eth-Trunk depends on the maximum number of configured
LAGs. In an SVF system, the maximum number of connections affecting the
bandwidth of an Eth-Trunk is 8.
Step 4 Run commit
The configuration is committed.

----End

9.9.5 Configuring the Link Type for a Port


Context
Configuring a link type for a port as P2P can speed up convergence. If the two
ports connected by a P2P link are root or designated ports, they can transit to the
Forwarding state quickly by sending Proposal and Agreement packets. This reduces
the forwarding delay.
By default, an interface automatically identifies whether it is connected to a P2P
link.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The view of an Ethernet interface participating in STP calculation is displayed.
Step 3 Run stp point-to-point { auto | force-false | force-true }
The link type is set for the interface.
The following describes the link type that should be set for different interface
working modes:
Step 4 Run commit
The configuration is committed.

----End

9.9.6 Configuring the Maximum Transmission Rate of an Interface

Context
If a large number of BPDUs are sent from an interface within a Hello Time interval, a
lot of system resources will be consumed. Setting a proper transmission rate
(packet-number) on an interface prevents excess bandwidth usage when network
flapping occurs.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The view of an Ethernet interface participating in STP calculation is displayed.
Step 3 Run stp transmit-limit packet-number

The maximum transmission rate of BPDUs (BPDUs per second) is set for the
interface.
By default, the maximum transmission rate of BPDUs on an interface is the value
configured by the stp transmit-limit (system view) command. If the stp
transmit-limit (system view) command is not configured, an interface sends a
maximum of six BPDUs per Hello Time interval.
NOTE

If the same maximum transmission rate of BPDUs needs to be set for each interface on a
device, run the stp transmit-limit (system view) command. The stp transmit-limit
(interface view) command takes precedence over the stp transmit-limit (system view)
command. If the stp transmit-limit (interface view) command is configured on an
interface, the stp transmit-limit (system view) command does not take effect on that
interface.

Step 4 Run commit


The configuration is committed.

----End

9.9.7 Switching to the RSTP Mode


Context
If an interface on an RSTP-enabled device is connected to an STP-enabled device,
the interface switches to the STP compatible mode.
If the STP-enabled device is powered off or disconnected from the RSTP-enabled
device, or the STP-enabled device is switched to the RSTP mode, the interface does
not automatically switch back to the RSTP mode. In any of these cases, run the
stp mcheck command to switch the interface to the RSTP mode.

Procedure
● Switching to the RSTP mode in the interface view
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The view of an interface participating in spanning tree calculation is
displayed.
c. Run stp mcheck
The interface is switched to the RSTP mode.
d. Run commit
The configuration is committed.
● Switching to the RSTP mode in the system view
a. Run system-view
The system view is displayed.
b. Run stp mcheck

The device is switched to the RSTP mode.


c. Run commit

The configuration is committed.

----End

9.9.8 Configuring Edge Ports and BPDU Filter Ports

Context
RSTP defines a port that is located at the edge of a network and directly
connected to a terminal device as an edge port.

An edge port does not process configuration BPDUs or participate in RSTP
calculation. It can transition from the Disable to Forwarding state without any
delay.

Edge ports can still send BPDUs. If the BPDUs are sent to another network, this
network may encounter network flapping. To prevent this problem, configure the
BPDU filter function on edge ports so that the edge ports do not process or send
BPDUs.

NOTICE

After a specified port is configured as an edge port and BPDU filter port in the
interface view, the port does not process or send BPDUs and cannot negotiate the
STP state with the directly connected port on the peer device. In addition, if this
command is run in the system view, all ports will go into the Forwarding state.
This may cause loops on the network, leading to broadcast storms. Exercise
caution when deciding to perform this configuration.

Procedure
● Configuring all ports as edge ports and BPDU filter ports
a. Run system-view

The system view is displayed.


b. Run stp edged-port default

All ports are configured as edge ports.

By default, all ports are non-edge ports.


c. Run stp bpdu-filter default

All ports are configured as BPDU filter ports.

By default, all ports are non-BPDU filter ports.


d. Run commit

The configuration is committed.


● Configuring a specified port as an edge port and BPDU filter port

a. Run system-view

The system view is displayed.


b. Run interface interface-type interface-number

The view of an Ethernet interface that participates in spanning tree
calculation is displayed.
c. Run stp edged-port enable

The port is configured as an edge port.

By default, all ports are non-edge ports.


d. Run stp bpdu-filter enable

The port is configured as a BPDU filter port.

By default, all ports are non-BPDU filter ports.


e. Run commit

The configuration is committed.

----End

9.9.9 Verifying the STP/RSTP Configuration

Procedure
● Run the display stp [ interface interface-type interface-number | slot slot-id ]
[ brief ] command to check the spanning tree status and statistics.

----End

9.10 Configuring RSTP Protection Functions

9.10.1 Configuring BPDU Protection on a Device

Context
Typically, edge ports are directly connected to user terminals and will not receive
BPDUs. However, if an edge port receives pseudo BPDUs from a malicious attacker,
the device sets the edge port as a non-edge port and triggers spanning tree
recalculation, which results in network flapping. BPDU protection can be
configured to mitigate such attacks.

NOTE

Perform the following procedure on all devices that have edge ports.
BPDU protection is only valid for the edge port manually configured by the stp edged-port
or stp edged-port default command, and is invalid for the edge port configured by the
automatic detection function.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp bpdu-protection
BPDU protection is enabled on the device.
By default, BPDU protection is disabled on a device.
Step 3 Run commit
The configuration is committed.

----End

Follow-up Procedure
After BPDU protection is configured, an edge port that receives BPDUs enters
the Error-Down state and keeps its attributes. The device records the status of an
interface as Error-Down when it detects that a fault occurs. The interface in Error-
Down state cannot receive or send packets and the interface indicator is off. You
can run the display error-down recovery command to check information about
all interfaces in Error-Down state on the device.
When the interface is in Error-Down state, check the cause. You can use the
following modes to restore the interface status:
● Manual (after interfaces enter the Error-Down state)
When there are few interfaces in Error-Down state, run the shutdown and
undo shutdown commands in the interface view or run the restart command
to restore the interface.
● Auto (before interfaces enter the Error-Down state)
If there are many interfaces in Error-Down state, the manual mode brings in
heavy workload and the configuration of some interfaces may be ignored. To
prevent this problem, run the
error-down auto-recovery cause bpdu-protection interval interval-value
command in the system view to enable an interface in Error-Down state to go Up
and set a recovery delay. You can run the display error-down recovery command
to view automatic recovery information about the interface.
NOTE

This mode is invalid for the interface that has entered the Error-Down state, and is valid
only for the interface that enters the Error-Down state after the error-down auto-recovery
cause bpdu-protection interval interval-value command is run.
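
The edge-port, BPDU filter and BPDU protection settings from 9.9.8 and 9.10.1 can be reviewed together in a saved configuration. The following is an added example, not part of the Huawei guide: the two configuration excerpts are constructed, and the layout (sections separated by "#", interface commands indented under an "interface" line) and the severity labels are assumptions of this sketch.

```python
AUTO_RECOVERY = "error-down auto-recovery cause bpdu-protection interval "

# Constructed sample: edge port and BPDU filter applied to all ports, no protection.
WEAK_SAMPLE = """#
stp edged-port default
stp bpdu-filter default
#
interface 10GE1/0/1
 stp edged-port enable
 stp bpdu-filter enable
#
interface 10GE1/0/2
 description uplink
#
"""

# Constructed sample: one manual edge port, BPDU protection and auto recovery on.
HARDENED_SAMPLE = """#
stp bpdu-protection
error-down auto-recovery cause bpdu-protection interval 30
#
interface 10GE1/0/1
 stp edged-port enable
#
interface 10GE1/0/2
 description uplink
#
"""


def parse_config(text):
    """Split a saved configuration into system-view and per-interface commands."""
    system, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.strip() == "#":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line[0].isspace() and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            system.append(line.strip())
    return system, interfaces


def audit(text):
    """Return a list of (severity, scope, message) findings."""
    system, interfaces = parse_config(text)
    findings = []
    edge_default = "stp edged-port default" in system
    protection = "stp bpdu-protection" in system
    recovery = any(line.startswith(AUTO_RECOVERY) for line in system)
    edge_ports = [n for n, cmds in interfaces.items() if "stp edged-port enable" in cmds]

    if "stp bpdu-filter default" in system:
        findings.append(("high", "system",
                         "stp bpdu-filter default: no port processes or sends BPDUs; loops possible"))
    if edge_default:
        findings.append(("medium", "system",
                         "stp edged-port default: every port is treated as an edge port"))
    for name, cmds in interfaces.items():
        if "stp bpdu-filter enable" in cmds:
            findings.append(("medium", name,
                             "BPDU filter port cannot negotiate STP state with its peer"))
    if (edge_default or edge_ports) and not protection:
        findings.append(("high", "system",
                         "manual edge ports exist but stp bpdu-protection is not enabled"))
    if protection and not recovery:
        findings.append(("info", "system",
                         "no auto recovery: Error-Down edge ports need manual restore"))
    return findings


if __name__ == "__main__":
    for finding in audit(WEAK_SAMPLE):
        print(finding)
```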

9.10.2 Configuring TC Protection on a Device


Context
A switch deletes its MAC address entries and ARP entries after receiving TC BPDUs.
An attacker can use this to their advantage by sending a large number of bogus
TC BPDUs to the switch in a short time, causing the device to frequently delete

MAC address entries and ARP entries. This increases the load on the switch and
threatens network stability.
After enabling TC BPDU protection on a switch, you can set a limit for the number
of times the device processes TC BPDUs within a given time. If this number is
exceeded, the switch processes only the specified number of TC BPDUs. Any excess
TC BPDUs are processed in one go by the switch after the specified period expires.
This function prevents the switch from frequently deleting its MAC address entries
and ARP entries, reducing the load on the switch and guaranteeing network
stability.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp tc-protection
TC protection is enabled for the device.
By default, TC protection is disabled on a device.
Step 3 Run either or both of the following commands to configure TC protection
parameters.
● To set the time period during which the device processes the maximum
number of TC BPDUs, run stp tc-protection interval interval-value.
By default, the time period is the Hello Time.
● To set the maximum number of TC BPDUs that the device processes within a
specified period, run stp tc-protection threshold threshold.
By default, a device processes one TC BPDU within a specified period.
NOTE

● There are two TC protection parameters: time period during which the device processes
the maximum number of TC BPDUs and the maximum number of TC BPDUs processed
within the time period. For example, if the time period is set to 10 seconds and the
maximum number of TC BPDUs is set to 5, the device processes only the first five TC
BPDUs within 10 seconds and processes the other TC BPDUs together 10 seconds later.
● The device processes only the maximum number of TC BPDUs configured by the
stp tc-protection threshold command within the time period configured by the
stp tc-protection interval command. Other packets are processed after a delay,
so spanning tree convergence speed may slow down.

Step 4 Run commit


The configuration is committed.

----End
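
The following added example (not part of the Huawei guide) models the interval/threshold behaviour described above, so you can compare how many MAC/ARP table flushes a TC BPDU burst causes under different settings. It assumes fixed windows aligned to the start of the capture, that a deferred batch counts as one flush, and a default Hello Time of 2 s; the function names and the burst are constructed for illustration.

```python
from collections import defaultdict


def tc_protection_windows(arrivals_ms, interval_ms, threshold):
    """Model TC protection over fixed windows of interval_ms (an assumption:
    the guide does not say when a period starts).

    Returns (events, windows):
      events  - (time_ms, tc_count, kind) flush events. "immediate" means one
                TC BPDU handled on arrival; "deferred" means all excess TC
                BPDUs of a window handled together when the window expires.
      windows - (window_start_ms, received, deferred) per non-empty window.
    """
    if interval_ms <= 0 or threshold < 1:
        raise ValueError("interval must be > 0 and threshold >= 1")

    per_window = defaultdict(list)
    for t in sorted(arrivals_ms):
        per_window[t // interval_ms].append(t)

    events, windows = [], []
    for idx in sorted(per_window):
        times = per_window[idx]
        # The first `threshold` TC BPDUs in the window are processed at once.
        for t in times[:threshold]:
            events.append((t, 1, "immediate"))
        # Everything beyond the threshold waits until the period expires.
        excess = max(len(times) - threshold, 0)
        if excess:
            events.append(((idx + 1) * interval_ms, excess, "deferred"))
        windows.append((idx * interval_ms, len(times), excess))
    return events, windows


def flooded_windows(windows):
    """Windows in which the threshold was exceeded: candidates for an alert."""
    return [w for w in windows if w[2] > 0]


# Constructed input: 50 TC BPDUs, one every 100 ms (a 5-second burst).
CONSTRUCTED_BURST_MS = [i * 100 for i in range(50)]

if __name__ == "__main__":
    settings = {
        "guide example (10 s, 5)": (10_000, 5),
        "defaults (Hello Time assumed 2 s, 1)": (2_000, 1),
    }
    print(f"unprotected: {len(CONSTRUCTED_BURST_MS)} flushes")
    for label, (interval, threshold) in settings.items():
        events, windows = tc_protection_windows(
            CONSTRUCTED_BURST_MS, interval, threshold)
        print(f"{label}: {len(events)} flushes, "
              f"{len(flooded_windows(windows))} window(s) over threshold")
        for time_ms, count, kind in events:
            print(f"  t={time_ms:>6} ms  {kind:<9}  TC BPDUs handled: {count}")
```

The deferred batches are also why the NOTE warns that convergence may slow down: a genuine topology change that arrives after the threshold is reached is not acted on until the window ends.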

9.10.3 Configuring Root Protection on a Port


Context
If a root bridge receives BPDUs with a higher priority than its own due to incorrect
configurations or malicious attacks, the root bridge is incorrectly changed. As a
result, traffic may be switched from high-speed links to low-speed links, leading to
network congestion. You can configure root protection on a designated port,
which prevents the port role from being changed.
Perform the following steps on the root bridge in an MST region.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The view of an interface participating in STP calculation is displayed.
Step 3 Run stp root-protection
Root protection is enabled on the interface.
By default, root protection is disabled on an interface. Root protection takes effect
only on designated ports. Root protection and loop protection cannot be
configured on the same interface.
Step 4 Run commit
The configuration is committed.

----End

9.10.4 Configuring Loop Prevention on a Port


Context
On an RSTP network, a switch can only maintain the states of the root port and
blocked ports if it is continuously receiving RST BPDUs from the upstream switch.
If the ports cannot receive RST BPDUs from the upstream switch due to link
congestion or unidirectional link failures, the switch re-selects a root port. The
previous root port then becomes a designated port and the blocked ports change
to the Forwarding state, potentially creating loops on the network. To prevent
such a problem, configure loop protection.
With loop prevention enabled, if the root port or alternate port does not receive
RST BPDUs from the upstream switch for a long time, the switch sends a
notification to the NMS. The root port enters the Discarding state, whereas the
blocked port remains in Blocking state and does not forward packets, preventing
loops on the network. The root port or alternate port reverts to the Forwarding
state after receiving new RST BPDUs.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The view of the root port or alternate port is displayed.


Step 3 Run stp loop-protection

Loop prevention is enabled on the root port or alternate port.

By default, loop prevention is disabled on a port.

NOTE

An alternate port is a backup for a root port. If a device has an alternate port, configure
loop prevention on both the root port and the alternate port.
Root protection and loop prevention cannot be configured on the same port.

Step 4 Run commit

The configuration is committed.

----End

9.10.5 Verifying the STP/RSTP Configuration

Procedure
● Run the display stp [ interface interface-type interface-number | slot slot-id ]
[ brief ] command to check the spanning tree status and statistics.

----End

9.11 Configuring Interoperability Between Huawei and Non-Huawei Devices

Context
To implement interoperability between Huawei and non-Huawei devices, select
the fast transition mode based on the Proposal/Agreement mechanism of the
non-Huawei device. A device supports the following fast transition modes:

● Enhanced mode: The device determines the root port when it calculates the
synchronization flag bit. The following describes the process:
a. An upstream device sends a Proposal message to a downstream device to
request fast state transition. After receiving the message, the downstream
device sets the port connected to the upstream device as the root port
and blocks all non-edge ports.
b. The upstream device sends an Agreement message to the downstream
device. After the downstream device receives the message, the root port
transitions to the Forwarding state.
c. The downstream device responds with an Agreement message. After
receiving the message, the upstream device sets the port connected to
the downstream device as the designated port, and then the designated
port transitions to the Forwarding state.
● Common mode: The device ignores the root port when it calculates the
synchronization flag bit. The following describes the process:


a. An upstream device sends a Proposal message to a downstream device to
request fast state transition. After receiving the message, the downstream
device sets the port connected to the upstream device as the root port
and blocks all non-edge ports. Then, the root port transitions to the
Forwarding state.
b. The downstream device responds with an Agreement message. After
receiving the message, the upstream device sets the port connected to
the downstream device as the designated port, and then the designated
port transitions to the Forwarding state.
On an STP network, if a Huawei device is connected to a non-Huawei device that
uses a different Proposal/Agreement mechanism, the two devices may fail to
interoperate with each other. Select the enhanced mode or common mode based
on the Proposal/Agreement mechanism of the non-Huawei device.

Pre-configuration Tasks
Before setting parameters for interoperation between Huawei and non-Huawei
devices, configure basic STP/RSTP functions.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The view of an interface participating in spanning tree calculation is displayed.
Step 3 Run stp no-agreement-check
The common fast transition mode is specified.
By default, the enhanced fast transition mode is used on a port.
Step 4 Run commit
The configuration is committed.

----End

9.12 Maintaining STP/RSTP

9.12.1 Clearing STP/RSTP Statistics


Context

NOTICE

STP/RSTP statistics cannot be restored after being cleared.


Procedure
● Run the reset stp [ interface interface-type interface-number ] statistics
command to clear spanning tree statistics.
----End

9.12.2 Monitoring STP/RSTP Topology Change Statistics


You can view statistics about STP/RSTP topology changes. If the statistics keep
increasing, network flapping is occurring.

Procedure
● Run the display stp [ process process-id ] [ instance instance-id ] topology-
change command to check statistics about STP/RSTP topology changes.
● Run the display stp [ process process-id ] [ instance instance-id ] [ interface
interface-type interface-number | slot slot-id ] tc-bpdu statistics command
to check statistics about sent and received TC/TCN packets.
----End

9.13 Configuration Examples for STP/RSTP


This section only provides configuration examples for individual features. For
details about multi-feature configuration examples, feature-specific configuration
examples, interoperation examples, protocol or hardware replacement examples,
and industry application examples, see the Typical Configuration Examples.

9.13.1 Example for Configuring STP


Networking Requirements
On a complex network, multiple physical links are often deployed between two
devices for link redundancy (one as the active link and the others as standby
links). However, redundant links may cause loops on the network, which result in
broadcast storms and unstable MAC address entries.
STP can be deployed on a network to eliminate loops by blocking ports. In Figure
9-17, a loop exists on the network, and SwitchA, SwitchB, SwitchC, and SwitchD
are all running STP. These devices exchange STP BPDUs to discover loops and
block some ports to prune the network into a loop-free tree network, improving
packet processing performance.


Figure 9-17 Networking diagram of STP configuration
[Figure: SwitchA (root bridge), SwitchB, SwitchC, and SwitchD run STP on a ring
below the network. Each switch is shown with ports 10GE1/0/1, 10GE1/0/2, and
10GE1/0/3. Server1 and Server2 attach to the ring, and one port is marked as the
blocked port.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the STP mode for the devices on the ring network.
2. Configure the root bridge and secondary root bridge.
3. Set a path cost for the ports to be blocked.
4. Enable STP to eliminate loops.
NOTE

The ports connected to servers do not participate in STP calculation. Disable STP on
these ports.
5. Verify the configuration.

Procedure
Step 1 Configure the STP mode for the devices on the ring network. The configurations
on SwitchB, SwitchC, and SwitchD are similar to the configurations on SwitchA,
and are not mentioned here.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[*HUAWEI] commit
[~SwitchA] stp mode stp
[*SwitchA] commit


Step 2 Configure the root bridge and secondary root bridge.


# Configure SwitchA as the root bridge.
[~SwitchA] stp root primary
[*SwitchA] commit

# Configure SwitchB as the secondary root bridge.


[~SwitchB] stp root secondary
[*SwitchB] commit

Step 3 Set a path cost for the ports to be blocked.


The path cost value range depends on path cost calculation methods, which must
be the same on all switches. This example uses the Huawei proprietary calculation
method.
# On SwitchA, set the path cost calculation method to the Huawei proprietary
method.
[~SwitchA] stp pathcost-standard legacy
[*SwitchA] commit

# On SwitchB, set the path cost calculation method to the Huawei proprietary
method.
[~SwitchB] stp pathcost-standard legacy
[*SwitchB] commit

# Set the path cost of 10GE1/0/1 on SwitchC to 20000.


[~SwitchC] stp pathcost-standard legacy
[*SwitchC] interface 10ge 1/0/1
[*SwitchC-10GE1/0/1] stp cost 20000
[*SwitchC-10GE1/0/1] commit
[~SwitchC-10GE1/0/1] quit

# On SwitchD, set the path cost calculation method to the Huawei proprietary
method.
[~SwitchD] stp pathcost-standard legacy
[*SwitchD] commit

Step 4 Enable STP to eliminate loops.


● Disable STP on the port connected to the server.
# Disable STP on 10GE1/0/2 of SwitchB.
[~SwitchB] interface 10ge 1/0/2
[~SwitchB-10GE1/0/2] stp disable
[*SwitchB-10GE1/0/2] commit
[~SwitchB-10GE1/0/2] quit

# Disable STP on 10GE1/0/2 of SwitchC.


[~SwitchC] interface 10ge 1/0/2
[~SwitchC-10GE1/0/2] stp disable
[*SwitchC-10GE1/0/2] commit
[~SwitchC-10GE1/0/2] quit

● Enable STP globally on devices.


[~SwitchA] stp enable
[*SwitchA] commit
[~SwitchB] stp enable
[*SwitchB] commit
[~SwitchC] stp enable
[*SwitchC] commit
[~SwitchD] stp enable
[*SwitchD] commit

Step 5 Verify the configuration.


After the preceding configuration is complete and the network becomes stable,
perform the following operations to verify the configuration:
# Run the display stp brief command on SwitchA to view the port roles and
states. The following information is displayed:
[~SwitchA] display stp brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 DESI forwarding none 2 disable
0 10GE1/0/2 DESI forwarding none 2 disable

After SwitchA is configured as the root bridge, 10GE1/0/2 and 10GE1/0/1
connected to SwitchB and SwitchD respectively are elected as designated ports
through spanning tree calculation.
# Run the display stp interface 10GE 1/0/1 brief command on SwitchB to view
the role and state of 10GE1/0/1. The following information is displayed:
[~SwitchB] display stp interface 10ge 1/0/1 brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 DESI forwarding none 2 disable

10GE1/0/1 is elected as a designated port and is in Forwarding state.


# Run the display stp brief command on SwitchC to check the port roles and
states. The following information is displayed:
[~SwitchC] display stp brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 ALTE discarding none 20000 disable
0 10GE1/0/3 ROOT forwarding none 2 disable

10GE1/0/1 is elected as an alternate port and is in Discarding state.


10GE1/0/3 is elected as a root port and is in Forwarding state.

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
stp mode stp
stp instance 0 root primary
stp pathcost-standard legacy
#
return

● SwitchB configuration file


#
sysname SwitchB
#
stp mode stp
stp instance 0 root secondary
stp pathcost-standard legacy
#
interface 10GE1/0/2
stp disable
#
return

● SwitchC configuration file


#
sysname SwitchC
#
stp mode stp
stp pathcost-standard legacy
#
interface 10GE1/0/1
stp instance 0 cost 20000
#
interface 10GE1/0/2
stp disable
#
return

● SwitchD configuration file


#
sysname SwitchD
#
stp mode stp
stp pathcost-standard legacy
#
return

9.13.2 Example for Configuring RSTP


Networking Requirements
On a complex network, multiple physical links are often deployed between two
devices for link redundancy (one as the active link and the others as standby
links). However, redundant links may cause loops on the network, which result in
broadcast storms and unstable MAC address entries.
RSTP can be deployed on a network to eliminate loops by blocking ports. In
Figure 9-18, a loop exists on the network, and SwitchA, SwitchB, SwitchC, and
SwitchD are all running RSTP. These devices exchange BPDUs to discover the loops
and block the appropriate ports in order to trim the ring topology into a loop-free
tree topology, improving packet processing performance.


Figure 9-18 Networking diagram of RSTP configuration
[Figure: SwitchA (root bridge), SwitchB, SwitchC, and SwitchD run RSTP on a ring
below the network. Each switch is shown with ports 10GE1/0/1, 10GE1/0/2, and
10GE1/0/3. Server1 and Server2 attach to the ring, and one port is marked as the
blocked port.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the RSTP mode for the devices on the ring network.
2. Configure the root bridge and secondary root bridge.
3. Set a path cost for the ports to be blocked.
4. Enable RSTP to eliminate loops.
NOTE

The ports connected to servers do not participate in RSTP calculation. Disable RSTP on
these ports.
5. Configure protection functions to protect devices or links.
6. Verify the configuration.

Procedure
Step 1 Configure the RSTP mode for the devices on the ring network. The configurations
on SwitchB, SwitchC, and SwitchD are similar to the configurations on SwitchA,
and are not mentioned here.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[*HUAWEI] commit
[~SwitchA] stp mode rstp
[*SwitchA] commit

Step 2 Configure the root bridge and secondary root bridge.


# Configure SwitchA as the root bridge.
[~SwitchA] stp root primary
[*SwitchA] commit

# Configure SwitchB as the secondary root bridge.


[~SwitchB] stp root secondary
[*SwitchB] commit

Step 3 Set a path cost for the ports to be blocked.


The path cost value range depends on path cost calculation methods, which must
be the same on all switches. This example uses the Huawei proprietary calculation
method.
# On SwitchA, set the path cost calculation method to the Huawei proprietary
method.
[~SwitchA] stp pathcost-standard legacy
[*SwitchA] commit

# On SwitchB, set the path cost calculation method to the Huawei proprietary
method.
[~SwitchB] stp pathcost-standard legacy
[*SwitchB] commit

# Set the path cost of 10GE1/0/1 on SwitchC to 20000.


[~SwitchC] stp pathcost-standard legacy
[*SwitchC] interface 10ge 1/0/1
[*SwitchC-10GE1/0/1] stp cost 20000
[*SwitchC-10GE1/0/1] commit
[~SwitchC-10GE1/0/1] quit

# On SwitchD, set the path cost calculation method to the Huawei proprietary
method.
[~SwitchD] stp pathcost-standard legacy
[*SwitchD] commit

Step 4 Enable RSTP to eliminate loops.


● Disable RSTP on the ports connected to servers.
# Disable RSTP on 10GE1/0/2 of SwitchB.
[~SwitchB] interface 10ge 1/0/2
[~SwitchB-10GE1/0/2] stp disable
[*SwitchB-10GE1/0/2] commit
[~SwitchB-10GE1/0/2] quit

# Disable RSTP on 10GE1/0/2 of SwitchC.


[~SwitchC] interface 10ge 1/0/2
[~SwitchC-10GE1/0/2] stp disable
[*SwitchC-10GE1/0/2] commit
[~SwitchC-10GE1/0/2] quit

● Enable RSTP globally on devices.


[~SwitchA] stp enable
[*SwitchA] commit
[~SwitchB] stp enable
[*SwitchB] commit
[~SwitchC] stp enable
[*SwitchC] commit
[~SwitchD] stp enable
[*SwitchD] commit

Step 5 Configure root protection on the designated ports of the root bridge.
# Configure root protection on 10GE1/0/1 and 10GE1/0/2 of SwitchA.
[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] stp root-protection
[*SwitchA-10GE1/0/1] quit
[*SwitchA] interface 10ge 1/0/2
[*SwitchA-10GE1/0/2] stp root-protection
[*SwitchA-10GE1/0/2] quit
[*SwitchA] commit

Step 6 Verify the configuration.


After the preceding configuration is complete and the network becomes stable,
perform the following operations to verify the configuration:
# Run the display stp brief command on SwitchA to view the states and
protection type on RSTP ports. The following information is displayed:
[~SwitchA] display stp brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 DESI forwarding root 2 disable
0 10GE1/0/2 DESI forwarding root 2 disable

After SwitchA is configured as the root bridge, 10GE1/0/2 connected to SwitchB
and 10GE1/0/1 connected to SwitchD are elected as designated ports through
spanning tree calculation and configured with root protection.
# Run the display stp interface 10GE 1/0/1 brief command on SwitchB to view
the role and state of 10GE1/0/1. The following information is displayed:
[~SwitchB] display stp interface 10ge 1/0/1 brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 DESI forwarding none 2 disable

10GE1/0/1 is elected as a designated port and is in Forwarding state.


# Run the display stp brief command on SwitchC to check the port roles and
states. The following information is displayed:
[~SwitchC] display stp brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 ALTE discarding none 20000 disable
0 10GE1/0/3 ROOT forwarding none 2 disable

10GE1/0/1 is elected as an alternate port and is in Discarding state.


10GE1/0/3 is elected as a root port and is in Forwarding state.

----End
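
The verification step can be automated. The following added example (not part of the Huawei guide) parses display stp brief output in the format shown above and reports ports whose protection does not match the rules in sections 9.10.3 and 9.10.4. The function names and finding labels are hypothetical, the caller states whether the device is the root bridge, and the Protection value "loop" for loop protection is an assumption because the guide only shows "none" and "root".

```python
from collections import namedtuple

PortRow = namedtuple("PortRow", "mstid port role state protection cost edged")


def parse_stp_brief(text):
    """Parse 'display stp brief' rows; prompts and the header line are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        # Data rows have 7 fields: MSTID Port Role State Protection Cost Edged
        if len(f) == 7 and f[0].isdigit() and f[5].isdigit():
            rows.append(PortRow(int(f[0]), f[1], f[2].upper(), f[3].lower(),
                                f[4].lower(), int(f[5]), f[6].lower()))
    return rows


def audit_protection(rows, is_root_bridge):
    """Return (port, finding) pairs, at most one finding per port."""
    findings = []
    for r in rows:
        if r.protection == "root" and r.role != "DESI":
            # Root protection takes effect only on designated ports.
            findings.append((r.port, "root-protection-on-non-designated-port"))
        elif r.role in ("ROOT", "ALTE") and r.protection != "loop":
            # The guide advises loop protection on root and alternate ports.
            findings.append((r.port, "no-loop-protection"))
        elif (is_root_bridge and r.role == "DESI" and r.edged == "disable"
              and r.protection != "root"):
            # A superior BPDU received here could displace the root bridge.
            # Edge ports are out of scope for this check.
            findings.append((r.port, "designated-port-without-root-protection"))
    return findings


# Output copied from the STP example (section 9.13.1): no root protection.
SWITCHA_STP = """\
[~SwitchA] display stp brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 DESI forwarding none 2 disable
0 10GE1/0/2 DESI forwarding none 2 disable
"""

# Output copied from the RSTP example (section 9.13.2): root protection set.
SWITCHA_RSTP = """\
[~SwitchA] display stp brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 DESI forwarding root 2 disable
0 10GE1/0/2 DESI forwarding root 2 disable
"""

# Output copied from the RSTP example for SwitchC (not the root bridge).
SWITCHC_RSTP = """\
[~SwitchC] display stp brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 ALTE discarding none 20000 disable
0 10GE1/0/3 ROOT forwarding none 2 disable
"""

# Constructed row: root protection configured on a root port.
CONSTRUCTED_MISAPPLIED = """\
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/3 ROOT forwarding root 2 disable
"""

if __name__ == "__main__":
    samples = [
        ("SwitchA (STP example)", SWITCHA_STP, True),
        ("SwitchA (RSTP example)", SWITCHA_RSTP, True),
        ("SwitchC (RSTP example)", SWITCHC_RSTP, False),
        ("constructed", CONSTRUCTED_MISAPPLIED, False),
    ]
    for name, output, is_root in samples:
        result = audit_protection(parse_stp_brief(output), is_root)
        print(name, "->", result or "no findings")
```

Run it against the full display stp brief output of each device; a single-interface query does not show the device's other ports.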

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
stp mode rstp
stp instance 0 root primary
stp pathcost-standard legacy
#
interface 10GE1/0/1
stp root-protection
#
interface 10GE1/0/2
stp root-protection
#
return

● SwitchB configuration file


#
sysname SwitchB
#
stp mode rstp
stp instance 0 root secondary
stp pathcost-standard legacy
#
interface 10GE1/0/2
stp disable
#
return

● SwitchC configuration file


#
sysname SwitchC
#
stp mode rstp
stp pathcost-standard legacy
#
interface 10GE1/0/1
stp instance 0 cost 20000
#
interface 10GE1/0/2
stp disable
#
return

● SwitchD configuration file


#
sysname SwitchD
#
stp mode rstp
stp pathcost-standard legacy
#
return


10 MSTP Configuration

This chapter describes the concepts and configuration procedure of the Multiple
Spanning Tree Protocol (MSTP), and provides configuration examples.

10.1 Overview of MSTP
10.2 Understanding MSTP
10.3 Application Scenarios for MSTP
10.4 Summary of MSTP Configuration Tasks
10.5 Licensing Requirements and Limitations for MSTP
10.6 Default Settings for MSTP
10.7 Configuring Basic MSTP Functions
10.8 Configuring MSTP Multi-Process
10.9 Configuring MSTP Parameters on an Interface
10.10 Configuring MSTP Protection Functions
10.11 Configuring MSTP Interoperation Between Huawei Devices and Non-Huawei
Devices
10.12 Maintaining MSTP
10.13 Configuration Examples for MSTP

10.1 Overview of MSTP


Definition
Generally, redundant links are used on an Ethernet switching network to provide
link backup and enhance network reliability. The use of redundant links, however,
may produce loops, causing broadcast storms and rendering the MAC address
table unstable. As a result, the communication quality deteriorates, and the
communication service may even be interrupted. The Spanning Tree Protocol
(STP) is introduced to solve this problem.


STP refers to STP defined in IEEE 802.1D, the Rapid Spanning Tree Protocol (RSTP)
defined in IEEE 802.1w, and the Multiple Spanning Tree Protocol (MSTP) defined
in IEEE 802.1s.
MSTP is compatible with RSTP and STP, and RSTP is compatible with STP. STP,
RSTP, and MSTP all prevent broadcast storms and achieve redundancy. Table 10-1
compares STP, RSTP, and MSTP.

Table 10-1 Comparison between STP, RSTP, and MSTP

Spanning Tree Protocol: STP
Characteristics:
● In an STP region, a loop-free tree is generated.
● Route convergence is slow.
Usage Scenario (shared with RSTP): STP or RSTP is used when all VLANs share one
spanning tree. In this situation, users or services do not need to be
differentiated.

Spanning Tree Protocol: RSTP
Characteristics:
● In an RSTP region, a loop-free tree is generated.
● RSTP allows fast convergence of the network topology.
Usage Scenario (shared with STP): STP or RSTP is used when all VLANs share one
spanning tree. In this situation, users or services do not need to be
differentiated.

Spanning Tree Protocol: MSTP
Characteristics:
● In an MSTP region, multiple loop-free trees are generated.
● MSTP achieves fast convergence of the network topology.
● MSTP implements load balancing among VLANs. Traffic in different VLANs is
transmitted along different paths.
Usage Scenario: MSTP is used when traffic in different VLANs is forwarded
through different spanning trees that are independent of each other to
implement load balancing. In this situation, users or services are
distinguished by VLANs.

Purpose
After a spanning tree protocol is configured on an Ethernet switching network, it
calculates the network topology and implements the following functions to
remove network loops:
● Loop cut-off: The potential loops on the network are cut off by blocking
redundant links.
● Link redundancy: If an active path becomes faulty, a redundant link can be
activated to ensure network connectivity.
In addition to the above functions, MSTP also ensures faster convergence than STP
and can load balance among multiple VLANs.

10.2 Understanding MSTP


10.2.1 MSTP Background


RSTP is an enhancement to STP, implementing faster convergence of the network
topology. However, RSTP and STP have a common problem: All VLANs on a LAN
use one spanning tree, and VLAN-based load balancing cannot be performed.
Once a link is blocked, it will no longer transmit traffic, wasting bandwidth and
causing the forwarding of packets from certain VLANs to fail.

Figure 10-1 STP/RSTP defect
[Figure: switches S1 to S6 with links labeled VLAN 2 and/or VLAN 3; ServerA
(VLAN 2), ServerB (VLAN 2), ServerC (VLAN 3), and ServerD (VLAN 3) attach to the
switches. Legend: Spanning tree (root bridge: S6).]

On the LAN shown in Figure 10-1, STP or RSTP is enabled. The broken line
represents the spanning tree. S6 is the root bridge. The links between S1 and S4
and between S2 and S5 are blocked. VLAN packets are transmitted using the
corresponding links marked with "VLAN 2" or "VLAN 3."
Server A and Server B belong to VLAN 2 but they cannot communicate with each
other because the link between S2 and S5 is blocked and the link between S3 and
S6 denies packets from VLAN 2.
To overcome this issue that is present in STP and RSTP, the IEEE released 802.1s in
2002, defining the Multiple Spanning Tree Protocol (MSTP). In addition to
implementing fast convergence, MSTP also provides multiple paths to load
balance VLAN traffic.
MSTP divides a switching network into multiple regions, known as Multiple
Spanning Tree (MST) regions. Each MST region has multiple spanning trees,
known as Multiple Spanning Tree Instances (MSTIs), that are independent of each
other.


NOTE

An instance is a collection of VLANs. Binding multiple VLANs to an instance saves
communication cost and reduces resource usage. The topology of each MSTI is calculated
independently from other MSTIs, and traffic can be balanced among MSTIs. Multiple VLANs
that have the same topology can be mapped to one instance. Whether a port forwards
packets from a VLAN depends on the port status in the MSTI.

Figure 10-2 Multiple spanning trees in an MST region
[Figure: switches S1 to S6 with links labeled VLAN 2 and/or VLAN 3; ServerA
(VLAN 2), ServerB (VLAN 2), ServerC (VLAN 3), and ServerD (VLAN 3) attach to the
switches. Legend: Spanning tree (root bridge: S4); Spanning tree (root bridge:
S6).]

On the network shown in Figure 10-2, MSTP maps VLANs to MSTIs in the VLAN
mapping table. Each VLAN can be mapped to only one MSTI. This means that
traffic of a VLAN can be transmitted in only one MSTI. An MSTI, however, can
correspond to multiple VLANs.

Two spanning trees are calculated:


● MSTI 1 uses S4 as the root bridge to forward packets of VLAN 2.
● MSTI 2 uses S6 as the root bridge to forward packets of VLAN 3.

In this manner, devices within the same VLAN can communicate with each other;
packets of different VLANs are load balanced along different paths.

10.2.2 Basic Concepts of MSTP

MSTP Network Hierarchy


As shown in Figure 10-3, the MSTP network consists of one or more MST regions,
each of which contains one or more MSTIs. An MSTI is a tree network consisting
of switching devices running STP, RSTP, or MSTP.


Figure 10-3 MSTP network hierarchy
[Figure: an MSTP network containing three MST regions; each MST region contains
MSTI0, MSTI1, and MSTI2.]

MST Region
An MST region contains multiple switching devices and network segments
between these devices. The switching devices in one MST region have the
following characteristics:
● MSTP-enabled
● Same region name
● Same VLAN-MSTI mappings
● Same MSTP revision level
A LAN can comprise several MST regions that are directly or indirectly connected.
Multiple switching devices can be grouped into an MST region by using MSTP
configuration commands.
On the network shown in Figure 10-4, the MST region D0 contains the switching
devices S1, S2, S3, and S4, and has three MSTIs.


Figure 10-4 MST region
[Figure: MST region D0 with switches S1 (master bridge, port AP1), S2, S3, and
S4. MSTI1: root switch S3. MSTI2: root switch S2. MSTI0 (IST): root switch S1.
Mapping table: VLAN 1 to MSTI 1; VLAN 2 and VLAN 3 to MSTI 2; other VLANs to
MSTI 0.]

VLAN Mapping Table


The VLAN mapping table is an attribute of the MST region. It describes mappings
between VLANs and MSTIs.
On the network shown in Figure 10-4, the mappings in the VLAN mapping table
of the MST region D0 are as follows:
● VLAN 1 is mapped to MSTI 1.
● VLAN 2 and VLAN 3 are mapped to MSTI 2.
● Other VLANs are mapped to MSTI 0.
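
Because region membership depends on the region name, the revision level, and the full VLAN mapping table, one drifted mapping on one switch puts it in a different region. The following added example (not part of the Huawei guide) groups switches by those three attributes and lists the VLANs whose mapping differs; it compares the expanded tables directly rather than any digest carried in BPDUs. The dictionary layout, function names, revision level 0, and the drifted S4 entry are constructed for illustration.

```python
def build_vlan_table(instance_vlans):
    """Expand {msti: [(first_vlan, last_vlan), ...]} into a tuple indexed by
    VLAN 1..4094. VLANs that are not listed map to MSTI 0."""
    assigned = {}
    for msti, ranges in instance_vlans.items():
        for lo, hi in ranges:
            if not 1 <= lo <= hi <= 4094:
                raise ValueError(f"invalid VLAN range {lo}-{hi}")
            for vlan in range(lo, hi + 1):
                # Each VLAN can be mapped to only one MSTI.
                if assigned.get(vlan, msti) != msti:
                    raise ValueError(
                        f"VLAN {vlan} mapped to MSTI {assigned[vlan]} and MSTI {msti}")
                assigned[vlan] = msti
    return tuple(assigned.get(v, 0) for v in range(1, 4095))


def region_identity(cfg):
    """The three attributes that must match for switches to share a region."""
    return (cfg["region_name"], cfg["revision_level"],
            build_vlan_table(cfg["instance_vlans"]))


def group_by_region(switches):
    """Group switch names whose region attributes are identical."""
    groups = {}
    for name, cfg in switches.items():
        groups.setdefault(region_identity(cfg), []).append(name)
    return sorted(sorted(members) for members in groups.values())


def explain_mismatch(cfg_a, cfg_b):
    """List why two switches are not in the same MST region (empty if they are)."""
    reasons = []
    if cfg_a["region_name"] != cfg_b["region_name"]:
        reasons.append(("region_name", cfg_a["region_name"], cfg_b["region_name"]))
    if cfg_a["revision_level"] != cfg_b["revision_level"]:
        reasons.append(("revision_level", cfg_a["revision_level"],
                        cfg_b["revision_level"]))
    table_a = build_vlan_table(cfg_a["instance_vlans"])
    table_b = build_vlan_table(cfg_b["instance_vlans"])
    for vlan, (a, b) in enumerate(zip(table_a, table_b), start=1):
        if a != b:
            reasons.append((f"vlan {vlan}", f"MSTI {a}", f"MSTI {b}"))
    return reasons


# Mapping table of region D0 from Figure 10-4; revision level 0 is constructed.
D0 = {"region_name": "D0", "revision_level": 0,
      "instance_vlans": {1: [(1, 1)], 2: [(2, 3)]}}

# Constructed drift: on S4, VLAN 3 was left out of MSTI 2 and falls back to MSTI 0.
S4_DRIFTED = {"region_name": "D0", "revision_level": 0,
              "instance_vlans": {1: [(1, 1)], 2: [(2, 2)]}}

SWITCHES = {"S1": D0, "S2": D0, "S3": D0, "S4": S4_DRIFTED}

if __name__ == "__main__":
    print("regions:", group_by_region(SWITCHES))
    print("S1 vs S4:", explain_mismatch(SWITCHES["S1"], SWITCHES["S4"]))
```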

Regional Root
Regional roots are classified into Internal Spanning Tree (IST) and MSTI regional
roots.
In the regions B0, C0, and D0 on the network shown in Figure 10-6, the switching
devices closest to the Common and Internal Spanning Tree (CIST) root are IST
regional roots.
An MST region can contain multiple spanning trees, each called an MSTI. An MSTI
regional root is the root of the MSTI. On the network shown in Figure 10-5, each
MSTI has its own regional root.


Figure 10-5 MSTI
[Figure: an MST region whose links carry combinations of VLAN 10, VLAN 20, and
VLAN 30, shown beside three MSTIs corresponding to VLAN 10, VLAN 20, and VLAN 30,
each with its own root. Legend: MSTI links; MSTI links blocked by the protocol.]

MSTIs are independent of each other. An MSTI can correspond to one or more
VLANs, but a VLAN can be mapped to only one MSTI.

Master Bridge
The master bridge is the IST master, which is the switching device closest to the
CIST root in a region, for example, S1 shown in Figure 10-4.
If an MST region contains the CIST root, the CIST root is the master bridge of the
region.


CIST Root

Figure 10-6 MSTP network
[Figure: MST regions A0, B0, C0, and D0. A0 contains the CIST root; B0, C0, and
D0 are each marked with a region root. Legend: IST; CST.]

On the network shown in Figure 10-6, the CIST root is the root bridge of the CIST.
The CIST root is a device in A0.

CST
A Common Spanning Tree (CST) connects all the MST regions on a switching
network.

If each MST region is considered a node, the CST is calculated by STP or RSTP
based on all the nodes.

On the network shown in Figure 10-6, the MST regions are connected to form a
CST.

IST
An IST resides within an MST region and has the MSTI ID of 0. An IST is a segment
of the CIST in an MST region.

On the network shown in Figure 10-6, the switching devices in an MST region are
connected to form an IST.


CIST
A CIST, calculated by STP or RSTP, connects all the switching devices on a
switching network.
On the network shown in Figure 10-6, the ISTs and the CST form a complete
spanning tree, the CIST.

SST
A Single Spanning Tree (SST) is formed in either of the following situations:
● A switching device running STP or RSTP belongs to only one spanning tree.
● An MST region has only one switching device.
On the network shown in Figure 10-6, the switching device in B0 forms an SST.

Port Role
In addition to the port types in RSTP (root ports, designated ports, alternate ports,
backup ports, and edge ports), MSTP has two other port types: master ports and
regional edge ports.
The functions of root ports, designated ports, alternate ports, backup ports, and
edge ports have been defined in RSTP. Table 10-2 lists all port roles in MSTP.

NOTE

Except edge ports, all ports participate in MSTP calculation.


A port can play different roles in different spanning tree instances.

Table 10-2 Port roles

| Port Role | Description |
|---|---|
| Root port | A root port is the non-root bridge port closest to the root bridge. Root bridges do not have root ports. Root ports are responsible for sending data to root bridges. On the network shown in Figure 10-7, S1 is the root; CP1 is the root port on S3; BP1 is the root port on S2. |
| Designated port | The designated port on a switching device forwards BPDUs to the downstream switching device. On the network shown in Figure 10-7, AP2 and AP3 are designated ports on S1; CP2 is a designated port on S3. |
| Alternate port | An alternate port serves the following functions: ● From the perspective of sending BPDUs, an alternate port is blocked after it receives a BPDU sent by another bridge. ● From the perspective of user traffic, an alternate port provides an alternate path to the root bridge. This path is different from that provided by the root port. On the network shown in Figure 10-7, BP2 is an alternate port. |
| Backup port | A backup port serves the following functions: ● From the perspective of sending BPDUs, a backup port is blocked after it receives a BPDU sent by itself. ● From the perspective of user traffic, a backup port provides a backup/redundant path to a segment to which a designated port is already connected. On the network shown in Figure 10-7, CP3 is a backup port. |
| Master port | A master port provides the shortest path from an MST region to the CIST root. BPDUs of an MST region are sent to the CIST root through the master port. Master ports are special regional edge ports, functioning as root ports on ISTs or CISTs and functioning as master ports in MSTIs. On the network shown in Figure 10-8, S1, S2, S3, and S4 form an MST region. AP1 on S1, being the nearest port in the region to the CIST root, is the master port. |
| Regional edge port | A regional edge port is located at the edge of an MST region and connects to another MST region or an SST. During MSTP calculation, the roles of a regional edge port in the MSTI and the CIST instance are the same. As such, if the regional edge port is the master port in the CIST instance, it is the master port in all the MSTIs in the region. On the network shown in Figure 10-8, AP1, DP1, and DP2 in an MST region are directly connected to other regions, and therefore they are all regional edge ports of the MST region. AP1 is a master port in the CIST. Therefore, AP1 is the master port in every MSTI in the MST region. |
| Edge port | An edge port is located at the edge of an MST region and does not connect to any switching device. Generally, edge ports are directly connected to terminals. After MSTP is enabled on a port, edge port detection is started automatically. If the port fails to receive BPDU packets within (2 x Hello Timer + 1) seconds, the port is set to an edge port. Otherwise, the port is set to a non-edge port. |


Figure 10-7 Root port, designated port, alternate port, and backup port

[Figure: S1 (root) with ports AP2 and AP3; S3 with ports CP1, CP2, and CP3; S2 with ports BP1 and BP2. Legend: root port; designated port; alternate port; backup port.]

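Figure 10-8 Master port and regional edge port

[Figure: an MST region containing S1, S2, S3, and S4. AP1 on S1 is labeled as the master port and carries the connection to the CIST root; DP1 and DP2 are ports at the edge of the region. Legend: blocked.]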

MSTP Port States


Table 10-3 lists the MSTP port states, which are the same as the RSTP port states.


Table 10-3 Port states

| Port State | Description |
|---|---|
| Forwarding | A port in the Forwarding state can send and receive BPDUs as well as forward user traffic. |
| Learning | A port in the Learning state learns MAC addresses from user traffic to build a MAC address table. In the Learning state, the port can send and receive BPDUs, but not forward user traffic. |
| Discarding | A port in the Discarding state can only receive BPDUs. |

There is no direct link between the port state and the port role. Table 10-4 lists
the supported port states for each port role.

Table 10-4 Supported port states for each port role

| Port State | Root Port/Master Port | Designated Port | Regional Edge Port | Alternate Port | Backup Port |
|---|---|---|---|---|---|
| Forwarding | Supported | Supported | Supported | Not supported | Not supported |
| Learning | Supported | Supported | Supported | Not supported | Not supported |
| Discarding | Supported | Supported | Supported | Supported | Supported |

10.2.3 MST BPDUs


MSTP calculates spanning trees using Multiple Spanning Tree Bridge Protocol Data
Units (MST BPDUs). MST BPDUs are transmitted to calculate spanning tree
topologies, maintain network topologies, and convey topology changes.

Table 10-5 shows differences in the protocol version and type between TCN
BPDUs, configuration BPDUs (defined by STP), RST BPDUs (defined by RSTP), and
MST BPDUs (defined by MSTP).

Table 10-5 Differences between BPDUs

| Protocol Version | Type | Name |
|---|---|---|
| 0 | 0x00 | Configuration BPDU |
| 0 | 0x80 | TCN BPDU |
| 2 | 0x02 | RST BPDU |
| 3 | 0x02 | MST BPDU |

MST BPDU Format


Figure 10-9 shows the MST BPDU format.

Figure 10-9 MST BPDU format

| Field | Octet |
|---|---|
| Protocol Identifier | 1-2 |
| Protocol Version Identifier | 3 |
| BPDU Type | 4 |
| CIST Flags | 5 |
| CIST Root Identifier | 6-13 |
| CIST External Path Cost | 14-17 |
| CIST Regional Root Identifier | 18-25 |
| CIST Port Identifier | 26-27 |
| Message Age | 28-29 |
| Max Age | 30-31 |
| Hello Time | 32-33 |
| Forward Delay | 34-35 |
| Version 1 Length=0 | 36 |
| Version 3 Length | 37-38 |
| MST Configuration Identifier | 39-89 |
| CIST Internal Root Path Cost | 90-93 |
| CIST Bridge Identifier | 94-101 |
| CIST Remaining Hops | 102 |
| MSTI Configuration Messages (may be absent) | 103-39+Version 3 Length |

The figure marks the MSTP-specific fields with the label "MST special fields".

The first 36 bytes of an intra-region or inter-region MST BPDU are the same as
those of an RST BPDU.
Fields from the 37th byte of an MST BPDU are MSTP-specific. The field MSTI
Configuration Messages consists of configuration messages of multiple MSTIs.
Table 10-6 lists the major information carried in an MST BPDU.


Table 10-6 Major information carried in an MST BPDU

| Field | Bytes | Description |
|---|---|---|
| Protocol Identifier | 2 | Indicates the protocol identifier. |
| Protocol Version Identifier | 1 | Indicates the protocol version identifier. 0 indicates STP; 2 indicates RSTP; 3 indicates MSTP. |
| BPDU Type | 1 | Indicates the BPDU type: ● 0x00: Configuration BPDU for STP ● 0x80: TCN BPDU for STP ● 0x02: RST BPDU or MST BPDU |
| CIST Flags | 1 | Indicates the CIST flags. |
| CIST Root Identifier | 8 | Indicates the CIST root switching device ID. |
| CIST External Path Cost | 4 | Indicates the total path cost from the MST region where the switching device resides to the MST region where the CIST root switching device resides. This value is calculated based on link bandwidth. |
| CIST Regional Root Identifier | 8 | Indicates the ID of the regional root switching device on the CIST, that is, the IST master ID. If the root is in this region, the CIST Regional Root Identifier is the same as the CIST Root Identifier. |
| CIST Port Identifier | 2 | Indicates the ID of the designated port in the IST. |
| Message Age | 2 | Indicates the lifecycle of the BPDU. |
| Max Age | 2 | Indicates the maximum lifecycle of the BPDU. If the Max Age timer expires, it is considered that the link to the root fails. |
| Hello Time | 2 | Indicates the Hello timer value. The default value is 2 seconds. |
| Forward Delay | 2 | Indicates the forwarding delay timer. The default value is 15 seconds. |
| Version 1 Length | 1 | Indicates the BPDUv1 length, which has a fixed value of 0. |
| Version 3 Length | 2 | Indicates the BPDUv3 length. |
| MST Configuration Identifier | 51 | Indicates the MST configuration identifier, which has four fields. |
| CIST Internal Root Path Cost | 4 | Indicates the total path cost from the local port to the IST master. This value is calculated based on link bandwidth. |
| CIST Bridge Identifier | 8 | Indicates the ID of the designated switching device on the CIST. |
| CIST Remaining Hops | 1 | Indicates the remaining hops of the BPDU in the CIST. |
| MSTI Configuration Messages (may be absent) | 16 | Indicates an MSTI configuration message. Each MSTI configuration message occupies 16 bytes. If there are n MSTIs, MSTI configuration messages occupy n x 16 bytes. |
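The octet layout in Figure 10-9 and the field sizes in Table 10-6 are enough to decode a captured MST BPDU and to reject frames whose length fields contradict that layout. The Python parser below is an added example, not Huawei code; the sample frame is constructed, and two details are assumptions not stated in this guide: Version 3 Length counts the bytes that follow it, and the timer fields are encoded in units of 1/256 second.

```python
import struct

# (Protocol Version Identifier, BPDU Type) -> name, as listed in Table 10-5.
BPDU_KINDS = {(0, 0x00): "Configuration BPDU", (0, 0x80): "TCN BPDU",
              (2, 0x02): "RST BPDU", (3, 0x02): "MST BPDU"}

# Octets 1-38 of Figure 10-9, up to and including Version 3 Length (big-endian).
HEAD = struct.Struct(">HBBB8sI8sHHHHHBH")
# Octets 90-102: CIST Internal Root Path Cost, CIST Bridge Identifier,
# CIST Remaining Hops.
TAIL = struct.Struct(">I8sB")
MST_CFG_ID_LEN = 51      # octets 39-89
MSTI_MSG_LEN = 16        # one MSTI configuration message
# Assumption: Version 3 Length counts the bytes after it, so a BPDU without
# MSTI messages carries 51 + 4 + 8 + 1 = 64.
FIXED_V3_LEN = MST_CFG_ID_LEN + TAIL.size


def bridge_id(raw):
    """Split an 8-byte bridge ID into (16-bit priority value, MAC address)."""
    return int.from_bytes(raw[:2], "big"), ":".join(f"{b:02x}" for b in raw[2:])


def classify(frame):
    """Name the BPDU from octets 3 and 4; None if the pair is not in Table 10-5."""
    if len(frame) < 4:
        raise ValueError("too short to carry a BPDU header")
    return BPDU_KINDS.get((frame[2], frame[3]))


def parse_mst_bpdu(frame):
    """Decode an MST BPDU, rejecting length fields that contradict the layout."""
    if classify(frame) != "MST BPDU":
        raise ValueError("not an MST BPDU (version 3, type 0x02)")
    if len(frame) < HEAD.size + FIXED_V3_LEN:
        raise ValueError("truncated before CIST Remaining Hops (octet 102)")
    (proto, _version, _btype, flags, root, erpc, regional_root, port_id,
     msg_age, max_age, hello, fwd_delay, v1_len, v3_len) = HEAD.unpack_from(frame)
    if v1_len != 0:
        raise ValueError("Version 1 Length must be 0")
    msti_bytes = v3_len - FIXED_V3_LEN
    if msti_bytes < 0 or msti_bytes % MSTI_MSG_LEN:
        raise ValueError("Version 3 Length is not 64 + n x 16")
    end = HEAD.size + v3_len
    if len(frame) < end:
        raise ValueError("Version 3 Length runs past the end of the frame")
    irpc, bridge, hops = TAIL.unpack_from(frame, HEAD.size + MST_CFG_ID_LEN)
    first_msti = HEAD.size + FIXED_V3_LEN          # octet 103
    return {
        "protocol_id": proto,
        "cist_flags": flags,
        "cist_root": bridge_id(root),
        "cist_external_path_cost": erpc,
        "cist_regional_root": bridge_id(regional_root),
        "cist_port_id": port_id,
        # Timer fields: units of 1/256 second (assumption, see lead-in).
        "message_age_s": msg_age / 256,
        "max_age_s": max_age / 256,
        "hello_time_s": hello / 256,
        "forward_delay_s": fwd_delay / 256,
        "mst_config_id": frame[HEAD.size:HEAD.size + MST_CFG_ID_LEN],
        "cist_internal_root_path_cost": irpc,
        "cist_bridge": bridge_id(bridge),
        "cist_remaining_hops": hops,
        "msti_messages": [frame[i:i + MSTI_MSG_LEN]
                          for i in range(first_msti, end, MSTI_MSG_LEN)],
    }


def build_sample(n_msti=2, v1_len=0, v3_len=None):
    """Constructed MST BPDU for the demo; every value in it is made up."""
    root = bytes.fromhex("1000" "00005e005301")       # priority 4096
    regional = bytes.fromhex("8000" "00005e005302")   # priority 32768
    if v3_len is None:
        v3_len = FIXED_V3_LEN + n_msti * MSTI_MSG_LEN
    head = HEAD.pack(0, 3, 0x02, 0x7C, root, 20000, regional, 0x8001,
                     1 * 256, 20 * 256, 2 * 256, 15 * 256, v1_len, v3_len)
    tail = TAIL.pack(2000, regional, 19)
    return head + bytes(MST_CFG_ID_LEN) + tail + bytes(MSTI_MSG_LEN) * n_msti


if __name__ == "__main__":
    info = parse_mst_bpdu(build_sample())
    print(info["cist_root"], info["hello_time_s"], len(info["msti_messages"]))
```
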

Configurable MST BPDU Formats


Currently, devices of most vendors support two MST BPDU formats:
● dot1s: BPDU format defined in IEEE 802.1s.
● legacy: private BPDU format.
A problem can arise if a port transmits either dot1s or legacy BPDUs by
default: the user needs to identify the format of BPDUs sent by the peer,
and then run a command to configure the port to support the peer BPDU format.
If the configuration is incorrect, a loop will likely occur due to incorrect MSTP
calculation.
On Huawei network devices, this issue can be overcome by using the stp
compliance command. This command configures a port to automatically adjust
the MST BPDU format. With this function, the port automatically adopts the peer
BPDU format. The following MST BPDU formats are supported by Huawei network
devices:
● auto
● dot1s
● legacy
In addition to dot1s and legacy formats, the auto mode allows a port to
automatically change to the BPDU format used by the peer based on BPDUs
received from the peer. In this manner, the two ports use the same BPDU format.
In auto mode, a port uses the dot1s BPDU format by default, and changes format
according to the peer after receiving BPDUs from the peer.

Configurable Maximum Number of BPDUs Sent by a Port at a Hello Interval


BPDUs are sent at Hello intervals to maintain the spanning tree. If a switching
device does not receive any BPDU during a certain period of time, the spanning
tree will be re-calculated.


After a switching device becomes the root, it sends BPDUs at Hello intervals. Non-
root switching devices adopt the Hello Time value set for the root.

Huawei network devices allow the maximum number of BPDUs sent by a port at a
Hello interval to be configured as needed.

The greater the Hello Time value, the more BPDUs sent at a Hello interval. Setting
the Hello Time to a proper value limits the number of BPDUs sent by a port at a
Hello interval. This helps prevent network topology flapping and avoid excessive
use of bandwidth resources by BPDUs.

10.2.4 MSTP Topology Calculation

MSTP Principle
MSTP can divide the entire Layer 2 network into multiple MST regions and
calculate the CST. In an MST region, multiple spanning trees are calculated, each
of which is called an MSTI. Of these MSTIs, MSTI 0 is also known as the internal
spanning tree (IST). Like STP, MSTP uses configuration messages to calculate
spanning trees, but the configuration messages are MSTP-specific.

Vectors
Both MSTIs and the CIST are calculated based on vectors, which are carried in
MST BPDUs. Therefore, switching devices exchange MST BPDUs to calculate MSTIs
and the CIST.

● Vectors are described as follows:


– The following vectors participate in the CIST calculation:
{ root ID, external root path cost, regional root ID, internal root path cost,
designated switching device ID, designated port ID, receiving port ID }
– The following vectors participate in the MSTI calculation:
{ regional root ID, internal root path cost, designated switching device ID,
designated port ID, receiving port ID }
The vectors in braces are in descending order of priority, from left to right.
Table 10-7 describes the vectors.

Table 10-7 Vector description

| Vector Name | Description |
|---|---|
| Root ID | Identifies the root switching device for the CIST. The root ID consists of the priority value (16 bits) and MAC address (48 bits). The priority value is the priority of MSTI 0. |
| External root path cost (ERPC) | Indicates the path cost from a CIST regional root to the root. ERPCs saved on all switching devices in an MST region are the same. If the CIST root is in an MST region, ERPCs saved on all switching devices in the MST region are 0s. |
| Regional root ID | Identifies the MSTI regional root. The regional root ID consists of the priority value (16 bits) and MAC address (48 bits). The priority value is the priority of MSTI 0. |
| Internal root path cost (IRPC) | Indicates the path cost from the local bridge to the regional root. The IRPC saved on a regional edge port is greater than the IRPC saved on a non-regional edge port. |
| Designated switching device ID | Identifies the nearest upstream bridge on the path from the local bridge to the regional root. If the local bridge is the root or the regional root, this ID is the local bridge ID. |
| Designated port ID | Identifies the port on the designated switching device connected to the root port on the local bridge. The port ID consists of the priority value (4 bits) and port number (12 bits). The priority value must be a multiple of 16. |
| Receiving port ID | Identifies the port receiving the BPDU. The port ID consists of the priority value (4 bits) and port number (12 bits). The priority value must be a multiple of 16. |

● The vectors are compared as follows:


For a vector, the smaller the priority value, the higher the priority.
If the priority of a vector carried in the configuration message of a BPDU
received by a port is higher than that in the configuration message saved on
the port, the port replaces the saved configuration message with the received
one. In addition, the port updates the global configuration message saved on
the device.
If the priority of a vector carried in the configuration message of a BPDU
received on a port is lower than that in the configuration message saved on
the port, the port discards the BPDU.
If the priority of a vector carried in the configuration message of a BPDU
received on a port is equal to that in the configuration message saved on the
port, the next vector is compared until one is found to be higher or lower. If
they are all equal, the port discards the BPDU.
Vectors are compared in the following order: root IDs, ERPCs, regional root
IDs, IRPCs, designated switching device IDs, designated port IDs, receiving port
IDs.
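The comparison rules above, as an added Python example (not code from this guide or from the device software): each vector is an ordered tuple, the first field that differs decides, and a port replaces its saved configuration message only when the received vector has higher priority, that is, a smaller value. The MAC addresses, priorities, and path costs are constructed sample values, and the helper names are hypothetical.

```python
from collections import namedtuple

# Fields in descending order of priority, left to right, as listed in the text.
CistVector = namedtuple("CistVector", [
    "root_id", "erpc", "regional_root_id", "irpc",
    "designated_bridge_id", "designated_port_id", "receiving_port_id"])
MstiVector = namedtuple("MstiVector", [
    "regional_root_id", "irpc",
    "designated_bridge_id", "designated_port_id", "receiving_port_id"])


def make_bridge_id(priority, mac):
    """Pack the priority value (16 bits) and MAC address (48 bits)."""
    digits = mac.replace(":", "").replace("-", "")
    if not 0 <= priority <= 0xFFFF or len(digits) != 12:
        raise ValueError("priority must fit 16 bits and MAC must be 48 bits")
    return (priority << 48) | int(digits, 16)


def make_port_id(priority, number):
    """Pack the port priority (4 bits, multiple of 16) and port number (12 bits)."""
    if priority % 16 or not 0 <= priority <= 240:
        raise ValueError("port priority must be a multiple of 16 in 0..240")
    if not 0 <= number <= 0xFFF:
        raise ValueError("port number must fit 12 bits")
    return ((priority // 16) << 12) | number


def compare(received, saved):
    """Return (verdict, deciding field); a smaller value means higher priority."""
    if type(received) is not type(saved):
        raise TypeError("cannot compare a CIST vector with an MSTI vector")
    for name, rx, old in zip(type(received)._fields, received, saved):
        if rx != old:
            return ("superior" if rx < old else "inferior"), name
    return "equal", None


class Port:
    """Holds the configuration message currently saved on one port."""

    def __init__(self, saved):
        self.saved = saved

    def receive(self, vector):
        """Replace the saved message if the received one is superior, else discard."""
        verdict, field = compare(vector, self.saved)
        if verdict == "superior":
            self.saved = vector
            return "replace", field
        return "discard", field   # inferior, or equal in every field


def demo():
    """Constructed BPDUs arriving on one port; returns the decision for each."""
    local = make_bridge_id(32768, "00:00:5e:00:53:0a")
    neighbor = make_bridge_id(32768, "00:00:5e:00:53:0b")
    better_root = make_bridge_id(4096, "00:00:5e:00:53:01")
    rx_port = make_port_id(128, 1)
    port = Port(CistVector(local, 0, local, 0, local, rx_port, rx_port))
    near = CistVector(better_root, 20000, neighbor, 0, neighbor,
                      make_port_id(128, 7), rx_port)
    far = near._replace(erpc=40000)
    return [port.receive(near), port.receive(far), port.receive(near)]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```
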

CIST Calculation
After completing the configuration message comparison, the switching device with
the highest priority on the entire network is selected as the CIST root. MSTP
calculates an IST for each MST region, and calculates a CST to interconnect MST
regions. On the CST, each MST region is considered a switching device. The CST
and ISTs constitute a CIST for the entire network.


MSTI Calculation
In an MST region, MSTP calculates an MSTI for each VLAN based on mappings
between VLANs and MSTIs. Each MSTI is calculated independently. The calculation
process is similar to the process in which STP calculates a spanning tree. For
details, see 9.2.4 STP Topology Calculation.
MSTIs have the following characteristics:
● The spanning tree is calculated independently for each MSTI, and spanning
trees of MSTIs are independent of each other.
● Spanning trees of MSTIs can have different roots and topologies.
● Each MSTI sends BPDUs in its spanning tree.
● The topology of each MSTI is configured by commands.
● A port can be configured with different parameters for different MSTIs.
● A port can play different roles or have different states in different MSTIs.
On an MSTP-aware network, a VLAN packet is forwarded along the following
paths:
● Along an MSTI (in an MST region)
● Along a CST (between MST regions)

MSTP Response to Topology Changes


MSTP topology changes are processed in the manner similar to that in RSTP. For
details about how RSTP processes topology changes, see 9.2.6 Technical Details
of RSTP.

10.2.5 MSTP Fast Convergence


MSTP supports both ordinary and enhanced Proposal/Agreement (P/A)
mechanisms:
● Ordinary P/A
The ordinary P/A mechanism supported by MSTP is implemented in the same
manner as that supported by RSTP. For details about the P/A mechanism
supported by RSTP, see 9.2.6 Technical Details of RSTP.
● Enhanced P/A


Figure 10-10 Enhanced P/A mechanism

[Figure: message sequence between an upstream device (designated port) and a downstream device (root port). The upstream device sends a proposal so that the port can rapidly enter the Forwarding state; the root port blocks all the other non-edge ports; the upstream device sends an agreement; the root port enters the Forwarding state; the downstream device sends an agreement; the designated port enters the Forwarding state.]

As shown in Figure 10-10, in MSTP, the P/A mechanism works as follows:


a. The upstream device sends a proposal to the downstream device,
indicating that the port connecting to the downstream device wants to
enter the Forwarding state as soon as possible. After receiving this BPDU,
the downstream device sets the port connected to the upstream device as
a root port and blocks all non-edge ports.
b. The upstream device sends an agreement. After receiving this BPDU, the
root port enters the Forwarding state.
c. The downstream device replies with an agreement. After receiving this
BPDU, the upstream device sets the port connected to the downstream
device as a designated port, and the designated port transitions to the
Forwarding state.

By default, Huawei network devices use the fast transition mechanism in
enhanced mode. To enable a Huawei network device to communicate with a
third-party device that uses the fast transition mechanism in common mode,
configure the Proposal/Agreement mechanism on the Huawei network device so
that it works in common mode.

10.2.6 MSTP Multi-Process

Background
The following describes the network shown in Figure 10-11:

● UPEs are deployed at the aggregation layer and are running MSTP.
● UPE1 and UPE2 are connected by a Layer 2 link.
● Multiple rings are connected to UPE1 and UPE2 through different ports.
● Switching devices on the rings reside at the access layer and are running STP
or RSTP. In addition, UPE1 and UPE2 work for different carriers, so they need
to reside on different spanning trees whose topology changes do not affect
each other.

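Figure 10-11 Application with both MSTP and STP/RSTP

[Figure: three-layer network. Core: MPLS/IP core with UPE4 and UPE3. Aggregation: UPE1 and UPE2 running MSTP. Access: switching devices S1, S2, S3, and S4 running STP/RSTP on rings connected to UPE1 and UPE2.]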

On the network shown in Figure 10-11, switching devices and UPEs construct
multiple Layer 2 rings. STP must be enabled on these rings to prevent loops. UPE1
and UPE2 are connected to multiple access rings that are independent of each
other. The spanning tree protocol cannot calculate a single spanning tree for all
switching devices. Instead, the spanning tree protocol must be enabled on each
ring to calculate a separate spanning tree.

MSTP supports MSTIs, but these MSTIs must belong to one MST region in which
devices must have the same configurations. If the devices belong to different
regions, MSTP calculates the spanning tree based on only one instance. Assume
that devices on the network belong to different regions, and only one spanning
tree is calculated in one instance. In this case, the status change of any device on
the network affects the stability of the entire network. On the network shown in
Figure 10-11, the switching devices connected to UPEs support only STP or RSTP
but not MSTP. When MSTP-enabled UPEs receive RST BPDUs from the switching
devices, the UPEs consider that they and switching devices belong to different
regions. As a result, only one spanning tree is calculated for the rings composed of
UPEs and switching devices, and the rings affect each other.


To prevent this problem, MSTP multi-process is introduced. MSTP multi-process is
an enhancement to MSTP, allowing ports on switching devices to be bound to
different processes. MSTP calculation is performed based on processes. In this
manner, only ports that are bound to a process participate in the MSTP calculation
for this process. With MSTP multi-process, spanning trees of different processes
are calculated independently and do not affect each other. The network shown in
Figure 10-11 can be divided into multiple MSTP processes by using MSTP multi-
process. Each process controls a ring composed of switching devices. The MSTP
processes have the same functions and support MSTIs. The MSTP calculation for
one process does not affect the MSTP calculation for another process.

NOTE

In addition to applying to MSTP, MSTP multi-process also applies to RSTP and STP.

Purpose
On the network shown in Figure 10-11, MSTP multi-process is configured to
implement the following:
● Allows STP to work under far more networking conditions.
To help a network running different spanning tree protocols run properly, you
can bind different spanning tree protocols to different processes. In this
manner, every process calculates a separate spanning tree.
● Improves the networking reliability. For a network composed of many Layer 2
access devices, using MSTP multi-process reduces the adverse effect of a
single node failure on the entire network.
The topology is calculated for each process. If a device fails, only the topology
corresponding to the process to which the device belongs changes.
● Reduces the network administrator workload during network expansion,
facilitating operations and maintenance (O&M).
To expand a network, all you need to do is configure new processes, connect
the processes to the existing network, and keep the existing MSTP processes
unchanged. If device expansion is performed in a process, only this process
needs to be modified.
● Implements separate Layer 2 port management
An MSTP process manages parts of ports on a device. Layer 2 ports on a
device are separately managed by multiple MSTP processes.

Implementation
● Public link status
On the network shown in Figure 10-11, the public link between UPE1 and
UPE2 is a Layer 2 link running MSTP and is different from the links
connecting switching devices to UPEs. This difference lies in the fact that ports
on the links connecting switching devices to UPEs only participate in the
calculation for a single access ring and a single MSTP process. The ports on
the public link, on the other hand, need to participate in the calculation for
multiple access rings and MSTP processes. Therefore, the UPEs must identify
the process from which MST BPDUs are sent.


A port on the public link participates in the calculation for multiple MSTP
processes, and obtains different states. As a result, the port cannot determine
its state.
To prevent these problems from occurring, it is defined that a port on a public
link always adopts its state in MSTP process 0 when participating in the
calculation for multiple MSTP processes.
NOTE

After a device starts, MSTP process 0 exists by default, and MSTP configurations in the
system view and interface view belong to this process.
The device is incompatible with non-standard STP, RSTP, and MSTP, for example,
PVST+. It transparently forwards PVST+ packets in a VLAN as common data packets.
● Reliability
On the network shown in Figure 10-12, after the topology of a ring changes,
the MSTP multi-process mechanism helps UPEs flood a topology change (TC)
packet to all devices on the ring and prevent the TC packet from being
flooded to devices on the other ring. UPE1 and UPE2 update MAC address
and ARP entries on the ports corresponding to the changed spanning tree.


Figure 10-12 MSTP multi-process topology change

[Figure: three-layer network. Core: MPLS/IP core with UPE4 and UPE3. Aggregation: UPE1 and UPE2 running MSTP. Access: S1, S2, S3, and S4 running STP/RSTP. Legend: topology change; flood for STP/RSTP TC in access layer; flood for STP/RSTP TC in aggregation layer.]

On the network shown in Figure 10-13, if the public link between UPE1 and
UPE2 fails, multiple switching devices that are connected to the UPEs will
unblock their blocked ports.


Figure 10-13 Public link fault

[Figure: three-layer network. Core: MPLS/IP core with UPE4 and UPE3. Aggregation: UPE1 and UPE2 running MSTP. Access: S1, S2, S3, and S4 running STP/RSTP.]

Assume that UPE1 is configured with the highest priority, UPE2 with the
second highest priority, and switching devices with default or lower priorities.
After the link between UPE1 and UPE2 fails, the blocked ports on switching
devices no longer receive packets of higher priorities. For this reason, these
ports re-perform state machine calculation. If the calculation changes the
blocked ports to designated ports, a permanent loop occurs, as shown in
Figure 10-14.


Figure 10-14 Loop between access rings

[Figure: three-layer network. Core: MPLS/IP core with UPE4 and UPE3. Aggregation: UPE1 and UPE2 running MSTP. Access: S1, S2, S3, and S4 running STP/RSTP. Legend: topology change; flood for STP/RSTP TC in access layer; flood for STP/RSTP TC in aggregation layer.]

● Solutions
To prevent a loop between access rings, use either of the following solutions:
– Configure an Eth-Trunk between UPE1 and UPE2.
An Eth-Trunk is used as the public link between UPE1 and UPE2 to
improve link reliability, as shown in Figure 10-15.


Figure 10-15 Eth-Trunk

[Figure: three-layer network. Core: MPLS/IP core with UPE4 and UPE3. Aggregation: UPE1 and UPE2 running MSTP, connected by an Eth-Trunk. Access: S1, S2, S3, and S4 running STP/RSTP.]

– Configure root protection between UPE1 and UPE2.


If all physical links between UPE1 and UPE2 fail, configuring an Eth-Trunk
cannot prevent the loop. In this case, root protection can be configured to
prevent the loop shown in Figure 10-14.


Figure 10-16 MSTP multi-process with root protection

[Figure: three-layer network. Core: MPLS/IP core with UPE4 and UPE3. Aggregation: UPE1 and UPE2 running MSTP, with root protection marked at UPE2. Access: S1, S2, S3, and S4 running STP/RSTP.]

On the light blue ring shown in Figure 10-16, UPE1 is configured with
the highest priority, UPE2 with the second highest priority, and switching
devices with default or lower priorities. In addition, root protection is
enabled on UPE2.
Assume that a port on S1 is blocked. When the public link between UPE1
and UPE2 fails, the blocked port on S1 begins to calculate the state
machine because it no longer receives BPDUs of higher priorities. After
the calculation, the blocked port becomes the designated port and
performs P/A negotiation with the downstream device.
After S1, which is directly connected to UPE2, sends BPDUs of higher
priorities to the UPE2 port enabled with root protection, the port is
blocked. From then on, the port remains blocked because it continues
receiving BPDUs of higher priorities. In this manner, no loop will occur.


10.3 Application Scenarios for MSTP


Application of MSTP

Figure 10-17 Networking diagram for a typical MSTP application

[Figure: an MST region containing S1, S2, S3, and S4. Link labels: All VLANs; VLANs 10 & 20 (two links); VLANs 20 & 30 (two links); VLANs 20 & 40.]

MSTP allows packets in different VLANs to be forwarded by using different
spanning tree instances, as shown in Figure 10-17. The configurations are as
follows:

● All devices on the network belong to the same MST region.


● VLAN 10 packets are forwarded within MSTI 1; VLAN 30 packets are
forwarded within MSTI 3; VLAN 40 packets are forwarded within MSTI 4;
VLAN 20 packets are forwarded within MSTI 0.

In Figure 10-17, S1 and S2 are devices at the aggregation layer; S3 and S4 are
devices at the access layer. Traffic from VLAN 10 and VLAN 30 is terminated by
aggregation devices, and traffic from VLAN 40 is terminated by access devices.
Therefore, S1 and S2 can be configured as the roots of MSTI 1 and MSTI 3, and S3
can be configured as the root of MSTI 4.

Application of MSTP Multi-process


On the network shown in Figure 10-18, the UPEs are connected to each other
through Layer 2 links and enabled with MSTP. The rings connected to the UPEs
must be independent of each other. The devices on the rings connected to the
UPEs support only RSTP, not MSTP.

After MSTP multi-process is enabled, each MSTP process corresponds to a ring
connected to the UPE. The spanning tree protocol on each ring calculates a tree
independently.


Figure 10-18 Application with both MSTP and STP/RSTP

[Figure: three-layer network. Core: MPLS/IP core with UPE4 and UPE3. Aggregation: UPE1 and UPE2 running MSTP. Access: S1, S2, S3, and S4 running STP/RSTP.]

10.4 Summary of MSTP Configuration Tasks


Table 10-8 lists the MSTP configuration tasks.


Table 10-8 MSTP configuration tasks

Item: Configuring Basic MSTP Functions
Description: MSTP is configured on switching devices to trim a ring network to a
loop-free network. Devices start spanning tree calculation after the working mode
is set and MSTP is enabled. Use any of the following methods if you need to
intervene in the spanning tree calculation:
● Manually configure the root bridge and secondary root bridge.
● Set a priority for a switching device in an MSTI.
● Set the path cost for a port in an MSTI.
● Set a priority for a port in an MSTI.
Task: 10.7 Configuring Basic MSTP Functions

Item: Configuring MSTP Multi-Process
Description: On a network deployed with Layer 2 single-access rings and
multi-access rings, configure multiple MSTP processes so that spanning trees of
different processes are calculated independently and do not affect each other.
Task: 10.8 Configuring MSTP Multi-Process

Item: Configuring MSTP Parameters on an Interface
Description: Proper MSTP parameter settings achieve rapid convergence.
Task: 10.9 Configuring MSTP Parameters on an Interface

Item: Configuring MSTP Protection Functions
Description: One or more MSTP protection functions can be configured.
Task: 10.10 Configuring MSTP Protection Functions

Item: Configuring MSTP Interoperation Between Huawei Devices and Non-Huawei Devices
Description: To communicate with a non-Huawei device, set proper parameters on
the MSTP-enabled Huawei device.
Task: 10.11 Configuring MSTP Interoperation Between Huawei Devices and Non-Huawei Devices


10.5 Licensing Requirements and Limitations for MSTP

Involved Network Elements


Other network elements are not required.

Licensing Requirements
MSTP is a basic function of the switch, and as such is controlled by the license for
basic software functions. The license for basic software functions has been loaded
and activated before delivery. You do not need to manually activate it.

Version Requirements

Table 10-9 Products and minimum version supporting MSTP

Product                              Minimum Version Required
CE9860EI                             V200R020C00
CE8860EI                             V100R006C00
CE8861EI/CE8868EI                    V200R005C10
CE8850-32CQ-EI                       V200R002C50
CE8850-64CQ-EI                       V200R005C00
CE7850EI                             V100R003C00
CE7855EI                             V200R001C00
CE6810EI                             V100R003C00
CE6810-48S4Q-LI/CE6810-48S-LI        V100R003C10
CE6810-32T16S4Q-LI/CE6810-24S2Q-LI   V100R005C10
CE6850EI                             V100R001C00
CE6850-48S6Q-HI                      V100R005C00
CE6850-48T6Q-HI/CE6850U-HI/CE6851HI  V100R005C10
CE6855HI                             V200R001C00
CE6856HI                             V200R002C50
CE6857EI                             V200R005C10
CE6860EI                             V200R002C50
CE6865EI                             V200R005C00
CE6870-24S6CQ-EI                     V200R001C00
CE6870-48S6CQ-EI                     V200R001C00
CE6870-48T6CQ-EI                     V200R002C50
CE6875-48S4CQ-EI                     V200R003C00
CE6880EI                             V200R002C50
CE6881, CE6820, CE6863               V200R005C20
CE6881K                              V200R019C10
CE6881E                              V200R019C10
CE6863K                              V200R019C10
CE5810EI                             V100R002C00
CE5850EI                             V100R001C00
CE5850HI                             V100R003C00
CE5855EI                             V100R005C10
CE5880EI                             V200R005C10
CE5881                               V200R020C00

NOTE

For details about the mapping between software versions and switch models, see the
Hardware Query Tool.

Feature Limitations
● On networks that run STP, RSTP, MSTP, or VLAN-based Spanning Tree (VBST),
configure an optimal core switch as the root bridge to ensure stability of the
STP Layer 2 network. Otherwise, new access devices may trigger an STP root
bridge change, causing short service interruptions.
● When MSTP is enabled on a ring network, MSTP immediately starts spanning
tree calculation. Parameters such as the device priority and port priority affect
spanning tree calculation, and changing these parameters may cause network
flapping. To ensure fast and stable spanning tree calculation, perform basic
configurations on the switch and interfaces before enabling MSTP.
● When MSTP multi-instance is configured, more MSTIs indicate longer MSTP
BPDUs. MSTP BPDUs are sent independently in each MSTP process. When
MSTP multi-process is configured, the number of outgoing MSTP BPDUs
increases. When MSTP multi-instance and multi-process are configured, the
default CPCAR of STP cannot meet requirements. You need to increase the
default CPCAR of STP. If the default CPCAR of STP is not increased, MSTP
BPDUs may be discarded.
● BPDU protection takes effect for only the manually configured edge ports.
● Loop protection and root protection cannot be configured on the same
interface together.
● In versions earlier than V200R001C00, STP cannot be configured on a user-
side interface of a VXLAN tunnel. Starting from V200R001C00, STP can be
configured on a user-side interface of a VXLAN tunnel that accesses the
VXLAN as a VLAN. In V200R002C50 and later versions, STP can be configured
on a user-side interface of a VXLAN tunnel when the device is deployed to
provide VXLAN access through a Layer 2 sub-interface or to provide VLAN
access.
● For CE6870EI, in V200R001C00, the bpdu bridge enable command is not
supported on the VXLAN network. To enable BPDU packets to traverse the
VXLAN network, run the undo mac-address bpdu [ mac-address [ mac-
address-mask ] ] command in the system view. In this command, mac-address
specifies the MAC address of BPDU packets that need to traverse the VXLAN
network.
For CE switches excluding CE5880EI, CE6875EI, CE6880EI, CE6870EI in versions
earlier than V200R001C00, if the bpdu bridge enable command is configured
on an access-side port on the VXLAN network connected to an STP network,
BPDU packets cannot traverse the VXLAN network. This causes loops on the
STP network. In V200R001C00 and later versions, the bpdu bridge enable
command is not supported on the VXLAN network. If this command is
configured in a version earlier than V200R001C00, it will be deleted from the
device configurations after an upgrade to V200R001C00 or a later version. To
enable BPDU packets to traverse the VXLAN network, run the undo mac-
address bpdu [ mac-address [ mac-address-mask ] ] command in the system
view. In this command, mac-address specifies the MAC address of BPDU
packets that need to traverse the VXLAN network.

10.6 Default Settings for MSTP


Parameter                                  Default Setting
Working mode                               MSTP
MSTP status                                MSTP is enabled globally and on an interface.
Switching device priority                  32768
Port priority                              128
Algorithm used to calculate the path cost  dot1t (IEEE 802.1t)
Forward Delay Time                         1500 centiseconds
Hello Time                                 200 centiseconds
Max Age Time                               2000 centiseconds


10.7 Configuring Basic MSTP Functions


Context
MSTP divides a switching network into multiple regions, each of which has
multiple spanning trees that are independent of each other. MSTP isolates traffic
from different VLANs and load-balances VLAN traffic.

MSTP is configured on switching devices to trim a ring network into a loop-free
network. Devices start spanning tree calculation after the working mode is set and
MSTP is enabled. Use any of the following methods if you need to intervene in the
spanning tree calculation:

● Manually configure the root bridge and secondary root bridge.


● Set a priority for a switching device in an MSTI. The lower the numerical
value, the higher the priority of the switching device and the more likely the
switching device will become a root bridge.
● Set the path cost for a port in an MSTI. The lower the numerical value, the
smaller the cost of the path from the port to the root bridge and the more
likely the port will become a root port (assuming the same calculation
method is used).
● Set a priority for a port in an MSTI. The lower the numerical value, the more
likely the port will become a designated port.

10.7.1 Configuring the MSTP Mode

Context
Before configuring basic MSTP functions, set the working mode of a switching
device to MSTP. MSTP is compatible with STP and RSTP.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run stp mode mstp

The working mode of the switching device is set to MSTP. By default, the working
mode is MSTP.

MSTP can recognize RSTP BPDUs and, conversely, RSTP can recognize MSTP
BPDUs. However, MSTP and STP cannot recognize each other's BPDUs. To enable
devices running different spanning tree protocols to interwork with each other,
interfaces of an MSTP-enabled switch connected to devices running STP
automatically transition to STP mode; other interfaces continue to work in MSTP
mode.

Step 3 Run commit


The configuration is committed.

----End

10.7.2 Configuring an MST Region


Context
An MST region contains multiple directly connected switching devices and network
segments between these devices. These switching devices run MSTP and have the
same MST region name, VLAN-to-MSTI mapping table, and MSTP revision level.
One switching network can have multiple MST regions. You can group multiple
switching devices into one MST region using MSTP commands.

NOTE

Two switching devices belong to the same MST region when they have the same:
● MST region name
● VLAN-to-MSTI mapping
● Revision level of the MST region

Perform the following steps on a switching device that needs to join an MST
region.

Procedure
● Configure the name of an MST region.
a. Run system-view
The system view is displayed.
b. Run stp region-configuration
The MST region view is displayed.
c. Run region-name name
The name of an MST region is configured.
By default, the name of an MST region is the MAC address of the
management network interface on the MPU of the switching device.
d. (Optional) Run check region-configuration
The device is configured to check the MST region name.
e. Run commit
The configuration is committed.
● Configure the mapping between MSTIs and VLANs.
You can configure the mapping between MSTIs and VLANs in the MST region
view and VLAN instance view.
Configure the mapping between an MSTI and VLANs in the MST region view.
a. Run system-view
The system view is displayed.


b. Run stp region-configuration

The MST region view is displayed.


c. Run instance instance-id vlan { vlan-id1 [ to vlan-id2 ] }&<1-10>

The mapping between the MSTI and VLANs is configured.

By default, all VLANs in an MST region are mapped to MSTI 0.

NOTE

A VLAN can be mapped to only one MSTI. If you map a VLAN that has already
been mapped to an MSTI to another MSTI, the original mapping will be deleted.
d. (Optional) Run check region-configuration

The device is configured to check the mapping between the MSTI and
VLANs.
e. Run commit

The configuration is committed.

Configure the mapping between an MSTI and VLANs in the VLAN instance
view.

a. Run system-view

The system view is displayed.


b. Run vlan instance

The VLAN instance view is displayed.


c. Run instance instance-id vlan { vlan-id1 [ to vlan-id2 ] }&<1-10>

The mapping between VLANs and an MSTI is configured.

By default, all VLANs in the VLAN instance view are mapped to MSTI 0.

NOTE

The vlan instance and stp region-configuration commands cannot be used
together. If the mappings between VLANs and MSTIs have been configured by
the stp region-configuration command, you must delete the configured
mapping before using the vlan instance command.
d. (Optional) Run check vlan instance mapping

The configuration is checked.


e. Run commit

The configuration is committed.


● (Optional) Configure the revision level of the MST region.
a. Run system-view

The system view is displayed.


b. Run stp region-configuration

The MST region view is displayed.


c. Run revision-level level


The MSTP revision level of the MST region is configured.


By default, the revision level of an MST region is 0.
If the MSTP revision level of the MST region where a switching device
resides is not 0, perform this operation.
d. (Optional) Run check region-configuration
The device is configured to check the MSTP revision level of the MST
region.
e. Run commit
The configuration is committed.
----End
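
The following Python script is an added example, not part of the Huawei guide. It parses the MST region commands from the procedure above and groups switches by region name, revision level, and VLAN-to-MSTI mapping, so a switch that would fall outside the intended MST region is found before the configuration is committed. The switch names and mappings follow Figure 10-17; the region name RG1, the extra command on S4, and all function names are constructed for the example.

```python
import re
from collections import defaultdict

MAX_VLAN = 4094  # highest valid VLAN ID


def expand_vlans(spec):
    """Expand 'vlan-id1 [ to vlan-id2 ]' groups, e.g. '10 20 to 22' -> [10, 20, 21, 22]."""
    tokens = spec.split()
    vlans, i = [], 0
    while i < len(tokens):
        start = end = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            end = int(tokens[i + 2])
            i += 2
        i += 1
        if not 1 <= start <= end <= MAX_VLAN:
            raise ValueError(f"invalid VLAN range {start} to {end}")
        vlans.extend(range(start, end + 1))
    return vlans


def parse_region_config(text):
    """Return (region_name, revision_level, vlan_to_msti) for one switch.

    vlan_to_msti lists only VLANs moved out of MSTI 0; all others stay in MSTI 0.
    """
    name = None    # None: region-name never set, so the device default (a MAC) applies
    revision = 0   # default revision level
    vlan_to_msti = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"region-name\s+(\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.fullmatch(r"revision-level\s+(\d+)", line)
        if m:
            revision = int(m.group(1))
            continue
        m = re.fullmatch(r"instance\s+(\d+)\s+vlan\s+(.+)", line)
        if m:
            msti = int(m.group(1))
            for vlan in expand_vlans(m.group(2)):
                # A VLAN maps to one MSTI only: a later mapping replaces the earlier one.
                if msti == 0:
                    vlan_to_msti.pop(vlan, None)
                else:
                    vlan_to_msti[vlan] = msti
    return name, revision, vlan_to_msti


def diff_regions(text_a, text_b):
    """List the reasons two switches would not be in the same MST region."""
    name_a, rev_a, map_a = parse_region_config(text_a)
    name_b, rev_b, map_b = parse_region_config(text_b)
    reasons = []
    if name_a is None or name_b is None or name_a != name_b:
        reasons.append(f"region name: {name_a or 'device default'} vs {name_b or 'device default'}")
    if rev_a != rev_b:
        reasons.append(f"revision level: {rev_a} vs {rev_b}")
    for vlan in sorted(set(map_a) | set(map_b)):
        a, b = map_a.get(vlan, 0), map_b.get(vlan, 0)
        if a != b:
            reasons.append(f"VLAN {vlan}: MSTI {a} vs MSTI {b}")
    return reasons


def audit_regions(configs):
    """Group switch names by effective region identity; one group means one MST region."""
    groups = defaultdict(list)
    for switch, text in configs.items():
        name, revision, mapping = parse_region_config(text)
        # The default region name is device-specific, so it never matches a peer.
        region_name = name if name is not None else f"<default MAC of {switch}>"
        groups[(region_name, revision, tuple(sorted(mapping.items())))].append(switch)
    return sorted(sorted(g) for g in groups.values())


# Constructed sample input: region commands entered on each switch of Figure 10-17.
BASE = """system-view
stp region-configuration
region-name RG1
instance 1 vlan 10
instance 3 vlan 30
instance 4 vlan 40
commit"""
CONFIGS = {
    "S1": BASE, "S2": BASE, "S3": BASE,
    # S4 later remaps VLAN 40, which deletes its mapping to MSTI 4.
    "S4": BASE.replace("commit", "instance 3 vlan 40\ncommit"),
}

if __name__ == "__main__":
    print(audit_regions(CONFIGS))
    print(diff_regions(CONFIGS["S1"], CONFIGS["S4"]))
```

A switch that never sets region-name ends up in a group of its own, because its default region name is its own MAC address.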

10.7.3 (Optional) Configuring the Root Bridge and Secondary Root Bridge

Context
The root bridge can be calculated by MSTP or manually configured along with the
secondary root bridge. Manually configuring the root bridge and secondary root
bridge is recommended.
● A switch can function as a root bridge or a secondary root bridge of more
than one spanning tree. It can also function as the root bridge or secondary
root bridge of another spanning tree. However, in a particular spanning tree,
it cannot function as both the root bridge and secondary root bridge.
● In a spanning tree, there can only be one root bridge. When two or more root
bridges are specified in a spanning tree, the device with the smallest MAC
address is used as the root bridge.
● There can be multiple secondary root bridges in a spanning tree. If the root
bridge fails or is powered off and no new root bridge is specified, the
secondary root bridge with the smallest MAC address will become the root bridge
of the spanning tree.

NOTE

On networks that run STP/RSTP/MSTP/VBST, configure an optimal core switch as the root
bridge to ensure stability of the STP Layer 2 network. Otherwise, new access devices may
trigger STP root bridge switching, causing short service interruptions.

Procedure
● Perform the following operations on the device to be used as the root bridge.
a. Run system-view
The system view is displayed.
b. Run stp [ instance instance-id ] root primary
The device is configured as the root bridge.
By default, a switching device does not function as the root bridge. After
the configuration is complete, the priority value of the device is 0 and this
value cannot be changed.


If instance is not specified, the device in MSTI 0 is a root bridge.


c. Run commit
The configuration is committed.
● Perform the following operations on the device to be used as the secondary
root bridge.
a. Run system-view
The system view is displayed.
b. Run stp [ instance instance-id ] root secondary
The device is configured as the secondary root bridge.
By default, a switching device does not function as the secondary root
bridge. After the configuration is complete, the priority value of the
device is 4096 and this value cannot be changed.
If instance is not specified, the device in MSTI 0 is a secondary root
bridge.
c. Run commit
The configuration is committed.
----End

10.7.4 (Optional) Configuring a Priority for a Switching Device in an MSTI

Context
In an MSTI, there is only one root bridge, which is the logical center of the MSTI.
To ensure that a high-performance device is selected as the root bridge, set a low
priority (higher numerical value) for low-performance switching devices, and set a
high priority (lower numerical value) for high-performance switching devices.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp [ instance instance-id ] priority priority
A priority is set for the switching device in an MSTI.
The default priority value of the switching device is 32768.
If instance-id is not specified, a priority is set for the switching device in MSTI 0.

NOTE

If the stp [ instance instance-id ] root primary or stp [ instance instance-id ] root
secondary command has been executed to configure the device as the root bridge or
secondary root bridge, to change the device priority, run the undo stp [ instance instance-
id ] root command to disable the root bridge or secondary root bridge function and run the
stp [ instance instance-id ] priority priority command to set a priority.


Step 3 Run commit

The configuration is committed.

----End
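
The following Python script is an added example, not part of the Huawei guide. It predicts the root bridge of each MSTI from the stp root and stp priority commands described in 10.7.3 and 10.7.4, and reports the MSTIs whose root would move when a new access device joins. It assumes a single MST region in which every device takes part in every MSTI; the root placement follows Figure 10-17, while the MAC addresses, the device S5, and the function names are constructed.

```python
import re

DEFAULT_PRIORITY = 32768  # default switching device priority
ROOT_PRIMARY = 0          # priority value after "stp [ instance N ] root primary"
ROOT_SECONDARY = 4096     # priority value after "stp [ instance N ] root secondary"

STP_CMD = re.compile(
    r"stp(?:\s+instance\s+(\d+))?\s+(?:root\s+(primary|secondary)|priority\s+(\d+))"
)


def mac_value(mac):
    """Convert a MAC string such as 00e0-fc00-0011 to an integer for comparison."""
    return int(re.sub(r"[^0-9a-fA-F]", "", mac), 16)


def priorities(config):
    """Return {msti: priority} as set by the stp root/priority commands in config."""
    result = {}
    for line in config.splitlines():
        m = STP_CMD.fullmatch(line.strip())
        if not m:
            continue
        msti = int(m.group(1) or 0)  # no instance keyword means MSTI 0
        if m.group(2):
            result[msti] = ROOT_PRIMARY if m.group(2) == "primary" else ROOT_SECONDARY
        else:
            result[msti] = int(m.group(3))
    return result


def elect_root(bridges, msti, down=()):
    """Return the root of one MSTI: lowest priority value, then smallest MAC address.

    bridges: {name: (mac, config_text)}; down: names of devices that have failed.
    """
    candidates = []
    for name, (mac, config) in bridges.items():
        if name in down:
            continue
        prio = priorities(config).get(msti, DEFAULT_PRIORITY)
        candidates.append((prio, mac_value(mac), name))
    return min(candidates)[2]


def root_changes(bridges, newcomer, mstis):
    """Return the MSTIs whose root would move if newcomer (name, mac, config) joined."""
    name, mac, config = newcomer
    after = dict(bridges)
    after[name] = (mac, config)
    return [i for i in mstis if elect_root(after, i) != elect_root(bridges, i)]


# Constructed sample input: S1 and S2 are roots of MSTI 1 and MSTI 3, S3 is the
# root of MSTI 4, and nobody has configured a root for MSTI 0.
BRIDGES = {
    "S1": ("00e0-fc00-0011", "stp instance 1 root primary\nstp instance 3 root secondary"),
    "S2": ("00e0-fc00-0022", "stp instance 3 root primary\nstp instance 1 root secondary"),
    "S3": ("00e0-fc00-0033", "stp instance 4 root primary"),
    "S4": ("00e0-fc00-0044", ""),
}
# New access device with default settings and a smaller MAC address (constructed).
NEWCOMER = ("S5", "00e0-fc00-0005", "")

if __name__ == "__main__":
    for msti in (0, 1, 3, 4):
        print(f"MSTI {msti}: root {elect_root(BRIDGES, msti)}")
    print("MSTI 1 root if S1 fails:", elect_root(BRIDGES, 1, down={"S1"}))
    print("MSTIs whose root moves when S5 joins:", root_changes(BRIDGES, NEWCOMER, [0, 1, 3, 4]))
```

In this sample only MSTI 0, which still relies on default priorities, changes root when S5 is connected; adding stp root primary on the intended core switch removes that instance from the result.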

10.7.5 (Optional) Configuring a Path Cost of a Port in an MSTI


Context
A path cost is port-specific and is used by MSTP to select a link on which to
forward traffic.

Path costs of ports are an important metric used in spanning tree calculation and
determine root port selection in an MSTI. The port with the lowest path cost to
the root bridge is selected as the root port. Load balancing of VLAN traffic can be
achieved by setting different path costs for a port in different MSTIs.

If loops occur on a network, it is recommended that you set a large path cost for
ports with low link rates.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run stp pathcost-standard { dot1d-1998 | dot1t | legacy }

A path cost calculation method is configured.

By default, the IEEE 802.1t standard (dot1t) is used to calculate the path cost.

All switching devices on a network must use the same path cost calculation
method.

Step 3 Run interface interface-type interface-number

The Ethernet interface view is displayed.

Step 4 Run stp [ process process-id ] [ instance instance-id ] cost cost

A path cost is set for the port in the current MSTI.

● When the Huawei calculation method is used, cost ranges from 1 to 200000.
● When the IEEE 802.1d standard method is used, cost ranges from 1 to 65535.
● When the IEEE 802.1t standard method is used, cost ranges from 1 to
200000000.
● If an Eth-Trunk interface is specified as the member interface of an M-LAG
configured in V-STP mode, the path cost of the Eth-Trunk interface is fixed at
2000.

Step 5 Run commit

The configuration is committed.

----End


10.7.6 (Optional) Configuring a Port Priority in an MSTI

Context
During spanning tree calculation, port priorities in MSTIs determine which ports
are selected as designated ports and which ports are blocked. To specify a port as
blocked, set the port priority to a value greater than the default value.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number

The Ethernet interface view is displayed.

Step 3 Run stp instance instance-id port priority priority

A port priority is set in an MSTI.

By default, the port priority is 128.

The value range of the priority is from 0 to 240, in increments of 16.

Step 4 Run commit

The configuration is committed.

----End

10.7.7 Enabling MSTP

Context
MSTP must be enabled for basic MSTP functions to take effect.

Enabling MSTP immediately triggers spanning tree calculation on the network.
Therefore, before enabling MSTP, perform basic configurations on switching
devices to avoid network flapping, which may occur upon changes to parameters
such as device priority and interface priority.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run stp enable

MSTP is enabled on the switching device.

By default, the MSTP function is enabled on the device.


NOTE

After MSTP is enabled on a port, edge port detection is started automatically. If the port fails to
receive BPDU packets within (2 x Hello Timer + 1) seconds, the port is set to an edge port.
Otherwise, the port is set to a non-edge port.

Step 3 Run commit

The configuration is committed.

----End

Follow-up Procedure
If the topology of a spanning tree changes, the forwarding paths to associated
VLANs are changed. On the switching device, therefore, the ARP entries
corresponding to these VLANs need to be updated. MSTP processes ARP entries in
either fast or normal mode.

● In fast mode, ARP entries to be updated are directly deleted.


● In normal mode, ARP entries to be updated are rapidly aged.
The remaining lifetime of ARP entries to be updated is set to 0. The switching
device rapidly processes these aged entries. If the number of ARP aging probe
attempts is not set to 0, ARP implements aging probe for these ARP entries.

To specify which mode is used for STP/RSTP convergence, run the stp converge
{ fast | normal } command in the system view.

By default, the normal MSTP convergence mode is used. If fast mode is used, ARP
entries are frequently deleted. This causes high CPU usage on the device (reaching
100%) and results in frequent network flapping. Therefore, using normal mode is
recommended.

10.7.8 Verifying the Basic MSTP Configuration

Procedure
● Run the display stp [ process process-id ] [ instance instance-id ] [ interface
interface-type interface-number | slot slot-id ] [ brief ] command to view
spanning-tree status and statistics.
● Run the display stp region-configuration command to view configurations
of activated MST regions.
● Run the display stp region-configuration digest command to view the
digest configurations of activated MST regions.

----End

10.8 Configuring MSTP Multi-Process


On a network deployed with Layer 2 single-access rings and multi-access rings,
configure multiple MSTP processes so that spanning trees of different processes
are calculated independently and do not affect each other.


Pre-configuration Tasks
MSTP ensures that spanning trees in rings are calculated independently. After
MSTP multi-process is enabled, each MSTP process can manage certain ports on a
device. Each Layer 2 interface can be managed by multiple MSTP processes.
Before configuring MSTP multi-process, complete and activate the MST region
configuration.

10.8.1 Creating an MSTP Process


Context
A process ID uniquely identifies an MSTP process. After the ports on an MSTP-
enabled device are bound to different processes, the device performs MSTP
calculation based on processes, with only relevant ports in each process taking
part in MSTP calculation. To create an MSTP process, perform the following
procedure on the devices connected to access rings.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp process process-id
An MSTP process is created and the MSTP process view is displayed.
Step 3 Run stp mode mstp
A working mode is configured for the MSTP process.
The default mode is MSTP.

NOTE

● A default MSTP process with the ID 0 is established when a device starts. MSTP
configurations in the system view and interface view belong to this process. The default
working mode of this process is MSTP.
● To add an interface to an MSTP process whose ID is not 0, run the stp process
command and then the stp binding process command.

Step 4 Run commit


The configuration is committed.

----End

10.8.2 Adding an Interface to an MSTP Process


Context
After being added to MSTP processes, interfaces can participate in MSTP
calculation. Interfaces can be added to one of the following two types of link:
● The links connecting MSTP-enabled devices and access rings are called access
links.


● The link shared by multiple access rings is called a shared link. Interfaces on
this shared link participate in MSTP calculation in multiple access rings and
MSTP processes.

Procedure
● Adding an interface on an access link to an MSTP process
a. Run system-view

The system view is displayed.


b. Run interface interface-type interface-number

The Ethernet interface view is displayed.

The interface specified in this command must be the interface that
connects the device and the access ring.
c. Run stp binding process process-id

The interface is added to the specified MSTP process.


d. Run commit

The configuration is committed.


● Adding an interface on a shared link to an MSTP process
a. Run system-view

The system view is displayed.


b. Run interface interface-type interface-number

The view of the Ethernet interface that participates in spanning tree
calculation is displayed.

The interface specified in this command must be an interface on the
shared link between the devices configured with MSTP multi-process. It
cannot be an interface that connects an access ring and device.
c. Run stp binding process process-id1 [ to process-id2 ] link-share

The interface is added to multiple MSTP processes to complete MSTP
calculation.

NOTE

In an MSTP process where there are multiple shared links, run the stp enable
command in the MSTP multi-instance view. On an interface that is added to an
MSTP process in link-share mode, run the stp enable command in the interface
view.
d. Run commit

The configuration is committed.

----End


10.8.3 (Optional) Configuring the Root Bridge and Secondary Root Bridge

Context
The root bridge can be calculated by MSTP or manually configured along with the
secondary root bridge. Manually configuring the root bridge and secondary root
bridge is recommended.
● A switch can function as a root bridge or a secondary root bridge of more
than one spanning tree. However, in a particular spanning tree, it cannot
function as both the root bridge and secondary root bridge.
● In a spanning tree, there can only be one root bridge. When two or more root
bridges are specified in a spanning tree, the device with the smallest MAC
address is used as the root bridge.
● There can be multiple secondary root bridges in a spanning tree. If the root
bridge fails or is powered off and no new root bridge is specified, the
secondary root bridge with the smallest MAC address will become the root bridge
of the spanning tree.

NOTE

On networks that run STP/RSTP/MSTP/VBST, configure an optimal core switch as the root
bridge to ensure stability of the STP Layer 2 network. Otherwise, new access devices may
trigger STP root bridge switching, causing short service interruptions.

Procedure
● Perform the following operations on the device to be used as the root bridge.
a. Run system-view

The system view is displayed.


b. Run stp process process-id

The MSTP process view is displayed.


c. Run stp [ instance instance-id ] root primary

The device is configured as the root bridge.

By default, a switching device does not function as the root bridge. After
the configuration is complete, the priority value of the device is 0 and this
value cannot be changed.

If instance is not specified, the device in MSTI 0 is a root bridge.


d. Run commit

The configuration is committed.


● Perform the following operations on the device to be used as the secondary
root bridge.
a. Run system-view

The system view is displayed.


b. Run stp process process-id


The MSTP process view is displayed.


c. Run stp [ instance instance-id ] root secondary
The device is configured as the secondary root bridge.
By default, a switching device does not function as the secondary root
bridge. After the configuration is complete, the priority value of the
device is 4096 and this value cannot be changed.
If instance is not specified, the device in MSTI 0 is a secondary root
bridge.
d. Run commit
The configuration is committed.
----End

10.8.4 (Optional) Configuring a Priority for a Switching Device in an MSTI

Context
In an MSTI, there is only one root bridge, which is the logical center of the MSTI.
To ensure that a high-performance device is selected as the root bridge, set a low
priority (higher numerical value) for low-performance switching devices, and set a
high priority (lower numerical value) for high-performance switching devices.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp process process-id
The MSTP process view is displayed.
Step 3 Run stp [ instance instance-id ] priority priority
A priority is set for the switching device in an MSTI.
The default priority value of the switching device is 32768.
If instance is not specified, a priority is set for the switching device in MSTI 0.


NOTE

● To configure a switching device as the primary root bridge, run the stp [ instance
instance-id ] root primary command directly. The priority value of this switching device
is 0.
● To configure a switching device as the secondary root bridge, run the stp [ instance
instance-id ] root secondary command. The priority value of this switching device is
4096.
In an MSTI, a switching device cannot act as the primary root bridge and secondary root
bridge at the same time.
● If the stp [ instance instance-id ] root primary or stp [ instance instance-id ] root
secondary command has been executed to configure the device as the root bridge or
secondary root bridge, to change the device priority, run the undo stp [ instance
instance-id ] root command to disable the root bridge or secondary root bridge function
and run the stp [ instance instance-id ] priority priority command to set a priority.

Step 4 Run commit


The configuration is committed.

----End

10.8.5 (Optional) Configuring a Path Cost of a Port in an MSTI


Context
A path cost is port-specific and is used by MSTP to select a link on which to
forward traffic.
Path costs of ports are an important metric used in spanning tree calculation and
determine root port selection in an MSTI. The port with the lowest path cost to
the root bridge is selected as the root port. Load balancing of VLAN traffic can be
achieved by setting different path costs for a port in different MSTIs.
If loops occur on a network, it is recommended that you set a large path cost for
ports with low link rates. MSTP then blocks these ports.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp pathcost-standard { dot1d-1998 | dot1t | legacy }
A path cost calculation method is configured.
By default, the IEEE 802.1t standard (dot1t) is used to calculate the path cost.
All switching devices on a network must use the same path cost calculation
method.
Step 3 Run interface interface-type interface-number
The Ethernet interface view is displayed.
Step 4 Run stp binding process process-id
The port is bound to an MSTP process.


Step 5 Run stp [ process process-id ] instance instance-id cost cost

A path cost is set for the port in the current MSTI.

● When the Huawei calculation method is used, cost ranges from 1 to 200000.
● When the IEEE 802.1d standard method is used, cost ranges from 1 to 65535.
● When the IEEE 802.1t standard method is used, cost ranges from 1 to
200000000.
● If an Eth-Trunk interface is specified as the member interface of an M-LAG
configured in V-STP mode, the path cost of the Eth-Trunk interface is fixed at
2000.

Step 6 Run commit

The configuration is committed.

----End

10.8.6 (Optional) Configuring a Port Priority in an MSTI

Context
During spanning tree calculation, port priorities in MSTIs determine which ports
are selected as designated ports and which ports are blocked. To specify a port as
blocked, set the port priority to a value greater than the default value.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number

The Ethernet interface view is displayed.

Step 3 Run stp binding process process-id

The port is bound to an MSTP process.

Step 4 Run stp [ process process-id ] instance instance-id port priority priority

A port priority is set in an MSTI.

By default, the port priority is 128.

The value range of the priority is from 0 to 240, in increments of 16.

Step 5 Run commit

The configuration is committed.

----End


10.8.7 Configuring TC Notification in MSTP Multi-process


Context
After the TC notification function is configured for MSTP multi-process, an MSTP
process can notify the MSTIs in other specified MSTP processes to update MAC
address entries and ARP entries after receiving a TC-BPDU. This ensures service
continuity. To configure the TC notification function for MSTP multi-process,
perform the following procedure on the devices connected to access rings.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp process process-id
The view of a created MSTP process is displayed.
Step 3 Run stp tc-notify process 0
TC notification is enabled in the MSTP process.
After the stp tc-notify process 0 command is run, the current MSTP process
notifies the MSTIs in MSTP process 0 to update MAC entries and ARP entries after
receiving a TC-BPDU. This prevents services from being interrupted.
Step 4 Run commit
The configuration is committed.

----End

10.8.8 Enabling MSTP


Context
After MSTP multi-process is enabled on the switching device, you must enable
MSTP in the MSTP process view so that the MSTP configuration can take effect in
the MSTP process.
Enabling MSTP immediately triggers spanning tree calculation on the network.
Therefore, before enabling MSTP, perform basic configurations on switching
devices to avoid network flapping, which may occur upon changes to parameters
such as device priority and interface priority.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp process process-id
The view of a created MSTP process is displayed.


Step 3 Run stp enable


MSTP is enabled in the MSTP process.
By default, MSTP is disabled in an MSTP process.
Step 4 Run commit
The configuration is committed.

----End

10.8.9 Verifying the MSTP Multi-Process Configuration


Procedure
● Run the display stp [ process process-id ] [ instance instance-id ] [ interface
interface-type interface-number | slot slot-id ] [ brief ] command to view
spanning-tree status and statistics.
----End

10.9 Configuring MSTP Parameters on an Interface


Pre-configuration Tasks
Before configuring MSTP parameters that affect route convergence, configure
MSTP or MSTP multi-process.

10.9.1 Setting the MSTP Network Diameter


Context
Any two terminals on a switching network are connected through a specific path
along multiple devices. The network diameter is the maximum number of devices
between any two terminals.
An improper network diameter may cause slow network convergence and affect
communication on the network. To speed up convergence, run the stp bridge-
diameter command to set an appropriate network diameter based on the
network scale. Running this command also allows the switch to calculate the
optimal Forward Delay timer value, Hello timer value, and Max Age timer value
based on the configured network diameter.
It is recommended that all devices be configured with the same network diameter.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Run stp process process-id
The MSTP process view is displayed.


NOTE

Skip this step if you perform configurations in the MSTP process 0.

Step 3 Run stp bridge-diameter diameter

The network diameter is configured.

By default, the network diameter is 7.

● RSTP uses a single spanning tree instance on the entire network. As a result,
performance deterioration cannot be prevented when the network scale
grows. Therefore, the network diameter cannot be larger than 7.
● It is recommended that you run the stp bridge-diameter diameter command
to set the network diameter. The switching device then calculates the optimal
Forward Delay timer value, Hello timer value, and Max Age timer value based
on the configured network diameter.

Step 4 Run commit

The configuration is committed.

----End

10.9.2 Setting the MSTP Timeout Interval

Context
If a device does not receive any BPDUs from the upstream device within the
timeout interval, the device considers the upstream device to have failed and
recalculates the spanning tree.

Sometimes, a device cannot receive the BPDU from the upstream device within
the timeout interval because the upstream device is temporarily busy. In this case,
recalculating the spanning tree will waste network resources. This can be avoided
by increasing the timeout interval. However, only set a long timeout interval if the
network is relatively stable.

The timeout interval is calculated as follows:

Timeout interval = Hello Time x 3 x Timer Factor

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 (Optional) Run stp process process-id

The MSTP process view is displayed.

NOTE

Skip this step if you perform configurations in the MSTP process 0.

Step 3 Run stp timer-factor factor


The timeout interval is set, specifying how long the device waits for BPDUs from
the upstream device.

By default, the timeout interval is 9 times the Hello timer value.

Step 4 Run commit

The configuration is committed.

----End

10.9.3 Setting the Values of MSTP Timers

Context
There are three timers used in spanning tree calculation: Forward Delay, Hello
Time, and Max Age. These timers can be configured to affect STP convergence.
However, you are not advised to directly change these timers. Instead, it is
recommended that you set the network diameter so that the spanning tree
protocol automatically adjusts these timers in accordance with the network scale.

The following timers are used in spanning tree calculation:


● Forward Delay: specifies the delay before a state transition. After the topology
of a ring network changes, it takes some time for the new configuration
BPDU to spread throughout the entire network. As a result, the original
blocked port may be unblocked before a new port is blocked, creating a loop
on the network. The purpose of the Forward Delay timer is to prevent loops.
When the topology changes, all ports will be temporarily blocked during the
Forward Delay.
● Hello Time: specifies the interval at which hello packets are sent. A device
sends configuration BPDUs at the specified interval to detect link failures. If
the switching device does not receive any BPDUs within an interval of Hello
Time x 3 x Timer Factor, the device recalculates the spanning tree.
● Max Age: determines whether a BPDU has timed out. A device determines
that a received configuration BPDU times out when the Max Age expires.

Devices on a ring network must use the same values of Forward Delay, Hello
Time, and Max Age.

NOTICE

To prevent frequent network flapping, make sure that the Hello Time, Forward
Delay, and Max Age timer values conform to the following formulas:
● 2 x (Forward Delay - 1.0 second) ≥ Max Age
● Max Age ≥ 2 x (Hello Time + 1.0 second)
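
The two formulas above and the timeout formula from 10.9.2 can be checked against a planned change before it is committed. The following is an added example, not part of the Huawei guide: it parses the `stp timer` and `stp timer-factor` lines of one MSTP process from a constructed snippet, and it assumes a default timer factor of 3, derived from the stated default timeout of 9 times the Hello timer value.

```python
import re

# Defaults stated in this guide, in centiseconds. The default timer factor of 3
# is an assumption derived from "the timeout interval is 9 times the Hello
# timer value" and Timeout interval = Hello Time x 3 x Timer Factor.
DEFAULTS = {"forward-delay": 1500, "hello": 200, "max-age": 2000, "timer-factor": 3}

TIMER_RE = re.compile(r"^stp timer (forward-delay|hello|max-age) (\d+)$")
FACTOR_RE = re.compile(r"^stp timer-factor (\d+)$")

# Constructed sample: a planned timer change for a single MSTP process.
SAMPLE_CONFIG = """
stp timer forward-delay 1000
stp timer hello 400
stp timer max-age 2000
stp timer-factor 5
"""


def parse_timers(config_text):
    """Return the effective timer values; unset timers keep their defaults."""
    timers = dict(DEFAULTS)
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise indentation and spacing
        match = TIMER_RE.match(line)
        if match:
            timers[match.group(1)] = int(match.group(2))  # last line wins
            continue
        match = FACTOR_RE.match(line)
        if match:
            timers["timer-factor"] = int(match.group(1))
    return timers


def check_timers(timers):
    """Check both NOTICE formulas; 1.0 second is 100 centiseconds."""
    fd, hello, max_age = timers["forward-delay"], timers["hello"], timers["max-age"]
    violations = []
    if 2 * (fd - 100) < max_age:
        min_fd = -(-max_age // 2) + 100  # smallest Forward Delay that satisfies it
        violations.append(
            f"Forward Delay {fd} cs is too small for Max Age {max_age} cs "
            f"(need at least {min_fd} cs)"
        )
    if max_age < 2 * (hello + 100):
        violations.append(
            f"Max Age {max_age} cs is too small for Hello Time {hello} cs "
            f"(need at least {2 * (hello + 100)} cs)"
        )
    return violations


def timeout_cs(timers):
    """Timeout interval = Hello Time x 3 x Timer Factor, in centiseconds."""
    return timers["hello"] * 3 * timers["timer-factor"]


if __name__ == "__main__":
    planned = parse_timers(SAMPLE_CONFIG)
    print("effective timers:", planned)
    print("timeout interval:", timeout_cs(planned) / 100, "seconds")
    for problem in check_timers(planned) or ["timer formulas satisfied"]:
        print(problem)
```
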

Procedure
Step 1 Run system-view

The system view is displayed.


Step 2 (Optional) Run stp process process-id


The MSTP process view is displayed.

NOTE

Skip this step if you perform configurations in the MSTP process 0.

Step 3 Set Forward Delay, Hello Time, and Max Age.


1. Run stp timer forward-delay forward-delay
The value of Forward Delay of the switching device is set.
By default, the value of Forward Delay of the switching device is 1500
centiseconds.
2. Run stp timer hello hello-time
The value of Hello Time of the switching device is set.
By default, the value of Hello Time of the switching device is 200
centiseconds.
3. Run stp timer max-age max-age
The value of Max Age of the switching device is set.
By default, the value of Max Age of the switching device is 2000 centiseconds.
Step 4 Run commit
The configuration is committed.

----End

10.9.4 Configuring the Maximum Number of Connections in an Eth-Trunk that Affects Spanning Tree Calculation

Context
Path costs are a major factor in spanning tree calculation and changing path costs
triggers spanning tree recalculation. The path cost of an interface is affected by its
bandwidth, so you can change the interface bandwidth to affect spanning tree
calculation.
In Figure 10-19, SwitchA and SwitchB are connected through two Eth-Trunk links.
Eth-Trunk 1 has three member interfaces in Up state and Eth-Trunk 2 has two
member interfaces in Up state. Each member link has the same bandwidth, and
SwitchA is selected as the root bridge.
● Eth-Trunk 1 has higher bandwidth than Eth-Trunk 2. After STP calculation,
Eth-Trunk 1 on SwitchB is selected as the root port and Eth-Trunk 2 is selected
as the alternate port.
● If the maximum number of connections affecting bandwidth of Eth-Trunk 1 is
set to 1, the path cost of Eth-Trunk 1 is larger than the path cost of Eth-Trunk
2. Therefore, after the two devices perform spanning tree recalculation, Eth-
Trunk 1 on SwitchB becomes the alternate port and Eth-Trunk 2 becomes the
root port.


Figure 10-19 Configuring the maximum number of connections in an Eth-Trunk
[Figure: SwitchA (root bridge) and SwitchB connected by Eth-Trunk1 and Eth-Trunk2, shown before and after configuration. Legend: alternate port, root port, designated port.]

The maximum number of connections affects only the path cost of an Eth-Trunk
interface participating in spanning tree calculation, and does not affect the actual
bandwidth of the Eth-Trunk link. The actual bandwidth for an Eth-Trunk link
depends on the number of active member interfaces in the Eth-Trunk.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
Step 3 Run max bandwidth-affected-linknumber link-number
The maximum number of connections affecting the Eth-Trunk bandwidth is set.
By default, the upper threshold for the number of interfaces that determine the
bandwidth of an Eth-Trunk is 8 on the CE5810EI, 64 on CE6880EI and CE5880EI,
and 16 on other models (excluding the CE6870EI and CE6875EI). For the CE6870EI
and CE6875EI, the upper threshold for the number of interfaces that determine
the bandwidth of an Eth-Trunk depends on the maximum number of configured
LAGs. In an SVF system, the maximum number of connections affecting the
bandwidth of an Eth-Trunk is 8.
Step 4 Run commit
The configuration is committed.

----End


10.9.5 Setting the Link Type of a Port


Context
Rapid convergence can be achieved on a P2P link. That is, if the two ports
connected to a P2P link are root or designated ports, the ports can transit to the
forwarding state quickly by sending Proposal and Agreement packets. This reduces
the forwarding delay.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The view of the Ethernet interface participating in STP calculation is displayed.
Step 3 Run stp point-to-point { auto | force-false | force-true }
The link type is configured for the interface.
By default, an interface automatically determines whether to connect to a P2P
link. The P2P link supports rapid network convergence.
Step 4 Run commit
The configuration is committed.

----End

10.9.6 Setting the Maximum Transmission Rate of an Interface


Context
A larger value of packet-number indicates more BPDUs sent within a hello
interval and therefore more system resources occupied. Setting an appropriate
value of packet-number prevents excess bandwidth usage when route flapping
occurs.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The view of the Ethernet interface that participates in spanning tree calculation is
displayed.
Step 3 Run stp transmit-limit packet-number
The maximum number of BPDUs sent by a port in a specified period is set.
By default, the maximum transmission rate of BPDUs on an interface is the value
configured by the stp transmit-limit (system view) command. If the stp
transmit-limit (system view) command is not configured, an interface sends a
maximum of six BPDUs per Hello Time interval.

NOTE

If the same maximum transmission rate of BPDUs needs to be set for each interface on a
device, run the stp transmit-limit (system view) command. The stp transmit-limit
(interface view) command takes precedence over the stp transmit-limit (system view)
command. If the stp transmit-limit (interface view) command is configured on an
interface, the stp transmit-limit (system view) command does not take effect on that
interface.

Step 4 Run commit


The configuration is committed.

----End

10.9.7 Changing to the MSTP Mode


Context
If an interface on an MSTP-enabled device is connected to an STP-enabled device,
the interface changes to the STP-compatible mode.
If the STP-enabled device is changed to MSTP mode, or if it is powered off or
disconnected from the MSTP-enabled device, the interface will not automatically
change to MSTP mode. In this case, use the stp mcheck command to configure
the interface to change to the MSTP mode.

Procedure
● Changing to the MSTP mode in the interface view
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The view of the Ethernet interface that participates in spanning tree
calculation is displayed.
c. Run stp mcheck
The device is changed to the MSTP mode.
d. Run commit
The configuration is committed.
● Changing to the MSTP mode in the system view
a. Run system-view
The system view is displayed.
b. (Optional) Run stp process process-id
The MSTP process view is displayed.

NOTE

Skip this step if you perform configurations in the MSTP process 0.


c. Run stp mcheck


The device is changed to the MSTP mode.
d. Run commit
The configuration is committed.
----End

10.9.8 Configuring a Port as an Edge Port and BPDU Filter Port

Context
If a designated port is located at the edge of a network and is directly connected
to terminal devices, this port is called an edge port.
An edge port does not receive or process configuration BPDUs and does not
participate in MSTP calculation. It can transit from Disable to Forwarding without
any delay.
After a designated port is configured as an edge port, the port can still send
BPDUs. Then BPDUs are sent to other networks, causing flapping on other
networks. To prevent a port from processing and sending BPDUs, after configuring
the port as an edge port, configure it as a BPDU filter port.

NOTICE

After all ports are configured as edge ports and BPDU filter ports in the system
view, the ports do not send BPDUs or negotiate the STP status with directly
connected ports on the peer device. All ports are in Forwarding state, which may
cause loops on the network and lead to broadcast storms. Exercise caution when
you configure a port as an edge port and BPDU filter port.
After a port is configured as an edge port and BPDU filter port in the interface
view, the port does not process or send BPDUs. The port cannot negotiate the STP
status with the directly connected port on the peer device. Exercise caution when
you configure a port as an edge port and BPDU filter port.

Procedure
● Configuring all ports as edge ports and BPDU filter ports in the system view
a. Run system-view
The system view is displayed.
b. Run stp edged-port default
All ports are configured as edge ports.
By default, all ports are non-edge ports.
c. Run stp bpdu-filter default
All ports are configured as BPDU filter ports.


By default, a port is a non-BPDU filter port.


d. Run commit

The configuration is committed.


● Configuring a port as an edge port and BPDU filter port in the interface view
a. Run system-view

The system view is displayed.


b. Run interface interface-type interface-number

The view of the Ethernet interface that participates in spanning tree
calculation is displayed.
c. (Optional) Run stp edged-port enable

The port is configured as an edge port.

By default, all ports are non-edge ports.


d. Run stp bpdu-filter enable

The port is configured as a BPDU filter port.

By default, a port is a non-BPDU filter port.


e. Run commit

The configuration is committed.

----End

10.9.9 Setting the Maximum Number of Hops in an MST Region

Context
To communicate with each other on a Layer 2 network running MSTP, switching
devices exchange MST BPDUs, each of which has a field that indicates the number
of remaining hops. The number of remaining hops differs depending on the role of
the switching device, as outlined below:
● The number of remaining hops in a BPDU sent by the root bridge equals the
maximum number of hops.
● The number of remaining hops in a BPDU sent by a non-root bridge equals
the maximum number of hops minus the number of hops from the non-root
bridge to the root bridge.

If a switching device receives a BPDU in which the number of remaining hops is 0,
the switching device will discard the BPDU.

From the above information, it can be seen that the maximum number of hops of
a spanning tree in an MST region determines the network scale. The stp max-
hops command can be used to set the maximum number of hops in an MST
region so that the network scale of a spanning tree can be controlled.


Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Run stp process process-id
The MSTP process view is displayed.

NOTE

Skip this step if you perform configurations in the MSTP process 0.

Step 3 Run stp max-hops hop


The maximum number of hops in an MST region is set.
By default, the maximum number of hops of the spanning tree in an MST region
is 20.
Step 4 Run commit
The configuration is committed.

----End

10.9.10 Verifying the Configuration of MSTP Parameters on an Interface

Procedure
● Run the display stp [ process process-id ] [ instance instance-id ] [ interface
interface-type interface-number | slot slot-id ] [ brief ] command to view
spanning-tree status and statistics.
----End

10.10 Configuring MSTP Protection Functions


Pre-configuration Tasks
Before configuring MSTP protection functions, configure MSTP or MSTP multi-
process.

10.10.1 Configuring BPDU Protection on a Switching Device


Context
Edge ports are directly connected to user terminals and, in most cases, will not
receive BPDUs. However, attackers may send pseudo BPDUs to attack the
switching device with edge ports. In this case, if the edge ports receive the BPDUs,
they are then configured as non-edge ports and spanning tree recalculation is
triggered. Network flapping then occurs. Such attacks can be mitigated using
BPDU protection on switching devices with edge ports.


NOTE

BPDU protection is only valid for the edge port manually configured by the stp edged-port
or stp edged-port default command, and is invalid for the edge port configured by the
automatic detection function.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 (Optional) Run stp process process-id

The MSTP process view is displayed.

NOTE

Skip this step if you perform configurations in the MSTP process 0.

Step 3 Run stp bpdu-protection

BPDU protection is enabled on the switching device.

By default, BPDU protection is disabled on a switching device.

Step 4 Run commit

The configuration is committed.

----End

Follow-up Procedure
After BPDU protection is configured, an edge port that receives BPDUs enters
the Error-Down state and keeps its attributes. The device records the status of an
interface as Error-Down when it detects that a fault occurs. The interface in Error-
Down state cannot receive or send packets and the interface indicator is off. You
can run the display error-down recovery command to check information about
all interfaces in Error-Down state on the device.

When the interface is in Error-Down state, check the cause. You can use the
following modes to restore the interface status:
● Manual (after interfaces enter the Error-Down state)
When there are few interfaces in Error-Down state, run the shutdown and
undo shutdown commands in the interface view or run the restart command
to restore the interface.
● Auto (before interfaces enter the Error-Down state)
If there are many interfaces in Error-Down state, the manual mode brings in
heavy workload and the configuration of some interfaces may be ignored. To
prevent this problem, run the error-down auto-recovery cause bpdu-
protection interval interval-value command in the system view to enable an
interface in Error-Down state to go Up and set a recovery delay. You can run
the display error-down recovery command to view automatic recovery
information about the interface.


NOTE

This mode is invalid for the interface that has entered the Error-Down state, and is valid
only for the interface that enters the Error-Down state after the error-down auto-recovery
cause bpdu-protection interval interval-value command is run.

10.10.2 Configuring TC Protection on a Switching Device

Context
If attackers forge TC BPDUs to attack a switching device, the switching device
receives a large number of TC BPDUs within a short period. If MAC address entries
and ARP entries are deleted frequently, the switching device is heavily burdened,
causing potential risks to the network.

TC protection is used to suppress TC BPDUs. This function allows you to configure
the number of TC BPDUs processed by a switching device within a given period.
Once the number of TC BPDUs received by a switching device exceeds the
specified threshold within a given period, the switching device handles only the
specified number of TC BPDUs. The processing of excess TC BPDUs is delayed until
after the specified period expires. This protects the switching device from
becoming overburdened with frequently deleting MAC entries and ARP entries.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 (Optional) Run stp process process-id

The MSTP process view is displayed.

NOTE

Skip this step if you perform configurations in the MSTP process 0.

Step 3 Run stp tc-protection

TC protection is enabled in the MSTP process.

By default, TC protection is disabled on a switching device.

Step 4 Run either or both of the following commands to configure TC protection
parameters.
● To set the time period during which the device processes the maximum
number of TC BPDUs, run stp tc-protection interval interval-value.
By default, the time period is the Hello Time.
● To set the maximum number of TC BPDUs that the device processes within a
specified period, run stp tc-protection threshold threshold.
By default, a device processes one TC BPDU within a specified period.


NOTE

● There are two TC protection parameters: time period during which the device processes
the maximum number of TC BPDUs and the maximum number of TC BPDUs processed
within the time period. For example, if the time period is set to 10 seconds and the
maximum number of TC BPDUs is set to 5, the device processes only the first five TC
BPDUs within 10 seconds and processes the other TC BPDUs together 10 seconds later.
● The device processes only the maximum number of TC BPDUs configured by the stp tc-
protection threshold command within the time period configured by the stp tc-
protection interval command. Other packets are processed after a delay, so spanning
tree convergence speed may slow down.
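
The interval and threshold behaviour described in this NOTE can be modelled to estimate how many MAC and ARP flush events a burst of TC BPDUs causes with a given setting. The following is an added example, not part of the Huawei guide: the arrival times are constructed, and it assumes fixed windows counted from time 0, one flush per processed TC BPDU, one combined flush for the deferred BPDUs, and that deferred BPDUs do not count against the next window.

```python
from collections import defaultdict

# Constructed input: 50 TC BPDUs arriving 40 ms apart (a forged burst),
# followed by one ordinary topology change at 12 s. Times are in milliseconds.
BURST_MS = [i * 40 for i in range(50)] + [12000]


def tc_protection_schedule(arrivals_ms, interval_ms, threshold):
    """Return [(time_ms, bpdus_handled)] for each flush event.

    Within each window the first `threshold` TC BPDUs are handled on arrival;
    the remainder are handled together when the window expires.
    """
    windows = defaultdict(list)
    for t in sorted(arrivals_ms):
        windows[t // interval_ms].append(t)

    events = []
    for w in sorted(windows):
        times = windows[w]
        events.extend((t, 1) for t in times[:threshold])
        excess = len(times) - threshold
        if excess > 0:
            # Deferred BPDUs are processed together after the period expires.
            events.append(((w + 1) * interval_ms, excess))
    return sorted(events)


def flood_windows(arrivals_ms, interval_ms, threshold):
    """Return [(window_start_ms, bpdu_count)] for windows over the threshold.

    These windows are the ones worth alerting on: the switch received more
    TC BPDUs than a stable topology should produce.
    """
    counts = defaultdict(int)
    for t in arrivals_ms:
        counts[t // interval_ms] += 1
    return [(w * interval_ms, n) for w, n in sorted(counts.items()) if n > threshold]


if __name__ == "__main__":
    # The NOTE's own figures: 10-second period, at most 5 TC BPDUs per period.
    protected = tc_protection_schedule(BURST_MS, interval_ms=10000, threshold=5)
    print("flush events without TC protection:", len(BURST_MS))
    print("flush events with TC protection:   ", len(protected))
    for when, handled in protected:
        print(f"  t={when / 1000:>6.2f}s  TC BPDUs handled: {handled}")
    print("windows over threshold:", flood_windows(BURST_MS, 10000, 5))
```
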

Step 5 Run commit


The configuration is committed.

----End

10.10.3 Configuring Root Protection on an Interface


Context
If a root bridge receives BPDUs with a higher priority than its own due to incorrect
configurations or malicious attacks on the network, the legitimate root bridge will
no longer be able to serve as the root bridge and the network topology will be
changed, triggering spanning tree recalculation. This may also result in traffic that
should be transmitted over high-speed links being transmitted over low-speed
links, leading to congestion on the network. The root protection function on a
switch prevents this from happening by preserving the role of the designated port
in order to protect the root bridge.

NOTE

Root protection takes effect only on designated ports.

Perform the following steps on the root bridge in an MST region.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The view of the Ethernet interface that participates in spanning tree calculation is
displayed.
Step 3 (Optional) Run stp binding process process-id
The port is bound to an MSTP process.

NOTE

Skip this step if the interface belongs to process 0.

Step 4 Run stp root-protection


Root protection is configured on the switching device.


By default, root protection is disabled.


Step 5 Run commit
The configuration is committed.

----End

10.10.4 Configuring Loop Protection on an Interface


Context
To maintain the status of root ports and blocked ports on a network running
MSTP, a switching device receives BPDUs from an upstream switching device. If the
switching device cannot receive these BPDUs because of link congestion or
unidirectional-link failure, the switching device re-selects a root port. The original
root port becomes a designated port and the original blocked ports change to the
Forwarding state. This may create loops on the network. To prevent this issue from
occurring, configure loop protection.
With loop protection enabled, if the root port or alternate port does not receive
BPDUs from the upstream device for a long period, the switch sends a notification
to the NMS. If the root port is used, the root port enters the Discarding state and
becomes the designated port. If the alternate port is used, the alternate port
remains blocked and becomes the designated port. This prevents loops from
occurring. After the link congestion subsides or unidirectional link failures are
rectified, the port receives BPDUs for negotiation and reverts to its original role
and status.

NOTE

An alternate port is a backup port for a root port. If a switching device has an alternate
port, configure loop protection on both the root port and the alternate port.

Perform the following steps on the root port and alternate port on a switching
device in an MST region.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The Ethernet interface view is displayed.
Step 3 (Optional) Run stp binding process process-id
The port is bound to an MSTP process.

NOTE

Skip this step if the interface belongs to process 0.

Step 4 Run stp loop-protection


Loop protection for the root port is configured on the switching device.


By default, loop protection is disabled.

Root protection and loop protection cannot be configured together.

Step 5 Run commit

The configuration is committed.

----End
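
A planned configuration can be checked against the constraints stated in 10.9.8 and 10.10.1 to 10.10.4 before it is applied. The following is an added example, not part of the Huawei guide: it assumes a configuration text in which commands under an interface are indented and blocks are separated by `#`, covers MSTP process 0 only, and uses constructed interface names, a constructed interval value and hypothetical finding identifiers.

```python
# What each finding means, in the guide's own terms.
FINDINGS = {
    "ALL_PORTS_EDGE_AND_FILTER": "all ports are edge and BPDU filter ports: no "
        "BPDUs are sent or negotiated, which may cause loops and broadcast storms",
    "EDGE_WITHOUT_BPDU_PROTECTION": "edge ports are configured but stp "
        "bpdu-protection is not: a received BPDU turns them into non-edge ports "
        "and triggers spanning tree recalculation",
    "NO_AUTO_RECOVERY": "BPDU protection is enabled without error-down "
        "auto-recovery: Error-Down interfaces must be restored manually",
    "BPDU_FILTER": "port neither sends nor processes BPDUs and cannot negotiate "
        "STP status with its peer",
    "ROOT_AND_LOOP_PROTECTION": "root protection and loop protection cannot be "
        "configured together",
}

# Constructed sample configurations.
SAMPLE_RISKY = """\
#
stp edged-port default
stp bpdu-filter default
#
interface 10GE1/0/1
 stp edged-port enable
#
interface 10GE1/0/2
 stp edged-port enable
 stp bpdu-filter enable
#
interface 10GE1/0/3
 stp root-protection
 stp loop-protection
#
"""

SAMPLE_HARDENED = """\
#
stp bpdu-protection
error-down auto-recovery cause bpdu-protection interval 30
#
interface 10GE1/0/1
 stp edged-port enable
#
interface 10GE1/0/3
 stp root-protection
#
"""


def parse_config(text):
    """Split the text into system-view commands and per-interface commands."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and raw[:1].isspace():
            interfaces[current].append(line)
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces


def audit(text):
    """Return [(scope, finding_id)], system-view findings first."""
    global_cmds, interfaces = parse_config(text)
    edge_default = "stp edged-port default" in global_cmds
    filter_default = "stp bpdu-filter default" in global_cmds
    bpdu_protection = "stp bpdu-protection" in global_cmds
    auto_recovery = any(
        c.startswith("error-down auto-recovery cause bpdu-protection interval ")
        for c in global_cmds
    )
    any_edge = edge_default or any(
        "stp edged-port enable" in cmds for cmds in interfaces.values()
    )

    found = []
    if edge_default and filter_default:
        found.append(("system", "ALL_PORTS_EDGE_AND_FILTER"))
    if any_edge and not bpdu_protection:
        found.append(("system", "EDGE_WITHOUT_BPDU_PROTECTION"))
    if bpdu_protection and not auto_recovery:
        found.append(("system", "NO_AUTO_RECOVERY"))
    for name, cmds in interfaces.items():
        if "stp bpdu-filter enable" in cmds:
            found.append((name, "BPDU_FILTER"))
        if "stp root-protection" in cmds and "stp loop-protection" in cmds:
            found.append((name, "ROOT_AND_LOOP_PROTECTION"))
    return found


if __name__ == "__main__":
    for label, cfg in (("risky", SAMPLE_RISKY), ("hardened", SAMPLE_HARDENED)):
        print(f"[{label}]")
        for scope, finding in audit(cfg) or [("-", None)]:
            print(f"  {scope}: {FINDINGS.get(finding, 'no findings')}")
```
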

10.10.5 Configuring Share-Link Protection on a Switching Device

Context
Share-link protection is used in scenarios where a switching device is dual-homed
to a network.

When a shared link fails, share-link protection forcibly changes the working mode
of a local switching device to RSTP. This function can be used together with root
protection to avoid network loops.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run stp process process-id

The MSTP process view is displayed.

Step 3 Run stp link-share-protection

Share-link protection is enabled.

Step 4 Run commit

The configuration is committed.

----End

10.10.6 Verifying the Configuration of MSTP Protection Functions

Procedure
● Run the display stp [ process process-id ] [ instance instance-id ] [ interface
interface-type interface-number | slot slot-id ] [ brief ] command to view
spanning-tree status and statistics.

----End


10.11 Configuring MSTP Interoperation Between Huawei Devices and Non-Huawei Devices

10.11.1 Configuring a Proposal/Agreement Mechanism


Context
The rapid transition mechanism is also called the Proposal/Agreement mechanism.
All switching devices support the following modes:
● Enhanced mode: The current interface includes the root port calculation when
it computes the synchronization flag bit. The following describes the Proposal/
Agreement mechanism in enhanced mode:
– An upstream device sends a Proposal message to a downstream device,
requesting rapid status transition. After receiving the message, the
downstream device sets the port connected to the upstream device as a
root port and blocks all non-edge ports.
– The upstream device then sends an Agreement message to the
downstream device. After the downstream device receives the message,
the root port transitions to the Forwarding state.
– The downstream device responds to the Proposal message with an
Agreement message. After receiving the message, the upstream device
sets the port connected to the downstream device as a designated port,
and the designated port transitions to the Forwarding state.
● Common mode: The current interface ignores the root port when it computes
the synchronization flag bit. The following describes the Proposal/Agreement
mechanism in common mode:
– An upstream device sends a Proposal message to a downstream device,
requesting rapid status transition. After receiving the message, the
downstream device sets the port connected to the upstream device as a
root port and blocks all non-edge ports. The root port then transitions to
the Forwarding state.
– The downstream device responds to the Proposal message with an
Agreement message. After receiving the message, the upstream device
sets the port connected to the downstream device as a designated port.
The designated port then transitions to the Forwarding state.
When Huawei devices are connected to non-Huawei devices, select the same
mode as that used on non-Huawei devices.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The Ethernet interface view is displayed.

Step 3 Run stp no-agreement-check
The common rapid transition mechanism is configured.
By default, the interface uses the enhanced rapid transition mechanism.
Step 4 Run commit
The configuration is committed.

----End

10.11.2 Configuring the MSTP Protocol Packet Format on an Interface
Context
MSTP protocol packets have two formats: dot1s (IEEE 802.1s standard packets)
and legacy (proprietary protocol packets).
You can specify the packet format or use auto mode. In auto mode, a switching
device changes the MSTP protocol packet format to match that of the received
MSTP protocol packet so that the switching device can communicate with the peer
device.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The Ethernet interface view is displayed.
Step 3 Run stp compliance { auto | dot1s | legacy }
The MSTP protocol packet format is configured on the interface.
The auto mode is used by default.
Step 4 Run commit
The configuration is committed.

----End

10.11.3 Enabling the Digest Snooping Function


Context
Interconnected Huawei and non-Huawei devices cannot communicate with each
other if they have the same region name, revision number, and VLAN-to-instance
mappings but different BPDU keys. To address this problem, enable the digest
snooping function on the Huawei device.
Perform the following steps on a switching device in an MST region to enable the
digest snooping function.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number

The Ethernet interface view is displayed.

Step 3 Run stp config-digest-snoop

The digest snooping function is enabled.

Step 4 Run commit

The configuration is committed.

----End

10.11.4 Verifying the Configuration of MSTP Interoperation Between Huawei Devices and Non-Huawei Devices

Procedure
● Run the display stp [ process process-id ] [ instance instance-id ] [ interface
interface-type interface-number | slot slot-id ] [ brief ] command to view
spanning-tree status and statistics.

----End

10.12 Maintaining MSTP

10.12.1 Clearing MSTP Statistics

Context

NOTICE

MSTP statistics cannot be restored after being cleared.

Procedure
● Run the reset stp [ interface interface-type interface-number ] statistics
command to clear spanning-tree statistics.

----End


10.12.2 Monitoring the Statistics About MSTP Topology Changes
You can view statistics about MSTP topology changes. If the statistics keep
increasing, the network is flapping.

Procedure
● Run the display stp [ process process-id ] [ instance instance-id ] topology-
change command to view the statistics about MSTP topology changes.
In the case of a non-zero process, the stp process process-id command must
be used to create a process before the display stp [ process process-id ]
[ instance instance-id ] topology-change command is used.
● Run the display stp [ process process-id ] [ instance instance-id ] [ interface
interface-type interface-number | slot slot-id ] tc-bpdu statistics command
to view the statistics about Topology Change/Topology Change Notification
(TC/TCN) packets.
In the case of a non-zero process, the stp process process-id command must
be used to create a process before the display stp [ process process-id ]
[ instance instance-id ] [ interface interface-type interface-number | slot
slot-id ] tc-bpdu statistics command is used.
----End

10.13 Configuration Examples for MSTP


This section only provides configuration examples for individual features. For
details about multi-feature configuration examples, feature-specific configuration
examples, interoperation examples, protocol or hardware replacement examples,
and industry application examples, see the Typical Configuration Examples.

10.13.1 Example for Configuring MSTP


Networking Requirements
To implement redundancy on a complex network, network designers tend to
deploy multiple physical links between two devices, one of which is the master
link and the others are backup links. This redundancy can create loops, which
cause broadcast storms or damage MAC address entries. After the network is
planned, deploy MSTP on the network to prevent loops. MSTP blocks redundant
links and prunes a network into a tree topology free from loops.
On the network shown in Figure 10-20, SwitchA, SwitchB, SwitchC, and SwitchD
run MSTP. To load balance traffic from VLANs 2 to 10 and VLANs 11 to 20, use
MSTP multi-instance. You can configure a VLAN mapping table to associate
VLANs with MSTIs.


Figure 10-20 Networking diagram of MSTP configuration
[Figure: SwitchA, SwitchB, SwitchC, and SwitchD in MST region RG1 below the
upstream network, with Server1 and Server2 attached below SwitchC and SwitchD.
VLANs 2 to 10 map to MSTI 1 (root switch: SwitchA) and VLANs 11 to 20 map to
MSTI 2 (root switch: SwitchB); the blocked port of each MSTI is marked.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure basic MSTP functions on the switching devices on the ring network.
2. Configure protection functions to protect devices or links. You can configure
root protection on the designated port of the root bridge.

3. Configure Layer 2 forwarding.

Procedure
Step 1 Configure basic MSTP functions.
1. Configure SwitchA, SwitchB, SwitchC, and SwitchD in the same MST region
named RG1 and create MSTI 1 and MSTI 2.
NOTE

Two switching devices belong to the same MST region when they have the same:
– Name of the MST region
– Mapping between VLANs and MSTIs
A VLAN cannot be mapped to multiple MSTIs. If you map a VLAN that has
already been mapped to an MSTI to another MSTI, the original mapping will be
deleted.
– Revision level of the MST region
# Configure an MST region on SwitchA.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[*HUAWEI] commit
[~SwitchA] stp region-configuration
[~SwitchA-mst-region] region-name RG1
[*SwitchA-mst-region] instance 1 vlan 2 to 10
[*SwitchA-mst-region] instance 2 vlan 11 to 20
[*SwitchA-mst-region] commit
[~SwitchA-mst-region] quit
# Configure an MST region on SwitchB.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchB
[*HUAWEI] commit
[~SwitchB] stp region-configuration
[~SwitchB-mst-region] region-name RG1
[*SwitchB-mst-region] instance 1 vlan 2 to 10
[*SwitchB-mst-region] instance 2 vlan 11 to 20
[*SwitchB-mst-region] commit
[~SwitchB-mst-region] quit
# Configure an MST region on SwitchC.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchC
[*HUAWEI] commit
[~SwitchC] stp region-configuration
[~SwitchC-mst-region] region-name RG1
[*SwitchC-mst-region] instance 1 vlan 2 to 10
[*SwitchC-mst-region] instance 2 vlan 11 to 20
[*SwitchC-mst-region] commit
[~SwitchC-mst-region] quit
# Configure an MST region on SwitchD.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchD
[*HUAWEI] commit
[~SwitchD] stp region-configuration
[~SwitchD-mst-region] region-name RG1
[*SwitchD-mst-region] instance 1 vlan 2 to 10
[*SwitchD-mst-region] instance 2 vlan 11 to 20
[*SwitchD-mst-region] commit
[~SwitchD-mst-region] quit
2. In the MST region RG1, configure the root bridge and secondary root bridge
in MSTI 1 and MSTI 2.

– Configure the root bridge and secondary root bridge in MSTI 1.
# Configure SwitchA as the root bridge in MSTI 1.
[~SwitchA] stp instance 1 root primary
[*SwitchA] commit

# Configure SwitchB as the secondary root bridge in MSTI 1.
[~SwitchB] stp instance 1 root secondary
[*SwitchB] commit

– Configure the root bridge and secondary root bridge in MSTI 2.
# Configure SwitchB as the root bridge in MSTI 2.
[~SwitchB] stp instance 2 root primary
[*SwitchB] commit

# Configure SwitchA as the secondary root bridge in MSTI 2.
[~SwitchA] stp instance 2 root secondary
[*SwitchA] commit

3. Set the path costs of the ports to be blocked in MSTI 1 and MSTI 2 to be
greater than the default value.
NOTE

– The path cost values depend on path cost calculation methods. This example uses
the Huawei proprietary calculation method and sets the path cost to
20000 for the ports to be blocked. If another path cost calculation method is used,
see stp pathcost-standard.
– All switching devices on a network must use the same path cost calculation
method.
# Configure SwitchA to use the Huawei proprietary calculation method to
calculate the path cost.
[~SwitchA] stp pathcost-standard legacy
[*SwitchA] commit

# Configure SwitchB to use the Huawei proprietary calculation method to
calculate the path cost.
[~SwitchB] stp pathcost-standard legacy
[*SwitchB] commit

# Configure SwitchC to use the Huawei proprietary calculation method to
calculate the path cost, and set the path cost of 10GE1/0/2 in MSTI 2 to
20000.
[~SwitchC] stp pathcost-standard legacy
[*SwitchC] interface 10ge 1/0/2
[*SwitchC-10GE1/0/2] stp instance 2 cost 20000
[*SwitchC-10GE1/0/2] commit
[~SwitchC-10GE1/0/2] quit

# Configure SwitchD to use the Huawei proprietary calculation method to
calculate the path cost, and set the path cost of 10GE1/0/2 in MSTI 1 to
20000.
[~SwitchD] stp pathcost-standard legacy
[*SwitchD] interface 10ge 1/0/2
[*SwitchD-10GE1/0/2] stp instance 1 cost 20000
[*SwitchD-10GE1/0/2] commit
[~SwitchD-10GE1/0/2] quit

4. Enable MSTP to eliminate loops.
– Enable MSTP globally.
# Enable MSTP on SwitchA.

[~SwitchA] stp enable
[*SwitchA] commit
# Enable MSTP on SwitchB.
[~SwitchB] stp enable
[*SwitchB] commit
# Enable MSTP on SwitchC.
[~SwitchC] stp enable
[*SwitchC] commit
# Enable MSTP on SwitchD.
[~SwitchD] stp enable
[*SwitchD] commit
– Disable MSTP on the interface connected to terminals.
# Disable STP on 10GE1/0/1 of SwitchC.
[~SwitchC] interface 10ge 1/0/1
[~SwitchC-10GE1/0/1] stp disable
[*SwitchC-10GE1/0/1] commit
[~SwitchC-10GE1/0/1] quit
# Disable STP on 10GE1/0/1 of SwitchD.
[~SwitchD] interface 10ge 1/0/1
[~SwitchD-10GE1/0/1] stp disable
[*SwitchD-10GE1/0/1] commit
[~SwitchD-10GE1/0/1] quit

Step 2 Configure root protection on the designated port of the root bridge.
# Enable root protection on 10GE1/0/1 of SwitchA.
[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] stp root-protection
[*SwitchA-10GE1/0/1] commit
[~SwitchA-10GE1/0/1] quit

# Enable root protection on 10GE1/0/1 of SwitchB.
[~SwitchB] interface 10ge 1/0/1
[~SwitchB-10GE1/0/1] stp root-protection
[*SwitchB-10GE1/0/1] commit
[~SwitchB-10GE1/0/1] quit

Step 3 Configure Layer 2 forwarding on devices on the ring network.
● Create VLANs 2 to 20 on SwitchA, SwitchB, SwitchC, and SwitchD.
# Create VLANs 2 to 20 on SwitchA.
[~SwitchA] vlan batch 2 to 20
[*SwitchA] commit
# Create VLANs 2 to 20 on SwitchB.
[~SwitchB] vlan batch 2 to 20
[*SwitchB] commit
# Create VLANs 2 to 20 on SwitchC.
[~SwitchC] vlan batch 2 to 20
[*SwitchC] commit
# Create VLANs 2 to 20 on SwitchD.
[~SwitchD] vlan batch 2 to 20
[*SwitchD] commit
● Add ports on switching devices to VLANs.
# Add 10GE1/0/1 on SwitchA to VLANs 2 to 20.
[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] port link-type trunk

[*SwitchA-10GE1/0/1] port trunk allow-pass vlan 2 to 20
[*SwitchA-10GE1/0/1] commit
[~SwitchA-10GE1/0/1] quit

# Add 10GE1/0/2 on SwitchA to VLANs 2 to 20.
[~SwitchA] interface 10ge 1/0/2
[~SwitchA-10GE1/0/2] port link-type trunk
[*SwitchA-10GE1/0/2] port trunk allow-pass vlan 2 to 20
[*SwitchA-10GE1/0/2] commit
[~SwitchA-10GE1/0/2] quit

# Add 10GE1/0/1 on SwitchB to VLANs 2 to 20.
[~SwitchB] interface 10ge 1/0/1
[~SwitchB-10GE1/0/1] port link-type trunk
[*SwitchB-10GE1/0/1] port trunk allow-pass vlan 2 to 20
[*SwitchB-10GE1/0/1] commit
[~SwitchB-10GE1/0/1] quit

# Add 10GE1/0/2 on SwitchB to VLANs 2 to 20.
[~SwitchB] interface 10ge 1/0/2
[~SwitchB-10GE1/0/2] port link-type trunk
[*SwitchB-10GE1/0/2] port trunk allow-pass vlan 2 to 20
[*SwitchB-10GE1/0/2] commit
[~SwitchB-10GE1/0/2] quit

# Add 10GE1/0/1 on SwitchC to VLAN 2.
[~SwitchC] interface 10ge 1/0/1
[~SwitchC-10GE1/0/1] port link-type access
[*SwitchC-10GE1/0/1] port default vlan 2
[*SwitchC-10GE1/0/1] commit
[~SwitchC-10GE1/0/1] quit

# Add 10GE1/0/2 on SwitchC to VLANs 2 to 20.
[~SwitchC] interface 10ge 1/0/2
[~SwitchC-10GE1/0/2] port link-type trunk
[*SwitchC-10GE1/0/2] port trunk allow-pass vlan 2 to 20
[*SwitchC-10GE1/0/2] commit
[~SwitchC-10GE1/0/2] quit

# Add 10GE1/0/3 on SwitchC to VLANs 2 to 20.
[~SwitchC] interface 10ge 1/0/3
[~SwitchC-10GE1/0/3] port link-type trunk
[*SwitchC-10GE1/0/3] port trunk allow-pass vlan 2 to 20
[*SwitchC-10GE1/0/3] commit
[~SwitchC-10GE1/0/3] quit

# Add 10GE1/0/1 on SwitchD to VLAN 11.
[~SwitchD] interface 10ge 1/0/1
[~SwitchD-10GE1/0/1] port link-type access
[*SwitchD-10GE1/0/1] port default vlan 11
[*SwitchD-10GE1/0/1] commit
[~SwitchD-10GE1/0/1] quit

# Add 10GE1/0/2 on SwitchD to VLANs 2 to 20.
[~SwitchD] interface 10ge 1/0/2
[~SwitchD-10GE1/0/2] port link-type trunk
[*SwitchD-10GE1/0/2] port trunk allow-pass vlan 2 to 20
[*SwitchD-10GE1/0/2] commit
[~SwitchD-10GE1/0/2] quit

# Add 10GE1/0/3 on SwitchD to VLANs 2 to 20.
[~SwitchD] interface 10ge 1/0/3
[~SwitchD-10GE1/0/3] port link-type trunk
[*SwitchD-10GE1/0/3] port trunk allow-pass vlan 2 to 20
[*SwitchD-10GE1/0/3] commit
[~SwitchD-10GE1/0/3] quit

Step 4 Verify the configuration.

After the preceding configurations are complete and the network topology
becomes stable, perform the following operations to verify the configuration.

NOTE

MSTI 1 and MSTI 2 are used as examples. You do not need to check the interface status in
MSTI 0.

# Run the display stp brief command on SwitchA to view the status and
protection mode on the ports. Output similar to the following is displayed:
[~SwitchA] display stp brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 DESI forwarding root 2 disable
0 10GE1/0/2 DESI forwarding none 2 disable
1 10GE1/0/1 DESI forwarding root 2 disable
1 10GE1/0/2 DESI forwarding none 2 disable
2 10GE1/0/1 DESI forwarding root 2 disable
2 10GE1/0/2 ROOT forwarding none 2 disable

In MSTI 1, 10GE1/0/1 and 10GE1/0/2 are designated ports because SwitchA is the
root bridge. In MSTI 2, 10GE1/0/1 on SwitchA is the designated port and
10GE1/0/2 is the root port.
# Run the display stp brief command on SwitchB. Output similar to the following
is displayed:
[~SwitchB] display stp brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 DESI forwarding root 2 disable
0 10GE1/0/2 ROOT forwarding none 2 disable
1 10GE1/0/1 DESI forwarding root 2 disable
1 10GE1/0/2 ROOT forwarding none 2 disable
2 10GE1/0/1 DESI forwarding root 2 disable
2 10GE1/0/2 DESI forwarding none 2 disable

In MSTI 2, 10GE1/0/1 and 10GE1/0/2 are designated ports because SwitchB is the
root bridge. In MSTI 1, 10GE1/0/1 on SwitchB is the designated port and
10GE1/0/2 is the root port.
# Run the display stp interface brief command on SwitchC. Output similar to the
following is displayed:
[~SwitchC] display stp interface 10ge 1/0/3 brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/3 ROOT forwarding none 2 disable
1 10GE1/0/3 ROOT forwarding none 2 disable
2 10GE1/0/3 ROOT forwarding none 2 disable
[~SwitchC] display stp interface 10ge 1/0/2 brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/2 DESI forwarding none 2 disable
1 10GE1/0/2 DESI forwarding none 2 disable
2 10GE1/0/2 ALTE discarding none 20000 disable

10GE1/0/3 on SwitchC is the root port in MSTI 1 and MSTI 2. 10GE1/0/2 on
SwitchC is the designated port in MSTI 1 but is blocked in MSTI 2.
# Run the display stp interface brief command on SwitchD. Output similar to the
following is displayed:
[~SwitchD] display stp interface 10ge 1/0/3 brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/3 ALTE discarding none 2 disable
1 10GE1/0/3 ROOT forwarding none 2 disable
2 10GE1/0/3 ROOT forwarding none 2 disable

[~SwitchD] display stp interface 10ge 1/0/2 brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/2 ROOT forwarding none 2 disable
1 10GE1/0/2 ALTE discarding none 20000 disable
2 10GE1/0/2 DESI forwarding none 2 disable

10GE1/0/3 on SwitchD is the root port in MSTI 1 and MSTI 2. 10GE1/0/2 on
SwitchD is the blocked port in MSTI 1 and is the designated port in MSTI 2.

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 2 to 20
#
stp instance 1 root primary
stp instance 2 root secondary
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp root-protection
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 2 to 20
#
stp instance 1 root secondary
stp instance 2 root primary
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp root-protection
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
return
● SwitchC configuration file
#
sysname SwitchC

#
vlan batch 2 to 20
#
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
#
interface 10GE1/0/1
port default vlan 2
stp disable
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp instance 2 cost 20000
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
return

● SwitchD configuration file
#
sysname SwitchD
#
vlan batch 2 to 20
#
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
#
interface 10GE1/0/1
port default vlan 11
stp disable
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp instance 1 cost 20000
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
return
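
An added example, not part of the Huawei guide: a Python check for configuration drafts like the files above, run before they are pushed. It flags switches whose MST region name, revision level, or VLAN-to-instance mapping differ from the majority, and interfaces that carry both root protection and loop protection. The function names are hypothetical, revision-level is assumed to default to 0 when absent, and the sample drafts are constructed (trimmed from the files above, with a deliberate mismatch on SwitchD).

```python
from collections import defaultdict

FIELDS = ("region-name", "revision-level", "vlan-mapping")


def expand_vlans(tokens):
    """Expand a VLAN list such as ['2', 'to', '10', '30'] into a set of ints."""
    vlans, i = set(), 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(start, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(start)
            i += 1
    return vlans


def parse_config(text):
    """Extract the MST region settings and per-interface STP protection."""
    cfg = {"sysname": None, "region": None, "revision": 0,
           "mapping": {}, "interfaces": defaultdict(set)}
    context = None  # ("region", None) or ("interface", name)
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            context = None  # '#' closes the current configuration view
            continue
        words = line.split()
        if words[0] == "sysname" and len(words) == 2:
            cfg["sysname"] = words[1]
        elif line == "stp region-configuration":
            context = ("region", None)
        elif words[0] == "interface" and len(words) == 2:
            context = ("interface", words[1])
        elif context and context[0] == "region":
            if words[0] == "region-name":
                cfg["region"] = words[1]
            elif words[0] == "revision-level":
                cfg["revision"] = int(words[1])
            elif words[0] == "instance" and len(words) > 3 and words[2] == "vlan":
                vlans = expand_vlans(words[3:])
                cfg["mapping"].setdefault(int(words[1]), set()).update(vlans)
        elif context and context[0] == "interface":
            if line in ("stp root-protection", "stp loop-protection"):
                cfg["interfaces"][context[1]].add(words[1])
    return cfg


def region_key(cfg):
    """The three attributes that must match for two switches to share a region."""
    mapping = frozenset((i, frozenset(v)) for i, v in cfg["mapping"].items())
    return (cfg["region"], cfg["revision"], mapping)


def audit(configs):
    """Return (switch, finding, detail) tuples for a list of config texts."""
    parsed = [parse_config(c) for c in configs]
    findings = []
    groups = defaultdict(list)
    for cfg in parsed:
        groups[region_key(cfg)].append(cfg["sysname"])
    if len(groups) > 1:
        reference = max(groups, key=lambda k: len(groups[k]))  # majority wins
        for key, names in groups.items():
            if key == reference:
                continue
            diff = ",".join(f for f, a, b in zip(FIELDS, reference, key) if a != b)
            findings.extend((n, "region-mismatch", diff) for n in names)
    for cfg in parsed:
        for ifname, prot in cfg["interfaces"].items():
            if {"root-protection", "loop-protection"} <= prot:
                findings.append((cfg["sysname"], "protection-conflict", ifname))
    return findings


def draft(name, instance2="11 to 20", extra=""):
    """Build a constructed sample draft modelled on the files above."""
    return f"""#
sysname {name}
#
stp region-configuration
 region-name RG1
 instance 1 vlan 2 to 10
 instance 2 vlan {instance2}
#
interface 10GE1/0/3
 port link-type trunk
 port trunk allow-pass vlan 2 to 20
{extra}#
return
"""


# Constructed input: SwitchD maps VLAN 20 differently and mixes protections.
SAMPLE_CONFIGS = [
    draft("SwitchA"), draft("SwitchB"), draft("SwitchC"),
    draft("SwitchD", instance2="11 to 19",
          extra=" stp root-protection\n stp loop-protection\n"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIGS):
        print(finding)
```

A switch reported with region-mismatch would sit in a different MST region from its neighbours even though the region name matches.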


11 VBST Configuration

This chapter describes how to configure VLAN-based Spanning Tree (VBST). VBST
is a spanning tree protocol developed by Huawei. It constructs a spanning tree in
each VLAN to load balance traffic from different VLANs, improving link use
efficiency.

11.1 Overview of VBST
11.2 Understanding VBST
11.3 Application Scenarios for VBST
11.4 Summary of VBST Configuration Tasks
11.5 Licensing Requirements and Limitations for VBST
11.6 Default Settings for VBST
11.7 Configuring Basic VBST Functions
11.8 Setting VBST Parameters That Affect VBST Convergence
11.9 Configuring Protection Functions of VBST
11.10 Setting Parameters for Interworking Between a Huawei Datacom Device and
a Non-Huawei Device
11.11 Maintaining VBST
11.12 Configuration Examples for VBST

11.1 Overview of VBST

Definition
VBST, a Huawei spanning tree protocol, constructs a spanning tree in each VLAN
so that traffic from different VLANs is forwarded through different spanning trees.
VBST is equivalent to STP or RSTP running in each VLAN. Spanning trees in
different VLANs are independent of each other.


Purpose
Currently, there are three standard spanning tree protocols: Spanning Tree Protocol
(STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol
(MSTP). STP and RSTP cannot implement VLAN-based load balancing, because all
the VLANs on a LAN share a spanning tree and packets in all VLANs are
forwarded along this spanning tree. In addition, the blocked link does not carry
any traffic, which wastes bandwidth and may cause a failure to forward packets
from some VLANs. In real-world situations, MSTP is preferred because it is
compatible with STP and RSTP, ensures fast convergence, and provides multiple
paths to load balance traffic.
On enterprise networks, enterprise users need functions that are easy to use and
maintain, whereas the configuration of MSTP multi-instance is complex and has
high requirements for engineers' skills.
To address this issue, Huawei developed VBST. VBST constructs a spanning tree in
each VLAN so that traffic from different VLANs is load balanced along different
spanning trees. In addition, VBST is easy to configure and maintain.

Benefits
VBST provides the following benefits:
● Eliminates loops.
● Implements link multiplexing and load balancing, and therefore improves link
use efficiency.
● Reduces configuration and maintenance costs.

Comparisons Between VBST and Standard Spanning Tree Protocols


Table 11-1 lists the comparisons between VBST and STP/RSTP/MSTP.


Table 11-1 Comparisons between VBST and STP/RSTP/MSTP

Similarity (all four protocols): Forms a loop-free tree topology to prevent
broadcast storms and implement link backup.

Differences:

Spanning Tree Protocol | Convergence Speed | Traffic Forwarding | Usage Scenario | Complexity
VBST | RSTP/MSTP/VBST provides faster convergence than STP. | A spanning tree is formed in each VLAN, so that traffic from different VLANs is forwarded through different spanning trees that are independent of each other. | Service traffic needs to be differentiated and load balanced. VBST interworks with PVST, PVST+, and Rapid PVST+. | Medium
MSTP | RSTP/MSTP/VBST provides faster convergence than STP. | Provides mappings between MSTIs and VLANs so that traffic from different VLANs is forwarded through different spanning trees that are independent of each other. | Service traffic needs to be differentiated and load balanced. | High
RSTP | RSTP/MSTP/VBST provides faster convergence than STP. | Maps all VLANs to one spanning tree, so traffic from all VLANs is forwarded through the same spanning tree. | Service traffic does not need to be differentiated. | Low
STP | Slowest | Maps all VLANs to one spanning tree, so traffic from all VLANs is forwarded through the same spanning tree. | Service traffic does not need to be differentiated. | Low

11.2 Understanding VBST


VBST is equivalent to running STP or RSTP in each VLAN so that spanning trees in
different VLANs are independent of each other. Though VBST does not provide
multi-instance, VBST implements load balancing of traffic from different VLANs.
VBST inherits the following concepts of STP/RSTP:
● One root bridge
● Two measurements: ID and path cost
● Three port statuses: Discarding, Learning, and Forwarding
● Five port roles: root port, alternate port, backup port, designated port, and
edge port
● Three timers: Hello Time, Forward Delay, and Max Age
VBST differs from STP/RSTP as follows:
● Bridge ID (BID)
In VBST, the BID consists of the bridge priority, VLAN ID, and bridge MAC
address. The bridge priority occupies the most significant 4 bits, the VLAN ID
occupies the 12 bits following the bridge priority, and the MAC address
occupies the least significant 48 bits.
On a VBST network, the device with the smallest bridge ID will be selected as
the root bridge.
● VBST transmits VBST BPDUs in VLANs to determine the network topology.
VBST BPDUs are based on STP/RSTP BPDUs and a 4-byte 802.1q tag is added
between the source MAC address and protocol length. Figure 11-1 shows the
comparisons between the STP/RSTP BPDU and VBST BPDU.


Figure 11-1 Comparisons between the formats of the STP/RSTP BPDU and
VBST BPDU
STP/RSTP BPDU encapsulation format:
DMAC (6 bytes) | SMAC (6 bytes) | Length (2 bytes) | LLC | Data (38-1492 bytes) | CRC (4 bytes)
LLC: DSAP (1 byte) | SSAP (1 byte) | Control (1 byte)
VBST BPDU encapsulation format:
DMAC (6 bytes) | SMAC (6 bytes) | 802.1Q Tag (4 bytes) | Length (2 bytes) | LLC | Data (38-1492 bytes) | CRC (4 bytes)
LLC: DSAP (1 byte) | SSAP (1 byte) | Control (1 byte)

The DMAC identifies the destination MAC address of packets. The DMAC in a
VBST BPDU is 0100-0CCC-CCCD; the Data field in a standard RSTP/STP BPDU
is used as the Data field in a VBST BPDU. By default, the Data field in a
standard RSTP BPDU is used as the Data field in a VBST BPDU.
VBST implements VLAN-based spanning tree calculation, topology
convergence, and interworking with spanning tree protocols of other vendors.
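
An added example, not part of the Huawei guide: a Python sketch of the VBST bridge ID layout described above (4-bit priority, 12-bit VLAN ID, 48-bit MAC) and the per-VLAN root election it implies, used here to flag VLANs where the elected root differs from the planned one. The function names, the MAC addresses, and the planned roots are constructed; the default priority of 32768 and the 4096 step are assumed from standard spanning-tree behaviour, not taken from this section.

```python
DEFAULT_PRIORITY = 32768  # assumption: usual spanning-tree default priority


def mac_to_int(mac):
    """Convert a MAC written as xxxx-xxxx-xxxx (or with colons) to an int."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return int(digits, 16)


def pack_bid(priority, vlan_id, mac):
    """Build the 64-bit BID: priority in the top 4 bits, then VLAN ID, then MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    return ((priority >> 12) << 60) | (vlan_id << 48) | mac_to_int(mac)


def unpack_bid(bid):
    """Split a 64-bit BID back into (priority, vlan_id, mac)."""
    priority = (bid >> 60) << 12
    vlan_id = (bid >> 48) & 0xFFF
    digits = f"{bid & 0xFFFFFFFFFFFF:012x}"
    return priority, vlan_id, "-".join(digits[i:i + 4] for i in (0, 4, 8))


def elect_root(bridges, vlan_id):
    """Return the bridge with the smallest BID in this VLAN."""
    def bid(name):
        prio = bridges[name]["priority"].get(vlan_id, DEFAULT_PRIORITY)
        return pack_bid(prio, vlan_id, bridges[name]["mac"])
    return min(bridges, key=bid)


def election_surprises(bridges, planned_roots):
    """List (vlan, planned, elected) for VLANs whose elected root is unplanned."""
    surprises = []
    for vlan_id, planned in sorted(planned_roots.items()):
        elected = elect_root(bridges, vlan_id)
        if elected != planned:
            surprises.append((vlan_id, planned, elected))
    return surprises


# Constructed inventory: SwitchD and SwitchF are given priority 0 in VLAN 2 and
# VLAN 3 respectively; nobody set a priority for VLAN 4.
BRIDGES = {
    "SwitchA": {"mac": "00e0-fc00-0001", "priority": {}},
    "SwitchB": {"mac": "00e0-fc00-0002", "priority": {}},
    "SwitchC": {"mac": "00e0-fc00-0003", "priority": {}},
    "SwitchD": {"mac": "00e0-fc00-0004", "priority": {2: 0}},
    "SwitchE": {"mac": "00e0-fc00-0005", "priority": {}},
    "SwitchF": {"mac": "00e0-fc00-0006", "priority": {3: 0}},
}
PLANNED_ROOTS = {2: "SwitchD", 3: "SwitchF", 4: "SwitchD"}

if __name__ == "__main__":
    for vlan in sorted(PLANNED_ROOTS):
        print(vlan, elect_root(BRIDGES, vlan))
    print(election_surprises(BRIDGES, PLANNED_ROOTS))
```

In VLAN 4 every bridge keeps the default priority, so the lowest MAC address decides the election and SwitchA becomes the root instead of the planned SwitchD.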

VBST Topology Calculation


VBST supports VLAN-based topology calculation. Tagged VBST BPDUs are sent in
each VLAN except VLAN1 and topology calculation is performed separately. The
VBST topology calculation method is similar to the STP/RSTP calculation method.
For details, see 9.2.4 STP Topology Calculation. Different root bridges can be
selected in VLANs. Figure 11-2 shows the topology calculation results of STP/RSTP
and VBST.


Figure 11-2 Topology calculation results of STP/RSTP and VBST
[Figure: the same topology of SwitchA through SwitchF shown twice, with HostA
and HostB in VLAN2 and HostC and HostD in VLAN3. Upper panel: STP/RSTP spanning
tree (root bridge SwitchF). Lower panel: spanning tree for VBST VLAN 2 (root
bridge SwitchD) and spanning tree for VBST VLAN 3 (root bridge SwitchF).]

In Figure 11-2:
● Through topology calculation, STP/RSTP generates a spanning tree with the
root bridge as SwitchF. The links between SwitchB and SwitchE and between
SwitchA and SwitchD are blocked. HostA and HostB belong to VLAN2. The
link between SwitchB and SwitchE does not permit packets of VLAN2 to pass
through because the link between SwitchB and SwitchE is blocked. Therefore,
HostA fails to communicate with HostB.
● Through topology calculation, VBST generates spanning trees VLAN2 and
VLAN3 with root bridges as SwitchD and SwitchF respectively. Traffic in
VLAN2 and VLAN3 is forwarded through their respective spanning trees so

that traffic is load balanced between paths SwitchB-SwitchE and SwitchC-SwitchF.

Fast Convergence of VBST


VBST supports the Proposal/Agreement mechanism in common and enhanced
modes:
● Common mode
The Proposal/Agreement mechanism in common mode supported by VBST is
similar to that supported by RSTP. For details, see 9.2.6 Technical Details of
RSTP.
● Enhanced mode
The Proposal/Agreement mechanism in enhanced mode supported by VBST is
similar to that supported by MSTP. For details, see 10.2.5 MSTP Fast
Convergence.

Protection Mechanisms of VBST


Similar to RSTP, VBST provides BPDU protection, TC protection, root protection,
and loop protection. For details, see Protection functions.

Interworking Between VBST and Standard STP/RSTP


On a live network, VBST-enabled devices may connect to STP/RSTP-enabled
devices. VBST and STP/RSTP use different BPDU formats, so there are interworking
problems. To implement interworking between VBST and standard STP/RSTP, take
the following measures:
● On a trunk interface:
– When a VBST-enabled device connects to an RSTP-enabled device, the
VBST-enabled device uses standard RSTP BPDUs in VLAN1 and VBST
BPDUs with the Data field of RSTP BPDUs in other VLANs to exchange
with the RSTP-enabled device.
– When a VBST-enabled device connects to an STP-enabled device, the
VBST-enabled device uses standard STP BPDUs in VLAN1 and VBST
BPDUs with the Data field of STP BPDUs in other VLANs to exchange
with the STP-enabled device.
The following describes spanning tree implementation, as shown in Figure
11-3.
As shown in Figure 11-3, STP/RSTP is deployed on SwitchA and SwitchB, and
VBST is deployed on SwitchC and SwitchD. Devices are connected through
trunk interfaces, and interfaces on SwitchA through SwitchD allow packets
from VLAN1 and VLAN10 to pass through.

Figure 11-3 Interworking between VBST and STP/RSTP on a trunk interface
[Figure: SwitchA and SwitchB run STP/RSTP; SwitchC and SwitchD run VBST. The switches are connected through trunk links that carry VLAN1 and VLAN10. Panels: spanning tree for VLAN 1; spanning tree for VLAN 10; spanning tree for VLAN 1 and 10. Legend: root bridge, unblocked link, blocked link, blocked port.]

An STP/RSTP-enabled device can only send and receive STP/RSTP BPDUs, and
transparently transmit VBST BPDUs, so a spanning tree is formed in VLAN1 as
defined by STP/RSTP.
Assume that the blocking point of the spanning tree in VLAN1 is on
SwitchD. Because VBST runs on SwitchD, the blocking point exists in
VLAN1. SwitchD can still receive and forward VBST BPDUs in VLAN10. Loops
occur in VLAN10, so spanning tree calculation in VLAN10 is triggered. SwitchA
and SwitchB transparently transmit VBST BPDUs in VLAN10, so only four
interfaces on SwitchC and SwitchD participate in spanning tree calculation in
VLAN10. Then the spanning trees in VLAN1 and VLAN10 are formed, as
shown in Figure 11-3.
Assume that the blocking point of the spanning tree in VLAN1 is on SwitchB.
STP/RSTP runs on SwitchB, so the blocking port exists on SwitchB. SwitchB
cannot forward VBST BPDUs from VLAN10 and no loop occurs in VLAN10, so
spanning tree calculation in VLAN10 is not triggered. VBST BPDUs from
VLAN10 can be forwarded along the spanning tree in VLAN1, that is, VLAN10
and VLAN1 share the spanning tree, as shown in Figure 11-3.
● On an access interface, a VBST-enabled device uses standard STP or RSTP
BPDUs to exchange with the remote end according to the VLAN that the
access interface belongs to. Topology calculation is performed as defined by
STP/RSTP. Because STP/RSTP does not differentiate VLANs, a spanning tree
shared by VLANs is formed.

When a VBST-enabled device connects to an STP/RSTP-enabled device, the trunk
interface must be used to connect the two devices and the blocking point must be
located on the VBST-enabled device to implement load balancing.

Interworking Between VBST and PVST/PVST+/Rapid PVST+


On a live network, a VBST-enabled device may connect to a device enabled with
PVST/PVST+/Rapid PVST+.
● Trunk interface
– When a VBST-enabled device connects to a device enabled with Rapid
PVST+, the VBST-enabled device sends standard RSTP BPDUs (or VBST
BPDUs with the Data field of RSTP BPDUs) and VBST BPDUs with the
Data field of RSTP BPDUs in other VLANs to exchange with the device
enabled with Rapid PVST+.
– When a VBST-enabled device connects to a device enabled with PVST+,
the VBST-enabled device sends standard STP BPDUs (or VBST BPDUs with
the Data field of STP BPDUs) and VBST BPDUs with the Data field of STP
BPDUs in other VLANs to exchange with the device enabled with PVST+.
– When a VBST-enabled device connects to a PVST-enabled device, packet
exchange is similar to that in the scenario where a VBST-enabled device
connects to a device enabled with PVST+. The difference is that the VBST-
enabled device and PVST-enabled device send only VBST BPDUs with the
Data field of STP BPDUs in VLAN1.
The two devices can identify the BPDUs carrying VLAN information, so a
VLAN-based spanning tree is formed. The connection between a VBST-
enabled device and a device enabled with PVST/PVST+/Rapid PVST+ through
a trunk interface is similar to the connection between two VBST-enabled
devices.
● Access interface
A VBST-enabled device uses standard STP BPDUs to exchange with the device
enabled with PVST/PVST+ or RSTP BPDUs to exchange with the device
enabled with Rapid PVST+ according to the VLAN that the access interface
belongs to. Topology calculation is performed as defined by STP/RSTP.
Because STP/RSTP does not differentiate VLANs, a spanning tree shared by
VLANs is formed.

11.3 Application Scenarios for VBST


To improve reliability of an enterprise network, access switches often connect to
aggregation switches in dual-homing or multi-homing mode networking. In such
networking, one link is the active link, and other links are standby links. When
multiple links are used, loops may occur. As a result, broadcast storms occur and
MAC address entries are damaged. In addition, one access switch often needs to
transmit services from different VLANs.
Deploying MSTP can eliminate loops and load balance traffic from different
VLANs, but MSTP multi-instance and multi-process are difficult to configure and
maintain.
You can deploy VBST instead. VBST constructs a spanning tree in each VLAN so that
traffic from different VLANs is forwarded through different spanning trees. This
eliminates loops and implements load balancing of traffic. In addition, VBST is
easy to configure and maintain.

Figure 11-4 VBST implementing load balancing
[Figure: aggregation switches SwitchA and SwitchB connect to the core network; access switches SwitchC and SwitchD connect to the aggregation switches. Links are labeled with the VLANs they carry (VLAN 10, 20, 30; VLAN 10, 20; VLAN 20, 30). Panels: spanning tree for VLAN 10; spanning tree for VLAN 20; spanning tree for VLAN 30. Legend: root bridge, unblocked link, blocked link, blocked port, and the forwarding paths for traffic from VLAN 10, VLAN 20, and VLAN 30.]

As shown in Figure 11-4, SwitchC and SwitchD are access switches; SwitchA and
SwitchB are aggregation switches. SwitchC and SwitchD are dual-homed to
SwitchA and SwitchB. To eliminate loops and load balance traffic from different
VLANs, deploy VBST on SwitchA, SwitchB, SwitchC, and SwitchD. Configure
SwitchA as the root bridge of VLAN 10 and VLAN 20 and SwitchB as the root
bridge of VLAN 30.
Loops are eliminated based on VLANs. Figure 11-4 shows the formed spanning
trees and forwarding paths. In Figure 11-4, traffic from VLAN 10, VLAN 20, and
VLAN 30 is forwarded through their respective spanning trees. In this manner,
traffic from VLAN 10, VLAN 20, and VLAN 30 is load balanced on paths
SwitchC<->SwitchA, SwitchD<->SwitchA, and SwitchD<->SwitchB.


11.4 Summary of VBST Configuration Tasks


Table 11-2 describes the VBST configuration tasks. VBST blocks redundant links
and prunes a network into a tree topology to eliminate loops and implement load
balancing. You can perform the following configurations to meet requirements in
special scenarios:
● Setting VBST parameters that affect VBST convergence
● Configuring protection functions
● Setting parameters for interworking between a Huawei datacom device and a
non-Huawei device

Table 11-2 VBST configuration tasks

Scenario: (Mandatory) Configure basic VBST functions
Description: After you configure the operation mode of VBST and start VBST, VBST
calculates the spanning tree and prunes a network into a tree network to eliminate
loops. You can perform the following configurations to manually adjust the spanning
tree calculation result:
● 11.7.1 (Optional) Configuring the Root Bridge and Secondary Root Bridge
● 11.7.2 (Optional) Setting the Device Priority
● 11.7.3 (Optional) Setting the Path Cost for a Port
● 11.7.4 (Optional) Configuring Port Priorities
Task: 11.7 Configuring Basic VBST Functions

Scenario: (Optional) Set VBST parameters that affect VBST convergence
Description: The network diameter, timeout interval, Hello Time, Max Age, and
Forward Delay affect VBST convergence. Proper settings of these parameters can
speed up VBST convergence.
Task: 11.8 Setting VBST Parameters That Affect VBST Convergence

Scenario: (Optional) Configure protection functions
Description: Huawei datacom devices provide the following protection functions:
● BPDU protection: prevents malicious attacks from bogus BPDUs.
● TC protection: reduces the impact of malicious attacks from bogus TCN BPDUs.
● Root protection: protects the role of the root bridge by retaining the role of
the designated port and prevents network congestion caused by malicious attacks.
● Loop protection: prevents loops caused by link congestion.
Task: 11.9 Configuring Protection Functions of VBST

Scenario: (Optional) Set parameters for interworking between a Huawei datacom
device and a non-Huawei device
Description: To implement interworking between a Huawei datacom device and a
non-Huawei device, configure the fast transition mode according to the
Proposal/Agreement mechanism of the non-Huawei device.
Task: 11.10 Setting Parameters for Interworking Between a Huawei Datacom Device
and a Non-Huawei Device

11.5 Licensing Requirements and Limitations for VBST


Involved Network Elements


Other network elements are not required.

Licensing Requirements
VBST is a basic software function of the switch. The license for basic software
functions has been loaded and activated before delivery. You do not need to
manually activate it.

Version Requirements

Table 11-3 Products and minimum version supporting VBST

Product Minimum Version Required

CE8860EI V100R006C00

CE8861EI/CE8868EI V200R005C10

CE8850-32CQ-EI V200R002C50

CE8850-64CQ-EI V200R005C00

CE7850EI V100R006C00

CE7855EI V200R001C00

CE6810EI V100R006C00

CE6810LI V100R006C00

CE6850EI V100R006C00

CE6850HI V100R006C00

CE6855HI V200R001C00

CE6856HI V200R002C50

CE6857EI V200R005C10

CE6860EI V200R002C50

CE6865EI V200R005C00

CE6863/CE6881/CE6820 V200R005C20

CE6881K V200R019C10

CE6881E V200R019C10

CE6863K V200R019C10

CE6870-24S6CQ-EI V200R001C00

CE6870-48S6CQ-EI V200R001C00

CE6870-48T6CQ-EI V200R002C50


CE6875-48S4CQ-EI V200R003C00

CE5810EI V100R006C00

CE5850EI V100R006C00

CE5850HI V100R006C00

CE5855EI V100R006C00

NOTE

For details about the mapping between software versions and switch models, see the
Hardware Query Tool.

Feature Limitations
● Table 11-4 describes the specifications of VBST.

Table 11-4 Specifications of VBST

Item: Number of protected VLANs
Specification:
● Versions earlier than V200R005C00: 128
● From V200R005C00 to V200R019C10:
CE6875EI, CE6870EI, CE6810EI, and CE5810EI: 240
Other switch models: 500

Item: PV value (product of VBST-enabled interface quantity and VLAN quantity)
Specification:
● The CPU usage of VBST is in direct proportion to the PV value.
● The CE5810EI and CE5855EI support a maximum of 4000 PV values. The CE6881,
CE6881K, CE6820, CE6863K, CE6881E, and CE6863 support a maximum of 8000 PV
values. Other switch models support a maximum of 16000 PV values.
● The number of PV values on a switch is the sum of PV values of cards installed
on the switch.
● The number of PV values of a stack is the sum of PV values of member switches.
NOTE
If the number of PV values exceeds the maximum value, the CPU usage may exceed
the threshold. As a result, there is a delay in processing tasks, protocol
calculation is affected, and even the switch may fail to be managed by the NMS.

● On networks that run STP/RSTP/MSTP/VBST, configure an optimal core switch
as the root bridge to ensure stability of the STP Layer 2 network. Otherwise,
new access devices may trigger STP root bridge switching, causing short
service interruptions.
● When VBST is enabled on a ring network, VBST immediately starts spanning
tree calculation. Parameters such as the device priority and port priority affect
spanning tree calculation, and changes to these parameters may cause
network flapping. To ensure fast and stable spanning tree calculation, perform
basic configurations on the switch and interfaces before enabling VBST.
● VBST constructs a spanning tree in each VLAN so that traffic from different
VLANs is forwarded through different spanning trees. Performance
deterioration cannot be prevented when the network scale grows. Therefore,
the network diameter cannot be larger than 7.
● VBST cannot be enabled in the control VLAN used by ERPS or Smart Link.
● M-LAG cannot be used in VBST scenarios.
● GVRP cannot be used in VBST scenarios.
● TRILL cannot be used in VBST scenarios.
● VBST cannot be deployed on the user-side network of the VXLAN tunnel.
● VBST supports only process 0. If other processes are configured on the device,
the device cannot switch to the VBST mode.
● If VLAN mapping, MUX VLAN, or VLAN stacking is configured on an interface
corresponding to the VLAN, VBST negotiation for this VLAN will fail.


● If 1:N (where N>1) mapping between MSTIs and VLANs has been configured
on the switch, you must delete the mapping before changing the STP working
mode to VBST.
● Instance 4094 is reserved in VBST mode to prevent temporary loops. You
cannot use the instance instance-id vlan vlan-id command to configure the
mapping between instance 4094 and a VLAN. Before switching to the VBST
mode, delete the configuration of instance 4094 or use an available instance
to replace instance 4094.
● If the device has been configured as the root bridge or secondary root bridge,
run the undo stp vlan vlan-id [ to vlan-id ] [ vlan-id [ to vlan-id ] ] &<1-9>
root command to disable the root bridge or secondary root bridge function
and run the stp vlan vlan-id [ to vlan-id ] [ vlan-id [ to vlan-id ] ] &<1-9>
priority priority command to change the device priority.
● To prevent frequent network flapping, ensure that the values of Hello time,
Forward Delay, and Max Age conform to the following formulas:
– 2 × (Forward Delay - 1.0 second) ≥ Max Age
– Max Age ≥ 2 × (Hello Time + 1.0 second)
● After all ports are configured as edge ports and BPDU filter ports in the
system view, no ports on the switch send BPDUs or negotiate the VBST status
with directly connected ports on the remote device. All ports are in forwarding
state. This may cause loops on the network, leading to broadcast storms.
Exercise caution when you configure a port as an edge port and BPDU filter
port.
● After a port is configured as an edge port and BPDU filter port in the
interface view, the port does not process or send BPDUs. The port cannot
negotiate the VBST status with the directly connected port on the peer device.
The interface directly connected to a terminal needs to be configured as the
edge port and BPDU filter port.
● Root protection takes effect only on designated ports.
● An alternate port is the backup of the root port. If a switch has an alternate
port, you need to configure loop protection on both the root port and
alternate port.
● Loop protection and root protection cannot be configured on the same
interface simultaneously.
● VBST and VPLS cannot be configured together on a switch.

11.6 Default Settings for VBST

Parameter | Default Setting
Working mode | MSTP
VBST | Enabled globally, and VBST enabled in each VLAN
Switching device priority | 32768
Port priority | 128
Algorithm used to calculate the default path cost | Dot1t, IEEE 802.1t
Forward Delay | 1500 centiseconds
Hello Time | 200 centiseconds
Max Age | 2000 centiseconds

11.7 Configuring Basic VBST Functions


After you configure the operation mode of VBST and start VBST, VBST calculates
the spanning tree and prunes a network into a tree network to eliminate loops.
Network planners can also set parameters such as the switch priority, port path
cost, and port priority to adjust the spanning tree calculation result.

Pre-configuration Tasks
Before configuring basic VBST functions, complete the following task:
● Connecting ports and setting the physical parameters of each interface so
that the physical layer is in Up state (see Basic Configuration for Interfaces
and Ethernet Interface Configuration in CloudEngine 8800, 7800, 6800, and
5800 Series Switches Configuration Guide - Interface Management)

11.7.1 (Optional) Configuring the Root Bridge and Secondary Root Bridge

Context
The root bridge of a spanning tree is automatically calculated. You can also
manually specify a root bridge or secondary root bridge.
● A spanning tree can have only one effective root bridge. When two or more
devices are specified as root bridges for a spanning tree, the device with the
smallest MAC address is elected as the root bridge.
● You can specify multiple secondary root bridges for each spanning tree. When
the root bridge fails or is powered off, a secondary root bridge becomes the
new root bridge. If a new root bridge is specified, the secondary root bridge
will not become the root bridge. If there are multiple secondary root bridges,
the one with the smallest MAC address becomes the root bridge of the spanning
tree.

NOTE

On networks that run STP/RSTP/MSTP/VBST, configure an optimal core switch as the root
bridge to ensure stability of the STP Layer 2 network. Otherwise, new access devices may
trigger STP root bridge switching, causing short service interruptions.
It is recommended that you specify the root bridge and secondary root bridge when
configuring VBST.


Procedure
● Perform the following operations on the device you want to use as the root
bridge.
a. Run system-view

The system view is displayed.


b. Run stp vlan vlan-id [ to vlan-id ] [ vlan-id [ to vlan-id ] ] &<1-9> root
primary

The device is configured as the root bridge.

By default, a switching device does not function as the root bridge. After
you run this command, the priority value of the device is set to 0 and
cannot be changed.
c. Run commit

The configuration is committed.


● Perform the following operations on the device you want to use as the
secondary root bridge.
a. Run system-view

The system view is displayed.


b. Run stp vlan vlan-id [ to vlan-id ] [ vlan-id [ to vlan-id ] ] &<1-9> root
secondary

The device is configured as the secondary root bridge.

By default, a switching device does not function as the secondary root
bridge. After you run this command, the priority value of the device is set
to 4096 and cannot be changed.
c. Run commit

The configuration is committed.

----End

11.7.2 (Optional) Setting the Device Priority

Context
The device priority is used in spanning tree calculation, and determines whether
the device can be configured as a root bridge of a spanning tree. A smaller value
indicates a higher priority.

Generally, a high-performance switch at a high network layer is required to be
selected as the root bridge. However, the high-performance switch at a high
network layer may not have a high priority. It is necessary to set the device
priority to ensure that the device functions as the root bridge. Low-performance
devices at lower network layers are not fit to serve as root bridges. Therefore, set
low priorities for these devices.


Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp vlan vlan-id [ to vlan-id ] [ vlan-id [ to vlan-id ] ] &<1-9> priority priority
The priority of the switch in a specified VLAN is set.
By default, the priority of the device is 32768.

NOTE

If the device has been configured as the root bridge or secondary root bridge, to change the
device priority, run the undo stp vlan vlan-id [ to vlan-id ] [ vlan-id [ to vlan-id ] ] &<1-9>
root command to disable the root bridge or secondary root bridge function and run the stp
vlan vlan-id [ to vlan-id ] [ vlan-id [ to vlan-id ] ] &<1-9> priority priority command to set
the device priority.

Step 3 Run commit


The configuration is committed.

----End
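
The election rules in 11.7.1 and 11.7.2 can be checked against a planned design before it is committed. The following Python sketch is an added example, not Huawei code: it models only the per-VLAN comparison of priority and MAC address, and the MAC addresses, the secondary root assignments, and the extra device SwitchE are constructed for illustration.

```python
from dataclasses import dataclass, field

# Priority values this guide gives for "root primary", "root secondary" and the default.
ROLE_PRIORITY = {"primary": 0, "secondary": 4096}
DEFAULT_PRIORITY = 32768


@dataclass
class Bridge:
    name: str
    mac: str                                       # constructed sample MAC address
    per_vlan: dict = field(default_factory=dict)   # vlan -> "primary" | "secondary" | int

    def bridge_id(self, vlan):
        """(priority, MAC) for one VLAN; the smaller tuple wins the election."""
        setting = self.per_vlan.get(vlan, DEFAULT_PRIORITY)
        priority = ROLE_PRIORITY.get(setting, setting)
        return (priority, int(self.mac.replace("-", ""), 16))


def elect_root(bridges, vlan, failed=()):
    """Root bridge of one VLAN among the devices that are still up."""
    alive = [b for b in bridges if b.name not in failed]
    return min(alive, key=lambda b: b.bridge_id(vlan))


def audit_roots(bridges, plan):
    """plan: vlan -> (intended root, intended backup). Returns a list of findings."""
    findings = []
    for vlan, (want_root, want_backup) in sorted(plan.items()):
        primaries = [b.name for b in bridges if b.per_vlan.get(vlan) == "primary"]
        if len(primaries) > 1:
            findings.append(f"VLAN {vlan}: root primary set on {', '.join(primaries)}; "
                            "the smallest MAC address decides")
        root = elect_root(bridges, vlan)
        if root.name != want_root:
            findings.append(f"VLAN {vlan}: elected root is {root.name}, intended {want_root}")
        backup = elect_root(bridges, vlan, failed={want_root})
        if backup.name != want_backup:
            findings.append(f"VLAN {vlan}: if {want_root} fails the root becomes "
                            f"{backup.name}, intended {want_backup}")
    return findings


def build_design():
    """Figure 11-4 roles: SwitchA is root for VLAN 10 and 20, SwitchB for VLAN 30.
    The secondary root assignments are an assumption added for this example."""
    return [
        Bridge("SwitchA", "00e0-fc00-000a", {10: "primary", 20: "primary", 30: "secondary"}),
        Bridge("SwitchB", "00e0-fc00-000b", {10: "secondary", 20: "secondary", 30: "primary"}),
        Bridge("SwitchC", "00e0-fc00-000c"),
        Bridge("SwitchD", "00e0-fc00-000d"),
    ]


PLAN = {10: ("SwitchA", "SwitchB"), 20: ("SwitchA", "SwitchB"), 30: ("SwitchB", "SwitchA")}

if __name__ == "__main__":
    design = build_design()
    print("planned design:", audit_roots(design, PLAN) or "no findings")
    # Hypothetical configuration drift: a later-added device is also set as
    # root primary for VLAN 30 and happens to have a smaller MAC address.
    drift = design + [Bridge("SwitchE", "00e0-fc00-0001", {30: "primary"})]
    for finding in audit_roots(drift, PLAN):
        print(finding)
```

Running the audit on every change to the priority plan shows where a second root primary, or a missing secondary root bridge, would move the root away from the intended core switch.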

11.7.3 (Optional) Setting the Path Cost for a Port

Context
A path cost is port-specific and is used by VBST to select a link. A port in different
VLANs may have different path costs on a network running VBST. Setting a proper
path cost enables traffic from different VLANs to be forwarded through different
physical links, implementing VLAN-based load balancing.
The path cost value range is determined by the calculation method. The following
calculation methods are used:
● dot1d-1998: IEEE 802.1d standard is used to calculate the path cost.
● dot1t: IEEE 802.1T standard is used to calculate the path cost.
● legacy: Huawei calculation method is used to calculate the path cost.
After the calculation method is determined, the path cost of a port can be set.
Generally, a higher path cost indicates a higher probability that a port is blocked. If
the link rate of a port is low, you are advised to set a large path cost so that the
port is selected as the blocking port during spanning tree calculation and its link is
blocked.
The default path cost varies according to the interface rate. The Huawei calculation
method is used as an example. Table 11-5 shows the mapping between link rates
and path costs.

Table 11-5 Mappings between link rates and path costs

Interface Rate | Default Value | Recommended Value Range | Path Cost Range
10 Mbit/s | 2000 | 200-20000 | 1-200000
100 Mbit/s | 200 | 20-2000 | 1-200000
1 Gbit/s | 20 | 2-200 | 1-200000
10 Gbit/s | 2 | 2-20 | 1-200000
Over 10 Gbit/s | 1 | 1-2 | 1-200000

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp pathcost-standard { dot1d-1998 | dot1t | legacy }
A path cost calculation method is configured.
By default, IEEE 802.1T standard is used to calculate the path cost.
All switches on the same network must use the same path cost calculation
method.
Step 3 Run interface interface-type interface-number
The view of the Ethernet interface that participates in spanning tree calculation is
displayed.
Step 4 Run stp vlan vlan-id [ to vlan-id ] [ vlan-id [ to vlan-id ] ] &<1-9> cost cost
The path cost of the port in each VLAN is set.
● If Huawei calculation method is used, the path cost ranges from 1 to 200000.
● If IEEE 802.1D standard is used, the path cost ranges from 1 to 65535.
● If IEEE 802.1T standard is used, the path cost ranges from 1 to 200000000.
Step 5 Run commit
The configuration is committed.

----End

11.7.4 (Optional) Configuring Port Priorities

Context
In VBST spanning tree calculation, the port path cost, bridge ID of the sending
switch, and port priority determine whether the port can be selected as the
designated port. A smaller priority value indicates higher probability of becoming
the designated port, and a larger priority value indicates higher probability of
becoming the blocking port.

On a network running VBST, a port can play different roles in different
spanning trees so that traffic from different VLANs is forwarded through different
physical paths.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number

The view of the Ethernet interface that participates in spanning tree calculation is
displayed.

Step 3 Run stp vlan vlan-id [ to vlan-id ] [ vlan-id [ to vlan-id ] ] &<1-9> port priority
priority

The priority of the port in each VLAN is set.

By default, the priority of a switch port is 128.

Step 4 Run commit

The configuration is committed.

----End

11.7.5 (Optional) Manually Configuring the Mapping Between MSTIs and VLANs

Context
Based on the mappings between MSTIs and VLANs of MSTP, VBST maps each
MSTI to a VLAN to establish 1:1 mapping. The 1:1 mapping between MSTIs and
VLANs is used only by the switch to determine the VBST forwarding status. This
does not mean that VBST supports multi-instance.

The mapping between MSTIs and VLANs can be manually configured or
dynamically specified.
● You can manually configure the mapping between MSTIs and VLANs on the
switch. If a static mapping is also configured for a VLAN, the static mapping
takes effect.
● After VBST is enabled, the system dynamically allocates instance IDs to
existing or new VLANs in ascending order. The dynamically specified mapping
cannot be changed manually. After a VLAN is deleted or STP is disabled
globally, its mapping is automatically deleted.


NOTE

When the number of VBST instances exceeds the capability supported by the device,
the VBST function does not take effect in a new VLAN by default, and an alarm is
generated. To enable VBST for the VLAN, run the undo vlan command to release
resources used by other VLANs. When the number of VLANs that support VBST
decreases to less than 95% of the upper limit, the alarm is cleared and the system
automatically reallocates resources.
The number of VBST instances supported by a device is calculated according to the
following formula: Number of VBST instances supported by a device = Number of
static instances + Number of dynamic instances
● The CE6875EI, CE6870EI, CE6810EI, and CE5810EI support a maximum of 240 VBST
instances, among which a maximum of 63 static instances can be configured.
● Other models support a maximum of 500 VBST instances, among which a
maximum of 63 static instances can be configured.

The following steps are performed to manually configure the mapping between
MSTIs and VLANs.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp region-configuration
The MST region view is displayed.
Step 3 Run instance instance-id vlan vlan-id
1:1 mapping between MSTIs and VLANs is configured.
By default, all VLANs in an MST region are mapped to MSTI 0.


NOTE

● After this step is performed, the dynamic mapping between MSTIs and VLANs cannot be
canceled even if VLANs are deleted or STP is disabled globally.
● The 1:1 mapping between instances and VLANs is configured in the system. When the
mapping between multiple VLANs and static instances is configured at one time, the
system may display the message "Error: Can not map more than one VLAN to an
instance." This is because the mapping between multiple VLANs and instances is
submitted at one time. Actually, the mapping between multiple VLANs and instances
should be submitted one by one. In this case, resource allocation remains unchanged,
and multiple VLANs are mapped to one instance. You are advised to run the display stp
vlan instance command to check the mapping between VLANs and instances first.
● Instance 4094 is reserved in VBST mode to prevent temporary loops. You cannot use
the instance instance-id vlan vlan-id command to configure the mapping between
instance 4094 and a VLAN. Before switching to the VBST mode, delete the configuration of
instance 4094 or use an available instance to replace instance 4094.
● When excess VLANs are configured and static instances are deleted, the system may
automatically allocate resources. In this case, the VLANs to which dynamic instances are
not allocated preferentially occupy idle instances. If the rollback configuration { to
{ commit-id commit-id | label label | file file-name } | last number-of-commits }
command is executed to roll back the configuration and reallocate resources, the configuration
rollback may fail because resource allocation has been completed. Before configuration
rollback, run the display configuration commit changes command to check the
configuration change in the configuration rollback point to determine whether the
configuration can be rolled back to the expected historical state. If some configurations
fail to be rolled back, run the display configuration rollback result command to check
these configurations and the messages generated during configuration execution. Then
manually restore the configuration.

Step 4 Run commit


The configuration is committed.

----End

11.7.6 Enabling VBST

Context
The VBST configuration takes effect only when VBST is enabled.


NOTICE

When VBST is enabled on a ring network, VBST immediately starts spanning tree
calculation. Parameters such as the switch priority and port priority affect
spanning tree calculation, and change of these parameters may cause network
flapping. To ensure fast and stable spanning tree calculation, perform basic
configurations on the switch and ports before enabling VBST.
The PV quantity is the number of VBST-enabled interfaces multiplied by the
number of VLANs. If the PV quantity exceeds the specifications, the CPU usage
may exceed the threshold. As a result, the switch cannot process tasks in a timely
manner, protocol calculation is affected, and even the device cannot be managed
by the NMS. The PV quantity supported by the device is as follows:
● The CPU usage of VBST is in direct proportion to the PV quantity.
● The device supports a maximum of 16000 PV values. The CE5810EI and
CE5855EI support a maximum of 4000 PV values.
● The number of PV values on a switch is the sum of PV values of cards installed
on the switch.
● The number of PV values of a stack is the sum of PV values of member
switches.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run stp mode vbst

The working mode of the switch is set to VBST.

By default, the switch works in MSTP mode.

NOTE

● The VBST mode cannot be used with the STP/RSTP/MSTP mode.
● If 1:N (N>1) mapping between MSTIs and VLANs has been configured on the switch,
the mapping must be deleted before changing the STP working mode to VBST.

Step 3 Run stp enable

Global STP is enabled.

Step 4 Run undo stp vlan vlan-id [ to vlan-id ] [ vlan-id [ to vlan-id ] ] &<1-9> disable

VBST is enabled in each VLAN.

By default, VBST is enabled in a VLAN.

NOTE

VBST cannot be enabled in the control VLAN used by ERPS or Smart Link.
If VLAN mapping, MUX VLAN, or VLAN stacking is configured on an interface
corresponding to the VLAN, VBST negotiation for this VLAN will fail.

Step 5 Run interface interface-type interface-number

The interface view is displayed.

Step 6 Run stp enable

STP is enabled on the interface.

By default, STP is enabled on each switch interface.

Step 7 Run commit

The configuration is committed.

----End

11.7.7 Verifying the Configuration of Basic VBST Functions

Procedure
● Run the display stp vlan [ vlan-id ] information [ brief | global ] command
to check the status of, statistics on, and global brief information about the
spanning tree.
● Run the display stp vlan [ vlan-id ] bridge { root | local } command to check
the spanning tree status of the local bridge and root bridge.
● Run the display stp vlan instance command to check the mapping between
instances and VLANs.

----End

11.8 Setting VBST Parameters That Affect VBST Convergence

After basic VBST functions are configured, VBST implements fast convergence
using default parameters. To achieve better convergence, set parameters that
affect VBST convergence.

Background
All steps in this configuration task are optional. You can perform the steps as
needed.

Pre-configuration Tasks
Before configuring VBST parameters that affect VBST convergence, complete the
following task:
● Configuring Basic VBST Functions

11.8.1 Setting the Network Diameter

Context
Any two terminals on a switching network are connected through a specific path
along which multiple devices are located. The network diameter is the maximum
number of devices between any two terminals. A larger network diameter
indicates a larger network scale.
An improper network diameter may cause slow network convergence and affect
communication. Setting a proper network diameter according to the network scale
helps speed up network convergence.
The switch calculates the Forward Delay, Hello Time, and Max-Age based on the
configured network diameter. It is recommended that you set the network
diameter to configure timers.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp vlan vlan-id [ to vlan-id ] [ vlan-id [ to vlan-id ] ] &<1-9> bridge-diameter diameter
A network diameter is set.
By default, the network diameter is 7.
● Rapid Spanning Tree Protocol (RSTP) uses a single spanning tree instance on
the entire network. As a result, performance deteriorates when the network
scale grows. Therefore, the network diameter cannot be larger than 7.
● It is recommended that all devices on a ring network use the same network
diameter.
Step 3 Run commit
The configuration is committed.

----End

11.8.2 Setting Values of VBST Timers

Context
VBST uses the following parameters in spanning tree calculation:
● Forward Delay: determines the interval for port status transition. On a
network where a spanning tree algorithm is used, when the network topology
changes, new BPDUs are transmitted throughout the network after a given
period of time. During the period, the port that should enter the blocking
state may not be blocked and the originally blocked port may be unblocked,
causing temporary loops. To address this problem, set the Forward Delay
during which all ports are blocked temporarily.
● Hello Time: is the interval at which Hello packets are sent. The switch sends
BPDUs to neighboring devices at an interval of the Hello Time to check
whether links are faulty. If the switch does not receive any BPDU at an
interval of Hello Time, the switch recalculates the spanning tree due to BPDU
timeout.
● Max Age: determines whether BPDUs expire. The switch determines whether
the received BPDU expires based on this value. If the received BPDU expires,
the spanning tree needs to be recalculated.
Devices on a ring network must use the same values of Forward Delay, Hello
Time, and Max Age.
Generally, you are not advised to adjust values of the three parameters. This is
because the three parameters are relevant to the network scale. It is
recommended that the network diameter be adjusted so that the spanning tree
protocol automatically adjusts the three parameters. When the default network
diameter is used, the default values of the three parameters are used.

NOTICE

To prevent frequent network flapping, ensure that the values of Hello Time,
Forward Delay, and Max Age conform to the following formulas:
● 2 x (Forward Delay - 1.0 second) >= Max Age
● Max Age >= 2 x (Hello Time + 1.0 second)

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Set values of Hello Time, Forward Delay, and Max Age.
● Run stp vlan vlan-id [ to vlan-id ] [ vlan-id [ to vlan-id ] ] &<1-9> timer
forward-delay forward-delay
The value of Forward Delay is set.
By default, the value of Forward Delay is 1500 centiseconds.
● Run stp vlan vlan-id [ to vlan-id ] [ vlan-id [ to vlan-id ] ] &<1-9> timer
hello hello-time
The value of Hello Time is set.
By default, the value of Hello Time is 200 centiseconds.
● Run stp vlan vlan-id [ to vlan-id ] [ vlan-id [ to vlan-id ] ] &<1-9> timer
max-age max-age
The value of Max Age is set.
By default, the value of Max Age is 2000 centiseconds.
Step 3 Run commit
The configuration is committed.

----End
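
The two constraints in the NOTICE above can be checked per VLAN before a timer change is committed. The following Python sketch is an added example, not part of the Huawei guide; it assumes the timer commands appear in the configuration text exactly as entered in Step 2, and the sample lines are constructed.

```python
import re

# Defaults stated in this section, in centiseconds.
DEFAULTS = {"forward-delay": 1500, "hello": 200, "max-age": 2000}

# Assumed line shape: stp vlan <vlan-id [to vlan-id] ...> timer <name> <value>
TIMER_RE = re.compile(
    r"^stp vlan (?P<vlans>\d[\d to]*?) timer "
    r"(?P<name>forward-delay|hello|max-age) (?P<value>\d+)$"
)

# Constructed sample, not taken from a real device.
SAMPLE = """\
stp vlan 10 to 12 timer forward-delay 800
stp vlan 20 timer hello 1000
stp vlan 20 timer max-age 1500
stp vlan 30 timer max-age 2800
"""


def expand_vlans(spec):
    """Expand 'vlan-id [ to vlan-id ] ...' (for example '10 to 12 20') into a set."""
    tokens = spec.split()
    vlans, i = set(), 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(start, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(start)
            i += 1
    return vlans


def timers_per_vlan(config_lines):
    """Return {vlan: {timer: centiseconds}}; unset timers keep the defaults."""
    result = {}
    for line in config_lines:
        match = TIMER_RE.match(line.strip())
        if not match:
            continue
        for vlan in expand_vlans(match.group("vlans")):
            timers = result.setdefault(vlan, dict(DEFAULTS))
            timers[match.group("name")] = int(match.group("value"))
    return result


def check_timers(timers):
    """Return the constraints from the NOTICE that this timer set violates."""
    fd, hello, max_age = timers["forward-delay"], timers["hello"], timers["max-age"]
    problems = []
    if 2 * (fd - 100) < max_age:          # 1.0 second = 100 centiseconds
        problems.append("2 x (Forward Delay - 1.0 s) < Max Age")
    if max_age < 2 * (hello + 100):
        problems.append("Max Age < 2 x (Hello Time + 1.0 s)")
    return problems


def audit_timers(config_lines):
    """Return {vlan: [violations]} for VLANs whose timers break a constraint."""
    report = {}
    for vlan, timers in sorted(timers_per_vlan(config_lines).items()):
        problems = check_timers(timers)
        if problems:
            report[vlan] = problems
    return report


if __name__ == "__main__":
    for vlan, problems in audit_timers(SAMPLE.splitlines()).items():
        print(f"VLAN {vlan}: {'; '.join(problems)}")
```

VLAN 30 in the sample passes because a Max Age of 2800 centiseconds sits exactly on the first bound with the default Forward Delay.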

11.8.3 Setting the VBST Timeout Interval

Context
The timeout interval of the switch is calculated through the following formula:
● Timeout interval = Hello Time x 3 x Timer factor

On a network running VBST, when the network topology becomes stable, the non-
root-bridge switch forwards BPDUs sent by the root bridge to neighboring
switches at an interval of Hello Time to check whether links are faulty. If the
switch does not receive any BPDU from the upstream device within the timeout
interval, the switch considers that the upstream device fails and recalculates the
spanning tree.

Sometimes, the switch may not receive BPDUs in a long time from the upstream
device because the upstream device is very busy. In this case, the device should not
recalculate its spanning tree. Therefore, you can set a long timeout interval for the
device on a stable network to reduce waste of network resources.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run stp timer-factor factor

The timeout interval for the switch to wait for BPDUs from the upstream device is
set.

By default, the timeout interval is 9 times the value of Hello Time.

Step 3 Run commit

The configuration is committed.

----End

11.8.4 Setting the Link Type of a Port

Context
Implementing fast convergence on a P2P link is easy. If the two ports connected to
a P2P link are root or designated ports, the ports can transit to the forwarding
state quickly by sending Proposal and Agreement packets. This reduces the
forwarding delay.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number

The view of the interface that participates in spanning tree calculation is
displayed.

Step 3 Run stp point-to-point { auto | force-false | force-true }


The link type of the interface is set.
By default, the link type of a port is auto.
● If the Ethernet port works in full-duplex mode, the port is connected to a P2P
link. You can specify force-true to implement fast convergence.
● If the Ethernet port works in half-duplex mode, specify force-true to forcibly
set the link type to P2P to implement fast convergence.
● In other situations, specify auto so that the port identifies whether it is
connected to a P2P link.
Step 4 Run commit
The configuration is committed.

----End

11.8.5 Setting the Maximum Transmission Rate of a Port

Context
The maximum transmission rate of a port indicates the maximum number of
BPDUs sent per second. A larger value of the maximum transmission rate of a port
indicates more BPDUs sent at an interval of Hello Time and therefore more system
resources are occupied.
Setting the proper value of this parameter prevents excess bandwidth usage when
route flapping occurs. If network flapping occurs frequently, and the switch needs
to detect topology change in a timely manner and has sufficient bandwidth
resources, set a large value for this parameter.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The view of the interface that participates in spanning tree calculation is
displayed.
Step 3 Run stp transmit-limit packet-number
The maximum number of BPDUs that the port can send at an interval of Hello
Time is set.
By default, a port sends a maximum of 6 BPDUs per second.

NOTE

If the maximum number of BPDUs needs to be set on all ports of the switch, run the stp
transmit-limit (system view) command.

Step 4 Run commit

The configuration is committed.

----End

11.8.6 Configuring a Port as an Edge Port and BPDU Filter Port

Context
If a designated port is located at the edge of a network and is directly connected
to terminals, this port is called an edge port. The switch does not learn whether a
port is directly connected to terminals, so the port needs to be manually configured
as an edge port.
An edge port does not receive or process configuration BPDUs, or participate in
VBST calculation. It can transit from Disable to Forwarding without any delay to
implement fast convergence.
After a designated port is configured as an edge port, the port can still send
BPDUs. Then BPDUs are sent to other networks, causing flapping on other
networks. You can configure a port as an edge port and BPDU filter port so that
the port does not process or send BPDUs.

NOTICE

● After all ports are configured as edge ports and BPDU filter ports in the system
view, none of the ports on the switch send BPDUs or negotiate the VBST status
with directly connected ports on the peer device. All ports are in forwarding
state. This may cause loops on the network, leading to broadcast storms.
Exercise caution when you configure a port as an edge port and BPDU filter
port.
● After a port is configured as an edge port and BPDU filter port in the interface
view, the port does not process or send BPDUs. The port cannot negotiate the
VBST status with the directly connected port on the peer device. Exercise
caution when you configure a port as an edge port and BPDU filter port.

Procedure
● Configuring all ports as edge ports and BPDU filter ports in the system view
a. Run system-view
The system view is displayed.
b. Run stp edged-port default
All ports are configured as edge ports.
By default, a port is a non-edge port.
c. Run stp bpdu-filter default
All ports are configured as BPDU filter ports.
By default, a port is a non-BPDU-filter port.
d. Run commit
The configuration is committed.
● Configuring a port as an edge port and BPDU filter port in the interface view
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The view of the Ethernet interface that participates in spanning tree
calculation is displayed.
c. Run stp edged-port enable
The port is configured as an edge port.
By default, a port is a non-edge port.
d. Run stp bpdu-filter enable
The port is configured as a BPDU filter port.
By default, a port is a non-BPDU-filter port.
e. Run commit
The configuration is committed.
----End

11.8.7 Setting the Maximum Number of Hops of VBST


Context
On the Layer 2 network running VBST, switches send BPDUs to exchange
information. A BPDU contains a time to live (TTL) field that indicates the number
of remaining hops of the BPDU.
● The TTL of a BPDU sent by the root switch is the maximum number of hops
of VBST.
● The TTL of a BPDU sent by a non-root switch is calculated according to the
following formula: TTL = Maximum number of hops - Number of hops from
the root switch to the non-root switch
● If the TTL of the BPDU received by the switch is 0, the switch discards the
BPDU.
The maximum number of hops of a spanning tree determines the network scale of
the spanning tree. You can set the maximum number of hops to determine the
network scale of a spanning tree.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp max-hops hop
The maximum number of hops of VBST is set.
By default, the maximum number of hops of VBST is 20.


Step 3 Run commit
The configuration is committed.

----End

11.8.8 Verifying the Configuration of VBST Parameters That Affect VBST Convergence

Procedure
● Run the display stp vlan [ vlan-id ] information [ brief | global ] command
to check the status of, statistics on, and global brief information about the
spanning tree.
● Run the display stp vlan [ vlan-id ] bridge { root | local } command to check
the spanning tree status of the local bridge and root bridge.
● Run the display stp vlan instance command to check the mapping between
instances and VLANs.
----End

11.9 Configuring Protection Functions of VBST


VBST provides BPDU protection, TC protection, root protection, and loop
protection, and you can configure one or more protection functions as needed.

Pre-configuration Tasks
Before configuring protection functions of VBST, complete the following task:
● Configuring Basic VBST Functions
● (Optional) Perform the operation of Configuring an Edge Port before
configuring BPDU protection.

11.9.1 Configuring BPDU Protection on a Switching Device


Context
Edge ports are directly connected to user terminals and will not receive BPDUs in
normal cases. If an edge port receives pseudo BPDUs from a malicious attacker,
the switching device sets the edge port as a non-edge port and triggers spanning
tree recalculation, which results in network flapping. BPDU protection can be
configured to protect switching devices against such attacks.

NOTE

Perform the following procedure on all switching devices that have edge ports.
BPDU protection is only valid for the edge port manually configured by the stp edged-port
or stp edged-port default command, and is invalid for the edge port configured by the
automatic detection function.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp bpdu-protection
BPDU protection is enabled on the switching device.
By default, BPDU protection is disabled on a switching device.
Step 3 Run commit
The configuration is committed.

----End

Follow-up Procedure
After BPDU protection is configured, the edge port that receives BPDUs enters
the Error-Down state and keeps its attributes. The device records the status of an
interface as Error-Down when it detects that a fault occurs. The interface in Error-
Down state cannot receive or send packets and the interface indicator is off. You
can run the display error-down recovery command to check information about
all interfaces in Error-Down state on the device.
When the interface is in Error-Down state, check the cause. You can use the
following modes to restore the interface status:
● Manual (after the interface enters the Error-Down state)
When there are few interfaces in Error-Down state, you can run the
shutdown and undo shutdown commands in the interface view or run the
restart command to restore the interface.
● Auto (before the interface enters the Error-Down state)
If there are many interfaces in Error-Down state, the manual mode brings in
heavy workload and the configuration of some interfaces may be ignored. To
prevent this problem, run the error-down auto-recovery cause bpdu-
protection interval interval-value command in the system view to enable an
interface in error-down state to go Up and set a recovery delay. You can run
the display error-down recovery command to view automatic recovery
information about the interface.
NOTE

This mode is invalid for the interface that has entered the Error-Down state, and is only
valid for the interface that enters the Error-Down state after the error-down auto-
recovery cause bpdu-protection interval interval-value command is used.

11.9.2 Configuring TC Protection on a Switching Device


Context
If attackers send pseudo TC BPDUs to attack a switching device, the device
receives a large number of TC BPDUs within a short time and frequently deletes
MAC address entries and ARP entries. This wastes resources on the switching
device and threatens network stability.

To suppress TC BPDUs, enable TC protection on a switching device and set the
maximum number of TC BPDUs that the device can process within a given time
period. If the number of TC BPDUs that the switching device receives within a
given time period exceeds the specified threshold, the switching device processes
only the specified number of TC BPDUs. After the specified time period expires, the
switching device processes all the excess TC BPDUs together. This function prevents
the switching device from frequently deleting MAC entries and ARP entries,
protecting the switching device from being overburdened.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp tc-protection
TC protection is enabled for the switching device.
By default, TC protection is disabled on the switching device.
Step 3 Run either or both of the following commands to configure TC protection
parameters.
● To set the time period during which the device processes the maximum
number of TC BPDUs, run the stp tc-protection interval interval-value command.
By default, the time period is the Hello Time.
● To set the maximum number of TC BPDUs that the device processes within a
specified period, run the stp tc-protection threshold threshold command.
By default, a device processes one TC BPDU within a specified period.
NOTE

● There are two TC protection parameters: time period during which the device processes
the maximum number of TC BPDUs and the maximum number of TC BPDUs processed
within the time period. For example, if the time period is set to 10 seconds and the
maximum number of TC BPDUs is set to 5, the device processes only the first five TC
BPDUs within 10 seconds and processes the other TC BPDUs together 10 seconds later.
● The device processes only the maximum number of TC BPDUs configured by the stp tc-
protection threshold command within the time period configured by the stp tc-
protection interval command. Other packets are processed after a delay, so spanning
tree convergence speed may slow down.

Step 4 Run commit


The configuration is committed.

----End
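
The effect of the two TC protection parameters described in the NOTE above can be seen by replaying a burst of TC BPDUs through a small model. The following Python sketch is an added example, not Huawei code; it assumes fixed windows aligned at time 0 and one MAC/ARP table flush per processed TC BPDU or per deferred batch, and the burst is constructed.

```python
from collections import defaultdict

# Constructed input: 50 TC BPDUs per second for 30 seconds (times in ms).
BURST = [i * 20 for i in range(1500)]


def group_by_window(tc_arrivals_ms, interval_ms):
    """Group TC BPDU arrival times by the protection window they fall into."""
    windows = defaultdict(list)
    for t in sorted(tc_arrivals_ms):
        windows[t // interval_ms].append(t)
    return windows


def flush_times(tc_arrivals_ms, interval_ms, threshold):
    """Return the times at which the modelled switch flushes MAC/ARP entries.

    Within each window the first `threshold` TC BPDUs are processed on
    arrival; the excess is processed together when the window expires.
    """
    flushes = []
    windows = group_by_window(tc_arrivals_ms, interval_ms)
    for index in sorted(windows):
        arrivals = windows[index]
        flushes.extend(arrivals[:threshold])
        if len(arrivals) > threshold:
            flushes.append((index + 1) * interval_ms)
    return flushes


def worst_deferral_ms(tc_arrivals_ms, interval_ms, threshold):
    """Longest time any TC BPDU waits before being processed.

    This is the convergence cost the NOTE warns about: a genuine topology
    change that arrives after the threshold is reached is also deferred.
    """
    worst = 0
    for index, arrivals in group_by_window(tc_arrivals_ms, interval_ms).items():
        for t in arrivals[threshold:]:
            worst = max(worst, (index + 1) * interval_ms - t)
    return worst


if __name__ == "__main__":
    print("flushes without TC protection:", len(BURST))
    # The example from the NOTE: 10-second period, at most 5 TC BPDUs.
    print("interval 10 s, threshold 5:", len(flush_times(BURST, 10_000, 5)))
    # Defaults from this section: period = Hello Time (200 cs), threshold 1.
    print("interval 2 s, threshold 1:", len(flush_times(BURST, 2_000, 1)))
    print("worst deferral (ms):", worst_deferral_ms(BURST, 10_000, 5))
```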

11.9.3 Configuring Root Protection on a Port

Context
Due to incorrect configurations or malicious attacks on a network, a valid root
bridge may receive BPDUs with a higher priority. Consequently, the valid root
bridge is no longer able to serve as the root bridge and the network topology is
changed, triggering spanning tree recalculation. As a result, traffic may be
switched from high-speed links to low-speed links, causing network congestion. To
prevent network congestion, enable root protection on the switch to protect the
role of the root switch by retaining the role of the designated port.

NOTE

Root protection takes effect only on designated ports.


Perform the following operations on the root bridge.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The Ethernet interface view is displayed.
Step 3 Run stp root-protection
Root protection is enabled on the switch.
By default, root protection is disabled on a switch port.
Step 4 Run commit
The configuration is committed.

----End

11.9.4 Configuring Loop Protection on a Port

Context
On a network running VBST, the switch maintains the root port status and status
of blocked ports by receiving BPDUs from an upstream switch. If the switch cannot
receive any BPDU from the upstream switch because of link congestion or
unidirectional link failures, the switch selects a new root port. The original root
port becomes a designated port and the original blocked ports change to the
Forwarding state. This switching may cause network loops, which can be
mitigated by configuring loop protection.
If the root port or alternate port does not receive BPDUs from the upstream device
for a long time, the switch enabled with loop protection sends a notification. If the
root port is used, the root port enters the Discarding state and becomes the
designated port. If the alternate port is used, the alternate port remains blocked and
becomes the designated port. In this case, loops will not occur. After the link is no
longer congested or unidirectional link failures are rectified, the port receives BPDUs
for negotiation and restores its original role and status.

NOTE

An alternate port is the backup of the root port. If a switch has an alternate port, you need
to configure loop protection on both the root port and alternate port.
Perform the following operations on the root port and alternate port of the switch.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The view of the root port or alternate port is displayed.
Step 3 Run stp loop-protection
Loop protection is enabled.
By default, loop protection is disabled on a switch port.
Step 4 Run commit
The configuration is committed.

----End

11.9.5 Verifying the Configuration of VBST Protection Functions

Procedure
● Run the display stp vlan [ vlan-id ] information [ brief | global ] command
to check the status of, statistics on, and global brief information about the
spanning tree.
● Run the display stp vlan [ vlan-id ] bridge { root | local } command to check
the spanning tree status of the local bridge and root bridge.
● Run the display stp vlan instance command to check the mapping between
instances and VLANs.
----End
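
The display commands above show running state; the protection settings themselves can also be reviewed offline from a saved configuration. The following Python sketch is an added example, not a Huawei tool; it assumes the configuration file lists the stp commands from sections 11.8.6, 11.9.1, and 11.9.2 as they are entered, with interface commands indented under an interface line, and both sample configurations are constructed.

```python
# Constructed sample: edge ports without BPDU protection, one BPDU filter port.
WEAK = """\
#
stp mode vbst
stp enable
#
interface 10GE1/0/4
 port default vlan 10
 stp edged-port enable
#
interface 10GE1/0/5
 port default vlan 20
 stp edged-port enable
 stp bpdu-filter enable
#
"""

# Constructed sample: the same switch with the protection functions enabled.
HARDENED = """\
#
stp mode vbst
stp bpdu-protection
stp tc-protection
stp enable
#
interface 10GE1/0/4
 port default vlan 10
 stp edged-port enable
#
interface 10GE1/0/5
 port default vlan 20
 stp edged-port enable
#
"""

MESSAGES = {
    "bpdu-protection-missing": "edge ports are configured but stp bpdu-protection "
    "is not; a BPDU received on an edge port triggers recalculation",
    "bpdu-filter-all-ports": "stp bpdu-filter default: no port sends or "
    "processes BPDUs, so loops are not detected",
    "bpdu-filter-port": "stp bpdu-filter enable: the port cannot negotiate "
    "VBST status with its peer",
    "tc-protection-missing": "stp tc-protection is not configured; "
    "TC BPDU processing is not rate limited",
}


def parse_config(text):
    """Split a configuration into global lines and per-interface lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(line)
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Return a list of (finding, location) pairs for the given configuration."""
    glob, interfaces = parse_config(text)
    findings = []
    has_edge = "stp edged-port default" in glob or any(
        "stp edged-port enable" in lines for lines in interfaces.values()
    )
    if has_edge and "stp bpdu-protection" not in glob:
        findings.append(("bpdu-protection-missing", "global"))
    if "stp bpdu-filter default" in glob:
        findings.append(("bpdu-filter-all-ports", "global"))
    for name, lines in interfaces.items():
        if "stp bpdu-filter enable" in lines:
            findings.append(("bpdu-filter-port", name))
    if "stp tc-protection" not in glob:
        findings.append(("tc-protection-missing", "global"))
    return findings


if __name__ == "__main__":
    for code, where in audit(WEAK):
        print(f"[{where}] {MESSAGES[code]}")
```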

11.10 Setting Parameters for Interworking Between a Huawei Datacom Device and a Non-Huawei Device

Context
To implement interworking between a Huawei datacom device and a non-Huawei
device, configure the fast transition mode according to the Proposal/Agreement
mechanism of the non-Huawei device. The switch supports the following modes
on the Proposal/Agreement mechanism:
● Enhanced mode: The port participates in calculation of the root port when
calculating the synchronization flag bit.
a. An upstream device sends a Proposal message to a downstream device,
requesting fast transition. After receiving the message, the downstream
device sets the port connected to the upstream device as a root port and
blocks all non-edge ports.
b. The upstream device then sends an Agreement message to the
downstream device. After the downstream device receives the message,
the root port transitions to the Forwarding state.
c. The downstream device sends an Agreement message to the upstream
device. After receiving the Agreement message, the upstream device sets
the port connected to the downstream device as a designated port, and
the designated port transitions to the Forwarding state.
● Common mode: The port ignores the root port when calculating the
synchronization flag bit.
a. An upstream device sends a Proposal message to a downstream device,
requesting fast transition. After receiving the Proposal message, the
downstream device sets the port connected to the upstream device as a
root port and blocks all non-edge ports. The root port then transitions to
the Forwarding state.
b. The downstream device sends an Agreement message to the upstream
device. After receiving the Agreement message, the upstream device sets
the port connected to the downstream device as a designated port, and
the designated port transitions to the Forwarding state.

On a network running the VBST protocol, a Huawei datacom device and the
connected non-Huawei device may fail to communicate if they use different
Proposal/Agreement modes. The Huawei datacom device can select the same
mode as that on the non-Huawei device to implement interworking.

Pre-configuration Tasks
Before setting parameters for interworking between a Huawei datacom device and
a non-Huawei device, complete the following task:

● Configuring Basic VBST Functions

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number

The view of the interface that participates in spanning tree calculation is
displayed.

Step 3 Run stp no-agreement-check

The common mode is configured.

By default, the enhanced mode is used on a port.

Step 4 Run commit

The configuration is committed.

----End

11.11 Maintaining VBST

11.11.1 Displaying VBST Running Information and Statistics

Context
You can view the VBST running information and statistics on VBST BPDUs. If the
number of topology change times increases, network flapping occurs.

Procedure
● Run the display stp vlan [ vlan-id ] information [ brief | global ] command
to check the status of, statistics on, and global brief information about the
spanning tree.
● Run the display stp vlan [ vlan-id ] bridge { root | local } command to check
the spanning tree status of the local bridge and root bridge.
● Run the display stp vlan instance command to check the mapping between
instances and VLANs.
● Run the display stp vlan [ vlan-id ] bpdu statistics command to check
statistics on BPDUs on the VBST-enabled port.
● Run the display stp vlan [ vlan-id ] tc-bpdu statistics command to check
statistics on TC or TCN BPDUs on the VBST-enabled port.
● Run the display stp vlan [ vlan-id ] topology-change command to check
VBST topology change statistics.

----End

11.11.2 Clearing VBST Statistics

Context
Before recollecting statistics on VBST BPDUs in a certain period, clear existing
statistics on VBST BPDUs.

NOTICE

Cleared statistics on VBST BPDUs cannot be restored. Exercise caution when you
run the commands.

Procedure
● Run the reset stp vlan [ vlan-id | all ] tc-bpdu statistics command in the
user view to clear statistics on VBST TC BPDUs.
● Run the reset stp vlan [ vlan-id | all ] bpdu statistics command in the user
view to clear statistics on VBST BPDUs.
----End

11.12 Configuration Examples for VBST


This section only provides configuration examples for individual features. For
details about multi-feature configuration examples, feature-specific configuration
examples, interoperation examples, protocol or hardware replacement examples,
and industry application examples, see the Typical Configuration Examples.

11.12.1 Example for Configuring VBST

Networking Requirements
As shown in Figure 11-5, SwitchC and SwitchD (access switches) are dual-homed
to SwitchA and SwitchB (aggregation switches) respectively. SwitchC transmits
traffic from VLAN 10 and VLAN 20, and SwitchD transmits traffic from VLAN 20
and VLAN 30. A ring network is formed between the access layer and aggregation
layer. The enterprise requires that service traffic in each VLAN be correctly
forwarded and service traffic from different VLANs be load balanced to improve
link use efficiency.

Figure 11-5 VBST networking

[Figure: ring network in which SwitchA and SwitchB (aggregation switches,
connected to the core network) and SwitchC and SwitchD (access switches) are
interconnected, with the VLANs carried on each link and the spanning trees for
VLAN 10, VLAN 20, and VLAN 30. Legend: root bridge, unblocked link, blocked
link, blocked port.]

Configuration Roadmap
VBST can be used to eliminate loops between the access layer and aggregation
layer and ensure that service traffic in each VLAN is correctly forwarded. In
addition, traffic from different VLANs can be load balanced. The configuration
roadmap is as follows:
1. Configure Layer 2 forwarding on access and aggregation switches.
2. Configure basic VBST functions on SwitchA, SwitchB, SwitchC, and SwitchD.
Perform the following operations so that a spanning tree shown in Figure
11-5 is formed through calculation:
– Configure SwitchA and SwitchB as the root bridge and secondary root
bridge of VLAN 10 respectively, SwitchA and SwitchB as the root bridge
and secondary root bridge of VLAN 20 respectively, and configure
SwitchB and SwitchA as the root bridge and secondary root bridge of
VLAN 30 respectively, to ensure root bridge reliability.
– Set a larger path cost for 10GE1/0/2 on SwitchC in VLAN 10 and VLAN 20
so that 10GE1/0/2 is blocked in spanning trees of VLAN 10 and VLAN 20,
and set a larger path cost for 10GE1/0/2 on SwitchD in VLAN 20 and
VLAN 30 so that 10GE1/0/2 is blocked in the spanning tree of VLAN 20
and VLAN 30.

Procedure
Step 1 Configure Layer 2 forwarding on switches of the ring network.
● Create VLAN 10, VLAN 20, and VLAN 30 on SwitchA, SwitchB, SwitchC, and
SwitchD.
# Create VLAN 10, VLAN 20, and VLAN 30 on SwitchA.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[*HUAWEI] commit
[~SwitchA] vlan batch 10 20 30
[*SwitchA] commit
# Create VLAN 10, VLAN 20, and VLAN 30 on SwitchB.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchB
[*HUAWEI] commit
[~SwitchB] vlan batch 10 20 30
[*SwitchB] commit
# Create VLAN 10 and VLAN 20 on SwitchC.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchC
[*HUAWEI] commit
[~SwitchC] vlan batch 10 20
[*SwitchC] commit
# Create VLAN 20 and VLAN 30 on SwitchD.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchD
[*HUAWEI] commit
[~SwitchD] vlan batch 20 30
[*SwitchD] commit
● Add ports connected to the ring to VLANs.
# Add 10GE1/0/1 on SwitchA to VLAN 10, VLAN 20, and VLAN 30.
[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] port link-type trunk
[*SwitchA-10GE1/0/1] port trunk allow-pass vlan 10 20 30
[*SwitchA-10GE1/0/1] undo port trunk allow-pass vlan 1
[*SwitchA-10GE1/0/1] quit
[*SwitchA] commit
# Add 10GE1/0/2 on SwitchA to VLAN 20 and VLAN 30.
[~SwitchA] interface 10ge 1/0/2
[~SwitchA-10GE1/0/2] port link-type trunk
[*SwitchA-10GE1/0/2] port trunk allow-pass vlan 20 30
[*SwitchA-10GE1/0/2] undo port trunk allow-pass vlan 1
[*SwitchA-10GE1/0/2] quit
[*SwitchA] commit
# Add 10GE1/0/3 on SwitchA to VLAN 10 and VLAN 20.
[~SwitchA] interface 10ge 1/0/3
[~SwitchA-10GE1/0/3] port link-type trunk
[*SwitchA-10GE1/0/3] port trunk allow-pass vlan 10 20
[*SwitchA-10GE1/0/3] undo port trunk allow-pass vlan 1
[*SwitchA-10GE1/0/3] quit
[*SwitchA] commit
# Add 10GE1/0/1 on SwitchB to VLAN 10, VLAN 20, and VLAN 30.
[~SwitchB] interface 10ge 1/0/1
[~SwitchB-10GE1/0/1] port link-type trunk
[*SwitchB-10GE1/0/1] port trunk allow-pass vlan 10 20 30
[*SwitchB-10GE1/0/1] undo port trunk allow-pass vlan 1
[*SwitchB-10GE1/0/1] quit
[*SwitchB] commit
# Add 10GE1/0/2 on SwitchB to VLAN 10 and VLAN 20.
[~SwitchB] interface 10ge 1/0/2
[~SwitchB-10GE1/0/2] port link-type trunk
[*SwitchB-10GE1/0/2] port trunk allow-pass vlan 10 20
[*SwitchB-10GE1/0/2] undo port trunk allow-pass vlan 1
[*SwitchB-10GE1/0/2] quit
[*SwitchB] commit
# Add 10GE1/0/3 on SwitchB to VLAN 20 and VLAN 30.
[~SwitchB] interface 10ge 1/0/3
[~SwitchB-10GE1/0/3] port link-type trunk
[*SwitchB-10GE1/0/3] port trunk allow-pass vlan 20 30
[*SwitchB-10GE1/0/3] undo port trunk allow-pass vlan 1
[*SwitchB-10GE1/0/3] quit
[*SwitchB] commit
# Add 10GE1/0/2 on SwitchC to VLAN 10 and VLAN 20.
[~SwitchC] interface 10ge 1/0/2
[~SwitchC-10GE1/0/2] port link-type trunk
[*SwitchC-10GE1/0/2] port trunk allow-pass vlan 10 20
[*SwitchC-10GE1/0/2] undo port trunk allow-pass vlan 1
[*SwitchC-10GE1/0/2] quit
[*SwitchC] commit
# Add 10GE1/0/3 on SwitchC to VLAN 10 and VLAN 20.
[~SwitchC] interface 10ge 1/0/3
[~SwitchC-10GE1/0/3] port link-type trunk
[*SwitchC-10GE1/0/3] port trunk allow-pass vlan 10 20
[*SwitchC-10GE1/0/3] undo port trunk allow-pass vlan 1
[*SwitchC-10GE1/0/3] quit
[*SwitchC] commit
# Add 10GE1/0/4 on SwitchC to VLAN 10 and 10GE1/0/5 to VLAN 20.
[~SwitchC] interface 10ge 1/0/4
[~SwitchC-10GE1/0/4] port link-type access
[*SwitchC-10GE1/0/4] port default vlan 10
[*SwitchC-10GE1/0/4] quit
[*SwitchC] interface 10ge 1/0/5
[*SwitchC-10GE1/0/5] port link-type access
[*SwitchC-10GE1/0/5] port default vlan 20
[*SwitchC-10GE1/0/5] quit
[*SwitchC] commit
# Add 10GE1/0/2 on SwitchD to VLAN 20 and VLAN 30.
[~SwitchD] interface 10ge 1/0/2
[~SwitchD-10GE1/0/2] port link-type trunk
[*SwitchD-10GE1/0/2] port trunk allow-pass vlan 20 30
[*SwitchD-10GE1/0/2] undo port trunk allow-pass vlan 1
[*SwitchD-10GE1/0/2] quit
[*SwitchD] commit
# Add 10GE1/0/3 on SwitchD to VLAN 20 and VLAN 30.
[~SwitchD] interface 10ge 1/0/3
[~SwitchD-10GE1/0/3] port link-type trunk
[*SwitchD-10GE1/0/3] port trunk allow-pass vlan 20 30
[*SwitchD-10GE1/0/3] undo port trunk allow-pass vlan 1
[*SwitchD-10GE1/0/3] quit
[*SwitchD] commit
# Add 10GE1/0/4 on SwitchD to VLAN 20 and 10GE1/0/5 to VLAN 30.
[~SwitchD] interface 10ge 1/0/4
[~SwitchD-10GE1/0/4] port link-type access
[*SwitchD-10GE1/0/4] port default vlan 20
[*SwitchD-10GE1/0/4] quit
[*SwitchD] interface 10ge 1/0/5
[*SwitchD-10GE1/0/5] port link-type access
[*SwitchD-10GE1/0/5] port default vlan 30
[*SwitchD-10GE1/0/5] quit
[*SwitchD] commit

Step 2 Configure basic VBST functions.
1. Configure switches on the ring network to work in VBST mode.
# Configure SwitchA to work in VBST mode.
[~SwitchA] stp mode vbst
[*SwitchA] commit
# Configure SwitchB to work in VBST mode.
[~SwitchB] stp mode vbst
[*SwitchB] commit
# Configure SwitchC to work in VBST mode.
[~SwitchC] stp mode vbst
[*SwitchC] commit
# Configure SwitchD to work in VBST mode.
[~SwitchD] stp mode vbst
[*SwitchD] commit
2. Configure the root bridge and secondary root bridge.
– Configure the root bridge and secondary root bridge in VLAN 10.
# Configure SwitchA as the root bridge in VLAN 10.
[~SwitchA] stp vlan 10 root primary
[*SwitchA] commit
# Configure SwitchB as the secondary root bridge in VLAN 10.
[~SwitchB] stp vlan 10 root secondary
[*SwitchB] commit
– Configure the root bridge and secondary root bridge in VLAN 20.
# Configure SwitchA as the root bridge in VLAN 20.
[~SwitchA] stp vlan 20 root primary
[*SwitchA] commit
# Configure SwitchB as the secondary root bridge in VLAN 20.
[~SwitchB] stp vlan 20 root secondary
[*SwitchB] commit
– Configure the root bridge and secondary root bridge in VLAN 30.
# Configure SwitchB as the root bridge in VLAN 30.
[~SwitchB] stp vlan 30 root primary
[*SwitchB] commit
# Configure SwitchA as the secondary root bridge in VLAN 30.
[~SwitchA] stp vlan 30 root secondary
[*SwitchA] commit
3. Configure the path cost for a port in each VLAN so that the port can be
blocked.


NOTE

– The path cost range depends on the algorithm. The IEEE 802.1t standard is used
as an example. Set the path costs of the ports to be blocked to 2000000.
– All switches on the same network must use the same path cost calculation
method.
# Set the path cost of 10GE1/0/2 on SwitchC to 2000000 in VLAN 10 and VLAN
20.
[~SwitchC] interface 10ge 1/0/2
[~SwitchC-10GE1/0/2] stp vlan 10 cost 2000000
[*SwitchC-10GE1/0/2] stp vlan 20 cost 2000000
[*SwitchC-10GE1/0/2] quit
[*SwitchC] commit
# Set the path cost of 10GE1/0/2 on SwitchD to 2000000 in VLAN 20 and VLAN
30.
[~SwitchD] interface 10ge 1/0/2
[~SwitchD-10GE1/0/2] stp vlan 20 cost 2000000
[*SwitchD-10GE1/0/2] stp vlan 30 cost 2000000
[*SwitchD-10GE1/0/2] quit
[*SwitchD] commit
4. Enable VBST to eliminate loops.
– Enable VBST globally.
By default, VBST is enabled globally.
Run the display stp vlan vlan-id information command to check the
VBST status. If VBST is disabled, run the undo stp vlan vlan-id disable
command in the system view to enable VBST globally.
– Enable VBST in a VLAN.
By default, VBST is enabled in a VLAN.
Run the display stp vlan vlan-id information command to check the
VBST status. If the message "The protocol is disabled" is displayed, VBST
is disabled in the VLAN. Run the undo stp vlan vlan-id disable command
in the system view to enable VBST in the VLAN.
– Enable VBST on a port.
By default, VBST is enabled on a Layer 2 Ethernet port.
Run the display stp interface interface-type interface-number command
to check the VBST status on a port. If the message "The protocol is
disabled" is displayed, VBST is disabled on the port. Run the undo stp
vlan disable command in the interface view to enable VBST on the port.
Step 3 Verify the configuration.
After the configuration is complete and the network topology becomes stable,
perform the following operations to verify the configuration.
# Run the display stp vlan bridge local command on SwitchA to check the STP
working mode.
[~SwitchA] display stp vlan bridge local
------------------------------------------------------------------
VLANID BridgeID HelloTime MaxAge ForwardDelay Protocol
------------------------------------------------------------------
10 32869.ac94-8400-df01 2 20 15 VBST
20 32970.ac94-8400-df01 2 20 15 VBST
30 33071.ac94-8400-df01 2 20 15 VBST
------------------------------------------------------------------


The preceding information shows that the VBST mode is used.


# Run the display stp vlan information brief command on SwitchA to check the
port status.
[~SwitchA] display stp vlan information brief
--------------------------------------------------------------------------------
VLANID  Interface   Role  STPState    Protection  Cost     Edged
--------------------------------------------------------------------------------
10      10GE1/0/1   DESI  forwarding  none        20000    disable
10      10GE1/0/3   DESI  forwarding  none        2000     disable
20      10GE1/0/1   DESI  forwarding  none        20000    disable
20      10GE1/0/2   DESI  forwarding  none        2000     disable
20      10GE1/0/3   DESI  forwarding  none        2000     disable
30      10GE1/0/1   ALTE  discarding  none        20000    disable
30      10GE1/0/2   ROOT  forwarding  none        2000     disable
--------------------------------------------------------------------------------

The preceding information shows that SwitchA participates in spanning tree
calculation in VLAN 10, VLAN 20, and VLAN 30. For example, SwitchA is the root
bridge in VLAN 10 and VLAN 20, so 10GE1/0/1 and 10GE1/0/3 in VLAN 10 are
selected as designated ports. 10GE1/0/1, 10GE1/0/2, and 10GE1/0/3 in VLAN 20
are selected as designated ports. SwitchA is the secondary root bridge in VLAN 30,
so 10GE1/0/2 is selected as the root port and 10GE1/0/1 is selected as the
designated port in VLAN 30.
# Run the display stp vlan 10 information command on SwitchA to check
detailed information about VLAN 10.
[~SwitchA] display stp vlan 10 information
VLAN 10 information:
--------------------------------------------------------------------------------
Global information:
Protocol Status : Enabled
Bpdu-filter Default : Disabled
Bpdu-protection : Disabled
Tc-protection : Disabled
Tc-protection Threshold : 1
Tc-protection Interval(s) : 10
Edged Port Default : Disabled
Path Cost Standard : Dot1T
Timer Factor : 3
Transit Limit : 6

Bridge ID : 10.ac94-8400-df01
Config Times : Hello 2s MaxAge 20s FwDly 15s MaxHop 20
Active Times : Hello 2s MaxAge 20s FwDly 15s MaxHop 20
Root ID/RPC : 10.ac94-8400-df01 / 0
RootPortId(InterfaceName) : 0.0 (This bridge is the root)
Root Type : Primary
Port information:
Port ID : 5
Interface : 10GE1/0/1
STP State : Forwarding
Port Role : Designated Port
Port Priority : 128
Path Cost Standard : Dot1T
Port Cost(Config/Active) : 0 / 20000
Desg. Bridge/Port : 10.ac94-8400-df01 / 128.5
Port Edged(Config/Active) : Default / Disabled
Point-to-point(Config/Active) : Auto / True
Transit Limit : 6 packets/hello
Protection Type : None
Port ID : 8
Interface : 10GE1/0/3
STP State : Forwarding
Port Role : Designated Port
Port Priority : 128
Path Cost Standard : Dot1T
Port Cost(Config/Active) : 0 / 2000
Desg. Bridge/Port : 10.ac94-8400-df01 / 128.8
Port Edged(Config/Active) : Default / Disabled
Point-to-point(Config/Active) : Auto / True
Transit Limit : 6 packets/hello
Protection Type : None
--------------------------------------------------------------------------------

The preceding information shows that SwitchA is selected as the root bridge in
VLAN 10 and 10GE1/0/1 and 10GE1/0/3 are selected as designated ports in
Forwarding state.

# Run the display stp vlan information brief command on SwitchB, SwitchC, and
SwitchD to check the port status.
[~SwitchB] display stp vlan information brief
------------------------------------------------------------------------------
VLANID  Interface   Role  STPState    Protection  Cost     Edged
------------------------------------------------------------------------------
10      10GE1/0/1   ALTE  discarding  none        20000    disable
10      10GE1/0/2   ROOT  forwarding  none        2000     disable
20      10GE1/0/1   ALTE  discarding  none        20000    disable
20      10GE1/0/2   ROOT  forwarding  none        2000     disable
20      10GE1/0/3   DESI  forwarding  none        2000     disable
30      10GE1/0/1   DESI  forwarding  none        20000    disable
30      10GE1/0/3   DESI  forwarding  none        2000     disable
------------------------------------------------------------------------------
[~SwitchC] display stp vlan information brief
------------------------------------------------------------------------------
VLANID  Interface   Role  STPState    Protection  Cost     Edged
------------------------------------------------------------------------------
10      10GE1/0/2   ROOT  forwarding  none        2000     disable
10      10GE1/0/3   DESI  forwarding  none        2000000  disable
10      10GE1/0/4   DESI  forwarding  none        2000     disable
20      10GE1/0/2   ROOT  forwarding  none        2000     disable
20      10GE1/0/3   DESI  forwarding  none        2000000  disable
20      10GE1/0/5   DESI  forwarding  none        2000     disable
------------------------------------------------------------------------------
[~SwitchD] display stp vlan information brief
------------------------------------------------------------------------------
VLANID  Interface   Role  STPState    Protection  Cost     Edged
------------------------------------------------------------------------------
20      10GE1/0/2   ALTE  discarding  none        2000000  disable
20      10GE1/0/3   ROOT  forwarding  none        2000     disable
20      10GE1/0/4   DESI  forwarding  none        2000     disable
30      10GE1/0/2   DESI  forwarding  none        2000000  disable
30      10GE1/0/3   ROOT  forwarding  none        2000     disable
30      10GE1/0/5   DESI  forwarding  none        2000     disable
------------------------------------------------------------------------------

The preceding information shows that SwitchB participates in spanning tree
calculation in VLAN 10, VLAN 20, and VLAN 30, SwitchC participates in spanning
tree calculation in VLAN 10 and VLAN 20, and SwitchD participates in spanning
tree calculation in VLAN 20 and VLAN 30. After the calculation is complete, ports
are selected as different roles to eliminate loops.
Different spanning trees are formed in VLAN 10, VLAN 20, and VLAN 30, and
traffic in VLAN 10, VLAN 20, and VLAN 30 is forwarded along different spanning
trees to implement load balancing.

----End

Configuration Files
● Configuration file of SwitchA
#
sysname SwitchA
#
stp vlan 30 root secondary
stp vlan 10 20 root primary
#
vlan batch 10 20 30
#
stp mode vbst
#
interface 10GE1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20 30
#
interface 10GE1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30
#
interface 10GE1/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
#
return
● Configuration file of SwitchB
#
sysname SwitchB
#
stp vlan 10 20 root secondary
stp vlan 30 root primary
#
vlan batch 10 20 30
#
stp mode vbst
#
interface 10GE1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20 30
#
interface 10GE1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
#
interface 10GE1/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30
#
return

● Configuration file of SwitchC


#
sysname SwitchC
#
vlan batch 10 20
#
stp mode vbst
#
interface 10GE1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
stp vlan 10 20 cost 2000000
#
interface 10GE1/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
#
interface 10GE1/0/4
port link-type access
port default vlan 10
stp edged-port enable
#
interface 10GE1/0/5
port link-type access
port default vlan 20
stp edged-port enable
#
return

● Configuration file of SwitchD


#
sysname SwitchD
#
vlan batch 20 30
#
stp mode vbst
#
interface 10GE1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30
stp vlan 20 30 cost 2000000
#
interface 10GE1/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30
#
interface 10GE1/0/4
port link-type access
port default vlan 20
stp edged-port enable
#
interface 10GE1/0/5
port link-type access
port default vlan 30
stp edged-port enable
#
return
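
One way to check the root-bridge plan and trunk pruning across the configuration files above, as an added example that is not part of the Huawei guide. The helper names `expand_vlans`, `parse_config`, and `audit` are hypothetical, the sample input is an abbreviated, constructed copy of the SwitchA and SwitchB files, and VLAN lists are assumed to use explicit IDs or `to` ranges.

```python
import re
from collections import defaultdict

# Constructed input: the STP lines and one trunk from the SwitchA and SwitchB files.
CONFIGS = {
    "SwitchA": """
stp vlan 30 root secondary
stp vlan 10 20 root primary
vlan batch 10 20 30
stp mode vbst
interface 10GE1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20 30
#
""",
    "SwitchB": """
stp vlan 10 20 root secondary
stp vlan 30 root primary
vlan batch 10 20 30
stp mode vbst
interface 10GE1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20 30
#
""",
}


def expand_vlans(tokens):
    """Expand a VLAN list such as ['10', 'to', '12', '20'] into a set of ints."""
    vlans, i = set(), 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(start, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(start)
            i += 1
    return vlans


def parse_config(text):
    """Pull the VBST-relevant settings out of one configuration file."""
    cfg = {"vbst": False, "vlans": set(), "roots": {}, "ports": {}}
    port = None
    for line in (raw.strip() for raw in text.splitlines()):
        root = re.fullmatch(r"stp vlan ([\d to]+) root (primary|secondary)", line)
        if line == "#":
            port = None                       # '#' closes an interface section
        elif line == "stp mode vbst":
            cfg["vbst"] = True
        elif root:
            for vlan in expand_vlans(root.group(1).split()):
                cfg["roots"][vlan] = root.group(2)
        elif line.startswith("vlan batch "):
            cfg["vlans"] |= expand_vlans(line.split()[2:])
        elif line.startswith("interface "):
            port = cfg["ports"].setdefault(
                line.split()[1], {"type": None, "allow": set(), "vlan1_removed": False})
        elif port is not None and line.startswith("port link-type "):
            port["type"] = line.split()[2]
        elif port is not None and line.startswith("port trunk allow-pass vlan "):
            port["allow"] |= expand_vlans(line.split()[4:])
        elif port is not None and line == "undo port trunk allow-pass vlan 1":
            port["vlan1_removed"] = True
    return cfg


def audit(configs):
    """Return findings for root-role conflicts and unpruned trunks; [] means clean."""
    findings = []
    claims = defaultdict(lambda: defaultdict(list))    # vlan -> role -> [switch]
    for name in sorted(configs):
        cfg = parse_config(configs[name])
        if not cfg["vbst"]:
            findings.append(f"{name}: 'stp mode vbst' missing")
        for vlan, role in cfg["roots"].items():
            claims[vlan][role].append(name)
        for port, p in sorted(cfg["ports"].items()):
            if p["type"] != "trunk":
                continue
            if not p["vlan1_removed"]:
                findings.append(f"{name} {port}: trunk still allows VLAN 1")
            extra = p["allow"] - cfg["vlans"]
            if extra:
                findings.append(f"{name} {port}: trunk allows uncreated VLAN(s) {sorted(extra)}")
    for vlan in sorted(claims):
        for role in ("primary", "secondary"):
            owners = claims[vlan][role]
            if len(owners) != 1:
                findings.append(f"VLAN {vlan}: expected one root {role}, found {owners or 'none'}")
    return findings
```

Running `audit` over saved configuration files after each change catches a second switch claiming `root primary` for a VLAN before it shifts that VLAN's spanning tree.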


12 ERPS (G.8032) Configuration

This chapter describes how to configure Ethernet Ring Protection Switching
(ERPS). ERPS is a protocol defined by the International Telecommunication Union
- Telecommunication Standardization Sector (ITU-T) to eliminate loops at Layer 2.
It implements convergence of carrier-class reliability standards, and allows all
ERPS-capable devices on a ring network to communicate.

12.1 Overview of ERPS


12.2 Understanding ERPS
12.3 Application Scenarios for ERPS
12.4 Summary of ERPS Configuration Tasks
12.5 Licensing Requirements and Limitations for ERPS
12.6 Default Settings for ERPS
12.7 Configuring ERPS
12.8 Maintaining ERPS
12.9 Configuration Examples for ERPS
12.10 Troubleshooting ERPS

12.1 Overview of ERPS

Definition
ERPS is a protocol defined by the International Telecommunication Union -
Telecommunication Standardization Sector (ITU-T) to eliminate loops at Layer 2.
Because the standard number is ITU-T G.8032/Y.1344, ERPS is also called G.8032.
ERPS defines Ring Auto Protection Switching (RAPS) Protocol Data Units (PDUs)
and protection switching mechanisms.
ERPS has two versions: ERPSv1 released by ITU-T in June 2008 and ERPSv2
released in August 2010. ERPSv2, fully compatible with ERPSv1, provides the
following enhanced functions:
● Multi-ring topologies, such as intersecting rings
● RAPS PDU transmission on non-virtual-channels (NVCs) in sub-rings
● Forced Switch (FS) and Manual Switch (MS)
● Revertive and non-revertive switching

Purpose
Generally, redundant links are used on an Ethernet switching network such as a
ring network to provide link backup and enhance network reliability. The use of
redundant links, however, may produce loops, causing broadcast storms and
rendering the MAC address table unstable. As a result, communication quality
deteriorates, and communication services may even be interrupted. Table 12-1
describes ring network protocols supported by devices.

Table 12-1 Ring network protocols supported by devices

Ring Network Protocol  Advantage                                 Disadvantage
STP/RSTP/MSTP          ● Applies to all Layer 2 networks.        Provides slow convergence on a large
                       ● Is a standard IEEE protocol that        network, which cannot meet the
                         allows Huawei devices to communicate    carrier-class reliability requirement.
                         with non-Huawei devices.
ERPS                   ● Provides fast convergence and           Requires the network topology to be
                         carrier-class reliability.              planned in advance. The configuration
                       ● Is a standard ITU-T protocol that       is complex.
                         allows Huawei devices to communicate
                         with non-Huawei devices.
                       ● Supports single-ring and multi-ring
                         topologies in ERPSv2.

Ethernet networks demand faster protection switching. STP does not meet the
requirement for fast convergence.

ERPS, a standard ITU-T protocol, prevents loops on ring networks. It optimizes
detection and performs fast convergence. ERPS allows all ERPS-capable devices on
a ring network to communicate.

Benefits
● Prevents broadcast storms and implements fast traffic switchover on a
network where there are loops.
● Provides fast convergence and carrier-class reliability.
● Allows all ERPS-capable devices on a ring network to communicate.

12.2 Understanding ERPS

12.2.1 Basic ERPS Concepts


ERPS eliminates loops at the link layer of an Ethernet network. ERPS operates on
ERPS rings, each of which contains several nodes. To eliminate loops, ERPS blocks
the RPL owner port and switches common ports between the Forwarding and
Discarding states. ERPS uses the control VLAN, data VLAN, and Ethernet Ring
Protection (ERP) instance.

On the network shown in Figure 12-1, SwitchA through SwitchD constitute a ring
and are dual-homed to the upstream network. This access mode will cause a loop
on the entire network. To eliminate redundant links and ensure link connectivity,
ERPS is used to prevent loops.

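Figure 12-1 ERPS single-ring networking
[Figure: SwitchA, SwitchB, SwitchC, and SwitchD form an ERPS ring between the
user network and Router1 and Router2, which connect to the upstream network.
The ring contains the RPL. Legend: RPL owner, RPL neighbour.]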

ERPS can be deployed on the network shown in Figure 12-1.


ERPS Ring
An ERPS ring consists of interconnected Layer 2 switching devices configured with
the same control VLAN.
An ERPS ring can be a major ring or a sub-ring. By default, an ERPS ring is a major
ring. The major ring is a closed ring, whereas a sub-ring is a non-closed ring. The
major ring and sub-ring are configured using commands. On the network shown
in Figure 12-2, SwitchA through SwitchD constitute a major ring, and SwitchC
through SwitchF constitute a sub-ring.
Only ERPSv2 supports sub-rings.

Figure 12-2 ERPS major ring and sub-ring networking
[Figure: SwitchA, SwitchB, SwitchC, and SwitchD form the major ring; SwitchC,
SwitchD, SwitchE, and SwitchF form the sub-ring.]

Node
A node refers to a Layer 2 switching device added to an ERPS ring. A maximum of
two ports on each node can be added to the same ERPS ring. SwitchA through
SwitchD in Figure 12-2 are nodes in an ERPS major ring.

Port Role
ERPS defines three port roles: RPL owner port, RPL neighbor port (only in ERPSv2),
and common port.
● RPL owner port
An RPL owner port is responsible for blocking traffic over the Ring Protection
Link (RPL) to prevent loops. An ERPS ring has only one RPL owner port.
When the node on which the RPL owner port resides receives an RAPS PDU
indicating a link or node fault in an ERPS ring, the node unblocks the RPL
owner port. Then the RPL owner port can send and receive traffic to ensure
nonstop traffic forwarding.
The link where the RPL owner port resides is the RPL.
● RPL neighbor port
An RPL neighbor port is directly connected to an RPL owner port.
Both the RPL owner port and RPL neighbor ports are blocked in normal
situations to prevent loops.
If an ERPS ring fails, both the RPL owner and neighbor ports are unblocked.
The RPL neighbor port helps reduce the number of FDB entry updates on the
device where the RPL neighbor port resides.


● Common port
Common ports are ring ports other than the RPL owner and neighbor ports.
A common port monitors the status of the directly connected ERPS link and
sends RAPS PDUs to notify the other ports of its link status changes.

Port Status
On an ERPS ring, an ERPS-enabled port has two statuses:
● Forwarding: forwards user traffic and sends and receives RAPS PDUs.
● Discarding: only sends and receives RAPS PDUs.

Control VLAN
A control VLAN is configured in an ERPS ring to transmit RAPS PDUs.
Each ERPS ring must be configured with a control VLAN. After a port is added to
an ERPS ring configured with a control VLAN, the port is added to the control
VLAN automatically.
Different ERPS rings must use different control VLANs.

Data VLAN
Unlike control VLANs, data VLANs are used to transmit data packets.

ERP Instance
On a Layer 2 device running ERPS, the VLAN in which RAPS PDUs and data
packets are transmitted must be mapped to an Ethernet Ring Protection (ERP)
instance so that ERPS forwards or blocks the packets based on configured rules. If
the mapping is not configured, the preceding packets may cause broadcast storms
on the ring network. As a result, the network becomes unavailable.

Timer
ERPS defines four timers: Guard timer, WTR timer, Holdoff timer, and WTB timer
(only in ERPSv2).
● Guard timer
After a faulty link or node recovers or a clear operation is executed, the device
sends RAPS No Request (NR) messages to inform the other nodes of the link
or node recovery and starts the Guard timer. Before the Guard timer expires,
the device does not process any RAPS (NR) messages to avoid receiving out-
of-date RAPS (NR) messages. After the Guard timer expires, if the device still
receives an RAPS (NR) message, the local port enters the Forwarding state.
● WTR timer
If an RPL owner port is unblocked due to a link or node fault, the involved
port may not go Up immediately after the link or node recovers. Blocking the
RPL owner port may cause network flapping. To prevent this problem, the
node where the RPL owner port resides starts the wait to restore (WTR) timer
after receiving an RAPS (NR) message. If the node receives an RAPS Signal
Fail (SF) message before the timer expires, it terminates the WTR timer. If the
node does not receive any RAPS (SF) message before the timer expires, it
blocks the RPL owner port when the timer expires and sends an RAPS (no
request, root blocked) message. After receiving this RAPS (NR, RB) message,
the nodes set their recovered ports on the ring to the Forwarding state.
● Holdoff timer
On Layer 2 networks running ERPS, there may be different requirements for
protection switching. For example, on a network where multi-layer services
are provided, after a server fails, users may require a period of time to rectify
the server fault so that clients do not detect the fault. You can set the Holdoff
timer for this purpose. If a fault occurs, it is not reported to ERPS until the
Holdoff timer expires.
● WTB timer
The wait to block (WTB) timer starts when Forced Switch (FS) or Manual
Switch (MS) is performed. Because multiple nodes on an ERPS ring may be in
FS or MS state, the clear operation takes effect only after the WTB timer
expires. This prevents the RPL owner port from being blocked immediately.
The WTB timer value cannot be configured. Its value is the Guard timer value
plus 5. The default WTB timer value is 7s.

Revertive and Non-revertive Switching


After link faults in an ERPS ring are rectified, re-blocking the RPL owner port
depends on the switching mode:
● In revertive switching, the RPL owner port is re-blocked after the WTR timer
expires, and the RPL is blocked.
● In non-revertive switching, the WTR timer is not started, and the original
faulty link is still blocked.
ERPS rings use revertive switching by default.
ERPSv1 supports only revertive switching. ERPSv2 supports both revertive and non-
revertive switching.

Port Blocking Modes


Because the Ring Protection Link (RPL) may have high bandwidth, you can block
the low-bandwidth link so that user traffic can be transmitted on the RPL. ERPSv2
supports both Forced Switch (FS) and Manual Switch (MS) modes for blocking an
ERPS port:
● FS: forcibly blocks a port immediately after FS is configured, irrespective of
whether link failures have occurred.
● MS: blocks a port on which MS is configured when the ERPS ring is in Idle or
Pending state.
In addition to FS and MS operations, ERPS also supports the clear operation. The
clear operation has the following functions:
● Clears an existing FS or MS operation.
● Triggers revertive switching before the WTR or WTB timer expires in the case
of revertive switching operations.
● Triggers revertive switching in the case of non-revertive switching operations.


Only ERPSv2 supports port blocking modes.

RAPS PDU Transmission Mode in a Sub-ring


ERPSv2 supports single-ring and multi-ring topologies. In multi-ring topologies,
both the virtual channel (VC) and non-virtual-channel (NVC) can be used to
transmit RAPS PDUs in sub-rings.
● VC: RAPS PDUs in sub-rings are transmitted to the major ring through
interconnected nodes. The RPL owner port of the sub-ring blocks both RAPS
PDUs and data traffic.
● NVC: RAPS PDUs in sub-rings are terminated on the interconnected nodes.
The RPL owner port blocks data traffic but not RAPS PDUs in each sub-ring.
On the network shown in Figure 12-3, a major ring is interconnected with two
sub-rings. The sub-ring on the left has a VC, whereas the sub-ring on the right has
an NVC.

Figure 12-3 Interconnected rings with a VC or NVC
[Figure: a major ring interconnected with two sub-rings, one with a virtual
channel and one without a virtual channel. Legend: Ethernet ring node,
interconnection node, RPL owner interface, RAPS virtual channel.]

By default, sub-rings use NVCs to transmit RAPS PDUs, except for the scenario
shown in Figure 12-4.
NOTE

When sub-ring links are incontiguous, VCs must be used.

On the network shown in Figure 12-4, links b and d belong to major rings 1 and 2
respectively; links a and c belong to the sub-ring. As links a and c are
incontiguous, they cannot detect the status change between each other, so VCs
must be used for RAPS PDU transmission.

Figure 12-4 VC networking
[Figure: a sub-ring with a virtual channel, made up of links a and c, sits
between Major Ring1 (link b) and Major Ring2 (link d). Legend: Ethernet ring
node, interconnection node, RPL owner interface, RAPS virtual channel.]

Table 12-2 lists the advantages and disadvantages of RAPS PDU transmission
modes in sub-rings with VCs or NVCs.

Table 12-2 Comparison between RAPS PDU transmission modes in a sub-ring with
VCs or NVCs
RAPS PDU Transmission  Advantage                                 Disadvantage
Mode in a Sub-ring
VC                     Applies to scenarios in which sub-ring    Requires VC resource reservation and
                       links are incontiguous.                   control VLAN assignment from adjacent
                                                                 rings.
NVC                    Does not need to reserve resources or     Is not applicable to scenarios in which
                       control VLAN assignment from adjacent     sub-ring links are incontiguous.
                       rings.

12.2.2 RAPS PDUs

ERPS protocol packets are called Ring Auto Protection Switching (RAPS) Protocol
Data Units (PDUs), which are transmitted in ERPS rings to convey ERPS ring
information. Figure 12-5 shows the RAPS PDU format.

Figure 12-5 RAPS PDU format
[Figure: bit layout, four octets per row, bits 8 to 1 in each octet.
Row starting at octet 1: MEL, Version (0), OpCode (R-APS = 40), Flags (0), TLV Offset (32)
Rows starting at octet 5: R-APS Specific Information (32 octets)
Row starting at octet 37: [optional TLV starts here; otherwise End TLV]
Last octet: End TLV (0)]

Table 12-3 describes the fields in an RAPS PDU.

Table 12-3 Fields in an RAPS PDU

| Field | Length | Description |
|---|---|---|
| MEL | 3 bits | Identifies the maintenance entity group (MEG) level of the RAPS PDU. |
| Version | 5 bits | ● 0x00: ERPSv1 ● 0x01: ERPSv2 |
| OpCode | 8 bits | Indicates an RAPS PDU. The value of this field is 0x28. |
| Flags | 8 bits | Is ignored upon RAPS PDU receiving. The value of this field is 0x00. |
| TLV Offset | 8 bits | Indicates that the TLV starts after an offset of 32 bytes. The value of this field is 0x20. |
| R-APS Specific Information | 32 x 8 bits | Is the core field in an RAPS PDU and carries ERPS ring information. There are differences between sub-fields in ERPSv1 and ERPSv2. Figure 12-6 shows the R-APS Specific Information field format in ERPSv1. Figure 12-7 shows the R-APS Specific Information field format in ERPSv2. |
| TLV | Not limited | Describes information to be loaded. The end TLV value is 0x00. |

Figure 12-6 Format of the R-APS Specific Information field in ERPSv1
[Figure: bit layout, four octets per row, bits 8 to 1 in each octet. Fields in order: Request/State, Reserved 1, Status (RB, DNF, Status Reserved), Node ID (6 octets), Reserved 2 (24 octets).]

Figure 12-7 Format of the R-APS Specific Information field in ERPSv2
[Figure: bit layout, four octets per row, bits 8 to 1 in each octet. Fields in order: Request/State, Sub-code, Status (RB, DNF, BPR, Status Reserved), Node ID (6 octets), Reserved 2 (24 octets).]

Table 12-4 describes sub-fields in the R-APS Specific Information field.

Table 12-4 Sub-fields in the R-APS Specific Information field

| Sub-Field | Length | Description |
|---|---|---|
| Request/State | 4 bits | Indicates that this RAPS PDU is a request or state PDU. The value can be: ● 1101: forced switch (FS) ● 1110: Event ● 1011: signal failed (SF) ● 0111: manual switch (MS) ● 0000: no request (NR) ● Others: reserved |
| Reserved 1 / Sub-code | 4 bits | Reserved 1 is used in ERPSv1 for message reply or protection identifier. Sub-code is used in ERPSv2. The value depends on the Request/State field value: ● If the Request/State field value is 1110, the Sub-code value is 0000, indicating FDB entry update. ● If the Request/State field value is any other value than 1110, the Sub-code value is 0000 and ignored upon RAPS PDU receiving. |
| Status | 8 bits | Includes the following status information: ● RPL Blocked (RB) (1 bit): The value 1 indicates that the RPL owner port is blocked; the value 0 indicates that the RPL owner port is unblocked. The nodes where the RPL owner port is not configured set this sub-field to 0 in outgoing RAPS PDUs. ● Do Not Flush (DNF) (1 bit): The value 1 indicates that FDB entries are not updated when RAPS PDUs are received; the value 0 indicates that FDB entries may be updated when RAPS PDUs are received. ● Blocked port reference (BPR) (1 bit): The value 0 indicates that ring link 0 is blocked. The value 1 indicates that ring link 1 is blocked. BPR is valid only in ERPSv2. ● Status Reserved: This sub-field is reserved. This sub-field is all 0s during RAPS PDU transmission, and is ignored upon RAPS PDU receiving. In ERPSv1, this sub-field has 6 bits. In ERPSv2, this sub-field has 5 bits. |
| Node ID | 6 x 8 bits | Identifies the MAC address of a node in an ERPS ring. It is informational and does not affect protection switching in the ERPS ring. |
| Reserved 2 | 24 x 8 bits | Is reserved and ignored upon RAPS PDU receiving. The value is all 0s during RAPS PDU transmission. |
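
The field layout in Tables 12-3 and 12-4 maps directly onto a parser that a monitoring host can run over captured RAPS PDUs to decode them and to flag values a conforming sender would not transmit. The following Python code is an added example, not Huawei code; it assumes that bit 8 in the figures is the most significant bit of each octet, and the helper names, the MEL value and the node ID used in the sample are constructed.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

RAPS_OPCODE = 0x28   # Table 12-3: OpCode value of a RAPS PDU
TLV_OFFSET = 0x20    # Table 12-3: TLVs start after an offset of 32 bytes
REQUESTS = {0b1101: "FS", 0b1110: "Event", 0b1011: "SF",
            0b0111: "MS", 0b0000: "NR"}   # Table 12-4; all other codes are reserved


@dataclass
class RapsPdu:
    mel: int
    version: int                 # 0 = ERPSv1, 1 = ERPSv2
    request: str
    rb: bool                     # RPL Blocked
    dnf: bool                    # Do Not Flush
    bpr: Optional[int]           # blocked ring link (0 or 1); None in ERPSv1
    node_id: str
    anomalies: List[str] = field(default_factory=list)


def build_raps_pdu(mel, version, request_code, status, node_id,
                   low_nibble=0, reserved2=bytes(24)):
    """Assemble a PDU for the demo (hypothetical helper, not a device API)."""
    header = struct.pack("!BBBB", (mel << 5) | version, RAPS_OPCODE, 0x00, TLV_OFFSET)
    info = bytes([(request_code << 4) | low_nibble, status]) + node_id + reserved2
    return header + info + b"\x00"          # End TLV (0)


def parse_raps_pdu(data: bytes) -> RapsPdu:
    """Decode one RAPS PDU and list deviations from the values a sender should use."""
    if len(data) < 37:    # 4-octet header + 32 octets of R-APS info + End TLV
        raise ValueError("truncated RAPS PDU: need at least 37 octets")
    first, opcode, flags, tlv_offset = struct.unpack_from("!BBBB", data, 0)
    if opcode != RAPS_OPCODE:
        raise ValueError(f"not a RAPS PDU: OpCode 0x{opcode:02x}")
    mel, version = first >> 5, first & 0x1F
    info = data[4:36]                        # R-APS Specific Information
    req_code, low_nibble, status = info[0] >> 4, info[0] & 0x0F, info[1]

    anomalies = []
    if version not in (0, 1):
        anomalies.append(f"unknown version {version}")
    if flags != 0x00:
        anomalies.append(f"Flags is 0x{flags:02x}, expected 0x00")
    if tlv_offset != TLV_OFFSET:
        anomalies.append(f"TLV Offset is 0x{tlv_offset:02x}, expected 0x20")
    if req_code not in REQUESTS:
        anomalies.append(f"reserved Request/State code {req_code:04b}")
    if version == 1 and low_nibble != 0:
        anomalies.append("non-zero Sub-code in an ERPSv2 PDU")
    # Status Reserved is 5 bits in ERPSv2 and 6 bits in ERPSv1 (BPR is v2-only).
    reserved_mask = 0x1F if version == 1 else 0x3F
    if status & reserved_mask:
        anomalies.append("Status Reserved bits are not all 0")
    if any(info[8:32]):
        anomalies.append("Reserved 2 is not all 0")
    if data[-1] != 0x00:
        anomalies.append("PDU does not end with End TLV (0)")

    return RapsPdu(
        mel=mel,
        version=version,
        request=REQUESTS.get(req_code, f"reserved({req_code:04b})"),
        rb=bool(status & 0x80),
        dnf=bool(status & 0x40),
        bpr=(status >> 5) & 1 if version == 1 else None,
        node_id=":".join(f"{b:02x}" for b in info[2:8]),
        anomalies=anomalies,
    )


if __name__ == "__main__":
    node = bytes.fromhex("001122334455")                 # constructed node ID
    samples = {
        "NR, RB from the RPL owner (ERPSv2)": build_raps_pdu(7, 1, 0b0000, 0x80, node),
        "malformed PDU": build_raps_pdu(7, 1, 0b0101, 0x81, node,
                                        reserved2=b"\x01" + bytes(23)),
    }
    for label, raw in samples.items():
        print(label, "->", parse_raps_pdu(raw))
```
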

12.2.3 ERPS Single-ring Principles


ERPS is a standard ring protocol used to prevent loops in ERPS rings at the
Ethernet link layer. A maximum of two ports on each Layer 2 switching device can
be added to the same ERPS ring.
To prevent loops in an ERPS ring, you can enable a loop-breaking mechanism to
block the Ring Protection Link (RPL) owner port to eliminate loops. If a link on the
ring network fails, the ERPS-enabled device immediately unblocks the blocked
port and performs link switching to restore communication between nodes on the
ring network.
This section describes how ERPS is implemented on a single-ring network when
links are normal, when a link fails, and when the link recovers (including
protection switching operations).

Links Are Normal


On the network shown in Figure 12-8, SwitchA through SwitchE constitute a ring
network, and they can communicate with each other.
1. To prevent loops, ERPS blocks the RPL owner port and also the RPL neighbor
port (if any is configured). All other ports can transmit service traffic.
2. The RPL owner port sends RAPS (NR, RB) messages to all other nodes in the
ring at an interval of 5s, indicating that ERPS links are normal.

Figure 12-8 ERPS single-ring networking (links are normal)
[Figure: network diagram with Router1, Router2, SwitchA through SwitchE in an ERPS ring, the RPL, the RPL owner, and a user network. Legend: blocked interface, data flow.]

A Link Fails
As shown in Figure 12-9, if the link between SwitchD and SwitchE fails, the ERPS
protection switching mechanism is triggered. The ports on both ends of the faulty
link are blocked, and the RPL owner port and RPL neighbor port are unblocked to
send and receive traffic. This mechanism ensures nonstop traffic transmission. The
process is as follows:

1. After SwitchD and SwitchE detect the link fault, they block their ports on the
faulty link and update Filtering Database (FDB) entries.
2. SwitchD and SwitchE send three consecutive RAPS Signal Fail (SF) messages
to the other LSWs and send one RAPS (SF) message at an interval of 5s
afterwards.
3. After receiving an RAPS (SF) message, the other LSWs update their FDB
entries. SwitchC on which the RPL owner port resides and SwitchB on which
the RPL neighbor port resides unblock the respective RPL owner port and RPL
neighbor port, and update FDB entries.

Figure 12-9 ERPS single-ring networking (unblocking the RPL owner port and RPL neighbor port if a link fails)
[Figure: network diagram with Router1, Router2, SwitchA through SwitchE in an ERPS ring, the RPL, the RPL owner, and a user network. Legend: failed link, blocked interface, data flow.]

The Link Recovers


After the link fault is rectified, either of two situations may occur:
● If the ERPS ring uses revertive switching, the RPL owner port is blocked again,
and the link that has recovered is used to forward traffic.
● If the ERPS ring uses non-revertive switching, the RPL remains unblocked, and
the link that has recovered is still blocked.
The following example uses revertive switching to illustrate the process after the
link recovers.
1. After the link between SwitchD and SwitchE recovers, SwitchD and SwitchE
start the Guard timer to avoid receiving out-of-date RAPS PDUs. The two
switches do not receive any RAPS PDUs before the timer expires. At the same
time, SwitchD and SwitchE send RAPS (NR) messages to the other LSWs.
2. After receiving an RAPS (NR) message, SwitchC on which the RPL owner port
resides starts the WTR timer. After the WTR timer expires, SwitchC blocks the
RPL owner port and sends RAPS (NR, RB) messages.

3. After receiving an RAPS (NR, RB) message, SwitchD and SwitchE unblock the
ports at the two ends of the link that has recovered, stop sending RAPS (NR)
messages, and update FDB entries. The other LSWs also update FDB entries
after receiving an RAPS (NR, RB) message.

Protection Switching
● Forced switch
On the network shown in Figure 12-10, SwitchA through SwitchE in the ERPS
ring can communicate with each other. A forced switch (FS) operation is
performed on SwitchE's port that connects to SwitchD, and SwitchE's
port is blocked. Then the RPL owner port and RPL neighbor port are
unblocked to send and receive traffic. This mechanism ensures nonstop traffic
transmission. The process is as follows:
a. After SwitchD's port that connects to SwitchE is forcibly blocked,
SwitchE updates FDB entries.
b. SwitchE sends three consecutive RAPS (SF) messages to the other LSWs
and sends one RAPS (SF) message at an interval of 5s afterwards.
c. After receiving an RAPS (SF) message, the other LSWs update their FDB
entries. SwitchC on which the RPL owner port resides and SwitchB on
which the RPL neighbor port resides unblock the respective RPL owner
port and RPL neighbor port, and update FDB entries.

Figure 12-10 Layer 2 ERPS ring networking (blocking a port in FS mode)
[Figure: network diagram with Router1, Router2, SwitchA through SwitchE in an ERPS ring, the RPL, the RPL owner, and a user network. Legend: blocked interface, data flow.]

● Clear
After a clear operation is performed on SwitchE, the port that is forcibly
blocked by FS sends RAPS (NR) messages to all other ports in the ERPS ring.
– If the ERPS ring uses revertive switching, the RPL owner port starts the
WTB timer after receiving an RAPS (NR) message. After the WTB timer
expires, the FS operation is cleared. Then the RPL owner port is blocked,
and the blocked port on SwitchE is unblocked. If you perform a clear
operation on SwitchC on which the RPL owner port resides before the
WTB timer expires, the RPL owner port is immediately blocked, and the
blocked port on SwitchE is unblocked.
– If the ERPS ring uses non-revertive switching and you want to block the
RPL owner port, perform a clear operation on SwitchC on which the RPL
owner port resides.
● Manual switch
The MS process in an ERPS ring is similar to the FS process. The difference is
that the MS operation does not take effect when the ERPS ring is not idle or
pending.

12.2.4 ERPS Multi-ring Principles


Ethernet Ring Protection Switching Version 1 (ERPSv1) supports only single-ring
topology, whereas ERPSv2 supports single-ring and multi-ring topologies.
In a multi-ring topology, there are major rings and sub-rings. Depending on
whether Ring Auto Protection Switching Protocol Data Units (R-APS PDUs) on a
sub-ring are transmitted to a major ring, a sub-ring can either have or not have a
virtual channel (VC). If R-APS PDUs on a sub-ring are transmitted to a major ring,
the sub-ring has a virtual channel; otherwise, the sub-ring does not have a virtual
channel.
This section describes how ERPS is implemented on a multi-ring network when
links are normal, when a link fails, and when the link recovers.

Sub-rings Do Not Have VCs


Links Are Normal
On the multi-ring network shown in Figure 12-11, SwitchA through SwitchE
constitute a major ring; SwitchB, SwitchC, and SwitchF constitute sub-ring 1, and
SwitchC, SwitchD, and SwitchG constitute sub-ring 2. The LSWs in each ring can
communicate with each other.
1. To prevent loops, each ring blocks its RPL owner port. All other ports can
transmit service traffic.
2. The RPL owner port on each ring sends RAPS (NR, RB) messages to all other
nodes in the same ring at an interval of 5s. The RAPS (NR, RB) messages in the
major ring are transmitted only in this ring. The RAPS (NR, RB) messages in
each sub-ring are terminated on the interconnected nodes and therefore are
not transmitted to the major ring.
Traffic between PC1 and the upper-layer network travels along the path PC1 ->
SwitchF -> SwitchB -> SwitchA -> Router1; traffic between PC2 and the upper-
layer network travels along the path PC2 -> SwitchG -> SwitchD -> SwitchE ->
Router2.

Figure 12-11 ERPS multi-ring networking with sub-rings that do not have VCs (links are normal)
[Figure: network diagram with Router1 and Router2; a major ring of SwitchA through SwitchE; Sub-Ring1 with SwitchF and PC1; Sub-Ring2 with SwitchG and PC2; an RPL in each ring. Legend: RPL owner, data flow.]

A Link Fails
As shown in Figure 12-12, if the link between SwitchD and SwitchG fails, the ERPS
protection switching mechanism is triggered. The ports on both ends of the faulty
link are blocked, and the RPL owner port in sub-ring 2 is unblocked to send and
receive traffic. In this situation, traffic from PC1 still travels along the original
path. SwitchC and SwitchD inform the other nodes in the major ring of the
topology change so that traffic from PC2 is also not interrupted. Traffic between
PC2 and the upper-layer network travels along the path PC2 -> SwitchG ->
SwitchC -> SwitchB -> SwitchA -> SwitchE -> Router2. The process is as follows:
1. After SwitchD and SwitchG detect the link fault, they block their ports on the
faulty link and update Filtering Database (FDB) entries.
2. SwitchG sends three consecutive RAPS (SF) messages to the other LSWs and
sends one RAPS (SF) message at an interval of 5s afterwards.

3. SwitchG then unblocks the RPL owner port and updates FDB entries.
4. After the interconnected node SwitchC receives an RAPS (SF) message, it
updates FDB entries. SwitchC and SwitchD then send RAPS Event messages
within the major ring to notify the topology change in sub-ring 2.
5. After receiving an RAPS Event message, the other LSWs in the major ring
update FDB entries.
Then traffic from PC2 is switched to a normal link.

Figure 12-12 ERPS multi-ring networking (unblocking the RPL owner port if a link fails)
[Figure: network diagram with Router1 and Router2; a major ring of SwitchA through SwitchE; Sub-Ring1 with SwitchF and PC1; Sub-Ring2 with SwitchG and PC2; an RPL in each ring. Legend: blocked interface, data flow.]

The Link Recovers


After the link fault is rectified, either of two situations may occur:
● If the ERPS ring uses revertive switching, the RPL owner port is blocked again,
and the link that has recovered is used to forward traffic.

● If the ERPS ring uses non-revertive switching, the RPL remains unblocked, and
the link that has recovered is still blocked.
The following example uses revertive switching to illustrate the process after the
link recovers.
1. After the link between SwitchD and SwitchG recovers, SwitchD and SwitchG
start the Guard timer to avoid receiving out-of-date RAPS PDUs. The two
devices do not receive any RAPS PDUs before the timer expires. Then SwitchD
and SwitchG send RAPS (NR) messages within sub-ring 2.
2. SwitchG on which the RPL owner port resides starts the WTR timer. After the
WTR timer expires, SwitchG blocks the RPL owner port and unblocks its port
on the link that has recovered and then sends RAPS (NR, RB) messages within
sub-ring 2.
3. After receiving an RAPS (NR, RB) message from SwitchG, SwitchD unblocks its
port on the recovered link, stops sending RAPS (NR) messages, and updates
FDB entries. SwitchC also updates FDB entries.
4. SwitchC and SwitchD (interconnected nodes) send RAPS Event messages
within the major ring to notify the link recovery of sub-ring 2.
5. After receiving an RAPS Event message, the other LSWs in the major ring
update FDB entries.
Then traffic changes to the normal state, as shown in Figure 12-11.

Sub-rings Have VCs


When sub-rings have VCs, the R-APS PDUs of the sub-rings are transmitted to the
major ring through the interconnection nodes. In other words, the interconnection
nodes do not terminate the R-APS PDUs of the sub-rings. The blocked ports of
sub-rings block both R-APS PDUs and data traffic.
Links Are Normal
On the multi-ring network shown in Figure 12-13, Switch A, Switch B, and Switch
E constitute major ring 1; Switch C, Switch D, and Switch F constitute major ring 2;
Switch A through Switch D constitute a sub-ring. The two major rings are
interconnected with the sub-ring. The devices on each ring can communicate with
each other.
1. To prevent loops, each ring blocks its RPL owner port. All other ports can
transmit data traffic.
2. The RPL owner port on each ring sends R-APS (NR) messages to all other
nodes on the same ring at an interval of 5s. The R-APS (NR) messages of
each major ring are transmitted only within the same major ring, whereas the
R-APS (NR) messages of the sub-ring are transmitted to the major rings over
the interconnection nodes.
Traffic between PC1 and PC2 travels along the path PC1 <-> Switch E <-> Switch B
<-> Switch C <-> Switch F <-> PC2.

Figure 12-13 ERPS multi-ring networking with a sub-ring that has VCs (links are normal)
[Figure: network diagram with SwitchE, SwitchF, SwitchA through SwitchD, PC1 and PC2; Major Ring1, Major Ring2 and the sub-ring, each with an RPL. Legend: RPL owner, data flow.]

A Link Fails
As shown in Figure 12-14, if the link between Switch B and Switch C fails, ERPS is
triggered. Specifically, the ports on both ends of the faulty link are blocked, and
the RPL owner port on the sub-ring is unblocked to send and receive user traffic.
Switch B and Switch C inform the other nodes on the major rings of the topology
change so that traffic between PCs is not interrupted. Traffic between PC1 and
PC2 then travels along the path PC1 <-> Switch E <-> Switch B <-> Switch A <->
Switch D <-> Switch C <-> Switch F <-> PC2. The detailed process is as follows:
1. After Switch B and Switch C detect the link fault, they both block their ports
on the faulty link and perform an FDB flush.
2. Switch B sends three consecutive R-APS (SF) messages to the other devices on
the sub-ring and then sends one R-APS (SF) message at an interval of 5s
afterwards. The R-APS (SF) messages then arrive at major ring 1.
3. After receiving an R-APS (SF) message, Switch A on major ring 1 unblocks its
RPL owner port and performs an FDB flush.
4. The other major ring nodes also perform an FDB flush. Traffic between PCs is
then rapidly switched to a normal link.

Figure 12-14 ERPS multi-ring networking with a sub-ring that has VCs (a link fails)
[Figure: network diagram with SwitchE, SwitchF, SwitchA through SwitchD, PC1 and PC2; Major Ring1, Major Ring2 and the sub-ring, each with an RPL. Legend: blocked interface, data flow.]

The Link Recovers


After the link fault is rectified, either of the following situations may occur:
● If the revertive switching mode is configured for the ERPS major rings and
sub-ring, the RPL owner port is blocked again, and the link that has recovered
is used to forward traffic.
● If the non-revertive switching mode is configured for the ERPS major rings and
sub-ring, the RPL owner port remains unblocked, but the link that has recovered
remains blocked.
The following example uses revertive switching to describe the process after the
link recovers.
1. After the link between Switch B and Switch C recovers, Switch B and Switch C
start a guard timer to avoid receiving out-of-date R-APS PDUs. The two
devices do not receive any R-APS PDUs before the timer expires. Then Switch
B and Switch C send R-APS (NR) messages, which are transmitted within the
major rings and sub-ring.
2. Switch A starts the WTR timer. After the WTR timer expires, Switch A blocks
the RPL owner port and then sends R-APS (NR, RB) messages to other
connected devices.
3. After receiving an R-APS (NR, RB) message from Switch A, Switch B and
Switch C unblock their ports on the recovered link, stop sending R-APS (NR)
messages, and perform an FDB flush.
4. After receiving an R-APS (NR, RB) message from Switch A, other devices also
perform an FDB flush.
Traffic then travels in the same way as that shown in Figure 12-13.

12.2.5 ERPS Multi-instance


On a common ERPS network, a physical ring can be configured with a single ERPS
ring, and only one blocked port can be specified in the ring. When the ERPS ring is
in normal state, the blocked port prohibits all service packets from passing
through. As a result, all service data is transmitted through one path over the
ERPS ring, and the other link on the blocked port becomes idle, wasting
bandwidth. As shown in Figure 12-15, when only ERPS Ring1 is configured,
Interface1 is blocked and data is forwarded through the path where Data Flow1
travels. The link SwitchC -> SwitchD -> SwitchE is idle.

Figure 12-15 Networking diagram of ERPS multi-instance
[Figure: network diagram with Router1, Router2, SwitchA through SwitchE and CE1; ERPS Ring1 and ERPS Ring2 on the same physical ring; Interface1 and Interface2; VLAN100-200 and VLAN300-400. Legend: Ring1 blocked port, Ring2 blocked port, Data Flow1, Data Flow2.]

To improve link use efficiency, ERPS multi-instance allows logical rings to be
configured in the same physical ring; only two logical rings can be configured.
A port may have different roles in different ERPS rings, and different ERPS
rings use different control VLANs. A physical ring can accordingly have two
blocked ports. Each blocked port independently monitors the physical ring status
and is blocked or unblocked. An ERPS ring must be configured with an ERP
instance, and each ERP instance specifies a range of VLANs. The topology
calculated for a specific ERPS ring takes effect only in that ERPS ring.
Different VLANs can use separate paths, implementing traffic load balancing and
link backup.
As shown in Figure 12-15, you can configure ERPS Ring1 and ERPS Ring2 in the
physical ring consisting of SwitchA through SwitchE. Interface1 is the blocked port
in ERPS Ring1. The VLANs mapped to the ERP instance are VLANs 100 to 200.
Interface2 is the blocked port in ERPS Ring2. The VLANs mapped to the ERP
instance are VLANs 300 to 400. After the configuration is completed, data from
VLANs 100 to 200 is forwarded through Data Flow1, and data from VLANs 300 to
400 is forwarded through Data Flow2. In this manner, load balancing is
implemented and link use efficiency is improved.

12.3 Application Scenarios for ERPS


Generally, redundant links are used on an Ethernet switching network to provide
link backup and enhance network reliability. The use of redundant links, however,
may produce loops, causing broadcast storms and rendering the MAC address
table unstable. As a result, communication quality deteriorates, and
communication services may even be interrupted.
To prevent loops caused by redundant links, enable ERPS on the nodes of the ring
network. ERPS is a Layer 2 loop-breaking protocol defined by the ITU-T, and
provides fast convergence that meets carrier-class reliability standards.

Figure 12-16 Layer 2 application of ERPS
[Figure: network diagram with Router1, Router2, SwitchA through SwitchE in an ERPS ring with the RPL and the RPL owner; User network1, User network2 and User network3. Legend: blocked port, Data Flow1, Data Flow2, Data Flow3.]

As shown in Figure 12-16, SwitchA through SwitchE constitute a ring. The ring
runs ERPS to provide protection switching for Layer 2 redundant links and prevent
loops that cause broadcast storms and render the MAC address table unstable.
Generally, the RPL owner port is blocked and does not forward service packets,
preventing loops. If a fault occurs on the link between SwitchA and SwitchB, ERPS
will unblock the blocked RPL owner port and traffic from User network1 and User
network2 is forwarded through the path SwitchC -> SwitchD -> SwitchE.

12.4 Summary of ERPS Configuration Tasks


After a single ERPS ring or intersecting ERPS ring is configured, a specified port
can be blocked to remove loops. Table 12-5 describes the ERPS configuration
tasks.

Table 12-5 ERPS configuration tasks

| Scenario | Description | Task |
|---|---|---|
| Configure ERPS single-ring networking | You can configure ERPS single-ring networking when there is only one ring in the network topology. | 12.7.1 Configuring ERPSv1 |
| Configure ERPS intersecting-ring networking | You can configure ERPS intersecting-ring networking when there are two or more rings in the network topology and many common nodes between two rings. | 12.7.2 Configuring ERPSv2 |

12.5 Licensing Requirements and Limitations for ERPS

Involved Network Elements


Other network elements are required to support ERPS functions.

Licensing Requirements
ERPS is a basic function of the switch, and as such is controlled by the license for
basic software functions. The license for basic software functions has been loaded
and activated before delivery. You do not need to manually activate it.

Version Requirements

Table 12-6 Products and minimum version supporting ERPS

| Product | Minimum Version Required |
|---|---|
| CE5850EI | V100R003C10 |
| CE5810EI | V100R003C10 |
| CE5850HI | V100R003C10 |
| CE5855EI | V100R005C10 |
| CE6850EI | V100R003C10 |
| CE6850HI | V100R005C00 |
| CE6850U-HI | V100R005C10 |
| CE6851HI | V100R005C10 |
| CE6810EI | V100R003C10 |
| CE6810LI | V100R003C10 |
| CE6855HI | V200R001C00 |
| CE6856HI | V200R002C50 |
| CE6857EI | V200R005C10 |
| CE6870-24S6CQ-EI | V200R001C00 |
| CE6870-48S6CQ-EI | V200R001C00 |
| CE6870-48T6CQ-EI | V200R002C50 |
| CE6860-48S8CQ-EI | V200R002C50 |
| CE6865EI | V200R005C00 |
| CE6875-48S4CQ-EI | V200R003C00 |
| CE7850EI | V100R003C10 |
| CE7855EI | V200R001C00 |
| CE8860EI | V100R006C00 |
| CE8861EI/CE8868EI | V200R005C10 |
| CE8850-32CQ-EI | V200R002C50 |
| CE8850-64CQ-EI | V200R005C00 |
| CE9860EI | V200R020C00 |

NOTE

For details about the mapping between software versions and switch models, see the
Hardware Query Tool.

Feature Limitations
● In ERPSv2, sub-rings can interlock in multi-ring topologies. The sub-rings
attached to other sub-rings must use non-virtual channels.
● A VLAN cannot be mapped to multiple MSTIs. If you map a VLAN that has
already been mapped to an MSTI to another MSTI, the original mapping will
be deleted.
● To configure the mapping between an ERP instance and a MUX VLAN, please
configure the principal VLAN, subordinate group VLANs, and subordinate
separate VLANs of the MUX VLAN in the same ERP instance. Otherwise, loops
may occur.
● A port can be added to a maximum of two ERPS rings.
● An ERPS-enabled port needs to allow packets of control VLANs and data
VLANs to pass through, so the link type of the port must be configured as
trunk or hybrid.
● Flush-FDB packets for updating MAC addresses cannot be separately sent, so
do not configure a direct link between two upstream nodes as the RPL.
● If the virtual-channel enable command is used to set the VC mode for RAPS
PDU transmission in a sub-ring, ensure that the control VLAN of the major
ring is used to transmit only the RAPS PDUs of the sub-ring. Otherwise,
attackers may use bogus RAPS PDUs of the sub-ring to cause loops or even
faults in the major ring.
● ERPS cannot be applied simultaneously with Selective QinQ, VLAN mapping,
or Port Security on a port.
● Before adding a port to an ERPS ring, ensure that the STP/RSTP/MSTP/VBST
or Smart Link is not enabled on the port.
● ERPS packets may be discarded by the interface with multicast traffic
suppression enabled using the storm suppression multicast command.

12.6 Default Settings for ERPS


Table 12-7 describes default ERPS settings.

Table 12-7 ERPS default setting

| Parameter | Default Setting |
|---|---|
| ERPS ring | Not created |
| Guard timer | 200 centiseconds |
| Wait to restore (WTR) timer | 5 minutes |
| Holdoff timer | 0 deciseconds |
| ERPS version | ERPSv1 |

12.7 Configuring ERPS

12.7.1 Configuring ERPSv1


If there is no link fault on a ring network, ERPS can eliminate loops on the
Ethernet network. If a link fault occurs on the ring network, ERPS can quickly
restore communication between nodes on the ring network.

12.7.1.1 Creating an ERPS Ring

Context
ERPS works for ERPS rings. An ERPS ring consists of interconnected Layer 2
switching devices configured with the same control VLAN and data VLAN. Before
configuring other ERPS functions, you must configure an ERPS ring.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run erps ring ring-id
An ERPS ring is created and the ERPS ring view is displayed.
Step 3 (Optional) Run description
The description of the device is configured. The description can contain the ERPS
ring ID, which facilitates device maintenance in an ERPS ring.
By default, the description of an ERPS ring is the ERPS ring name, for example,
Ring 1.
Step 4 Run commit
The configuration is committed.

----End

12.7.1.2 Configuring the Control VLAN

Context
In an ERPS ring, the control VLAN is used only to forward RAPS PDUs but not
service packets, so the security of ERPS is improved. All the devices in an ERPS ring
must be configured with the same control VLAN, and different ERPS rings must
use different control VLANs.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run erps ring ring-id
The ERPS ring view is displayed.
Step 3 Run control-vlan vlan-id
The control VLAN of the ERPS ring is configured.
● The control VLAN specified by vlan-id must be a VLAN that has not been
created or used.
● If you run the control-vlan command multiple times, only the latest
configuration takes effect.
● If the ERPS ring contains ports, the control VLAN cannot be changed. To
delete the configured control VLAN, run the undo erps ring command in the
interface view or the undo port command in the ERPS ring view to delete
ports from the ERPS ring, and run the undo control-vlan command to delete
the control VLAN.
● After a control VLAN is created, the vlan batch vlan-id1 [ to vlan-id2 ]
&<1-10> command used to create common VLANs is displayed in the
configuration file.
● After a port is added to an ERPS ring configured with a control VLAN, the port
is added to the control VLAN.
– If the port is a trunk port, the port trunk allow-pass vlan vlan-id
command is displayed in the record of the port that has been added to
the ERPS ring in the configuration file.
– If the port is a hybrid port, the port hybrid tagged vlan vlan-id
command is displayed in the record of the port that has been added to
the ERPS ring in the configuration file.
Step 4 Run commit
The configuration is committed.

----End

12.7.1.3 Configuring an ERP Instance and Activating the Mapping Between the ERP Instance and VLAN

Context
On a Layer 2 device running ERPS, the VLAN in which RAPS PDUs and data
packets are transmitted must be mapped to an ERP instance so that ERPS
forwards or blocks the packets based on configured rules. If the mapping is not
configured, the preceding packets may cause broadcast storms on the ring
network. As a result, the network becomes unavailable.


Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run erps ring ring-id
The ERPS ring view is displayed.
Step 3 Run protected-instance { all | { instance-id1 [ to instance-id2 ] &<1-10> } }
An ERP instance is created for the ERPS ring.
By default, no ERP instance is configured in an ERPS ring.

NOTE

● If you run the protected-instance command multiple times in the same ERPS ring,
multiple ERP instances are configured.
● If the ERPS ring contains ports, the ERP instance cannot be changed. To delete the
configured ERP instance, run the undo erps ring command in the interface view or the
undo port command in the ERPS ring view to delete ports from the ERPS ring, and run
the undo protected-instance command to delete the ERP instance.

Step 4 Run commit


The configuration is committed.
Step 5 Run quit
The system view is displayed.
Step 6 Configure the mapping between an ERP instance and VLAN.
1. Run stp region-configuration
The Multiple Spanning Tree (MST) region view is displayed.
2. Run instance instance-id vlan { vlan-id [ to vlan-id ] } &<1-10>
The mapping between the ERP instance and VLAN is configured.
By default, all VLANs in an MST region are mapped to instance 0.
instance-id in this command must be the same as instance-id used by the
protected-instance command.
NOTE

– A VLAN cannot be mapped to multiple MSTIs. If you map a VLAN that has already
been mapped to an MSTI to another MSTI, the original mapping will be deleted.
– The vlan-mapping modulo modulo command configures the mapping between
MSTIs and VLANs based on the default algorithm. However, the mapping
configured using this command cannot always meet the actual demand. Therefore,
running this command is not recommended.
– To configure the mapping between an ERP instance and a MUX VLAN, you are
advised to configure the principal VLAN, subordinate group VLANs, and
subordinate separate VLANs of the MUX VLAN in the same ERP instance.
Otherwise, loops may occur.
3. Run commit
The configuration is committed.

----End


12.7.1.4 Adding a Layer 2 Port to an ERPS Ring and Configuring the Port Role

Context
After ERPS is configured, add Layer 2 ports to an ERPS ring and configure port
roles so that ERPS can work properly.

You can add a Layer 2 port to an ERPS ring in either of the following ways:
● In the ERPS ring view, add a specified port to the ERPS ring and configure the
port role.
● In the interface view, add the current port to the ERPS ring and configure the
port role.

NOTE

● A port can be added to a maximum of two ERPS rings.
● An ERPS-enabled port needs to allow packets of control VLANs and data VLANs to pass
through, so the link type of the port must be configured as trunk or hybrid.
● Flush-FDB packets for updating MAC addresses cannot be separately sent, so do not
configure a direct link between two upstream nodes as the RPL.
● Before changing the port role, use the shutdown command to disable the port. When
the port role is changed, use the undo shutdown command to enable the port. This
prevents traffic interruptions.

Prerequisites
● The port is not a Layer 3 port. If the port is a Layer 3 port, run the portswitch
command to switch the port to the Layer 2 mode.
● Spanning Tree Protocol (STP) or Smart Link is not enabled on the port.
– If the port has STP enabled, run the stp disable command in the
interface view to disable STP.
– If the port has Smart Link enabled, run the undo port command in the
Smart Link group view to disable Smart Link.
● The control-vlan command has been executed to configure a control VLAN
and the protected-instance command has been executed to configure an
ERP instance.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Add a Layer 2 port to an ERPS ring and configure the port role in either of the
following ways.
● In the ERPS ring view, add a specified port to the ERPS ring and configure the
port role.
a. Run interface interface-type interface-number
The interface view is displayed.


b. Run stp disable
STP is disabled on the ERPS-enabled port.
c. Run port link-type trunk
The link type of the ERPS-enabled port is configured as trunk.
d. Run port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> |
all }
The VLANs allowed by the ERPS-enabled port are specified.
After the control-vlan command is used in the ERPS ring view to
configure a control VLAN and the port interface-type interface-number
[ rpl owner ] command is configured, the ports in the ERPS ring allow
packets of the control VLAN to pass through. Therefore, you need to
specify only the IDs of data VLANs in this step.
e. Run quit
Return to the system view.
f. Run erps ring ring-id
The ERPS ring view is displayed.
g. Run port interface-type interface-number [ rpl owner ]
The port is added to the ERPS ring and its role is configured. If rpl owner
is specified, the port is configured as an RPL owner port. If rpl owner is
not specified, the port is a common port.
● In the interface view, add the current port to the ERPS ring and configure the
port role.
a. Run interface interface-type interface-number
The specified interface view is displayed.
b. Run stp disable
STP is disabled on the ERPS-enabled port.
c. Run port link-type trunk
The link type of the ERPS-enabled port is configured as trunk.
d. Run port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> |
all }
The VLANs allowed by the ERPS-enabled port are specified.
After the control-vlan command is used in the ERPS ring view to
configure a control VLAN and the port interface-type interface-number
[ rpl owner ] command is configured, the ports in the ERPS ring allow
packets of the control VLAN to pass through. Therefore, you need to
specify only the IDs of data VLANs in this step.
e. Run erps ring ring-id [ rpl owner ]
The current port is added to the ERPS ring and its role is configured. If rpl
owner is specified, the port is configured as an RPL owner port. If rpl
owner is not specified, the port is a common port.

Step 3 Run commit

The configuration is committed.

----End


12.7.1.5 (Optional) Configuring Timers in an ERPS Ring

Context
After a link or node failure in an ERPS ring recovers, the device starts timers in the
ERPS ring to reduce traffic interruptions. This prevents network flapping.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run erps ring ring-id

The ERPS ring view is displayed.

Step 3 Configure the WTR timer, Guard timer, and Holdoff timer in the ERPS ring
according to actual networking.
● Run wtr-timer time-value
The WTR timer is set.
By default, the WTR timer is 5 minutes in an ERPS ring.
● Run guard-timer time-value
The Guard timer is set.
By default, the Guard timer is 200 centiseconds in an ERPS ring.
● Run holdoff-timer time-value
The Holdoff timer is set.
By default, the Holdoff timer is 0 deciseconds in an ERPS ring.

Step 4 Run commit

The configuration is committed.

----End

12.7.1.6 (Optional) Configuring the MEL Value

Context
On a Layer 2 network running ERPS, if another fault detection protocol (for
example, CFM) is enabled, the MEL field in RAPS PDUs determines whether the
RAPS PDUs can be forwarded. If the MEL value in an ERPS ring is smaller than the
MEL value of the fault detection protocol, the RAPS PDUs have a lower priority
and are discarded. If the MEL value in an ERPS ring is larger than the MEL value of
the fault detection protocol, the RAPS PDUs can be forwarded. In addition, the
MEL value can also be used for interworking with other vendors' devices in an
ERPS ring. The same MEL value ensures smooth communication between devices.


Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run erps ring ring-id
The ERPS ring view is displayed.
Step 3 Run raps-mel level-id
The MEL value in the ERPS ring is set.
By default, the MEL value in RAPS PDUs is 7.
Step 4 Run commit
The configuration is committed.

----End

12.7.1.7 Verifying the ERPS Configuration

Procedure
● Run the display erps [ ring ring-id ] [ verbose ] command to check the
device ports added to an ERPS ring and ERPS ring configurations.
● Run the display erps interface interface-type interface-number
[ ring ring-id ] command to check physical configurations of the port added
to an ERPS ring.
----End

12.7.2 Configuring ERPSv2


When there is no faulty link on a ring network, Ethernet Ring Protection Switching
(ERPS) can eliminate loops on the network. When a link fails on the ring network,
ERPS can immediately restore communication between nodes on the network.
ERPSv2, compatible with ERPSv1, supports multi-ring topologies, in addition to
ERPSv1 functions such as single ring topologies and multi-instance.

12.7.2.1 Creating an ERPS Ring

Context
ERPS works for ERPS rings. An ERPS ring consists of interconnected Layer 2
switching devices configured with the same control VLAN and data VLAN. Before
configuring other ERPS functions, configure an ERPS ring.

Procedure
Step 1 Run system-view
The system view is displayed.


Step 2 Run erps ring ring-id

An ERPS ring is created and the ERPS ring view is displayed.

By default, an ERPS ring configured using the erps ring ring-id command is a
major ring.

Step 3 Run version v2

ERPSv2 is specified.

By default, ERPSv1 is used.

Before specifying ERPSv1 for an ERPSv2-enabled device, delete all ERPS
configurations that ERPSv1 does not support.

Step 4 (Optional) Run sub-ring

The ERPS ring is configured as a sub-ring.

By default, an ERPS ring is a major ring. Major rings are closed, and sub-rings are
open. This step is performed only when an existing ERPS ring needs to be used as
a sub-ring.

An ERPS ring that has a port cannot be configured as a sub-ring. Before
configuring an ERPS ring that has a port as a sub-ring, run the undo erps ring
command in the interface view or the undo port command in the ERPS ring view
to delete the port from the ERPS ring. Then run the sub-ring command to
configure the ERPS ring as a sub-ring.

Step 5 (Optional) Run virtual-channel { enable | disable }

The RAPS PDU transmission mode is specified in the sub-ring.

By default, sub-rings use non-virtual-channels (NVCs) to transmit RAPS PDUs. The
default transmission mode is recommended. This step takes effect only in a
sub-ring.

NOTE

If the virtual-channel enable command is used to set the VC mode for RAPS PDU
transmission in a sub-ring, it is recommended that the control VLAN of the major ring be
used to transmit only the RAPS PDUs of the sub-ring. Otherwise, attackers may use bogus
RAPS PDUs of the sub-ring to form loops or even cause faults in the major ring.

Step 6 (Optional) Run description text

The description is configured for the ERPS ring.

By default, the description of an ERPS ring is the ERPS ring name, for example,
Ring 1.

Step 7 Run commit

The configuration is committed.

----End


12.7.2.2 Configuring the Control VLAN

Context
In an ERPS ring, the control VLAN is used only to forward RAPS PDUs but not
service packets, so the security of ERPS is improved. All the devices in an ERPS ring
must be configured with the same control VLAN, and different ERPS rings must
use different control VLANs.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run erps ring ring-id

The ERPS ring view is displayed.

Step 3 Run control-vlan vlan-id

The control VLAN of the ERPS ring is configured.

● The control VLAN specified by vlan-id must be a VLAN that has not been
created or used.
● If you run the control-vlan command multiple times, only the latest
configuration takes effect.
● If the ERPS ring contains ports, the control VLAN cannot be changed. To
delete the configured control VLAN, run the undo erps ring command in the
interface view or the undo port command in the ERPS ring view to delete
ports from the ERPS ring, and run the undo control-vlan command to delete
the control VLAN.
● After a control VLAN is created, the vlan batch vlan-id1 [ to vlan-id2 ]
&<1-10> command used to create common VLANs is displayed in the
configuration file.
● After a port is added to an ERPS ring configured with a control VLAN, the port
is added to the control VLAN.
– If the port is a trunk port, the port trunk allow-pass vlan vlan-id
command is displayed in the record of the port that has been added to
the ERPS ring in the configuration file.
– If the port is a hybrid port, the port hybrid tagged vlan vlan-id
command is displayed in the record of the port that has been added to
the ERPS ring in the configuration file.

Step 4 Run commit

The configuration is committed.

----End

12.7.2.3 Configuring an ERP Instance and Activating the Mapping Between the ERP Instance and VLAN


Context
On a Layer 2 device running ERPS, the VLAN in which RAPS PDUs and data
packets are transmitted must be mapped to an ERP instance so that ERPS
forwards or blocks the packets based on configured rules. If the mapping is not
configured, the preceding packets may cause broadcast storms on the ring
network. As a result, the network becomes unavailable.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run erps ring ring-id
The ERPS ring view is displayed.
Step 3 Run protected-instance { all | { instance-id1 [ to instance-id2 ] &<1-10> } }
An ERP instance is created for the ERPS ring.
By default, no ERP instance is configured in an ERPS ring.

NOTE

● If you run the protected-instance command multiple times in the same ERPS ring,
multiple ERP instances are configured.
● If the ERPS ring contains ports, the ERP instance cannot be changed. To delete the
configured ERP instance, run the undo erps ring command in the interface view or the
undo port command in the ERPS ring view to delete ports from the ERPS ring, and run
the undo protected-instance command to delete the ERP instance.

Step 4 Run commit


The configuration is committed.
Step 5 Run quit
The system view is displayed.
Step 6 Configure the mapping between an ERP instance and VLAN.
1. Run stp region-configuration
The Multiple Spanning Tree (MST) region view is displayed.
2. Run instance instance-id vlan { vlan-id [ to vlan-id ] } &<1-10>
The mapping between the ERP instance and VLAN is configured.
By default, all VLANs in an MST region are mapped to instance 0.
instance-id in this command must be the same as instance-id used by the
protected-instance command.


NOTE

– A VLAN cannot be mapped to multiple MSTIs. If you map a VLAN that has already
been mapped to an MSTI to another MSTI, the original mapping will be deleted.
– The vlan-mapping modulo modulo command configures the mapping between
MSTIs and VLANs based on the default algorithm. However, the mapping
configured using this command cannot always meet the actual demand. Therefore,
running this command is not recommended.
– To configure the mapping between an ERP instance and a MUX VLAN, you are
advised to configure the principal VLAN, subordinate group VLANs, and
subordinate separate VLANs of the MUX VLAN in the same ERP instance.
Otherwise, loops may occur.
3. Run commit
The configuration is committed.

----End

12.7.2.4 Adding a Layer 2 Port to an ERPS Ring and Configuring the Port Role

Context
After ERPS is configured, add Layer 2 ports to an ERPS ring and configure port
roles so that ERPS can work properly.

You can add a Layer 2 port to an ERPS ring in either of the following ways:
● In the ERPS ring view, add a specified port to the ERPS ring and configure the
port role.
● In the interface view, add the current port to the ERPS ring and configure the
port role.

NOTE

● A port can be added to a maximum of two ERPS rings.
● An ERPS-enabled port needs to allow packets of control VLANs and data VLANs to pass
through, so the link type of the port must be configured as trunk or hybrid.
● Flush-FDB packets for updating MAC addresses cannot be separately sent, so do not
configure a direct link between two upstream nodes as the RPL.
● Before changing the port role, use the shutdown command to disable the port. When
the port role is changed, use the undo shutdown command to enable the port. This
prevents traffic interruptions.

Prerequisites
● The port is not a Layer 3 port. If the port is a Layer 3 port, run the portswitch
command to switch the port to the Layer 2 mode.
● Spanning Tree Protocol (STP) or Smart Link is not enabled on the port.
– If the port has STP enabled, run the stp disable command in the
interface view to disable STP.
– If the port has Smart Link enabled, run the undo port command in the
Smart Link group view to disable Smart Link.


● The control-vlan command has been executed to configure a control VLAN
and the protected-instance command has been executed to configure an
ERP instance.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Add a Layer 2 port to an ERPS ring and configure the port role in either of the
following ways.
● In the ERPS ring view, add a specified port to the ERPS ring and configure the
port role.
a. Run interface interface-type interface-number
The interface view is displayed.
b. Run stp disable
STP is disabled on the ERPS-enabled port.
c. Run port link-type trunk
The link type of the ERPS-enabled port is configured as trunk.
d. Run port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> |
all }
The VLANs allowed by the ERPS-enabled port are specified.
After the control-vlan command is used in the ERPS ring view to
configure a control VLAN and the port interface-type interface-number
[ rpl { owner | neighbour } ] command is configured, the ports in the
ERPS ring allow packets of the control VLAN to pass through. Therefore,
you need to specify only the IDs of data VLANs in this step.
e. Run quit
The system view is displayed.
f. Run erps ring ring-id
The ERPS ring view is displayed.
g. Run port interface-type interface-number [ rpl { owner | neighbour } ]
The port is added to the ERPS ring and its role is configured.
● In the interface view, add the current port to the ERPS ring and configure the
port role.
a. Run interface interface-type interface-number
The specified interface view is displayed.
b. Run stp disable
STP is disabled on the ERPS-enabled port.
c. Run port link-type trunk
The link type of the ERPS-enabled port is configured as trunk.
d. Run port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> |
all }
The VLANs allowed by the ERPS-enabled port are specified.


After the control-vlan command is used in the ERPS ring view to
configure a control VLAN and the port interface-type interface-number
[ rpl { owner | neighbour } ] command is configured, the ports in the
ERPS ring allow packets of the control VLAN to pass through. Therefore,
you need to specify only the IDs of data VLANs in this step.
e. Run erps ring ring-id [ rpl { owner | neighbour } ]
The current port is added to the ERPS ring and its role is configured.

Step 3 Run commit

The configuration is committed.

----End

12.7.2.5 Configuring the Topology Change Notification Function

Context
If an upper-layer Layer 2 network is not notified of the topology change in an
ERPS ring, the MAC address entries remain unchanged on the upper-layer network
and therefore user traffic is interrupted. To ensure nonstop traffic transmission,
configure the topology change notification function and specify the ERPS rings
that will be notified of the topology change.

In addition, if an ERPS ring frequently receives topology change notifications, its
nodes will have lower CPU processing capability and repeatedly update Flush-FDB
packets, consuming much bandwidth. To resolve this problem, set the topology
change protection interval at which topology change notifications are sent to
suppress topology change notification transmission, and set the maximum number
of topology change notifications that can be processed during the topology
change protection interval to prevent frequent MAC address and ARP entry
updates.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run erps ring ring-id

The ERPS ring view is displayed.

Step 3 Run tc-notify erps ring { ring-id1 [ to ring-id2 ] } &<1-10>

The ERPS ring is configured to notify other ERPS rings of its topology change.

ring-id1 [ to ring-id2 ] specifies the start and end ring IDs of the ERPS rings that
will be notified of the topology change. Ensure that the ERPS rings specified by
ring-id1 and ring-id2 exist. If the specified rings do not exist, the topology change
notification function does not take effect.

After the ERPS rings receive the topology change notification from an ERPS ring,
they send Flush-FDB messages on their separate rings to instruct their nodes to
update MAC addresses so that user traffic is not interrupted.


Step 4 (Optional) Run tc-protection interval interval-value
The topology change protection interval at which topology change notification
messages are sent is set.
Step 5 (Optional) Run tc-protection threshold threshold-value
The number of times ERPS parses topology change notifications and updates
forwarding entries in the topology change protection interval is set.
The topology change protection interval is the one specified by the tc-protection
interval command.
Step 6 Run commit
The configuration is committed.

----End

12.7.2.6 (Optional) Configuring ERPS Protection Switching

Context
To ensure that ERPS rings function normally when a node or link fails, configure
revertive/non-revertive switching, port blocking mode, and timers.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run erps ring ring-id
The ERPS ring view is displayed.
Step 3 Run revertive { enable | disable }
The protection switching mode is specified.
By default, ERPS rings use revertive switching.
Step 4 Run quit
Return to the system view.
Step 5 Perform either of the following operations to configure a port blocking mode.
● To configure a port blocking mode for a port in the ERPS ring view, perform
the following steps:
a. Run the erps ring ring-id command to enter the ERPS ring view.
b. Run the port interface-type interface-number protect-switch { force |
manual } command to configure a port blocking mode for an ERPS port.
● To configure a port blocking mode in the interface view, perform the
following steps:
a. Run the interface interface-type interface-number command to enter the
interface view.


b. Run the erps ring ring-id protect-switch { force | manual } command to
configure a port blocking mode for the port.
The ERPS ring specified by ring ring-id must be the one to which the port
belongs.

To delete the specified port blocking mode, run the clear command in the ERPS
ring view.

Step 6 Run quit

Return to the system view.

Step 7 Run commit

The configuration is committed.

----End

12.7.2.7 (Optional) Configuring Timers in an ERPS Ring

Context
After a link or node failure in an ERPS ring recovers, the device starts timers in the
ERPS ring to reduce traffic interruptions. This prevents network flapping.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run erps ring ring-id

The ERPS ring view is displayed.

Step 3 Configure the WTR timer, Guard timer, and Holdoff timer in the ERPS ring
according to actual networking.
● Run wtr-timer time-value
The WTR timer is set.
By default, the WTR timer is 5 minutes in an ERPS ring.
● Run guard-timer time-value
The Guard timer is set.
By default, the Guard timer is 200 centiseconds in an ERPS ring.
● Run holdoff-timer time-value
The Holdoff timer is set.
By default, the Holdoff timer is 0 deciseconds in an ERPS ring.

Step 4 Run commit

The configuration is committed.

----End


12.7.2.8 Verifying the ERPS Configuration

Procedure
● Run the display erps [ ring ring-id ] [ verbose ] command to check the
device ports added to an ERPS ring and ERPS ring configurations.
● Run the display erps interface interface-type interface-number
[ ring ring-id ] command to check physical configurations of the port added
to an ERPS ring.
----End
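
The constraints stated in 12.7.1 and 12.7.2 (a separate control VLAN for each ring, the control VLAN mapped to an ERP instance that the ring protects, ring ports of link type trunk or hybrid with STP disabled, and at most two rings per port) can also be checked offline against a configuration file before it is loaded. The following Python checker is an added example, not part of the Huawei guide; the configuration-file layout, SAMPLE_CONFIG, and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample, not from the guide. Assumed layout: commands indented by
# one space under an unindented view line. Ring 2 reuses control VLAN 10, which
# its protected instance 2 does not contain; 10GE1/0/2 is an access port, STP on.
SAMPLE_CONFIG = """\
stp region-configuration
 instance 1 vlan 10 100 to 200
 instance 2 vlan 300 to 400
#
erps ring 1
 control-vlan 10
 protected-instance 1
erps ring 2
 control-vlan 10
 protected-instance 2
#
interface 10GE1/0/1
 port link-type trunk
 stp disable
 erps ring 1
 erps ring 2
#
interface 10GE1/0/2
 port link-type access
 erps ring 1 rpl owner
"""


def expand(tokens):
    """Expand ['10', '100', 'to', '200'] into the set {10, 100, ..., 200}."""
    out, i = set(), 0
    while i < len(tokens):
        lo = hi = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            hi, i = int(tokens[i + 2]), i + 2
        out.update(range(lo, hi + 1))
        i += 1
    return out


def parse(config):
    """Collect ERPS rings, MST instance-to-VLAN mappings and interface records."""
    rings, inst_vlans, ports, kind, obj = {}, defaultdict(set), {}, None, None
    for raw in config.splitlines():
        words = raw.split()
        if not raw.startswith(" "):              # an unindented line opens a new view
            kind, obj = None, None
            if words[:2] == ["erps", "ring"] and len(words) == 3:
                kind, obj = "ring", rings.setdefault(int(words[2]), {"cvlan": None, "inst": set()})
            elif words[:1] == ["interface"] and len(words) == 2:
                blank = {"type": None, "stp_off": False, "rings": set()}
                kind, obj = "port", ports.setdefault(words[1], blank)
            elif words == ["stp", "region-configuration"]:
                kind = "mst"
        elif kind == "ring" and words[:1] == ["control-vlan"]:
            obj["cvlan"] = int(words[1])             # only the latest command takes effect
        elif kind == "ring" and words[:1] == ["protected-instance"]:
            known = obj["inst"]
            obj["inst"] = "all" if "all" in (words[1], known) else known | expand(words[1:])
        elif kind == "mst" and words[:1] == ["instance"] and words[2:3] == ["vlan"]:
            inst_vlans[int(words[1])] |= expand(words[3:])
        elif kind == "port" and words[:2] == ["port", "link-type"]:
            obj["type"] = words[2]
        elif kind == "port" and words == ["stp", "disable"]:
            obj["stp_off"] = True
        elif kind == "port" and words[:2] == ["erps", "ring"]:
            obj["rings"].add(int(words[2]))          # trailing "rpl ..." role is ignored
    return rings, inst_vlans, ports


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    rings, inst_vlans, ports = parse(config)
    findings, by_cvlan = [], defaultdict(list)
    def instance_of(vlan):                       # unmapped VLANs stay in instance 0
        return next((i for i, vlans in inst_vlans.items() if vlan in vlans), 0)
    for rid, ring in sorted(rings.items()):
        cvlan, inst = ring["cvlan"], ring["inst"]
        if cvlan is not None:
            by_cvlan[cvlan].append(rid)
        if cvlan is None or not inst:
            findings.append(f"ring {rid}: control VLAN or ERP instance is missing")
        elif inst != "all" and instance_of(cvlan) not in inst:
            findings.append(f"ring {rid}: control VLAN {cvlan} is mapped to instance "
                            f"{instance_of(cvlan)}, which the ring does not protect")
    for cvlan, rids in sorted(by_cvlan.items()):
        if len(rids) > 1:
            findings.append(f"control VLAN {cvlan} is shared by rings {rids}")
    for name, port in sorted(ports.items()):
        checks = [(port["type"] not in ("trunk", "hybrid"), "link type is not trunk or hybrid"),
                  (not port["stp_off"], "STP is not disabled"),
                  (len(port["rings"]) > 2, "member of more than two ERPS rings")]
        findings += [f"{name}: {msg}" for bad, msg in checks if bad and port["rings"]]
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Interfaces that belong to no ERPS ring are parsed but never reported, so the checker can be run over a complete configuration file.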

12.8 Maintaining ERPS

12.8.1 Clearing ERPS Statistics

Context
Before recollecting ERPS statistics, run the reset erps command to clear existing
ERPS statistics.

NOTICE

The cleared ERPS statistics cannot be restored. Exercise caution when you run this
command.

Procedure
Step 1 Run the reset erps [ ring ring-id ] statistics command to clear packet statistics in
an ERPS ring.

----End

12.9 Configuration Examples for ERPS

12.9.1 Example for Configuring ERPS Multi-instance

Networking Requirements
Generally, redundant links are used on an Ethernet switching network to provide
link backup and enhance network reliability. The use of redundant links, however,
may produce loops, causing broadcast storms and rendering the MAC address
table unstable. As a result, communication quality deteriorates, and
communication services may even be interrupted.


To prevent loops caused by redundant links, enable ERPS on the nodes of the ring
network. ERPS is a Layer 2 loop-breaking protocol defined by the ITU-T that
provides fast convergence meeting carrier-class reliability standards.
Figure 12-17 shows a network on which a multi-instance ERPS ring is used.
SwitchA through SwitchD constitute a ring network at the aggregation layer to
implement service aggregation at Layer 2 and process Layer 3 services. ERPS is
used on the ring network to provide protection switching for Layer 2 redundant
links. ERPS ring 1 and ERPS ring 2 are configured on SwitchA through SwitchD. P1
on SwitchB is a blocked port in ERPS ring 1, and P2 on SwitchA is a blocked port in
ERPS ring 2, implementing load balancing and link backup.

Figure 12-17 ERPS multi-instance networking

[Figure: Network, Router1, and Router2 sit above a ring formed by SwitchA, SwitchB,
SwitchC, and SwitchD, interconnected through ports 10GE1/0/1 and 10GE1/0/2. P1 and
P2 mark the blocked ports, and VLANs 100~200 and 300~400 are shown. Legend: ERPS
ring1, ERPS ring2, Blocked Port1, Blocked Port2, Data Flow1, Data Flow2.]


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the link type of all ports to be added to ERPS rings as trunk.
2. Create ERPS rings and configure control VLANs and Ethernet Ring Protection
(ERP) instances in the ERPS rings.
3. Add Layer 2 ports to ERPS rings and specify port roles.
4. Configure the Guard timers and WTR timers in the ERPS rings.
5. Configure Layer 2 forwarding on SwitchA through SwitchD.

Procedure
Step 1 Configure the link type of all ports to be added to an ERPS ring as trunk.
# Configure SwitchA.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[*HUAWEI] commit
[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] port link-type trunk
[*SwitchA-10GE1/0/1] commit
[~SwitchA-10GE1/0/1] quit
[~SwitchA] interface 10ge 1/0/2
[~SwitchA-10GE1/0/2] port link-type trunk
[*SwitchA-10GE1/0/2] commit
[~SwitchA-10GE1/0/2] quit

# Configure SwitchB.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchB
[*HUAWEI] commit
[~SwitchB] interface 10ge 1/0/1
[~SwitchB-10GE1/0/1] port link-type trunk
[*SwitchB-10GE1/0/1] commit
[~SwitchB-10GE1/0/1] quit
[~SwitchB] interface 10ge 1/0/2
[~SwitchB-10GE1/0/2] port link-type trunk
[*SwitchB-10GE1/0/2] commit
[~SwitchB-10GE1/0/2] quit

# Configure SwitchC.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchC
[*HUAWEI] commit
[~SwitchC] interface 10ge 1/0/1
[~SwitchC-10GE1/0/1] port link-type trunk
[*SwitchC-10GE1/0/1] commit
[~SwitchC-10GE1/0/1] quit
[~SwitchC] interface 10ge 1/0/2
[~SwitchC-10GE1/0/2] port link-type trunk
[*SwitchC-10GE1/0/2] commit
[~SwitchC-10GE1/0/2] quit

# Configure SwitchD.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchD
[*HUAWEI] commit
[~SwitchD] interface 10ge 1/0/1
[~SwitchD-10GE1/0/1] port link-type trunk
[*SwitchD-10GE1/0/1] commit
[~SwitchD-10GE1/0/1] quit
[~SwitchD] interface 10ge 1/0/2
[~SwitchD-10GE1/0/2] port link-type trunk
[*SwitchD-10GE1/0/2] commit
[~SwitchD-10GE1/0/2] quit

Step 2 Create ERPS ring 1 and ERPS ring 2 and configure ERP instances in the two rings.
Set the control VLAN ID of ERPS ring 1 to 10 and the control VLAN ID of ERPS ring
2 to 20. Enable ERPS ring 1 to transmit data packets from VLANs 100 to 200 and
enable ERPS ring 2 to transmit data packets from VLANs 300 to 400.
# Configure SwitchA.
[~SwitchA] erps ring 1
[*SwitchA-erps-ring1] control-vlan 10
[*SwitchA-erps-ring1] protected-instance 1
[*SwitchA-erps-ring1] commit
[~SwitchA-erps-ring1] quit
[~SwitchA] stp region-configuration
[~SwitchA-mst-region] instance 1 vlan 10 100 to 200
[*SwitchA-mst-region] commit
[~SwitchA-mst-region] quit
[~SwitchA] erps ring 2
[*SwitchA-erps-ring2] control-vlan 20
[*SwitchA-erps-ring2] protected-instance 2
[*SwitchA-erps-ring2] commit
[~SwitchA-erps-ring2] quit
[~SwitchA] stp region-configuration
[~SwitchA-mst-region] instance 2 vlan 20 300 to 400
[*SwitchA-mst-region] commit
[~SwitchA-mst-region] quit

# Configure SwitchB.
[~SwitchB] erps ring 1
[*SwitchB-erps-ring1] control-vlan 10
[*SwitchB-erps-ring1] protected-instance 1
[*SwitchB-erps-ring1] commit
[~SwitchB-erps-ring1] quit
[~SwitchB] stp region-configuration
[~SwitchB-mst-region] instance 1 vlan 10 100 to 200
[*SwitchB-mst-region] commit
[~SwitchB-mst-region] quit
[~SwitchB] erps ring 2
[*SwitchB-erps-ring2] control-vlan 20
[*SwitchB-erps-ring2] protected-instance 2
[*SwitchB-erps-ring2] commit
[~SwitchB-erps-ring2] quit
[~SwitchB] stp region-configuration
[~SwitchB-mst-region] instance 2 vlan 20 300 to 400
[*SwitchB-mst-region] commit
[~SwitchB-mst-region] quit

# Configure SwitchC.
[~SwitchC] erps ring 1
[*SwitchC-erps-ring1] control-vlan 10
[*SwitchC-erps-ring1] protected-instance 1
[*SwitchC-erps-ring1] commit
[~SwitchC-erps-ring1] quit
[~SwitchC] stp region-configuration
[~SwitchC-mst-region] instance 1 vlan 10 100 to 200
[*SwitchC-mst-region] commit
[~SwitchC-mst-region] quit
[~SwitchC] erps ring 2
[*SwitchC-erps-ring2] control-vlan 20
[*SwitchC-erps-ring2] protected-instance 2
[*SwitchC-erps-ring2] commit
[~SwitchC-erps-ring2] quit
[~SwitchC] stp region-configuration
[~SwitchC-mst-region] instance 2 vlan 20 300 to 400
[*SwitchC-mst-region] commit
[~SwitchC-mst-region] quit

# Configure SwitchD.
[~SwitchD] erps ring 1
[*SwitchD-erps-ring1] control-vlan 10
[*SwitchD-erps-ring1] protected-instance 1
[*SwitchD-erps-ring1] commit
[~SwitchD-erps-ring1] quit
[~SwitchD] stp region-configuration
[~SwitchD-mst-region] instance 1 vlan 10 100 to 200
[*SwitchD-mst-region] commit
[~SwitchD-mst-region] quit
[~SwitchD] erps ring 2
[*SwitchD-erps-ring2] control-vlan 20
[*SwitchD-erps-ring2] protected-instance 2
[*SwitchD-erps-ring2] commit
[~SwitchD-erps-ring2] quit
[~SwitchD] stp region-configuration
[~SwitchD-mst-region] instance 2 vlan 20 300 to 400
[*SwitchD-mst-region] commit
[~SwitchD-mst-region] quit

Step 3 Add Layer 2 ports to ERPS rings and specify port roles. Configure 10GE 1/0/1 on
SwitchA and 10GE 1/0/2 on SwitchB as their respective RPL owner ports.
# Configure SwitchA.
[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] stp disable
[*SwitchA-10GE1/0/1] erps ring 1
[*SwitchA-10GE1/0/1] erps ring 2 rpl owner
[*SwitchA-10GE1/0/1] commit
[~SwitchA-10GE1/0/1] quit
[~SwitchA] interface 10ge 1/0/2
[~SwitchA-10GE1/0/2] stp disable
[*SwitchA-10GE1/0/2] erps ring 1
[*SwitchA-10GE1/0/2] erps ring 2
[*SwitchA-10GE1/0/2] commit
[~SwitchA-10GE1/0/2] quit

# Configure SwitchB.
[~SwitchB] interface 10ge 1/0/1
[~SwitchB-10GE1/0/1] stp disable
[*SwitchB-10GE1/0/1] erps ring 1
[*SwitchB-10GE1/0/1] erps ring 2
[*SwitchB-10GE1/0/1] commit
[~SwitchB-10GE1/0/1] quit
[~SwitchB] interface 10ge 1/0/2
[~SwitchB-10GE1/0/2] stp disable
[*SwitchB-10GE1/0/2] erps ring 1 rpl owner
[*SwitchB-10GE1/0/2] erps ring 2
[*SwitchB-10GE1/0/2] commit
[~SwitchB-10GE1/0/2] quit

# Configure SwitchC.
[~SwitchC] interface 10ge 1/0/1
[~SwitchC-10GE1/0/1] stp disable
[*SwitchC-10GE1/0/1] erps ring 1
[*SwitchC-10GE1/0/1] erps ring 2
[*SwitchC-10GE1/0/1] commit
[~SwitchC-10GE1/0/1] quit
[~SwitchC] interface 10ge 1/0/2
[~SwitchC-10GE1/0/2] stp disable
[*SwitchC-10GE1/0/2] erps ring 1
[*SwitchC-10GE1/0/2] erps ring 2
[*SwitchC-10GE1/0/2] commit
[~SwitchC-10GE1/0/2] quit

# Configure SwitchD.
[~SwitchD] interface 10ge 1/0/1
[~SwitchD-10GE1/0/1] stp disable
[*SwitchD-10GE1/0/1] erps ring 1
[*SwitchD-10GE1/0/1] erps ring 2
[*SwitchD-10GE1/0/1] commit
[~SwitchD-10GE1/0/1] quit
[~SwitchD] interface 10ge 1/0/2
[~SwitchD-10GE1/0/2] stp disable
[*SwitchD-10GE1/0/2] erps ring 1
[*SwitchD-10GE1/0/2] erps ring 2
[*SwitchD-10GE1/0/2] commit
[~SwitchD-10GE1/0/2] quit

Step 4 Configure the Guard timers and WTR timers in the ERPS rings.
# Configure SwitchA.
[~SwitchA] erps ring 1
[~SwitchA-erps-ring1] wtr-timer 6
[*SwitchA-erps-ring1] guard-timer 100
[*SwitchA-erps-ring1] commit
[~SwitchA-erps-ring1] quit
[~SwitchA] erps ring 2
[~SwitchA-erps-ring2] wtr-timer 6
[*SwitchA-erps-ring2] guard-timer 100
[*SwitchA-erps-ring2] commit
[~SwitchA-erps-ring2] quit

# Configure SwitchB.
[~SwitchB] erps ring 1
[~SwitchB-erps-ring1] wtr-timer 6
[*SwitchB-erps-ring1] guard-timer 100
[*SwitchB-erps-ring1] commit
[~SwitchB-erps-ring1] quit
[~SwitchB] erps ring 2
[~SwitchB-erps-ring2] wtr-timer 6
[*SwitchB-erps-ring2] guard-timer 100
[*SwitchB-erps-ring2] commit
[~SwitchB-erps-ring2] quit

# Configure SwitchC.
[~SwitchC] erps ring 1
[~SwitchC-erps-ring1] wtr-timer 6
[*SwitchC-erps-ring1] guard-timer 100
[*SwitchC-erps-ring1] commit
[~SwitchC-erps-ring1] quit
[~SwitchC] erps ring 2
[~SwitchC-erps-ring2] wtr-timer 6
[*SwitchC-erps-ring2] guard-timer 100
[*SwitchC-erps-ring2] commit
[~SwitchC-erps-ring2] quit

# Configure SwitchD.
[~SwitchD] erps ring 1
[~SwitchD-erps-ring1] wtr-timer 6
[*SwitchD-erps-ring1] guard-timer 100
[*SwitchD-erps-ring1] commit
[~SwitchD-erps-ring1] quit
[~SwitchD] erps ring 2
[~SwitchD-erps-ring2] wtr-timer 6
[*SwitchD-erps-ring2] guard-timer 100
[*SwitchD-erps-ring2] commit
[~SwitchD-erps-ring2] quit

Step 5 Configure Layer 2 forwarding on SwitchA through SwitchD.
# Configure SwitchA.
[~SwitchA] vlan batch 100 to 200 300 to 400
[*SwitchA] commit
[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] port trunk allow-pass vlan 100 to 200 300 to 400
[*SwitchA-10GE1/0/1] commit
[~SwitchA-10GE1/0/1] quit
[~SwitchA] interface 10ge 1/0/2
[~SwitchA-10GE1/0/2] port trunk allow-pass vlan 100 to 200 300 to 400
[*SwitchA-10GE1/0/2] commit
[~SwitchA-10GE1/0/2] quit

# Configure SwitchB.
[~SwitchB] vlan batch 100 to 200 300 to 400
[*SwitchB] commit
[~SwitchB] interface 10ge 1/0/1
[~SwitchB-10GE1/0/1] port trunk allow-pass vlan 100 to 200 300 to 400
[*SwitchB-10GE1/0/1] commit
[~SwitchB-10GE1/0/1] quit
[~SwitchB] interface 10ge 1/0/2
[~SwitchB-10GE1/0/2] port trunk allow-pass vlan 100 to 200 300 to 400
[*SwitchB-10GE1/0/2] commit
[~SwitchB-10GE1/0/2] quit

# Configure SwitchC.
[~SwitchC] vlan batch 100 to 200 300 to 400
[*SwitchC] commit
[~SwitchC] interface 10ge 1/0/1
[~SwitchC-10GE1/0/1] port trunk allow-pass vlan 100 to 200 300 to 400
[*SwitchC-10GE1/0/1] commit
[~SwitchC-10GE1/0/1] quit
[~SwitchC] interface 10ge 1/0/2
[~SwitchC-10GE1/0/2] port trunk allow-pass vlan 100 to 200 300 to 400
[*SwitchC-10GE1/0/2] commit
[~SwitchC-10GE1/0/2] quit

# Configure SwitchD.
[~SwitchD] vlan batch 100 to 200 300 to 400
[*SwitchD] commit
[~SwitchD] interface 10ge 1/0/1
[~SwitchD-10GE1/0/1] port trunk allow-pass vlan 100 to 200 300 to 400
[*SwitchD-10GE1/0/1] commit
[~SwitchD-10GE1/0/1] quit
[~SwitchD] interface 10ge 1/0/2
[~SwitchD-10GE1/0/2] port trunk allow-pass vlan 100 to 200 300 to 400
[*SwitchD-10GE1/0/2] commit
[~SwitchD-10GE1/0/2] quit

Step 6 Verify the configuration.
# After the network becomes stable, run the display erps command to check brief
information about the ERPS ring and ports added to the ERPS ring. SwitchB is used
as an example.
[~SwitchB] display erps
D : Discarding
F : Forwarding
R : RPL Owner
N : RPL Neighbour
FS : Forced Switch
MS : Manual Switch
Total number of rings configured = 2
Ring  Control  WTR Timer  Guard Timer  Port 1              Port 2
ID    VLAN     (min)      (csec)
--------------------------------------------------------------------------------
   1       10          6          100  (F)10GE1/0/1        (D,R)10GE1/0/2
   2       20          6          100  (F)10GE1/0/1        (F)10GE1/0/2
--------------------------------------------------------------------------------

# Run the display erps verbose command to check detailed information about
the ERPS ring and ports added to the ERPS ring. SwitchB is used as an example.
[~SwitchB] display erps verbose
Ring ID                                  : 1
Description                              : Ring 1
Control Vlan                             : 10
Protected Instance                       : 1
Service Vlan                             : 100 to 200
WTR Timer Setting (min)                  : 6      Running (s)              : 0
Guard Timer Setting (csec)               : 100    Running (csec)           : 0
Holdoff Timer Setting (deciseconds)      : 0      Running (deciseconds)    : 0
WTB Timer Running (csec)                 : 0
Ring State                               : Idle
RAPS_MEL                                 : 7
Revertive Mode                           : Revertive
R-APS Channel Mode                       : -
Version                                  : 1
Sub-ring                                 : No
Forced Switch Port                       : -
Manual Switch Port                       : -
TC-Notify                                : -
Time since last topology change          : 0 days 0h:35m:5s
--------------------------------------------------------------------------------
Port            Port Role     Port Status     Signal Status
--------------------------------------------------------------------------------
10GE1/0/1       Common        Forwarding      Non-failed
10GE1/0/2       RPL Owner     Discarding      Non-failed

Ring ID                                  : 2
Description                              : Ring 2
Control Vlan                             : 20
Protected Instance                       : 2
Service Vlan                             : 300 to 400
WTR Timer Setting (min)                  : 6      Running (s)              : 0
Guard Timer Setting (csec)               : 100    Running (csec)           : 0
Holdoff Timer Setting (deciseconds)      : 0      Running (deciseconds)    : 0
WTB Timer Running (csec)                 : 0
Ring State                               : Idle
RAPS_MEL                                 : 7
Revertive Mode                           : Revertive
R-APS Channel Mode                       : -
Version                                  : 1
Sub-ring                                 : No
Forced Switch Port                       : -
Manual Switch Port                       : -
TC-Notify                                : -
Time since last topology change          : 0 days 0h:35m:30s
--------------------------------------------------------------------------------
Port            Port Role     Port Status     Signal Status
--------------------------------------------------------------------------------
10GE1/0/1       Common        Forwarding      Non-failed
10GE1/0/2       Common        Forwarding      Non-failed

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20 100 to 200 300 to 400
#
stp region-configuration
instance 1 vlan 10 100 to 200
instance 2 vlan 20 300 to 400
#
erps ring 1
control-vlan 10
protected-instance 1
wtr-timer 6
guard-timer 100
#
erps ring 2
control-vlan 20
protected-instance 2
wtr-timer 6
guard-timer 100
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 100 to 200 300 to 400
stp disable
erps ring 1
erps ring 2 rpl owner
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 100 to 200 300 to 400
stp disable
erps ring 1
erps ring 2
#
return

● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 20 100 to 200 300 to 400
#
stp region-configuration
instance 1 vlan 10 100 to 200
instance 2 vlan 20 300 to 400
#
erps ring 1
control-vlan 10
protected-instance 1
wtr-timer 6
guard-timer 100
#
erps ring 2
control-vlan 20
protected-instance 2
wtr-timer 6
guard-timer 100
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 100 to 200 300 to 400
stp disable
erps ring 1
erps ring 2
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 100 to 200 300 to 400
stp disable
erps ring 1 rpl owner
erps ring 2
#
return
● SwitchC configuration file
#
sysname SwitchC
#
vlan batch 10 20 100 to 200 300 to 400
#
stp region-configuration
instance 1 vlan 10 100 to 200
instance 2 vlan 20 300 to 400
#
erps ring 1
control-vlan 10
protected-instance 1
wtr-timer 6
guard-timer 100
#
erps ring 2
control-vlan 20
protected-instance 2
wtr-timer 6
guard-timer 100
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 100 to 200 300 to 400
stp disable
erps ring 1
erps ring 2
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 100 to 200 300 to 400
stp disable
erps ring 1
erps ring 2
#
return
● SwitchD configuration file
#
sysname SwitchD
#
vlan batch 10 20 100 to 200 300 to 400
#
stp region-configuration
instance 1 vlan 10 100 to 200
instance 2 vlan 20 300 to 400
#
erps ring 1
control-vlan 10
protected-instance 1
wtr-timer 6
guard-timer 100
#
erps ring 2
control-vlan 20
protected-instance 2
wtr-timer 6
guard-timer 100
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 100 to 200 300 to 400
stp disable
erps ring 1
erps ring 2
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 100 to 200 300 to 400
stp disable
erps ring 1
erps ring 2
#
return

12.9.2 Example for Configuring an ERPS Multi-ring Network

Networking Requirements
Generally, redundant links are used on an Ethernet switching network to provide
link backup and enhance network reliability. The use of redundant links, however,
may produce loops, causing broadcast storms and rendering the MAC address
table unstable. As a result, communication quality deteriorates, and
communication services may even be interrupted.
To prevent loops caused by redundant links, enable ERPS on the nodes of the ring
network. ERPS is a Layer 2 loop-breaking protocol defined by the ITU-T that
provides fast convergence meeting carrier-class reliability standards.
On the ERPS multi-ring network shown in Figure 12-18, SwitchA, SwitchB, and
SwitchD constitute a major ring, and SwitchA, SwitchC, and SwitchD constitute a
sub-ring.

Figure 12-18 ERPS multi-ring networking

[Figure omitted. Labels: Network, Router1, Router2, SwitchA and SwitchD (ports 10GE1/0/1, 10GE1/0/2, 10GE1/0/3), SwitchB and SwitchC (ports 10GE1/0/1, 10GE1/0/2), major ring, sub-ring, RPL owner.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the link type of all ports to be added to ERPS rings as trunk.
2. Create ERPS rings and configure control VLANs and Ethernet Ring Protection
(ERP) instances in the ERPS rings.
3. Specify the ERPS version and configure a sub-ring.
4. Add Layer 2 ports to ERPS rings and specify port roles.
5. Configure the topology change notification and TC protection.
6. Configure the Guard timers and WTR timers in the ERPS rings.
7. Configure Layer 2 forwarding on SwitchA through SwitchD.

Procedure
Step 1 Configure the link type of all ports to be added to ERPS rings as trunk.
# Configure SwitchA.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[*HUAWEI] commit
[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] port link-type trunk
[*SwitchA-10GE1/0/1] commit
[~SwitchA-10GE1/0/1] quit
[~SwitchA] interface 10ge 1/0/2
[~SwitchA-10GE1/0/2] port link-type trunk
[*SwitchA-10GE1/0/2] commit
[~SwitchA-10GE1/0/2] quit
[~SwitchA] interface 10ge 1/0/3
[~SwitchA-10GE1/0/3] port link-type trunk
[*SwitchA-10GE1/0/3] commit
[~SwitchA-10GE1/0/3] quit

# Configure SwitchB.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchB
[*HUAWEI] commit
[~SwitchB] interface 10ge 1/0/1
[~SwitchB-10GE1/0/1] port link-type trunk
[*SwitchB-10GE1/0/1] commit
[~SwitchB-10GE1/0/1] quit
[~SwitchB] interface 10ge 1/0/2
[~SwitchB-10GE1/0/2] port link-type trunk
[*SwitchB-10GE1/0/2] commit
[~SwitchB-10GE1/0/2] quit

# Configure SwitchC.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchC
[*HUAWEI] commit
[~SwitchC] interface 10ge 1/0/1
[~SwitchC-10GE1/0/1] port link-type trunk
[*SwitchC-10GE1/0/1] commit
[~SwitchC-10GE1/0/1] quit
[~SwitchC] interface 10ge 1/0/2
[~SwitchC-10GE1/0/2] port link-type trunk
[*SwitchC-10GE1/0/2] commit
[~SwitchC-10GE1/0/2] quit

# Configure SwitchD.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchD
[*HUAWEI] commit
[~SwitchD] interface 10ge 1/0/1
[~SwitchD-10GE1/0/1] port link-type trunk
[*SwitchD-10GE1/0/1] commit
[~SwitchD-10GE1/0/1] quit
[~SwitchD] interface 10ge 1/0/2
[~SwitchD-10GE1/0/2] port link-type trunk
[*SwitchD-10GE1/0/2] commit
[~SwitchD-10GE1/0/2] quit
[~SwitchD] interface 10ge 1/0/3
[~SwitchD-10GE1/0/3] port link-type trunk
[*SwitchD-10GE1/0/3] commit
[~SwitchD-10GE1/0/3] quit

Step 2 Create ERPS ring 1 and ERPS ring 2 and configure ERP instances in the two rings.
Set the control VLAN ID of ERPS ring 1 to 10 and the control VLAN ID of ERPS ring
2 to 20. Enable ERPS ring 1 to transmit data packets from VLANs 100 to 200 and
enable ERPS ring 2 to transmit data packets from VLANs 300 to 400.
NOTE

A VLAN cannot be mapped to multiple MSTIs. If you map a VLAN that has already been
mapped to an MSTI to another MSTI, the original mapping will be deleted.

# Configure SwitchA.
[~SwitchA] erps ring 1
[*SwitchA-erps-ring1] control-vlan 10
[*SwitchA-erps-ring1] protected-instance 1
[*SwitchA-erps-ring1] commit
[~SwitchA-erps-ring1] quit
[~SwitchA] stp region-configuration
[~SwitchA-mst-region] instance 1 vlan 10 100 to 200
[*SwitchA-mst-region] commit
[~SwitchA-mst-region] quit
[~SwitchA] erps ring 2
[*SwitchA-erps-ring2] control-vlan 20
[*SwitchA-erps-ring2] protected-instance 2
[*SwitchA-erps-ring2] commit
[~SwitchA-erps-ring2] quit
[~SwitchA] stp region-configuration
[~SwitchA-mst-region] instance 2 vlan 20 300 to 400
[*SwitchA-mst-region] commit
[~SwitchA-mst-region] quit

# Configure SwitchB.
[~SwitchB] erps ring 1
[*SwitchB-erps-ring1] control-vlan 10
[*SwitchB-erps-ring1] protected-instance 1
[*SwitchB-erps-ring1] commit
[~SwitchB-erps-ring1] quit
[~SwitchB] stp region-configuration
[~SwitchB-mst-region] instance 1 vlan 10 100 to 200
[*SwitchB-mst-region] commit
[~SwitchB-mst-region] quit

# Configure SwitchC.
[~SwitchC] erps ring 2
[*SwitchC-erps-ring2] control-vlan 20
[*SwitchC-erps-ring2] protected-instance 2
[*SwitchC-erps-ring2] commit
[~SwitchC-erps-ring2] quit
[~SwitchC] stp region-configuration
[~SwitchC-mst-region] instance 2 vlan 20 300 to 400
[*SwitchC-mst-region] commit
[~SwitchC-mst-region] quit

# Configure SwitchD.
[~SwitchD] erps ring 1
[*SwitchD-erps-ring1] control-vlan 10
[*SwitchD-erps-ring1] protected-instance 1
[*SwitchD-erps-ring1] commit
[~SwitchD-erps-ring1] quit
[~SwitchD] stp region-configuration
[~SwitchD-mst-region] instance 1 vlan 10 100 to 200
[*SwitchD-mst-region] commit
[~SwitchD-mst-region] quit
[~SwitchD] erps ring 2
[*SwitchD-erps-ring2] control-vlan 20
[*SwitchD-erps-ring2] protected-instance 2
[*SwitchD-erps-ring2] commit
[~SwitchD-erps-ring2] quit
[~SwitchD] stp region-configuration
[~SwitchD-mst-region] instance 2 vlan 20 300 to 400
[*SwitchD-mst-region] commit
[~SwitchD-mst-region] quit

Step 3 Specify ERPSv2 and configure ERPS ring 2 as a sub-ring.

# Configure SwitchA.
[~SwitchA] erps ring 1
[~SwitchA-erps-ring1] version v2
[*SwitchA-erps-ring1] commit
[~SwitchA-erps-ring1] quit
[~SwitchA] erps ring 2
[~SwitchA-erps-ring2] version v2
[*SwitchA-erps-ring2] sub-ring
[*SwitchA-erps-ring2] commit
[~SwitchA-erps-ring2] quit

# Configure SwitchB.
[~SwitchB] erps ring 1
[~SwitchB-erps-ring1] version v2
[*SwitchB-erps-ring1] commit
[~SwitchB-erps-ring1] quit

# Configure SwitchC.
[~SwitchC] erps ring 2
[~SwitchC-erps-ring2] version v2
[*SwitchC-erps-ring2] sub-ring
[*SwitchC-erps-ring2] commit
[~SwitchC-erps-ring2] quit

# Configure SwitchD.
[~SwitchD] erps ring 1
[~SwitchD-erps-ring1] version v2
[*SwitchD-erps-ring1] commit
[~SwitchD-erps-ring1] quit
[~SwitchD] erps ring 2
[~SwitchD-erps-ring2] version v2
[*SwitchD-erps-ring2] sub-ring
[*SwitchD-erps-ring2] commit
[~SwitchD-erps-ring2] quit

Step 4 Add the ports to ERPS rings and specify port roles. Configure 10GE 1/0/1 on
SwitchB and 10GE 1/0/1 on SwitchC as their respective RPL owner ports.
# Configure SwitchA.
[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] stp disable
[*SwitchA-10GE1/0/1] erps ring 1
[*SwitchA-10GE1/0/1] commit
[~SwitchA-10GE1/0/1] quit
[~SwitchA] interface 10ge 1/0/2
[~SwitchA-10GE1/0/2] stp disable
[*SwitchA-10GE1/0/2] erps ring 1
[*SwitchA-10GE1/0/2] erps ring 2
[*SwitchA-10GE1/0/2] commit
[~SwitchA-10GE1/0/2] quit
[~SwitchA] interface 10ge 1/0/3
[~SwitchA-10GE1/0/3] stp disable
[*SwitchA-10GE1/0/3] erps ring 2
[*SwitchA-10GE1/0/3] commit
[~SwitchA-10GE1/0/3] quit

# Configure SwitchB.
[~SwitchB] interface 10ge 1/0/1
[~SwitchB-10GE1/0/1] stp disable
[*SwitchB-10GE1/0/1] erps ring 1 rpl owner
[*SwitchB-10GE1/0/1] commit
[~SwitchB-10GE1/0/1] quit
[~SwitchB] interface 10ge 1/0/2
[~SwitchB-10GE1/0/2] stp disable
[*SwitchB-10GE1/0/2] erps ring 1
[*SwitchB-10GE1/0/2] commit
[~SwitchB-10GE1/0/2] quit

# Configure SwitchC.
[~SwitchC] interface 10ge 1/0/1
[~SwitchC-10GE1/0/1] stp disable
[*SwitchC-10GE1/0/1] erps ring 2 rpl owner
[*SwitchC-10GE1/0/1] commit
[~SwitchC-10GE1/0/1] quit
[~SwitchC] interface 10ge 1/0/2
[~SwitchC-10GE1/0/2] stp disable
[*SwitchC-10GE1/0/2] erps ring 2
[*SwitchC-10GE1/0/2] commit
[~SwitchC-10GE1/0/2] quit

# Configure SwitchD.
[~SwitchD] interface 10ge 1/0/1
[~SwitchD-10GE1/0/1] stp disable
[*SwitchD-10GE1/0/1] erps ring 1
[*SwitchD-10GE1/0/1] commit
[~SwitchD-10GE1/0/1] quit
[~SwitchD] interface 10ge 1/0/2
[~SwitchD-10GE1/0/2] stp disable
[*SwitchD-10GE1/0/2] erps ring 1
[*SwitchD-10GE1/0/2] erps ring 2
[*SwitchD-10GE1/0/2] commit
[~SwitchD-10GE1/0/2] quit
[~SwitchD] interface 10ge 1/0/3
[~SwitchD-10GE1/0/3] stp disable
[*SwitchD-10GE1/0/3] erps ring 2
[*SwitchD-10GE1/0/3] commit
[~SwitchD-10GE1/0/3] quit

Step 5 Configure the topology change notification function and TC protection on SwitchA
and SwitchD (interconnecting nodes).

# Configure SwitchA.
[~SwitchA] erps ring 1
[~SwitchA-erps-ring1] tc-protection interval 200
[*SwitchA-erps-ring1] tc-protection threshold 60
[*SwitchA-erps-ring1] commit
[~SwitchA-erps-ring1] quit
[~SwitchA] erps ring 2
[~SwitchA-erps-ring2] tc-notify erps ring 1
[*SwitchA-erps-ring2] commit
[~SwitchA-erps-ring2] quit

# Configure SwitchD.
[~SwitchD] erps ring 1
[~SwitchD-erps-ring1] tc-protection interval 200
[*SwitchD-erps-ring1] tc-protection threshold 60
[*SwitchD-erps-ring1] commit
[~SwitchD-erps-ring1] quit
[~SwitchD] erps ring 2
[~SwitchD-erps-ring2] tc-notify erps ring 1
[*SwitchD-erps-ring2] commit
[~SwitchD-erps-ring2] quit

Step 6 Configure the Guard timers and WTR timers in the ERPS rings.

# Configure SwitchA.
[~SwitchA] erps ring 1
[~SwitchA-erps-ring1] wtr-timer 6
[*SwitchA-erps-ring1] guard-timer 100
[*SwitchA-erps-ring1] commit
[~SwitchA-erps-ring1] quit
[~SwitchA] erps ring 2
[~SwitchA-erps-ring2] wtr-timer 6
[*SwitchA-erps-ring2] guard-timer 100
[*SwitchA-erps-ring2] commit
[~SwitchA-erps-ring2] quit

# Configure SwitchB.
[~SwitchB] erps ring 1
[~SwitchB-erps-ring1] wtr-timer 6
[*SwitchB-erps-ring1] guard-timer 100
[*SwitchB-erps-ring1] commit
[~SwitchB-erps-ring1] quit

# Configure SwitchC.
[~SwitchC] erps ring 2
[~SwitchC-erps-ring2] wtr-timer 6
[*SwitchC-erps-ring2] guard-timer 100
[*SwitchC-erps-ring2] commit
[~SwitchC-erps-ring2] quit

# Configure SwitchD.
[~SwitchD] erps ring 1
[~SwitchD-erps-ring1] wtr-timer 6
[*SwitchD-erps-ring1] guard-timer 100
[*SwitchD-erps-ring1] commit
[~SwitchD-erps-ring1] quit
[~SwitchD] erps ring 2
[~SwitchD-erps-ring2] wtr-timer 6
[*SwitchD-erps-ring2] guard-timer 100
[*SwitchD-erps-ring2] commit
[~SwitchD-erps-ring2] quit

Step 7 Configure Layer 2 forwarding on SwitchA through SwitchD.

# Configure SwitchA.
[~SwitchA] vlan batch 100 to 200 300 to 400
[*SwitchA] commit
[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] port trunk allow-pass vlan 100 to 200
[*SwitchA-10GE1/0/1] commit
[~SwitchA-10GE1/0/1] quit
[~SwitchA] interface 10ge 1/0/2
[~SwitchA-10GE1/0/2] port trunk allow-pass vlan 100 to 200 300 to 400
[*SwitchA-10GE1/0/2] commit
[~SwitchA-10GE1/0/2] quit
[~SwitchA] interface 10ge 1/0/3
[~SwitchA-10GE1/0/3] port trunk allow-pass vlan 300 to 400
[*SwitchA-10GE1/0/3] commit
[~SwitchA-10GE1/0/3] quit

# Configure SwitchB.
[~SwitchB] vlan batch 100 to 200
[*SwitchB] commit
[~SwitchB] interface 10ge 1/0/1
[~SwitchB-10GE1/0/1] port trunk allow-pass vlan 100 to 200
[*SwitchB-10GE1/0/1] commit
[~SwitchB-10GE1/0/1] quit
[~SwitchB] interface 10ge 1/0/2
[~SwitchB-10GE1/0/2] port trunk allow-pass vlan 100 to 200
[*SwitchB-10GE1/0/2] commit
[~SwitchB-10GE1/0/2] quit

# Configure SwitchC.
[~SwitchC] vlan batch 300 to 400
[*SwitchC] commit
[~SwitchC] interface 10ge 1/0/1
[~SwitchC-10GE1/0/1] port trunk allow-pass vlan 300 to 400
[*SwitchC-10GE1/0/1] commit
[~SwitchC-10GE1/0/1] quit
[~SwitchC] interface 10ge 1/0/2
[~SwitchC-10GE1/0/2] port trunk allow-pass vlan 300 to 400
[*SwitchC-10GE1/0/2] commit
[~SwitchC-10GE1/0/2] quit

# Configure SwitchD.
[~SwitchD] vlan batch 100 to 200 300 to 400
[*SwitchD] commit
[~SwitchD] interface 10ge 1/0/1
[~SwitchD-10GE1/0/1] port trunk allow-pass vlan 100 to 200
[*SwitchD-10GE1/0/1] commit
[~SwitchD-10GE1/0/1] quit
[~SwitchD] interface 10ge 1/0/2
[~SwitchD-10GE1/0/2] port trunk allow-pass vlan 100 to 200 300 to 400
[*SwitchD-10GE1/0/2] commit
[~SwitchD-10GE1/0/2] quit
[~SwitchD] interface 10ge 1/0/3
[~SwitchD-10GE1/0/3] port trunk allow-pass vlan 300 to 400
[*SwitchD-10GE1/0/3] commit
[~SwitchD-10GE1/0/3] quit

Step 8 Verify the configuration.
# After the network becomes stable, run the display erps command to check brief
information about the ERPS ring and ports added to the ERPS ring. SwitchB is used
as an example.
[~SwitchB] display erps
D : Discarding
F : Forwarding
R : RPL Owner
N : RPL Neighbour
FS : Forced Switch
MS : Manual Switch
Total number of rings configured = 1
Ring  Control  WTR Timer  Guard Timer  Port 1              Port 2
ID    VLAN     (min)      (csec)
--------------------------------------------------------------------------------
   1       10          6          100  (D,R)10GE1/0/1      (F)10GE1/0/2
--------------------------------------------------------------------------------

# Run the display erps verbose command to check detailed information about
the ERPS ring and ports added to the ERPS ring. SwitchB is used as an example.
[~SwitchB] display erps verbose
Ring ID                                  : 1
Description                              : Ring 1
Control Vlan                             : 10
Protected Instance                       : 1
Service Vlan                             : 100 to 200
WTR Timer Setting (min)                  : 6      Running (s)              : 0
Guard Timer Setting (csec)               : 100    Running (csec)           : 0
Holdoff Timer Setting (deciseconds)      : 0      Running (deciseconds)    : 0
WTB Timer Running (csec)                 : 0
Ring State                               : Idle
RAPS_MEL                                 : 7
Revertive Mode                           : Revertive
R-APS Channel Mode                       : -
Version                                  : 2
Sub-ring                                 : No
Forced Switch Port                       : -
Manual Switch Port                       : -
TC-Notify                                : -
Time since last topology change          : 0 days 4h:12m:20s
--------------------------------------------------------------------------------
Port            Port Role     Port Status     Signal Status
--------------------------------------------------------------------------------
10GE1/0/1       RPL Owner     Discarding      Non-failed
10GE1/0/2       Common        Forwarding      Non-failed

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20 100 to 200 300 to 400
#
stp region-configuration
instance 1 vlan 10 100 to 200
instance 2 vlan 20 300 to 400
#
erps ring 1
control-vlan 10
protected-instance 1
wtr-timer 6
guard-timer 100
version v2
tc-protection interval 200
tc-protection threshold 60
#
erps ring 2
control-vlan 20
protected-instance 2
wtr-timer 6
guard-timer 100
version v2
sub-ring
tc-notify erps ring 1
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10 100 to 200
stp disable
erps ring 1
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 100 to 200 300 to 400
stp disable
erps ring 1
erps ring 2
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 20 300 to 400
stp disable
erps ring 2
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 100 to 200
#
stp region-configuration
instance 1 vlan 10 100 to 200
#
erps ring 1
control-vlan 10
protected-instance 1
wtr-timer 6
guard-timer 100
version v2
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10 100 to 200
stp disable
erps ring 1 rpl owner
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 10 100 to 200
stp disable
erps ring 1
#
return
● SwitchC configuration file
#
sysname SwitchC
#
vlan batch 20 300 to 400
#
stp region-configuration
instance 2 vlan 20 300 to 400
#
erps ring 2
control-vlan 20
protected-instance 2
wtr-timer 6
guard-timer 100
version v2
sub-ring
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 20 300 to 400
stp disable
erps ring 2 rpl owner
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 20 300 to 400
stp disable
erps ring 2
#
return

● SwitchD configuration file
#
sysname SwitchD
#
vlan batch 10 20 100 to 200 300 to 400
#
stp region-configuration
instance 1 vlan 10 100 to 200
instance 2 vlan 20 300 to 400
#
erps ring 1
control-vlan 10
protected-instance 1
wtr-timer 6
guard-timer 100
version v2
tc-protection interval 200
tc-protection threshold 60
#
erps ring 2
control-vlan 20
protected-instance 2
wtr-timer 6
guard-timer 100
version v2
sub-ring
tc-notify erps ring 1
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10 100 to 200
stp disable
erps ring 1
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 100 to 200 300 to 400
stp disable
erps ring 1
erps ring 2
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 20 300 to 400
stp disable
erps ring 2
#
return

12.10 Troubleshooting ERPS

12.10.1 Traffic Forwarding Fails in an ERPS Ring

Fault Description
After ERPS is configured, user traffic cannot be properly forwarded due to
abnormal ERPS ring status.

Procedure
Step 1 Check the port roles in the ERPS ring and status of each device in the ring.
In an ERPS ring, there should be only one RPL owner port. Other ports are
common ports or RPL neighbor ports.
Run the display erps [ ring ring-id ] verbose command in any view to check
whether the value of Ring State is Idle. (Perform this operation on each device in
the ERPS ring.)
If the ERPS ring is incomplete or its status is abnormal, perform the following
operations:
1. Verify that all nodes in the ERPS ring are added to the ERPS ring.
2. Check whether the ERPS ring configuration, including the ERPS version
number and the major ring/sub-ring setting, is the same on all devices in the ERPS ring.
3. Verify that port roles, control VLANs, and protected instances are correctly
configured on all nodes in the ERPS ring.
4. Verify that ports can allow packets of the specified VLANs to pass.

----End


13 Loopback Detection Configuration

Loopback detection can detect loops on the network connected to the device and
reduce impacts on the network.

13.1 Overview of Loopback Detection
13.2 Application Scenarios for Loopback Detection
13.3 Licensing Requirements and Limitations for Loopback Detection
13.4 Default Settings for Loopback Detection
13.5 Configuring Loopback Detection
13.6 Configuration Examples for Loopback Detection

13.1 Overview of Loopback Detection


Loopback detection sends loopback detection packets periodically to detect loops
on the network connected to the device. When a loop occurs on a network,
broadcast, multicast, and unknown unicast packets are repeatedly transmitted on
the network. This wastes network resources or even causes service interruption on
the entire network. To protect the network, certain actions should be taken on the
interface where the loop occurs, and the administrator needs to check the network
connection and configuration to resolve the problem promptly. Therefore, a mechanism
is required on a Layer 2 network to detect loops and notify the administrator.
Loopback detection is such a mechanism. It sends detection packets from an
interface at intervals and checks whether the packets are sent back to the
interface. If the packets are sent back, a loopback occurs on the interface.

13.2 Application Scenarios for Loopback Detection

Using Loopback Detection to Detect a Self-loop on an Interface

TX-RX (RX indicates the receiving end, and TX indicates the sending end) self-loops
occur on an interface usually because optical fibers are connected incorrectly
or the interface is damaged by high voltage. As shown in Figure 13-1, self-loops
may occur on the network connected to a Switch interface. When a self-loop
occurs, packets sent from the interface are sent back to this interface. This causes
traffic forwarding errors or MAC address flapping on the interface.

Figure 13-1 Loopback detection application 1 (diagram labels: Switch, TX, RX)

Using Loopback Detection to Detect a Loop on the Downstream Network

As shown in Figure 13-2, loops may occur on the network connected to a Switch
interface. When a loop occurs, packets sent from the interface are sent back to
this interface.

Figure 13-2 Loopback detection application 2 (diagram label: Switch)

You can configure loopback detection on the interface of the Switch in the
preceding scenarios. When a loopback is detected on the interface, the system
sends an alarm. You can set the action to perform on an interface to error-down
when a loopback is detected on the interface or set the time after which the
interface in error-down state automatically recovers. Only users connected to an
interface that has entered the error-down state after a loopback was detected are
affected; other users connected to the Switch can still communicate.

NOTE

● Loopback detection cannot prevent loops on the entire network. It only detects loops on
a single node.
● A large number of packets are sent during loopback detection, occupying CPU resources;
therefore, disable loopback detection if it is not required.
● Loopback detection cannot be used with ring network technologies including ERPS,
Smart Link, STP, RSTP, MSTP, and VBST. Do not configure ring network technologies on
an interface of the LBDT-enabled VLAN. If LBDT has been enabled globally and a ring
network technology needs to be configured on an interface, disable LBDT on that
interface first.

13.3 Licensing Requirements and Limitations for Loopback Detection

Involved Network Elements


Other network elements are not required.

Licensing Requirements
Loopback detection is a basic function of the switch, and as such is controlled by
the license for basic software functions. The license for basic software functions
has been loaded and activated before delivery. You do not need to manually
activate it.

Version Requirements

Table 13-1 Products and minimum version supporting loopback detection

Product Model                          Minimum Version Required
CE9860EI                               V200R020C00
CE8860EI                               V100R006C00
CE8861EI/CE8868EI                      V200R005C10
CE8850-32CQ-EI                         V200R002C50
CE8850-64CQ-EI                         V200R005C00
CE7850EI                               V100R003C00
CE7855EI                               V200R001C00
CE6810EI                               V100R003C00
CE6810-48S4Q-LI/CE6810-48S-LI          V100R003C10
CE6810-32T16S4Q-LI/CE6810-24S2Q-LI     V100R005C10
CE6850EI                               V100R001C00
CE6850-48S6Q-HI                        V100R005C00
CE6850-48T6Q-HI/CE6850U-HI/CE6851HI    V100R005C10
CE6855HI                               V200R001C00
CE6856HI                               V200R002C50
CE6857EI                               V200R005C10
CE6860EI                               V200R002C50
CE6865EI                               V200R005C00
CE6870-24S6CQ-EI                       V200R001C00
CE6870-48S6CQ-EI                       V200R001C00
CE6870-48T6CQ-EI                       V200R002C50
CE6875-48S4CQ-EI                       V200R003C00
CE6881/CE6863/CE6820                   V200R020C00
CE6881K/CE6881E/CE6863K                V200R020C00
CE5810EI                               V100R002C00
CE5850EI                               V100R001C00
CE5850HI                               V100R003C00
CE5855EI                               V100R005C10
CE5881                                 V200R020C00

NOTE

For details about the mapping between software versions and switch models, see the
Hardware Query Tool.

Feature Limitations
● LBDT needs to send a large number of detection packets to detect loops,
occupying system resources. Therefore, disable LBDT if loops do not need to
be detected.
● LBDT is a ring network protocol that conflicts with ring network functions
such as Smart Link, ERPS, and STP/RSTP/MSTP/VBST. You are advised not to
configure these ring network functions on an LBDT-enabled interface.
Conversely, if these ring network functions are configured, disable LBDT on the
interface.
● In V100R005C00 and earlier versions, LBDT cannot be configured on an Eth-Trunk
or its member interfaces.
● When two or more LBDT-enabled interfaces are added to the same VLAN, if
loops occur on the network, the hwLdtPortLoop alarm may be frequently
generated or cleared on some interfaces, and MAC address flapping may
occur between these interfaces. In this case, you are advised to configure the
interfaces to enter the Error-Down state or manually check the network to
eliminate loops after an alarm is generated.

13.4 Default Settings for Loopback Detection

Table 13-2 Default settings for loopback detection


Parameter                                              Default Setting
Loopback Detection                                     Disabled
Interval between sending loopback detection packets    5 seconds

13.5 Configuring Loopback Detection

13.5.1 Enabling LBDT


Context
To detect loopbacks on an interface, enable LBDT on the interface. To detect loops
on the downstream network, enable LBDT on an interface, add the interface to
the VLAN where loops need to be detected, and configure LBDT in a specified
VLAN to detect loops.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run loopback-detect enable
LBDT is enabled on the interface.
By default, LBDT is disabled on an interface.
Step 4 Run the following commands as required.
To use LBDT to detect loopbacks on an interface, skip this step.

To use LBDT to detect loops on the downstream network, perform this step.
1. Run the following commands as required.
– Add the access interface to the VLAN where loops need to be detected.
i. Run port link-type access
The interface is configured as the access interface.
ii. Run port default vlan vlan-id
The access interface is added to the VLAN where loops need to be
detected.
– Add the hybrid interface to the VLAN where loops need to be detected.
i. Run port link-type hybrid
The interface is configured as the hybrid interface.
ii. Run port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> |
all }
The hybrid interface is added to the VLAN where loops need to be
detected.
– Add the trunk interface to the VLAN where loops need to be detected.
i. Run port link-type trunk
The interface is configured as the trunk interface.
ii. Run port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }&<1-40>
| all }
The trunk interface is added to the VLAN where loops need to be
detected.
2. Run loopback-detect vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
LBDT is configured to detect loops in the specified VLAN.
By default, LBDT is not configured to detect loops in the specified VLAN.
NOTE

An interface can send LBDT packets with the specified VLAN tag only when the
specified VLAN has been created.

Step 5 Run commit

The configuration is committed.

----End

13.5.2 (Optional) Configuring an Action to Perform After a Loopback Is Detected

Context
After loopback detection is enabled on an interface, the interface periodically
sends detection packets and checks whether loopback packets are received. When
a loopback is detected on an interface, the system sets the interface status to
loopback, minimizing impact on the system and the entire network.

Procedure
● Configuring an action to perform after a loopback is detected in the system
view
a. Run system-view
The system view is displayed.
b. Run loopback-detect action error-down
The action to perform on the interface is set to error-down when a
loopback is detected on the interface.
The default action is alarm.
When the system detects a loopback on an interface, the interface enters
the Error-Down state and the system sends an alarm to the NMS.

NOTE

If the action to perform on the interface is alarm, inter-device loopback may suppress
loopback detection on other interfaces on the local device. In this situation, set the
action to error-down or use STP to prevent loopback.
c. Run commit
The configuration is committed.
● Configuring an action to perform after a loopback is detected in the interface
view
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run loopback-detect action { error-down | alarm }
The action to perform on the interface is set when a loopback is detected
on the interface.
By default, when a loopback is detected on an interface, the action is as
follows:

▪ If the loopback-detect action error-down command is not used in the
system view, an alarm is generated.
▪ If the loopback-detect action error-down command is used in the
system view, the interface is shut down.
NOTE

If the loopback-detect action (interface view) and loopback-detect action
error-down commands are executed in the interface view and system view
respectively, the configuration in the interface view takes effect.
d. Run commit
The configuration is committed.
----End

Follow-up Procedure
When the action is set to error-down, if a loopback occurs on the interface, the
interface enters the Error-Down state. The device records the status of an interface
as Error-Down when it detects that a fault occurs. The interface in Error-Down
state cannot receive or send packets and the interface indicator is off. You can run
the display error-down recovery command to check information about all
interfaces in Error-Down state on the device.
When the interface is in Error-Down state, check the cause. You can use the
following modes to restore the interface status:
● Manual (after the interface enters the Error-Down state)
When there are few interfaces in Error-Down state, you can run the
shutdown and undo shutdown commands in the interface view or run the
restart command to restore the interface.
● Auto (before the interface enters the Error-Down state)
If there are many interfaces in Error-Down state, the manual mode brings in
heavy workload and the configuration of some interfaces may be ignored. To
prevent this problem, run the error-down auto-recovery cause loopback-
detect interval interval-value command in the system view to enable an
interface in error-down state to go Up and set a recovery delay. You can run
the display error-down recovery command to view automatic recovery
information about the interface.
NOTE

This mode is invalid for the interface that has entered the Error-Down state, and is only
valid for the interface that enters the Error-Down state after the error-down auto-
recovery cause loopback-detect interval interval-value command is used.

13.5.3 (Optional) Setting the Interval Between Sending Loopback Detection Packets on an Interface

Context
An interface sends loopback detection packets at intervals.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run loopback-detect transmit interval packet-interval-time
The interval between sending loopback detection packets is set.
By default, the interval between sending loopback detection packets is 5 seconds.
Step 3 Run commit
The configuration is committed.

----End

13.5.4 Verifying the Loopback Detection Configuration

Procedure
● Run the display loopback-detect command to check the loopback detection
configuration and status of loopback detection enabled interfaces.
----End

13.6 Configuration Examples for Loopback Detection


This section describes configuration examples of loopback detection including
networking requirements, configuration roadmap, and configuration procedure.
This section only provides configuration examples for individual features. For
details about multi-feature configuration examples, feature-specific configuration
examples, interoperation examples, protocol or hardware replacement examples,
and industry application examples, see the Typical Configuration Examples.

13.6.1 Example for Configuring Loopback Detection

Networking Requirements
As shown in Figure 13-3, if there is a loop on the network connected to the
10GE1/0/1 interface, broadcast storms will occur on the Switch or even the entire
network.
To detect loops on the network connected to the switch and disable downlink
interfaces to reduce impacts on the switch and other networks, enable loopback
detection on the Switch.

Figure 13-3 Loopback detection network diagram (diagram labels: Switch, 10GE1/0/1)

Configuration Roadmap
The configuration roadmap is as follows:

1. Enable loopback detection on the interface to detect loops on downlink
networks.
2. Specify the VLAN ID for loopback detection packets.
3. Set loopback detection parameters to enable automatic recovery of the interface.

Procedure
Step 1 Enable loopback detection on the interface.
<HUAWEI> system-view
[~HUAWEI] sysname Switch
[*HUAWEI] commit
[~Switch] interface 10ge 1/0/1
[~Switch-10GE1/0/1] loopback-detect enable
[*Switch-10GE1/0/1] commit
[~Switch-10GE1/0/1] quit

Step 2 Specify the VLAN ID for loopback detection packets.


[~Switch] vlan 100
[*Switch-vlan100] quit
[*Switch] interface 10ge 1/0/1
[*Switch-10GE1/0/1] port link-type trunk
[*Switch-10GE1/0/1] port trunk allow-pass vlan 100
[*Switch-10GE1/0/1] loopback-detect vlan 100
[*Switch-10GE1/0/1] commit
[~Switch-10GE1/0/1] quit

Step 3 Set loopback detection parameters.


# Configure the action to perform on the interface when a loopback is detected.
[~Switch] loopback-detect action error-down
[*Switch] commit

# Set the interval between sending loopback detection packets.


[~Switch] loopback-detect transmit interval 10
[*Switch] commit

Step 4 Check the configuration.


Run the display loopback-detect command to check the configuration.
[~Switch] display loopback-detect
------------------------------------------------------------
Loopback-detect transmit interval: 10s
------------------------------------------------------------
------------------------------------------------------------
Interface Action Status
------------------------------------------------------------
10GE1/0/1 Error-Down ErrorDown

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
loopback-detect transmit interval 10
loopback-detect action error-down
#
vlan batch 100

#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
loopback-detect enable
loopback-detect vlan 100
#
return
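
The limitations and defaults in this chapter can be checked mechanically against a saved configuration file. The following Python sketch is an added example, not Huawei code: it flags LBDT-enabled interfaces that also run ERPS, that monitor a VLAN which was never created or which the interface has not joined, or whose effective action is only alarm. The sample configuration and the finding names are constructed, and the parser assumes VLANs are created with vlan batch, as in the configuration files shown here.

```python
import re

# Constructed sample in the style of the configuration files on this page.
# 10GE1/0/1 matches the page's example interface, but the global error-down
# action is left out on purpose; the other two interfaces carry mistakes.
SAMPLE_CONFIG = """\
#
vlan batch 10 100 to 110
#
interface 10GE1/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
 loopback-detect enable
 loopback-detect vlan 100
#
interface 10GE1/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 100 to 110
 erps ring 1
 loopback-detect enable
 loopback-detect vlan 105 300
#
interface 10GE1/0/3
 port link-type access
 port default vlan 100
 loopback-detect enable
 loopback-detect vlan 101
 loopback-detect action error-down
#
return
"""

MEMBERSHIP = re.compile(r"port (?:default vlan|trunk allow-pass vlan|hybrid tagged vlan) (.+)")


def expand_vlans(tokens):
    """Expand ['10', '100', 'to', '102'] into {10, 100, 101, 102}."""
    vlans, i = set(), 0
    while i < len(tokens):
        if tokens[i] == "all":
            return set(range(1, 4095))
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def audit_lbdt(config):
    """Return (interface, check, detail) tuples for LBDT-enabled interfaces."""
    created, global_action = set(), "alarm"  # page: the default action is alarm
    interfaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = interfaces.setdefault(line.split()[1], {
                "lbdt": False, "lbdt_vlans": set(), "member": set(),
                "erps": False, "action": None})
        elif line in ("#", "return"):
            cur = None  # '#' closes the current view in a saved configuration
        elif cur is None:
            if line.startswith("vlan batch "):
                created |= expand_vlans(line.split()[2:])
            elif line == "loopback-detect action error-down":
                global_action = "error-down"
        elif line == "loopback-detect enable":
            cur["lbdt"] = True
        elif line.startswith("loopback-detect vlan "):
            cur["lbdt_vlans"] |= expand_vlans(line.split()[2:])
        elif line.startswith("loopback-detect action "):
            cur["action"] = line.split()[2]  # interface view overrides system view
        elif line.startswith("erps ring "):
            cur["erps"] = True
        elif (m := MEMBERSHIP.match(line)):
            cur["member"] |= expand_vlans(m.group(1).split())

    findings = []
    for name, itf in interfaces.items():
        if not itf["lbdt"]:
            continue
        if itf["erps"]:
            findings.append((name, "ring-conflict", "LBDT and ERPS on the same interface"))
        for vid in sorted(itf["lbdt_vlans"] - created):
            findings.append((name, "vlan-not-created", f"VLAN {vid} has not been created"))
        for vid in sorted((itf["lbdt_vlans"] & created) - itf["member"]):
            findings.append((name, "vlan-not-member", f"interface is not in VLAN {vid}"))
        if (itf["action"] or global_action) != "error-down":
            findings.append((name, "alarm-only", "loop raises an alarm; port keeps forwarding"))
    return findings


if __name__ == "__main__":
    for finding in audit_lbdt(SAMPLE_CONFIG):
        print(*finding, sep=" | ")
```

Adding loopback-detect action error-down in the system view of the sample clears the alarm-only finding on 10GE1/0/1 and 10GE1/0/2, because only 10GE1/0/3 sets the action in the interface view.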


14 Layer 2 Protocol Tunneling Configuration

This chapter describes the concept, configuration procedure, and configuration
examples of Layer 2 protocol tunneling.

14.1 Overview of Layer 2 Protocol Tunneling
14.2 Understanding Layer 2 Protocol Tunneling
14.3 Application Scenarios for Layer 2 Protocol Tunneling
14.4 Summary of Layer 2 Protocol Tunneling Configuration Tasks
14.5 Licensing Requirements and Limitations for Layer 2 Protocol Tunneling
14.6 Configuring Interface-based Layer 2 Protocol Tunneling
14.7 Configuring VLAN-based Layer 2 Protocol Tunneling
14.8 Configuring Basic QinQ-based Layer 2 Protocol Tunneling
14.9 Configuring the Device to Transparently Transmit BPDUs
14.10 Maintaining Layer 2 Protocol Tunneling
14.11 Configuration Examples for Layer 2 Protocol Tunneling

14.1 Overview of Layer 2 Protocol Tunneling

Definition
Layer 2 protocol tunneling is a Layer 2 tunneling technology that transparently
transmits BPDUs between private networks at different locations over a specified
tunnel on a public Internet Service Provider (ISP) network.

Purpose
Leased lines of ISPs are often used to establish Layer 2 networks. As a result,
private networks of a user can be located at two sides of the ISP network. As
shown in Figure 14-1, User A has two networks: network1 and network2. The two
networks are connected through the ISP network. When network1 and network2
run the same Layer 2 protocol (such as MSTP), Layer 2 protocol packets from
network1 and network2 must be transmitted through the ISP network to perform
Layer 2 protocol calculation (for example, calculating a spanning tree). Generally,
the destination MAC addresses in Layer 2 protocol packets of the same Layer 2
protocol are the same. For example, the MSTP PDUs are BPDUs with the
destination MAC address 0180-C200-0000. Therefore, when a Layer 2 protocol
packet reaches an edge device on the ISP network, the edge device cannot identify
whether the Layer 2 protocol packet comes from a user network or the ISP
network and sends the Layer 2 protocol packets to the CPU to calculate a
spanning tree.
In Figure 14-1, devices on user network1 build a spanning tree together with PE1
but not with devices on user network2. As a result, the Layer 2 protocol packets
on user network1 cannot traverse the ISP network to reach user network2.

Figure 14-1 Transparent transmission of Layer 2 protocol packets on the ISP network (diagram labels: User A network1, CE1, PE1, ISP network, PE2, CE2, User A network2)

You can use Layer 2 protocol tunneling to transparently transmit Layer 2 protocol
packets from the user network across the ISP network. This addresses the network
identity issue. The procedure is as follows:
1. After receiving Layer 2 protocol packets sent from CE1, PE1 replaces the
destination MAC address with a specified multicast MAC address. Then PE1
forwards the packets on the ISP network.
2. The Layer 2 protocol packets are forwarded to PE2. PE2 restores the original
destination MAC address of the packets, and sends the packets to CE2.

NOTE

A Huawei device can transparently transmit packets of the following Layer 2 protocols:
● Spanning Tree Protocol (STP)
● Link Aggregation Control Protocol (LACP)
● Ethernet Operation, Administration, and Maintenance 802.3ah (EOAM3ah)
● Link Layer Discovery Protocol (LLDP)
● GARP VLAN Registration Protocol (GVRP)
● GARP Multicast Registration Protocol (GMRP)
● HUAWEI Group Management Protocol (HGMP)
● VLAN Trunking Protocol (VTP)
● Unidirectional Link Detection (UDLD)
● Port Aggregation Protocol (PAGP)
● Cisco Discovery Protocol (CDP)
● Per VLAN Spanning Tree Plus (PVST+)
● Dynamic Trunking Protocol (DTP)
● Device Link Detection Protocol (DLDP)
● User-defined protocols

14.2 Understanding Layer 2 Protocol Tunneling


Layer 2 protocol packets are transparently transmitted based on the following
principles:
● On the ingress Provider Edge (PE) of the ISP network, the destination
multicast MAC address of a Layer 2 protocol packet is replaced with a
specified multicast MAC address.
● The devices on the ISP network determine whether to process the protocol
packet based on the configured transparent transmission mode.
● When the Layer 2 protocol packet reaches the egress, the PE restores the
destination multicast MAC address of the Layer 2 protocol packet to the
standard destination multicast MAC address based on the mapping between
the specified destination multicast MAC address and the Layer 2 protocol
configured on the device. The egress PE also determines whether to process
the packet based on the configured transparent transmission mode.
To transparently transmit Layer 2 protocol packets on the ISP network, ensure that
the following requirements are met:
● Each branch of a user network must be able to receive the Layer 2 protocol
packets from other branches.
● The CPUs of the devices on the ISP network must not process Layer 2 protocol
packets from a user network.
● Layer 2 protocol packets from different user networks must be isolated and
not affect each other.
Huawei devices support the following Layer 2 protocol tunneling modes in
different scenarios:
● Interface-based Layer 2 protocol tunneling
● VLAN-based Layer 2 protocol tunneling
● Basic QinQ-based Layer 2 protocol tunneling

Interface-based Layer 2 Protocol Tunneling

Figure 14-2 Interface-based Layer 2 protocol tunneling (diagram labels: ISP Network, PE1, PE2, BPDU Tunnel, Port based, VLAN 300, LAN-A, MSTP)
As shown in Figure 14-2, each interface on a PE connects to one user network.
The user networks do not belong to the same LAN. If BPDUs received from user
networks do not carry any VLAN tag, the PE must identify the LAN that the
BPDUs come from. BPDUs of a user network in LAN-A must be sent to other user
networks in LAN-A. In addition, BPDUs must not be processed by devices on the
ISP network. To meet the preceding requirements, configure interface-based Layer
2 protocol tunneling on backbone network edge devices and replace the original
multicast MAC address of Layer 2 protocol packets from user networks with a
specified multicast MAC address.

1. On the device of the ISP network, add the interfaces that connect to the same
user network to the same VLAN. After receiving and identifying the Layer 2
protocol packet (such as a BPDU of the STP protocol) from the user network,
the device on the ISP network adds the default VLAN ID of the interface to
the Layer 2 protocol packet.
2. Based on the mapping between the specified destination multicast MAC
address and the Layer 2 protocol, the ingress PE on the ISP network replaces
the standard destination multicast MAC address of the Layer 2 protocol
packet with the specified destination multicast MAC address.
3. Internal nodes on the ISP network forward the packet through the ISP
network as a common Layer 2 packet.
4. The egress PE on the ISP network restores the original standard destination
MAC address of the packet based on the mapping between the specified
destination multicast MAC address and the Layer 2 protocol and forwards the
packet to the CE.


VLAN-based Layer 2 Protocol Tunneling

Figure 14-3 VLAN-based Layer 2 protocol tunneling (diagram labels: LAN-A, LAN-B, MSTP, CE-VLAN 100, CE-VLAN 200, PE 1, PE 2, ISP Network, BPDU Tunnel, Trunk Link 100-200)

In most cases, a PE serves as an aggregation device. As shown in Figure 14-3, the
aggregation interface on PE1 receives Layer 2 protocol packets from LAN-A and
LAN-B. To differentiate BPDUs from two LANs, BPDUs sent from CEs to PEs must
have VLAN tags. Packets sent from LAN-A contain VLAN ID 200 and packets sent
from LAN-B contain VLAN ID 100. BPDUs of a user network in LAN-A must be
forwarded to other user networks in LAN-A, but not to user networks in LAN-B. In
addition, BPDUs cannot be processed by PEs on the ISP network. In this case, you
can configure VLAN-based Layer 2 protocol tunneling on PEs, so that Layer 2
protocol packets can traverse the ISP network through Layer 2 tunnels.
Similar to interface-based Layer 2 protocol tunneling, you can use the following
methods to implement VLAN-based Layer 2 protocol tunneling:
1. Set specified VLAN IDs for Layer 2 protocol packets sent from user networks
to the ISP network.

NOTE

When STP BPDUs are sent from the user network to the backbone network, run the
stp bpdu vlan command to enable the CE to encapsulate the specified VLAN ID in
outgoing STP BPDUs.
2. Enable the devices on the ISP network to identify Layer 2 protocol packets
with the specified VLAN IDs and allow these packets to pass.
3. Based on the mapping between the specified destination multicast MAC
address and the Layer 2 protocol, the ingress PE on the ISP network replaces
the standard destination multicast MAC address of the Layer 2 protocol
packet with the specified destination multicast MAC address.
4. Internal nodes on the ISP network forward the packets through the ISP
network as common Layer 2 packets.
5. The egress PE on the ISP network restores the original standard destination
MAC address of the packet based on the mapping between the specified
destination multicast MAC address and the Layer 2 protocol and forwards the
packet to the CE.
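
The ingress replacement, core forwarding and egress restoration steps listed above for interface-based and VLAN-based tunneling, traced in Python as an added illustration (not Huawei code). TUNNEL_MAC, the port names, VLAN 400 and the untagged egress port are assumptions; 0180-C200-0000, VLAN 300 and CE-VLANs 100 and 200 come from the page.

```python
from dataclasses import dataclass, replace
from typing import Optional

BPDU_MAC = "0180-C200-0000"    # from the page: destination MAC of MSTP BPDUs
TUNNEL_MAC = "0100-00AA-BB01"  # constructed stand-in for the "specified multicast MAC address"


@dataclass(frozen=True)
class Frame:
    dst_mac: str
    vlan: Optional[int]  # 802.1Q tag, None when untagged
    payload: str


def pe_ingress(frame, pvid, tunneling=True):
    """User-facing port of the ingress PE. Returns (action, frame)."""
    if frame.dst_mac == BPDU_MAC and not tunneling:
        return "to-cpu", frame  # the PE joins the customer's spanning tree
    # An untagged frame gets the port's default VLAN; a tagged one keeps its VLAN.
    vlan = frame.vlan if frame.vlan is not None else pvid
    # A protocol packet has its standard destination MAC swapped for the tunnel MAC.
    dst = TUNNEL_MAC if frame.dst_mac == BPDU_MAC else frame.dst_mac
    return "forward", replace(frame, vlan=vlan, dst_mac=dst)


def core_node(frame):
    """Internal ISP node: only the standard protocol MAC is handed to the CPU."""
    return "to-cpu" if frame.dst_mac == BPDU_MAC else "forward"


def pe_egress(frame, ports):
    """ports maps a user-facing port to (allowed VLANs, keep_tag)."""
    restored = replace(frame, dst_mac=BPDU_MAC) if frame.dst_mac == TUNNEL_MAC else frame
    out = {}
    for port, (vlans, keep_tag) in ports.items():
        if frame.vlan in vlans:
            # keep_tag=False models an untagged user-facing port (assumption).
            out[port] = restored if keep_tag else replace(restored, vlan=None)
    return out


def cross_isp(frame, ingress_pvid, egress_ports, tunneling=True):
    """Follow one frame from the ingress PE to the egress PE's user-facing ports."""
    action, on_wire = pe_ingress(frame, ingress_pvid, tunneling)
    if action == "to-cpu" or core_node(on_wire) == "to-cpu":
        return {}  # consumed by an ISP device, never reaches the remote site
    return pe_egress(on_wire, egress_ports)


# Interface-based mode (Figure 14-2): LAN-A ports use default VLAN 300;
# VLAN 400 for a second user network is constructed.
PORT_BASED = {"to-LAN-A": ({300}, False), "to-LAN-X": ({400}, False)}
# VLAN-based mode (Figure 14-3): one trunk carries CE-VLAN 100 (LAN-B) and 200 (LAN-A).
VLAN_BASED = {"trunk": ({100, 200}, True)}

if __name__ == "__main__":
    bpdu = Frame(BPDU_MAC, None, "mstp-bpdu")
    print(pe_ingress(bpdu, 300))
    print(cross_isp(bpdu, 300, PORT_BASED))
    print(cross_isp(bpdu, 300, PORT_BASED, tunneling=False))
    print(cross_isp(Frame(BPDU_MAC, 200, "mstp-bpdu"), None, VLAN_BASED))
```

With tunneling disabled the BPDU stops at the first PE, which is the situation the Purpose section describes; with it enabled the frame leaves the egress PE with its original destination MAC and only on ports in the matching VLAN.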

Basic QinQ-based Layer 2 Protocol Tunneling


If Layer 2 protocol packets are still transmitted transparently in VLAN-based mode
when many user networks are connected to the ISP network, a large number of
VLAN IDs of the ISP network are required. This may result in insufficient VLAN ID
resources. To conserve VLAN IDs, you can configure QinQ-based Layer 2 protocol
tunneling to forward Layer 2 protocol packets on the ISP network.
The QinQ protocol is a Layer 2 tunneling protocol based on IEEE 802.1Q. QinQ
technology improves utilization of VLANs by adding another 802.1Q tag to a
packet, allowing services on a private VLAN to be transparently transmitted to the
public network.

Figure 14-4 Basic QinQ-based Layer 2 protocol tunneling

[Figure: two sites, each with LAN-A and LAN-B running MSTP, connect through PE1 and PE2 across the ISP network. BPDU tunnels carry CE-VLAN 100 and CE-VLAN 200 between the sites. PE-VLAN 20 carries CE-VLAN 100~199 and PE-VLAN 30 carries CE-VLAN 200~299.]


As shown in Figure 14-4, after QinQ is configured, a PE adds an outer VLAN ID of
20 to the received Layer 2 protocol packets that carry VLAN IDs in the range 100
to 199 and an outer VLAN ID of 30 to the received Layer 2 protocol packets that
carry VLAN IDs in the range 200 to 299 before transmitting these Layer 2 protocol
packets across the backbone network. To tunnel Layer 2 protocol packets from the
user networks across the backbone network, configure QinQ-based Layer 2
protocol tunneling on PEs' aggregation interfaces.
1. The ingress device on the backbone network adds a different outer VLAN tag
(public VLAN ID) to the received Layer 2 protocol packets based on the inner
VLAN IDs (user VLAN IDs) carried in the Layer 2 protocol packets.
2. The ingress device replaces the multicast destination MAC address in the
Layer 2 protocol packets with a specified multicast MAC address based on the
configured mapping between the multicast destination MAC address and the
specified multicast MAC address.
3. The ingress device transmits the Layer 2 protocol packets with a specified
multicast MAC address through different Layer 2 tunnels based on the outer
VLAN IDs. The internal devices on the backbone network forward the Layer 2
protocol packets with a specified multicast MAC address to the egress devices.
4. The egress devices restore the original destination MAC address in the Layer 2
protocol packets based on the configured mapping between the multicast
destination MAC address and the specified multicast address, remove the
outer VLAN tags, and send the Layer 2 protocol packets to the user networks
based on the inner VLAN IDs.
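
The four steps above, traced on one tagged BPDU, as an added Python example that is not part of the original guide. It uses the VLAN mapping of Figure 14-4 and the default group MAC 0100-0ccd-cdd0; the 0x8100 TPID on both tags, the sample frame, and all function names are assumptions.

```python
import struct

TPID = 0x8100  # assumption: both tags use the 802.1Q TPID
STP_MAC = bytes.fromhex("0180c2000000")    # standard STP/MSTP BPDU destination
GROUP_MAC = bytes.fromhex("01000ccdcdd0")  # default group MAC named on this page
TO_GROUP = {STP_MAC: GROUP_MAC}            # configured mapping, ingress direction
TO_STANDARD = {g: s for s, g in TO_GROUP.items()}  # same mapping, egress direction
# Outer (PE) VLAN chosen from the inner (CE) VLAN, as in Figure 14-4.
OUTER_BY_INNER = [(range(100, 200), 20), (range(200, 300), 30)]


def vlan_tag(vid):
    """Build a 4-byte 802.1Q tag with priority 0."""
    return struct.pack("!HH", TPID, vid & 0x0FFF)


def read_vid(frame, offset):
    """Return the VLAN ID of the tag at offset, or None if no tag is there."""
    if len(frame) < offset + 4:
        return None
    tpid, tci = struct.unpack_from("!HH", frame, offset)
    return tci & 0x0FFF if tpid == TPID else None


def outer_vlan_for(inner_vid):
    """Look up the outer VLAN for an inner VLAN; None if there is no mapping."""
    if inner_vid is None:
        return None
    for inner_range, outer in OUTER_BY_INNER:
        if inner_vid in inner_range:
            return outer
    return None


def ingress_pe(frame):
    """Steps 1-2: add the outer tag by inner VLAN, then swap in the group MAC."""
    dst, src, rest = frame[:6], frame[6:12], frame[12:]
    outer = outer_vlan_for(read_vid(frame, 12))
    if dst not in TO_GROUP or outer is None:
        return frame  # not tunnelled in this sketch; left unchanged
    return TO_GROUP[dst] + src + vlan_tag(outer) + rest


def egress_pe(frame):
    """Step 4: restore the standard MAC, remove the outer tag, report inner VLAN."""
    dst, src = frame[:6], frame[6:12]
    if dst not in TO_STANDARD or read_vid(frame, 12) is None:
        return frame, read_vid(frame, 12)
    restored = TO_STANDARD[dst] + src + frame[16:]
    return restored, read_vid(restored, 12)


def sample_bpdu(inner_vid):
    """Constructed CE frame: tagged 802.3/LLC frame with a zeroed BPDU body."""
    src = bytes.fromhex("00e0fc000001")  # made-up source MAC
    llc_and_bpdu = bytes.fromhex("424203") + bytes(35)
    length = struct.pack("!H", len(llc_and_bpdu))
    return STP_MAC + src + vlan_tag(inner_vid) + length + llc_and_bpdu


if __name__ == "__main__":
    for inner in (150, 250):
        tunnelled = ingress_pe(sample_bpdu(inner))
        restored, vid = egress_pe(tunnelled)
        print(f"inner {inner}: outer {read_vid(tunnelled, 12)}, "
              f"dst {tunnelled[:6].hex()} -> restored {restored[:6].hex()}, "
              f"delivered on VLAN {vid}")
```

Step 3 (forwarding by internal backbone devices) needs no code: the tunnelled frame carries an ordinary multicast destination and an outer tag, so it is switched like any other Layer 2 frame.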

14.3 Application Scenarios for Layer 2 Protocol Tunneling
As shown in Figure 14-5, CE1 and CE2 are edge devices on private networks of
User A in different locations. The two private networks connect to the ISP network
through PE1 and PE2. Networks of User A have redundant links, so MSTP is used
to remove loops on the Layer 2 network. When MSTP packets sent by CEs reach
PEs, PEs send the packets to the CPUs for processing because they cannot identify
the network that MSTP packets come from. Layer 2 protocol calculations on the
user network and ISP network affect each other and cannot be implemented
independently.
You can configure Layer 2 protocol tunneling on PEs, so that MSTP packets are not
sent to the CPUs of PEs for processing. This prevents PEs from participating in
spanning tree calculation.


Figure 14-5 Interface-based transparent transmission of Layer 2 protocol packets on a Layer 2 network
[Figure: CE1 (User A network1) connects to PE1 and CE2 (User A network2) connects to PE2; PE1 and PE2 are linked across the ISP network.]

14.4 Summary of Layer 2 Protocol Tunneling Configuration Tasks
Table 14-1 summarizes the configuration tasks for Layer 2 protocol tunneling.

Table 14-1 Layer 2 protocol tunneling configuration tasks

Item: Configuring interface-based Layer 2 protocol tunneling
Description: When each interface of a backbone device is connected to only one user network and Layer 2 protocol packets sent from the user network do not need VLAN tags, configure interface-based Layer 2 protocol tunneling on the interface connected to the user network. This configuration allows Layer 2 protocol packets to be transparently transmitted on the backbone network.
Task: 14.6 Configuring Interface-based Layer 2 Protocol Tunneling

Item: Configuring VLAN-based Layer 2 protocol tunneling
Description: When each interface of a backbone device is connected to multiple user networks and Layer 2 protocol packets sent from user networks contain VLAN tags, configure VLAN-based Layer 2 protocol tunneling. This configuration allows Layer 2 protocol packets to be transparently transmitted on the backbone network.
Task: 14.7 Configuring VLAN-based Layer 2 Protocol Tunneling

Item: Configuring basic QinQ-based Layer 2 protocol tunneling
Description: When each interface of a backbone device is connected to multiple user networks and Layer 2 protocol packets sent from user networks contain VLAN tags, you can configure basic QinQ-based Layer 2 protocol tunneling. This configuration allows Layer 2 protocol packets to be transparently transmitted on the backbone network and reduces VLAN IDs that the carrier uses.
Task: 14.8 Configuring Basic QinQ-based Layer 2 Protocol Tunneling

14.5 Licensing Requirements and Limitations for Layer 2 Protocol Tunneling
Involved Network Elements
Other network elements are not required.

License Requirements
Layer 2 protocol tunneling is a basic function of the switch, and as such is
controlled by the license for basic software functions. The license for basic
software functions has been loaded and activated before delivery. You do not need
to manually activate it.


Version Requirements

Table 14-2 Products and minimum version supporting Layer 2 protocol tunneling

Product                                 Minimum Version Required
CE9860EI                                V200R020C00
CE8860EI                                V100R006C00
CE8861EI/CE8868EI                       V200R005C10
CE8850-32CQ-EI                          V200R002C50
CE8850-64CQ-EI                          V200R005C00
CE7850EI                                V100R003C00
CE7855EI                                V200R001C00
CE6810EI                                V100R003C00
CE6810-48S4Q-LI/CE6810-48S-LI           V100R003C10
CE6810-32T16S4Q-LI/CE6810-24S2Q-LI      V100R005C10
CE6850EI                                V100R002C00
CE6850-48S6Q-HI                         V100R005C00
CE6850-48T6Q-HI/CE6850U-HI/CE6851HI     V100R005C10
CE6855HI                                V200R001C00
CE6856HI                                V200R002C50
CE6857EI                                V200R005C10
CE6860EI                                V200R002C50
CE6865EI                                V200R005C00
CE6865SI                                V200R019C10
CE6870-24S6CQ-EI                        V200R001C00
CE6870-48S6CQ-EI                        V200R001C00
CE6870-48T6CQ-EI                        V200R002C50
CE6875-48S4CQ-EI                        V200R003C00
CE6880EI                                V200R002C50
CE6881, CE6820, CE6863                  V200R005C20
CE6881K                                 V200R019C10
CE6881E                                 V200R019C10
CE6863K                                 V200R019C10
CE5810EI                                V100R002C00
CE5850EI                                V100R002C00
CE5850HI                                V100R003C00
CE5855EI                                V100R005C10
CE5880EI                                V200R005C10
CE5881                                  V200R020C00

NOTE

For details about the mapping between software versions and switch models, see the
Hardware Query Tool.

Feature Limitations
● The CE6850HI, CE6851HI, CE6850U-HI, CE5810EI, CE5850HI, CE5855EI and
CE6810LI transparently transmit a maximum of 256 Layer 2 protocol packets
per second, and other models transparently transmit a maximum of 512 Layer
2 protocol packets per second. Excess packets are discarded.
● Do not replace the destination MAC addresses of STP, GVRP, and GMRP
packets with the same multicast MAC address.
● Do not replace the destination MAC addresses of EOAM3ah, LACP, and DLDP
packets with the same multicast MAC address.
● When configuring Layer 2 protocol tunneling, do not use the following
multicast MAC addresses to replace the destination MAC address of Layer 2
protocol packets:
– Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F
– Destination MAC address of Smart Link packets: 010F-E200-0004
– Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD
– Common multicast MAC addresses that have been used on the device
● CE6881, CE6820, CE6863, CE5880EI, and CE6880EI only support configuring
the device to transparently transmit BPDUs.
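
The address restrictions above can be checked before any group-mac command is committed. The following Python sketch is an added example, not Huawei code; the function names and the sample plan are hypothetical, and the multicast-bit check is inferred from the page's requirement that the replacement be a multicast MAC address.

```python
import re

# Addresses this page forbids as replacement (group) MACs.
BPDU_RANGE = (0x0180C2000000, 0x0180C200002F)
SMART_LINK = 0x010FE2000004
SPECIAL = {0x01000CCCCCCC, 0x01000CCCCCCD}
# Protocols within one set must each get a different group MAC.
EXCLUSIVE_SETS = [{"stp", "gvrp", "gmrp"}, {"eoam3ah", "lacp", "dldp"}]

_MAC_RE = re.compile(r"[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}")


def parse_mac(text):
    """Convert H-H-H notation (as written on this page) to a 48-bit int."""
    if not _MAC_RE.fullmatch(text.strip()):
        raise ValueError(f"{text!r} is not in H-H-H format")
    return int(text.strip().replace("-", ""), 16)


def check_group_mac(mac_text, in_use=()):
    """Return the reasons (possibly none) why mac_text must not be used."""
    try:
        mac = parse_mac(mac_text)
    except ValueError as exc:
        return [str(exc)]
    reasons = []
    if not (mac >> 40) & 1:  # I/G bit of the first octet
        reasons.append("not a multicast address")
    if BPDU_RANGE[0] <= mac <= BPDU_RANGE[1]:
        reasons.append("inside the BPDU range 0180-C200-0000 to 0180-C200-002F")
    if mac == SMART_LINK:
        reasons.append("Smart Link destination MAC 010F-E200-0004")
    if mac in SPECIAL:
        reasons.append("special multicast MAC 0100-0CCC-CCCC/CCCD")
    if mac in {parse_mac(m) for m in in_use}:
        reasons.append("multicast MAC already used on the device")
    return reasons


def check_plan(plan, in_use=()):
    """plan: {protocol: group MAC}. Return {protocol: [reasons]} for failures."""
    plan = {proto.lower(): mac for proto, mac in plan.items()}
    report = {}
    for proto, mac_text in plan.items():
        reasons = check_group_mac(mac_text, in_use)
        if reasons:
            report[proto] = reasons
    for group in EXCLUSIVE_SETS:
        by_mac = {}
        for proto in sorted(group & plan.keys()):
            try:
                by_mac.setdefault(parse_mac(plan[proto]), []).append(proto)
            except ValueError:
                continue  # already reported as a format error
        for protos in by_mac.values():
            for proto in protos if len(protos) > 1 else []:
                others = ", ".join(p for p in protos if p != proto)
                report.setdefault(proto, []).append(
                    f"shares its group MAC with {others}")
    return report


# Constructed plan: values chosen to trip each rule, not taken from a device.
SAMPLE_PLAN = {
    "stp": "0100-5e00-0011",
    "gvrp": "0100-5E00-0011",        # same address as stp, different case
    "lacp": "0100-0CCC-CCCD",        # special multicast MAC
    "dldp": "0180-C200-0010",        # inside the BPDU range
    "user-proto": "0100-0ccd-cdd0",  # the default group MAC: acceptable
}

if __name__ == "__main__":
    for proto, reasons in sorted(check_plan(SAMPLE_PLAN).items()):
        print(f"{proto}: {'; '.join(reasons)}")
```

Pass the multicast MAC addresses already in use on the device as `in_use` to cover the last item of the list.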

14.6 Configuring Interface-based Layer 2 Protocol Tunneling
When each interface of a backbone device is connected to only one user network
and Layer 2 protocol packets sent from the user network do not need VLAN tags,
configure interface-based Layer 2 protocol tunneling on the interface connected to


the user network. This configuration allows Layer 2 protocol packets to be
transparently transmitted on the backbone network.

Pre-configuration Tasks
Before configuring interface-based Layer 2 protocol tunneling, complete the
following task:
● Setting link layer protocol parameters and IP addresses for interfaces to
ensure that the link layer protocol on the interfaces is Up

14.6.1 (Optional) Defining Characteristic Information About a Layer 2 Protocol

Context
When non-standard Layer 2 protocol packets with a specified multicast
destination MAC address need to be transparently transmitted on the backbone
network, define characteristic information about the Layer 2 protocol on the PE.
The characteristics of the Layer 2 protocol include the protocol name, Ethernet
encapsulation format, destination MAC address, and MAC address that replaces
the destination MAC address of Layer 2 protocol packets.

When defining characteristic information about a Layer 2 protocol, do not use the
following multicast MAC addresses to replace the destination MAC address of
Layer 2 protocol packets:

● Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F


● Destination MAC address of Smart Link packets: 010F-E200-0004
● Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD
● Common multicast MAC addresses that have been used on the device

Perform the following operations on PEs.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run l2protocol-tunnel user-defined-protocol protocol-name protocol-mac protocol-mac [ encap-type { { ethernetii | snap } protocol-type protocol-type-value | llc dsap dsap-value ssap ssap-value } ] group-mac { group-mac | default-group-mac }

Characteristic information about a Layer 2 protocol is defined.

Step 3 Run commit

The configuration is committed.

----End


14.6.2 Configuring the Multicast MAC Address for Layer 2 Protocol Tunneling

Context
To prevent a backbone network edge device from sending the received Layer 2
protocol packets to its CPU for processing and ensure that the Layer 2 protocol
packets are tunneled across the backbone network, configure the edge device to
replace the multicast destination MAC address in Layer 2 protocol packets with a
specified multicast MAC address.
Perform the following operations on PEs.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run l2protocol-tunnel protocol-type group-mac { group-mac | default-group-mac }
The original multicast destination MAC address of Layer 2 protocol packets is
replaced with a specified multicast MAC address.
Most Layer 2 protocols can be identified by protocol type. You can configure a
group MAC address for this type of protocol to reduce configuration workload. The
default group MAC address is 0100-0ccd-cdd0.

NOTE

Do not replace the destination MAC addresses of STP, GVRP, and GMRP packets with the
same multicast MAC address.
Do not replace the destination MAC addresses of EOAM3ah, LACP, and DLDP packets with
the same multicast MAC address.
When configuring Layer 2 protocol tunneling, do not use the following multicast MAC
addresses to replace the destination MAC address of Layer 2 protocol packets:
● Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F
● Destination MAC address of Smart Link packets: 010F-E200-0004
● Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD
● Common multicast MAC addresses that have been used on the device

Step 3 Run commit


The configuration is committed.

----End

14.6.3 Enabling Layer 2 Protocol Tunneling on an Interface

Context
Perform the following operations on PEs based on the required Layer 2 protocol
tunneling mode.


NOTE

The l2protocol-tunnel and l2protocol-tunnel vlan commands cannot specify the same
protocol type on the same interface. Otherwise, the configurations conflict.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The user-side interface view is displayed.
Step 3 Run port link-type hybrid
The link type of the interface is set to hybrid.
Step 4 Run port hybrid pvid vlan vlan-id
The default VLAN of the interface is configured.
Step 5 Run port hybrid untagged vlan vlan-id
The interface is added to the default VLAN in untagged mode.

NOTE

The VLAN tag specified in step 5 must be the same as that specified in step 4.

Step 6 Run l2protocol-tunnel { all | protocol-type | user-defined-protocol protocol-name } enable
Layer 2 protocol tunneling is enabled on the interface.
Step 7 (Optional) Run l2protocol-tunnel drop-threshold
The drop threshold for Layer 2 protocol packets is configured.
By default, the drop threshold is 0, meaning that interfaces enabled with Layer 2
protocol tunneling do not limit the volume of received Layer 2 protocol packets.
Configuring a drop threshold for Layer 2 protocol packets protects interfaces
enabled with Layer 2 protocol tunneling against protocol packet attacks. The
interfaces drop excess Layer 2 protocol packets when the number of Layer 2
protocol packets received in 1s exceeds the configured drop threshold.
Step 8 Run commit
The configuration is committed.

----End


14.6.4 Verifying the Configuration of Interface-based Layer 2 Protocol Tunneling

Procedure
● Run the display l2protocol-tunnel group-mac { all | protocol-type | user-defined-protocol protocol-name } command to check information about
transparent transmission of specified or all Layer 2 protocol packets.

----End

14.7 Configuring VLAN-based Layer 2 Protocol Tunneling
When each interface of a backbone device is connected to multiple user networks
and Layer 2 protocol packets sent from user networks contain VLAN tags,
configure VLAN-based Layer 2 protocol tunneling. This configuration allows Layer
2 protocol packets to be transparently transmitted on the backbone network.

Pre-configuration Tasks
Before configuring interface-based Layer 2 protocol tunneling, complete the
following task:
● Setting link layer protocol parameters and IP addresses for interfaces to
ensure that the link layer protocol on the interfaces is Up

14.7.1 (Optional) Defining Characteristic Information About a Layer 2 Protocol

Context
When non-standard Layer 2 protocol packets with a specified multicast
destination MAC address need to be transparently transmitted on the backbone
network, define characteristic information about the Layer 2 protocol on the PE.
The characteristics of the Layer 2 protocol include the protocol name, Ethernet
encapsulation format, destination MAC address, and MAC address that replaces
the destination MAC address of Layer 2 protocol packets.

When defining characteristic information about a Layer 2 protocol, do not use the
following multicast MAC addresses to replace the destination MAC address of
Layer 2 protocol packets:

● Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F


● Destination MAC address of Smart Link packets: 010F-E200-0004
● Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD
● Common multicast MAC addresses that have been used on the device

Perform the following operations on PEs.


Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run l2protocol-tunnel user-defined-protocol protocol-name protocol-mac protocol-mac [ encap-type { { ethernetii | snap } protocol-type protocol-type-value | llc dsap dsap-value ssap ssap-value } ] group-mac { group-mac | default-group-mac }
Characteristic information about a Layer 2 protocol is defined.
Step 3 Run commit
The configuration is committed.

----End

14.7.2 Configuring the Multicast MAC Address for Layer 2 Protocol Tunneling

Context
To prevent a backbone network edge device from sending the received Layer 2
protocol packets to its CPU for processing and ensure that the Layer 2 protocol
packets are tunneled across the backbone network, configure the edge device to
replace the multicast destination MAC address in Layer 2 protocol packets with a
specified multicast MAC address.
Perform the following operations on PEs.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run l2protocol-tunnel protocol-type group-mac { group-mac | default-group-mac }
The original multicast destination MAC address of Layer 2 protocol packets is
replaced with a specified multicast MAC address.
Most Layer 2 protocols can be identified by protocol type. You can configure a
group MAC address for this type of protocol to reduce configuration workload. The
default group MAC address is 0100-0ccd-cdd0.


NOTE

Do not replace the destination MAC addresses of STP, GVRP, and GMRP packets with the
same multicast MAC address.
Do not replace the destination MAC addresses of EOAM3ah, LACP, and DLDP packets with
the same multicast MAC address.
When configuring Layer 2 protocol tunneling, do not use the following multicast MAC
addresses to replace the destination MAC address of Layer 2 protocol packets:
● Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F
● Destination MAC address of Smart Link packets: 010F-E200-0004
● Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD
● Common multicast MAC addresses that have been used on the device

Step 3 Run commit


The configuration is committed.

----End

14.7.3 Enabling VLAN-based Layer 2 Protocol Tunneling on an Interface

Context
Perform the following operations on PEs according to the type of Layer 2 protocol
packets to be transparently transmitted.

NOTE

The l2protocol-tunnel vlan and l2protocol-tunnel commands cannot specify the same
protocol type on the same interface. Otherwise, the configurations conflict.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The user-side interface view is displayed.
Step 3 Configure the link type of the interface as trunk or hybrid.
● Set the link type of the interface to trunk.
a. Run port link-type trunk
The link type of the interface is set to trunk.
b. Run port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] } &<1-40> |
all }
The interface is added to a VLAN.
● Set the link type of the interface to hybrid.
a. Run port link-type hybrid


The link type of the interface is set to hybrid.


b. Run port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
The interface is added to the specified VLANs in tagged mode.
NOTE

The range of VLAN IDs specified in this step must include VLAN IDs of Layer 2 protocol
packets from user networks.

Step 4 Run l2protocol-tunnel { all | protocol-type | user-defined-protocol protocol-name } vlan { low-id [ to high-id ] } &<1-10>
VLAN-based Layer 2 protocol tunneling is enabled on the interface.
Step 5 (Optional) Run l2protocol-tunnel drop-threshold
The drop threshold for Layer 2 protocol packets is configured.
By default, the drop threshold is 0, meaning that interfaces enabled with Layer 2
protocol tunneling do not limit the volume of received Layer 2 protocol packets.
Configuring a drop threshold for Layer 2 protocol packets protects interfaces
enabled with Layer 2 protocol tunneling against protocol packet attacks. The
interfaces drop excess Layer 2 protocol packets when the number of Layer 2
protocol packets received in 1s exceeds the configured drop threshold.
Step 6 Run commit
The configuration is committed.

----End

14.7.4 Verifying the Layer 2 Protocol Tunneling Configuration


Procedure
● Run the display l2protocol-tunnel group-mac { all | protocol-type | user-defined-protocol protocol-name } command to check information about
transparent transmission of specified or all Layer 2 protocol packets.
----End

14.8 Configuring Basic QinQ-based Layer 2 Protocol Tunneling
When each interface of a backbone device is connected to multiple user networks
and Layer 2 protocol packets sent from user networks contain VLAN tags, you can
configure basic QinQ-based Layer 2 protocol tunneling. This configuration allows
Layer 2 protocol packets to be transparently transmitted on the backbone network
and reduces VLAN IDs that the carrier uses.

Pre-configuration Tasks
Before configuring interface-based Layer 2 protocol tunneling, complete the
following task:


● Setting link layer protocol parameters and IP addresses for interfaces to
ensure that the link layer protocol on the interfaces is Up

14.8.1 (Optional) Defining Characteristic Information About a Layer 2 Protocol

Context
When non-standard Layer 2 protocol packets with a specified multicast
destination MAC address need to be transparently transmitted on the backbone
network, define characteristic information about the Layer 2 protocol on the PE.
The characteristics of the Layer 2 protocol include the protocol name, Ethernet
encapsulation format, destination MAC address, and MAC address that replaces
the destination MAC address of Layer 2 protocol packets.
When defining characteristic information about a Layer 2 protocol, do not use the
following multicast MAC addresses to replace the destination MAC address of
Layer 2 protocol packets:
● Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F
● Destination MAC address of Smart Link packets: 010F-E200-0004
● Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD
● Common multicast MAC addresses that have been used on the device
Perform the following operations on PEs.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run l2protocol-tunnel user-defined-protocol protocol-name protocol-mac protocol-mac [ encap-type { { ethernetii | snap } protocol-type protocol-type-value | llc dsap dsap-value ssap ssap-value } ] group-mac { group-mac | default-group-mac }
Characteristic information about a Layer 2 protocol is defined.
Step 3 Run commit
The configuration is committed.

----End

14.8.2 Configuring the Multicast MAC Address for Layer 2 Protocol Tunneling

Context
To prevent a backbone network edge device from sending the received Layer 2
protocol packets to its CPU for processing and ensure that the Layer 2 protocol


packets are tunneled across the backbone network, configure the edge device to
replace the multicast destination MAC address in Layer 2 protocol packets with a
specified multicast MAC address.

Perform the following operations on PEs.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run l2protocol-tunnel protocol-type group-mac { group-mac | default-group-mac }

The original multicast destination MAC address of Layer 2 protocol packets is
replaced with a specified multicast MAC address.

Most Layer 2 protocols can be identified by protocol type. You can configure a
group MAC address for this type of protocol to reduce configuration workload. The
default group MAC address is 0100-0ccd-cdd0.

NOTE

Do not replace the destination MAC addresses of STP, GVRP, and GMRP packets with the
same multicast MAC address.
Do not replace the destination MAC addresses of EOAM3ah, LACP, and DLDP packets with
the same multicast MAC address.
When configuring Layer 2 protocol tunneling, do not use the following multicast MAC
addresses to replace the destination MAC address of Layer 2 protocol packets:
● Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F
● Destination MAC address of Smart Link packets: 010F-E200-0004
● Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD
● Common multicast MAC addresses that have been used on the device

Step 3 Run commit

The configuration is committed.

----End

14.8.3 Enabling Basic QinQ-based Layer 2 Transparent Transmission on an Interface

Context
Perform the following operations on PEs based on the required Layer 2 protocol
tunneling mode.

NOTE

The l2protocol-tunnel vlan and l2protocol-tunnel commands cannot specify the same
protocol type on the same interface. Otherwise, the configurations conflict.


Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number

The user-side interface view is displayed.

Step 3 Run port link-type dot1q-tunnel

The link type of the interface is set to dot1q-tunnel.

Step 4 Run port default vlan vlan-id

The Dot1q tunnel interface is enabled to add an outer VLAN tag to Layer 2
protocol packets from user networks.

Step 5 Run l2protocol-tunnel { all | protocol-type | user-defined-protocol protocol-name } vlan { low-id [ to high-id ] } &<1-10>

Basic QinQ-based Layer 2 protocol tunneling is enabled on the interface.

NOTE

The outer VLAN tag specified in step 4 must be included in the VLAN range specified in
step 5.

Step 6 (Optional) Run l2protocol-tunnel drop-threshold

The drop threshold for Layer 2 protocol packets is configured.

By default, the drop threshold is 0, meaning that interfaces enabled with Layer 2
protocol tunneling do not limit the volume of received Layer 2 protocol packets.

Configuring a drop threshold for Layer 2 protocol packets protects interfaces
enabled with Layer 2 protocol tunneling against protocol packet attacks. The
interfaces drop excess Layer 2 PDUs when the number of Layer 2 protocol packets
received in 1s exceeds the configured drop threshold.

Step 7 Run commit

The configuration is committed.

----End
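
The NOTE constraints and the drop-threshold default from the three interface-enabling procedures (14.6.3, 14.7.3 and 14.8.3) can be audited offline against a saved configuration. This Python sketch is an added example, not a Huawei tool; the sample configuration is constructed, and the numeric argument after drop-threshold and the finding codes are assumptions.

```python
import re

# Constructed configuration, written with the commands from the procedures
# on this page. The numeric argument of drop-threshold is an assumption.
SAMPLE_CONFIG = """\
interface 10GE1/0/1
 port link-type hybrid
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
 l2protocol-tunnel stp enable
 l2protocol-tunnel drop-threshold 100
#
interface 10GE1/0/2
 port link-type dot1q-tunnel
 port default vlan 20
 l2protocol-tunnel stp vlan 30 to 40
#
interface 10GE1/0/3
 port link-type hybrid
 port hybrid pvid vlan 100
 port hybrid untagged vlan 200
 l2protocol-tunnel lacp enable
 l2protocol-tunnel lacp vlan 100
 l2protocol-tunnel drop-threshold 0
#
"""

TUNNEL_RE = re.compile(
    r"l2protocol-tunnel (?:user-defined-protocol )?(\S+) (enable|vlan)(.*)")


def parse_vlans(text):
    """Expand '30 to 40 100' into a set of VLAN IDs."""
    vlans, tokens, i = set(), text.split(), 0
    while i < len(tokens):
        low = high = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            high = int(tokens[i + 2])
            i += 2
        i += 1
        vlans.update(range(low, high + 1))
    return vlans


def parse_interfaces(config):
    """Return {interface name: [stripped config lines]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            current = blocks.setdefault(line.split(None, 1)[1], [])
        elif line == "#":
            current = None
        elif line and current is not None:
            current.append(line)
    return blocks


def audit(config):
    """Return sorted (interface, code) findings for tunnelling interfaces."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        link = pvid = default = threshold = None
        untagged, enabled, by_vlan = set(), set(), {}
        for line in lines:
            m = TUNNEL_RE.fullmatch(line)
            if m and m.group(2) == "enable":
                enabled.add(m.group(1))
            elif m:
                by_vlan.setdefault(m.group(1), set()).update(parse_vlans(m.group(3)))
            elif line.startswith("port link-type "):
                link = line.split()[-1]
            elif line.startswith("port hybrid pvid vlan "):
                pvid = int(line.split()[-1])
            elif line.startswith("port hybrid untagged vlan "):
                untagged |= parse_vlans(line.split("vlan", 1)[1])
            elif line.startswith("port default vlan "):
                default = int(line.split()[-1])
            elif line.startswith("l2protocol-tunnel drop-threshold "):
                threshold = int(line.split()[-1])
        if not enabled and not by_vlan:
            continue  # tunnelling not configured on this interface
        if enabled & by_vlan.keys():  # same protocol in both modes
            findings.append((name, "MODE_CONFLICT"))
        if link == "hybrid" and enabled and untagged != {pvid}:
            findings.append((name, "PVID_UNTAGGED_MISMATCH"))
        if link == "dot1q-tunnel" and any(default not in v for v in by_vlan.values()):
            findings.append((name, "OUTER_VLAN_NOT_IN_RANGE"))
        if not threshold:  # absent or 0: protocol packets are not limited
            findings.append((name, "NO_DROP_THRESHOLD"))
    return sorted(findings)


if __name__ == "__main__":
    for name, code in audit(SAMPLE_CONFIG):
        print(name, code)
```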

14.8.4 Verifying the Layer 2 Protocol Tunneling Configuration

Procedure
● Run the display l2protocol-tunnel group-mac { all | protocol-type | user-
defined-protocol protocol-name } command to check information about
transparent transmission of specified or all Layer 2 protocol packets.

----End


14.9 Configuring the Device to Transparently Transmit BPDUs

Context
When the backbone edge device connects to many user edge devices, the backbone
edge device forwards BPDUs through the hardware to improve BPDU forwarding
efficiency. By default, a Layer 2 interface is not allowed to forward BPDUs when
the device forwards BPDUs through the hardware, so user edge devices connected
to the backbone edge device cannot communicate. A Layer 2 interface can be
enabled to forward BPDUs when the device forwards BPDUs through the hardware.

To ensure that tagged BPDUs are forwarded by a Layer 2 interface and untagged
BPDUs are sent to the CPU for processing, enable the device to forward only
tagged BPDUs through the hardware.

Procedure
● Configure the device to transparently transmit all BPDUs.
a. Run system-view

The system view is displayed.


b. Run interface interface-type interface-number

The interface view is displayed.


c. Run bpdu bridge enable

A Layer 2 interface is enabled to forward BPDUs when the device
forwards BPDUs through the hardware.

By default, a Layer 2 interface is not allowed to forward BPDUs when the
device forwards BPDUs through the hardware.
NOTE

To use the hardware to forward BPDUs of a protocol such as STP, disable this
protocol before running the bpdu bridge enable command.
d. Run commit

The configuration is committed.


● Configure the device to transparently transmit tagged BPDUs. (Only the
CE6870EI and CE6875EI support this function.)
a. Run system-view

The system view is displayed.


b. Run bpdu bridge tagged-packet enable

A Layer 2 interface is enabled to forward tagged BPDUs when the device
forwards BPDUs through the hardware.


By default, a Layer 2 interface is not allowed to forward tagged BPDUs
when the device forwards BPDUs through the hardware.
c. Run commit

The configuration is committed.

----End

14.10 Maintaining Layer 2 Protocol Tunneling


Maintaining Layer 2 protocol tunneling includes displaying and clearing statistics
about Layer 2 protocol packets that are transparently transmitted on an interface.

14.10.1 Displaying Statistics About Layer 2 Protocol Packets That Are Transparently Transmitted on an Interface

Context
You can run the display l2protocol-tunnel statistics command in any view to
check the statistics about Layer 2 protocol packets that are transparently
transmitted on an interface, which helps you locate faults.

Procedure
● Run the display l2protocol-tunnel statistics command in any view to check
the statistics about Layer 2 protocol packets that are transparently
transmitted on an interface.

----End

14.10.2 Clearing Statistics About Layer 2 Protocol Packets That Are Transparently Transmitted on an Interface

Context
Before recollecting statistics about Layer 2 protocol packets transparently
transmitted on an interface in a certain period, clear existing statistics on the
interface.

NOTICE
The cleared statistics cannot be restored. Exercise caution when you run this
command.


Procedure
● Run the reset l2protocol-tunnel statistics command in any view to clear the
statistics about Layer 2 protocol packets that are transparently transmitted on
an interface.
----End

14.11 Configuration Examples for Layer 2 Protocol Tunneling

This section only provides configuration examples for individual features. For
details about multi-feature configuration examples, feature-specific configuration
examples, interoperation examples, protocol or hardware replacement examples,
and industry application examples, see the Typical Configuration Examples.

14.11.1 Example for Configuring Interface-based Layer 2 Protocol Tunneling

Networking Requirements
As shown in Figure 14-6, CEs are edge devices on two private networks of an
enterprise located in different areas, and PE1 and PE2 are edge devices on the ISP
network. The two private networks of the enterprise are Layer 2 networks and
they are connected through the ISP network. STP is run on the Layer 2 networks
to prevent loops. Enterprise users require that STP run only on the private
networks so that spanning trees can be generated correctly.

Figure 14-6 Networking diagram for configuring interface-based Layer 2 protocol tunneling
[Figure: CE1 (User A network1) and CE2 (User A network2) connect through 10GE1/0/1 to 10GE1/0/1 on PE1 and PE2 respectively; PE1 and PE2 are connected across the ISP network.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure STP on CEs to prevent loops on Layer 2 networks.
2. Add PE interfaces connected to CEs to specified VLANs so that PEs forward
packets from the VLANs.
3. Configure interface-based Layer 2 protocol tunneling on PEs so that STP
packets are not sent to the CPUs of PEs for processing.

Procedure
Step 1 Enable STP on CEs.
# Configure CE1.
<HUAWEI> system-view
[~HUAWEI] sysname CE1
[*HUAWEI] commit
[~CE1] vlan 100
[*CE1-vlan100] quit
[*CE1] stp enable
[*CE1] interface 10ge 1/0/1
[*CE1-10GE1/0/1] port link-type access
[*CE1-10GE1/0/1] port default vlan 100
[*CE1-10GE1/0/1] quit
[*CE1] commit

# Configure CE2.
<HUAWEI> system-view
[~HUAWEI] sysname CE2
[*HUAWEI] commit
[~CE2] vlan 100
[*CE2-vlan100] quit
[*CE2] stp enable
[*CE2] interface 10ge 1/0/1
[*CE2-10GE1/0/1] port link-type access
[*CE2-10GE1/0/1] port default vlan 100
[*CE2-10GE1/0/1] quit
[*CE2] commit

Step 2 Add 10GE1/0/1 on PE1 and PE2 to VLAN 100 and enable Layer 2 protocol
tunneling on PEs.
# Configure PE1.
<HUAWEI> system-view
[~HUAWEI] sysname PE1
[*HUAWEI] commit
[~PE1] stp enable
[*PE1] commit
[~PE1] vlan 100
[*PE1-vlan100] quit
[*PE1] interface 10ge 1/0/1
[*PE1-10GE1/0/1] port link-type access
[*PE1-10GE1/0/1] port default vlan 100
[*PE1-10GE1/0/1] stp disable
[*PE1-10GE1/0/1] l2protocol-tunnel stp enable
[*PE1-10GE1/0/1] quit
[*PE1] commit

# Configure PE2.
<HUAWEI> system-view
[~HUAWEI] sysname PE2
[*HUAWEI] commit
[~PE2] stp enable
[*PE2] commit
[~PE2] vlan 100
[*PE2-vlan100] quit
[*PE2] interface 10ge 1/0/1
[*PE2-10GE1/0/1] port link-type access
[*PE2-10GE1/0/1] port default vlan 100
[*PE2-10GE1/0/1] stp disable
[*PE2-10GE1/0/1] l2protocol-tunnel stp enable
[*PE2-10GE1/0/1] quit
[*PE2] commit


NOTE

If the remote device sends packets of non-standard protocols, first run the following
command to define the characteristics of the Layer 2 protocol to be transparently
transmitted:
l2protocol-tunnel user-defined-protocol protocol-name protocol-mac protocol-mac [ encap-type { { ethernetii | snap } protocol-type protocol-type-value | llc dsap dsap-value ssap ssap-value } ] group-mac { group-mac | default-group-mac }
Then run the l2protocol-tunnel user-defined-protocol protocol-name enable command to
enable Layer 2 protocol tunneling.

Step 3 Configure PEs to replace the destination MAC address of STP packets received
from CEs.
# Configure PE1.
[~PE1] l2protocol-tunnel stp group-mac 0100-5e00-0011
[*PE1] commit

# Configure PE2.
[~PE2] l2protocol-tunnel stp group-mac 0100-5e00-0011
[*PE2] commit

Step 4 Set the priority of CE2 to 4096.
[~CE2] stp priority 4096
[*CE2] commit

Step 5 Verify the configuration.
# After the configuration is complete, run the display l2protocol-tunnel group-mac
command on PEs. You can view the protocol type or name, multicast
destination MAC address, group MAC address, and priority of Layer 2 protocol
packets to be transparently transmitted.
The display on PE1 is used as an example.
[~PE1] display l2protocol-tunnel group-mac stp
Protocol  EncapeType  ProtocolType  Protocol-MAC    Group-MAC       Pri
-----------------------------------------------------------------------------
stp       llc         dsap 0x42     0180-c200-0000  0100-5e00-0011  0
                      ssap 0x42

# After 30s, run the display stp brief command on CE1 and CE2 to view the root
in the MSTP region. You can find that a spanning tree is calculated between CE1
and CE2. 10GE1/0/1 on CE1 is the root port and 10GE1/0/1 on CE2 is the
designated port.
[~CE1] display stp brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 ROOT forwarding none 2000 disable
[~CE2] display stp brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 DESI forwarding none 2000 disable

----End

Configuration Files
● CE1 configuration file
#
sysname CE1
#
vlan batch 100
#
interface 10GE1/0/1
port default vlan 100
#
return

● CE2 configuration file
#
sysname CE2
#
vlan batch 100
#
stp instance 0 priority 4096
#
interface 10GE1/0/1
port default vlan 100
#
return

● PE1 configuration file
#
sysname PE1
#
vlan batch 100
#
l2protocol-tunnel stp group-mac 0100-5e00-0011
#
interface 10GE1/0/1
port default vlan 100
stp disable
l2protocol-tunnel stp enable
#
return

● PE2 configuration file
#
sysname PE2
#
vlan batch 100
#
l2protocol-tunnel stp group-mac 0100-5e00-0011
#
interface 10GE1/0/1
port default vlan 100
stp disable
l2protocol-tunnel stp enable
#
return

14.11.2 Example for Configuring VLAN-based Layer 2 Protocol Tunneling

Networking Requirements
As shown in Figure 14-7, CEs are edge devices on two private networks of an
enterprise located in different areas, and PE1 and PE2 are edge devices on the ISP
network. VLAN 100 and VLAN 200 are Layer 2 networks for different users and
are connected through the ISP network. STP is run on the Layer 2 networks to
prevent loops. Enterprise users require that STP run only on the private networks
so that spanning trees can be generated correctly.

● All the devices in VLAN 100 participate in calculation of a spanning tree.
● All the devices in VLAN 200 participate in calculation of a spanning tree.

Figure 14-7 Networking diagram for configuring VLAN-based Layer 2 protocol tunneling
[Figure: PE1 and PE2 are connected across the ISP network. On each PE, 10GE1/0/2 connects to 10GE1/0/1 of a CE in VLAN 100 (User A: CE1 on PE1, CE2 on PE2) and 10GE1/0/3 connects to 10GE1/0/1 of a CE in VLAN 200 (User B: CE3 on PE1, CE4 on PE2).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure STP on CEs to prevent loops on Layer 2 networks.
2. Configure CEs to send STP packets with specified VLAN tags to PEs so that
spanning tree calculation is completed independently in VLAN 100 and
VLAN 200.
3. Configure VLAN-based Layer 2 protocol tunneling on PEs so that STP packets
are not sent to the CPUs of PEs for processing.

Procedure
Step 1 Enable STP on CEs.
# Configure CE1.
<HUAWEI> system-view
[~HUAWEI] sysname CE1
[*HUAWEI] commit
[~CE1] stp enable
[*CE1] commit

# Configure CE2.
<HUAWEI> system-view
[~HUAWEI] sysname CE2
[*HUAWEI] commit
[~CE2] stp enable
[*CE2] commit

# Configure CE3.
<HUAWEI> system-view
[~HUAWEI] sysname CE3
[*HUAWEI] commit
[~CE3] stp enable
[*CE3] commit

# Configure CE4.
<HUAWEI> system-view
[~HUAWEI] sysname CE4
[*HUAWEI] commit
[~CE4] stp enable
[*CE4] commit

Step 2 Configure CE1 and CE2 to send STP packets with VLAN tag 100 to PEs, and
configure CE3 and CE4 to send STP packets with VLAN tag 200 to PEs.
# Configure CE1.
[~CE1] vlan 100
[*CE1-vlan100] quit
[*CE1] interface 10ge 1/0/1
[*CE1-10GE1/0/1] port link-type trunk
[*CE1-10GE1/0/1] port trunk allow-pass vlan 100
[*CE1-10GE1/0/1] stp bpdu vlan 100
[*CE1-10GE1/0/1] quit
[*CE1] commit

# Configure CE2.
[~CE2] vlan 100
[*CE2-vlan100] quit
[*CE2] interface 10ge 1/0/1
[*CE2-10GE1/0/1] port link-type trunk
[*CE2-10GE1/0/1] port trunk allow-pass vlan 100
[*CE2-10GE1/0/1] stp bpdu vlan 100
[*CE2-10GE1/0/1] quit
[*CE2] commit

# Configure CE3.
[~CE3] vlan 200
[*CE3-vlan200] quit
[*CE3] interface 10ge 1/0/1
[*CE3-10GE1/0/1] port link-type trunk
[*CE3-10GE1/0/1] port trunk allow-pass vlan 200
[*CE3-10GE1/0/1] stp bpdu vlan 200
[*CE3-10GE1/0/1] quit
[*CE3] commit

# Configure CE4.
[~CE4] vlan 200
[*CE4-vlan200] quit
[*CE4] interface 10ge 1/0/1
[*CE4-10GE1/0/1] port link-type trunk
[*CE4-10GE1/0/1] port trunk allow-pass vlan 200
[*CE4-10GE1/0/1] stp bpdu vlan 200
[*CE4-10GE1/0/1] quit
[*CE4] commit

Step 3 Configure PE interfaces to transparently transmit STP packets of CEs to the peer
ends.
# Configure PE1.
<HUAWEI> system-view
[~HUAWEI] sysname PE1
[*HUAWEI] commit
[~PE1] vlan 100
[*PE1-vlan100] quit
[*PE1] vlan 200
[*PE1-vlan200] quit
[*PE1] interface 10ge 1/0/2
[*PE1-10GE1/0/2] port link-type trunk
[*PE1-10GE1/0/2] port trunk allow-pass vlan 100
[*PE1-10GE1/0/2] l2protocol-tunnel stp vlan 100
[*PE1-10GE1/0/2] quit
[*PE1] interface 10ge 1/0/3
[*PE1-10GE1/0/3] port link-type trunk
[*PE1-10GE1/0/3] port trunk allow-pass vlan 200
[*PE1-10GE1/0/3] l2protocol-tunnel stp vlan 200
[*PE1-10GE1/0/3] quit
[*PE1] commit

# Configure PE2.
<HUAWEI> system-view
[~HUAWEI] sysname PE2
[*HUAWEI] commit
[~PE2] vlan 100
[*PE2-vlan100] quit
[*PE2] vlan 200
[*PE2-vlan200] quit
[*PE2] interface 10ge 1/0/2
[*PE2-10GE1/0/2] port link-type trunk
[*PE2-10GE1/0/2] port trunk allow-pass vlan 100
[*PE2-10GE1/0/2] l2protocol-tunnel stp vlan 100
[*PE2-10GE1/0/2] quit
[*PE2] interface 10ge 1/0/3
[*PE2-10GE1/0/3] port link-type trunk
[*PE2-10GE1/0/3] port trunk allow-pass vlan 200
[*PE2-10GE1/0/3] l2protocol-tunnel stp vlan 200
[*PE2-10GE1/0/3] quit
[*PE2] commit

NOTE

If the remote device sends packets of non-standard protocols, first run the following
command to define the characteristics of the Layer 2 protocol to be transparently
transmitted:
l2protocol-tunnel user-defined-protocol protocol-name protocol-mac protocol-mac [ encap-type { { ethernetii | snap } protocol-type protocol-type-value | llc dsap dsap-value ssap ssap-value } ] group-mac { group-mac | default-group-mac }
Then run the l2protocol-tunnel user-defined-protocol protocol-name vlan { low-id [ to high-id ] } &<1-10>
command to enable VLAN-based Layer 2 protocol tunneling.

Step 4 Configure PEs to replace the destination MAC address of STP packets received
from CEs.
# Configure PE1.
[~PE1] l2protocol-tunnel stp group-mac 0100-5e00-0011
[*PE1] commit

# Configure PE2.
[~PE2] l2protocol-tunnel stp group-mac 0100-5e00-0011
[*PE2] commit

Step 5 Set the priority of CE2 and CE4 to 4096.
# Configure CE2.
[~CE2] stp priority 4096
[*CE2] commit

# Configure CE4.
[~CE4] stp priority 4096
[*CE4] commit

Step 6 Verify the configuration.
# After the configuration is complete, run the display l2protocol-tunnel group-mac
command on PEs. You can view the protocol type or name, multicast
destination MAC address, group MAC address, and priority of Layer 2 protocol
packets to be transparently transmitted.
The display on PE1 is used as an example.
[~PE1] display l2protocol-tunnel group-mac stp
Protocol  EncapeType  ProtocolType  Protocol-MAC    Group-MAC       Pri
-----------------------------------------------------------------------------
stp       llc         dsap 0x42     0180-c200-0000  0100-5e00-0011  0
                      ssap 0x42

# After 30s, run the display stp brief command on CE1 and CE2 to view the root
in the MSTP region. You can find that a spanning tree is calculated between CE1
and CE2. 10GE1/0/1 on CE1 is the root port and 10GE1/0/1 on CE2 is the
designated port.
[~CE1] display stp brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 ROOT forwarding none 2000 disable
[~CE2] display stp brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 DESI forwarding none 2000 disable

# After 30s, run the display stp brief command on CE3 and CE4 to view the root
in the MSTP region. You can find that a spanning tree is calculated between CE3
and CE4. 10GE1/0/1 on CE3 is the root port and 10GE1/0/1 on CE4 is the
designated port.
[~CE3] display stp brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 ROOT forwarding none 2000 disable
[~CE4] display stp brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 DESI forwarding none 2000 disable

----End

Configuration Files
● Configuration file of CE1
#
sysname CE1
#
vlan batch 100
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
stp bpdu vlan 100
#
return
● Configuration file of CE2
#
sysname CE2
#
vlan batch 100
#
stp instance 0 priority 4096
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
stp bpdu vlan 100
#
return
● Configuration file of CE3
#
sysname CE3
#
vlan batch 200
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 200
stp bpdu vlan 200
#
return

● Configuration file of CE4
#
sysname CE4
#
vlan batch 200
#
stp instance 0 priority 4096
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 200
stp bpdu vlan 200
#
return

● Configuration file of PE1
#
sysname PE1
#
vlan batch 100 200
#
l2protocol-tunnel stp group-mac 0100-5e00-0011
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 100
l2protocol-tunnel stp vlan 100
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 200
l2protocol-tunnel stp vlan 200
#
return

● Configuration file of PE2
#
sysname PE2
#
vlan batch 100 200
#
l2protocol-tunnel stp group-mac 0100-5e00-0011
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 100
l2protocol-tunnel stp vlan 100
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 200
l2protocol-tunnel stp vlan 200
#
return

14.11.3 Example for Configuring Basic QinQ-based Layer 2 Protocol Tunneling

Networking Requirements
As shown in Figure 14-8, CEs are edge devices on two private networks of an
enterprise located in different areas, and PE1 and PE2 are edge devices on the
enterprise backbone network. VLAN 100 and VLAN 200 are Layer 2 networks for
different users and are connected through the ISP network. STP is run on the
Layer 2 networks to prevent loops. Enterprise users require that STP run only on
the private networks so that spanning trees can be generated correctly.
● All the devices in VLAN 100 participate in calculation of a spanning tree.
● All the devices in VLAN 200 participate in calculation of a spanning tree.
Because public VLAN resources are in short supply, VLAN IDs on the carrier
network must be conserved.

Figure 14-8 Networking diagram for configuring basic QinQ-based Layer 2 protocol tunneling
[Figure: PE1 and PE2 are connected across the ISP network. On each PE, 10GE1/0/2 connects to 10GE1/0/1 of a CE in VLAN100 (User A: CE1 on PE1, CE2 on PE2) and 10GE1/0/3 connects to 10GE1/0/1 of a CE in VLAN200 (User B: CE3 on PE1, CE4 on PE2).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure STP on CEs to prevent loops on Layer 2 networks.
2. Configure CEs to send STP packets with specified VLAN tags to PEs so that
spanning tree calculation is completed independently in VLAN 100 and
VLAN 200.
3. Configure VLAN-based Layer 2 protocol tunneling on PEs so that STP packets
are not sent to the CPUs of PEs for processing.
4. Configure basic QinQ on PEs so that PEs add outer VLAN tag 10 to STP
packets sent from CEs, saving public network VLAN IDs.

Procedure
Step 1 Enable STP on CEs.
# Configure CE1.
<HUAWEI> system-view
[~HUAWEI] sysname CE1
[*HUAWEI] commit
[~CE1] stp enable
[*CE1] commit

# Configure CE2.
<HUAWEI> system-view
[~HUAWEI] sysname CE2
[*HUAWEI] commit
[~CE2] stp enable
[*CE2] commit

# Configure CE3.
<HUAWEI> system-view
[~HUAWEI] sysname CE3
[*HUAWEI] commit
[~CE3] stp enable
[*CE3] commit

# Configure CE4.
<HUAWEI> system-view
[~HUAWEI] sysname CE4
[*HUAWEI] commit
[~CE4] stp enable
[*CE4] commit

Step 2 Configure CE1 and CE2 to send STP packets with VLAN tag 100 to PEs, and
configure CE3 and CE4 to send STP packets with VLAN tag 200 to PEs.
# Configure CE1.
[~CE1] vlan 100
[*CE1-vlan100] quit
[*CE1] interface 10ge 1/0/1
[*CE1-10GE1/0/1] port link-type trunk
[*CE1-10GE1/0/1] port trunk allow-pass vlan 100
[*CE1-10GE1/0/1] stp bpdu vlan 100
[*CE1-10GE1/0/1] quit
[*CE1] commit

# Configure CE2.
[~CE2] vlan 100
[*CE2-vlan100] quit
[*CE2] interface 10ge 1/0/1
[*CE2-10GE1/0/1] port link-type trunk
[*CE2-10GE1/0/1] port trunk allow-pass vlan 100
[*CE2-10GE1/0/1] stp bpdu vlan 100
[*CE2-10GE1/0/1] quit
[*CE2] commit

# Configure CE3.
[~CE3] vlan 200
[*CE3-vlan200] quit
[*CE3] interface 10ge 1/0/1
[*CE3-10GE1/0/1] port link-type trunk
[*CE3-10GE1/0/1] port trunk allow-pass vlan 200
[*CE3-10GE1/0/1] stp bpdu vlan 200
[*CE3-10GE1/0/1] quit
[*CE3] commit

# Configure CE4.
[~CE4] vlan 200
[*CE4-vlan200] quit
[*CE4] interface 10ge 1/0/1
[*CE4-10GE1/0/1] port link-type trunk
[*CE4-10GE1/0/1] port trunk allow-pass vlan 200
[*CE4-10GE1/0/1] stp bpdu vlan 200
[*CE4-10GE1/0/1] quit
[*CE4] commit

Step 3 Configure basic QinQ-based Layer 2 protocol tunneling on PEs so that STP packets
with VLAN tags 100 and 200 are tagged with outer VLAN 10 by PEs and can be
transmitted on the ISP network.
# Configure PE1.
[~PE1] vlan 10
[*PE1-vlan10] quit
[*PE1] interface 10ge 1/0/2
[*PE1-10GE1/0/2] port link-type dot1q-tunnel
[*PE1-10GE1/0/2] port default vlan 10
[*PE1-10GE1/0/2] l2protocol-tunnel stp vlan 10
[*PE1-10GE1/0/2] quit
[*PE1] interface 10ge 1/0/3
[*PE1-10GE1/0/3] port link-type dot1q-tunnel
[*PE1-10GE1/0/3] port default vlan 10
[*PE1-10GE1/0/3] l2protocol-tunnel stp vlan 10
[*PE1-10GE1/0/3] quit
[*PE1] commit

# Configure PE2.
[~PE2] vlan 10
[*PE2-vlan10] quit
[*PE2] interface 10ge 1/0/2
[*PE2-10GE1/0/2] port link-type dot1q-tunnel
[*PE2-10GE1/0/2] port default vlan 10
[*PE2-10GE1/0/2] l2protocol-tunnel stp vlan 10
[*PE2-10GE1/0/2] quit
[*PE2] interface 10ge 1/0/3
[*PE2-10GE1/0/3] port link-type dot1q-tunnel
[*PE2-10GE1/0/3] port default vlan 10
[*PE2-10GE1/0/3] l2protocol-tunnel stp vlan 10
[*PE2-10GE1/0/3] quit
[*PE2] commit

NOTE

If the remote device sends packets of non-standard protocols, first run the following
command to define the characteristics of the Layer 2 protocol to be transparently
transmitted:
l2protocol-tunnel user-defined-protocol protocol-name protocol-mac protocol-mac [ encap-type { { ethernetii | snap } protocol-type protocol-type-value | llc dsap dsap-value ssap ssap-value } ] group-mac { group-mac | default-group-mac }
Then run the l2protocol-tunnel user-defined-protocol protocol-name vlan { low-id [ to high-id ] } &<1-10>
command to enable basic QinQ-based Layer 2 protocol tunneling.

Step 4 Configure PEs to replace the destination MAC address of STP packets received
from CEs.
# Configure PE1.
[~PE1] l2protocol-tunnel stp group-mac 0100-5e00-0011
[*PE1] commit

# Configure PE2.
[~PE2] l2protocol-tunnel stp group-mac 0100-5e00-0011
[*PE2] commit

Step 5 Verify the configuration.
After the configuration is complete, run the display l2protocol-tunnel group-mac
command on PEs. You can view the protocol type or name, multicast
destination MAC address, group MAC address, and priority of Layer 2 protocol
packets to be transparently transmitted.

The display on PE1 is used as an example.
[~PE1] display l2protocol-tunnel group-mac stp
Protocol  EncapeType  ProtocolType  Protocol-MAC    Group-MAC       Pri
-----------------------------------------------------------------------------
stp       llc         dsap 0x42     0180-c200-0000  0100-5e00-0011  0
                      ssap 0x42

Run the display stp brief command on CE1 and CE2 to view the root in the MSTP
region. You can find that a spanning tree is calculated between CE1 and CE2.
10GE1/0/1 on CE1 is the root port and 10GE1/0/1 on CE2 is the designated port.
[~CE1] display stp brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 ROOT forwarding none 2000 disable
[~CE2] display stp brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 DESI forwarding none 2000 disable

Run the display stp brief command on CE3 and CE4 to view the root in the MSTP
region. You can find that a spanning tree is calculated between CE3 and CE4.
10GE1/0/1 on CE3 is the root port and 10GE1/0/1 on CE4 is the designated port.
[~CE3] display stp brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 ROOT forwarding none 2000 disable
[~CE4] display stp brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 DESI forwarding none 2000 disable

Run the display vlan command on PEs to view the QinQ configuration.

The display on PE1 is used as an example.
[~PE1] display vlan 10 verbose
* : Management-VLAN
---------------------
VLAN ID : 10
VLAN Name :
VLAN Type : Common
Description : VLAN 0010
Status : Enable
Broadcast : Enable
MAC Learning : Enable
Smart MAC Learning : Disable
Current MAC Learning Result : Enable
Statistics : Disable
Property : Default
VLAN State : Up
----------------
Untagged Port: 10GE1/0/1 10GE1/0/2
----------------
Active Untag Port: 10GE1/0/1 10GE1/0/2
-------------------
Interface Physical
10GE1/0/1 Up
10GE1/0/2 Up

----End
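
The MAC replacement and outer-tag handling configured in the examples above can be followed frame by frame. The Python model below is an added illustration, not Huawei code: the two MAC addresses and the LLC values come from the display l2protocol-tunnel group-mac output, while the 0x8100 TPID, the zeroed BPDU body, the CE source MAC, and the restoration of the protocol MAC on the remote PE are assumptions. It models only the handling of STP BPDUs.

```python
import struct

PROTOCOL_MAC = bytes.fromhex("0180c2000000")  # Protocol-MAC column in the display output
GROUP_MAC = bytes.fromhex("01005e000011")     # Group-MAC configured on PE1 and PE2
TPID = 0x8100                                 # assumed TPID for inner and outer tags
LLC_STP = b"\x42\x42\x03"                     # dsap 0x42, ssap 0x42, UI control field


def build_bpdu(src_mac, vlan=None):
    """Constructed sample: frame carrying a zeroed 35-byte configuration BPDU."""
    payload = LLC_STP + bytes(35)
    tag = struct.pack("!HH", TPID, vlan) if vlan is not None else b""
    return PROTOCOL_MAC + src_mac + tag + struct.pack("!H", len(payload)) + payload


def parse(frame):
    """Return destination MAC, VLAN tag stack (outermost first) and LLC header."""
    vlans, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID:
        vlans.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return {"dst": frame[:6], "vlans": vlans, "llc": frame[off + 2:off + 5]}


def pe_ingress(frame, outer_vlan=None):
    """CE-facing PE port: replace the Protocol-MAC with the Group-MAC.
    In the basic QinQ case (dot1q-tunnel port) the outer tag is pushed as well."""
    info = parse(frame)
    if info["dst"] != PROTOCOL_MAC or info["llc"][:2] != LLC_STP[:2]:
        return frame                      # not an STP BPDU: outside this model
    tag = struct.pack("!HH", TPID, outer_vlan) if outer_vlan is not None else b""
    return GROUP_MAC + frame[6:12] + tag + frame[12:]


def core_switch_consumes(frame):
    """A provider switch running STP terminates frames sent to the STP MAC."""
    return frame[:6] == PROTOCOL_MAC


def pe_egress(frame, outer_vlan=None):
    """Remote PE (assumed behaviour): pop the outer tag, restore the Protocol-MAC."""
    info = parse(frame)
    if info["dst"] != GROUP_MAC:
        return frame
    rest = frame[12:]
    if outer_vlan is not None and info["vlans"][:1] == [outer_vlan]:
        rest = rest[4:]
    return PROTOCOL_MAC + frame[6:12] + rest


def tunnel(frame, outer_vlan=None):
    """Carry one frame CE -> PE1 -> ISP core -> PE2 -> CE and report each stage."""
    in_core = pe_ingress(frame, outer_vlan)
    return {
        "core_dst": parse(in_core)["dst"].hex(),
        "core_vlans": parse(in_core)["vlans"],
        "core_consumes": core_switch_consumes(in_core),
        "delivered": pe_egress(in_core, outer_vlan),
    }


if __name__ == "__main__":
    ce1 = bytes.fromhex("00e0fc000001")   # constructed CE1 bridge MAC
    for outer in (None, 10):              # VLAN-based case, then basic QinQ case
        bpdu = build_bpdu(ce1, 100)
        result = tunnel(bpdu, outer)
        print(outer, result["core_dst"], result["core_vlans"],
              result["core_consumes"], result["delivered"] == bpdu)
```

Inside the ISP network the BPDU carries the group MAC, so a core switch does not treat it as its own STP traffic; the CE at the far end receives the frame it would have seen on a direct link.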

Configuration Files
● Configuration file of CE1
#
sysname CE1
#
vlan batch 100
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
stp bpdu vlan 100
#
return
● Configuration file of CE2
#
sysname CE2
#
vlan batch 100
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
stp bpdu vlan 100
#
return
● Configuration file of CE3
#
sysname CE3
#
vlan batch 200
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 200
stp bpdu vlan 200
#
return
● Configuration file of CE4
#
sysname CE4
#
vlan batch 200
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 200
stp bpdu vlan 200
#
return
● Configuration file of PE1
#
sysname PE1
#
vlan batch 10
#
l2protocol-tunnel stp group-mac 0100-5e00-0011
#
interface 10GE1/0/2
port link-type dot1q-tunnel
port default vlan 10
l2protocol-tunnel stp vlan 10
#
interface 10GE1/0/3
port link-type dot1q-tunnel
port default vlan 10
l2protocol-tunnel stp vlan 10
#
return

● Configuration file of PE2
#
sysname PE2
#
vlan batch 10
#
l2protocol-tunnel stp group-mac 0100-5e00-0011
#
interface 10GE1/0/2
port link-type dot1q-tunnel
port default vlan 10
l2protocol-tunnel stp vlan 10
#
interface 10GE1/0/3
port link-type dot1q-tunnel
port default vlan 10
l2protocol-tunnel stp vlan 10
#
return
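
A PE pair can be checked against the pattern used in the configuration files of these examples. The following Python audit is an added example, not a Huawei tool: its three checks (same group MAC on both PEs, stp disable on ports with l2protocol-tunnel stp enable, tunneled VLAN carried by the port) are derived from the example files rather than from vendor rules, and the PE2 sample is constructed with deliberate deviations.

```python
import re

def parse_config(text):
    """Split a configuration file into global and per-interface lines."""
    cfg = {"sysname": "?", "global": [], "interfaces": {}}
    section = cfg["global"]
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("", "return"):
            continue
        if line == "#":
            section = cfg["global"]
        elif line.startswith("interface "):
            section = cfg["interfaces"].setdefault(line.split(None, 1)[1], [])
        else:
            if line.startswith("sysname "):
                cfg["sysname"] = line.split(None, 1)[1]
            section.append(line)
    return cfg

def group_mac(cfg):
    """Return the STP group MAC set in the global section, or None."""
    for line in cfg["global"]:
        m = re.fullmatch(r"l2protocol-tunnel stp group-mac (\S+)", line)
        if m:
            return m.group(1).lower()

def vlan_set(spec):
    """Expand 'all', '100 200' or '100 to 110' into a set of VLAN IDs."""
    if spec.strip() == "all":
        return set(range(1, 4095))
    ids = set()
    for low, high in re.findall(r"(\d+)(?: to (\d+))?", spec):
        ids.update(range(int(low), int(high or low) + 1))
    return ids

def audit(cfg):
    """Per-device checks modelled on the example configuration files."""
    findings, name = [], cfg["sysname"]
    for ifname, lines in cfg["interfaces"].items():
        carried = set()
        for line in lines:
            m = re.fullmatch(r"port (?:trunk allow-pass|default) vlan (.+)", line)
            if m:
                carried |= vlan_set(m.group(1))
        for line in lines:
            m = re.fullmatch(r"l2protocol-tunnel stp (?:(enable)|vlan (.+))", line)
            if m and m.group(1) and "stp disable" not in lines:
                findings.append(f"{name} {ifname}: tunnel port still runs STP")
            elif m and m.group(2) and not vlan_set(m.group(2)) <= carried:
                findings.append(f"{name} {ifname}: tunneled VLAN not carried")
    return findings

def audit_pair(cfg_a, cfg_b):
    """Audit both PEs and require the same group MAC at each end."""
    findings = audit(cfg_a) + audit(cfg_b)
    if group_mac(cfg_a) != group_mac(cfg_b):
        findings.append(f"{cfg_a['sysname']}/{cfg_b['sysname']}: group-mac mismatch")
    return findings

# Constructed samples: PE1 matches the page, PE2 has drifted.
PE1 = """sysname PE1
#
l2protocol-tunnel stp group-mac 0100-5e00-0011
#
interface 10GE1/0/1
 port default vlan 100
 stp disable
 l2protocol-tunnel stp enable
return"""
PE2_DRIFTED = """sysname PE2
#
l2protocol-tunnel stp group-mac 0100-5e00-0012
#
interface 10GE1/0/1
 port default vlan 100
 l2protocol-tunnel stp enable
#
interface 10GE1/0/3
 port trunk allow-pass vlan 100
 l2protocol-tunnel stp vlan 200
return"""

if __name__ == "__main__":
    for finding in audit_pair(parse_config(PE1), parse_config(PE2_DRIFTED)):
        print(finding)
```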
