H3C S5120-SI Series Ethernet Switches Layer 2 LAN Switching Configuration Guide


H3C S5120-SI Series Ethernet Switches Layer 2 LAN Switching Configuration Guide
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com

Copyright 2003-2010, Hangzhou H3C Technologies Co., Ltd. and its licensors. All Rights Reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

Trademarks
H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners.

Notice
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Environmental Protection
This product has been designed to comply with the requirements on environmental protection. The storage, use, and disposal of this product must meet the applicable national laws and regulations.

Preface

The H3C S5120-SI documentation set includes 13 configuration guides, which describe the software features for the H3C S5120-SI Series Routing Switches and guide you through the software configuration procedures. These configuration guides also provide configuration examples to help you apply software features to different network scenarios.

This preface includes:
  Audience
  Conventions
  About the H3C S5120-SI documentation set
  Obtaining documentation
  Documentation feedback

Audience

This documentation is intended for:
  Network planners
  Field technical support and servicing engineers
  Network administrators working with the S5120-SI series

Conventions

This section describes the conventions used in this documentation set.

Command conventions
  Boldface          Bold text represents commands and keywords that you enter literally as shown.
  italic            Italic text represents arguments that you replace with actual values.
  [ ]               Square brackets enclose syntax choices (keywords or arguments) that are optional.
  { x | y | ... }   Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
  [ x | y | ... ]   Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
  { x | y | ... } * Asterisk marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
  [ x | y | ... ] * Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you may select multiple choices or none.
  &<1-n>            The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
  #                 A line that starts with a pound (#) sign is comments.

GUI conventions
  < >   Button names are inside angle brackets. For example, click <OK>.
  [ ]   Window names, menu items, data table and field names are inside square brackets. For example, pop up the [New User] window.
  /     Multi-level menus are separated by forward slashes. For example, [File/Create/Folder].

Symbols
  Means reader be extremely careful. Improper operation may cause bodily injury.
  Means reader be careful. Improper operation may cause data loss or damage to equipment.
  Means an action or information that needs special attention to ensure successful configuration or good performance.
  Means a complementary description.
  Means techniques helpful for you to make configuration with ease.

Network topology icons
  Represents a generic network device, such as a router, switch, or firewall.
  Represents a routing-capable device, such as a router or Layer 3 switch.
  Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.

About the H3C S5120-SI documentation set

Product description and specifications
  Marketing brochures: Describe product specifications and benefits.
  Technology white papers: Provide an in-depth description of software features and technologies.
  Card datasheets: Describe card specifications, features, and standards.

Hardware specifications and installation
  Compliance and safety manual: Provides regulatory information and the safety instructions that must be followed during installation.
  Quick start: Guides you through initial installation and setup procedures to help you quickly set up and use your device with the minimum configuration.
  Installation guide: Provides a complete guide to hardware installation and hardware specifications.
  Card manuals: Provide the hardware specifications of cards.
  H3C Cabinet Installation and Remodel Introduction: Guides you through installing and remodeling H3C cabinets.
  H3C Pluggable SFP [SFP+][XFP] Transceiver Modules Installation Guide: Guides you through installing SFP/SFP+/XFP transceiver modules.
  Adjustable Slider Rail Installation Guide: Guides you through installing adjustable slider rails to a rack.
  H3C High-End Network Products Hot-Swappable Module Manual: Describes the hot-swappable modules available for the H3C high-end network products, their external views, and specifications.

Software configuration
  Configuration guides: Describe software features and configuration procedures.
  Command references: Provide a quick reference to all available commands.
  Configuration examples: Describe typical network scenarios and provide configuration examples and instructions.

Operations and maintenance
  System log messages: Explains the system log messages.
  Trap messages: Explains the trap messages.
  MIB Companion: Describes the MIBs for the software release.
  Release notes: Provide information about the product release, including the version history, hardware and software compatibility matrix, version upgrade information, technical support information, and software upgrading.
  Error code reference: Explains the error codes.

Obtaining documentation

You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the links on the top navigation bar to obtain different categories of product documentation:
  [Technical Support & Documents > Technical Documents]: Provides hardware installation, software upgrading, and software feature configuration and maintenance documentation.
  [Products & Solutions]: Provides information about products and technologies, as well as solutions.
  [Technical Support & Documents > Software Download]: Provides the documentation released with the software version.

Documentation feedback

You can e-mail your comments about product documentation to info@h3c.com. We appreciate your comments.

Table of Contents

Preface 3
  Audience 3
  Conventions 4
  About the H3C S5120-SI documentation set 6
Ethernet interface configuration 12
  Configuring basic settings of an Ethernet interface 12
  Setting speed options for auto negotiation on an Ethernet interface 13
  Configuring flow control on an Ethernet interface 14
  Performing loopback testing on an Ethernet interface 14
  Enabling auto power down on an Ethernet port 16
  Configuring a port group 16
  Configuring traffic storm protection 17
    Configuring storm suppression 17
    Configuring the storm constrain function on an Ethernet interface 18
  Setting the statistics polling interval on an Ethernet interface 19
  Enabling forwarding of jumbo frames 20
  Enabling loopback detection on an Ethernet interface 20
  Configuring the MDI mode for an Ethernet interface 21
  Enabling Bridging on an Ethernet Port 22
  Testing the cable on an Ethernet interface 23
  Displaying and maintaining an Ethernet interface 23
Loopback interface and null interface configuration 24
  Loopback interface 24
    Introduction to loopback interface 24
    Configuring a loopback interface 25
  Null interface 25
    Introduction to null interface 25
    Configuring null 0 interface 26
  Displaying and maintaining loopback and null interfaces 26
MAC address table configuration 27
  Introduction to MAC address table 27
    How a MAC address table entry is generated 27
    Types of MAC address table entries 28
    MAC address table-based frame forwarding 28
  Configuring MAC address table 29
    Configuring MAC address table entries 29
    Configuring the aging timer for dynamic MAC address entries 30
    Configuring the MAC learning limit 31
  Displaying and maintaining MAC address table 31
  MAC address table configuration example 32
Ethernet link aggregation configuration 33
  Overview 33
    Basic concepts 33
    Aggregating links in static mode 36
    Aggregating links in dynamic mode 38
  Configuring an aggregation group 40
    Configuration Guidelines 40
    Configuring a static aggregation group 40
    Configuring a dynamic aggregation group 41
  Configuring an aggregate interface 42
    Configuring the description of an aggregate interface 42
    Enabling link state trapping for an aggregate interface 42
    Shutting down an aggregate interface 43
  Displaying and maintaining Ethernet link aggregation 43
  Ethernet link aggregation configuration examples 44
    Static aggregation configuration example 44
    Dynamic aggregation configuration example 46
Port isolation configuration 49
  Introduction to port isolation 49
  Configuring an isolation group for a multiple-isolation-group device 49
    Assigning a port to the isolation group 49
  Displaying and maintaining isolation groups 50
  Port isolation configuration example 50
MSTP configuration 52
  Overview 52
    Introduction to STP 52
    Protocol packets of STP 52
    Basic concepts in STP 52
    How STP works 54
    Introduction to RSTP 60
    Introduction to MSTP 60
    Why MSTP 60
    Basic concepts in MSTP 61
    How MSTP works 65
    Implementation of MSTP on devices 65
    Protocols and standards 66
  Configuring MSTP 66
    Configuring an MST region 66
    Configuring the root bridge or a secondary root bridge 67
    Configuring the work mode of an MSTP device 69
    Configuring the priority of a device 69
    Configuring the maximum hops of an MST region 70
    Configuring the network diameter of a switched network 70
    Configuring MSTP timers 71
    Configuring the timeout factor 72
    Configuring the maximum port rate 72
    Configuring ports as edge ports 73
    Configuring path costs of ports 74
    Configuring port priority 76
    Configuring the link type of ports 77
    Configuring the mode a port uses to recognize/send MSTP packets 77
    Enabling the output of port state transition information 78
    Enabling the MSTP feature 79
    Performing mcheck 79
    Configuring the VLAN Ignore feature 80
    Configuring Digest Snooping 82
    Configuring No Agreement Check 84
    Configuring protection functions 86
  Displaying and maintaining MSTP 89
  MSTP configuration example 90
VLAN configuration 94
  Introduction to VLAN 94
    VLAN overview 94
    VLAN fundamentals 95
    Types of VLAN 96
  Configuring basic VLAN settings 96
  Configuring basic settings of a VLAN interface 97
  Port-based VLAN configuration 98
    Introduction to Port-Based VLAN 98
    Assigning an access port to a VLAN 100
    Assigning a trunk port to a VLAN 101
    Assigning a hybrid port to a VLAN 102
  Displaying and maintaining VLAN 103
  VLAN configuration example 104
Voice VLAN configuration 107
  Overview 107
    OUI addresses 107
    Voice VLAN assignment modes 108
    Security mode and normal mode of voice VLANs 110
  Configuring a voice VLAN 111
    Configuration prerequisites 111
    Setting a port to operate in automatic voice VLAN assignment mode 112
    Setting a port to operate in manual voice VLAN assignment mode 113
  Displaying and maintaining Voice VLAN 114
  Voice VLAN configuration examples 114
    Automatic voice VLAN mode configuration example 114
    Manual voice VLAN assignment mode configuration example 116
LLDP configuration 118
  Overview 118
    Background 118
    Basic concepts 119
    How LLDP works 123
    Protocols and standards 124
  Performing basic LLDP configuration 125
    Enabling LLDP 125
    Setting the LLDP operating mode 125
    Setting the LLDP re-initialization delay 126
    Enabling LLDP polling 126
    Configuring the advertisable TLVs 127
    Configuring the management address and its encoding format 127
    Setting other LLDP parameters 128
    Setting an encapsulation format for LLDPDUs 129
  Configuring CDP compatibility 129
    Configuration prerequisites 130
    Configuring CDP compatibility 130
  Configuring LLDP trapping 131
  Displaying and maintaining LLDP 131
  LLDP configuration examples 132
    Basic LLDP configuration example 132
    CDP-compatible LLDP configuration example 135
Obtaining support for your product 137
  Register your product 137
  Purchase value-added services 137
  Troubleshoot online 137
  Access software downloads 138
  Telephone technical support and repair 138
  Contact us 138
Acronyms 139
Index 157

Ethernet interface configuration

Configuring basic settings of an Ethernet interface

Three types of duplex modes are available to Ethernet interfaces:
  Full-duplex mode (full). Interfaces operating in this mode can send and receive packets simultaneously.
  Half-duplex mode (half). Interfaces operating in this mode can either send or receive packets at a given time.
  Auto-negotiation mode (auto). Interfaces operating in this mode determine their duplex mode through auto-negotiation.

If you configure the transmission rate for an Ethernet interface by using the speed command with the auto keyword specified, the transmission rate is determined through auto-negotiation too. For a Gigabit Ethernet interface, you can specify the transmission rate by its auto-negotiation capacity. For details, refer to Setting speed options for auto negotiation on an Ethernet interface.

To configure an Ethernet interface:
1. Enter system view: system-view
2. Enter Ethernet interface view: interface interface-type interface-number
3. Set the description string: description text
   Optional. By default, the description of an interface is the interface name followed by the Interface string, GigabitEthernet1/0/1 Interface for example.
4. Set the duplex mode: duplex { auto | full | half }
   Optional. auto by default. The optical interface of an SFP port does not support the half keyword.
5. Set the transmission rate: speed { 10 | 100 | 1000 | auto }
   Optional. By default, the port speed is in the auto-negotiation mode. The optical interface of an SFP port does not support the 10 or 100 keyword.
6. Shut down the Ethernet interface: shutdown
   Optional. By default, an Ethernet interface is in up state. To bring up an Ethernet interface, use the undo shutdown command.

10-Gigabit Ethernet ports do not support the duplex command or the speed command.

Setting speed options for auto negotiation on an Ethernet interface

By default, speed auto negotiation enables an Ethernet port to negotiate with its peer for the highest speed supported by both ends. If the highest speed is not desirable, you can narrow down the speed option list for negotiation.

Figure 1 Speed auto negotiation application scenario

As shown in Figure 1, the network card transmission rate of the server group (Server 1, Server 2, and Server 3) is 1000 Mbps, and the transmission rate of GigabitEthernet 1/0/4, which provides access to the external network for the server group, is 1000 Mbps too. If you do not specify an auto-negotiation range on the device, the transmission rate on GigabitEthernet 1/0/1, GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 through negotiation with the servers is 1000 Mbps, which may cause congestion on the egress port GigabitEthernet 1/0/4. To solve the problem, configure 100 Mbps as the only speed option available for negotiation on ports GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3.

To set speed options for auto negotiation on an Ethernet port:
1. Enter system view: system-view
2. Enter Ethernet interface view: interface interface-type interface-number
3. Set speed options for auto negotiation: speed auto [ 10 | 100 | 1000 ] *
   Optional.

This function is available for auto-negotiation-capable Gigabit Layer-2 Ethernet electrical ports only. The speed and speed auto commands supersede each other, and whichever is configured last takes effect.

Configuring flow control on an Ethernet interface

You can avoid packet drops on a link by enabling flow control at both ends of the link. When flow control is enabled at both ends and traffic congestion occurs at the receiving end, the receiving end sends a Pause frame to require the sending end to suspend sending packets. The sending end is expected to stop sending any new packet after it receives the Pause frame. In this way, flow control helps avoid packet drops.

To enable flow control on an Ethernet interface:
1. Enter system view: system-view
2. Enter Ethernet interface view: interface interface-type interface-number
3. Enable flow control: flow-control
   Required. Disabled by default.

Performing loopback testing on an Ethernet interface

Loopback testing is performed when you enter the command. It is not recorded in the configuration file. You can perform loopback testing on an Ethernet interface to check whether the interface functions properly. Note that the Ethernet interface cannot forward data packets during the testing.

Loopback testing falls into the following two categories:
  Internal loopback testing, which tests all on-chip functions related to Ethernet interfaces. As shown in Figure 2, internal loopback testing is performed on Port 1. During internal loopback testing, the port sends out a certain number of test packets, which are looped back to the port over the self-loop created on the switching chip.

Figure 2 Internal loopback testing

  External loopback testing, which tests the hardware of Ethernet interfaces. As shown in Figure 3, external loopback testing is performed on Port 1. To perform external loopback testing on an Ethernet interface, insert a loopback plug into the port. During external loopback testing, the port sends out a certain number of test packets, which are looped over the plug and back to the interface. If the interface fails to receive any test packet, the hardware of the interface is faulty.

Figure 3 External loopback testing

To enable Ethernet interface loopback testing:
1. Enter system view: system-view
2. Enter Ethernet interface view: interface interface-type interface-number
3. Perform loopback testing: loopback { external | internal }
   Required.

For the internal loopback test and external loopback test, if a port is down (port state shown as DOWN), only the internal loopback test is available on it; if the port is shut down (port state shown as ADM or Administratively DOWN), both the internal loopback test and the external loopback test are unavailable. The speed, duplex, mdi, and shutdown commands are not available during loopback testing. During loopback testing, the Ethernet interface operates in full duplex mode. When you disable loopback testing, the port returns to its configured duplex setting. Loopback testing is a one-time operation, and is not recorded in the configuration file.

Enabling auto power down on an Ethernet port

If auto power down is enabled, an Ethernet port automatically enters power save mode if it does not receive any packet for a certain period of time. The port resumes its normal state when a packet arrives.

To enable auto power down on an Ethernet port:
1. Enter system view: system-view
2. Enter Ethernet port view or port group view. Use either command:
   Enter Ethernet port view: interface interface-type interface-number
   Enter port group view: port-group manual port-group-name
   If configured in Ethernet port view, this feature takes effect on the current port only; if configured in port group view, this feature takes effect on all ports in the port group.
3. Enable auto power down on an Ethernet port: port auto-power-down
   Required. Disabled by default.

Configuring a port group

The device allows you to configure some functions on multiple interfaces at the same time by assigning the interfaces to a port group, as an alternative to configuring them on a per-interface basis. This is helpful when you have to configure a feature in the same way on multiple interfaces.

A port group is created manually, and the settings you configure on it apply to all group member interfaces. Note that even though the settings are made on the port group, they are saved on each interface, rather than on a port group basis. Therefore, you can only view the settings in the view of each interface, using the display current-configuration command or the display this command.

To configure a manual port group:
1. Enter system view: system-view
2. Create a manual port group and enter manual port group view: port-group manual port-group-name
   Required.
3. Add Ethernet interfaces to the manual port group: group-member interface-list
   Required.

Configuring traffic storm protection

A traffic storm occurs when a large amount of broadcast, multicast, or unicast packets congest a network. The S5120-EI switches provide two storm protection approaches:
  Storm suppression, which enables you to set a traffic threshold that limits the size of monitored traffic passing through an Ethernet port. The port discards all traffic that exceeds the threshold.
  Storm constrain, which enables you to shut down Ethernet ports or block traffic when monitored traffic exceeds the traffic threshold. Depending on your configuration, storm constrain can also enable a port to send trap or log messages when monitored traffic exceeds or drops below set traffic thresholds.

For a particular type of traffic, configure either storm suppression or storm constrain, but not both. If both of them are configured, you may fail to achieve the expected storm control effect.

Configuring storm suppression

You can use the storm suppression function to limit the size of a particular type of traffic (currently broadcast, multicast and unknown unicast traffic) on a per-port basis in Ethernet port view or port group view. In port or port group view, you set the maximum broadcast, multicast or unknown unicast traffic allowed to pass through a port or each port in a port group. When the broadcast, multicast, or unknown unicast traffic on the port exceeds the threshold, the system discards packets until the traffic drops below the threshold.

To set storm suppression ratios for one or multiple Ethernet interfaces:
1. Enter system view: system-view
2. Enter Ethernet interface view or port group view. Use either command:
   Enter Ethernet interface view: interface interface-type interface-number
   Enter port group view: port-group manual port-group-name
   If configured in Ethernet interface view, this feature takes effect on the current port only; if configured in port group view, this feature takes effect on all ports in the port group.
3. Set the broadcast storm suppression ratio: broadcast-suppression { ratio | pps max-pps | kbps max-bps }
   Optional. By default, all broadcast traffic is allowed to pass through an interface, that is, broadcast traffic is not suppressed.
4. Set the multicast storm suppression ratio: multicast-suppression { ratio | pps max-pps | kbps max-bps }
   Optional. By default, all multicast traffic is allowed to pass through an interface, that is, multicast traffic is not suppressed.
5. Set the unknown unicast storm suppression ratio: unicast-suppression { ratio | pps max-pps | kbps max-bps }
   Optional. By default, all unknown unicast traffic is allowed to pass through an interface, that is, unknown unicast traffic is not suppressed.

If you set storm suppression ratios for the interface in both Ethernet port view and port group view, the one configured last takes effect.

Configuring the storm constrain function on an Ethernet interface

The storm constrain function suppresses packet storms on an Ethernet network. With this function enabled on an interface, the system periodically detects the unicast, multicast, or broadcast traffic passing through the interface and takes action (that is, blocking or shutting down the interface and sending trap messages and logs) when the traffic detected exceeds the threshold.

Alternatively, you can configure the storm suppression function to control a specific type of traffic. As the storm suppression function and the storm constrain function are mutually exclusive, do not enable them at the same time on an Ethernet interface. For example, with a broadcast storm suppression ratio set on an Ethernet interface, do not enable the storm constrain function for broadcast traffic on the interface. Refer to Configuring storm suppression for information about the storm suppression function.

With the storm constrain function enabled on an Ethernet interface, you can specify the system to act as follows when the traffic detected exceeds the threshold:
  Blocking the interface. In this case, the interface is blocked, so it stops forwarding the traffic of this type until the traffic detected is lower than the threshold. Note that an interface blocked by the storm constrain function can still forward other types of traffic and monitor the blocked traffic.
  Shutting down the interface. In this case, the interface is shut down and stops forwarding all types of traffic. Interfaces shut down by the storm constrain function can only be brought up by using the undo shutdown command or disabling the storm constrain function.

To configure the storm constrain function on an Ethernet interface:
1. Enter system view: system-view
2. Set the interval for generating traffic statistics: storm-constrain interval seconds
   Optional. 10 seconds by default.
3. Enter Ethernet interface view: interface interface-type interface-number
4. Enable the storm constrain function and set the lower threshold and the upper threshold: storm-constrain { broadcast | multicast | unicast } pps max-pps-values min-pps-values
   Required. Disabled by default.

5. Set the action to be taken when the traffic exceeds the upper threshold: storm-constrain control { block | shutdown } (Optional; disabled by default)
6. Specify to send trap messages when the traffic detected exceeds the upper threshold or drops below the lower threshold from a point higher than the upper threshold: storm-constrain enable trap (Optional; by default, the system sends trap messages in both cases)
7. Specify to send log messages when the traffic detected exceeds the upper threshold or drops below the lower threshold from a point higher than the upper threshold: storm-constrain enable log (Optional; by default, the system sends log messages in both cases)

For network stability, configure the interval for generating traffic statistics to a value that is not shorter than the default.

After the storm constrain function is enabled, the device uses a complete statistical period (specified by the storm-constrain interval command) to collect traffic data, and analyzes the collected data during the following period. Therefore, if you enable the storm constrain function while a packet storm is present, it normally takes longer than one statistics period for a control action to occur; however, the action is taken within two periods.

The storm constrain function is applicable to unicast, multicast and broadcast packets. You can specify the upper and lower thresholds for any of the three types of packets.

Setting the statistics polling interval on an Ethernet interface

You can use the reset counters interface command to clear interface statistics.

To set the statistics polling interval on an Ethernet interface:
1. Enter system view: system-view
2. Enter Ethernet interface view: interface interface-type interface-number
3. Set the statistics polling interval on the Ethernet interface: flow-interval interval (Optional; the default interface statistics polling interval is 300 seconds)
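The storm constrain behaviour described in the previous section (upper/lower pps thresholds, the block/shutdown action, trap and log notification, and the one-period collection delay) as an added illustration that is not H3C code. It is fed constructed per-interval packet counts; the recovery rules (a blocked port is released once traffic falls below the lower threshold, a shut-down port stays down) are assumptions marked in the code.

```python
# Added illustration of the storm-constrain logic described above; constructed
# counters, not H3C firmware code.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class StormConstrain:
    traffic: str                    # "broadcast", "multicast" or "unicast"
    max_pps: int                    # upper threshold (max-pps-values)
    min_pps: int                    # lower threshold (min-pps-values)
    interval: int = 10              # storm-constrain interval, 10 seconds by default
    control: Optional[str] = None   # storm-constrain control: None, "block" or "shutdown"
    trap: bool = True               # storm-constrain enable trap (on by default)
    log: bool = True                # storm-constrain enable log (on by default)
    suppressed: bool = False        # traffic crossed max_pps and has not fallen below min_pps
    pending: Optional[int] = None   # packet count of the last completed interval
    events: List[Tuple[str, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.min_pps > self.max_pps:
            raise ValueError("lower threshold must not exceed upper threshold")

    def _notify(self, text: str) -> None:
        # Trap and log are independent; both are on unless disabled.
        if self.trap:
            self.events.append(("trap", text))
        if self.log:
            self.events.append(("log", text))

    def period_end(self, packets: int) -> str:
        """Feed the packet count of one completed statistics interval.

        The count is only stored; the data is analyzed during the following
        interval, so a control action takes more than one period but at most
        two.  Returns the action taken at this point.
        """
        previous, self.pending = self.pending, packets
        if previous is None:
            return "collecting"
        if self.suppressed and self.control == "shutdown":
            return "shutdown"           # assumption: a shut-down port stays down
        pps = previous / self.interval
        if not self.suppressed and pps > self.max_pps:
            self.suppressed = True
            self._notify(f"{self.traffic} {pps:.0f} pps exceeds upper threshold {self.max_pps}")
            return self.control or "notify"
        if self.suppressed and pps < self.min_pps:
            self.suppressed = False
            self._notify(f"{self.traffic} {pps:.0f} pps fell below lower threshold {self.min_pps}")
            # assumption: a blocked port is released once traffic drops below min_pps
            return "unblock" if self.control == "block" else "notify"
        return "none"


def demo() -> List[str]:
    # Constructed sample: broadcast packets per 10-second interval on one port
    # with thresholds 1000/200 pps and the block action.
    sc = StormConstrain("broadcast", max_pps=1000, min_pps=200, control="block")
    return [sc.period_end(n) for n in (500, 50_000, 50_000, 8_000, 1_000, 1_000)]
```

In the sample the storm begins in the second interval and the block lands at the end of the third, that is, within two periods as the text states.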

Enabling forwarding of jumbo frames

Due to the tremendous amount of traffic occurring on an Ethernet interface, it is likely that some frames greater than the standard Ethernet frame size are received. Such frames (called jumbo frames) will be dropped. With forwarding of jumbo frames enabled, the system does not drop all jumbo frames. Instead, it continues to process jumbo frames with a size greater than the standard Ethernet frame size and yet within the specified parameter range. In global configuration mode (system view), you can set the length of jumbo frames that can pass through the Ethernet port.

To enable the forwarding of jumbo frames:
1. Enter system view: system-view
2. Enable the forwarding of jumbo frames: jumboframe enable (Optional; by default, the device allows jumbo frames with a length of 10240 bytes to pass through all Layer 2 Ethernet ports)

Enabling loopback detection on an Ethernet interface

If an interface receives a packet that it sent out, a loop occurs. Loops may cause broadcast storms. The purpose of loopback detection is to detect loops on an interface. If loopback detection is enabled on an Ethernet port, the device periodically checks for loops on the interface. If a loop is detected on the interface, the device operates on the port according to the preconfigured loopback detection actions, and sends a trap message to the terminal.

When a loop is detected on an access port, the device puts the port in control mode. In this mode, all inbound packets on the port are discarded, while outbound packets on the port are forwarded normally. Meanwhile, the device sends trap messages to the terminal, and deletes the corresponding MAC address forwarding entry.

When a loop is detected on a trunk port or a hybrid port, the device sends a trap message to the terminal. If loopback detection control is enabled on the port, the device places the port in control mode and discards all inbound packets on the port while normally forwarding outbound packets on it. Meanwhile, the device sends trap messages to the terminal, and deletes the corresponding MAC address forwarding entry.

To configure loopback detection:
1. Enter system view: system-view
2. Enable global loopback detection: loopback-detection enable (Required; disabled by default)

3. Configure the interval for port loopback detection: loopback-detection interval-time time (Optional; 30 seconds by default)
4. Enter Ethernet interface view: interface interface-type interface-number
5. Enable loopback detection on a port: loopback-detection enable (Required; disabled by default)
6. Enable loopback detection control on a trunk port or a hybrid port: loopback-detection control enable (Optional)
7. Enable loopback detection in all the VLANs permitted on the trunk or hybrid port: loopback-detection per-vlan enable (Optional; by default, enabled only in the default VLAN(s) of trunk or hybrid ports)

Loopback detection on a given port is enabled only after the loopback-detection enable command has been configured in both system view and the interface view of the port. Using the undo loopback-detection enable command in system view disables loopback detection on all ports.

Configuring the MDI mode for an Ethernet interface

Optical interfaces of SFP ports do not support this function.

Two types of Ethernet cables can be used to connect Ethernet devices: crossover cable and straight-through cable. To accommodate these two types of cables, an Ethernet interface on a device can operate in one of the following three MDI modes:
- Across mode
- Normal mode
- Auto mode

An Ethernet interface is composed of eight pins. By default, each pin has its particular role. For example, pin 1 and pin 2 are used for transmitting signals; pin 3 and pin 6 are used for receiving signals. You can change the pin roles by setting the MDI mode. For an Ethernet interface in normal mode, the pin roles are not changed. For an Ethernet interface in across mode, pin 1 and pin 2 are used for receiving signals; pin 3 and pin 6 are used for transmitting signals. To enable normal communication, you should connect the local transmit pins to the remote receive pins. Therefore, you should configure the MDI mode depending on the cable type.

Normally, H3C recommends using auto mode. The other two modes are useful only when the device cannot determine the cable type. When straight-through cables are used, the local MDI mode must be different from the remote MDI mode. When crossover cables are used, the local MDI mode must be the same as the remote MDI mode, or the MDI mode of at least one end must be set to auto.

To configure the MDI mode for an Ethernet interface:
1. Enter system view: system-view
2. Enter Ethernet interface view: interface interface-type interface-number
3. Configure the MDI mode for the Ethernet interface: mdi { across | auto | normal } (Optional; defaults to auto, that is, the Ethernet interface determines the physical pin roles (transmit or receive) through negotiation)

Enabling bridging on an Ethernet port

After an Ethernet port receives a data packet, it looks in the MAC address table of the device for an entry that contains the destination MAC address of the packet. If such an entry exists but the egress interface in the entry is the receiving interface itself, the device discards this packet. However, if bridging is enabled on the receiving interface, the device does not discard the packet. Instead, it sends the packet out the receiving interface.

To enable bridging on an Ethernet port:
1. Enter system view: system-view
2. Enter Ethernet port view: interface interface-type interface-number
3. Enable bridging on the Ethernet port: port bridge enable (Required; disabled by default)

Testing the cable on an Ethernet interface

Optical interfaces of SFP ports do not support this feature.

A link in the up state goes down and then up automatically if you perform the operation described in this section on one of the Ethernet interfaces forming the link.

To test the current operating state of the cable connected to an Ethernet interface:
1. Enter system view: system-view
2. Enter Ethernet interface view: interface interface-type interface-number
3. Test the cable connected to the Ethernet interface once: virtual-cable-test (Required)

Displaying and maintaining an Ethernet interface

- Display the current state of an interface and the related information: display interface [ interface-type [ interface-number ] ] (available in any view)
- Display the summary of an interface: display brief interface [ interface-type [ interface-number ] ] [ | { begin | exclude | include } regular-expression ] (available in any view)
- Clear the statistics of an interface: reset counters interface [ interface-type [ interface-number ] ] (available in user view)
- Display the information about a manual port group or all the port groups: display port-group manual [ all | name port-group-name ] (available in any view)
- Display the information about the loopback detection function: display loopback-detection (available in any view)
- Display the information about storm constrain: display storm-constrain [ broadcast | multicast | unicast ] [ interface interface-type interface-number ] (available in any view)

Loopback interface and null interface configuration

Loopback interface

Introduction to loopback interface

A loopback interface is a software-only virtual interface. It delivers the following benefits:
- The physical layer state and link layer protocols of a loopback interface are always up unless the loopback interface is manually shut down.
- You can assign a loopback interface an IP address with an all-F mask, thus saving IP address resources. When you assign an IPv4 address whose mask is not 32-bit, the system automatically changes the mask into a 32-bit mask. When you assign an IPv6 address whose mask is not 128-bit, the system automatically changes the mask into a 128-bit mask.
- You can enable routing protocols on a loopback interface, and a loopback interface can send and receive routing protocol packets.

Because of the benefits mentioned above, loopback interfaces are widely used in the following scenarios:
- You can configure a loopback interface address as the source address of the IP packets that the device generates. Because loopback interface addresses are stable unicast addresses, they are usually used as device identifiers. Therefore, when you configure a rule on an authentication or security server to permit or deny packets generated by a device, you can streamline the rule by configuring it to permit or deny packets carrying the loopback interface address identifying the device. Note that when you use a loopback interface address as the source address of IP packets, make sure that the route from the loopback interface to the peer is reachable by performing routing configuration. All data packets sent to the loopback interface are considered packets sent to the device itself, so the device does not forward these packets.
- Because a loopback interface is always up, it can be used in dynamic routing protocols. For example, if no router ID is configured for a dynamic routing protocol, the highest loopback interface IP address is selected as the router ID.

Configuring a loopback interface

Follow these steps to configure a loopback interface:
1. Enter system view: system-view
2. Create a loopback interface and enter loopback interface view: interface loopback interface-number
3. Set a description for the loopback interface: description text (Optional; by default, the description of an interface is the interface name followed by the "Interface" string)
4. Shut down the loopback interface: shutdown (Optional; a loopback interface is up on being created)

Parameters such as IP addresses and IP routes can be configured on loopback interfaces. Refer to the Layer 3 - IP Services Configuration Guide for detailed configurations.

Null interface

Introduction to null interface

A null interface is a completely software-based logical interface. A null interface is always up. However, you can neither use it to forward data packets, nor configure an IP address or link layer protocol on it. With a null interface specified as the next hop of a static route to a specific network segment, any packets routed to the network segment are dropped. The null interface provides a simpler way to filter packets than an ACL. That is, you can filter uninteresting traffic by routing it to a null interface instead of applying an ACL. For example, by executing the ip route-static 92.101.0.0 255.255.0.0 null 0 command (which configures a static route leading to null interface 0), you can have all the packets destined for the network segment 92.101.0.0/16 discarded.

Currently, only one null interface, Null 0, is supported on your device. You can neither remove this null interface nor create a new one.

Configuring null 0 interface

To enter null interface view:
1. Enter system view: system-view
2. Enter null interface view: interface null 0 (Required; the Null 0 interface is the default null interface on your device and cannot be manually created or removed)
3. Set a description for the null interface: description text (Optional; by default, the description of an interface is the interface name followed by the "Interface" string)

Displaying and maintaining loopback and null interfaces

- Display information about loopback interfaces: display interface loopback [ interface-number ] (available in any view)
- Display information about the null interface: display interface null [ 0 ] (available in any view)
- Clear the statistics on a loopback interface or the null interface: reset counters interface [ interface-type [ interface-number ] ] (available in user view)

MAC address table configuration

Currently, interfaces involved in MAC address table configuration can only be Layer 2 Ethernet ports and Layer 2 aggregate interfaces.

Introduction to MAC address table

Each entry in a MAC address table includes the MAC address of a connected device, the ID of the interface to which this device is connected, and the ID of the VLAN to which the interface belongs. When forwarding a frame, the device looks up the destination MAC address of the frame in the MAC address table to quickly determine the egress port. If the outgoing port is found, the frame is forwarded rather than broadcast. This reduces broadcasts.

How a MAC address table entry is generated

A MAC address table entry can be dynamically learned or manually configured.

Dynamically learned MAC address table entry

Usually, MAC address tables are automatically generated through the source MAC address learning process of devices. The MAC address learning process starts when a device receives a frame from a port. For example, having received a frame from Port 1 with the source MAC address MAC-SOURCE, the device will:
1. Check the source MAC address of the frame, that is, the MAC address of the device that sent the frame: in this example, MAC-SOURCE.
2. Look for address MAC-SOURCE in the MAC address table, and do the following:
   - If an entry is found for MAC-SOURCE, update the entry, which restarts the aging timer.
   - If no entry is found, add an entry for the address MAC-SOURCE, indicating that it is connected to Port 1, the port from which the frame was received.
3. Now when receiving a frame destined for MAC-SOURCE, the device will forward the frame out Port 1 based on the information in the MAC-SOURCE entry in the MAC address table.

To adapt to network changes, MAC address table entries need to be constantly updated. Each dynamically learned MAC address table entry has a life period, that is, an aging timer. Each time an entry is updated, the aging timer is reset. If the aging timer expires before the entry is updated, the entry is deleted (ages out).

Manually configured MAC address table entry

When a device dynamically learns MAC address table entries through source MAC address learning, it cannot tell frames of legitimate users from those of attackers, which raises potential security risks. For example, if an attacker forges the MAC address of a legitimate user and uses it as the source MAC address of attack frames while accessing the device from a different port than that used by the legitimate user, the device will learn a forged MAC address entry and forward frames destined for the legitimate user to the attacker instead.

To enhance the security of a port, you can bind specific user devices to the port by manually adding MAC address entries into the MAC address table of the device. This prevents attackers from stealing data using forged MAC addresses. Manually configured MAC address table entries have a higher priority than dynamically learned ones.

Types of MAC address table entries

A MAC address table may contain the following types of entries:
- Static entries, which are manually configured and never age out.
- Dynamic entries, which can be manually configured or dynamically learned and can age out.
- Blackhole entries, which are manually configured and never age out. Blackhole entries are configured to filter frames with specific destination MAC addresses. For example, to block all packets destined for a specific user for security concerns, you can configure the MAC address of this user as a blackhole destination MAC address entry.

Dynamically learned MAC addresses cannot overwrite static or blackhole MAC address entries, but static and blackhole MAC addresses can overwrite dynamically learned MAC addresses.

MAC address table-based frame forwarding

When forwarding a frame, the device adopts one of the following two forwarding modes based on the MAC address table:
- Unicast mode: If an entry is available for the destination MAC address, the device forwards the frame out the outgoing interface indicated by the MAC address table entry.
- Broadcast mode: If the device receives a frame with the destination address being all ones, or no entry is available for the destination MAC address, the device broadcasts the frame to all the interfaces except the receiving interface.

Figure 4 Forward frames using the MAC address table

Configuring MAC address table

The following configuration tasks are all optional and order independent. You can perform them as needed in any order.

Configuring MAC address table entries

To improve port security, you can manually add MAC address entries to the MAC address table to bind ports with MAC addresses, fending off MAC address spoofing attacks. In addition, you can configure blackhole MAC address entries to filter out packets with certain source or destination MAC addresses.

Making changes in system view

To add, modify, or remove entries in the MAC address table globally:
1. Enter system view: system-view
2. Add/modify a MAC address entry: mac-address blackhole mac-address vlan vlan-id, or mac-address { dynamic | static } mac-address interface interface-type interface-number vlan vlan-id (Required)

When using the mac-address command to add a MAC address entry, the interface specified by the interface keyword must belong to the VLAN specified by the vlan keyword, and the VLAN must already exist. Otherwise, you will fail to add this MAC address entry.

Making changes in interface view

To add, modify, or remove entries in the MAC address table on an interface:
1. Enter system view: system-view
2. Enter interface view: interface interface-type interface-number
3. Add/modify MAC address entries under the specified interface view: mac-address { dynamic | static } mac-address vlan vlan-id (Required)

When using the mac-address command to add a MAC address entry, the current interface must belong to the VLAN specified by the vlan keyword, and the VLAN must already exist. Otherwise, you will fail to add this MAC address entry.

Configuring the aging timer for dynamic MAC address entries

The MAC address table on your device has an aging mechanism for dynamic entries to prevent its resources from being exhausted and to ensure that the address table is updated. Set the aging timer appropriately: an aging interval that is too long may cause the MAC address table to retain outdated entries and fail to accommodate the latest network changes; an aging interval that is too short may result in removal of valid entries, causing unnecessary broadcasts, which may affect device performance.

However, in a stable network, when there has been no traffic activity for a long time, all the dynamic entries in the MAC address table maintained by the device will be deleted. When this happens, the device broadcasts a large quantity of data packets, which may be listened to by unwanted users, resulting in security hazards. To avoid this, you can configure mac-address timer no-aging for dynamic MAC address entries, that is, not to age out dynamic MAC address entries, thus reducing broadcasts and ensuring the stability and security of the network.

To configure the aging timer for dynamic MAC address entries:
1. Enter system view: system-view
2. Configure the aging timer for dynamic MAC address entries: mac-address timer { aging seconds | no-aging } (Optional; 300 seconds by default)

The aging timer for dynamic MAC address entries takes effect globally and only on dynamic MAC address entries (learned or administratively configured).

Configuring the MAC learning limit

To prevent a MAC address table from getting so large that it degrades forwarding performance, you can restrict the number of MAC addresses that can be learned on a per-port or port-group basis.

To configure the MAC learning limit on an Ethernet port, Layer 2 aggregate interface, or the Ethernet ports in a port group:
1. Enter system view: system-view
2. Enter Ethernet interface view, port group view, or Layer 2 aggregate interface view, using any of these three commands:
   - Enter Ethernet interface view: interface interface-type interface-number
   - Enter port group view: port-group manual port-group-name
   - Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number
   The configuration you make in Ethernet interface view or Layer 2 aggregate interface view takes effect on the current interface only; the configuration you make in port group view takes effect on all the member ports in the port group.
3. Configure the MAC learning limit on the Ethernet port, Layer 2 aggregate interface or port group, and configure whether frames with unknown source MAC addresses can be forwarded when the MAC learning limit is reached: mac-address max-mac-count { count | disable-forwarding } (Required; by default, no maximum number of learnable MAC addresses is configured, and when the MAC learning limit is reached, frames with unknown source MAC addresses are forwarded)

Displaying and maintaining MAC address table

- Display MAC address table information: display mac-address [ mac-address [ vlan vlan-id ] | [ dynamic | static ] [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] ] (available in any view)
- Display the aging timer for dynamic MAC address entries: display mac-address aging-time (available in any view)
- Display MAC address statistics: display mac-address statistics (available in any view)
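The MAC address table behaviour described above (source learning with the aging timer, static and blackhole entries that dynamic learning cannot overwrite, the per-port learning limit with disable-forwarding, port bridging, and unicast versus broadcast forwarding) as an added software model that is not H3C code. Port names, VLAN membership and the frames in demo() are constructed; the static and blackhole addresses are the ones used in the configuration example that follows.

```python
# Added model of the MAC address table described above; constructed data, not H3C code.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

BROADCAST = "ffff-ffff-ffff"


@dataclass
class Entry:
    port: Optional[str]   # None for blackhole entries (PORT INDEX N/A)
    kind: str             # "static", "dynamic" or "blackhole"
    updated: float        # time of last update; only dynamic entries age

class MacTable:
    def __init__(self, vlan_ports: Dict[int, Set[str]], aging: Optional[int] = 300):
        self.vlan_ports = vlan_ports            # VLAN ID -> member ports
        self.aging = aging                      # mac-address timer aging; None = no-aging
        self.table: Dict[Tuple[str, int], Entry] = {}
        self.max_count: Dict[str, int] = {}     # mac-address max-mac-count per port
        self.disable_fwd: Set[str] = set()      # ports configured with disable-forwarding
        self.bridge: Set[str] = set()           # ports configured with port bridge enable

    def add_static(self, mac: str, vlan: int, port: str) -> None:
        # The interface must belong to the VLAN, and the VLAN must already exist.
        if port not in self.vlan_ports.get(vlan, set()):
            raise ValueError(f"{port} is not in VLAN {vlan}")
        self.table[(mac, vlan)] = Entry(port, "static", 0.0)  # overwrites a dynamic entry

    def add_blackhole(self, mac: str, vlan: int) -> None:
        self.table[(mac, vlan)] = Entry(None, "blackhole", 0.0)

    def learn(self, port: str, vlan: int, src: str, now: float) -> bool:
        # Returns False only when the learning limit is reached with disable-forwarding.
        entry = self.table.get((src, vlan))
        if entry is not None:
            if entry.kind == "dynamic":          # refresh the port and restart the timer
                entry.port, entry.updated = port, now
            return True                          # static/blackhole are never overwritten
        limit = self.max_count.get(port)
        learned = sum(e.kind == "dynamic" and e.port == port for e in self.table.values())
        if limit is not None and learned >= limit:
            return port not in self.disable_fwd
        self.table[(src, vlan)] = Entry(port, "dynamic", now)
        return True

    def forward(self, port: str, vlan: int, src: str, dst: str, now: float) -> List[str]:
        """Egress port list for one frame received on `port`; [] means dropped."""
        if self.aging is not None:               # expire aged dynamic entries first
            self.table = {k: e for k, e in self.table.items()
                          if e.kind != "dynamic" or now - e.updated < self.aging}
        if not self.learn(port, vlan, src, now):
            return []
        entry = self.table.get((dst, vlan))
        if dst == BROADCAST or entry is None:    # broadcast mode: flood except ingress
            return sorted(self.vlan_ports[vlan] - {port})
        if entry.kind == "blackhole":
            return []
        if entry.port == port:                   # egress is the receiving port itself
            return [port] if port in self.bridge else []
        return [entry.port]                      # unicast mode

def demo() -> Dict[str, List[str]]:
    # Constructed topology: VLAN 1 with three ports, host 000f-e235-dc71 bound
    # statically to GE1/0/1, aging 500 s, learning limit 1 on GE1/0/3.
    t = MacTable({1: {"GE1/0/1", "GE1/0/2", "GE1/0/3"}}, aging=500)
    t.add_static("000f-e235-dc71", 1, "GE1/0/1")
    t.add_blackhole("000f-e235-abcd", 1)
    t.max_count["GE1/0/3"], t.disable_fwd = 1, {"GE1/0/3"}
    return {
        "unknown_dst": t.forward("GE1/0/2", 1, "0000-0000-0002", "0000-0000-0009", 0),
        "spoof": t.forward("GE1/0/3", 1, "000f-e235-dc71", "0000-0000-0002", 1),
        "to_bound_host": t.forward("GE1/0/2", 1, "0000-0000-0002", "000f-e235-dc71", 2),
        "blackhole": t.forward("GE1/0/2", 1, "0000-0000-0002", "000f-e235-abcd", 3),
        "within_limit": t.forward("GE1/0/3", 1, "0000-0000-0003", "000f-e235-dc71", 4),
        "over_limit": t.forward("GE1/0/3", 1, "0000-0000-0004", "000f-e235-dc71", 5),
        "aged_out": t.forward("GE1/0/1", 1, "000f-e235-dc71", "0000-0000-0002", 600),
    }
```

The "spoof" frame carries the bound host's address from a different port: the frame itself is forwarded, but the static entry is not overwritten, so the following frame to the bound host still goes out GE1/0/1.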

MAC address table configuration example

Network requirements

- A host with MAC address 000f-e235-dc71, belonging to VLAN 1, is connected to GigabitEthernet1/0/1 of the device. To prevent MAC address spoofing, add a static entry into the MAC address table of the device for the host.
- Another host with MAC address 000f-e235-abcd belongs to VLAN 1. For security's sake, add a destination blackhole MAC address entry on the device to prevent the host from receiving packets.
- Set the aging timer for dynamic MAC address entries to 500 seconds.

Configuration procedure

Add a static MAC address entry.
<Sysname> system-view
[Sysname] mac-address static 000f-e235-dc71 interface gigabitethernet1/0/1 vlan 1

Add a destination blackhole MAC address entry.
[Sysname] mac-address blackhole 000f-e235-abcd vlan 1

Set the aging timer for dynamic MAC address entries to 500 seconds.
[Sysname] mac-address timer aging 500

Display the MAC address entry for port GigabitEthernet1/0/1.
[Sysname] display mac-address interface gigabitethernet1/0/1
MAC ADDR         VLAN ID   STATE           PORT INDEX               AGING TIME
000f-e235-dc71   1         Config static   GigabitEthernet1/0/1     NOAGED
--- 1 mac address(es) found ---

Display information about the destination blackhole MAC address table.
[Sysname] display mac-address blackhole
MAC ADDR         VLAN ID   STATE           PORT INDEX               AGING TIME
000f-e235-abcd   1         Blackhole       N/A                      NOAGED
--- 1 mac address(es) found ---

View the aging time of dynamic MAC address entries.
[Sysname] display mac-address aging-time
Mac address aging time: 500s