Contents

1 FAQ

1.1 Hardware

1.1.1 How Do I View the Transmit and Receive Optical Power of an Optical Module?

1.1.1.1 Fixed or Modular Switch V100R006C03 or V100R006C05

1.1.1.2 Fixed Switch V200R001

1.1.1.3 Modular Switch V200R001

1.1.1.4 Fixed Switch V200R002&V200R003

1.1.1.5 Modular Switch V200R002&V200R003

1.1.2 How Do I Identify Combo Interfaces of a Switch?

1.1.3 Why Are Only Two Optical Interfaces Displayed After a 4-Port Front Subcard Is Installed in an S5700?

1.1.4 When and How Should a Surge Protector Be Used on a Fixed Switch?

1.1.5 What Are Similarities and Differences Between the Console and Mini USB Interfaces?

1.1.6 Are Subcards of Fixed Switches Hot Swappable?

1.1.7 Can AC and DC Power Supplies Be Installed on the Same Switch?

1.1.8 Can a 10GE Optical Interface Use a GE Optical Module?

1.1.9 Can a GE Optical Interface Use a 100M Optical Module?

1.1.10 Can a GE Optical Interface Use a 10GE Optical Module?

1.1.11 Which Product Models Support Copper Transceiver Modules?

1.1.12 Can a GE Optical Interface Be Manually Configured as a 100M Interface to Work with Another 100M Optical Interface?

1.1.13 Can Two GE Interfaces Be Connected Using a 100M Network Cable?

1.2 DHCP

1.2.1 What are functions of DHCP?

1.2.2 How Do I Configure a DHCP Server?

1.2.3 How Do I Configure the DHCP Relay Agent?

1.2.4 How Do I Configure DHCP Snooping?

1.2.5 How Do I Maintain DHCP?

1.2.6 How Can I Use the Extended DHCP Functions?

1.2.7 How Does a Switch Support DHCP?

1.3 PoE

1.3.1 How Much Power Does a PoE Power Module Provide?

1.3.2 Which Switch Models Support the PoE Function?

1.3.3 Why Can't a PoE Card Be Registered?

1.4 NAT

1.4.1 Do Huawei Switches Support NAT?

1.4.2 How Do I Configure Outbound NAT to Enable Private Network Users to Access the Internet?

1.4.3 How Do I Configure a NAT Server to Enable Internet Users to Access Private Servers?

1.5 Web System

1.5.1 What Web-based Management Features Do Switches (Excluding the S1700) Support?

1.5.2 What Web-based Management Features Does S1700 V100R006 Support?

1.5.3 What Web-based Management Features Does S1700 V100R007 Support?

1.5.4 How Do I Obtain a Web File and Configure the Web System?

1.5.5 What Rights Do Web Management Accounts Have?

1.6 NAC

1.6.1 What Is the Difference Between 802.1x and DOT1x?

1.6.2 Must a Shared Key Be Configured for Portal Authentication?

1.6.3 Why Does a User Go Offline 10 Seconds After Passing 802.1x Authentication?

1.6.4 Why Does 802.1x or MAC Address Authentication Not Take Effect After Being Enabled and the Configuration Is Displayed in the Configuration File?

1.6.5 From Which VLAN Do DHCP Users Connected to a Switch Interface Obtain IP Addresses If MAC Address Authentication Is Enabled and a Guest VLAN Is Configured on the Interface?

1.7 Loop Detection

1.7.1 Which Switch Models Support Loop Detection?

1.7.2 How Do I Configure Single-Interface Loop Detection?

1.7.3 How Do I Configure Multi-Interface Loop Detection?

1.7.4 What Is the Default Interval for Sending LBDT Packets on an Interface?

1.7.5 How Do I Differentiate LBDT Packets Sent by Different Interfaces?

1.8 How Do I Configure a Static Binding Entry (user-bind static) for IPSG?

1.9 VLAN

1.9.1 How Do I Change the Link Type of an Interface?

1.9.2 Which VLAN Assignment Methods Do S Series Switches Support?

1.9.3 The Link Type of an Interface Cannot Be Changed from Hybrid to Access. How Is This Problem Solved?

1.9.4 Why Is the VLAN Priority Configured on the S5700 Invalid?

1.10 Password

1.10.1 Which Default Passwords Are Used on S Series Switches?

1.10.2 How Can I Delete a Console Login Password?

1.11 Eth-Trunk

1.11.1 What Is Eth-Trunk?

1.11.2 What Are the Types of Eth-Trunk Load Balancing?

1.11.3 What Are the Types of Eth-Trunks?

1.11.4 How Long Is the LACP Timeout Period?

1.11.5 How Do I Check Interface Negotiation Information When the Eth-Trunk Is Working in LACP Mode?

1.11.6 Which Measures Can Be Taken to Fix an Eth-Trunk Unidirectional Communication Fault?

1.12 How Do I Restore the Factory Settings on the CLI?

1.13 Using the display elabel Command to Obtain the Serial Number

1.13.1 How Do I Obtain the Serial Number of a Fixed Switch?

1.13.2 How Do I Obtain the Serial Number of a Modular Switch?

1.14 Software and Hardware Requirements for Stacks

1.14.1 What Are the Software and Hardware Requirements for Stack Card Stacking?

1.14.2 What Are the Software and Hardware Requirements for Service Port Stacking?

1.15 CSS Software and Hardware Requirements

1.15.1 What Are the Software and Hardware Requirements for CSS Card Clustering?

1.15.2 What Are the Software and Hardware Requirements for Service Port Clustering?

1.16 Rate Limiting

1.16.1 How Do I Configure Port Rate Limiting on a Modular Switch?

1.16.2 Can Rate Limiting Be Configured for an Eth-Trunk on a Modular Switch and How Does the Configuration Take Effect?

1.16.3 How Do I Configure Rate Limiting?

1.16.4 Why Cannot Traffic Rates Be Limited Accurately After CAR Is Configured?

1.16.5 How Do I Configure Aggregated CAR on the S7700 and S9700?

1.17 Port Isolation

1.17.1 In What Scenarios Can Port Isolation Be Used?

1.17.2 How Do I Configure Port Isolation?

1.17.3 What Precautions Should Be Taken to Configure Port Isolation?

1.18 Layer 2 Transparent Transmission

1.18.1 Can a Switch Transparently Transmit BPDUs?

1.19 Basic Configuration

1.19.1 How Do I Delete Files from the Recycle Bin?

1.19.2 How Do I Increase a Command Level?

1.19.3 What Are the Differences Between the Tracert Functions of a Network Device and a PC?

1.20 Interface Management

1.20.1 Can a GE Optical Module Be Installed on a 10GE Optical Port of S6700?

1.20.2 How Do I Restore the Default Configurations on an Interface?

1.20.3 Why Do Two GE Interfaces with Auto-Negotiation Enabled Work at 100 Mbit/s?

1.20.4 How Do I Configure Edge Ports for Fixed Switches in a Batch?

1.20.5 Why Can't Connected Optical Ports Go Up After Single-Fiber Bidirectional Optical Modules Are Used?

1.21 MIB

1.21.1 Which MIB Objects Correspond to CPU Usage and Entity Memory Usage?

1.22 Information Center

1.22.1 How Can I Hide Console Port Information?

1.23 MAC

1.23.1 What Is the Purpose of the Function of ARP Update upon MAC Entry Changes?

1.23.2 Does a Switch Support MAC Address Flapping Detection?

1 FAQ

1.1 Hardware

1.1.1 How Do I View the Transmit and Receive Optical Power of an Optical Module?

Run the display transceiver verbose command.

1.1.1.1 Fixed or Modular Switch V100R006C03 or V100R006C05

The RX Power(dBM) field in the command output indicates the receive power of the optical module, and the TX Power(dBM) field indicates the transmit power.
<Quidway> display transceiver interface gigabitethernet 0/0/1 verbose
GigabitEthernet0/0/1 transceiver information:                                   
-------------------------------------------------------------
Common information:
  Transceiver Type               :1000_BASE_SX_SFP
  Connector Type                 :LC
  Wavelength(nm)                 :850
  Transfer Distance(m)           :300(50um),150(62.5um)
  Digital Diagnostic Monitoring  :YES
  Vendor Name                    :SumitomoElectric
  Vendor Part Number             :HFBR-5710L 
  Ordering Name                  :
-------------------------------------------------------------
Manufacture information:
  Manu. Serial Number            :88K056C10353
  Manufacturing Date             :2008-08-08
  Vendor Name                    :SumitomoElectric
-------------------------------------------------------------
Diagnostic information: //The diagnostic information is displayed only in V100R006C03.
  Temperature(°C)              :26.00
  Temp High Threshold(°C)      :85.00
  Temp Low  Threshold(°C)      :-40.00
  Voltage(V)                    :3.29
  Volt High Threshold(V)        :3.64
  Volt Low  Threshold(V)        :2.95
  Bias Current(mA)              :4.57
  Bias High Threshold(mA)       :9.00
  Bias Low  Threshold(mA)       :2.00
  RX Power(dBM)                 :-40.00
  RX Power High Threshold(dBM)  :0.00
  RX Power Low  Threshold(dBM)  :-16.99
  TX Power(dBM)                 :-5.03
  TX Power High Threshold(dBM)  :-2.22
  TX Power Low  Threshold(dBM)  :-6.99
------------------------------------------------------------- 
User information:
  THIS_IS_A_TEST
-------------------------------------------------------------
Diagnostic information:
  Temperature(°C)                      :40.21
  Temp High Warning Threshold(°C)      :93.00
  Temp Low  Warning Threshold(°C)      :-30.00
  Temp High Alarm   Threshold(°C)      :110.00
  Temp Low  Alarm   Threshold(°C)      :-40.00

  Voltage(V)                            :3.26
  Volt High Warning Threshold(V)        :3.70
  Volt Low  Warning Threshold(V)        :2.90
  Volt High Alarm   Threshold(V)        :3.90
  Volt Low  Alarm   Threshold(V)        :2.70

  Bias Current(mA)                      :23.78
  Bias High Warning Threshold(mA)       :70.00
  Bias Low  Warning Threshold(mA)       :4.00
  Bias High Alarm   Threshold(mA)       :80.00
  Bias Low  Alarm   Threshold(mA)       :2.00

  RX Power(dBM)                         :-31.10
  RX Power High Warning Threshold(dBM)  :-1.00
  RX Power Low  Warning Threshold(dBM)  :-20.00
  RX Power High Alarm   Threshold(dBM)  :0.75
  RX Power Low  Alarm   Threshold(dBM)  :-23.97

  TX Power(dBM)                         :-5.78
  TX Power High Warning Threshold(dBM)  :-1.00
  TX Power Low  Warning Threshold(dBM)  :-11.50
  TX Power High Alarm   Threshold(dBM)  :0.99
  TX Power Low  Alarm   Threshold(dBM)  :-13.50
-------------------------------------------------------------

1.1.1.2 Fixed Switch V200R001

The RX Power(dBM) field in the command output indicates the receive power of the optical module, and the TX Power(dBM) field indicates the transmit power.
<Quidway> display transceiver interface gigabitethernet 0/0/1 verbose
Gigabitethernet0/0/1 transceiver information:

-------------------------------------------------------------
Common information:
  Transceiver Type               :OC3_INTER_REACH_SFP
  Connector Type                 :LC
  Wavelength(nm)                 :1310
  Transfer Distance(m)           :15000(9um)
  Digital Diagnostic Monitoring  :YES
  Vendor Name                    :HUAWEI
  Vendor Part Number             :34060358
  Ordering Name                  : 
-------------------------------------------------------------
Manufacture information:
  Manu. Serial Number            :EH1048220807
  Manufacturing Date             :2010-12-06
  Vendor Name                    :HUAWEI
-------------------------------------------------------------
Alarm information:
  RX loss of signal
  RX power low
-------------------------------------------------------------
Diagnostic information:
  Temperature(°C)              :26.00
  Temp High Threshold(°C)      :85.00
  Temp Low  Threshold(°C)      :-40.00
  Voltage(V)                    :3.29
  Volt High Threshold(V)        :3.64
  Volt Low  Threshold(V)        :2.95
  Bias Current(mA)              :4.57
  Bias High Threshold(mA)       :9.00
  Bias Low  Threshold(mA)       :2.00
  RX Power(dBM)                 :-40.00
  RX Power High Threshold(dBM)  :0.00
  RX Power Low  Threshold(dBM)  :-16.99
  TX Power(dBM)                 :-5.03
  TX Power High Threshold(dBM)  :-2.22
  TX Power Low  Threshold(dBM)  :-6.99
------------------------------------------------------------- 

1.1.1.3 Modular Switch V200R001

The Current Rx Power(dBM) field in the command output indicates the current receive power of the optical module, and the Current Tx Power(dBM) field indicates the current transmit power.
<Quidway> display transceiver interface gigabitethernet 3/1/4 verbose
GigabitEthernet3/1/4 transceiver information:

-------------------------------------------------------------
Common information:
  Transceiver Type               :OC3_INTER_REACH_SFP
  Connector Type                 :LC
  Wavelength(nm)                 :1310
  Transfer Distance(m)           :15000(9um)
  Digital Diagnostic Monitoring  :YES
  Vendor Name                    :HUAWEI
  Vendor Part Number             :34060358
  Ordering Name                  :
-------------------------------------------------------------
Manufacture information:
  Manu. Serial Number            :EH1048220807
  Manufacturing Date             :2010-12-06
  Vendor Name                    :HUAWEI
-------------------------------------------------------------
Alarm information:
  RX loss of signal
  RX power low
-------------------------------------------------------------                   
Diagnostic information:
  Temperature(°C)                       :18
  Voltage(V)                            :3.32
  Bias Current(mA)                      :8.12
  Bias High Threshold(mA)               :27.34
  Bias Low  Threshold(mA)               :2.17
  Current Rx Power(dBM)                 :-30.00
  Default Rx Power High Threshold(dBM)  :0.00
  Default Rx Power Low  Threshold(dBM)  :-16.99
  Current Tx Power(dBM)                 :-4.42
  Default Tx Power High Threshold(dBM)  :0.00
  Default Tx Power Low  Threshold(dBM)  :-9.50
  User Set Rx Power High Threshold(dBM) :0.00
  User Set Rx Power Low Threshold(dBM)  :-16.99
  User Set Tx Power High Threshold(dBM) :0.00
  User Set Tx Power Low Threshold(dBM)  :-9.50
-------------------------------------------------------------

1.1.1.4 Fixed Switch V200R002&V200R003

The RX Power(dBM) field in the command output indicates the receive power of the optical module, and the TX Power(dBM) field indicates the transmit power.
<Quidway> display transceiver interface gigabitethernet 0/0/1 verbose
Gigabitethernet0/0/1 transceiver information:
-------------------------------------------------------------
Common information:
  Transceiver Type               :1000_BASE_SX_SFP
  Connector Type                 :LC
  Wavelength(nm)                 :850
  Transfer Distance(m)           :300(50um),150(62.5um)
  Digital Diagnostic Monitoring  :YES
  Vendor Name                    :SumitomoElectric
  Vendor Part Number             :HFBR-5710L 
  Ordering Name                  :
-------------------------------------------------------------
Manufacture information:
  Manu. Serial Number            :88K056C10353
  Manufacturing Date             :2008-08-08
  Vendor Name                    :SumitomoElectric
-------------------------------------------------------------
Diagnostic information:
  Temperature(°C)              :26.00
  Temp High Threshold(°C)      :85.00
  Temp Low  Threshold(°C)      :-40.00
  Voltage(V)                    :3.29
  Volt High Threshold(V)        :3.64
  Volt Low  Threshold(V)        :2.95
  Bias Current(mA)              :4.57
  Bias High Threshold(mA)       :9.00
  Bias Low  Threshold(mA)       :2.00
  RX Power(dBM)                 :-40.00
  RX Power High Threshold(dBM)  :0.00
  RX Power Low  Threshold(dBM)  :-16.99
  TX Power(dBM)                 :-5.03
  TX Power High Threshold(dBM)  :-2.22
  TX Power Low  Threshold(dBM)  :-6.99
------------------------------------------------------------- 

1.1.1.5 Modular Switch V200R002&V200R003

The Current Rx Power(dBM) field in the command output indicates the current receive power of the optical module, and the Current Tx Power(dBM) field indicates the current transmit power.
<Quidway> display transceiver interface gigabitethernet 3/0/0 verbose
GigabitEthernet3/0/0 transceiver information:                        
------------------------------------------------------------- 
Common information:
  Transceiver Type               :1000_BASE_SX_SFP
  Connector Type                 :LC
  Wavelength(nm)                 :850
  Transfer Distance(m)           :500(50um),300(62.5um)
  Digital Diagnostic Monitoring  :YES
  Vendor Name                    :FINISAR CORP.
  Vendor Part Number             :FTLF8519P2BNL-HW
  Ordering Name                  :
-------------------------------------------------------------
Manufacture information:
  Manu. Serial Number            :PEP3L5D
  Manufacturing Date             :2008-12-05
  Vendor Name                    :FINISAR CORP.
-------------------------------------------------------------
Alarm information:
  TX power low
-------------------------------------------------------------                   
Diagnostic information:
  Temperature(°C)                       :39
  Voltage(V)                            :3.31
  Bias Current(mA)                      :6.59
  Bias High Threshold(mA)               :10.50
  Bias Low  Threshold(mA)               :2.50
  Current Rx Power(dBM)                 :-2.23
  Default Rx Power High Threshold(dBM)  :3.01
  Default Rx Power Low  Threshold(dBM)  :-15.02
  Current Tx Power(dBM)                 :-2.45
  Default Tx Power High Threshold(dBM)  :3.01
  Default Tx Power Low  Threshold(dBM)  :-9.00
  User Set Rx Power High Threshold(dBM) :3.01
  User Set Rx Power Low Threshold(dBM)  :-15.02
  User Set Tx Power High Threshold(dBM) :3.01
  User Set Tx Power Low Threshold(dBM)  :-9.00
-------------------------------------------------------------
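The following is an added example, not part of the original FAQ and not Huawei code: a Python parser that reads the RX/TX power fields from any of the output layouts shown above and compares each reading with the thresholds printed next to it. The function names are hypothetical, and two assumptions are made: a "User Set" threshold takes precedence over a "Default" one, and a layout with a single threshold pair is treated as alarm level.

```python
import re

# Matches the optical power fields of every layout shown above, once the field
# name is lower-cased and its runs of spaces are collapsed to one space.
FIELD = re.compile(
    r"^(?:(current|default|user set) )?(rx|tx) power"
    r"(?: (high|low))?(?: (warning|alarm))?(?: threshold)?\(dbm\)$"
)

def parse_power(output):
    """Return {'rx': {...}, 'tx': {...}} holding 'value' plus threshold entries
    keyed by (bound, level, source)."""
    power = {"rx": {}, "tx": {}}
    for line in output.splitlines():
        name, sep, raw = line.partition(":")
        if not sep:
            continue
        match = FIELD.match(" ".join(name.split()).lower())
        if not match:
            continue
        try:
            number = float(raw.strip())
        except ValueError:
            continue  # field present but not numeric
        source, direction, bound, level = match.groups()
        if bound is None:
            power[direction]["value"] = number
        else:
            # Assumption: a layout without Warning/Alarm levels is alarm level.
            key = (bound, level or "alarm", source or "default")
            power[direction][key] = number
    return power

def classify(reading):
    """Classify one direction as 'ok', 'warning', 'alarm' or 'unknown'."""
    value = reading.get("value")
    if value is None:
        return "unknown"
    status = "ok"
    for level in ("warning", "alarm"):      # alarm is checked last, so it wins
        for bound in ("low", "high"):
            # Assumption: a user-set threshold overrides the default one.
            limit = reading.get((bound, level, "user set"),
                                reading.get((bound, level, "default")))
            if limit is None:
                continue
            if (bound == "low" and value < limit) or \
               (bound == "high" and value > limit):
                status = level
    return status

def check(output):
    """Map 'rx' and 'tx' to their status for one command output."""
    return {d: classify(r) for d, r in parse_power(output).items()}

# Excerpt of the fixed-switch V200R001 output shown above.
SAMPLE_FIXED = """
  RX Power(dBM)                 :-40.00
  RX Power High Threshold(dBM)  :0.00
  RX Power Low  Threshold(dBM)  :-16.99
  TX Power(dBM)                 :-5.03
  TX Power High Threshold(dBM)  :-2.22
  TX Power Low  Threshold(dBM)  :-6.99
"""

# Excerpt of the modular-switch V200R001 output shown above.
SAMPLE_MODULAR = """
  Current Rx Power(dBM)                 :-30.00
  Default Rx Power High Threshold(dBM)  :0.00
  Default Rx Power Low  Threshold(dBM)  :-16.99
  Current Tx Power(dBM)                 :-4.42
  Default Tx Power High Threshold(dBM)  :0.00
  Default Tx Power Low  Threshold(dBM)  :-9.50
  User Set Rx Power High Threshold(dBM) :0.00
  User Set Rx Power Low Threshold(dBM)  :-16.99
  User Set Tx Power High Threshold(dBM) :0.00
  User Set Tx Power Low Threshold(dBM)  :-9.50
"""

# Constructed sample in the Warning/Alarm layout; the RX reading is made up so
# that it falls between the low warning and low alarm thresholds.
SAMPLE_TWO_LEVEL = """
  RX Power(dBM)                         :-21.00
  RX Power High Warning Threshold(dBM)  :-1.00
  RX Power Low  Warning Threshold(dBM)  :-20.00
  RX Power High Alarm   Threshold(dBM)  :0.75
  RX Power Low  Alarm   Threshold(dBM)  :-23.97
  TX Power(dBM)                         :-5.78
  TX Power High Warning Threshold(dBM)  :-1.00
  TX Power Low  Warning Threshold(dBM)  :-11.50
  TX Power High Alarm   Threshold(dBM)  :0.99
  TX Power Low  Alarm   Threshold(dBM)  :-13.50
"""

if __name__ == "__main__":
    for label, text in (("fixed", SAMPLE_FIXED), ("modular", SAMPLE_MODULAR),
                        ("two-level", SAMPLE_TWO_LEVEL)):
        print(label, check(text))
```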

1.1.2 How Do I Identify Combo Interfaces of a Switch?

A combo interface is a dual-purpose interface consisting of an Ethernet optical interface and an Ethernet electrical interface on the panel. The electrical and optical interfaces of a combo interface are multiplexed, and only one of them can work at a time.

NOTE:

In V100R003 and earlier versions, a combo interface works as an optical interface by default.

In V100R005 and later versions, a combo interface works in auto mode by default and automatically determines the interface type depending on whether the optical interface has an optical module installed:

  • If the optical interface has no optical module installed and the electrical interface has no network cable connected, the interface type depends on which interface is connected first. If the electrical interface is connected by a network cable first, the electrical interface is used for data switching. If the optical interface has an optical module installed first, the optical interface is used for data switching.
  • If the electrical interface has a network cable connected and is in Up state, the electrical interface is still used for data switching when the optical interface has an optical module installed.
  • If the optical interface has an optical module installed and is in Up state, the optical interface is still used for data switching when the electrical interface has a network cable connected.
  • If the optical interface has an optical module installed (with optical fibers connected) and the electrical interface has a network cable connected, the optical interface is used for data switching after the switch restarts.

Use the combo-port command to configure a combo interface to work as an electrical or optical interface.

Use one of the following methods to identify a combo interface on a switch:

  • Identify a combo interface based on the interface identifier on the switch panel. If two interfaces have the same ID but connect to different transmission media, the two interfaces are multiplexed as a combo interface. As shown in Figure 1-1, interfaces 1 and 2 are combo interfaces.
    Figure 1-1 Combo interfaces on a switch
  • Run the display interface command to check whether an interface is a combo interface.
    <HUAWEI> display interface gigabitethernet 1/0/1
    ...
    IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0025-9e80-2494
    Port Mode: COMBO AUTO
    Speed : 100,  Loopback: NONE

1.1.3 Why Are Only Two Optical Interfaces Displayed After a 4-Port Front Subcard Is Installed in an S5700?

This is because there is no extended channel rear card installed in the switch.

An S5700SI or S5700EI switch can provide only two optical interfaces for a front subcard. If a 4-port front subcard is installed, the switch must use an ES5D00ETPB00 extended channel rear subcard to provide the other two interfaces. Without an extended channel rear subcard, only two optical interfaces are displayed.

  • If a 4-port GE front subcard (ES5D000G4S01/ES5D00G4SA01) and an ES5D00ETPC00 rear stack card (working normally) are used together in a switch, only the first and second interfaces on the front card can work normally, and the other two interfaces cannot be used.

  • If a 4-port 10GE front subcard (ES5D000X4S01) and an ES5D00ETPC00 rear stack card (working normally) are used together in a switch, only the first and third interfaces on the front subcard can work normally, and the other two interfaces cannot be used.

NOTE:

The available interfaces on the ES5D000X4S01 front subcard are displayed as XGigabitEthernet */1/1 and XGigabitEthernet */1/2 on the CLI, corresponding to physical interfaces 1 and 3 on the front subcard.

* indicates a slot ID on the switch.

1.1.4 When and How Should a Surge Protector Be Used on a Fixed Switch?

Common Causes of Lightning Strikes

  • Outdoor network cables or power cables are routed overhead.
  • A switch is deployed outdoors but is not properly grounded.

Damages from Lightning Strikes

  • If the power cables of a switch are routed overhead in an outdoor environment, lightning strikes may burn the power supplies.
  • If the network cables of a switch are routed overhead in an outdoor environment, lightning strikes may burn interfaces of the switch.

When a switch is struck by lightning, the lightning induces overvoltage on the network cables, which is then transmitted to the interior of the chassis. Surge protection measures such as lightning rods and chassis grounding cannot prevent the damage. Therefore, surge protectors or surge protection circuits are recommended.

Surge Protector Use Precautions

Take the following precautions to protect a switch from lightning:

  • Ensure that the ground cable is connected to a ground bar or a ground point on the cabinet.
  • Avoid routing cables overhead in an outdoor environment. Bury cables underground or route them in steel tubes.
  • To protect network interfaces against lightning, use 8-line surge protectors (or Huawei certified 4-line surge protectors).
  • When installing a network interface surge protector, connect the IN end to the terminal and the OUT end to the network interface of the switch.

If a fixed switch is installed in a network box, as shown in Figure 1-2, follow these instructions:

  • Connect the ground cables of the switch and surge protectors to the ground bar in the network box.
  • The maximum length of a ground cable cannot exceed 40 cm, and a length of less than 15 cm is recommended.
  • If the network box is located outdoors and power cables are routed aerially over a long distance (more than 300 m) to the network box, it is recommended that you install a power supply surge protector in the network box. The decoupled power cable must be at least 3 m long.
    Figure 1-2 Cable connection in a network box

1.1.5 What Are Similarities and Differences Between the Console and Mini USB Interfaces?

The console interface can be connected to an operation terminal for onsite configuration. It must be used with a console cable. After a switch is powered on for the first time, you need to log in to the switch through the console interface to configure the switch.

The Mini USB interface is also used to connect an operation terminal to the switch. The Mini USB and console interfaces are logically the same interface. Only one of the Mini USB and console interfaces can be used at a time. The Mini USB interface is preferred.

1.1.6 Are Subcards of Fixed Switches Hot Swappable?

Subcards of the S5700-SI, S5700-EI, and S5710-LI are not hot swappable. Subcards of the S3700-HI, S5700-HI, S5710-EI, and S5710-HI are hot swappable.

1.1.7 Can AC and DC Power Supplies Be Installed on the Same Switch?

Fixed Switches

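| Product Type | Model | AC and DC Power Supplies Installed on the Same Switch? |
|---|---|---|
| S3700/S5700/S6700 | S3700-26C-HI | Yes |
| S3700/S5700/S6700 | S5710-28C-EI | Yes |
| S3700/S5700/S6700 | S5710-52C-EI | Yes |
| S3700/S5700/S6700 | S5700-28C-HI | Yes |
| S3700/S5700/S6700 | S5700-28C-HI-24S | Yes |
| S3700/S5700/S6700 | S5700-EI (non-PoE) | No |
| S3700/S5700/S6700 | S5700-SI (non-PoE) | No |
| S3700/S5700/S6700 | S6700 | No |
| S3700/S5700/S6700 | S5710-HI | No, but 350 W and 1150 W AC power supplies can be used on one switch. |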

Modular Switches

AC and DC power supplies cannot be installed in the slots of the same type on the same switch, and the different power supply types cannot be installed on the same switch.

1.1.8 Can a 10GE Optical Interface Use a GE Optical Module?

Fixed Switches

10GE XFP interfaces cannot use GE optical modules. Only 10GE SFP+ interfaces on certain switch models and versions can use GE optical modules. For details, see Table 1-1.

Table 1-1 10GE interface support for GE optical modules

| Series | Support for 10GE Interface | Support for GE Optical Module on 10GE Optical Interface |
|---|---|---|
| S2700 | Not supported | NA |
| S2750 | Not supported | NA |
| S3700 | Not supported | NA |
| S5700-LI | Supported (fixed interfaces of the models with an X in product names, for example, S5700-28X-LI-AC) | Supported |
| S5700S-LI | Not supported | Not supported |
| S5700-SI | Supported by all models except the TP models (fixed interfaces or interfaces on 10GE interface cards) | Supported |
| S5700-EI | Supported (10GE interface cards) | Not supported |
| S5700-HI | Supported (10GE interface cards) | Supported |
| S5710-LI | Supported (10GE interface cards) | Supported |
| S5710-EI | Supported (fixed interfaces or interfaces on 10GE interface cards) | Supported |
| S5710-HI | Supported (fixed interfaces or interfaces on 10GE interface cards) | Supported by fixed 10GE interfaces; not supported by interfaces on 10GE interface cards |
| S6700 | Supported (fixed interfaces) | Supported |

On the S6700 of V100R006C00SPC800, when a GE optical module is installed on a 10GE optical interface, the interface speed automatically changes to 1000 Mbit/s and the interface works in non-auto-negotiation mode. If the 10GE interface connects to a GE interface, the GE interface must also work in non-auto-negotiation mode. Otherwise, the two interfaces cannot go Up. After patch V100R006SPH005 is loaded, the 10GE optical interface with a GE optical module installed can be switched to the auto-negotiation mode using the negotiation auto command. The interface can then communicate with an optical interface that works at 1000 Mbit/s in auto-negotiation mode.

In versions later than V100R006C00SPC800, a 10GE interface automatically works at 1000 Mbit/s in auto-negotiation mode after a GE optical module is installed.

Modular Switches

10GE interfaces on the following cards support GE optical modules:

  • S7700: ES1D2X16SFC0, ES1D2X40SFC0
  • S9700: EH1D2X16SFC0, EH1D2X40SFC0, EH1D2X48SEC0

NOTE:

You are not advised to install a low-speed optical module on a high-speed optical interface.

1.1.9 Can a GE Optical Interface Use a 100M Optical Module?

Fixed Switches

Whether a GE interface can use a 100M optical module depends on device models and software version, as shown in Table 1-2.

Table 1-2 GE interface support for 100M optical modules

| Series | Support for GE Optical Interface | Support for 100M Optical Module on GE Optical Interface |
|---|---|---|
| S2700 | Supported (fixed interfaces) | Supported only on combo optical interfaces and 100/1000BASE-X optical interfaces |
| S2750 | Supported (fixed interfaces) | Supported only on combo optical interfaces |
| S3700 | Supported (fixed interfaces) | Supported only on combo optical interfaces and 100/1000BASE-X optical interfaces |
| S5700-LI | Supported (fixed interfaces) | Supported only on combo optical interfaces and 100/1000BASE-X optical interfaces |
| S5700S-LI | Supported (fixed interfaces) | Not supported |
| S5700-SI | Supported (fixed interfaces or interfaces on GE interface cards) | Supported only on combo optical interfaces and 100/1000BASE-X optical interfaces, not on interface cards |
| S5700-EI | Supported (fixed interfaces or interfaces on GE interface cards) | Supported only on combo optical interfaces and 100/1000BASE-X optical interfaces, not on interface cards |
| S5700-HI | Supported (fixed interfaces or interfaces on GE interface cards) | Supported only on 100/1000BASE-X optical interfaces, not on interface cards |
| S5710-LI | Supported (fixed interfaces or interfaces on GE interface cards) | Supported only on combo optical interfaces, not on interface cards |
| S5710-EI | Supported (fixed interfaces or interfaces on GE interface cards) | Supported only on combo optical interfaces, not on interface cards |
| S5710-HI | Supported | Not supported |
| S6700 | 10GE interfaces can be configured as GE interfaces | Not supported |

Modular Switches

All GE optical interfaces on modular switches support 100M optical modules.

NOTE:

You are not advised to install a low-speed optical module on a high-speed optical interface.

1.1.10 Can a GE Optical Interface Use a 10GE Optical Module?

GE optical ports on the switch cannot use 10GE optical modules. Similarly, 100M optical ports cannot use GE optical modules.

1.1.11 Which Product Models Support Copper Transceiver Modules?

Fixed Switches

Huawei fixed switches support only one type of copper transceiver module: SFP-1000BaseT, a GE copper transceiver module that has been certified by Huawei.

Table 1-3 describes the fixed switches' support for copper transceiver modules.

Table 1-3 Fixed switches' support for copper transceiver modules

| Series | Support for GE Copper Transceiver Module |
|---|---|
| S2700 | Not supported |
| S2750 | Supported on all optical interfaces except the combo optical interfaces |
| S3700 | Not supported |
| S5700-LI | Supported on all optical interfaces except the combo optical interfaces, in V200R002C00 and later versions |
| S5700S-LI | Supported on all optical interfaces, in V200R002C00 and later versions |
| S5700-SI | Supported on all optical interfaces except the combo optical interfaces. NOTE: 10GE interface cards are supported in V200R002C00 and later versions. When interfaces on a GE interface card use GE copper transceiver modules, the interfaces can go Up, but the commands used to configure the interface speed, duplex mode, auto-negotiation, MDI, flow control, and virtual cable test cannot be used on the interfaces. |
| S5700-EI | Supported on all optical interfaces except the combo optical interfaces and interfaces on 10GE interface cards. NOTE: When interfaces on a GE interface card use GE copper transceiver modules, the interfaces can go Up, but the commands used to configure the interface speed, duplex mode, auto-negotiation, MDI, flow control, and virtual cable test cannot be used on the interfaces. |
| S5700-HI | Supported on all optical interfaces. NOTE: 10GE interface cards are supported in V200R002C00 and later versions. When interfaces on a GE interface card use GE copper transceiver modules, the interfaces can go Up, but the commands used to configure the interface speed, duplex mode, auto-negotiation, MDI, flow control, and virtual cable test cannot be used on the interfaces. |
| S5710-LI | Supported on GE interface cards. NOTE: When interfaces on a GE interface card use GE copper transceiver modules, the interfaces can go Up, but the commands used to configure the interface speed, duplex mode, auto-negotiation, MDI, flow control, and virtual cable test cannot be used on the interfaces. |
| S5710-EI | Supported on all optical interfaces except the combo optical interfaces, in V200R002C00 and later versions |
| S5710-HI | Supported on GE optical interface cards and fixed 10GE optical interfaces |
| S6700 | Supported on all optical interfaces, in V200R001C01 and later versions |

Modular Switches

GE copper transceiver modules can be used on all GE optical interface cards and the 10GE optical interface cards that support GE optical modules.

GE optical interface cards of modular switches support only Huawei-certified copper transceiver modules. When non-Huawei-certified copper transceiver modules are installed on interfaces of Huawei switches, the interfaces still work as optical interfaces.

1.1.12 Can a GE Optical Interface Be Manually Configured as a 100M Interface to Work with Another 100M Optical Interface?

It depends on the installed optical module. However, this method is not recommended even if it is feasible.

1.1.13 Can Two GE Interfaces Be Connected Using a 100M Network Cable?

In V100R006SPC800 and later versions, switch interfaces cannot work at a lower speed through auto-negotiation by default. If two GE interfaces are connected using a 100M network cable (Category-5 or lower category cable), the interface speed cannot be negotiated as 100 Mbit/s and the two interfaces are in Down state. You can manually set the speed of the two interfaces to 100 Mbit/s or replace the 100M network cable with a 1000M cable.

1.2 DHCP

1.2.1 What are functions of DHCP?

Dynamic Host Configuration Protocol (DHCP) dynamically manages and configures user IP addresses based on the client/server model. DHCP clients request network configuration parameters from a DHCP server, and the DHCP server returns the parameters (including IP addresses, subnet masks, and default gateway addresses) in accordance with configured policies. DHCP supports Option fields. For details about Option fields, see RFC 2132.

The DHCP protocol structure involves the following roles:

  • DHCP Server

A DHCP server processes requests for address allocation, address renewal, and address release from DHCP clients or DHCP relay agents, and allocates IP addresses and other network configuration parameters to DHCP clients.

  • DHCP Relay

A DHCP relay agent forwards DHCP packets between clients and the server to help them complete address configuration. The request packets sent by DHCP clients are broadcast on the network. If the server and client are located on different links, the DHCP relay agent is required to forward packets between the server and client. It is unnecessary to deploy a DHCP server on each network segment. This reduces network deployment costs and implements centralized device management.

The DHCP relay agent is optional in a DHCP protocol structure. It is required only when DHCP clients and server are on different network segments.

  • DHCP Client

DHCP clients obtain IP addresses and other network configuration parameters by exchanging DHCP packets with the DHCP server. After the DHCP client function is configured on an interface, the interface can function as a DHCP client to dynamically obtain configuration parameters such as an IP address from a DHCP server. This facilitates device configurations and centralized management.

1.2.2 How Do I Configure a DHCP Server?

A switch functioning as a DHCP server can allocate IP addresses to clients using either of the following methods:

  • Use a global address pool to allocate IP addresses

An IP address pool is created in the system view on a DHCP server. In the interface view, the server is configured to allocate IP addresses, gateway addresses, and DNS server addresses to clients based on the global address pool.

  • Use an interface address pool to allocate IP addresses

An IP address pool is created in the interface view on a DHCP server. In the interface view, the server is configured to allocate IP addresses, gateway addresses, and DNS server addresses to clients based on the interface address pool.

NOTE:

In the preceding configurations, the interface can be a VLANIF interface or a physical interface working in Layer 3 mode. Since V200R005C00, the physical interfaces working in Layer 3 mode have supported the preceding configurations.

Depending on creation methods, address pools are classified into interface address pools and global address pools.

  • Interface address pool

    An IP address is allocated to the interface of the server connecting to clients. The address pool is on the same network segment as the interface address, and the IP addresses in the address pool can only be allocated to the clients connected to this interface. This method is applicable only when the DHCP clients and server are on the same network segment. For example, when a switch functions as a DHCP server, the switch can allocate IP addresses to only the clients connected to one interface or allocate IP addresses of different network segments to clients on different interfaces.

  • Global address pool
    An address pool of the specified network segment is created in the system view. The IP addresses in the address pool can be allocated to the clients connected to all interfaces on the server. This method is applicable when:
    • The DHCP server and clients are on different network segments, and a DHCP relay agent is deployed.
    • The DHCP server and clients are on the same network segment, and the server needs to allocate IP addresses to only the clients connected to one interface or allocate IP addresses of different network segments to clients on different interfaces.

As shown in Figure 1-3, the switch functions as a DHCP server to allocate IP addresses and a DNS server address to the PC. Both the global and interface address pools can be used in this scenario.

Figure 1-3 A switch functions as a DHCP server
  • Configure the DHCP server to use a global address pool:
    1. Create an IP address pool.
      <HUAWEI> system-view
      [HUAWEI] ip pool 1 //Create an IP address pool.
      [HUAWEI-ip-pool-1] network 10.10.10.0 mask 255.255.255.0 //Configure a network segment.
      [HUAWEI-ip-pool-1] gateway-list 10.10.10.1 //Configure the gateway address.
      [HUAWEI-ip-pool-1] excluded-ip-address 10.10.10.10 10.10.10.50  //Configure a reserved IP address.
      [HUAWEI-ip-pool-1] dns-list 10.8.8.8 //Configure a DNS server address.
      [HUAWEI-ip-pool-1] lease day 0 hour 8 minute 0 //Configure the lease period.
      [HUAWEI-ip-pool-1] quit
    2. Enable the DHCP function.
      [HUAWEI] dhcp enable //Enable DHCP globally.
    3. Enable DHCP server on VLANIF10 and configure the server to use the global address pool.
      [HUAWEI] interface vlanif10 //Enter the VLANIF interface view.
      [HUAWEI-Vlanif10] ip address 10.10.10.1 255.255.255.0 //Configure IP addresses.
      [HUAWEI-Vlanif10] dhcp select global //Configure the DHCP server to use the global address pool.
  • Configure the DHCP server to use an interface address pool:
    1. Enable the DHCP function.
      <HUAWEI> system-view
      [HUAWEI] dhcp enable
    2. Enable DHCP server on VLANIF10 and configure the server to use the interface address pool.
      NOTICE:

      Before running the dhcp select interface command, allocate an IP address to the VLANIF interface.

      [HUAWEI] interface vlanif 10
      [HUAWEI-Vlanif10] ip address 10.10.10.1 255.255.255.0 //Configure a network segment.
      [HUAWEI-Vlanif10] dhcp select interface //Configure the DHCP server to use the interface address pool.
      [HUAWEI-Vlanif10] dhcp server dns-list 10.8.8.8 //Configure a DNS server address.
      [HUAWEI-Vlanif10] dhcp server excluded-ip-address 10.10.10.10 10.10.10.50  //Configure a reserved IP address.
      [HUAWEI-Vlanif10] dhcp server lease day 0 hour 8 minute 0 //Configure the lease period.
      [HUAWEI-Vlanif10] quit

1.2.3 How Do I Configure the DHCP Relay Agent?

When DHCP clients and the server are on different network segments, a switch (which cannot be a DHCP server) needs to be configured as the DHCP relay agent to forward request packets from clients to the DHCP server.

NOTE:

Before configuring a DHCP relay agent, ensure that reachable routes exist between clients and the DHCP server.

The procedure for configuring a DHCP relay agent is as follows:

  1. Configure a destination DHCP server group.
    <HUAWEI> system-view
    [HUAWEI] dhcp server group group1
    [HUAWEI-dhcp-server-group-group1] dhcp-server 10.10.10.1
    [HUAWEI-dhcp-server-group-group1] quit
  2. Enable the DHCP function.
    [HUAWEI] dhcp enable
  3. Configure DHCP relay on VLANIF100 and bind VLANIF100 to group1.
    [HUAWEI] interface vlanif 100
    [HUAWEI-Vlanif100] ip address 10.20.20.1 24
    [HUAWEI-Vlanif100] dhcp select relay
    [HUAWEI-Vlanif100] dhcp relay server-select group1
    [HUAWEI-Vlanif100] quit

1.2.4 How Do I Configure DHCP Snooping?

DHCP snooping is a DHCP security feature that intercepts and analyzes DHCP packets transmitted between DHCP clients and a DHCP server. DHCP snooping creates and maintains a DHCP snooping binding table, and filters untrusted DHCP packets according to the table. The binding table contains the MAC address, IP address, lease, binding type, VLAN ID, and interface information.

The DHCP snooping binding entries are dynamically generated based on the DHCP ACK packets received by trusted interfaces. The entries record the mappings between clients' IP addresses and MAC addresses. DHCP snooping is equivalent to a firewall between DHCP clients and the DHCP server to prevent DHCP Denial of Service (DoS) attacks, bogus DHCP server attacks, and bogus DHCP request packet attacks, and ensure that only authorized users can access the network.

Figure 1-4 Prevention against bogus DHCP server attacks

In the scenario shown in Figure 1-4, the procedure for configuring prevention against bogus DHCP server attacks is as follows:

  1. Enable DHCP snooping globally.
    <Quidway> system-view
    [Quidway] dhcp enable
    [Quidway] dhcp snooping enable
  2. Enable DHCP snooping on user-side interfaces GE0/0/2 and GE0/0/3.
    [Quidway] interface gigabitethernet 0/0/2
    [Quidway-GigabitEthernet0/0/2] dhcp snooping enable
    [Quidway-GigabitEthernet0/0/2] quit
    [Quidway] interface gigabitethernet 0/0/3
    [Quidway-GigabitEthernet0/0/3] dhcp snooping enable
    [Quidway-GigabitEthernet0/0/3] quit
  3. Configure the DHCP server-side interface GE0/0/1 as a trusted interface.
    [Quidway] interface gigabitethernet 0/0/1
    [Quidway-GigabitEthernet0/0/1] dhcp snooping trusted
    [Quidway-GigabitEthernet0/0/1] quit

1.2.5 How Do I Maintain DHCP?

  1. Check whether the IP addresses have been allocated.

    Run the ping ip-address command to test whether an IP address is allocated to a client. If the ping operation is successful, the IP address has been allocated. If the ping operation fails, the IP address is idle.

  2. Check IP addresses that are dynamically allocated.

    Run the display ip pool name ip-pool-name used command on the DHCP server to check allocated IP addresses.

  3. Reclaim IP addresses.

    Run the reset ip pool { interface pool-name | name ip-pool-name } { start-ip-address [ end-ip-address ] | all | conflict | expired | used } command in the user view to manually reclaim IP addresses in the address pool.

    If an IP address has been manually bound to a MAC address, the binding is still valid after this command is executed and the IP address cannot be allocated to other clients. To unbind the IP address from the MAC address, run the following commands as required:

    • For a global address pool
      undo static-bind [ ip-address ip-address | mac-address mac-address ]
    • For an interface address pool
      undo dhcp server static-bind [ ip-address ip-address | mac-address mac-address ]

1.2.6 How Can I Use the Extended DHCP Functions?

  • How to bind a fixed IP address to a specified MAC address

    There are two methods:

    • Based on a global address pool
      <HUAWEI> system-view
      [HUAWEI] ip pool 1
      [HUAWEI-ip-pool-1] static-bind ip-address X.X.X.X mac-address H-H-H
    • Based on an interface address pool
      <HUAWEI> system-view
      [HUAWEI] interface vlanif 10
      [HUAWEI-Vlanif10] dhcp server static-bind ip-address X.X.X.X mac-address H-H-H
    NOTE:

    The IP address to be bound to a specified MAC address cannot be occupied. If the IP address is being occupied, run the reset ip pool { interface pool-name | name ip-pool-name } { start-ip-address [ end-ip-address ] | all | conflict | expired | used } command in the user view to reclaim the IP address in the address pool.

  • How to enable authorized users with static IP addresses to go online

    After the DHCP snooping and IPSG functions are enabled (using the ip source check user-bind enable command), the switch discards packets from the authorized users with static IP addresses because the switch does not have the dynamic DHCP snooping entries matching the packets. As a result, the users cannot go online. To address this problem, configure static binding entries for these users.

    Run the following command.

    In the system view:

    user-bind static { { { ip-address | ipv6-address } { start-ip [ to end-ip ] } &<1-10> | ipv6-prefix prefix/prefix-length } | mac-address mac-address } * [ interface interface-type interface-number ] [ vlan vlan-id [ ce-vlan ce-vlan-id ] ]

    At least two attributes among IP address, MAC address, interface, and VLAN need to be specified in a static binding entry. The effect varies depending on the bound attributes. At most four attributes can be bound.

    After the static binding entries are configured, authorized users with static IP addresses can go online. If a static user changes the IP address, the user cannot go online because the device has neither the dynamic nor static DHCP snooping binding entry of the user.
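The following Python model is an added example, not Huawei code. It walks through the behaviour described in 1.2.4 and in the static-user case above: DHCP server replies are accepted only on the trusted interface, a dynamic binding is learned from the ACK, and IPSG forwards user traffic only when it matches a dynamic or static entry. The interface roles follow the Figure 1-4 procedure; VLAN 10, the MAC addresses, the leased address 10.10.10.51, and the "all bound attributes must equal the packet's" matching rule are assumptions made for this simplified model.

```python
from dataclasses import dataclass
from typing import Optional

SERVER_REPLIES = {"OFFER", "ACK", "NAK"}  # message types only a DHCP server sends


@dataclass(frozen=True)
class Binding:
    """Binding-table entry. None = attribute not bound (static entries only)."""
    ip: Optional[str] = None
    mac: Optional[str] = None
    interface: Optional[str] = None
    vlan: Optional[int] = None
    kind: str = "dynamic"
    lease_s: Optional[int] = None

    def matches(self, ip, mac, interface, vlan):
        # Simplified rule (assumption): every bound attribute must equal the packet's.
        pairs = ((self.ip, ip), (self.mac, mac),
                 (self.interface, interface), (self.vlan, vlan))
        return all(bound is None or bound == seen for bound, seen in pairs)


class SnoopingSwitch:
    def __init__(self, trusted):
        self.trusted = set(trusted)  # interfaces configured as "dhcp snooping trusted"
        self.pending = {}            # client MAC -> (interface, vlan) of its REQUEST
        self.table = []              # the binding table

    def dhcp_in(self, msg_type, interface, vlan, client_mac, yiaddr=None, lease_s=None):
        """Return 'forward' or 'drop' for a DHCP message received on `interface`."""
        if msg_type in SERVER_REPLIES:
            if interface not in self.trusted:
                return "drop"        # server reply from a user-side port: bogus server
            if msg_type == "ACK" and client_mac in self.pending:
                port, client_vlan = self.pending.pop(client_mac)
                self.table.append(Binding(yiaddr, client_mac, port, client_vlan,
                                          "dynamic", lease_s))
            return "forward"
        if msg_type == "REQUEST":
            self.pending[client_mac] = (interface, vlan)  # remember the client's port
        return "forward"

    def user_bind_static(self, ip=None, mac=None, interface=None, vlan=None):
        """Static entry: at least two of IP, MAC, interface and VLAN must be given."""
        if sum(v is not None for v in (ip, mac, interface, vlan)) < 2:
            raise ValueError("a static binding needs at least two attributes")
        self.table.append(Binding(ip, mac, interface, vlan, "static"))

    def ipsg_permits(self, ip, mac, interface, vlan):
        """IPSG on user-side ports: forward only traffic that matches an entry."""
        if interface in self.trusted:
            return True
        return any(b.matches(ip, mac, interface, vlan) for b in self.table)


def run_scenario():
    """Constructed walk-through: GE0/0/1 is server-side, GE0/0/2 and GE0/0/3 are user-side."""
    sw = SnoopingSwitch(trusted={"GE0/0/1"})
    pc, static_pc = "00e0-fc00-0001", "00e0-fc00-0002"  # constructed MAC addresses
    r = {}
    r["discover"] = sw.dhcp_in("DISCOVER", "GE0/0/2", 10, pc)
    r["bogus_offer"] = sw.dhcp_in("OFFER", "GE0/0/3", 10, pc, "192.168.1.50")
    r["real_offer"] = sw.dhcp_in("OFFER", "GE0/0/1", 10, pc, "10.10.10.51")
    sw.dhcp_in("REQUEST", "GE0/0/2", 10, pc)
    r["ack"] = sw.dhcp_in("ACK", "GE0/0/1", 10, pc, "10.10.10.51", 8 * 3600)
    # DHCP user: passes with the leased address, fails with a spoofed source address.
    r["dhcp_user"] = sw.ipsg_permits("10.10.10.51", pc, "GE0/0/2", 10)
    r["spoofed_ip"] = sw.ipsg_permits("10.10.10.1", pc, "GE0/0/2", 10)
    # Static-IP user: dropped until a static entry exists, dropped again on IP change.
    r["static_before"] = sw.ipsg_permits("10.10.10.20", static_pc, "GE0/0/3", 10)
    sw.user_bind_static(ip="10.10.10.20", mac=static_pc)
    r["static_after"] = sw.ipsg_permits("10.10.10.20", static_pc, "GE0/0/3", 10)
    r["static_new_ip"] = sw.ipsg_permits("10.10.10.21", static_pc, "GE0/0/3", 10)
    r["table"] = [(b.kind, b.ip, b.interface) for b in sw.table]
    return r


if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step:14} {outcome}")
```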

1.2.7 How Does a Switch Support DHCP?

  • Modular switch

    All models and versions support DHCP server, DHCP relay, and DHCP snooping. The DHCP client has been supported since V200R005C00.

  • Fixed switch
    • In versions earlier than V200R005C00, the S2700SI, S2700EI, and S5700LI support only DHCP client, and do not support DHCP server or DHCP relay.
    • In versions later than V200R005C00, all models except the S5306LI support DHCP server, DHCP relay, and DHCP client. The S5306LI supports only DHCP client.
    • All models except S2700SI support DHCP snooping.

1.3 PoE

1.3.1 How Much Power Does a PoE Power Module Provide?

Power over Ethernet (PoE) refers to a power supply over a 10Base-T, 100Base-TX, or 1000Base-T Ethernet cable.

PoE provides power for terminals such as IP phones, access points (APs), portable device chargers, point-of-sale (POS) machines, cameras, and data collectors. These terminals are powered when they connect to the network, so the indoor power supply systems are not required. IEEE 802.3af and IEEE 802.3at are PoE standards defined to provide remote power supply for the devices from different vendors. IEEE 802.3af supports a maximum of 15.4 W power and IEEE 802.3at supports a maximum of 30 W power.

Fixed switch

Fixed switches support 250 W (sales part number 02130878), 500 W (sales part number 02130879), 580 W (sales part number 02130953), and 1150 W (sales part number 02130984) PoE power modules. The actual available power of a 250 W PoE power module is around 120 W (measured 123.2 W). The actual available power of a 500 W PoE power module is around 370 W (measured 369.6 W). The actual available power of a 580 W PoE power module is around 380 W (measured 369.6 W). The actual available power of a 1150 W PoE power module is around 800 W (measured 785.4 W).

A 250 W PoE power module can provide 802.3af full power on 8 interfaces or 802.3at full power on 4 interfaces.

A 500 W PoE power module can provide 802.3af full power on 24 interfaces or 802.3at full power on 12 interfaces.

A 580 W PoE power module can provide 802.3af full power on 24 interfaces or 802.3at full power on 12 interfaces.

A 1150 W PoE power module can provide 802.3af full power on 48 interfaces or 802.3at full power on 26 interfaces.

PoE supports remote power supply over a distance of up to 100 m.

Modular switch

Table 1-4 lists the PoE power modules supported by the S7700 series switches and the available power they can provide.

NOTICE:

Different types of power modules cannot be used in the same switch.

Table 1-4 PoE power modules supported by the S7700 series switches and their available power

PoE Power Module Supported                            Maximum Available Power
800 W AC power module (sales part number 02130979)    800 W
2200 W AC power module (sales part number 02130977)   2200 W
2200 W DC power module (sales part number 02270117)

Table 1-5 lists the PoE power that the S7700 series switches can provide and the number of PoE interfaces they support.

Table 1-5 PoE power provided by the S7700 series switches and the number of PoE interfaces supported

Chassis   Number of PoE Power Modules Supported   Maximum Power   Number of PoE Interfaces Supported
S7703     1                                       2200 W          144
S7706     4                                       8800 W          288
S7712                                                             576

1.3.2 Which Switch Models Support the PoE Function?

Fixed switches

Use the display device command to check a switch's product name and determine whether the switch supports the PoE function based on its product name.

  • If the product name contains PWR, this switch model supports the PoE function.
  • If the product name does not contain PWR, this switch model does not support the PoE function.

Modular switches

Among modular switches, only the S7700 series switches support the PoE function. The PoE card of an S7700 is ES0D0G48VA00.

1.3.3 Why Can't a PoE Card Be Registered?

The PoE card of an S7700 is ES0D0G48VA00. The possible causes are as follows:

  1. The PoE power module is not installed in the PoE power slot.
  2. The PoE power module is not powered on.
  3. The DIMM is faulty.

For the handling methods, see "Cards Cannot Be Registered" in the Hardware Troubleshooting.

1.4 NAT

1.4.1 Do Huawei Switches Support NAT?

Fixed switches in all versions do not support NAT.

Modular switches in V100R003 and later versions support NAT after an SPU is installed.

1.4.2 How Do I Configure Outbound NAT to Enable Private Network Users to Access the Internet?

Applicable Products and Versions

This configuration applies to modular switches in V100R006C00 and later versions.

Networking Requirements

The SPU is installed in slot 5 of the switch in Figure 1-5. Hosts on the internal networks of company A and company B use private IP addresses. Company A has 100 hosts and 101 idle public IP addresses (202.169.10.100 to 202.169.10.200). Hosts in company B are on a VPN and company B does not have idle public IP addresses.

Company A and company B require that internal hosts access the Internet.

Figure 1-5 Configuring outbound NAT to allow private network users to access the Internet

Configuration Roadmap

The configuration roadmap is as follows:

  1. Direct flows from the Switch to the SPU.
  2. On the switch, configure outbound NAT with an address pool for hosts in company A. The switch maps each private IP address to a public IP address so that hosts in company A can successfully access the Internet.
  3. On the switch, configure Easy IP without an address pool for hosts in company B. The switch maps each private IP address to the public IP address of the outbound interface so that hosts in company B can successfully access the Internet.

Procedure

  1. Configure Layer 2 flow import to direct flows from the switch to the SPU. GE2/0/1 and GE2/0/3 are inbound interfaces, and GE2/0/2 is the outbound interface.
    # Configure the switch.
    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] vlan batch 101 to 103
    [Switch] interface eth-trunk 1
    [Switch-Eth-Trunk1] port link-type trunk
    [Switch-Eth-Trunk1] port trunk allow-pass vlan 101 to 103
    [Switch-Eth-Trunk1] quit
    [Switch] interface gigabitethernet 2/0/1
    [Switch-GigabitEthernet2/0/1] port link-type trunk
    [Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 101
    [Switch-GigabitEthernet2/0/1] quit
    [Switch] interface gigabitethernet 2/0/2
    [Switch-GigabitEthernet2/0/2] port link-type trunk
    [Switch-GigabitEthernet2/0/2] port trunk allow-pass vlan 102
    [Switch-GigabitEthernet2/0/2] quit
    [Switch] interface gigabitethernet 2/0/3
    [Switch-GigabitEthernet2/0/3] port link-type trunk
    [Switch-GigabitEthernet2/0/3] port trunk allow-pass vlan 103
    [Switch-GigabitEthernet2/0/3] quit
    [Switch] interface xgigabitethernet 5/0/0
    [Switch-XGigabitEthernet5/0/0] eth-trunk 1
    [Switch-XGigabitEthernet5/0/0] quit
    [Switch] interface xgigabitethernet 5/0/1
    [Switch-XGigabitEthernet5/0/1] eth-trunk 1
    [Switch-XGigabitEthernet5/0/1] quit
    # On the SPU, configure IP addresses for interfaces and add interfaces to VLANs.
    <HUAWEI> system-view
    [HUAWEI] sysname SPU
    [SPU] interface eth-trunk 1
    [SPU-Eth-Trunk1] quit
    [SPU] interface eth-trunk 1.1
    [SPU-Eth-Trunk1.1] control-vid 101 dot1q-termination
    [SPU-Eth-Trunk1.1] dot1q termination vid 101
    [SPU-Eth-Trunk1.1] ip address 192.168.20.1 255.255.255.0
    [SPU-Eth-Trunk1.1] arp broadcast enable
    [SPU-Eth-Trunk1.1] quit
    [SPU] interface eth-trunk 1.2
    [SPU-Eth-Trunk1.2] control-vid 102 dot1q-termination
    [SPU-Eth-Trunk1.2] dot1q termination vid 102
    [SPU-Eth-Trunk1.2] ip address 202.169.10.1 255.255.255.0
    [SPU-Eth-Trunk1.2] arp broadcast enable
    [SPU-Eth-Trunk1.2] quit
    [SPU] ip vpn-instance vpn_b
    [SPU-vpn-instance-vpn_b] route-distinguisher 0:1
    [SPU-vpn-instance-vpn_b] quit
    [SPU] interface eth-trunk 1.3
    [SPU-Eth-Trunk1.3] control-vid 103 dot1q-termination
    [SPU-Eth-Trunk1.3] dot1q termination vid 103
    [SPU-Eth-Trunk1.3] ip binding vpn-instance vpn_b
    [SPU-Eth-Trunk1.3] ip address 10.0.0.1 255.255.255.0
    [SPU-Eth-Trunk1.3] arp broadcast enable
    [SPU-Eth-Trunk1.3] quit
    [SPU] ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 eth-trunk 1.2 202.169.10.2
    [SPU] interface xgigabitethernet 0/0/1
    [SPU-XGigabitEthernet0/0/1] eth-trunk 1
    [SPU-XGigabitEthernet0/0/1] quit
    [SPU] interface xgigabitethernet 0/0/2
    [SPU-XGigabitEthernet0/0/2] eth-trunk 1
    [SPU-XGigabitEthernet0/0/2] quit
  2. Configure outbound NAT on the SPU.
    [SPU] nat address-group 1 202.169.10.100 202.169.10.200    
    [SPU] acl 2000 
    [SPU-acl-basic-2000] rule 5 permit source 192.168.20.0 0.0.0.255 
    [SPU-acl-basic-2000] quit 
    [SPU] acl 2001 
    [SPU-acl-basic-2001] rule 5 permit vpn-instance vpn_b source 10.0.0.0 0.0.0.255 
    [SPU-acl-basic-2001] quit 
    [SPU] interface eth-trunk 1.2 
    [SPU-Eth-Trunk1.2] nat outbound 2000 address-group 1 no-pat 
    [SPU-Eth-Trunk1.2] nat outbound 2001 
    [SPU-Eth-Trunk1.2] quit
  3. Verify the configuration.

Run the display nat outbound interface eth-trunk 1.2 command on the SPU to view the outbound NAT configuration.

[SPU] display nat outbound interface eth-trunk 1.2
 NAT Outbound Information:                                                                                                          
 --------------------------------------------------------------------------                                                         
 Interface                     Acl     Address-group/IP/Interface      Type                                                         
 --------------------------------------------------------------------------                                                         
 Eth-Trunk1.2                 2000                              1    no-pat                                                         
 Eth-Trunk1.2                 2001                   202.169.10.1    easyip                                                         
 --------------------------------------------------------------------------                                                         
  Total : 2                                                          

After the configuration is complete, hosts in company A and company B can access the Internet.

Take company A as an example. On the host with the private IP address 192.168.20.2, ping the public IP address 202.169.10.2 on the Internet. The ping is successful.

Run the display nat session destination 202.169.10.2 command on the SPU to view the source IP address before and after the NAT operation.

[SPU] display nat session destination 202.169.10.2
  The operation may take a few minutes, please wait...                                                                              
  NAT Session Table Information:                                                                                                    
     Protocol          : ICMP(1)                                                                                                    
     SrcAddr   Vpn     : 192.168.20.2                                                                                               
     DestAddr  Vpn     : 202.169.10.2                                                                                               
     Type Code IcmpId  : 8   0   44006                                                                                              
     NAT-Info                                                                                                                       
       New SrcAddr     : 202.169.10.100                                                                                             
       New DestAddr    : ----                                                                                                       
       New IcmpId      : ----                                                                                                       
                                                                                                                                    
  Total : 1                       

Take company B as an example. On the host with the private IP address 10.0.0.2, ping the public IP address 202.169.10.2 on the Internet. The ping is successful.

Run the display nat session destination 202.169.10.2 command on the SPU to view the source IP address before and after the NAT operation.

[SPU] display nat session destination 202.169.10.2
  The operation may take a few minutes, please wait...                                                                              
  NAT Session Table Information:                                                                                                    
     Protocol          : ICMP(1)                                                                                                    
     SrcAddr   Vpn     : 10.0.0.2        vpn_b                                                                                      
     DestAddr  Vpn     : 202.169.10.2                                                                                               
     Type Code IcmpId  : 8   0   44028                                                                                              
     NAT-Info                                                                                                                       
       New SrcAddr     : 202.169.10.1                                                                                               
       New DestAddr    : ----                                                                                                       
       New IcmpId      : 10240                                                                                                      
                                                                                                                                    
  Total : 1                    

Configuration Files

  • Configuration file of the SPU
    #
    sysname SPU
    #
    ip vpn-instance vpn_b
     route-distinguisher 0:1
    #
    acl number 2000
     rule 5 permit source 192.168.20.0 0.0.0.255
    #
    acl number 2001
     rule 5 permit vpn-instance vpn_b source 10.0.0.0 0.0.0.255
    # 
    nat address-group 1 202.169.10.100 202.169.10.200
    # 
    interface Eth-Trunk1
    #
    interface Eth-Trunk1.1
     control-vid 101 dot1q-termination
     dot1q termination vid 101
     ip address 192.168.20.1 255.255.255.0 
     arp broadcast enable
    #
    interface Eth-Trunk1.2
     control-vid 102 dot1q-termination
     dot1q termination vid 102
     ip address 202.169.10.1 255.255.255.0 
     arp broadcast enable
     nat outbound 2000 address-group 1 no-pat
     nat outbound 2001     
    #
    interface Eth-Trunk1.3
     control-vid 103 dot1q-termination
     dot1q termination vid 103
     ip binding vpn-instance vpn_b
     ip address 10.0.0.1 255.255.255.0 
     arp broadcast enable
    #
    interface XGigabitEthernet0/0/1
     eth-trunk 1
    #
    interface XGigabitEthernet0/0/2
     eth-trunk 1
    #
    ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 Eth-Trunk1.2 202.169.10.2
    #
    return
  • Configuration file of the switch
    #
    sysname Switch
    #
    vlan batch 101 to 103
    #
    interface Eth-Trunk1
     port link-type trunk
     port trunk allow-pass vlan 101 to 103
    #
    interface GigabitEthernet2/0/1
     port link-type trunk
     port trunk allow-pass vlan 101
    #
    interface GigabitEthernet2/0/2
     port link-type trunk
     port trunk allow-pass vlan 102
    # 
    interface GigabitEthernet2/0/3
     port link-type trunk
     port trunk allow-pass vlan 103
    # 
    interface XGigabitEthernet5/0/0
     eth-trunk 1
    #
    interface XGigabitEthernet5/0/1
     eth-trunk 1
    #
    return

1.4.3 How Do I Configure a NAT Server to Enable Internet Users to Access Private Servers?

Applicable Products and Versions

This configuration applies to modular switches in V100R006C00 and later versions.

Networking Requirements

The SPU is installed in slot 5 of the switch in Figure 1-6. Company A provides a web server for users to access from the Internet. The private IP address of the web server is 192.168.20.2:8080 and its public IP address is 202.169.10.5. Company B provides an FTP server on a VPN for users to access from the Internet. The private IP address of the FTP server is 10.0.0.3 and its public IP address is 202.169.10.33.

Internet users need to use public IP addresses to access company A's web server and company B's FTP server.

Figure 1-6 Networking diagram for NAT server configuration

Configuration Roadmap

The configuration roadmap is as follows:

  1. Direct flows from the Switch to the SPU.
  2. Configure the NAT server function so that Internet users can access company A's web server and company B's FTP server using public IP addresses.
  3. Enable the NAT ALG function to implement address translation for FTP packets.

Procedure

  1. Configure Layer 2 flow import to direct flows from the switch to the SPU. GE2/0/2 is the inbound interface, and GE2/0/1 and GE2/0/3 are outbound interfaces.
    # Configure the switch.
    <HUAWEI> system-view 
    [HUAWEI] vlan batch 101 to 103 
    [HUAWEI] interface eth-trunk 1 
    [HUAWEI-Eth-Trunk1] port link-type trunk 
    [HUAWEI-Eth-Trunk1] port trunk allow-pass vlan 101 to 103 
    [HUAWEI-Eth-Trunk1] quit 
    [HUAWEI] interface gigabitethernet 2/0/1 
    [HUAWEI-GigabitEthernet2/0/1] port link-type trunk 
    [HUAWEI-GigabitEthernet2/0/1] port trunk allow-pass vlan 101 
    [HUAWEI-GigabitEthernet2/0/1] quit 
    [HUAWEI] interface gigabitethernet 2/0/2 
    [HUAWEI-GigabitEthernet2/0/2] port link-type trunk 
    [HUAWEI-GigabitEthernet2/0/2] port trunk allow-pass vlan 102 
    [HUAWEI-GigabitEthernet2/0/2] quit    
    [HUAWEI] interface gigabitethernet 2/0/3 
    [HUAWEI-GigabitEthernet2/0/3] port link-type trunk 
    [HUAWEI-GigabitEthernet2/0/3] port trunk allow-pass vlan 103 
    [HUAWEI-GigabitEthernet2/0/3] quit    
    [HUAWEI] interface xgigabitethernet 5/0/0 
    [HUAWEI-XGigabitEthernet5/0/0] eth-trunk 1 
    [HUAWEI-XGigabitEthernet5/0/0] quit 
    [HUAWEI] interface xgigabitethernet 5/0/1 
    [HUAWEI-XGigabitEthernet5/0/1] eth-trunk 1 
    [HUAWEI-XGigabitEthernet5/0/1] quit
    # On the SPU, configure IP addresses for interfaces and add interfaces to VLANs.
    <SPU> system-view 
    [SPU] interface eth-trunk 1 
    [SPU-Eth-Trunk1] quit 
    [SPU] interface eth-trunk 1.1 
    [SPU-Eth-Trunk1.1] control-vid 101 dot1q-termination 
    [SPU-Eth-Trunk1.1] dot1q termination vid 101 
    [SPU-Eth-Trunk1.1] ip address 192.168.20.1 255.255.255.0     
    [SPU-Eth-Trunk1.1] arp broadcast enable 
    [SPU-Eth-Trunk1.1] quit 
    [SPU] interface eth-trunk 1.2 
    [SPU-Eth-Trunk1.2] control-vid 102 dot1q-termination 
    [SPU-Eth-Trunk1.2] dot1q termination vid 102 
    [SPU-Eth-Trunk1.2] ip address 202.169.10.1 255.255.255.0    
    [SPU-Eth-Trunk1.2] arp broadcast enable 
    [SPU-Eth-Trunk1.2] quit 
    [SPU] ip vpn-instance vpn_b 
    [SPU-vpn-instance-vpn_b] route-distinguisher 0:1 
    [SPU-vpn-instance-vpn_b] quit 
    [SPU] interface eth-trunk 1.3 
    [SPU-Eth-Trunk1.3] control-vid 103 dot1q-termination 
    [SPU-Eth-Trunk1.3] dot1q termination vid 103 
    [SPU-Eth-Trunk1.3] ip binding vpn-instance vpn_b 
    [SPU-Eth-Trunk1.3] ip address 10.0.0.1 255.255.255.0     
    [SPU-Eth-Trunk1.3] arp broadcast enable 
    [SPU-Eth-Trunk1.3] quit 
    [SPU] ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 eth-trunk 1.2 202.169.10.2 
    [SPU] interface xgigabitethernet 0/0/1 
    [SPU-XGigabitEthernet0/0/1] eth-trunk 1 
    [SPU-XGigabitEthernet0/0/1] quit 
    [SPU] interface xgigabitethernet 0/0/2 
    [SPU-XGigabitEthernet0/0/2] eth-trunk 1 
    [SPU-XGigabitEthernet0/0/2] quit
  2. Configure the internal servers on the SPU.
    [SPU] interface eth-trunk 1.2 
    [SPU-Eth-Trunk1.2] nat server protocol tcp global 202.169.10.5 www inside 192.168.20.2 8080 
    [SPU-Eth-Trunk1.2] nat server protocol tcp global 202.169.10.33 ftp inside 10.0.0.3 ftp vpn-instance vpn_b
  3. On the SPU, enable the NAT ALG function for FTP.
    [SPU] nat alg ftp enable
  4. Verify the configuration.

    Run the display nat server interface eth-trunk 1.2 command on the SPU to view the NAT server configuration.

    [SPU] display nat server interface eth-trunk 1.2
     Nat Server Information:
      Interface  : Eth-Trunk1.2
        Global IP/Port     : 202.169.10.5/80(www)
        Inside IP/Port     : 192.168.20.2/8080
        Protocol : 6(tcp)
        VPN instance-name  : ----
        Description : ---- 
    
        Global IP/Port     : 202.169.10.33/21(ftp)
        Inside IP/Port     : 10.0.0.3/21(ftp)
        Protocol : 6(tcp)
        VPN instance-name  : vpn_b
    
      Total :    2   

    After the configuration is complete, Internet users can access company A's web server and company B's FTP server using public IP addresses.

Configuration Files

  • Configuration file of the SPU
    #
    sysname SPU
    #
    ip vpn-instance vpn_b
    route-distinguisher 0:1
    #
    nat alg ftp enable
    #
    interface Eth-Trunk1
    #
    interface Eth-Trunk1.1
     control-vid 101 dot1q-termination
     dot1q termination vid 101
     ip address 192.168.20.1 255.255.255.0 
     arp broadcast enable
    #
    interface Eth-Trunk1.2
     control-vid 102 dot1q-termination
     dot1q termination vid 102
     ip address 202.169.10.1 255.255.255.0 
     arp broadcast enable
     nat server protocol tcp global 202.169.10.5 www inside 192.168.20.2 8080
     nat server protocol tcp global 202.169.10.33 ftp inside 10.0.0.3 ftp vpn-instance vpn_b
    #
    interface Eth-Trunk1.3
     control-vid 103 dot1q-termination
     dot1q termination vid 103
     ip binding vpn-instance vpn_b
     ip address 10.0.0.1 255.255.255.0 
     arp broadcast enable
    #
    interface XGigabitEthernet0/0/1
     eth-trunk 1
    #
    interface XGigabitEthernet0/0/2
     eth-trunk 1
    #
    ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 Eth-Trunk1.2 202.169.10.2
    #
    return
  • Configuration file of the switch
    #
    vlan batch 101 to 103
    #
    interface Eth-Trunk1
     port link-type trunk
     port trunk allow-pass vlan 101 to 103
    #
    interface GigabitEthernet2/0/1
     port link-type trunk
     port trunk allow-pass vlan 101
    #
    interface GigabitEthernet2/0/2
     port link-type trunk
     port trunk allow-pass vlan 102
    # 
    interface GigabitEthernet2/0/3
     port link-type trunk
     port trunk allow-pass vlan 103
    # 
    interface XGigabitEthernet5/0/0
     eth-trunk 1
    #
    interface XGigabitEthernet5/0/1
     eth-trunk 1
    #
    return

1.5 Web System

1.5.1 What Web-based Management Features Do Switches (Excluding the S1700) Support?

Table 1-6 lists the web-based management features supported by S series switches.

Table 1-6 Web-based management features supported by switches

| Category | Function |
|---|---|
| System management | Upgrade, patch loading, PoE, DNS, stacking, viewing log files, and setting the system time, SNMP parameters, and EasyDeploy parameters. NOTE: Switches in V200R002 and later versions support SNMP and EasyDeploy parameter configuration. |
| Interface management | Viewing/configuring basic interface attributes and viewing statistics on an interface |
| Service management | VLAN, MAC address, STP, voice VLAN, DHCP, ARP, VRRP, and IGMP snooping |
| ACL management | Creating/modifying/deleting ACL rules and effective periods |
| QoS | Priority mapping, traffic policy, rate limit on an interface, traffic shaping, and congestion management |
| Route management | Viewing IPv4 routes, configuring static routes, and setting the preference of static routes |
| Security management | Port isolation, static user binding, AAA, 802.1x authentication, and MAC address authentication |
| Tools | Ping, Tracert, and VCT |

1.5.2 What Web-based Management Features Does S1700 V100R006 Support?

Among all S1700 models of V100R006C00, only the S1728GWR-4P supports web management.

Table 1-7 lists the web-based management features that S1700 V100R006 supports.

Table 1-7 Web-based management features that S1700 V100R006 supports

| Menu | Submenu | Description |
|---|---|---|
| System | General | Displays system description and runtime, enables a switch to transmit jumbo frames, enables energy efficient Ethernet (EEE), and sets the system name, location, and contact information. |
| System | IP | Displays the management VLAN, local management IP address, and local MAC address, and sets the management VLAN and local management IP address. |
| System | File | Upgrade: upgrades a switch's firmware version. Set Start-Up: sets a switch's startup file. Show/Delete: displays files stored in a switch's system and deletes the files. Config File: saves, uploads, or downloads a switch's configuration file. |
| System | Time | Current time: sets the system time. |
| System | CPU Utilization | Displays CPU utilization. |
| System | Memory Status | Displays memory utilization. |
| System | Reset | Resets a switch. |
| System | RFID | Huawei checks every device before delivery to ensure that the device is running the correct version and functioning properly. |
| Interface | Port | General: displays connection status of each port and configures one or more ports. Mirror: specifies the source and destination ports of mirrored packets and displays mirroring configuration. Statistics: displays statistics on a port. Cable Test: performs cable tests for specified ports to locate cable faults. |
| Interface | Trunk | System Priority: configures the system priority. Static: configures trunks in manual load balancing mode or static LACP mode. Statistics: displays traffic statistics on a trunk. |
| Interface | Transceiver | Displays information about a GE transceiver. |
| Interface | Green Ethernet | Enables or disables the power-saving mode on a specified port. |
| VLAN | Static | Creates, displays, deletes, and modifies static VLANs, edits/displays member interfaces by VLAN/interface, and edits member interfaces by interface range. |
| MAC Address | Static | Adds, displays, and deletes static MAC addresses. |
| MAC Address | Dynamic | Displays and clears dynamic MAC addresses and configures the aging time. |
| Spanning Tree | STP | Configures STP parameters in the system and on specified interfaces. |
| Traffic | Rate Limit | Configures rate limit on the outbound interface. |
| Traffic | Storm Control | Configures the storm control function. |
| Traffic | Priority | Configures the default priority, queue mode, trust mode, mappings from DSCP priorities to DSCP priorities, mappings from CoS priorities to DSCP priorities, and mappings from PHBs to queues. |
| Traffic | Voice VLAN | Configures the voice VLAN function. |
| Security | AAA | Configures system authentication and authentication servers. |
| Security | User Accounts | Configures user accounts and related parameters. |
| Security | Network Access | Configures parameters for user access. |
| Security | IP Filter | Configures IP address filtering. |
| Security | Port Isolation | Configures the port isolation function. |
| Security | Port Authentication | Configures the port authentication function. |
| Administration | Log | Provides information for system diagnosis and maintenance. |
| Administration | LLDP | Configures LLDP parameters. |
| IP | General | Configures ping. |
| IP | ARP | Configures ARP. |
| Multicast | IGMP Snooping | Configures general settings, multicast routing interfaces, IGMP members, interfaces, and forwarding entries. |

1.5.3 What Web-based Management Features Does S1700 V100R007 Support?

Among all S1700 models of V100R007C00, only the S1700-28FR-2T2P-AC, S1700-28GFR-4P-AC, S1700-52FR-2T2P-AC, and S1700-52GFR-4P-AC support web management.

S1700 V100R007 supports web-managed and unmanaged switches. Table 1-8 lists the web-based management features that S1700 web-managed switches support in V100R007.

Table 1-8 Web-based management features that S1700 web-managed switches support in V100R007

| Menu | Submenu | Description |
|---|---|---|
| Device Summary | Device Summary | Displays a switch's front panel, device information, and running status. |
| System Management | Reset Factory | Restores the factory settings. |
| System Management | Reboot | Restarts a switch with the specified software version and configuration file. |
| System Management | Software Upgrade | Use HTTP or FTP to upgrade a switch's firmware version. |
| System Management | File System Management | Uploads, downloads, or deletes files in a switch's flash memory. |
| System Management | System Configuration | Sets the system name and connection timeout period for a switch. |
| System Management | SNTP | SNTP Server Configuration: sets SNTP server parameters. Time Configuration: manually sets the system time. |
| System Management | IP Management | Views and configures the management VLAN and management IPv4/IPv6 address for a switch. |
| System Management | ARP | Configures ARP. |
| System Management | IPv6 Neighbor | Configures static IPv6 neighbor relationships, views dynamic neighbor relationships, and views/configures route advertisement information. |
| Interface Management | Ethernet Interface | Basic Attributes: displays connection status of each Ethernet interface, and configures basic attributes of one or more Ethernet interfaces. Statistics on Interface: displays traffic statistics on each Ethernet interface. |
| Interface Management | Eth-Trunk | Priority: configures the system priority. Load Balancing Mode: specifies the mode in which traffic is load balanced. Trunk: views and configures a trunk. Trunk Member: views information about trunk member interfaces. |
| Service Management | VLAN | Creates, deletes and edits VLANs, displays member interfaces by VLAN, and edits member interfaces by interface/interface range. |
| Service Management | MAC VLAN | Creates and deletes MAC VLANs, displays MAC VLAN lists by VLAN/MAC address, and enables/disables MAC VLAN by interface/interface range. |
| Service Management | Voice VLAN | Configures the voice VLAN function. |
| Service Management | MAC | MAC Address List: views or deletes dynamic MAC address entries. MAC Aging Time: sets the aging time for dynamic MAC address entries. Static MAC Address: creates or deletes static MAC address entries. Blackhole MAC Address: creates or deletes blackhole MAC address entries. MAC Address Filter: enables or disables MAC address filtering on a specified interface. Flapping MAC Address: displays information about MAC address flapping. |
| Service Management | STP | Configures STP parameters in the system and on specified interfaces. |
| Service Management | IGMP Snooping | Configures global IGMP snooping parameters, VLAN-based IGMP snooping parameters, router interface learning, multicast group policies, static groups, multicast groups, queriers, router interfaces, and views the multicast forwarding table. |
| ACL | Effective Period | Specifies the period in which an ACL rule is effective. |
| ACL | ACL Profile | Creates ACL rules. |
| ACL | ACL Application | Applies an ACL rule to a specified interface or VLAN. |
| ACL | HTTP ACL | Applies an ACL rule to HTTP packets received by a switch. |
| QoS | QoS Interface | Configures the trust mode and default CoS value for a specified interface. |
| QoS | CoS Mapping | Maps CoS values to service levels. |
| QoS | DSCP Mapping | Maps DSCP values to service levels. |
| QoS | IP Precedence Mapping | Maps IP precedence values to service levels. |
| QoS | Service Level Mapping | Maps service levels to queues. |
| QoS | QoS Scheduler | Configures the QoS scheduling algorithm and weight for WRR scheduling. |
| QoS | SRED | Configures Simple Random Early Detection (SRED). |
| QoS | Traffic Management | Creates traffic classifiers to control traffic. |
| QoS | Traffic Shaping | Sets the maximum rate of outgoing traffic on an interface. |
| IP Routing | IPv4 Route | Adds and views static IPv4 routes. |
| IP Routing | IPv6 Route | Adds and views static IPv6 routes. |
| Security | User Management | Configures user accounts. |
| Security | 802.1x | Configures 802.1x authentication. |
| Security | Guest VLAN | Configures a guest VLAN. |
| Security | Storm Suppression | Configures storm suppression. |
| Security | Port Security | Controls access on specified interfaces. |
| Security | MAC-based Access Control | Configures MAC address authentication. |
| Security | Attack Prevent | Configures attack defense functions. |
| Security | DHCP Snooping | Configures DHCP snooping. |
| Security | IPSG | Configures IP source guard. |
| Security | DAI | Configures dynamic ARP inspection (DAI). |
| Security | MAC Attack | Configures defense against packets with forged MAC addresses and MAC address spoofing attacks. |
| Security | Port Isolation | Configures the port isolation function. |
| Security | AAA | Configures authentication and accounting functions. |
| Security | RADIUS | Configures RADIUS server parameters. |
| Security | SSL Settings | Configures SSL parameters. |
| Network | SNMP | Configures SNMP parameters. |
| Network | RMON | Configures RMON parameters. |
| Network | LLDP | Configures LLDP parameters. |
| Network | LLDP-MED | Configures LLDP-MED parameters. |
| Device Management | Device Management | Views device hardware information. Huawei checks every device before delivery to ensure that the device is running the correct version and functioning properly. |
| Device Management | Device Diagnostics | Interface Loopback Test: performs loopback diagnosis on specified interfaces. VCT Cable Diagnostics: performs VCT diagnosis on specified interfaces to locate cable faults. |
| Device Management | DDM | Views parameters on optical interfaces. |
| Device Management | Information Center | Manages system logs. |
| Device Management | Power Saving Management | Enables or disables the power-saving mode and EEE function. |
| Device Management | Mirror | Specifies the source and destination interfaces for mirrored packets and displays mirroring configuration. |
| Device Management | Tools | Ping Test: performs ping tests to check network connectivity. Tracert: performs tracert tests to collect routing information. One Key Information: clicks the button to download all configurations, logs, and error information. |
| Save Running-config | Save Running-config | Saves modified parameter settings. |

1.5.4 How Do I Obtain a Web File and Configure the Web System?

Obtaining a Web File

The web file is released with the system software package and varies depending on software versions. The following uses S7700 V200R003 as an example to describe how to obtain a web file.

  1. Open Internet Explorer and enter http://e.huawei.com/en/ in the address box.

    NOTE:

    You must have permission to obtain the web file. To obtain the permission, choose My Huawei > Permissions.

  2. Choose Support > Product Support.
  3. Choose Software > Enterprise Networking > Switch > Campus Switch.
  4. In the navigation tree on the left, choose S7700.
  5. Select Quidway S7700 V200R003C00SPC500 and click the version number to view details.
  6. Under Version and Patch Software, find the web file with the file name extension .web.7z and download the web file.

Loading the Web File and Configuring an HTTP User

The following uses S7700 V200R003 as an example.

  1. Run the system-view command to enter the system view.
  2. Run the http server load file-name command to load the web file.

    NOTE:

    Before loading a web file, upload the web file to the switch through FTP, SFTP, or TFTP. The web file must be loaded to the root directory of the switch's storage medium; otherwise, the web file cannot be loaded.

  3. Run the http secure-server enable command to enable the HTTPS server function.
  4. Run the http server enable command to enable the HTTP server function.
  5. Run the aaa command to enter the AAA view.
  6. Run the local-user user-name password { cipher | irreversible-cipher } password command to configure an AAA local user name and password.
  7. Run the local-user user-name privilege level level command to set the local user level.

    NOTE:

    HTTP users of level 3 or higher can manage the switch on the web system, whereas HTTP users of level 2 or lower can only view the switch configuration.

  8. Run the local-user user-name service-type http command to set the service type to HTTP.

Logging In to the Web System

  1. Open Internet Explorer on a PC, enter http://IP address (for example, https://10.164.19.131) in the address box, and press Enter. The login dialog box is displayed.

    NOTE:

    The IP address is the management address of a device, and can be an IPv4 or IPv6 address depending on the HTTPS type (HTTPS IPv4 or IPv6) you have selected.

    To ensure compatibility, the system converts the http://IP address you entered into https://IP address.

  2. Enter the HTTP user name, password, and verification code, and select a language for the web system.
  3. Click Login or press Enter. The web system home page is displayed.

You can manage and maintain the switch after logging in to the web system.

1.5.5 What Rights Do Web Management Accounts Have?

Web management accounts are local AAA users whose service type is HTTP.

HTTP users of level 3 or higher can manage the switch on the web system, whereas HTTP users of level 2 or lower can only view the switch configuration.
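The level rule above can be checked against a saved configuration. The following is an added example, not Huawei code or part of the original FAQ: it parses the local-user lines produced by the commands in 1.5.4 and reports each account's web rights, flagging web accounts whose password was set with cipher rather than irreversible-cipher. The sample configuration, the user names, and the placeholder password strings are constructed for illustration.

```python
import re

# Constructed sample configuration (not from the page); the password strings
# are placeholders, not real ciphertext.
SAMPLE_CONFIG = """\
#
http server enable
http secure-server enable
#
aaa
 local-user netadmin password irreversible-cipher PLACEHOLDER-1
 local-user netadmin privilege level 15
 local-user netadmin service-type http
 local-user noc password cipher PLACEHOLDER-2
 local-user noc privilege level 2
 local-user noc service-type http
 local-user backup password irreversible-cipher PLACEHOLDER-3
 local-user backup privilege level 3
 local-user backup service-type ftp
#
return
"""

LOCAL_USER = re.compile(r"^\s*local-user\s+(\S+)\s+(.+)$")


def parse_local_users(config):
    """Collect level, service types and password storage form per local user."""
    users = {}
    for line in config.splitlines():
        m = LOCAL_USER.match(line)
        if not m:
            continue
        name, args = m.group(1), m.group(2).split()
        # Level 0 is the default web user level stated in this FAQ (1.10.1).
        user = users.setdefault(
            name, {"level": 0, "services": set(), "password_form": None})
        if args[:1] == ["password"] and len(args) >= 2:
            user["password_form"] = args[1]
        elif args[:2] == ["privilege", "level"] and len(args) >= 3:
            user["level"] = int(args[2])
        elif args[:1] == ["service-type"]:
            user["services"].update(args[1:])
    return users


def web_rights(user):
    """Apply the page's rule: level 3 or higher manages, level 2 or lower views."""
    if "http" not in user["services"]:
        return "no web access"
    return "manage" if user["level"] >= 3 else "view-only"


def audit(config):
    """Return findings for the web management plane of one configuration."""
    findings = []
    lines = {line.strip() for line in config.splitlines()}
    if "http server enable" in lines and "http secure-server enable" not in lines:
        findings.append("HTTP server is enabled but the HTTPS server is not")
    for name, user in sorted(parse_local_users(config).items()):
        rights = web_rights(user)
        if rights == "no web access":
            continue
        if user["password_form"] == "cipher":
            findings.append(
                f"{name}: web account ({rights}) uses 'cipher'; "
                "re-enter the password with 'irreversible-cipher'")
    return findings


if __name__ == "__main__":
    for name, user in sorted(parse_local_users(SAMPLE_CONFIG).items()):
        print(f"{name:10} level {user['level']:2}  {web_rights(user)}")
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```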

1.6 NAC

1.6.1 What Is the Difference Between 802.1x and DOT1x?

They are different names for the same function.

1.6.2 Must a Shared Key Be Configured for Portal Authentication?

On a switch in V100R006 or a later version, a shared key must be configured for information exchange with the Portal server during External Portal authentication. The shared key configured on the switch must be the same as that on the Portal server.

1.6.3 Why Does a User Go Offline 10 Seconds After Passing 802.1x Authentication?

If handshake with online 802.1x users is enabled on a switch, the switch periodically sends handshake packets to a user client after the client is authenticated. If the client sends no handshake packet to the switch, the switch forces the user offline.

If the user goes offline 10 seconds after being authenticated, a handshake failure may have occurred.

To solve this problem, run the undo dot1x handshake command to disable the handshake function.

1.6.4 Why Does 802.1x or MAC Address Authentication Not Take Effect After Being Enabled and the Configuration Is Displayed in the Configuration File?

If ACL resources are all in use, the dot1x enable or mac-authen command run globally or on an interface does not take effect.

1.6.5 From Which VLAN Do DHCP Users Connected to a Switch Interface Obtain IP Addresses If MAC Address Authentication Is Enabled and a Guest VLAN Is Configured on the Interface?

When a user without a VLAN tag passes MAC address authentication, the user obtains an IP address from the VLAN matching the interface PVID. When a user with a VLAN tag passes MAC address authentication, the user obtains an IP address from the VLAN matching the VLAN tag.

If a user fails MAC address authentication, the user obtains an IP address from the guest VLAN configured on the interface through which the user accesses the network.

1.7 Loop Detection

1.7.1 Which Switch Models Support Loop Detection?

Among the S series switches, the S2700SI does not support loop detection, and the S2700EI does not support loop detection in a link aggregation group (does not support the loopback-detect packet vlan command). Other models support loop detection.

1.7.2 How Do I Configure Single-Interface Loop Detection?

Switches can detect only external loops that occur on a single interface. After external loop detection is enabled, the switch sends packets periodically to check whether an external loop occurs on an interface. When a loop is found on an interface, the switch performs the specified action on the interface. In versions earlier than V200R002, the switch sets the interface state to blocking by default. In V200R002 and later versions, the switch sets the interface state to shutdown by default.

Usage Scenario

Generally, single-interface loop detection is used on downlink interfaces of newly deployed switches to help field engineers discover incorrect cable connections. It is recommended that you set the action for interfaces with loops to block.

Configuration Procedure

After you enable loop detection globally, this function is enabled on all interfaces.

[Quidway] loopback-detect enable

Modular switches of V200R001 and later versions support loop detection in eight VLANs on an interface.

Fixed switches of V100R005 and later versions support loop detection in eight VLANs on an interface. In addition to trap, shutdown, and block, the action for interfaces with loops can be set to nolearn (stop learning MAC addresses).

The following configuration is performed on fixed switches:

[Quidway-Ethernet0/0/1] loopback-detect packet vlan 20 21 22 23 24 25 26 27 
[Quidway-Ethernet0/0/1] loopback-detect action nolearn

Modular switches of V200R001 and later versions and fixed switches of V100R005 and later versions can generate loop traps, and the traps contain VLANs where loops have occurred.

The following is an example of loop trap:

#Jan  1 2008 06:43:54-08:00 Quidway LDT/4/Porttrap:OID1.3.6.1.4.1.2011.5.25.174.3.3 Loopback does exist on interface(5) Ethernet0/0/1 ( VLAN 20 ) , loopback detect status: 4.(1:normal; 2:block;3:shutdown; 4:trap; 5:nolearn)

Precautions

Loop detection is an auxiliary tool and consumes system resources. When loop detection is complete, run the undo loopback-detect enable command to disable this function.

1.7.3 How Do I Configure Multi-Interface Loop Detection?

S series switches support MAC address flapping detection. MAC address flapping detection can detect loops formed between multiple interfaces. It is recommended that you configure multi-interface loop detection on downlink interfaces and set the action for interfaces with loops to alarm-only. When a loop is detected, the system sends a trap to the network management system to help locate the fault.

Enable MAC address flapping detection in a VLAN to detect loops in the VLAN. All software versions support MAC address flapping detection in up to 32 VLANs.

[Quidway] vlan 3
[Quidway-vlan-3] loop-detect eth-loop block-time 30 retry-times 3

The alarm information includes the interface number, VLAN ID, and time. The system can display consecutive alarms and specific MAC addresses where flapping occurs.

#Jan  1 2008 06:53:12-08:00 Quidway L2IFPPI/4/MFLPIFRESUME:OID1.3.6.1.4.1.2011.5.25.160.3.2 Loop does not exist in vlan 3, Interface Ethernet0/0/1 resumed, block-time is 30 for mac-flapping disappeared.
#Jan  1 2008 06:52:22-08:00 Quidway L2IFPPI/4/MFLPIFBLOCK:OID1.3.6.1.4.1.2011.5.25.160.3.1 Loop exist in vlan 3, InterfaceEthernet0/0/1 blocked, block-time is 30 for mac-flapping, Mac Address is 00e0-fc22-765a.

In V200R003 and later versions, a switch considers a loop to have occurred on the network connected to an interface if detection packets sent from the interface are sent back to another interface. This mechanism can also be used for multi-interface loop detection.
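The single-interface trap in 1.7.2 and the MAC flapping alarms in 1.7.3 can be turned into structured events on a log collector. The following is an added example, not Huawei code or part of the original FAQ: it parses the three trap lines shown on this page and tracks which interface/VLAN pairs still have an unresolved loop. Treating any trap other than MFLPIFRESUME as "loop still present" is an assumption of this sketch.

```python
import re
from datetime import datetime

# The three trap lines shown on this page, used unchanged as sample input.
SAMPLE_TRAPS = [
    "#Jan  1 2008 06:43:54-08:00 Quidway LDT/4/Porttrap:OID1.3.6.1.4.1.2011.5.25.174.3.3 "
    "Loopback does exist on interface(5) Ethernet0/0/1 ( VLAN 20 ) , loopback detect "
    "status: 4.(1:normal; 2:block;3:shutdown; 4:trap; 5:nolearn)",
    "#Jan  1 2008 06:53:12-08:00 Quidway L2IFPPI/4/MFLPIFRESUME:OID1.3.6.1.4.1.2011.5.25.160.3.2 "
    "Loop does not exist in vlan 3, Interface Ethernet0/0/1 resumed, block-time is 30 "
    "for mac-flapping disappeared.",
    "#Jan  1 2008 06:52:22-08:00 Quidway L2IFPPI/4/MFLPIFBLOCK:OID1.3.6.1.4.1.2011.5.25.160.3.1 "
    "Loop exist in vlan 3, InterfaceEthernet0/0/1 blocked, block-time is 30 for "
    "mac-flapping, Mac Address is 00e0-fc22-765a.",
]

HEADER = re.compile(
    r"^#(?P<ts>\w{3}\s+\d+ \d{4} \d\d:\d\d:\d\d[+-]\d\d:\d\d) (?P<host>\S+) "
    r"(?P<module>\w+)/(?P<severity>\d)/(?P<mnemonic>\w+):OID(?P<oid>[\d.]+) (?P<msg>.*)$"
)
# Status legend taken from the trap text itself.
LDT_STATUS = {1: "normal", 2: "block", 3: "shutdown", 4: "trap", 5: "nolearn"}
BODY = {
    "Porttrap": re.compile(
        r"Loopback does exist on interface\(\d+\)\s*(?P<ifname>\S+)\s*"
        r"\(\s*VLAN\s+(?P<vlan>\d+)\s*\)\s*,\s*loopback detect status:\s*(?P<status>\d)"),
    "MFLPIFBLOCK": re.compile(
        r"Loop exist in vlan (?P<vlan>\d+), Interface\s*(?P<ifname>\S+) blocked, "
        r"block-time is (?P<block_time>\d+) for mac-flapping, "
        r"Mac Address is (?P<mac>[0-9a-fA-F-]+)"),
    "MFLPIFRESUME": re.compile(
        r"Loop does not exist in vlan (?P<vlan>\d+), Interface\s*(?P<ifname>\S+) "
        r"resumed, block-time is (?P<block_time>\d+)"),
}


def parse_trap(line):
    """Return a dict for a recognised loop trap, or None for anything else."""
    head = HEADER.match(line.strip())
    if not head:
        return None
    body_re = BODY.get(head["mnemonic"])
    body = body_re.search(head["msg"]) if body_re else None
    if not body:
        return None
    fields = body.groupdict()
    event = {
        # Collapse the padded day field ("Jan  1") before parsing.
        "time": datetime.strptime(" ".join(head["ts"].split()), "%b %d %Y %H:%M:%S%z"),
        "host": head["host"],
        "mnemonic": head["mnemonic"],
        "oid": head["oid"],
        "interface": fields["ifname"],
        "vlan": int(fields["vlan"]),
    }
    if "status" in fields:
        event["action"] = LDT_STATUS.get(int(fields["status"]), "unknown")
    if "mac" in fields:
        event["mac"] = fields["mac"].lower()
    return event


def active_loops(events):
    """Replay events in time order; a RESUME clears the interface/VLAN pair."""
    state = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["interface"], ev["vlan"])
        if ev["mnemonic"] == "MFLPIFRESUME":
            state.pop(key, None)
        else:
            state[key] = ev
    return state


if __name__ == "__main__":
    parsed = [e for e in map(parse_trap, SAMPLE_TRAPS) if e]
    for (ifname, vlan), ev in active_loops(parsed).items():
        print(f"unresolved loop: {ifname} VLAN {vlan} since {ev['time'].isoformat()}")
```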

1.7.4 What Is the Default Interval for Sending LBDT Packets on an Interface?

Run the loopback-detect packet-interval packet-interval-time command in the system view to set the interval for sending LBDT packets.

  • V100R005: The default interval for sending LBDT packets is 30s.
  • V100R006 and later versions: The default interval for sending LBDT packets is 5s.

NOTE:

A shorter interval indicates that the system sends more LBDT packets in a given period and detects loops more accurately. However, more system resources are consumed.

1.7.5 How Do I Differentiate LBDT Packets Sent by Different Interfaces?

The LBDT-enabled interface sends an LBDT packet at intervals to detect loops. If the LBDT packet is received by the same interface, a loopback occurs on the interface or loops occur on the network connected to the interface. Then the interface switches to the loopback detection state. The interface automatically restores after three detection intervals.

NOTE:

LBDT packets are sent frequently; therefore, the CPU usage will increase if the LBDT function is enabled on all interfaces.

  • V100R005

    LBDT packets sent by different interfaces are distinguished by the protocol ID. By default, the system assigns a protocol ID to each interface in ascending order.

    You can run the loopback-detect protocol protocol-id command to configure a protocol ID in LBDT packets.

    NOTE:
    • The protocol ID in LBDT packets can be configured only when LBDT is disabled.
    • The protocol ID in LBDT packets must be unique on an interface.
  • V100R006 and later versions

    LBDT packets sent by different interfaces are distinguished by the interface index.

1.8 How Do I Configure a Static Binding Entry (user-bind static) for IPSG?

IP Source Guard (IPSG) is a feature used to defend against source IP address spoofing attacks.

IPSG checks the validity of IP packets against DHCP dynamic or static binding entries. The IPSG function works only when binding entries are available. Before a switch forwards an IP packet, it compares the source IP address, source MAC address, inbound interface, and VLAN ID of the IP packet with DHCP binding entries. If the IP packet matches a binding entry, the switch considers the IP packet valid and forwards it. Otherwise, the switch considers the IP packet as an attack packet and discards it.

You can configure static binding entries on a switch when the switch connects to a LAN with only a few hosts using static IP addresses. All the S series switches support configuration of static DHCP binding entries.

The configuration procedure is as follows:

# Create static binding entries by specifying the bound IP addresses and MAC addresses in the system view.

[Quidway] user-bind static ip-address 10.1.1.1 mac-address 00E0-1011-0001
[Quidway] user-bind static ip-address 10.1.1.2 mac-address 00E0-1011-0002

# Enable IPSG on specified interfaces.

[Quidway] interface Ethernet0/0/1
[Quidway-Ethernet0/0/1] ip source check user-bind enable
[Quidway-Ethernet0/0/1] quit
[Quidway] interface Ethernet0/0/2
[Quidway-Ethernet0/0/2] ip source check user-bind enable
[Quidway-Ethernet0/0/2] quit
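The check IPSG performs can be reasoned about offline before the configuration is applied. The following is an added example, not Huawei code or part of the original FAQ: it reads the command session shown above and models the forwarding decision for a packet. The Packet and Binding types are hypothetical, and the rule that a field left unset in a binding entry is not compared is an assumption of this model.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# The command session shown on this page, used unchanged as input.
PAGE_SESSION = """\
[Quidway] user-bind static ip-address 10.1.1.1 mac-address 00E0-1011-0001
[Quidway] user-bind static ip-address 10.1.1.2 mac-address 00E0-1011-0002
[Quidway] interface Ethernet0/0/1
[Quidway-Ethernet0/0/1] ip source check user-bind enable
[Quidway-Ethernet0/0/1] quit
[Quidway] interface Ethernet0/0/2
[Quidway-Ethernet0/0/2] ip source check user-bind enable
[Quidway-Ethernet0/0/2] quit
"""

PROMPT = re.compile(r"^\[[^\]-]+(?:-(?P<view>[^\]]+))?\]\s*(?P<cmd>.*)$")
BIND = re.compile(r"^user-bind static ip-address (\S+) mac-address (\S+)$")


def norm_mac(mac):
    """Reduce any MAC notation (00E0-1011-0001, 00:e0:10:...) to 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    interface: str
    vlan: int


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    interface: Optional[str] = None   # None: not part of this entry (assumption)
    vlan: Optional[int] = None        # None: not part of this entry (assumption)

    def matches(self, pkt):
        return (ipaddress.ip_address(self.ip) == ipaddress.ip_address(pkt.src_ip)
                and norm_mac(self.mac) == norm_mac(pkt.src_mac)
                and self.interface in (None, pkt.interface)
                and self.vlan in (None, pkt.vlan))


def load_session(text):
    """Extract static bindings and the interfaces on which IPSG is enabled."""
    bindings, enabled = [], set()
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        cmd = m["cmd"].strip()
        bind = BIND.match(cmd)
        if bind:
            bindings.append(Binding(bind[1], bind[2]))
        elif cmd == "ip source check user-bind enable" and m["view"]:
            enabled.add(m["view"])
    return bindings, enabled


def ipsg_verdict(pkt, bindings, enabled):
    """forward-unchecked: IPSG is off on the inbound interface, nothing is compared."""
    if pkt.interface not in enabled:
        return "forward-unchecked"
    return "forward" if any(b.matches(pkt) for b in bindings) else "discard"


if __name__ == "__main__":
    table, ifaces = load_session(PAGE_SESSION)
    for pkt in (Packet("10.1.1.1", "00e0-1011-0001", "Ethernet0/0/1", 1),
                Packet("10.1.1.2", "00e0-1011-0001", "Ethernet0/0/1", 1),
                Packet("10.1.1.9", "00e0-1011-0009", "Ethernet0/0/3", 1)):
        print(pkt, "->", ipsg_verdict(pkt, table, ifaces))
```

The third packet shows the coverage gap to look for in a review: interfaces on which ip source check user-bind enable was never run forward traffic without consulting the binding table.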

1.9 VLAN

1.9.1 How Do I Change the Link Type of an Interface?

Four link types are defined: access, trunk, hybrid, and dot1q-tunnel. The following provides the methods to set different link types.

  1. Access
    [Quidway-GigabitEthernet1/0/1] port link-type access
    [Quidway-GigabitEthernet1/0/1] port default vlan 10

    The preceding configuration changes the link type of the interface to access.

    An access interface processes packets as follows:

    • When receiving an untagged packet, the interface accepts the packet and tags it with the default VLAN ID.
    • When receiving a tagged packet, the interface:

      Accepts the packet if the VLAN ID of the packet is the same as the default VLAN ID of the interface.

      Drops the packet if the VLAN ID of the packet is different from the default VLAN ID of the interface.

    • Before sending a packet, the interface removes the VLAN tag from the packet.
  2. Trunk
    [Quidway-GigabitEthernet1/0/1] port link-type trunk
    [Quidway-GigabitEthernet1/0/1] port trunk pvid vlan 20
    [Quidway-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 10 20

    The preceding configuration changes the link type of the interface to trunk.

    A trunk interface processes packets as follows:

    • When receiving an untagged packet, the interface tags the packet with the default VLAN ID:

      If the default VLAN ID is in the list of allowed VLAN IDs, the interface accepts the packet.

      If the default VLAN ID is not in the list of allowed VLAN IDs, the interface drops the packet.

    • When receiving a tagged packet:

      If the VLAN ID of the packet is in the list of allowed VLAN IDs, the interface accepts the packet.

      If the VLAN ID of the packet is not in the list of allowed VLAN IDs, the interface drops the packet.

    • When sending a packet:

      If the VLAN ID of the packet is the same as the default VLAN and is in the list of allowed VLAN IDs, the interface removes the tag from the packet and sends the packet.

      If the VLAN ID of the packet is different from the default VLAN and is in the list of allowed VLAN IDs, the interface retains the tag and sends the packet.

  3. Hybrid
    [Quidway-GigabitEthernet1/0/1] port link-type hybrid
    [Quidway-GigabitEthernet1/0/1] port hybrid pvid vlan 10
    [Quidway-GigabitEthernet1/0/1] port hybrid untagged vlan 2 10
    [Quidway-GigabitEthernet1/0/1] port hybrid tagged vlan 20

    The preceding configuration changes the link type of the interface to hybrid.

    A hybrid interface processes packets as follows:

    • When receiving an untagged packet:

      The interface tags the packet with the default VLAN ID. If the default VLAN ID is in the list of allowed VLAN IDs, the interface accepts the packet.

      The interface tags the packet with the default VLAN ID. If the default VLAN ID is not in the list of allowed VLAN IDs, the interface drops the packet.

    • When receiving a tagged packet:

      If the VLAN ID of the packet is in the list of allowed VLAN IDs, the interface accepts the packet.

      If the VLAN ID of the packet is not in the list of allowed VLAN IDs, the interface drops the packet.

    • When sending a packet:

      If the VLAN ID of the packet is in the list of allowed VLAN IDs, the interface sends the packet. Run the port hybrid untagged vlan command to configure the interface to remove tags of packets or run the port hybrid tagged vlan command to configure the interface to send tagged packets.

  4. Dot1q-tunnel
    [Quidway-GigabitEthernet1/0/1] port link-type dot1q-tunnel
    [Quidway-GigabitEthernet1/0/1] port default vlan 20

    The preceding configuration changes the link type of the interface to dot1q-tunnel. A dot1q-tunnel interface adds a VLAN tag to packets before forwarding them, regardless of the original VLAN IDs of the packets. Before sending a packet, a dot1q-tunnel interface removes the tag with the default VLAN ID from the packet.
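The receive and send rules for access, trunk, and hybrid interfaces can be modelled to check which VLANs a port configuration actually admits and which leave it untagged. The following is an added example, not Huawei code or part of the original FAQ: it encodes the rules listed above using the three sample configurations from this section. The Port type and function names are hypothetical, and dot1q-tunnel is left out of the model.

```python
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class Port:
    link_type: str
    pvid: int                  # default VLAN ID of the interface
    untagged: FrozenSet[int]   # VLANs sent without a tag
    tagged: FrozenSet[int]     # VLANs sent with a tag

    @property
    def allowed(self):
        return self.untagged | self.tagged


def access_port(default_vlan):
    # port link-type access / port default vlan N
    return Port("access", default_vlan, frozenset({default_vlan}), frozenset())


def trunk_port(pvid, allow_pass):
    # port trunk pvid vlan N / port trunk allow-pass vlan ...
    # Only the default VLAN, and only if it is allowed, is sent untagged.
    allow = frozenset(allow_pass)
    return Port("trunk", pvid, allow & {pvid}, allow - {pvid})


def hybrid_port(pvid, untagged, tagged):
    # port hybrid pvid vlan N / port hybrid untagged vlan ... / tagged vlan ...
    return Port("hybrid", pvid, frozenset(untagged), frozenset(tagged))


def ingress(port, tag):
    """Return the VLAN a received frame is accepted in, or None if dropped.

    tag is None for an untagged frame, which is tagged with the default VLAN ID.
    """
    vlan = port.pvid if tag is None else tag
    return vlan if vlan in port.allowed else None


def egress(port, vlan):
    """Return 'untagged' or 'tagged' for a frame sent in vlan, None if not sent."""
    if vlan not in port.allowed:
        return None
    return "untagged" if vlan in port.untagged else "tagged"


def forward(in_port, tag, out_port):
    """Carry one frame from in_port to out_port; None means it never leaves."""
    vlan = ingress(in_port, tag)
    if vlan is None:
        return None
    form = egress(out_port, vlan)
    return None if form is None else (vlan, form)


# The three sample configurations from this section.
ACCESS = access_port(10)
TRUNK = trunk_port(20, {2, 10, 20})
HYBRID = hybrid_port(10, untagged={2, 10}, tagged={20})

if __name__ == "__main__":
    for name, port in (("access", ACCESS), ("trunk", TRUNK), ("hybrid", HYBRID)):
        for tag in (None, 2, 10, 20, 30):
            print(f"{name:6} rx tag={tag!s:4} -> vlan {ingress(port, tag)}")
```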

1.9.2 Which VLAN Assignment Methods Do S Series Switches Support?

Table 1-9 lists the VLAN assignment methods supported by different switch models for different versions.

Table 1-9 VLAN assignment methods

| VLAN Assignment Method | V100R006C03 | V100R006C05 | V200R001/V200R002/V200R003 |
|---|---|---|---|
| Port-based VLAN assignment | Supported by all models | Supported by all models | Supported by all models |
| MAC address-based VLAN assignment | Not supported by the S2700SI and S2710SI-52P | Not supported by the S2700SI and S2710SI | Supported by all models |
| IP subnet-based VLAN assignment | Not supported by the S2700 and S2752 | Not supported by the S2700 | Supported by all models |
| Protocol-based VLAN assignment | Not supported by the S2700 and S2752 | Not supported by the S2700 | Supported by all models |
| Policy-based VLAN assignment | Not supported by the S3700, S2700, and S2752 | Not supported | Supported by all models |

1.9.3 The Link Type of an Interface Cannot Be Changed from Hybrid to Access. How Is This Problem Solved?

Before using the port link-type command to change the link type of an interface, restore the default configuration of the interface.

You can run the display this command in the interface view to view the interface configuration. Assume that the following configuration is used:

#
interface GigabitEthernet0/0/1
undo port hybrid vlan 1
port hybrid tagged vlan 10
#

Run the port hybrid untagged vlan 1 and undo port hybrid tagged vlan 10 commands to restore the default configuration of the interface. Then change the link type of the interface.

1.9.4 Why Is the VLAN Priority Configured on the S5700 Invalid?

Fault Symptom

The outbound interface of the switch joins a VLAN in untagged mode. When the remark 802.1p command is configured on the outbound interface, the configuration is invalid.

Cause Analysis

The configuration of the S5700 is as follows:

:
traffic classifier test
 if-match any
traffic behavior test
 remark 8021p 2
traffic policy test
 classifier test behavior test
:
interface GigabitEthernet1/0/1
  port link-type access
  port default vlan 10
  traffic-policy test outbound
:

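The outbound interface joins a VLAN in untagged mode, so VLAN tags are removed from packets sent by the interface. The 802.1p priority is carried in the VLAN tag, so the re-marked priority is removed together with the tag.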

Conclusion

To apply a traffic policy defining remark vlan to the outbound interface, ensure that the interface joins a VLAN in tagged mode.

1.10 Password

1.10.1 Which Default Passwords Are Used on S Series Switches?

On the S series switches of all versions:

  • When you log in to a switch through a console port, no default user name or password is provided. The system asks you to set the user name and password when you log in to the switch for the first time.
  • Before you log in to a switch through Telnet, create a Telnet account.

    You can set the Telnet login authentication method in the VTY. If the password authentication mode is configured, set a password in the VTY. If the AAA local authentication mode is configured, set the user name and password in the AAA view. If the remote AAA authentication mode is configured, set the user name and password on the AAA server.

For other default passwords, see Table 1-10.

NOTE:

By default, the console login password, BootROM password, and Telnet password are case-sensitive.

The S12700, S5720EI, and S5720HI use the BootLoad menu instead of the BootROM menu.

When you log in to a switch through the web system, your default user level is 0 (visit level).

Table 1-10 Default passwords used by S series switches

| Series | Type | Version | BootROM Password | Web User Name and Password |
| S7700 | N/A | V100R003-V100R006 | 9300 | admin/admin |
| | | V200R001&V200R002 | Admin@huawei.com (After the system software is upgraded, the default password may be changed to 9300.) | |
| | | V200R003 and later versions | | admin/admin@huawei.com (After the system software is upgraded, the default password may be changed to admin.) |
| S9700 | N/A | V200R001&V200R002 | Admin@huawei.com (After the system software is upgraded, the default password may be changed to 9300.) | admin/admin |
| | | V200R003 and later versions | | admin/admin@huawei.com (After the system software is upgraded, the default password may be changed to admin.) |
| S12700 | N/A | All versions | Admin@huawei.com | admin/admin@huawei.com |
| S1720 | N/A | All versions | Admin@huawei.com | admin/admin@huawei.com |
| S2700 | S2750EI/S2720EI | All versions | Admin@huawei.com | admin/admin@huawei.com |
| | S2710SI | V100R006C03 | Admin@huawei.com (After the system software is upgraded, the default password may be changed to huawei.) | admin/admin |
| | | V100R006C05 | | admin/admin@huawei.com (After the system software is upgraded, the default password may be changed to admin.) |
| | S2752EI/S2700EI/S2700SI | V100R005&V100R006(C00&C01) | huawei (If you forget the password, use the super password www.huawei.com to log in to the switch.) | admin/admin |
| | | V100R006C03 | Admin@huawei.com (After the system software is upgraded, the default password may be changed to huawei.) | |
| | | V100R006C05 | | admin/admin@huawei.com (After the system software is upgraded, the default password may be changed to admin.) |
| S3700 | S3700HI | V100R006 | huawei (If you forget the password, use the super password www.huawei.com to log in to the switch.) | admin/admin |
| | | V200R001 | Admin@huawei.com (After the system software is upgraded, the default password may be changed to huawei.) | |
| | S3700EI/S3700SI | V100R005&V100R006(C00&C01) | huawei (If you forget the password, use the super password www.huawei.com to log in to the switch.) | admin/admin |
| | | V100R006C03 | Admin@huawei.com (After the system software is upgraded, the default password may be changed to huawei.) | |
| | | V100R006C05 | | admin/admin@huawei.com (After the system software is upgraded, the default password may be changed to admin.) |
| S5700 | S5700LI/S5700S-LI/S5710EI | V200R001&V200R002 | Admin@huawei.com | admin/admin |
| | | V200R003 and later versions | | admin/admin@huawei.com (After the system software is upgraded, the default password may be changed to admin.) |
| | S5700EI/S5700SI | V100R005&V100R006 | huawei (If you forget the password, use the super password www.huawei.com to log in to the switch.) | admin/admin |
| | | V200R001&V200R002 | Admin@huawei.com (After the system software is upgraded, the default password may be changed to huawei.) | |
| | | V200R003 and later versions | | admin/admin@huawei.com (After the system software is upgraded, the default password may be changed to admin.) |
| | S5720HI/S5720EI/S5710HI | All versions | Admin@huawei.com | admin/admin@huawei.com |
| | S5710LI | All versions | Admin@huawei.com | admin/admin |
| | S5700HI | V100R006 | huawei (If you forget the password, use the super password www.huawei.com to log in to the switch.) | admin/admin |
| | | V200R001&V200R002 | Admin@huawei.com (After the system software is upgraded, the default password may be changed to huawei.) | |
| | | V200R003 and later versions | | admin/admin@huawei.com (After the system software is upgraded, the default password may be changed to admin.) |
| S6700EI | N/A | V100R006 | huawei (If you forget the password, use the super password www.huawei.com to log in to the switch.) | admin/admin |
| | | V200R001&V200R002 | Admin@huawei.com (After the system software is upgraded, the default password may be changed to huawei.) | |
| | | V200R003 and later versions | | admin/admin@huawei.com (After the system software is upgraded, the default password may be changed to admin.) |

1.10.2 How Can I Delete a Console Login Password?

Deleting the Console Login Password of a Fixed Switch Running V100R002/V100R003

  1. Restart the switch. When the BootROM menu is displayed, choose option 5 (Enter filesystem submenu) to display the file system submenu.
  2. In the file system submenu, choose option 4 (Rename file from flash) to rename the default configuration file vrpcfg.zip. For example, change the file name to vrptest.zip.
  3. Log in to the switch after the restart. The system now uses the factory settings.
  4. Decompress the vrptest file and name the decompressed file vrpcfg.bat.
    <Quidway> unzip vrptest vrpcfg.bat
  5. Run the execute command to invoke the original configuration and delete the console login password.
    <Quidway> system-view
    [Quidway] execute vrpcfg.bat
    [Quidway] user-interface console 0
    [Quidway-ui-console0] undo authentication-mode
    [Quidway-ui-console0] quit
    [Quidway] quit
  6. Save the configuration in the vrpcfg.zip file.
    <Quidway> save
    The current configuration will be written to the device. Continue? [Y/N]:y
    Info: Please input the file name(*.cfg,*.zip)[vrpcfg.zip]:
    Jun 25 2010 11:41:59 Quidway %%01CFM/4/SAVE(l): The user chose Y when deciding whether to save the configuration to the device.    vrpcfg.zip   //Enter the default configuration file name vrpcfg.zip.
  7. After the switch restarts, the console login password is deleted, and the original service configurations are retained.

Deleting the Console Login Password of a Fixed Switch Running V100R005/V200R001/V200R002/V200R003

During a startup process, a switch loads the BootROM program and the system software in sequence. When the following information is displayed, press Ctrl+B within 2 seconds to display the BootROM menu.

BIOS LOADING ...
Copyright (c) 2008-2010 HUAWEI TECH CO., LTD.
CX22EFFE (Ver124, Jun  9 2010, 17:41:46)

Press Ctrl+B to enter BOOTROM menu ... 0 
password:    //Enter the BootROM password. The default password is Admin@huawei.com.

After you enter the correct BootROM password, the following BootROM menu is displayed:

          BOOTROM  MENU

    1. Boot with default mode
    2. Enter serial submenu
    3. Enter startup submenu
    4. Enter ethernet submenu
    5. Enter filesystem submenu
    6. Modify BOOTROM password
    7. Clear password for console user
    8. Reboot
Enter your choice(1-8): 7
Note: Clear password for console user? Yes or No(Y/N): y    

Clear password for console user successfully. Choose "1" to boot, then set a new  password
Note: Do not choose "Reboot" or power off the device, otherwise this operation will not take effect 

Choose option 7 (Clear password for console user), and then choose option 1 (Boot with default mode). The console login password is then deleted.

NOTICE:

After clearing the console login password, choose option 1 (Boot with default mode) in the BootROM menu to restart the system. Do not choose option 8 (Reboot) or power off the switch, or else the configuration will be lost.

Deleting the Console Login Password of a Modular Switch Running V100R001/V100R002/V100R003

  1. Restart the switch. When the BootROM menu is displayed, press Ctrl+Z to display the hidden menu.
  2. Choose option 8 (Rename file in CFCard) to rename the default configuration file vrpcfg.zip. For example, change the file name to vrptest.zip.
  3. Log in to the switch after the restart. The system now uses the factory settings.
  4. Decompress the vrptest file and name the decompressed file vrpcfg.bat.
    <Quidway> unzip vrptest vrpcfg.bat
  5. Run the execute command to invoke the original configuration and delete the console login password.
    <Quidway> system-view
    [Quidway] execute vrpcfg.bat
    [Quidway] user-interface console 0
    [Quidway-ui-console0] undo authentication-mode
    [Quidway-ui-console0] quit
    [Quidway] quit
  6. Save the configuration in the vrpcfg.zip file.
    <Quidway> save
    The current configuration will be written to the device. Continue? [Y/N]:y
    Info: Please input the file name(*.cfg,*.zip)[vrpcfg.zip]:
    Jun 25 2010 11:41:59 Quidway %%01CFM/4/SAVE(l): The user chose Y when deciding whether to save the configuration to the device.    vrpcfg.zip   //Enter the default configuration file name vrpcfg.zip.
  7. After the switch restarts, the console login password is deleted, and the original service configurations are retained.

Deleting the Console Login Password of a Fixed Switch Running V100R006/V200R001/V200R002/V200R003

When you attempt to log in to a new switch through the console port for the first time, the system prompts you to enter the console login password. You can also run the set authentication password [ cipher password ] command in the console login user interface to set the console login password. If you forget the Telnet or console login password, clear the console login password in the BootROM menu as follows.

During the startup process, press Ctrl+B as prompted and enter the password to enter the BootROM menu. Choose option 8 in the BootROM menu to clear the console login password.

            MAIN  MENU

    1. Boot with default mode
    2. Boot from Flash
    3. Boot from CFCard
    4. Enter serial submenu
    5. Enter ethernet submenu
    6. Modify Flash description area
    7. Modify BootROM password
    8. Clear password for console user
    9. Reboot

Enter your choice(1-9):8
Note: Clear password for console user? Yes or No(Y/N): y    

Clear password for console user successfully. Choose "1" to boot, then set a new  password
Note: Do not choose "Reboot" or power off the device, otherwise this operation will not take effect 

NOTICE:

After clearing the console login password, choose option 1 (Boot with default mode) in the BootROM menu to restart the system. Do not choose option 9 (Reboot) or power off the switch, or else the configuration will be lost.

1.11 Eth-Trunk

1.11.1 What Is Eth-Trunk?

Link aggregation technology bundles multiple physical links into a logical link to increase link bandwidth. For the protocol standards, see IEEE 802.3ad.

As networks grow, users require higher bandwidth and reliability on backbone links. The traditional way to increase bandwidth is to use high-speed interface cards or devices that support them. This method, however, is costly and inflexible.

Link aggregation technology bundles multiple physical interfaces into a logical interface to increase the bandwidth without upgrading the hardware. In addition, link aggregation uses the link backup mechanism to improve reliability of links between devices.

Link aggregation has the following advantages:

  • Increasing Bandwidth

    The maximum bandwidth of a link aggregation interface is the total bandwidth of member interfaces.

  • Improving Reliability

    When an active link fails, traffic on the link is switched to another member link, ensuring high reliability of the link aggregation interface.

  • Load Balancing

    In a link aggregation group, traffic is load balanced among active member links.

1.11.2 What Are the Types of Eth-Trunk Load Balancing?

There are two types of load balancing: flow-based load balancing and packet-based load balancing. Switches support only flow-based load balancing. You can run the load-balance command to configure an appropriate Eth-Trunk load balancing mode. This configuration ensures that outgoing traffic is properly load balanced among physical links, preventing congestion on these links.

You can set the load balancing mode based on the network condition. When a parameter in traffic changes frequently, you can set the load balancing mode based on this parameter to ensure that the traffic is load balanced evenly.

For known unicast packets, the switch supports the following load balancing modes:

  • dst-ip mode

    The system obtains the specified three bits from each of the destination IP address and destination TCP or UDP port number to perform the Exclusive-OR calculation, and selects the outbound interface from the Eth-Trunk table based on the result of the calculation.

  • src-ip mode

    The system obtains the specified three bits from each of the source IP address and source TCP or UDP port number to perform the Exclusive-OR calculation, and selects the outbound interface from the Eth-Trunk table based on the result of the calculation.

  • src-dst-ip mode

    The system uses the calculation results of the dst-ip and src-ip modes to perform the Exclusive-OR calculation, and selects the outbound interface from the Eth-Trunk table based on the result of the calculation.

  • dst-mac mode

    The system obtains the specified three bits from each of the destination MAC address, VLAN ID, Ethernet type, and inbound interface information to perform the Exclusive-OR calculation, and selects the outbound interface from the Eth-Trunk table based on the result of the calculation.

  • src-mac mode

    The system obtains the specified three bits from each of the source MAC address, VLAN ID, Ethernet type, and inbound interface information to perform the Exclusive-OR calculation, and selects the outbound interface from the Eth-Trunk table based on the result of the calculation.

  • src-dst-mac mode

    The system obtains the specified three bits from each of the source MAC address, destination MAC address, VLAN ID, Ethernet type, and inbound interface information to perform the Exclusive-OR calculation, and selects the outbound interface from the Eth-Trunk table based on the result of the calculation.

  • Enhanced mode

    The system uses an enhanced load balancing profile to select outbound interfaces for different packets.

NOTE:

Modular switches: All cards, excluding the SA series cards, support enhanced load balancing mode.

Fixed switches:

V200R001C01: Only the S5700HI supports enhanced load balancing mode.

V200R002: Only the S5710EI and S5700HI support enhanced load balancing mode.

V200R003: Only the S5710EI, S5700HI, and S5710HI support enhanced load balancing mode.
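
The effect of the mode choice described above can be seen in a small model. This Python sketch is an added example, not Huawei's implementation: it assumes the "specified three bits" are the low-order three bits of each field and that the XOR result indexes the member table modulo its size; the member names and traffic are constructed.

```python
import ipaddress
from collections import Counter

# Hypothetical Eth-Trunk member table (names are illustrative only).
MEMBERS = ["GE1/0/1", "GE1/0/2", "GE1/0/3", "GE1/0/4"]


def three_bits(value):
    # Assumption: the "specified three bits" are the low-order three bits.
    return value & 0b111


def side_hash(ip, port):
    # XOR of three bits of the IP address with three bits of the TCP/UDP port.
    return three_bits(int(ipaddress.ip_address(ip))) ^ three_bits(port)


def select_member(mode, flow, members=MEMBERS):
    """Pick the outbound member for one flow in src-ip, dst-ip or src-dst-ip mode."""
    src = side_hash(flow["src_ip"], flow["src_port"])
    dst = side_hash(flow["dst_ip"], flow["dst_port"])
    if mode == "src-ip":
        result = src
    elif mode == "dst-ip":
        result = dst
    elif mode == "src-dst-ip":
        # Per the page: XOR of the src-ip and dst-ip calculation results.
        result = src ^ dst
    else:
        raise ValueError(f"unsupported mode in this model: {mode}")
    # Assumption: the result selects a table entry modulo the member count.
    return members[result % len(members)]


def distribution(mode, flows, members=MEMBERS):
    """Count how many flows each member carries under the given mode."""
    counts = Counter({member: 0 for member in members})
    for flow in flows:
        counts[select_member(mode, flow, members)] += 1
    return dict(counts)


# Constructed traffic: 64 clients (10.1.1.1 to 10.1.1.64) talking to one
# server. Every client uses source port 50000 so the result is easy to
# check by hand.
FLOWS = [
    {"src_ip": f"10.1.1.{i}", "src_port": 50000,
     "dst_ip": "192.0.2.10", "dst_port": 443}
    for i in range(1, 65)
]

if __name__ == "__main__":
    for mode in ("dst-ip", "src-ip", "src-dst-ip"):
        print(f"{mode:11s} {distribution(mode, FLOWS)}")
```

In this model, dst-ip mode places all 64 flows on one member because the destination never changes, while src-ip and src-dst-ip spread them evenly, which is why the mode should follow the parameter that varies in the traffic.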

By default, unknown unicast packets are load balanced based on the source and destination MAC addresses. To configure the load balancing mode for unknown unicast packets, run the unknown-unicast load-balance { dmac | smac | smacxordmac | enhanced } command in the system view.

[Quidway]unknown-unicast load-balance ?
  dmac         Destination MAC hash arithmetic
  enhanced     Enhanced hash arithmetic
  smac         Source MAC hash arithmetic
  smacxordmac  According to MAC hash arithmetic

1.11.3 What Are the Types of Eth-Trunks?

Eth-Trunks are classified into Eth-Trunks in manual load balancing mode and Eth-Trunks in Link Aggregation Control Protocol (LACP) mode. In both modes, you must manually create an Eth-Trunk and add member interfaces to it.

  • Eth-Trunk in manual load balancing mode

    The manual load balancing mode is the basic link aggregation mode. In this mode, you must specify the active member interfaces, and LACP is not required. All active member interfaces forward data and load balance traffic evenly. If an active link fails, the remaining active links load balance the traffic evenly.

  • Eth-Trunk in LACP mode

    LACP mode differs from manual load balancing mode in that active member interfaces are selected by sending LACP data units (LACPDUs). When a group of interfaces is added to an Eth-Trunk, the devices at both ends determine active interfaces and inactive interfaces by sending LACPDUs to each other.

    The LACP mode is also called M:N mode. It implements both load balancing and link backup. M active links in the link aggregation group forward data and load balance traffic, while the N links, which are inactive, are standby links and do not forward data. If an active link fails, the system selects the link with the highest priority from the N inactive links. The inactive link becomes active and starts to forward data.

1.11.4 How Long Is the LACP Timeout Period?

IEEE 802.3ad defines two intervals for sending LACPDUs: 1 second and 30 seconds.

To set the LACP timeout period, run the lacp timeout { fast | slow } command. After the command is used, the local end sends LACPDUs to inform the remote end of the timeout period.

  • If the fast keyword is specified, the interval is 1 second.
  • If the slow keyword is specified, the interval is 30 seconds.

The LACP timeout period is three times the interval for sending LACPDUs:

  • When the fast keyword is specified, the LACP timeout period is 3 seconds.
  • When the slow keyword is specified, the LACP timeout period is 90 seconds.

You can set different timeout periods on the two ends. To facilitate maintenance, you are advised to set the same LACP timeout period on the two ends.

1.11.5 How Do I Check Interface Negotiation Information When the Eth-Trunk Is Working in LACP Mode?

Run the display eth-trunk command to check the negotiation information of the Eth-Trunk.

<Quidway> display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1                   WorkingMode: STATIC                      
Preempt Delay: Disabled     Hash arithmetic: According to SA-XOR-DA  
System Priority: 32768      System ID: 4c1f-cc45-a8f8                
Least Active-linknumber: 1  Max Active-linknumber: 8                 
Operate status: up          Number Of Up Port In Trunk: 2            
--------------------------------------------------------------------------------------------------------
ActorPortName         Status   PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet1/0/1  Selected 1GE      32768   513    561     10111100  1     
GigabitEthernet1/0/2  Selected 1GE      32768   514    561     10111100  1    
Partner:
------------------------------------------------------------------------------------------------------------
ActorPortName         SysPri    SystemID        PortPri PortNo  PortKey   PortState
GigabitEthernet1/0/1  32768     5489-98f5-a433  32768   1025    561       10111100
GigabitEthernet1/0/2  32768     5489-98f5-a433  32768   1026    561       10111100

Local device information is displayed in the Local section, and peer device information is displayed in the Partner section (the interface name is displayed as the corresponding local interface name). The PortState field consists of the following bits:

LACP_Activity: has a fixed value of 1 (this interface remains in active state), indicating that the interface can send LACPDUs as long as it joins the Eth-Trunk and goes Up.

LACP_TimeOut: indicates the timeout interval of the LACPDUs. It is set to 1 for fast and 0 for slow. You can determine the timeout interval of LACPDUs on both ends based on the value of this bit.

Aggregation: indicates whether the local interface can be aggregated with other member interfaces in an Eth-Trunk. This bit is set to 1 for switch interfaces that have joined the Eth-Trunk and are in Up state, and is set to 0 for interfaces that are in Down state.

Synchronization: synchronization flag. Interfaces that can enter the Selected state are determined based on the interface rate, duplex mode, and packet exchange. This bit is set to 1 for interfaces in Selected state and to 0 for other interfaces.

Collecting and Distributing: Both bits are set to 1 only when the local end and remote end negotiate successfully.

Defaulted: This bit is set to 1 when the interface is added to the Eth-Trunk and starts negotiation, and is set to 0 when the negotiation is successful.

Expired: indicates the timeout bit. This bit is set to 1 if LACPDUs are not received within the timeout interval. This bit is set to 0 if negotiation is successful.

The PortState field should contain 11111100 or 10111100 if negotiation is successful.
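
The bit meanings above can be checked mechanically. This Python sketch is an added example, not part of the original FAQ or of Huawei's tooling: it decodes each PortState string from display eth-trunk output and reports ports that have not negotiated or whose two ends use different timeouts. It assumes the string shows the bits left to right in the order listed above (consistent with the success values 11111100 and 10111100); the sample output is constructed.

```python
import re

# Flag names in the order the page lists them (assumed left-to-right order).
FLAGS = ("activity", "timeout_fast", "aggregation", "synchronization",
         "collecting", "distributing", "defaulted", "expired")

# PortState values the page gives for a successful negotiation.
NEGOTIATED = {"11111100", "10111100"}

# A member row: interface name first, PortState is the only 8-digit 0/1 token.
ROW = re.compile(r"^(\S+)\s.*?\b([01]{8})\b")

# Constructed sample in the layout of the page's display eth-trunk output.
SAMPLE = """\
Local:
LAG ID: 1                   WorkingMode: STATIC
ActorPortName         Status   PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet1/0/1  Selected 1GE      32768   513    561     10111100  1
GigabitEthernet1/0/2  Unselect 1GE      32768   514    561     10100010  1
GigabitEthernet1/0/3  Selected 1GE      32768   515    561     11111100  1
Partner:
ActorPortName         SysPri    SystemID        PortPri PortNo  PortKey   PortState
GigabitEthernet1/0/1  32768     5489-98f5-a433  32768   1025    561       10111100
GigabitEthernet1/0/2  0         0000-0000-0000  0       0       0         00000000
GigabitEthernet1/0/3  32768     5489-98f5-a433  32768   1027    561       10111100
"""


def decode_port_state(bits):
    """Map an 8-character PortState string to named boolean flags."""
    if not re.fullmatch(r"[01]{8}", bits):
        raise ValueError(f"not an 8-bit PortState string: {bits!r}")
    return {name: ch == "1" for name, ch in zip(FLAGS, bits)}


def parse_eth_trunk(text):
    """Return {'Local': {port: bits}, 'Partner': {port: bits}}."""
    sections = {"Local": {}, "Partner": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Local:", "Partner:"):
            current = line[:-1]
            continue
        match = ROW.match(line)
        if current and match:
            sections[current][match.group(1)] = match.group(2)
    return sections


def review(text):
    """Return {port: [notes]}; an empty list means both ends look healthy."""
    parsed = parse_eth_trunk(text)
    findings = {}
    for port, local_bits in parsed["Local"].items():
        notes = []
        local = decode_port_state(local_bits)
        if local_bits not in NEGOTIATED:
            if local["expired"]:
                notes.append("local: no LACPDU received within the timeout (Expired=1)")
            if local["defaulted"]:
                notes.append("local: negotiation not completed (Defaulted=1)")
            if not local["synchronization"]:
                notes.append("local: interface is not Selected (Synchronization=0)")
        partner_bits = parsed["Partner"].get(port)
        if partner_bits is None:
            notes.append("partner: no row for this interface")
        else:
            partner = decode_port_state(partner_bits)
            if partner_bits not in NEGOTIATED:
                notes.append(f"partner: PortState {partner_bits} is not a negotiated value")
            if local["timeout_fast"] != partner["timeout_fast"]:
                notes.append("timeout differs: one end is fast, the other slow")
        findings[port] = notes
    return findings


if __name__ == "__main__":
    for port, notes in review(SAMPLE).items():
        print(port, "OK" if not notes else "; ".join(notes))
```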

1.11.6 Which Measures Can Be Taken to Fix an Eth-Trunk Unidirectional Communication Fault?

To rectify a unidirectional communication fault of an Eth-Trunk, use the following features:

  • EFM: tests link connectivity continuously. When a unidirectional communication fault occurs, the two ends of the Eth-Trunk can keep their status consistent.
  • LACP: the two ends of the Eth-Trunk keep their status consistent by exchanging LACPDUs. When a unidirectional communication fault occurs, LACP detects the fault promptly and transfers the selected status to the other end, which resolves the traffic loss problem.

NOTE:

In V100R005 and later versions, DLDP can monitor the link status of optical fibers or copper twisted-pair cables. If DLDP detects a unidirectional link, it automatically shuts down the port on the unidirectional link or requests users to manually shut down the port, to prevent interruption of traffic forwarding.

1.12 How Do I Restore the Factory Settings on the CLI?

To restore the factory settings, perform the following operations on the Command-Line Interface (CLI):

<Quidway> reset saved-configuration  //Clear current configurations.
Warning: The action will delete the saved configuration in the device.
The configuration will be erased to reconfigure. Continue? [Y/N]:y
Warning: Now clearing the configuration in the device.
Info: Succeeded in clearing the configuration in the device.
<Quidway> reboot                    //Restart the switch.
Info: The system is now comparing the configuration, please wait.
Warning: The configuration has been modified, and it will be saved to the next startup saved-configuration file . Continue? [Y/N]:N     //Select N to ignore configuration saving.
Info: If want to reboot with saving diagnostic information, input 'N' and then execute 'reboot save diagnostic-information'.
System will reboot! Continue?[Y/N]:y            //Select Y to restart the switch.

After the switch restarts, the factory settings are restored. You can configure the switch based on new service requirements.

NOTE:

If you configure a new switch or a restarted switch without any configuration, enter Y twice according to the command output displayed on the CLI to save the new configuration. The command output displayed on the CLI is as follows:

<Quidway> save
The current configuration will be written to the device.
Are you sure to continue?[Y/N]y
Info: Please input the file name ( *.cfg, *.zip ) [vrpcfg.zip]:
flash:/vrpcfg.zip exists, overwrite?[Y/N]:y 
Now saving the current configuration to the slot 0.
Save the configuration successfully.

1.13 Using the display elabel Command to Obtain the Serial Number

1.13.1 How Do I Obtain the Serial Number of a Fixed Switch?

Log in to the switch through Telnet or the console interface, and then run the display elabel slot slot-id command (slot-id specifies the slot ID of the switch) in the user view to display the electronic label information. In the command output, the BarCode field shows the serial number of the switch.

<Quidway> display elabel slot 0
/$[System Integration Version]  
/$SystemIntegrationVersion=3.0   
      
      
[Slot_0]      
/$[Board Integration Version]  
/$BoardIntegrationVersion=3.0  
    
    
[Main_Board]    
      
/$[ArchivesInfo Version]      
/$ArchivesInfoVersion=3.0       
                 
           
[Board Properties]   
BoardType=CX22EFGEA      
BarCode=2102351820109C000451 
Item=02351820 
……………

1.13.2 How Do I Obtain the Serial Number of a Modular Switch?

Obtaining the Chassis Serial Number

  • In a standalone switch:

    Log in to the switch through Telnet or the console interface, and then run the display elabel backplane command in the user view to display the electronic label information. The BarCode field in the command output shows the chassis serial number.

    <Quidway> display elabel backplane
    Info: It is executing, please wait...
    
    [BackPlane_1]
    /$[ArchivesInfo Version]
    /$ArchivesInfoVersion=3.0
    
    [Board Properties]
    BoardType=EH02BAKK
    BarCode=2102113089P0BB000881
    Item=02113089
    ……………
  • In a cluster:

    Log in to the master switch through Telnet or the console interface, and then run the display elabel backplane chassis chassis-id command (chassis-id specifies the CSS ID of a member chassis) in the user view to display the electronic label information. The BarCode field in the command output shows the serial number of the specified chassis.

    <Quidway> display elabel backplane chassis ?
      INTEGER<1-2>  Chassis ID                                                     
     
    <Quidway> display elabel backplane chassis 2
    Info: It is executing, please wait...                                           
                                                                                    
    [BackPlane_2]                                                                  
    /$[ArchivesInfo Version]
    /$ArchivesInfoVersion=3.0
    
    [Board Properties]                                                              
    BoardType=EH02BAKK
    BarCode=2102113089P0BB000881                                                       
    Item=02113549                                                                   
    ……………
    NOTE:

    The command syntax may differ in different software versions. To obtain help information about the command, enter a question mark (?) and set the chassis ID according to the help information.

Obtaining the Serial Number of a Card

Log in to the master switch through Telnet or the console interface, and then run the display elabel command in the user view and specify a slot ID according to help information to display the electronic label of a card. The BarCode field in the command output shows the serial number of the card.

<Quidway> display elabel ?
  <1-1>      The present chassis                                                
  backplane  Backplane                                                          
  brief      Display information briefly                                        
<Quidway> display elabel 1/?
  <4,6-8>                              <CMU1>
  <FAN1-FAN2>                          <PWR1-PWR2>
<Quidway> display elabel 1/6 brief
Info: It is executing, please wait...                                           
                                                                                
                                                                                
[Slot_6]                                                                       
/$[Board Integration Version]                                                   
/$BoardIntegrationVersion=3.0                                                   
                                                                                
                                                                                
[Main_Board]                                                                    
/$[ArchivesInfo Version]                                                        
/$ArchivesInfoVersion=3.0                                                       
                                                                                
                                                                                
[Board Properties]                                                              
BoardType=ET1D2S08SX1E
BarCode=020LVF6TBB000043                                                 
Item=03020LVF                                                                    
……………
NOTE:

The command syntax may differ in different software versions. To obtain help information about the command, enter a question mark (?) and set the slot ID according to the help information.

Obtaining the Serial Number of a Power Module

Log in to the master switch through Telnet or the console interface, and then run the display elabel command in the user view and specify a slot ID according to help information to display the electronic label of a power module. The BarCode field in the command output shows the serial number of the power module.

<Quidway> display elabel ?
  <1-1>      The present chassis                                                
  backplane  Backplane                                                          
  brief      Display information briefly                                        
<Quidway> display elabel 1/?
  <5,8,13,16>                             <CMU1>
  <FAN1-FAN5>                             <PWR1-PWR4>
<Quidway> display elabel 1/PWR1
Info: It is executing, please wait...                                           
                                                                                
[Slot_21]                                                                       
/$[Board Integration Version]                                                   
/$BoardIntegrationVersion=3.0                                                   
                                                                                
                                                                                
[Main_Board]                                                                    
DATE=13_02_08                                                                   
SN=A664A0212080086V0.9A
NOTE:

The command syntax may differ in different software versions. To obtain help information about the command, enter a question mark (?) and set the slot ID according to the help information.

Obtaining the Serial Number of a Fan Module

Log in to the master switch through Telnet or the console interface, and then run the display elabel command in the user view and specify a slot ID according to help information to display the electronic label of a fan module. The BarCode field in the command output shows the serial number of the fan module.

<Quidway> display elabel ?
  <1-1>      The present chassis                                                
  backplane  Backplane                                                          
  brief      Display information briefly                                        
<Quidway> display elabel 1/?
  <5,8,13,16>                             <CMU1>
  <FAN1-FAN5>                             <PWR1-PWR4>
<Quidway> display elabel 1/FAN2
Info: It is executing, please wait...                                           
                                                                                
[Slot_18]                                                                       
/$[Board Integration Version]                                                   
/$BoardIntegrationVersion=3.0                                                   
                                                                                
                                                                                
[Main_Board]                                                                    
/$[ArchivesInfo Version]                                                        
/$ArchivesInfoVersion=3.0                                                       
                                                                                
                                                                                
[Board Properties]                                                              
BoardType=LE02FCMC                                                              
BarCode=2103010JTF0123456789                                             
Item=02120995                                                                   
……………
NOTE:

The command syntax may differ in different software versions. To obtain help information about the command, enter a question mark (?) and set the slot ID according to the help information.

1.14 Software and Hardware Requirements for Stacks

A stack can be set up through stack cards or service ports. If switches run software versions that are incompatible with one another, they cannot set up a stack. Therefore, you are advised to upgrade the software of member switches to the same version before setting up a stack.

1.14.1 What Are the Software and Hardware Requirements for Stack Card Stacking?

The stack card ES5D00ETPC00 and PCIe cable are used for stack card stacking. Table 1-11 lists the devices that support stack card stacking and describes their software and hardware requirements.

Table 1-11 Software and hardware requirements for stack card stacking

| Series | Maximum Number of Member Devices | Number of Ports That Support Stack | Stack Cable | Remarks |
|---|---|---|---|---|
| S5700-SI | 9 | Two ports on a stack card | 1 m PCIe cable; 3 m PCIe cable (supported in V200R003 and later versions) | Any models of the S5700-SI series can set up a stack. NOTE: The S5700-26X-SI-12S-AC does not support the stacking function. |
| S5710-LI | 9 | Two ports on a stack card | 1 m PCIe cable | Any models of the S5710-LI series can set up a stack. |
| S5700-EI | 9 | Two ports on a stack card | 1 m PCIe cable; 3 m PCIe cable (supported in V200R002 and later versions. In V200R002, only S5700-52C-EI and S5700-28C-EI-24S support the 3 m PCIe cable. In V200R003 and later versions, all the S5700-EI series support the 3 m PCIe cable.) | Any models of the S5700-EI series can set up a stack. |

1.14.2 What Are the Software and Hardware Requirements for Service Port Stacking?

Table 1-12 lists the devices that support service port stacking and describes their software and hardware requirements.

Table 1-12 Software and hardware requirements for service port stacking

| Series | Maximum Number of Members | Ports Supporting Stack | Stack Cable | Remarks |
|---|---|---|---|---|
| S2700-52P | 8 | Two GE SFP optical ports (ID: 49/50) | 1.5 m SFP cable | - |
| S2710-52P | 8 | Two GE SFP optical ports (ID: 49/50) | 1.5 m SFP cable | - |
| S3700-28TP | 9 | Two GE SFP optical ports (ID: 25/26) | 1.5 m SFP cable | - |
| S3700-52P | 8 | Two GE SFP optical ports (ID: 49/50) | 1.5 m SFP cable | - |
| S2750 (V200R003 and later versions) | 9 | Two SFP optical ports (not combo ports). NOTE: On an S2750 switch, only the third and fourth service ports counted from the right can be configured as physical member ports of a stack port. | 1 m passive SFP+ cable; 10 m active SFP+ cable; 3 m, 10 m AOC cable; 6GE stack optical module (SFP-6GE-LR) and optical fiber | Any models of the S2750 series can set up a stack. |
| S5700-P-LI (with GE uplink ports) | 9 | V200R001: last two SFP ports. V200R002 and later versions: last four SFP ports. | 1 m passive SFP+ cable; 10 m active SFP+ cable; 3 m, 10 m AOC cables (applicable in V200R003C00 and later versions) | V200R001: A switch supports at most two logical stack ports, and each logical stack port can have only one physical member port. Each switch can use a maximum of two service ports as physical member ports. V200R002 and later versions: A switch supports at most two logical stack ports, and each logical stack port can have at most two physical member ports. Each switch can use a maximum of four service ports as physical member ports. When two physical member ports are included in a logical stack port, either stack ports 1 and 2 or stack ports 3 and 4 can be included. Any models of the S5700-P-LI series can set up a stack, but S5700-P-LI models cannot set up a stack with S5700-TP-LI or S5700-X-LI models. NOTE: S5700-10P-LI-AC, S5700-28P-LI-BAT, S5700-28P-LI-24S-BAT, and S5700-10P-PWR-LI-AC do not support stacking. |
| S5700-TP-LI (with GE uplink ports) | 9 | Two SFP optical ports (not combo ports) | 1 m passive SFP+ cable; 10 m active SFP+ cable; 3 m, 10 m AOC cable | A switch supports at most two logical stack ports, and each logical stack port can have at most two physical member ports. Each switch can use a maximum of two service ports as physical member ports. Any models of the S5700-TP-LI series can set up a stack, but S5700-TP-LI models cannot set up a stack with S5700-P-LI or S5700-X-LI models. |
| S5700-X-LI (with 10GE uplink ports) | 9 | Four SFP+ optical ports | 1 m passive SFP+ cable; 3 m passive SFP+ cable; 10 m active SFP+ cable; 3 m, 10 m AOC cables (applicable in V200R003C00 and later versions); 10GE SFP+ optical module and optical fiber | A switch supports at most two logical stack ports, and each logical stack port can have at most two physical member ports. Each switch can use a maximum of four service ports as physical member ports. Any models of the S5700-X-LI series can set up a stack, but S5700-P-LI models cannot set up a stack with S5700-X-LI models. NOTE: Four SFP+ optical ports can be used as stack ports. When two physical member ports are included in a logical stack port, either stack ports 1 and 2 or stack ports 3 and 4 can be included. |
| S5710-EI | 9 | Any 10GE ports, including the four fixed 10GE SFP+ optical ports on the front panel and ports on the ES5D21X02S00 rear card (A switch supports a maximum of two rear cards, and each card provides two 10GE SFP+ optical ports.) NOTE: Each logical stack port can have a maximum of four physical member ports. Ports on different rear cards can be added to the same logical stack port, but ports on a rear card and fixed ports on the front panel cannot be added to the same logical stack port. | 1 m passive SFP+ cable; 3 m passive SFP+ cable; 10 m active SFP+ cable; 3 m, 10 m AOC cables (applicable in V200R003C00 and later versions); 10GE SFP+ optical module and optical fiber | V200R001: A switch supports at most two logical stack ports, and each logical stack port can have at most three physical member ports. Each switch can use a maximum of four service ports as physical member ports. All physical member ports in a stack port must reside on either the front panel or a rear subcard. V200R002 and later versions: A switch supports at most two logical stack ports, and each logical stack port can have at most four physical member ports. Each switch can use a maximum of eight service ports as physical member ports. Any models of the S5710-EI series can set up a stack. |
| S5700-HI | 9 | 10GE ports on front subcards: The S5700-HI supports ES5D00X2SA00 and ES5D00X4SA00 front subcards, which provide two and four 10GE SFP+ optical ports respectively. NOTE: After a front subcard is replaced, the stack becomes invalid and needs to be reconfigured. | 1 m passive SFP+ cable; 3 m passive SFP+ cable; 10 m active SFP+ cable; 3 m, 10 m AOC cable; 10GE SFP+ optical module and optical fiber | Any models of the S5700-HI series can set up a stack. NOTE: The versions earlier than V200R003C00 do not support the stacking function. |
| S6700 | 9 | All 10GE ports on the switch. NOTE: A maximum of eight service ports can be used as physical member ports. Four ports with contiguous IDs must be configured together, and the last ID of the service ports must be a multiple of 4. For example, ports 1 to 4, or 5 to 8 can be configured as physical member ports together, but ports 2 to 5 cannot. | 1 m passive SFP+ cable; 3 m passive SFP+ cable; 10 m passive SFP+ cable; 10 m active SFP+ cable (supported in V200R001 and later versions); 3 m, 10 m AOC cables (applicable in V200R003C00 and later versions); 10GE SFP+ optical module and optical fiber | Any models of the S6700 series can set up a stack. The ports cannot be used as stack ports when they work as GE ports. |
| S5710-HI | Stacking incapable | | | |
| S5700S-LI | Stacking incapable | | | |

1.15 CSS Software and Hardware Requirements

Member switches can set up a cluster switch system (CSS) through CSS cards or service ports.

1.15.1 What Are the Software and Hardware Requirements for CSS Card Clustering?

Table 1-13 lists the devices that support CSS card clustering and describes software and hardware requirements for these devices.

Table 1-13 Software and hardware requirements for CSS card clustering

| Device Model | S9706, S9712 | S7706, S7712 |
|---|---|---|
| Software Version | V200R003C00 and later versions | V200R001C00 and later versions |
| License Required | No | No |
| CSS Card Model | EH1D2VS08000 | ES02VSTSA |
| CSS Card Slot | EH1D2SRUC000 subcard slot | ES0D00SRUA00 subcard slot; ES0D00SRUB00 subcard slot |
| Hot Swapping | CSS card: not hot swappable. MPU: hot swappable. Before removing the active EH1D2SRUC000 card, run the slave switchover command to perform an active/standby switchover. | CSS card: not hot swappable. MPU: hot swappable. Before removing the active ES0D00SRUA00 or ES0D00SRUB00 card, run the slave switchover command to perform an active/standby switchover. |
| Hardware Configuration | Only two S9706s, one S9706 and one S9712, or two S9712s can set up a CSS. Switches to set up a CSS must have both active and standby MPUs installed. | Only two S7706s, one S7706 and one S7712, or two S7712s can set up a CSS. Switches to set up a CSS must have both active and standby SRUs installed. The SRUs can be of different models. |
| Pluggable Modules for Ports on CSS Cards | Copper cable: 1 m SFP+ high-speed cable; 3 m SFP+ high-speed cable; 10 m SFP+ active high-speed cable. Optical module and fiber: 10G SFP+ optical module. The required optical fiber depends on the optical module used. The maximum transmission distance is 80 km. Active optical cable: SFP-10G-A0C3M; SFP-10G-A0C10M. | Copper cable: 3 m QSFP+ high-speed cable; 10 m QSFP+ high-speed cable. Optical module and fiber: 40G QSFP+ optical module. The required optical fiber depends on the optical module used. When OM3 optical fibers are used, the maximum transmission distance is 100 m. When OM4 optical fibers are used, the maximum transmission distance is 150 m. Active optical cable: Not supported. |

1.15.2 What Are the Software and Hardware Requirements for Service Port Clustering?

Table 1-14 lists the devices that support service port clustering and describes software and hardware requirements for these devices.

Table 1-14 Software and hardware requirements for service port clustering

| Device Model | S9706, S9712 | S7706, S7712 |
|---|---|---|
| LPU Model | EH1D2X08SED4; EH1D2X08SED5; EH1D2X12SSA0; EH1D2X16SFC0; EH1D2X40SFC0; EH1D2L02QFC0; EH1D2L08QFC0 | ES1D2X08SED4; ES1D2X08SED5; ES0D0X12SA00; ES1D2X16SFC0; ES1D2X40SFC0; ES1D2L02QFC0 |
| Pluggable Modules on Service Ports | Copper cable: 1 m SFP+ high-speed cable; 3 m SFP+ high-speed cable; 10 m SFP+ active high-speed cable. NOTE: The EH1D2X12SSA0 does not support the 3 m SFP+ high-speed cable. Optical module and fiber: 10G SFP+ optical module. The required optical fiber depends on the optical module used. The maximum transmission distance is 80 km. Active optical cable: SFP-10G-A0C3M; SFP-10G-A0C10M. Copper cable: 1 m QSFP+ high-speed cable; 3 m QSFP+ high-speed cable; 5 m QSFP+ high-speed cable. Optical module and fiber: 40G QSFP+ optical module. The required optical fiber depends on the optical module used. The maximum transmission distance is 10 km. Active optical cable: Not supported. | Copper cable: 1 m SFP+ high-speed cable; 3 m SFP+ high-speed cable; 10 m SFP+ active high-speed cable. NOTE: The ES0D0X12SA00 does not support the 3 m SFP+ high-speed cable. Optical module and fiber: 10G SFP+ optical module. The required optical fiber depends on the optical module used. The maximum transmission distance is 80 km. Active optical cable: SFP-10G-A0C3M; SFP-10G-A0C10M. Copper cable: 1 m QSFP+ high-speed cable; 3 m QSFP+ high-speed cable; 5 m QSFP+ high-speed cable. Optical module and fiber: 40G QSFP+ optical module. The required optical fiber depends on the optical module used. The maximum transmission distance is 10 km. Active optical cable: Not supported. |
| Constraints | On the EH1D2X08SED4 and EH1D2X08SED5, at most four ports can be configured as CSS physical member ports. The four physical member ports must be the first four ports (numbered 0 to 3) or the last four ports (numbered 4 to 7) on the LPUs. On an EH1D2X16SFC0 or EH1D2X40SFC0, a group of four contiguous ports must be configured as CSS physical member ports. The start port number must be 4*N and the end port number must be 4*N+3 (N = 0, 1, 2...). For example, service ports 0 to 3 or 4 to 7 can be configured as contiguous CSS physical member ports, but service ports 2 to 5 cannot be configured together. When any service port in a group is configured as a CSS physical member port, the other three service ports in the group must also be configured as CSS physical member ports. The EH1D2X40SFC0 allows a maximum of 32 member ports in a logical CSS port. The interconnected CSS physical member ports on the two member switches must both be 40GE ports. 10GE ports derived from a 40GE port cannot be added to a logical CSS port. | On the ES1D2X08SED4 and ES1D2X08SED5, at most four ports can be configured as CSS physical member ports. The four physical member ports must be the first four ports (numbered 0 to 3) or the last four ports (numbered 4 to 7) on the LPUs. On an ES1D2X16SFC0 or ES1D2X40SFC0, a group of four contiguous ports must be configured as CSS physical member ports. The start port number must be 4*N and the end port number must be 4*N+3 (N = 0, 1, 2...). For example, service ports 0 to 3 or 4 to 7 can be configured as contiguous CSS physical member ports, but service ports 2 to 5 cannot be configured together. When any service port in a group is configured as a CSS physical member port, the other three service ports in the group must also be configured as CSS physical member ports. The ES1D2X40SFC0 allows a maximum of 32 member ports in a logical CSS port. The interconnected CSS physical member ports on the two member switches must both be 40GE ports. 10GE ports derived from a 40GE port cannot be added to a logical CSS port. |
| Requirement on MPU | Each CSS member switch must have at least one MPU. If both member switches have one MPU, the MPUs in the two chassis can be different models. | Each CSS member switch must have at least one MPU. If both member switches have one MPU, the MPUs in the two chassis can be different models. |
| Software Version | V200R002C00 and later versions | V200R002C00 and later versions |
| License Required | No | No |
| Hardware Configuration | Only two S9706s, one S9706 and one S9712, or two S9712s can set up a CSS. Two CSS cards can be installed in a chassis. It is recommended that the two CSS cards be the same model. The two chassis must use the same type of ports for CSS connection, for example, 10G SFP+ optical ports. Each LPU allows only one logical CSS port. | Only two S7706s, one S7706 and one S7712, or two S7712s can set up a CSS. Two CSS cards can be installed in a chassis. It is recommended that the two CSS cards be the same model. The two chassis must use the same type of ports for CSS connection, for example, 10G SFP+ optical ports. Each LPU allows only one logical CSS port. |
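
The four-port grouping rule in the Constraints row of Table 1-14 (groups 4*N to 4*N+3) and the S6700 note in Table 1-12 (groups 1 to 4, 5 to 8) can be checked before a change window. The following Python check is an added example, not Huawei code; it generalizes both rules into one function, and the function name and its first_port_id and max_ports parameters are hypothetical.

```python
GROUP_SIZE = 4  # member ports are configured in blocks of four


def check_member_ports(ports, first_port_id=0, max_ports=None):
    """Return a list of problems; an empty list means the plan obeys the rule.

    ports         -- port numbers planned as physical member ports
    first_port_id -- 0 for LPU numbering (groups 4*N .. 4*N+3),
                     1 for S6700 numbering (groups 1-4, 5-8, ...)
    max_ports     -- optional cap on member ports (hypothetical parameter:
                     8 for the S6700, 4 for an X08SED4/X08SED5 LPU)
    """
    planned = list(ports)
    chosen = set(planned)
    problems = []
    if len(chosen) != len(planned):
        problems.append("duplicate port numbers in the plan")

    # Bucket every planned port into its aligned group of four.
    groups = {}
    for port in sorted(chosen):
        if port < first_port_id:
            problems.append(f"port {port} is below the first port ID {first_port_id}")
            continue
        index = (port - first_port_id) // GROUP_SIZE
        groups.setdefault(index, set()).add(port)

    # If any port of a group is used, the other three must be used as well.
    for index in sorted(groups):
        start = first_port_id + index * GROUP_SIZE
        missing = sorted(set(range(start, start + GROUP_SIZE)) - groups[index])
        if missing:
            problems.append(
                f"group {start}-{start + GROUP_SIZE - 1} is incomplete, "
                f"missing {missing}"
            )

    if max_ports is not None and len(chosen) > max_ports:
        problems.append(f"{len(chosen)} member ports exceed the limit of {max_ports}")
    return problems


if __name__ == "__main__":
    # The three plans named in Table 1-14: 0-3 and 4-7 pass, 2-5 fails.
    for plan in ([0, 1, 2, 3], [4, 5, 6, 7], [2, 3, 4, 5]):
        print(plan, check_member_ports(plan) or "ok")
    # S6700 numbering with the eight-port cap from Table 1-12.
    print(check_member_ports(range(1, 13), first_port_id=1, max_ports=8))
```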

1.16 Rate Limiting

1.16.1 How Do I Configure Port Rate Limiting on a Modular Switch?

Configure QoS CAR on an interface to implement rate limiting in the inbound direction. Alternatively, configure a traffic policy with an ACL-based traffic classifier to limit the rate of packets matching the ACL.

QoS CAR cannot be applied to outbound traffic, but you can limit the rate of outbound traffic using a traffic policy or traffic shaping.

1.16.2 Can Rate Limiting Be Configured for an Eth-Trunk on a Modular Switch and How Does the Configuration Take Effect?

Modular switches support rate limiting for inbound traffic on an Eth-Trunk. This function can be configured using the qos car command. After this command is executed:

  • If the member interfaces of the Eth-Trunk are located on different LPUs, the configured rate limit applies to each interface individually.
  • If the member interfaces of the Eth-Trunk are located on the same LPU, the member interfaces share the bandwidth specified by the rate limit. The bandwidth is distributed on the member interfaces randomly.

1.16.3 How Do I Configure Rate Limiting?

Configuring Interface-based or Flow-based Rate Limiting on the S7700 and S9700

  • Configuring rate limiting on an interface
    # Set the rate limit for inbound packets on the interface to 10 Mbit/s.
    [Quidway] qos car car1 cir 10240 cbs 1024000
    [Quidway] interface GigabitEthernet1/0/0
    [Quidway-GigabitEthernet1/0/0] qos car inbound car1
    # Set the rate limit for outbound packets on the interface to 10 Mbit/s.
    [Quidway] interface gigabitethernet1/0/0
    [Quidway-GigabitEthernet1/0/0] qos lr cir 10240 pir 10240
  • Configuring rate limiting for a flow
    # Set the rate limit for any inbound and outbound flows on an interface to 10 Mbit/s.
    [Quidway] traffic classifier c1 operator and
    [Quidway-classifier-c1] if-match any
    [Quidway-classifier-c1] quit
    [Quidway] traffic behavior b1
    [Quidway-behavior-b1] car cir 10240 pir 10240 green pass yellow pass red discard
    [Quidway-behavior-b1] quit
    [Quidway] traffic policy p1
    [Quidway-trafficpolicy-p1] classifier c1 behavior b1
    [Quidway-trafficpolicy-p1] quit
    [Quidway] interface gigabitethernet1/0/1
    [Quidway-GigabitEthernet1/0/1] traffic-policy p1 inbound
    [Quidway-GigabitEthernet1/0/1] traffic-policy p1 outbound 
    NOTE:

    A traffic policy can be used in the inbound and outbound directions in the system view, interface view, and VLAN view.

Configuring Rate Limiting on the S2700, S3700, and S5700

The following rate limiting configuration is recommended:

  • Set the CIR, CBS, and PBS and do not set the PIR.
  • Set the CBS to 200 times the CIR.
  • Set the PBS to 2 times the CBS, that is, 400 times the CIR.

The CIR is expressed in kbit/s (1024 bit/s), and the CBS and PBS are expressed in bytes.

  • Set the rate limit for outbound packets on the interface to 10 Mbit/s.
    [HUAWEI] interface ethernet 0/0/1
    [HUAWEI-Ethernet0/0/1] qos lr outbound cir 10240 cbs 2048000
  • Set the rate limit for inbound packets on the interface to 10 Mbit/s.
    [HUAWEI] interface ethernet 0/0/1
    [HUAWEI-Ethernet0/0/1] qos lr inbound cir 10240 cbs 2048000
NOTE:

A traffic policy can be used in the physical interface view, Eth-Trunk interface view, and VLAN view. When a traffic policy is used in the VLAN view, interfaces in the VLAN share the bandwidth specified by the rate limit in the traffic policy.

On the S5700, a physical interface is a GE interface.

Configuring Rate Limiting on the S6700

The following rate limiting configuration is recommended:

  • Set the CIR, CBS, and PBS and do not set the PIR.
  • Set the CBS to 200 times the CIR.
  • Set the PBS to 2 times the CBS, that is, 400 times the CIR.

The CIR is expressed in kbit/s (1024 bit/s), and the CBS and PBS are expressed in bytes.

  • Set the rate limit for outbound packets on the interface to 10 Mbit/s.
    [HUAWEI] interface XGigabitEthernet 1/0/1
    [HUAWEI-XGigabitEthernet1/0/1] qos lr outbound cir 10240 cbs 2048000
  • Set the rate limit for inbound packets on the interface to 10 Mbit/s.
    [HUAWEI] interface XGigabitEthernet 1/0/1
    [HUAWEI-XGigabitEthernet1/0/1] qos lr inbound cir 10240 cbs 2048000

1.16.4 Why Cannot Traffic Rates Be Limited Accurately After CAR Is Configured?

A switch counts the lengths of inter-frame gaps and VLAN tags when limiting the traffic rate based on CAR. It is recommended that you use packets of over 1000 bytes in CAR tests to minimize the impact of inter-frame gaps and VLAN tags.

For example, a 64-byte packet usually has a 20-byte inter-frame gap and a 4-byte VLAN tag. Therefore, the total packet length is 88 bytes (64 bytes + 20 bytes + 4 bytes = 88 bytes). During CAR rate limiting, the switch calculates the traffic rate based on the packet length of 88 bytes, so the rate limiting result is inaccurate. If large packets are used, the inter-frame gap and the VLAN tag account for a small proportion of the total packet length and have little impact on the packet rate. Therefore, the rate limiting result is more accurate.

1.16.5 How Do I Configure Aggregated CAR on the S7700 and S9700?

Aggregated CAR can be implemented in 1-level or 2-level mode.

  • 1-level CAR: limits the total rate of outbound data flows destined for MAC addresses 1-1-1 and 2-2-2 to 100 kbit/s on GE1/0/1. To configure the 1-level CAR rate limiting policy, run the car cir 100 command in the traffic behavior view. The configuration is as follows:
    #
    acl number 4999
     rule 5 permit destination-mac 0001-0001-0001
     rule 10 permit destination-mac 0002-0002-0002
    #
    traffic classifier 2 operator or precedence 40
     if-match acl 4999
    #
    traffic behavior 2
     car cir 100 pir 100 cbs 18800 pbs 31300 mode color-blind green pass yellow pass red discard
    #
    traffic policy p1
     classifier 2 behavior 2
    #
    interface gigabitethernet1/0/1
     traffic-policy p1 outbound
    #
  • 2-level CAR: The first level limits the CIR and PIR of each of the outbound flows destined for MAC addresses 1-1-1 and 2-2-2 to 100 kbit/s and 200 kbit/s on GE1/0/1. The second level limits the total rate of the two flows to 300 kbit/s. The configuration is as follows:
    NOTE:

    The CIR set in the CAR profile must be larger than the sum of the CIR values for the two flows and smaller than the sum of the PIR values. Otherwise, aggregated CAR is meaningless.

    #
    qos car car1 cir 300 cbs 56400
    #
    traffic classifier 1 operator or precedence 45
     if-match destination-mac 0001-0001-0001
    traffic classifier 2 operator or precedence 40
     if-match destination-mac 0002-0002-0002
    #
    traffic behavior 1
     permit
     car cir 100 pir 200 cbs 12500 pbs 25000 mode color-blind green pass yellow pass red discard
     car car1 share
    traffic behavior 2
     permit
     car cir 100 pir 200 cbs 12500 pbs 25000 mode color-blind green pass yellow pass red discard
     car car1 share
    #
    traffic policy 1 match-order config
     classifier 2 behavior 2
     classifier 1 behavior 1
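
The NOTE above requires the CIR of the shared CAR profile to lie between the sum of the per-flow CIR values and the sum of the per-flow PIR values. The following Python check is an added example, not Huawei code: it parses the 2-level configuration shown above and reports whether that condition holds. The function names are hypothetical, and treating a missing pir as equal to cir is an assumption.

```python
import re
import textwrap

# 2-level CAR configuration copied from the FAQ entry above.
PAGE_CONFIG = """
#
qos car car1 cir 300 cbs 56400
#
traffic classifier 1 operator or precedence 45
 if-match destination-mac 0001-0001-0001
traffic classifier 2 operator or precedence 40
 if-match destination-mac 0002-0002-0002
#
traffic behavior 1
 permit
 car cir 100 pir 200 cbs 12500 pbs 25000 mode color-blind green pass yellow pass red discard
 car car1 share
traffic behavior 2
 permit
 car cir 100 pir 200 cbs 12500 pbs 25000 mode color-blind green pass yellow pass red discard
 car car1 share
#
traffic policy 1 match-order config
 classifier 2 behavior 2
 classifier 1 behavior 1
"""

RE_PROFILE = re.compile(r"qos car (\S+) cir (\d+)")
RE_BEHAVIOR = re.compile(r"traffic behavior (\S+)")
RE_FLOW = re.compile(r"car cir (\d+)(?: pir (\d+))?")
RE_SHARE = re.compile(r"car (\S+) share$")


def parse_car(config):
    """Return (profiles, behaviors) extracted from a configuration text."""
    profiles = {}    # CAR profile name -> CIR in kbit/s
    behaviors = {}   # behavior name -> per-flow cir/pir and shared profile
    current = None
    for raw in textwrap.dedent(config).splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():          # unindented line: a new stanza starts
            current = None
            m = RE_PROFILE.match(line)
            if m:
                profiles[m.group(1)] = int(m.group(2))
            m = RE_BEHAVIOR.match(line)
            if m:
                current = behaviors.setdefault(
                    m.group(1), {"cir": None, "pir": None, "shared": None})
            continue
        if current is None:
            continue
        m = RE_FLOW.match(line)
        if m:
            current["cir"] = int(m.group(1))
            # Assumption: when pir is omitted, it equals cir.
            current["pir"] = int(m.group(2)) if m.group(2) else int(m.group(1))
            continue
        m = RE_SHARE.match(line)
        if m:
            current["shared"] = m.group(1)
    return profiles, behaviors


def check_aggregated_car(config):
    """Check sum(flow CIR) < profile CIR < sum(flow PIR) for each shared profile."""
    profiles, behaviors = parse_car(config)
    report = {}
    for name, beh in behaviors.items():
        prof = beh["shared"]
        if prof is None:
            continue
        entry = report.setdefault(prof, {
            "profile_cir": profiles.get(prof), "sum_cir": 0, "sum_pir": 0,
            "flows": [], "problems": []})
        entry["flows"].append(name)
        if beh["cir"] is None:
            entry["problems"].append(f"behavior {name} shares {prof} without a per-flow car")
        else:
            entry["sum_cir"] += beh["cir"]
            entry["sum_pir"] += beh["pir"]
    for prof, entry in report.items():
        cir = entry["profile_cir"]
        if cir is None:
            entry["problems"].append(f"CAR profile {prof} is referenced but not defined")
        elif not entry["sum_cir"] < cir < entry["sum_pir"]:
            entry["problems"].append(
                f"profile CIR {cir} is not between {entry['sum_cir']} and {entry['sum_pir']}")
        entry["ok"] = not entry["problems"]
    return report


if __name__ == "__main__":
    for prof, entry in check_aggregated_car(PAGE_CONFIG).items():
        print(prof, entry)
```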

1.17 Port Isolation

1.17.1 In What Scenarios Can Port Isolation Be Used?

Port isolation provides secure and flexible networking schemes. Port isolation can also isolate interfaces in the same VLAN. You can add interfaces to a port isolation group to implement Layer 2 isolation between these interfaces. You can also add interfaces to different VLANs. However, this latter method consumes many VLAN resources.

Figure 1-7 shows the port isolation method and application scenario. PC1, PC2, and PC3 belong to VLAN 10. After GE1/0/1 and GE1/0/2 connected to PC1 and PC2 are added to a port isolation group, PC1 and PC2 cannot communicate with each other in VLAN 10. PC3 can still communicate with PC1 and PC2.

Figure 1-7 Port isolation example

You can configure unidirectional port isolation in the following situation: Multiple hosts connect to a device through different interfaces. One of the hosts may send a large number of broadcast packets to other hosts, causing security risks. You can configure unidirectional port isolation to isolate the risky host from other hosts.

As shown in Figure 1-8, PC4 may threaten network security by sending a large number of broadcast packets to other hosts. You can configure unidirectional port isolation on GE1/0/4 connected to PC4 to block packets sent from this interface to GE1/0/5 and GE1/0/6. In this way, broadcast packets sent from PC4 cannot reach PC5 or PC6, but broadcast packets sent from PC5 and PC6 can reach PC4.

Figure 1-8 Unidirectional port isolation example

1.17.2 How Do I Configure Port Isolation?

The port isolation feature isolates interfaces in a VLAN. To configure port isolation, run the port-isolate enable [ group group-id ] command in the interface view. For example, configure port isolation on GigabitEthernet1/0/1:

[Quidway] interface gigabitethernet1/0/1 
[Quidway-GigabitEthernet1/0/1] port-isolate enable

To configure unidirectional port isolation, run the am isolate { interface-type interface-number }&<1-8> or am isolate interface-type interface-number1 [ to interface-number2 ] command in the interface view. For example, configure unidirectional isolation on GigabitEthernet1/0/1 and GigabitEthernet1/0/2:

[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] am isolate gigabitethernet 1/0/2

1.17.3 What Precautions Should Be Taken to Configure Port Isolation?

  • Port isolation applies only to interfaces of the same device and cannot isolate interfaces on different devices.
  • Interfaces in a port isolation group are isolated from each other, but interfaces in different port isolation groups can communicate. If group-id is not specified, an interface is added to port isolation group 1.
  • By default, port isolation blocks Layer 2 communication but allows Layer 3 communication. To isolate interfaces at both Layer 2 and Layer 3, run the port-isolate mode all command in the system view.
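
The group and direction rules above determine which interface pairs are actually isolated, so it is worth auditing a configuration rather than reading it by eye. The following Python audit is an added example, not Huawei code: it uses a constructed configuration modelled on Figures 1-7 and 1-8 and lists the Layer 2 paths that remain open. The function names and the saved-configuration layout are assumptions, and the `to` range form of am isolate is rejected rather than parsed.

```python
import re
from itertools import permutations

# Constructed configuration modelled on Figures 1-7 and 1-8 (not from a device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 port-isolate enable group 1
interface GigabitEthernet1/0/2
 port-isolate enable
interface GigabitEthernet1/0/3
 port link-type access
interface GigabitEthernet1/0/4
 am isolate GigabitEthernet1/0/5 GigabitEthernet1/0/6
interface GigabitEthernet1/0/5
interface GigabitEthernet1/0/6
"""

# "GigabitEthernet1/0/1" and "gigabitethernet 1/0/1" name the same port.
IFACE = re.compile(r"([A-Za-z][A-Za-z-]*)\s*(\d+(?:/\d+)+)")
ENABLE = re.compile(r"port-isolate enable(?:\s+group\s+(\d+))?$")


def parse_isolation(config):
    """Extract isolation groups, one-way blocks and the isolation mode."""
    state = {"mode": "l2", "ports": [], "groups": {}, "one_way": {}}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if not raw[0].isspace():                  # system-view line
            current = None
            if line == "port-isolate mode all":
                state["mode"] = "all"
            elif line.lower().startswith("interface "):
                m = IFACE.fullmatch(line[len("interface "):].strip())
                if m:
                    current = m.group(1).lower() + m.group(2)
                    state["ports"].append(current)
            continue
        if current is None:
            continue
        m = ENABLE.match(line)
        if m:
            # No group-id means port isolation group 1, as the FAQ states.
            state["groups"].setdefault(current, set()).add(int(m.group(1) or 1))
        elif line.startswith("am isolate "):
            args = line[len("am isolate "):]
            if re.search(r"\bto\b", args):
                raise ValueError(f"range form not supported: {line!r}")
            targets = {t.lower() + n for t, n in IFACE.findall(args)}
            state["one_way"].setdefault(current, set()).update(targets)
    return state


def l2_blocked(state, src, dst):
    """True if Layer 2 frames entering on src are not forwarded out of dst."""
    shared = state["groups"].get(src, set()) & state["groups"].get(dst, set())
    return bool(shared) or dst in state["one_way"].get(src, set())


def audit(state):
    """Summarise what the configuration does and does not isolate."""
    pairs = list(permutations(state["ports"], 2))
    blocked = {(s, d) for s, d in pairs if l2_blocked(state, s, d)}
    return {
        # Ordered (source, destination) pairs that can still exchange frames.
        "open": [p for p in pairs if p not in blocked],
        # Pairs blocked in one direction only (unidirectional isolation).
        "one_way_only": sorted((s, d) for s, d in blocked if (d, s) not in blocked),
        # Default mode blocks Layer 2 only; "port-isolate mode all" adds Layer 3.
        "layer3_still_allowed": state["mode"] != "all",
    }


if __name__ == "__main__":
    result = audit(parse_isolation(SAMPLE_CONFIG))
    print("one-way blocks:", result["one_way_only"])
    print("open paths:", len(result["open"]))
    print("Layer 3 still allowed:", result["layer3_still_allowed"])
```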

1.18 Layer 2 Transparent Transmission

1.18.1 Can a Switch Transparently Transmit BPDUs?

  • After the bpdu enable command is run on an interface, the interface sends received BPDUs to the CPU for processing.

    The local device determines whether to process BPDUs of a protocol depending on whether the protocol is enabled. For example, whether STP BPDUs on an interface are sent to the CPU depends on whether STP has been enabled on the interface using the stp enable command.

  • After the bpdu disable command is run on an interface, the interface discards BPDUs.

By default, an interface discards received BPDUs.

To configure a switch to transparently transmit BPDUs, enable Layer 2 protocol transparent transmission on an interface by running the l2protocol-tunnel all enable command in the interface view. To ensure successful forwarding of packets, configure the default VLAN on the inbound and outbound interfaces of all devices on the forwarding path.

1.19 Basic Configuration

1.19.1 How Do I Delete Files from the Recycle Bin?

NOTICE:

Files that are deleted from the recycle bin cannot be recovered.

To delete files from the recycle bin in the specified path, run the reset recycle-bin [ filename ] command in the user view.

1.19.2 How Do I Increase a Command Level?

A user level matches a certain command privilege level. After logging in to a switch, a user can run only commands whose levels are the same as or lower than the user level. For example, a user at level 2 can run only the commands at levels 0, 1, and 2.

By default, the command privilege level ranges from 0 to 3, and the user level ranges from 0 to 15. An administrator can change the command level as required so that users of different levels can execute commands correspondingly.

The administrator at user level 15 can run the following commands to increase command privilege levels:

  • Run the command-privilege level level view view-name command-key command with the command-key parameter specified.
  • Run the command-privilege level rearrange command to increase command privilege levels in batches.

    If the levels of commands have not been changed using the command-privilege level level view view-name command-key command, the levels of all level-2 and level-3 commands will be increased to level 10 and level 15 after the preceding command is executed, whereas the levels of level-0 and level-1 commands are unchanged.

1.19.3 What Are the Differences Between the Tracert Functions of a Network Device and a PC?

The tracert command is used to discover the gateways that packets actually pass through from the source to the destination. It is used to check network connectivity and locate network faults.

The process of a tracert command is as follows:

1. The sender sends a packet with TTL 1. When the TTL expires, the first hop returns an ICMP error message indicating that the message cannot be forwarded anymore.

2. The sender sends a packet with TTL 2. When the TTL expires, the second hop returns an ICMP error message indicating that the message cannot be forwarded anymore.

3. The sender sends a packet with TTL 3. When the TTL expires, the third hop returns an ICMP error message indicating that the message cannot be forwarded anymore.

4. The sender repeats the preceding process by increasing the TTL value until the packet reaches the destination.

  • When performing the tracert operation, a network device sends UDP packets. The UDP port number of the three UDP packets starts from 33434 and is incremented by 1 every time the packets pass a hop. When one node on the path has equal-cost routes, the node performs a hash operation based on flows. Therefore, the UDP packets are distributed to different routes, and a maximum of three IP addresses on the equal-cost routes are shown each time.

    The following figure shows information about tracert packets sent by a network device. The first hop has only one route, so only one next-hop 192.168.2.1 is displayed. The second hop has two next hops (192.168.11.2 and 192.168.21.2), so the three packets are distributed to two links.

  • When performing a tracert operation, a PC sends ICMP packets, which are irrelevant to port numbers. If a network device on the path has equal-cost routes, the ICMP packets are distributed to only one link, and only one next-hop IP address is displayed. However, if the network device performs load balancing based on packets, the ICMP packets are distributed to different links.

    The following figure shows information about the tracert packets sent by a PC. Three packets arrive at each hop together. For example, three packets have TTL 5.

1.20 Interface Management

1.20.1 Can a GE Optical Module Be Installed on a 10GE Optical Port of S6700?

Yes.

In V100R006C00SPC800, when a 10GE optical port of an S6700 connects to a GE optical module, the port rate switches to 1000 Mbit/s and operates in non-auto-negotiation mode. If the 10GE optical port connects to a 1000M optical port on the peer device, the two ports can go Up only when the 1000M optical port on the peer device operates in non-auto-negotiation mode.

After the switch has V100R006SPH005 installed and the 10GE optical port of the switch connects to a GE optical module, you can run the negotiation auto command to switch the port status to auto-negotiation. In this situation, the 10GE optical port can connect to a GE optical port in auto-negotiation mode.

In versions later than V100R006C00SPC800, a 10GE interface of S6700 automatically works at 1000 Mbit/s in auto-negotiation mode after a GE optical module is installed.

1.20.2 How Do I Restore the Default Configurations on an Interface?

Some interface configurations cannot be modified directly. To modify these configurations, you must first restore the default values, and then reconfigure them.

Restore the default interface configurations as follows:

1. In V100R006 and earlier versions, run the undo commands in the interface view to restore the default value of each configuration. The following is an example:

[HUAWEI-GigabitEthernet1/0/2]display this  //Check whether non-default configurations exist on an interface.
#
interface GigabitEthernet1/0/2
port link-type trunk                          //The interface type has been set to Trunk.
undo port trunk allow-pass vlan 1             //The interface has been deleted from VLAN 1.
port trunk allow-pass vlan 20                 //The interface has been added to VLAN 20.
#
[HUAWEI-GigabitEthernet1/0/2]port link-type access //An error message is displayed when you modify configurations on GE1/0/2.
Error: Please renew the default configurations.      //You are requested to restore the default configurations.
[HUAWEI-GigabitEthernet1/0/2]undo port trunk allow-pass vlan 20 //Delete the interface from VLAN 20.
[HUAWEI-GigabitEthernet1/0/2]port trunk allow-pass vlan 1    //Add the interface to VLAN 1.
[HUAWEI-GigabitEthernet1/0/2]port link-type access                   //The configurations can be modified now.

2. In V200R001C00 and later versions, you can run the clear configuration interface GigabitEthernet 1/0/2 command in the system view to clear all interface configurations. However, this command will shut down the interface. To enable the interface, run the undo shutdown command in the interface view.

1.20.3 Why Do Two GE Interfaces with Auto-Negotiation Enabled Work at 100 Mbit/s?

The link between the two interfaces is unstable during auto-negotiation, so negotiation packets are lost. As a result, the negotiated rate is lower than the maximum rates supported by the two interfaces. The reason the link is unstable may be that the network cable is loose, the RJ45 connector on one end is not properly connected, or the network cable is faulty. To enable the two interfaces to negotiate a specified speed, run the auto speed command on the interfaces.

1.20.4 How Do I Configure Edge Ports for Fixed Switches in a Batch?

Run the port-group command, for example:

[HUAWEI] port-group group1
[HUAWEI-port-group-group1] group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/24
[HUAWEI-port-group-group1] stp edged-port enable   //The following information is automatically displayed.
[HUAWEI-GigabitEthernet0/0/1]stp edged-port enable
…………
[HUAWEI-GigabitEthernet0/0/24]stp edged-port enable

In the port group view, you can configure interface attributes and interface services.

1.20.5 Why Can't Connected Optical Ports Go Up After Single-Fiber Bidirectional Optical Modules Are Used?

The single-fiber bidirectional optical (BIDI) modules must be used in pairs; otherwise, the two ports cannot be connected. For example, if one end uses the TX1310/RX1490 module, the other end must use the TX1490/RX1310 module.

1.21 MIB

1.21.1 Which MIB Objects Correspond to CPU Usage and Entity Memory Usage?

Table 1-15 lists the MIB objects that correspond to CPU usage and entity memory usage.

Table 1-15 MIB objects that correspond to CPU usage and entity memory usage

Item                  MIB Object Name     OID
CPU usage             hwEntityCpuUsage    1.3.6.1.4.1.2011.5.25.31.1.1.1.1.5
Entity memory usage   hwEntityMemUsage    1.3.6.1.4.1.2011.5.25.31.1.1.1.1.7

1.22 Information Center

1.22.1 How Can I Hide Console Port Information?

Some messages are displayed for configuration changes, but not for errors. For example, when you run a command, the following message is displayed:

DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 1, the change loop count is 64, and the maximum number of records is 1.

To hide this message, run the following commands:

  • Disable the DSA module in the Console information channel from sending traps.
    <HUAWEI> system-view
    [HUAWEI] info-center source dsa channel console trap level warning state off
  • Disable display of logs, traps, and debugging message output for user terminals.
    <HUAWEI> undo terminal monitor
    NOTE:

    This command is valid only for the current login.

1.23 MAC

1.23.1 What Is the Purpose of the Function of ARP Update upon MAC Entry Changes?

Principles

Each network device uses an IP address to communicate with other devices. On an Ethernet network, a device, which may be a user host, switching device, or routing device, sends and receives Ethernet data frames based on MAC addresses. The ARP protocol maps IP addresses to MAC addresses. When a device communicates with a device on a different network segment, it finds the MAC address and outbound interface of a packet according to the corresponding ARP entry.

If a user host moves from one interface to another, the MAC address of the host is learned by the new interface, so the outbound interface mapping the MAC address changes. The corresponding ARP entry, however, is not updated until the aging time expires. Before the ARP entry aging time expires, the device sends data frames based on the original ARP entry.

After the mac-address update arp command is executed on a switch to enable this function, the switch updates outbound interfaces in ARP entries immediately when outbound interfaces in MAC address entries change.

NOTE:

This function is unavailable in versions earlier than V100R006C00.

Configuration Impact

After this command is executed, the gratuitous ARP function becomes ineffective.

Precautions

The mac-address update arp command takes effect only for dynamic ARP entries. Static ARP entries are not updated when the corresponding MAC address entries change.

The mac-address update arp command does not take effect after ARP anti-spoofing is enabled using the arp anti-attack entry-check enable command.

After the mac-address update arp command is run, the switch updates an ARP entry only if the outbound interface in the corresponding MAC address entry changes.

Example

# Enable a switch to update outbound interfaces in ARP entries when outbound interfaces in MAC address entries change.

<Quidway> system-view
[Quidway] mac-address update arp
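The behaviour described under Principles and Precautions can be traced with a toy model of the two tables. This is an added example, not switch code: the class, the function names and the IP and MAC addresses are constructed for illustration, and a static ARP entry is simply given a MAC entry as well.

```python
# Added illustration: toy MAC and ARP tables, not switch code.
from dataclasses import dataclass

@dataclass
class ArpEntry:
    mac: str
    port: str              # outbound interface recorded in the ARP entry
    static: bool = False

class ToySwitch:
    def __init__(self, mac_update_arp=False, arp_entry_check=False):
        self.mac_update_arp = mac_update_arp     # models "mac-address update arp"
        self.arp_entry_check = arp_entry_check   # models "arp anti-attack entry-check enable"
        self.mac_table = {}                      # MAC -> outbound interface
        self.arp_table = {}                      # IP  -> ArpEntry

    def add_arp(self, ip, mac, port, static=False):
        self.arp_table[ip] = ArpEntry(mac, port, static)
        self.mac_table[mac] = port

    def learn_mac(self, mac, port):
        """A frame from `mac` arrives on `port`: the MAC entry always follows the host."""
        moved = self.mac_table.get(mac) != port
        self.mac_table[mac] = port
        if not moved or not self.mac_update_arp or self.arp_entry_check:
            return                               # ARP entry waits for aging
        for entry in self.arp_table.values():
            if entry.mac == mac and not entry.static:   # dynamic entries only
                entry.port = port

    def egress_for(self, ip):
        """Interface used for routed traffic to `ip`, taken from the ARP entry."""
        return self.arp_table[ip].port

def host_move(**features):
    """Move a dynamic and a static host from GE1/0/1 to GE1/0/2 (constructed data)."""
    sw = ToySwitch(**features)
    sw.add_arp("10.1.1.5", "00e0-fc12-3456", "GE1/0/1")
    sw.add_arp("10.1.1.9", "00e0-fc12-9999", "GE1/0/1", static=True)
    sw.learn_mac("00e0-fc12-3456", "GE1/0/2")
    sw.learn_mac("00e0-fc12-9999", "GE1/0/2")
    return sw.egress_for("10.1.1.5"), sw.egress_for("10.1.1.9")

if __name__ == "__main__":
    print("feature off     :", host_move())
    print("feature on      :", host_move(mac_update_arp=True))
    print("on + entry-check:", host_move(mac_update_arp=True, arp_entry_check=True))
```

Only the dynamic entry follows the host to GE1/0/2, and only when the function is enabled and ARP entry checking is off; in every other case traffic keeps leaving through GE1/0/1 until the entry ages out.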

1.23.2 Does a Switch Support MAC Address Flapping Detection?

Modular and fixed switches support MAC address flapping detection in different situations.

  • Modular switches

    In V100R002, the switch supports global MAC address flapping detection on all LPUs except the S series. After global detection is enabled, the switch can only send traps if MAC address flapping is detected.

    In V100R002, run the mac-flapping alarm enable command to enable MAC address flapping detection.

    Compared with V100R002, V100R003 and later versions also support VLAN-based MAC address flapping detection and actions performed when MAC address flapping is detected.

    In V100R003 and later versions, the loop-detect eth-loop alarm-only command can be run in the system or VLAN view to enable MAC address flapping detection.

    By default, global MAC address flapping detection is disabled in V100R003 and enabled in V100R006 and later versions.

    Since V200R001, switches have supported global MAC address flapping detection, VLAN whitelist, and quit-vlan action.

  • Fixed switches

    Fixed switches (excluding S2700) of V100R003 and later versions do not support global MAC address flapping detection. They support only VLAN-based MAC address flapping detection and actions such as sending traps and blocking interfaces when MAC address flapping is detected.

    Run the following command in the VLAN view to enable MAC address flapping detection:

    loop-detect eth-loop alarm-only

    Since V200R001, switches have supported global MAC address flapping detection, VLAN whitelist, and quit-vlan action.