ATN 910&910I&910B&950B V200R003C00 Configuration Guide 02 (CLI)

ATN 910&910I&910B&950B Multi-Service Access
Equipment
V200R003C00
Configuration Guide(CLI)
Issue
02
Date
2013-12-31
HUAWEI TECHNOLOGIES CO., LTD.
Copyright Huawei Technologies Co., Ltd. 2013. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.

Address:
Huawei Industrial Base

Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website:
http://www.huawei.com
Email:
support@huawei.com
Issue 02 (2013-12-31)
Huawei Proprietary and Confidential

Copyright Huawei Technologies Co., Ltd.

Equipment
About This Document
About This Document

Purpose
This document provides features supported by the ATN device.
The usage precautions are as follows:
l
A device can store keys in plaintext, reversible algorithm encryption, or irreversible

algorithm encryption mode. The plaintext mode has the low security level, and the
irreversible algorithm encryption mode has the highest security level. Use different storage
modes for different scenarios. Exercise caution when using an insecure storage mode. The
system automatically selects the irreversible algorithm encryption mode to store local user
keys. Generally, the reversible algorithm encryption mode is used to store protocol keys to
meet interworking requirements.
If the plaintext mode is used, a password is stored in plaintext in the configuration file. This
results in high security risks. The plaintext mode applies only to scenarios with special
requirements, such as compatibility and interworking requirements.
Related Version
The following table lists the product version related to this document.
Product Name
Version
l ATN 910
V200R003C00
l ATN 910I
l ATN 910B
l ATN 950B
Intended Audience
This document is intended for:
l
Commissioning Engineer
Data Configuration Engineer
Network Monitoring Engineer
System Maintenance Engineer
Issue 02 (2013-12-31)

ii

Equipment
About This Document
Symbol Conventions
Symbol
Description
Indicates an imminently hazardous situation which, if not
avoided, will result in death or serious injury.
Indicates a potentially hazardous situation which, if not
avoided, could result in death or serious injury.
avoided, may result in minor or moderate injury.
avoided, could result in equipment damage, data loss,
performance deterioration, or unanticipated results.
NOTICE is used to address practices not related to personal
injury.
Calls attention to important information, best practices and
tips.
NOTE is used to address information not related to personal
injury, equipment damage, and environment deterioration.
Command Conventions
Issue 02 (2013-12-31)
Convention
Description
Boldface
The keywords of a command line are in boldface.
Italic
Command arguments are in italics.
[]
Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }
Optional items are grouped in braces and separated by

vertical bars. One item is selected.
[ x | y | ... ]
Optional items are grouped in brackets and separated by

vertical bars. One item is selected or no item is selected.
{ x | y | ... }*
Optional items are grouped in braces and separated by

vertical bars. A minimum of one item or a maximum of all
items can be selected.
[ x | y | ... ]*
Optional items are grouped in brackets and separated by

vertical bars. Several items or no item can be selected.

iii

Equipment
About This Document
GUI Conventions
Convention
Description
Boldface
Buttons, menus, parameters, tabs, window, and dialog titles

are in boldface. For example, click OK.
>
Multi-level menus are in boldface and separated by the ">"

signs. For example, choose File > Create > Folder.
Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.
Changes in Issue 02 (2013-12-31)

This document has the following updates:
Known bugs are fixed.
Changes in Issue 01 (2013-10-31)

This document is the first release of the V200R003C00 version.
Issue 02 (2013-12-31)

iv

Equipment
Contents
Contents
About This Document.....................................................................................................................ii
1 Basic Configurations.....................................................................................................................1
1.1 Logging In to the System for the First Time..................................................................................................................3
1.1.1 Introduction.................................................................................................................................................................3
1.1.2 Logging In to the Device Through the Console Port...................................................................................................3
1.2 CLI Overview.................................................................................................................................................................7
1.2.1 CLI Introduction..........................................................................................................................................................7
1.2.2 Online Help................................................................................................................................................................12
1.2.3 CLI Features..............................................................................................................................................................14
1.2.4 Shortcut Keys............................................................................................................................................................21
1.2.5 Configuration Examples............................................................................................................................................23
1.3 Basic Configuration......................................................................................................................................................27
1.3.1 Configuring the Basic System Environment.............................................................................................................27
1.3.2 Displaying System Status Messages..........................................................................................................................38
1.4 Configuring User Interfaces.........................................................................................................................................39
1.4.1 User Interface Overview............................................................................................................................................39
1.4.2 Configuring the Console User Interface....................................................................................................................41
1.4.3 Configuring the VTY User Interface.........................................................................................................................47
1.5 Configuring User Login................................................................................................................................................60
1.5.1 User Login Overview................................................................................................................................................60
1.5.2 Logging In to Devices Through the Console Port.....................................................................................................62
1.5.3 Using Telnet to Log In to Devices.............................................................................................................................67
1.5.4 Using STelnet to Log In to Devices..........................................................................................................................76
1.5.5 Common Operations After Login..............................................................................................................................93
1.6 Managing the File System..........................................................................................................................................106
1.6.1 File System Overview.............................................................................................................................................106
1.6.2 Using the File System to Manage Files...................................................................................................................108
1.6.3 Using FTP to Manage Files.....................................................................................................................................112
1.6.4 Using SFTP to Manage Files...................................................................................................................................120
1.6.5 Configuration Examples..........................................................................................................................................136
Issue 02 (2013-12-31)


Equipment
Contents
1.7 Configuring System Startup.......................................................................................................................................143

1.7.1 System Startup Overview........................................................................................................................................143
1.7.2 Managing Configuration Files.................................................................................................................................144
1.7.3 Specifying a File for System Startup.......................................................................................................................149
1.8 Accessing Another Device.........................................................................................................................................153
1.8.1 Accessing Another Device......................................................................................................................................153
1.8.2 Using Telnet to Log In to Other Devices................................................................................................................157
1.8.3 Using STelnet to Log In to Another Device............................................................................................................160
1.8.4 Using TFTP to Access Files on Another Device.....................................................................................................165
1.8.5 Using FTP to Access Files on Another Device.......................................................................................................169
1.8.6 Using SFTP to Access Files on Another Device.....................................................................................................175
1.9 Device Maintenance...................................................................................................................................................230
1.9.1 Introduction of Device Maintenance.......................................................................................................................230
1.9.2 Monitoring the Device Status..................................................................................................................................231
1.9.3 Board Maintence .....................................................................................................................................................235
1.10 Patch Management...................................................................................................................................................236
1.10.1 Patch Management Introduction............................................................................................................................236
1.10.2 Checking Whether a Patch is Running in the System...........................................................................................238
1.10.3 Loading a Patch.....................................................................................................................................................240
1.10.4 Installing a Patch...................................................................................................................................................242
1.10.5 (Optional) Deactivating the Patch.........................................................................................................................244
1.10.6 Configuration Examples for Patch Management...................................................................................................245
1.11 Glossary....................................................................................................................................................................247
1.12 Acronyms and Abbreviations...................................................................................................................................252
2 System Management.................................................................................................................257
2.1 Information Center Configuration..............................................................................................................................259
2.1.1 Information Center Overview..................................................................................................................................259
2.1.2 Enabling Log Output...............................................................................................................................................265
2.1.3 Enabling Alarm Output...........................................................................................................................................272
2.1.4 Enabling the Output of Debugging Information......................................................................................................279
2.1.5 Maintaining Information Center..............................................................................................................................285
2.1.6 Information Center Configuration Examples..........................................................................................................286
2.2 SNMP Configuration..................................................................................................................................................297
2.2.1 Introduction.............................................................................................................................................................298
2.2.2 Configuring a Device to Communicate with an NM Station by Running SNMPv1...............................................304
2.2.3 Configuring a Device to Communicate with an NM Station by Running SNMPv2c.............................................313
2.2.4 Configuring a Device to Communicate with an NM Station by Running SNMPv3...............................................323
2.2.5 SNMP Configuration Examples..............................................................................................................................334
2.3 RMON and RMON2 Configuration...........................................................................................................................345
Issue 02 (2013-12-31)

vi

Equipment
Contents
2.3.1 Overview of RMON and RMON2..........................................................................................................................345

2.3.2 Configuring RMON.................................................................................................................................................348
2.3.3 Configuring RMON2...............................................................................................................................................354
2.3.4 RMON And RMON2 Configuration Examples......................................................................................................357
2.4 IP FPM Configuration................................................................................................................................................363
2.4.1 Overview.................................................................................................................................................................364
2.4.2 Configuring IP FPM End-to-End Performance Statistics Collection......................................................................367
2.4.3 Configuring IP FPM Hop-by-Hop Performance Statistics Collection....................................................................377
2.4.4 Maintaining IP FPM................................................................................................................................................386
2.5 NQA Configuration....................................................................................................................................................431
2.5.1 Overview of NQA...................................................................................................................................................431
2.5.2 Configuring the ICMP Test.....................................................................................................................................435
2.5.3 Configuring the FTP Download Test......................................................................................................................438
2.5.4 Configuring the FTP Upload Test...........................................................................................................................441
2.5.5 Configuring the Traceroute Test..............................................................................................................................444
2.5.6 Configuring the SNMP Query Test.........................................................................................................................446
2.5.7 Configuring the TCP Test........................................................................................................................................449
2.5.8 Configuring the UDP Test.......................................................................................................................................452
2.5.9 Configuring the Jitter Test.......................................................................................................................................455
2.5.10 Configuring a Jitter Test Based on the Mechanism That the LPU Sends Packets................................................459
2.5.11 Configuring the LSP Ping Test..............................................................................................................................463
2.5.12 Configuring the LSP Jitter Test.............................................................................................................................469
2.5.13 Configuring the LSP Trace Test............................................................................................................................474
2.5.14 Configuring an ICMP Jitter Test...........................................................................................................................480
2.5.15 Configuring an ICMP Jitter Test Based on the Mechanism that the LPU Sends Packets.....................................483
2.5.16 Configuring a Path Jitter Test................................................................................................................................487
2.5.17 Configuring a Path MTU Test...............................................................................................................................490
2.5.18 Configuring the PWE3 Ping Test to Check the Single-segment PW....................................................................492
2.5.19 Configuring the PWE3 Trace Test to Check the single-segment PW...................................................................495
2.5.20 Configuring Universal NQA Test Parameters.......................................................................................................497
2.5.21 Configuring Round-Trip Transmission Delay Thresholds....................................................................................504
2.5.22 Configuring Uni-directional Transmission Delay Thresholds..............................................................................506
2.5.23 Configuring the Trap Function..............................................................................................................................508
2.5.24 Configuring Test Results to Be Sent to the FTP Server........................................................................................512
2.5.25 Configuring a Threshold for the NQA Alarm.......................................................................................................517
2.5.26 Configuring a MAC Ping Test...............................................................................................................................520
2.5.27 Configuring a VPLS MAC Ping Test....................................................................................................................525
2.5.28 Configuring a VPLS MAC Trace Test..................................................................................................................527
2.5.29 Configuring VPLS PW Ping and VPLS PW Trace Test Instances.......................................................................530
2.5.30 Configuring a General Flow Test Instance............................................................................................................536
Issue 02 (2013-12-31)

vii

Equipment
Contents
2.5.31 Maintaining NQA..................................................................................................................................................545

2.5.32 NQA Configuration Examples..............................................................................................................................546
2.6 Ping and Tracert..........................................................................................................................................................642
2.6.1 Ping and Tracert Overview......................................................................................................................................642
2.6.2 Configuring Ping and Tracert..................................................................................................................................642
2.6.3 Detecting the LDP LSP Through the Ping or Tracert Operation.............................................................................645
2.6.4 Detecting the TE Tunnel Through the Ping or Tracert Operation...........................................................................647
2.6.5 Detecting the PWE3 Network Through the Ping or Tracert Operation...................................................................649
2.6.6 Detecting the VPLS Network Through the Ping or Tracert Operation...................................................................652
2.6.7 Detecting the BGP or MPLS IP VPN Through the Ping or Tracert Operation.......................................................654
2.6.8 Checking Layer 2+Layer 3 Network Connectivity Using a Ping Operation...........................................................656
2.6.9 Checking the VPLS Network Through VPLS MAC Ping......................................................................................659
2.6.10 Detecting Trunk Member Links Through a Ping Operation.................................................................................662
2.6.11 Configuring Ping/Tracert to Locate a Connection Fault in a Multicast Network.................................................663
2.6.12 Configuring CE Ping to Detect the Connectivity Between the PE and CE...........................................................666
2.7 Fault Management......................................................................................................................................................668
2.7.1 Introduction.............................................................................................................................................................668
2.7.2 Configuring Alarm Management.............................................................................................................................668
2.7.3 Configuring Event Management.............................................................................................................................671
2.7.4 Maintenance.............................................................................................................................................................673
2.8 Performance Management..........................................................................................................................................675
2.8.1 Configuring the Performance Management function..............................................................................................675
2.9 PoE Configurations.....................................................................................................................................................683
2.9.1 Configuring PoE......................................................................................................................................................683
2.10 Glossary....................................................................................................................................................................686
3 Reliability....................................................................................................................................695
3.1 Reliability Overview...................................................................................................................................................697
3.1.1 Introduction.............................................................................................................................................................697
3.1.2 Reliability Technologies for IP Networks...............................................................................................................699
3.1.3 Reliability Technologies Supported by the ATN....................................................................................................700
3.1.4 Networking of Reliability over an IP Network.......................................................................................................703
3.2 VRRP Configuration..................................................................................................................................................706
3.2.1 VRRP Overview......................................................................................................................................................706
3.2.2 Configuring Basic Functions of a VRRP IPv4 Backup Group...............................................................................713
3.2.3 Configuring an mVRRP IPv4 Backup Group.........................................................................................................723
3.2.4 Configuring VRRP IPv4 Association......................................................................................................................730
3.2.5 Maintaining VRRP..................................................................................................................................................734
3.3 Bit-Error-Triggered Protection Switching Configuration..........................................................................................749
Issue 02 (2013-12-31)

viii

Equipment
Contents
3.3.1 Bit-Error-Triggered Protection Switching Overview..............................................................................................749

3.3.2 Configuring TE Bit-Error-Triggered Tunnel Switching.........................................................................................751
3.3.3 Configuring Bit-Error-Triggered Route Switching.................................................................................................758
3.3.4 Configuring Bit-Error-Triggered Section-Layer Protection Switching...................................................................762
3.4 BFD Configuration.....................................................................................................................................................797
3.4.1 Introduction.............................................................................................................................................................797
3.4.2 Configuring Single-hop BFD..................................................................................................................................803
3.4.3 Configuring the Association Between the BFD Status and the Interface Status.....................................................806
3.4.4 Configuring the Association Between the BFD Status and the Sub-Interface Status.............................................810
3.4.5 Configuring the BFD to Modify the PST................................................................................................................813
3.4.6 Configuring the Multi-Hop BFD.............................................................................................................................815
3.4.7 Configuring a BFD Session with Automatically Negotiated Discriminators..........................................................818
3.4.8 Configuring the Delay of a BFD Session to Go Up................................................................................................820
3.4.9 Adjusting BFD Parameters......................................................................................................................................822
3.4.10 Globally Configuring the Destination Port Number for the Multi-Hop BFD Control Packet..............................827
3.4.11 Configuring the TTL Function Globally...............................................................................................................829
3.4.12 Configuring the Interval for Trap Messages Are Sent...........................................................................................830
3.4.13 Maintaining BFD...................................................................................................................................................832
3.4.14 Configuration Examples........................................................................................................................................833
3.5 GR Configuration.......................................................................................................................................................859
3.5.1 GR Introduction.......................................................................................................................................................859
3.5.2 Configuring the System-Level GR..........................................................................................................................868
3.5.3 Maintaining HA.......................................................................................................................................................870
3.6 Ethernet OAM Configuration.....................................................................................................................................870
3.6.1 CFM Configuration.................................................................................................................................................870
3.6.2 Configuring Basic Ethernet CFM............................................................................................................................875
3.6.3 Configuring Related Parameters of Ethernet CFM.................................................................................................885
3.6.4 Fault Verification on the Ethernet...........................................................................................................................889
3.6.5 Locating the Fault on the Ethernet..........................................................................................................................891
3.6.6 Configuring Association Between Ethernet CFM and an Interface........................................................................893
3.6.7 Associating EFM OAM with Ethernet CFM...........................................................................................................896
3.6.8 Configuring Association Between Ethernet CFM and an Interface (Triggering the Physical Status of the Interface
Associated with Ethernet CFM to Become Down)..........................................................................................................898
3.6.9 Associating Ethernet CFM with VLL.....................................................................................................................901
3.6.10 Associating Ethernet CFM with VPLS.................................................................................................................907
3.6.11 Maintaining Ethernet OAM...................................................................................................................................912
3.7 EFM Configuration.....................................................................................................................................................960
3.7.1 EFM Overview........................................................................................................................................................960
3.7.2 Configuring Basic EFM Functions..........................................................................................................................966
3.7.3 Configuring Link Monitoring..................................................................................................................................971
Issue 02 (2013-12-31)

ix

Equipment
Contents
3.7.4 Configuring Remote Loopback...............................................................................................................................973

3.7.5 Configuring Remote Fault Indication......................................................................................................................976
3.7.6 Configuring EFM Association Functions................................................................................................................977
3.7.7 Maintaining EFM....................................................................................................................................................984
3.8 Y.1731 Configuration...............................................................................................................................................1002
3.8.1 Y.1731 Overview...................................................................................................................................................1002
3.8.2 Configuring Y.1731 Functions in VLL Networking.............................................................................................1008
3.8.3 Configuring Y.1731 Functions in VPLS Networking...........................................................................................1040
3.8.4 Configuring Y.1731 Functions in VLAN Networking..........................................................................................1071
3.9 MPLS-TP OAM Configuration................................................................................................................................1143
3.9.1 Introduction...........................................................................................................................................................1143
3.9.2 Configuring MPLS-TP OAM for an LSP..............................................................................................................1146
3.9.3 Configuring MPLS-TP OAM for a PW................................................................................................................1155
3.10 ISSU Configuration................................................................................................................................................1199
3.10.1 Introduction.........................................................................................................................................................1199
3.10.2 Implementing ISSU.............................................................................................................................................1200
3.10.3 Maintaining ISSU................................................................................................................................................1207
3.10.4 Configuration Examples......................................................................................................................................1207
3.11 Glossary..................................................................................................................................................................1209
3.12 Acronyms and Abbreviations.................................................................................................................................1210
4 Interface Management............................................................................................................1212
4.1 Interface Basic Configuration...................................................................................................................................1213
4.1.1 Interface Basic Configuration Overview...............................................................................................................1213
4.1.2 Configuring an Interface Description....................................................................................................................1222
4.1.3 Configuring the Hold-Time Interval After an Interface Becomes Up/Down........................................................1223
4.1.4 Configuring the Interval for Collecting Traffic Statistics on an Interface.............................................................1225
4.1.5 Enabling the Alarm Function on an Interface........................................................................................................1228
4.1.6 Disabling a Device from Sending Traps to an NMS When an Interface Flaps.....................................................1230
4.1.7 Maintaining Interface Basic Configuration...........................................................................................................1231
4.2 Logical Interface Configuration...............................................................................................................................1232
4.2.1 Logical Interface Configuration Overview............................................................................................................1233
4.2.2 Configuring a Loopback Interface.........................................................................................................................1233
4.2.3 Configuring a NULL Interface..............................................................................................................................1235
4.3 Fast Feeling Configuration.......................................................................................................................................1236
4.3.1 Fast Feeling Configuration Overview...................................................................................................................1236
4.3.2 Configuring Fast Feeling.......................................................................................................................................1237
4.3.3 Maintaining Fast Feeling.......................................................................................................................................1238
4.4 Flapping Control Configuration...............................................................................................................................1238
Issue 02 (2013-12-31)


Equipment
Contents
4.4.1 Flapping Control Configuration Overview............................................................................................................1238

4.4.2 Configuring the Interface Flapping Control..........................................................................................................1240
4.4.3 Maintaining the Flapping Control Feature............................................................................................................1242
4.5 Transmission Alarm Configuration..........................................................................................................................1243
4.5.1 Transmission Alarm Configuration Overview......................................................................................................1243
4.5.2 Configuring Transmission Alarm Customization..................................................................................................1244
4.5.3 Configuring the Interval for Filtering Transmission Alarms.................................................................................1247
4.5.4 Configuring Transmission Alarm Suppression Function......................................................................................1249
4.5.5 Maintaining............................................................................................................................................................1251
4.6 Glossary....................................................................................................................................................................1251
5 LAN Access and MAN Access..............................................................................................1262

5.1 MAC Address Table Configuration.........................................................................................................................1264
5.1.1 MAC Address Table Introduction.........................................................................................................................1264
5.1.2 Configuring the MAC Address Table Based on the VLAN and Layer 2 Interface..............................................1265
5.1.3 Configuring the MAC Address Table Based on the VSI and Layer 3 Interface...................................................1268
5.1.4 Configuring the Aging Time of a MAC Address Table........................................................................................1270
5.1.5 Maintaining MAC Address Table.........................................................................................................................1272
5.1.6 Configuring the Usage Threshold for a MAC Address Table...............................................................................1273
5.2 Ethernet Interface Configuration..............................................................................................................................1277
5.2.1 Ethernet Interface Introduction..............................................................................................................................1277
5.2.2 Configuring Ethernet Interfaces of the Interface Board........................................................................................1278
5.2.3 Configuring an Ethernet Sub-interface..................................................................................................................1283
5.2.4 Configuring the Alarm Thresholds and Log Thresholds for Inbound and Outbound Bandwidth Usage for an Interface
........................................................................................................................................................................................1288
5.2.5 Maintaining Ethernet Interfaces............................................................................................................................1289
5.3 Eth-Trunk Interface Configuration...........................................................................................................................1292
5.3.1 Overview of Eth-Trunk Interfaces.........................................................................................................................1292
5.3.2 Configuring an Eth-Trunk Interface to Work in Static LACP Mode....................................................................1295
5.3.3 Configuring an Eth-Trunk Interface to Work in Manual Load Balancing Mode..................................................1309
5.4 VLAN Configuration................................................................................................................................................1329
5.4.1 VLAN Introduction...............................................................................................................................................1329
5.4.2 Dividing a LAN into VLANs................................................................................................................................1337
5.4.3 Configuring a VLANIF Interface..........................................................................................................................1340
5.4.4 Configuring Inter-VLAN Communication............................................................................................................1344
5.4.5 Configuring VLAN Security Attributes................................................................................................................1352
5.4.6 Configuring VLAN Aggregation to Save IP Addresses........................................................................................1356
5.4.7 Configuring VLAN Policy-based VPN Access.....................................................................................................1362
Issue 02 (2013-12-31)

xi

Equipment
Contents
5.4.8 Configuring Interface Isolation in a VLAN..........................................................................................................1366

5.4.9 Maintaining VLAN................................................................................................................................................1368
5.5 QinQ Configuration..................................................................................................................................................1393
5.5.1 QinQ Introduction..................................................................................................................................................1394
5.5.2 Configuring the QinQ Tunnel Function................................................................................................................1396
5.5.3 Configuring Selective QinQ on a Layer 2 Interface..............................................................................................1399
5.5.4 Configuring the Sub-interface for VLAN Tag Termination to Access the IP Service..........................................1402
5.5.5 Configuring the Sub-interface for VLAN Tag Termination to Access the VPN Service.....................................1407
5.5.6 Configuring the Sub-interface for QinQ Stacking to Access an L2VPN..............................................................1412
5.5.7 Maintaining QinQ..................................................................................................................................................1416
5.6 STP/RSTP Configuration.........................................................................................................................................1478
5.6.1 STP/RSTP Overview.............................................................................................................................................1478
5.6.2 Configuring Basic STP/RSTP Functions..............................................................................................................1485
5.6.3 Configuring STP/RSTP Parameters on an Interface.............................................................................................1491
5.6.4 Configuring RSTP Protection Functions...............................................................................................................1499
5.6.5 Configuring STP/RSTP Interoperability Between Huawei Devices and Non-Huawei Devices...........................1503
5.6.6 Maintaining STP/RSTP.........................................................................................................................................1506
5.7 MSTP Configuration................................................................................................................................................1520
5.7.1 MSTP Overview....................................................................................................................................................1520
5.7.2 Configuring Basic MSTP Functions......................................................................................................................1530
5.7.3 Configuring MSTP Parameters on an Interface....................................................................................................1538
5.7.4 Configuring MSTP Protection Functions..............................................................................................................1543
5.7.5 Configuring MSTP Interoperability Between Huawei Devices and Non-Huawei Devices..................................1548
5.7.6 Maintaining MSTP................................................................................................................................................1551
5.8 RRPP Configuration.................................................................................................................................................1561
5.8.1 RRPP Introduction.................................................................................................................................................1561
5.8.2 Configuring RRPP Functions................................................................................................................................1565
5.8.3 Configuring the Monitoring Interface...................................................................................................................1572
5.8.4 Maintaining RRPP.................................................................................................................................................1574
5.9 LLDP Configuration.................................................................................................................................................1588
5.9.1 Introduction...........................................................................................................................................................1588
5.9.2 Configuring LLDP.................................................................................................................................................1590
5.9.3 Maintaining LLDP.................................................................................................................................................1597
5.10 Automatic Link Discovery Configuration..............................................................................................................1608
5.10.1 Overview.............................................................................................................................................................1608
Issue 02 (2013-12-31)

xii

Equipment
Contents
5.10.2 Configuring Automatic Link Discovery..............................................................................................................1610

5.10.3 Maintenance.........................................................................................................................................................1613
5.11 Transparent Transmission of Layer 2 Protocol Packets Configuration..................................................................1613
5.11.1 Overview of Transparent Transmission of Layer 2 Protocol Packets.................................................................1613
5.11.2 Configuring Interface-based Transparent Transmission of Layer 2 Protocol Packets........................................1621
5.11.3 Configuring VLAN-based Transparent Transmission of Layer 2 Protocol Packets...........................................1626
5.11.4 Configuring QinQ-based Transparent Transmission of Layer 2 Protocol Packets.............................................1631
5.11.5 Configuring Hybrid VLAN-based Transparent Transmission of Layer 2 Protocol Packets...............................1636
5.12 ERPS (G.8032) Configuration................................................................................................................................1672
5.12.1 Introduction.........................................................................................................................................................1672
5.12.2 Configuring ERPSv1...........................................................................................................................................1685
5.12.3 Configuring ERPSv2...........................................................................................................................................1694
5.12.4 Maintaining EPRS...............................................................................................................................................1704
6 WAN Access.............................................................................................................................1725
6.1 E-Carrier and T-Carrier Interfaces Configuration....................................................................................................1727
6.1.1 Introduction to the E-Carrier and T-Carrier Interfaces..........................................................................................1727
6.1.2 Configuring E1 Interfaces.....................................................................................................................................1730
6.1.3 Configuring CT1 Interfaces...................................................................................................................................1734
6.1.4 Maintaining E-Carrier or T-Carrier Interface Configuration.................................................................................1738
6.2 Serial Interface Configuration..................................................................................................................................1744
6.2.1 Introduction to the Serial Interface........................................................................................................................1744
6.2.2 Configuring the Link Layer Attributes for a Serial Interface................................................................................1744
6.2.3 Maintaining Serial Interface Configuration...........................................................................................................1748
6.3 POS and CPOS Interface Configuration..................................................................................................................1749
6.3.1 Introduction to the POS and CPOS Interfaces.......................................................................................................1749
6.3.2 Configuring POS Interfaces...................................................................................................................................1754
6.3.3 Configuring STM-1 CPOS Interfaces...................................................................................................................1757
6.3.4 Configuring a CPOS-Trunk Interface....................................................................................................................1760
6.3.5 Configuring E1 Channels of the CPOS Interface..................................................................................................1763
6.3.6 Maintaining CPOS Interface Configuration..........................................................................................................1767
6.3.7 Configuration Examples .......................................................................................................................................1768
6.4 APS Configuration...................................................................................................................................................1770
6.4.1 APS Overview.......................................................................................................................................................1770
6.4.2 Configuring Single-Device APS...........................................................................................................................1773
6.5 PPP and MP Configuration.......................................................................................................................................1781
6.5.1 Introduction...........................................................................................................................................................1781
6.5.2 Encapsulating an Interface with PPP.....................................................................................................................1782
Issue 02 (2013-12-31)

xiii

Equipment
Contents
6.5.3 Configuring PPP Optional Parameters..................................................................................................................1783

6.5.4 Configuring MP Binding Using an MP-Group.....................................................................................................1785
6.5.5 Configuring MP Limiting Parameters...................................................................................................................1789
6.5.6 Configuring MP Fragmentation.............................................................................................................................1793
6.5.7 Configuring Global-MP-Group Interfaces ...........................................................................................................1794
6.6 ATM IMA Configuration.........................................................................................................................................1800
6.6.1 ATM IMA Overview.............................................................................................................................................1800
6.6.2 Configuring ATM Services on a Serial Interface..................................................................................................1802
6.6.3 Configuring IMA Groups......................................................................................................................................1807
6.6.4 Configuring IMAoPSN Functions(1-to-1 and N-to-1 ATM Transparent Cell Transport)....................................1813
6.6.5 Configuring ATM-Bundle Group Members..........................................................................................................1820
6.6.6 Configuring ATM Bundle.....................................................................................................................................1826
6.6.7 Configuring ATM OAM.......................................................................................................................................1831
6.7 TDM Configuration..................................................................................................................................................1854
6.7.1 CES Overview.......................................................................................................................................................1854
6.7.2 Configuring a Serial Interface...............................................................................................................................1856
6.7.3 Configuring a CES Service....................................................................................................................................1858
6.8 xDSL Configuration.................................................................................................................................................1869
6.8.1 Introduction to xDSL.............................................................................................................................................1869
6.8.2 Configuring xDSL Logical Interfaces...................................................................................................................1872
6.9 Glossary....................................................................................................................................................................1901
7 IP Services.................................................................................................................................1909
7.1 IP Addresses Configuration......................................................................................................................................1910
7.1.1 IP Addresses Overview.........................................................................................................................................1910
7.1.2 Configuring IP Addresses for Interfaces...............................................................................................................1911
7.1.3 Maintaining IP Addresses......................................................................................................................................1913
7.2 ARP Configuration...................................................................................................................................................1918
7.2.1 Introduction...........................................................................................................................................................1918
7.2.2 Configuring Static ARP.........................................................................................................................................1920
7.2.3 Optimizing Dynamic ARP.....................................................................................................................................1923
7.2.4 Configuring Routed Proxy ARP............................................................................................................................1927
7.2.5 Configuring ARP-Ping IP......................................................................................................................................1929
7.2.6 Configuring ARP-Ping MAC................................................................................................................................1931
7.2.7 Maintaining ARP...................................................................................................................................................1932
Issue 02 (2013-12-31)

xiv

Equipment
Contents
7.3 IP Performance Configuration..................................................................................................................................1936

7.3.1 IP Performance Overview.....................................................................................................................................1936
7.3.2 Improving IP Performance....................................................................................................................................1937
7.3.3 Configuring TCP...................................................................................................................................................1941
7.3.4 Maintaining IP Performance..................................................................................................................................1943
7.4 ACL Configuration...................................................................................................................................................1947
7.4.1 Introduction...........................................................................................................................................................1947
7.4.2 Configuring a Basic ACL......................................................................................................................................1951
7.4.3 Configuring an Advanced ACL.............................................................................................................................1960
7.4.4 Configuring an Ethernet Frame Header-based ACL.............................................................................................1971
7.4.5 Maintaining an ACL..............................................................................................................................................1975
7.5 Basic IPv6 Configuration.........................................................................................................................................1979
7.5.1 Basic IPv6 Overview.............................................................................................................................................1979
7.5.2 Configuring an IPv6 Address for an Interface.......................................................................................................1981
7.5.3 Configuring an IPv6 Address Selection Policy Table...........................................................................................1986
7.5.4 Configuring IPv6 Neighbor Discovery..................................................................................................................1987
7.5.5 Configuring PMTU................................................................................................................................................1995
7.5.6 Configuring TCP6.................................................................................................................................................1998
7.5.7 Configuring ICMPv6 Message Control.................................................................................................................2001
7.5.8 Maintaining IPv6...................................................................................................................................................2003
7.6 ACL6 Configuration.................................................................................................................................................2016
7.6.1 Introduction...........................................................................................................................................................2016
7.6.2 Configuring a Basic ACL6....................................................................................................................................2020
7.6.3 Configuring an Advanced ACL6...........................................................................................................................2026
7.6.4 Configuring an Interface-based ACL6..................................................................................................................2033
7.6.5 Maintaining ACL6.................................................................................................................................................2036
7.7 Glossary....................................................................................................................................................................2040
8 IP Routing.................................................................................................................................2046
8.1 IP Routing Basic Configuration...............................................................................................................................2048
8.1.1 Routing Management............................................................................................................................................2048
8.1.2 Configuring Public Network IP FRR....................................................................................................................2050
8.1.3 Configuring the Advertisement of IPv4 ARP Vlink Direct Routes on the Public Network.................................2053
8.1.4 Configuring the Advertisement of IPv6 NDP Vlink Direct Routes on the Public Network.................................2056
8.1.5 Maintaining the Route Management Module........................................................................................................2059
8.1.6 Configuration Example..........................................................................................................................................2062
8.2 IP Static Route Configuration...................................................................................................................................2073
Issue 02 (2013-12-31)

xv

Equipment
Contents
8.2.1 Introduction...........................................................................................................................................................2073
8.2.2 Configuring an IPv4 Static Route..........................................................................................................................2074
8.2.3 Configuring an IPv6 Static Route..........................................................................................................................2078
8.2.4 Configuring BFD for IPv4 Static Routes on the Public Network.........................................................................2080
8.2.5 Configuring NQA for IPv4 Static Routes..............................................................................................................2084
8.3 RIP Configuration.....................................................................................................................................................2093
8.3.1 Introduction...........................................................................................................................................................2093
8.3.2 Configuring Basic RIP Functions..........................................................................................................................2094
8.3.3 Configuring RIP Route Attributes.........................................................................................................................2100
8.3.4 Controlling the Advertising of RIP Routing Information.....................................................................................2104
8.3.5 Controlling the Receiving of RIP Routing Information........................................................................................2109
8.3.6 Configuring RIP-2 Features...................................................................................................................................2114
8.3.7 Optimizing a RIP Network....................................................................................................................................2118
8.3.8 Configuring RIP GR..............................................................................................................................................2125
8.3.9 Configuring BFD for RIP......................................................................................................................................2127
8.3.10 Configuring Static BFD for RIP..........................................................................................................................2129
8.3.11 Configuring the Network Management Function in RIP....................................................................................2132
8.3.12 Maintaining RIP..................................................................................................................................................2133
8.4 RIPng Configuration.................................................................................................................................................2141
8.4.1 Introduction...........................................................................................................................................................2141
8.4.2 Configuring Basic RIPng Functions......................................................................................................................2142
8.4.3 Configuring RIPng Route Attributes.....................................................................................................................2145
8.4.4 Controlling the Advertising of RIPng Routing Information.................................................................................2148
8.4.5 Controlling the Receiving of RIPng Routing Information....................................................................................2153
8.4.6 Optimizing a RIPng Network................................................................................................................................2156
8.4.7 Maintaining RIPng................................................................................................................................................2160
8.5 OSPF Configuration.................................................................................................................................................2161
8.5.1 Introduction...........................................................................................................................................................2161
8.5.2 Configuring Basic OSPF Functions......................................................................................................................2168
8.5.3 Configuring OSPF on the NBMA or P2MP Network...........................................................................................2178
8.5.4 Configuring an OSPF Route Selection Rule.........................................................................................................2185
8.5.5 Controlling OSPF Routing Information................................................................................................................2191
8.5.6 Configuring an OSPF Dynamic Hostname...........................................................................................................2209
8.5.7 Configuring an OSPF Stub Area...........................................................................................................................2210
8.5.8 Configuring an NSSA............................................................................................................................................2212
8.5.9 Configuring BFD for OSPF...................................................................................................................................2215
8.5.10 Configuring OSPF IP FRR..................................................................................................................................2220
8.5.11 Configuring OSPF GR.........................................................................................................................................2224
8.5.12 Configuring the Network Management Function of OSPF.................................................................................2229
Issue 02 (2013-12-31)

xvi

Equipment
Contents
8.5.13 Maintaining OSPF...............................................................................................................................................2231

8.6 OSPFv3 Configuration.............................................................................................................................................2275
8.6.1 Introduction...........................................................................................................................................................2275
8.6.2 Configuring Basic OSPFv3 Functions..................................................................................................................2276
8.6.3 Establishing or Maintaining OSPFv3 Neighbor Relationship...............................................................................2279
8.6.4 Configuring OSPFv3 Areas...................................................................................................................................2282
8.6.5 Configuring OSPFv3 NSSA Areas........................................................................................................................2285
8.6.6 Configuring OSPFv3 Route Attributes..................................................................................................................2287
8.6.7 Controlling OSPFv3 Routing Information............................................................................................................2289
8.6.8 Optimizing an OSPFv3 Network...........................................................................................................................2302
8.6.9 Configuring the Network Management Function of OSPFv3...............................................................................2308
8.6.10 Maintaining OSPFv3...........................................................................................................................................2310
8.7 IS-IS Configuration..................................................................................................................................................2310
8.7.1 Introduction...........................................................................................................................................................2310
8.7.2 Configuring Basic IPv4 IS-IS Functions...............................................................................................................2318
8.7.3 Establishing or Maintaining IS-IS Neighbor Relationships or Adjacencies.........................................................2330
8.7.4 Configuring IPv4 IS-IS Route Selection...............................................................................................................2336
8.7.5 Configuring IPv4 IS-IS Route Summarization......................................................................................................2348
8.7.6 Configuring IPv4 IS-IS to Interact with Other Routing Protocols........................................................................2349
8.7.7 Configuring the IPv4 IS-IS Route Convergence Speed........................................................................................2357
8.7.8 Configuring Basic IPv6 IS-IS Functions...............................................................................................................2367
8.7.9 Configuring IPv6 IS-IS Route Selection...............................................................................................................2379
8.7.10 Configuring IPv6 IS-IS Route Summarization....................................................................................................2392
8.7.11 Configuring IPv6 IS-IS to Interact with Other Routing Protocols......................................................................2393
8.7.12 Configuring the IPv6 IS-IS Route Convergence Speed......................................................................................2401
8.7.13 Configuring Static IPv4 BFD for IS-IS...............................................................................................................2411
8.7.14 Configuring Dynamic IPv4 BFD for IS-IS..........................................................................................................2413
8.7.15 Configuring IPv4 IS-IS Auto FRR......................................................................................................................2416
8.7.16 Configuring IS-IS GR..........................................................................................................................................2419
8.7.17 Improving Security of an IS-IS Network............................................................................................................2422
8.7.18 Maintaining IS-IS................................................................................................................................................2427
8.8 BGP Configuration...................................................................................................................................................2461
8.8.1 Introduction...........................................................................................................................................................2461
8.8.2 Configuring Basic BGP Functions........................................................................................................................2469
8.8.3 Configuring BGP Route Attributes.......................................................................................................................2475
8.8.4 Configuring BGP to Advertise Routes..................................................................................................................2488
8.8.5 Configuring BGP to Receive Routes.....................................................................................................................2502
8.8.6 Configuring BGP Route Aggregation...................................................................................................................2517
8.8.7 Configuring BGP Peer Groups..............................................................................................................................2519
Issue 02 (2013-12-31)

xvii

Equipment
Contents
8.8.8 Configuring BGP Route Reflectors.......................................................................................................................2523

8.8.9 Configuring a BGP Confederation........................................................................................................................2530
8.8.10 Configuring BGP Community Attributes............................................................................................................2532
8.8.11 Configuring Prefix-based BGP ORF...................................................................................................................2535
8.8.12 Configuring to Adjust the BGP Network Convergence Speed...........................................................................2538
8.8.13 Configuring BGP Route Dampening...................................................................................................................2547
8.8.14 Configuring a BGP Device to Send a Default Route to Its Peer.........................................................................2549
8.8.15 Configuring BGP Load Balancing......................................................................................................................2552
8.8.16 Configuring Path MTU Auto Discovery.............................................................................................................2557
8.8.17 Configuring the BGP Next Hop Delayed Response............................................................................................2559
8.8.18 Configuring BFD for BGP..................................................................................................................................2562
8.8.19 Configuring BGP Auto FRR...............................................................................................................................2564
8.8.20 Configuring BGP GR..........................................................................................................................................2567
8.8.21 Configuring BGP Security...................................................................................................................................2571
8.8.22 Maintaining BGP.................................................................................................................................................2575
8.8.23 Applying BGP AS_Path Regular Expressions....................................................................................................2576
8.9 BGP4+ Configuration...............................................................................................................................................2624
8.9.1 Introduction...........................................................................................................................................................2624
8.9.2 Configuring Basic BGP4+ Functions....................................................................................................................2625
8.9.3 Configuring BGP4+ Route Attributes...................................................................................................................2629
8.9.4 Controlling the Advertising and Receiving of BGP4+ Routing Information........................................................2638
8.9.5 Configuring Parameters of a Connection Between BGP4+ Peers.........................................................................2648
8.9.6 Configuring BGP4+ PeerTracking........................................................................................................................2656
8.9.7 Configuring BGP4+ Route Dampening................................................................................................................2657
8.9.8 Configuring a BGP4+ Peer Group.........................................................................................................................2659
8.9.9 Configuring a BGP4+ Route Reflector.................................................................................................................2662
8.9.10 Configuring a BGP4+ Confederation..................................................................................................................2667
8.9.11 Configuring BGP4+ Security..............................................................................................................................2669
8.9.12 Maintaining BGP4+.............................................................................................................................................2672
8.10 Routing Policy Configuration.................................................................................................................................2673
8.10.1 Introduction.........................................................................................................................................................2674
8.10.2 Configuring the IP-Prefix List.............................................................................................................................2676
8.10.3 Configuring the Route-Policy..............................................................................................................................2679
8.10.4 Applying Filters to Received Routes...................................................................................................................2685
8.10.5 Applying Filters to Advertised Routes................................................................................................................2697
8.10.6 Applying Filters to Imported Routes...................................................................................................................2710
8.10.7 Controlling the Valid Time of the Routing policy..............................................................................................2713
8.10.8 Maintaining the Routing Policy...........................................................................................................................2715
8.11 A Glossary..............................................................................................................................................................2720
Issue 02 (2013-12-31)

xviii

Equipment
Contents
9 IP Multicast...............................................................................................................................2728
9.1 Multicast Configuration Guide.................................................................................................................................2730
9.1.1 Multicast Introduction...........................................................................................................................................2730
9.1.2 IPv4 Multicast-related Concepts...........................................................................................................................2733
9.2 IGMP Configuration.................................................................................................................................................2737
9.2.1 IGMP Introduction................................................................................................................................................2738
9.2.2 Configuring Basic IGMP Functions......................................................................................................................2740
9.2.3 Configuring Options of an IGMP Packet..............................................................................................................2746
9.2.4 Configuring IGMP Query Control........................................................................................................................2751
9.2.5 Configuring SSM Mapping...................................................................................................................................2757
9.2.6 Configuring the IGMP Limit Function..................................................................................................................2760
9.2.7 Maintaining IGMP.................................................................................................................................................2764
9.3 Layer 2 Multicast Configuration..............................................................................................................................2779
9.3.1 Configuring IGMP Snooping................................................................................................................................2779
9.3.2 Configuring Static Layer 2 Multicast....................................................................................................................2789
9.3.3 Configuring Layer 2 SSM Mapping......................................................................................................................2793
9.3.4 Configuring IGMP Snooping Proxy......................................................................................................................2796
9.3.5 Configuring Layer 2 Multicast Replication...........................................................................................................2801
9.3.6 Configuring the Network Management Function for Layer 2 Multicast...............................................................2804
9.3.7 Maintaining Static Layer 2 Multicast....................................................................................................................2805
9.4 PIM-DM (IPv4) Configuration.................................................................................................................................2819
9.4.1 PIM-DM (IPv4) Introduction................................................................................................................................2819
9.4.2 Configuring Basic PIM-DM Functions.................................................................................................................2821
9.4.3 Adjusting Control Parameters of a Multicast Source............................................................................................2824
9.4.4 Adjusting Control Parameters for Maintaining Neighbor Relationships..............................................................2827
9.4.5 Adjusting Control Parameters for Prune...............................................................................................................2832
9.4.6 Adjusting Control Parameters for State-Refresh...................................................................................................2836
9.4.7 Adjusting Control Parameters for Graft................................................................................................................2840
9.4.8 Adjusting Control Parameters for Assert...............................................................................................................2842
9.4.9 Configuring PIM Silent Function..........................................................................................................................2845
9.4.10 Maintaining PIM-DM (IPv4)...............................................................................................................................2847
9.4.11 Configuration Example........................................................................................................................................2848
9.5 PIM-SM (IPv4) Configuration.................................................................................................................................2853
9.5.1 PIM-SM (IPv4) Introduction.................................................................................................................................2853
9.5.2 Configuring Basic PIM-SM Functions..................................................................................................................2856
9.5.3 Adjusting Control Parameters for a Multicast Source...........................................................................................2865
9.5.4 Adjusting Control Parameters of the C-RP and C-BSR........................................................................................2869
9.5.5 Configuring a BSR Administrative Domain.........................................................................................................2875
Issue 02 (2013-12-31)

xix

Equipment
Contents
9.5.6 Adjusting Control Parameters for Establishing the Neighbor Relationship..........................................................2879

9.5.7 Adjusting Control Parameters for Source Registering..........................................................................................2885
9.5.8 Adjusting Control Parameters for Forwarding......................................................................................................2889
9.5.9 Adjusting Control Parameters for Assert...............................................................................................................2896
9.5.10 Configuring the SPT Switchover.........................................................................................................................2899
9.5.11 Configuring PIM for Anycast RP........................................................................................................................2902
9.5.12 Configuring BFD for IPv4 PIM...........................................................................................................................2906
9.5.13 Configuring PIM Silent.......................................................................................................................................2909
9.5.14 Maintaining PIM-SM (IPv4)...............................................................................................................................2911
9.6 MSDP Configuration................................................................................................................................................2926
9.6.1 MSDP Introduction................................................................................................................................................2926
9.6.2 Configuring PIM-SM Inter-domain Multicast......................................................................................................2928
9.6.3 Configuring an Anycast RP in a PIM-SM Domain...............................................................................................2933
9.6.4 Managing MSDP Peer Connections......................................................................................................................2939
9.6.5 Configuring SA Cache...........................................................................................................................................2941
9.6.6 Configuring the SA Request..................................................................................................................................2944
9.6.7 Transmitting Burst Multicast Data Between Domains..........................................................................................2947
9.6.8 Configuring the Filtering Rules for SA Messages.................................................................................................2950
9.6.9 Configuring MSDP Authentication.......................................................................................................................2955
9.6.10 Maintaining MSDP..............................................................................................................................................2958
9.7 MBGP Configuration...............................................................................................................................................2960
9.7.1 MBGP Introduction...............................................................................................................................................2960
9.7.2 Configuring Basic MBGP Functions.....................................................................................................................2960
9.7.3 Configuring the Policy for Advertising MBGP Routes.........................................................................................2966
9.7.4 Configuring the Policy for Exchanging Routes Between MBGP Peers................................................................2971
9.7.5 Configuring MBGP Route Attributes....................................................................................................................2980
9.7.6 Configuring MBGP Route Dampening.................................................................................................................2985
9.7.7 Maintaining MBGP...............................................................................................................................................2987
9.8 IPv4 Multicast Routing Management.......................................................................................................................2997
9.8.1 IPv4 Multicast Routing Management Introduction...............................................................................................2997
9.8.2 Configuring a Static Multicast Route....................................................................................................................2999
9.8.3 Configuring the Multicast Routing Policy.............................................................................................................3002
9.8.4 Configuring the Multicast Forwarding Scope.......................................................................................................3005
9.8.5 Configuring Control Parameters of the Multicast Forwarding Table....................................................................3008
9.8.6 Maintaining the Multicast Policy..........................................................................................................................3010
9.8.8 Troubleshooting of Static Multicast Routes..........................................................................................................3022
9.9 Multicast Network Management..............................................................................................................................3022
9.9.1 Multicast Network Management Introduction......................................................................................................3022
Issue 02 (2013-12-31)

xx

Equipment
Contents
9.9.2 Configuring Multicast Network Management.......................................................................................................3023

9.9.3 Adjusting the Frequency for Multicast Protocols to Send Trap Messages............................................................3027
9.10 Glossary..................................................................................................................................................................3029
10 MPLS........................................................................................................................................3039
10.1 Static LSPs Configuration......................................................................................................................................3040
10.1.1 Introduction.........................................................................................................................................................3040
10.1.2 Configuring Static LSPs......................................................................................................................................3040
10.1.3 Configuring Static BFD for Static LSP...............................................................................................................3045
10.1.4 Maintaining Static LSPs......................................................................................................................................3050
10.2 MPLS LDP Configuration......................................................................................................................................3065
10.2.1 MPLS LDP Overview.........................................................................................................................................3065
10.2.2 Configuring a Local LDP Session.......................................................................................................................3069
10.2.3 Configuring a Remote LDP Session....................................................................................................................3077
10.2.4 Configuring LDP LSPs........................................................................................................................................3087
10.2.5 Configuring LDP Extension for Inter-Area LSP.................................................................................................3093
10.2.6 Configuring LDP LSP Load Balancing...............................................................................................................3095
10.2.7 Configuring Static BFD for LDP LSP.................................................................................................................3096
10.2.8 Configuring Dynamic BFD for LDP LSP...........................................................................................................3102
10.2.9 Configuring LDP Auto FRR................................................................................................................................3107
10.2.10 Configuring Manual LDP FRR.........................................................................................................................3109
10.2.11 Configuring Synchronization Between LDP and IGP.......................................................................................3112
10.2.12 Configuring Synchronization Between LDP and Static Routes........................................................................3119
10.2.13 Configuring LDP Security Features..................................................................................................................3122
10.2.14 Configuring LDP GR.........................................................................................................................................3126
10.2.15 Maintaining MPLS LDP....................................................................................................................................3129
10.2.16 Configuration Examples....................................................................................................................................3131
10.3 MPLS TE Configuration........................................................................................................................................3214
10.3.1 Introduction.........................................................................................................................................................3214
10.3.2 Configuring Static CR-LSP.................................................................................................................................3218
10.3.3 Configuring a Static Bidirectional Co-routed LSP..............................................................................................3225
10.3.4 Configuring an RSVP-TE Tunnel.......................................................................................................................3234
10.3.5 Configuring a Tunnel Protection Group..............................................................................................................3246
10.3.6 Referencing the CR-LSP Attribute Template to Set Up a CR-LSP....................................................................3250
10.3.7 Configuring an Associated Bidirectional Dynamic LSP.....................................................................................3255
10.3.8 Adjusting RSVP Signaling Parameters...............................................................................................................3257
10.3.9 Configuring RSVP Authentication......................................................................................................................3263
10.3.10 Adjusting the Path of CR-LSP...........................................................................................................................3270
10.3.11 Adjusting the Establishment of MPLS TE Tunnels..........................................................................................3280
10.3.12 Importing Traffic to an MPLS TE Tunnel.........................................................................................................3286
Issue 02 (2013-12-31)

xxi

Equipment
Contents
10.3.13 Adjusting Flooding Threshold of Bandwidth Change.......................................................................................3290

10.3.14 Configuring the Limit Rate of MPLS TE Traffic..............................................................................................3292
10.3.15 Configuring TE Manual FRR............................................................................................................................3294
10.3.16 Configuring MPLS TE Auto FRR.....................................................................................................................3300
10.3.17 Configuring CR-LSP Backup............................................................................................................................3304
10.3.18 Configuring Synchronization of the Bypass Tunnel and the Backup CR-LSP.................................................3312
10.3.19 Configuring RSVP GR......................................................................................................................................3314
10.3.20 Configuring Static BFD for CR-LSP.................................................................................................................3319
10.3.21 Configuring Static BFD for TE.........................................................................................................................3327
10.3.22 Configuring Dynamic BFD for CR-LSP...........................................................................................................3333
10.3.23 Configuring Dynamic BFD for RSVP...............................................................................................................3340
10.3.24 Maintaining MPLS TE......................................................................................................................................3345
10.4 MPLS Common Configuration..............................................................................................................................3554
10.4.1 Introduction.........................................................................................................................................................3554
10.4.2 Configuring the Mode in Which MPLS Handles the TTL..................................................................................3555
10.4.3 Optimizing MPLS................................................................................................................................................3558
10.4.4 Maintaining MPLS Common Configuration.......................................................................................................3560
10.5 Seamless MPLS Configuration..............................................................................................................................3561
10.5.1 Introduction.........................................................................................................................................................3561
10.5.2 Configuring Intra-AS Seamless MPLS...............................................................................................................3563
10.5.3 Configuring Inter-AS Seamless MPLS...............................................................................................................3573
10.5.4 Configuring Inter-AS Seamless MPLS+HVPN..................................................................................................3585
10.5.5 Maintaining Seamless MPLS..............................................................................................................................3596
11 VPN..........................................................................................................................................3645
11.1 Tunnel Management Configuration........................................................................................................................3647
11.1.1 Tunnel Management Overview...........................................................................................................................3647
11.1.2 Configuring and Applying a Tunnel Policy........................................................................................................3649
11.1.3 Maintaining VPN Tunnels...................................................................................................................................3656
11.2 GRE Configuration.................................................................................................................................................3681
11.2.1 Configuring GRE.................................................................................................................................................3681
11.2.2 Configuring the Keepalive Function...................................................................................................................3683
11.3 BGP MPLS IP VPN Configuration........................................................................................................................3688
11.3.1 BGP MPLS IP VPN Overview............................................................................................................................3688
11.3.2 Configuring Basic BGP/MPLS IP VPN..............................................................................................................3690
11.3.3 Configuring Hub and Spoke................................................................................................................................3708
11.3.4 Configuring OSPF Sham Link............................................................................................................................3717
11.3.5 Configuring a Multi-VPN-Instance CE...............................................................................................................3721
Issue 02 (2013-12-31)

xxii

Equipment
Contents
11.3.6 Configuring VPN GR..........................................................................................................................................3724

11.3.7 Maintaining BGP/MPLS IP VPN........................................................................................................................3732
11.4 BGP MPLS IPv6 VPN Configuration....................................................................................................................3746
11.4.1 BGP MPLS IPv6 VPN Overview........................................................................................................................3746
11.4.2 Configuring a Basic BGP/MPLS IPv6 VPN.......................................................................................................3748
11.4.3 Configuring Hub and Spoke................................................................................................................................3766
11.4.4 Maintaining BGP/MPLS IPv6 VPN....................................................................................................................3775
11.5 VLL Configuration.................................................................................................................................................3792
11.5.1 VLL Overview.....................................................................................................................................................3792
11.5.2 Configuring CCC VLL........................................................................................................................................3797
11.5.3 Configuring the SVC VLL..................................................................................................................................3799
11.5.4 Configuring Martini VLL....................................................................................................................................3801
11.5.5 Configuring VLL IP Interworking......................................................................................................................3805
11.5.6 Maintaining VLL.................................................................................................................................................3808
11.6 PWE3 Configuration..............................................................................................................................................3825
11.6.1 PWE3 Overview..................................................................................................................................................3826
11.6.2 Configuring the Attributes of a PW Template.....................................................................................................3836
11.6.3 Configuring a Static PW......................................................................................................................................3839
11.6.4 Configuring a Dynamic PW................................................................................................................................3841
11.6.5 Configuring a Backup PW...................................................................................................................................3843
11.6.6 Configuring Static BFD for PW..........................................................................................................................3846
11.6.7 Configuring Dynamic BFD for PW.....................................................................................................................3848
11.6.8 Configuring Heterogeneous Transport in PWE3.................................................................................................3852
11.6.9 Maintaining PWE3..............................................................................................................................................3855
11.7 PWE3 Reliability Configuration............................................................................................................................3885
11.7.1 PWE3 Reliability Overview................................................................................................................................3885
11.7.2 Configuring PW Redundancy in a Scenario Where CEs Asymmetrically Access Three PEs............................3887
11.7.3 Configuring PW APS..........................................................................................................................................3891
11.7.4 Maintaining PWE3 Reliability............................................................................................................................3898
11.8 VPLS Configuration...............................................................................................................................................3922
11.8.1 VPLS Overview...................................................................................................................................................3922
11.8.2 Configuring Martini VPLS..................................................................................................................................3928
11.8.3 Configuring Related Parameters of a VSI...........................................................................................................3933
11.8.4 Maintaining VPLS...............................................................................................................................................3938
12 QoS...........................................................................................................................................3967
Issue 02 (2013-12-31)

xxiii

Equipment
Contents
12.1 QoS Overview........................................................................................................................................................3969

12.1.1 Introduction.........................................................................................................................................................3969
12.1.2 End-to-End QoS Model.......................................................................................................................................3970
12.1.3 Techniques Used for the QoS Application..........................................................................................................3976
12.1.4 QoS Supported by the ATN.................................................................................................................................3981
12.2 Traffic Policing and Shaping Configuration..........................................................................................................3981
12.2.1 Introduction.........................................................................................................................................................3981
12.2.2 Configuring Interface-based Traffic Policing......................................................................................................3986
12.2.3 Configuring Traffic Shaping...............................................................................................................................3990
12.3 Congestion Avoidance Configuration....................................................................................................................3995
12.3.1 Introduction.........................................................................................................................................................3995
12.3.2 Configuring WRED.............................................................................................................................................3997
12.4 Class-Based QoS Configuration.............................................................................................................................4000
12.4.1 Class-Based QoS Overview.................................................................................................................................4000
12.4.2 Configuring Precedence Mapping Based on Simple Traffic Classification........................................................4002
12.4.3 Configuring a Traffic Policy Based on Complex Traffic Classification.............................................................4011
12.5 VPN Traffic Statistics Configuration.....................................................................................................................4041
12.5.1 Traffic Statistics Supported by the ATN.............................................................................................................4041
12.5.2 Configuring BGP/MPLS IP VPN Traffic Statistics............................................................................................4041
12.5.3 Configuring Traffic Statistics of the Single-hop VLL.........................................................................................4042
12.5.4 Configuring Traffic Statistics of the VPLS.........................................................................................................4044
12.5.5 Maintaining Traffic Statistics..............................................................................................................................4045
12.6 MPLS DiffServ-Mode Configuration.....................................................................................................................4046
12.6.1 Introduction.........................................................................................................................................................4046
12.6.2 Configuring Uniform/Pipe Model for MPLS TE................................................................................................4049
12.6.3 Configuring DiffServ Model Based on VPN......................................................................................................4050
12.7 HQoS Configuration...............................................................................................................................................4062
12.7.1 HQoS Overview..................................................................................................................................................4062
12.7.2 Configuring Profile-based HQoS........................................................................................................................4068
12.7.3 Configuring HQoS on an Ethernet Interface.......................................................................................................4075
12.7.4 Maintaining HQoS...............................................................................................................................................4078
12.8 QoS Remarking Configuration...............................................................................................................................4083
12.9 Glossary..................................................................................................................................................................4084
12.10 Acronyms and Abbreviations...............................................................................................................................4091
13 Clock........................................................................................................................................4095
13.1 Clock Synchronization Configuration....................................................................................................................4096
13.1.1 Introduction to Clock Synchronization Configuration........................................................................................4096
Issue 02 (2013-12-31)

xxiv

Equipment
Contents
13.1.2 Setting Basic Clock Synchronization Configurations.........................................................................................4096

13.1.3 Configuring an External BITS Clock Source......................................................................................................4099
13.1.4 Configuring a Clock Reference Source Manually or Forcibly............................................................................4100
13.1.5 Configuring Clock Protection Switching Based on Priorities.............................................................................4102
13.1.6 Configuring Ethernet Clock Synchronization.....................................................................................................4105
13.1.7 Configuring NTR Clock Synchronization...........................................................................................................4108
13.2 NTP Configuration.................................................................................................................................................4117
13.2.1 Overview of NTP.................................................................................................................................................4117
13.2.2 Configuring Basic NTP Functions......................................................................................................................4121
13.2.3 Configuring NTP Security Mechanisms..............................................................................................................4129
13.2.4 Configuring KOD................................................................................................................................................4136
13.2.5 Maintaining NTP.................................................................................................................................................4138
13.2.6 NTP Configuration Examples.............................................................................................................................4138
13.3 1588v2 Configuration.............................................................................................................................................4148
13.3.1 Overview of 1588v2............................................................................................................................................4149
13.3.2 Configuring 1588v2 on OC.................................................................................................................................4155
13.3.3 Configuring 1588v2 on BC.................................................................................................................................4162
13.3.4 Configuring 1588v2 on TC..................................................................................................................................4168
13.3.5 Configuring 1588v2 on TCandBC......................................................................................................................4174
13.3.6 Configuring the 1588v2 Time Source.................................................................................................................4182
13.3.7 Maintaining 1588v2.............................................................................................................................................4185
13.4 1588 ACR Configuration........................................................................................................................................4192
13.4.1 Configuring 1588 ACR.......................................................................................................................................4193
13.4.2 1588 ACR Maintenance......................................................................................................................................4198
13.5 CES ACR Configuration........................................................................................................................................4208
13.5.1 Configuring CES ACR........................................................................................................................................4208
14 Security....................................................................................................................................4218
14.1 L2 Limit Configuration..........................................................................................................................................4220
14.1.1 Overview to L2 Limit..........................................................................................................................................4220
14.1.2 Configuring MAC Address Learning Limit........................................................................................................4222
14.1.3 Deleting Dynamic MAC Entries.........................................................................................................................4224
14.1.4 Configuring a MAC Address Whitelist or Blacklist to Filter out Packets..........................................................4226
14.1.5 Configuring BPDU Discard.................................................................................................................................4228
14.2 ARP Security Configuration...................................................................................................................................4231
14.2.1 Overview to ARP Security..................................................................................................................................4231
Issue 02 (2013-12-31)

xxv

Equipment
Contents
14.2.2 Preventing Attacks on ARP Entries.....................................................................................................................4233

14.2.3 Preventing Scanning Attacks...............................................................................................................................4237
14.2.4 Maintaining the ARP Security.............................................................................................................................4239
14.3 URPF Configuration...............................................................................................................................................4240
14.3.1 Overview to URPF..............................................................................................................................................4240
14.3.2 Configuring URPF...............................................................................................................................................4242
14.3.3 Maintaining the URPF.........................................................................................................................................4245
14.4 Local Attack Defense Configuration......................................................................................................................4247
14.4.1 Overview to Local Attack Defense......................................................................................................................4247
14.4.2 Configuring Attack Defense Tracing and Enabling Alarming for Packet Discarding........................................4248
14.4.3 Configuring Management/Control Plane Protection...........................................................................................4253
14.4.4 Maintainning Local Attack Defense....................................................................................................................4257
14.5 Mirroring Configuration.........................................................................................................................................4260
14.5.1 Overview to Mirroring.........................................................................................................................................4260
14.5.2 Configuring Local Port Mirroring.......................................................................................................................4261
14.5.3 Configuring Local Traffic Mirroring...................................................................................................................4264
14.6 Configuring the Online Packet Capture Function..................................................................................................4271
14.6.1 Introduction.........................................................................................................................................................4271
14.6.2 Configuring the Online Packet Capture Function...............................................................................................4272
14.6.3 Maintaining the Online Packet Capture Function...............................................................................................4276
14.7 Keychain Configuration.........................................................................................................................................4284
14.7.1 Overview.............................................................................................................................................................4285
14.7.2 Configuring Basic Keychain Functions...............................................................................................................4286
14.7.3 Configuring TCP Authentication parameters......................................................................................................4294
14.7.4 Maintaining Keychain.........................................................................................................................................4296
15 User Management..................................................................................................................4302
15.1 AAA Configuration................................................................................................................................................4303
15.1.1 AAA Overview....................................................................................................................................................4303
15.1.2 Configuring AAA Schemes.................................................................................................................................4305
15.1.3 Configuring a RADIUS Server............................................................................................................................4310
15.1.4 Configuring an HWTACACS Server..................................................................................................................4319
15.1.5 Configuring a Domain.........................................................................................................................................4326
15.1.6 Maintaining AAA................................................................................................................................................4332
15.1.7 Configuring and Managing Users........................................................................................................................4332
15.2 DHCPv4 Configuration..........................................................................................................................................4357
Issue 02 (2013-12-31)

xxvi

Equipment
Contents
15.2.1 Introduction.........................................................................................................................................................4357
15.2.2 DHCPv4 Supported by the ATN.........................................................................................................................4357
15.2.3 Configuring DHCPv4 Relay on the Network Side..............................................................................................4357
15.2.4 Maintaining DHCPv4..........................................................................................................................................4360
15.3 DCN Configuration................................................................................................................................................4362
15.3.1 Introduction.........................................................................................................................................................4363
15.3.2 Configuring DCN on a GNE...............................................................................................................................4364
15.3.3 Configuring DCN on an NE................................................................................................................................4374
15.3.4 DCN Configuration Examples.............................................................................................................................4381
15.4 PPPoE Configuration..............................................................................................................................................4385
15.4.1 Introduction to PPPoE.........................................................................................................................................4385
15.4.2 Configuring the Device as a PPPoE Client.........................................................................................................4385
16 Security Hardening...............................................................................................................4390
16.1 Overview................................................................................................................................................................4391
16.1.1 Introduction.........................................................................................................................................................4391
16.1.2 Basic Network Security Principles......................................................................................................................4392
16.2 Network Security Analysis.....................................................................................................................................4393
16.2.1 DoS Attack..........................................................................................................................................................4393
16.2.2 Information Disclosure........................................................................................................................................4393
16.2.3 Damage to Information Integrity.........................................................................................................................4393
16.2.4 Unauthorized Access...........................................................................................................................................4393
16.2.5 Identity Spoofing.................................................................................................................................................4394
16.2.6 Replay Attack......................................................................................................................................................4394
16.2.7 Computer Viruses................................................................................................................................................4394
16.2.8 Engineer Errors....................................................................................................................................................4394
16.2.9 Physical Intrusion................................................................................................................................................4394
16.3 Analysis of Router Security Vulnerabilities...........................................................................................................4394
16.3.1 Limited Processing Capabilities of Control and Management Planes................................................................4395
16.3.2 Insecure Access Channels...................................................................................................................................4395
16.3.3 Potential Security Risks Caused by the Openness of IP Networks.....................................................................4395
16.3.4 Telecom Network Complexity............................................................................................................................4395
16.3.5 Router Complexity..............................................................................................................................................4396
16.4 Evaluation of Router Security Risks......................................................................................................................4396
16.5 Security Defense Architecture................................................................................................................................4399
16.5.1 Overview.............................................................................................................................................................4399
16.5.2 Using Three-Layer and Three-Plane Security Isolation and Defense of the X.805............................................4402
16.5.3 Security Defense Capability on the ATN Control Plane.....................................................................................4403
16.5.4 Security Defense Capabilities of the Forwarding Plane......................................................................................4404
16.5.5 Security Defense Capabilities of the Management Plane....................................................................................4409
Issue 02 (2013-12-31)

xxvii

Equipment
Contents
16.6 Security Hardening Policies of the Router.............................................................................................................4409

16.6.1 Access Control.....................................................................................................................................................4410
16.6.2 Protection Against Attacks..................................................................................................................................4424
Issue 02 (2013-12-31)

xxviii

Equipment
1 Basic Configurations
Basic Configurations
About This Chapter

The document describes the configuration methods of basic configurations in terms of basic
principles, implementation of protocols, configuration procedures and configuration examples
for the basic configurations of the ATN equipment.
1.1 Logging In to the System for the First Time
This chapter describes how to log in to a new ATN and configure it through the console port or
with the plug-and-play function.
1.2 CLI Overview
The command line interface (CLI) is used to configure and maintain devices.
1.3 Basic Configuration
This chapter describes how to configure the ATN to suit your network environment.
1.4 Configuring User Interfaces
When a user uses a console port, Telnet, or SSH (STelnet) to log in to a ATN, the system manages
the session between the user and the ATN on the corresponding user interface.
1.5 Configuring User Login
A user can log in to the ATN through a console port, or by using Telnet or SSH (STelnet). The
user can maintain the ATN locally or remotely after login.
1.6 Managing the File System
The file system manages the files and directories on the storage devices of the ATN. It can move
or delete a file or directory, or display the contents of a file.
1.7 Configuring System Startup
When the ATN is powered on, system software starts and configuration files are loaded. To
ensure that the ATN runs smoothly, you need to manage system software and configuration files
efficiently.
1.8 Accessing Another Device
To manage configurations or operate files on another device, you can use Telnet, STelnet, TFTP,
FTP, or SFTP to access the device from the device that you have logged in to.
1.9 Device Maintenance
Issue 02 (2013-12-31)


Equipment
With routine device maintenance, you can detect potential operation threats on devices and then
eradicate the potential threats in time to ensure that the system runs securely, stably, and reliably.
1.10 Patch Management
Patch management includes checking the running patch, loading patch files, and installing
patches.
1.11 Glossary
This appendix collates frequently used terms in this document.
1.12 Acronyms and Abbreviations
This appendix collates frequently used acronyms and abbreviations in this document.
Issue 02 (2013-12-31)


Equipment
1.1 Logging In to the System for the First Time

This chapter describes how to log in to a new ATN and configure it through the console port or
with the plug-and-play function.
1.1.1 Introduction
You can configure a device that is powered on for the first time by logging in through the console
port.
A main control board provides a NM port/Console port. To configure a device, connect the user
terminal serial port to the device console port or log in to the device through Telnet after
connecting the network port of the terminal to a NM port of the device.
NOTE
The console port applies the non-standard serial port communication cable sequence. For details, see
Management Cables.
1.1.2 Logging In to the Device Through the Console Port

This section describes how to establish the configuration environment by using the console port
to connect a terminal to a ATN.
Before You Start

Before logging in to the ATN through the console port, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain any data required for the
configuration. This preparation will help you complete the configuration task quickly and
accurately.
Applicable Environment
When you power on the ATN for the first time, use the console port to log in to, configure, and
manage the ATN.
Pre-configuration Tasks
Before logging in to the ATN through the console port, complete the following tasks:
l
Install a terminal emulation program, for example, Windows XP HyperTerminal, on the

PC.
Preparing the console cable
Data Preparation
To log in to the ATN through the console port, you need the following data.
Issue 02 (2013-12-31)


Equipment
No.
Data
Terminal communication parameters
l Baud rate
l Data bit
l Parity
l Stop bit
l Flow-control mode
NOTE
The system automatically uses default parameter values for the first login.
Establishing the Physical Connection

Use a console cable to connect the console port of the ATN to the COM port of a terminal.
Procedure
Step 1 Power on all devices and perform a self-check.
Step 2 Use a cable to connect the COM port on the PC with the console port on the ATN.
----End
Logging In to the Device

To manage a ATN that is being powered on for the first time, you can use the console port to
log in to it.
Context
PC terminal attributes, including the transmission rate, data bit, parity bit, stop bit, and flow
control mode must be configured to match those configured for the console port. Default values
for terminal attributes are used when first logging in to the device.
Procedure
Step 1 Start a terminal emulator on the PC and create a connection, as shown in Figure 1-1.
Issue 02 (2013-12-31)


Equipment
Figure 1-1 Creating a connection
Step 2 Set an interface, as shown in Figure 1-2.

Figure 1-2 Settings an interface
Step 3 Set communication parameters to match the ATN defaults, as shown in Figure 1-3.
Issue 02 (2013-12-31)


Equipment
Figure 1-3 Setting communication parameter
Step 4 Press Enter. At the following command-line prompt, set an authentication password. The system
automatically saves the new password.
An initial password is required for the first login via the console.
Set a password and keep it safe! Otherwise you will not be able to login via the
console.
Please configure the login password (8-16)
Enter Password:
Confirm Password:
Issue 02 (2013-12-31)


Equipment
NOTE
l If the device has the default password before delivery, enter the default password Admin@huawei.com
to log in. The password is insecure, so you must change it immediately. For details on how to change
the password, see Configuring the User Authentication Mode of the Console User Interface.
l After you set the password for the user interface, you must use this user interface to log in to the system
again. Use password authentication mode and enter the new password.
l The passwords must meet the following requirements:
l The password input is in man-machine interaction mode, and the system does not display the
entered password.
l The password is a string of 8 to 16 case-sensitive characters. The password must contain at least
two of the following characters: upper-case characters, lower-case characters, numbers, and special
characters.
Special character except the question mark (?) and space.
The configured password is displayed in the configuration file in ciphertext.
l After you restart the device using the console port, press Enter after the following information is
displayed.
Recover configuration...OK!
Press ENTER to get started.
----End
1.2 CLI Overview

The command line interface (CLI) is used to configure and maintain devices.
1.2.1 CLI Introduction

After you log in to the ATN, a prompt is displayed, informing you that you can interact with the
router through the command line interface (CLI).
Command Line Interface

You can use CLI commands to configure and manage the ATN.
The CLI enables you to access the following features and capabilities:
l
Local or remote configuration through the AUX port.
Local configuration through the console port.
Local or remote configuration through Telnet or Secure Shell (SSH).
Remote configuration by using Modem dialup to log in to an asynchronous serial interface

on the ATN.
The telnet command for directly logging in to and managing other ATNs.
FTP service for uploading and downloading files.
A user interface view for specific configuration management.
A hierarchical command protection structure, which givs certain levels of users permission
to run certain levels of commands.
The ability to enter "?" anytime for online help.
Issue 02 (2013-12-31)


Equipment
Two authentication modes, namely, password authentication, and Authentication,

Authorization, and Accounting (AAA) authentication. Password and AAA authentication
protect system security by prohibiting unauthorized users from logging in to the ATN.
A command line interpreter, which provides intelligent text entry methods such as key word
fuzzy match and context conjunction. These methods help users to enter commands easily
and correctly.
Network test commands such as tracert and ping, and abundant debugging information
for fast network diagnostics.
The ability to run a command, such as DosKey, that was used previously on the device.
NOTE
l The system supports commands that contain a maximum of 510 characters. A command does not have
to be entered in full, as long as the part of the command entered is unique within the system. For
example, to run the display current-configuration command, enter d cu, di cu, or dis cu. Entering
d c or dis c will not run the command because these entries are not unique to the command.
l The system saves the complete form of incomplete commands to configuration files. Saved commands
may have more than 510 characters. When the system restarts, incomplete commands cannot be
restored. Therefore, pay attention to the length of incomplete commands before saving them.
Command Levels
The system hierarchically structures access to command functions to protect system security.
The system administrator sets user access levels that grant specific users access to specific
command levels.
By default, the user command level is a value ranging from 0 to 3, and the user access level is
a value ranging from 0 to 15. Table 1-1 lists the association between user access levels and
command levels.
Table 1-1 Association between user access levels and command levels
User
Level
Com
man
d
Level
Level
Name
Description
Visiting
level
This level gives users access to commands that run network

diagnostic tools (such as ping and tracert) and commands that
start from a local device, visit external devices (such as Telnet
client side ), and are a part of display commands.
0 and
1
Monitor
ing
level
This level gives access to commands, like the display command,

that are used for system maintenance and fault diagnosis.
Configu
ration
level
This level gives access to commands that configure network

services provided directly to users, including routing and
network layer commands.
Issue 02 (2013-12-31)
0, 1,
and 2
NOTE
Some display commands are not found at this level. For example, the
display current-configuration and display saved-configuration
commands are found in level 3. For details about command levels, see
Command Reference.


Equipment
User
Level
Com
man
d
Level
Level
Name
Description
3-15
0, 1,
2, and
3
Manage
ment
level
These levels give access to commands that control basic system

operations and provide support for services, such as the
following command types: file system , FTP , TFTP ,
configuration file switching , power supply control , user
management , level setting , and debugging for fault diagnosis.
To manage efficiently, you can increase the command levels to 0-15..

NOTE
l The default command level may be higher than the actual command level.
l The level of command a user can run is determined by the user level.
l The user level is corresponding with command level. The login users can only use the commands in
levels that are less than or equal to theirs. The user privilege level level command sets the user level.
Searching Commands Based on Command Levels

You can search for all commands at a specific level by performing the following steps:
1.
Open the command reference (.chm.) file.
2.
Click the "Search" tab. The search window is displayed, as shown in Figure 1-4.
Issue 02 (2013-12-31)


Equipment
Figure 1-4 Search window
3.
Issue 02 (2013-12-31)
Enter the desired command level in the "Type in the word(s) to search for" textbox and
click "List Topics". All commands in the specified level are displayed as shown in Figure
1-5.

10

Equipment
Figure 1-5 Searching for commands in a specific level
Command Line Views

The command line interface has different command views. Each command is registered to run
in one or more command views. You can run a command only after you enter an appropriate
command view.
The following example describes how you can open the BFD views.
# Establish a connection to the ATN. If the ATN is using the default configurations, the
<HUAWEI> prompt indicates that you have entered the user view.
<HUAWEI>
# Run the system-view command to enter the system view.

<HUAWEI> system-view
[HUAWEI]
# Run the aaa command in the system view to enter the AAA view.
[HUAWEI] aaa
[HUAWEI-aaa]
Issue 02 (2013-12-31)

11

Equipment
NOTE
The command prompt "HUAWEI" is the default host name.
The prompt indicates a specific view. For example, "HUAWEI" indicates the user view, and
"[HUAWEI-ui-console0]" indicates the console user interface view.
Some commands can be used in more than one view, but their effects vary from view to view.
For example, the mpls command can be run in the system view to enable MPLS globally or in
the interface view to enable MPLS only on this interface.
1.2.2 Online Help

When inputting command lines or configuring services, you can use the online help to obtain
immediate assistance.
Full Help
When inputting a command, you can use the full help function to obtain keywords or parameters
for the command.
Procedure
l
When you are inputting commands, you can use any of the following methods to obtain
full help:
Enter a question mark (?) in any command line view to display command names and
descriptions for all commands in that view.
<HUAWEI> ?
User view commands:
arp-ping
backup
batch-cmd
board-channel-check
capture-packet
cd
...
...
ARP-ping
Backup information
Batch commands
Board-Channel-Check enable/disable
enable capturing packet
Change current directory
Enter a command and a question mark (?) separated by a space. All keywords associated
with this command, as well as simple descriptions, are displayed. For example:
<HUAWEI> language-mode ?
Chinese Chinese environment
English English environment
Chinese and English are keywords; Chinese environment and English

environment describe the keywords.
Enter a command and a question mark (?) separated by a space. Parameter names for
this command, as well as parameter descriptions, are displayed. For example:
[HUAWEI] ftp timeout ?
INTEGER<1-35791> The value of FTP timeout, the default value is 30 minutes
[HUAWEI] ftp timeout 35 ?
<cr>
[HUAWEI] ftp timeout 35
In this command output, INTEGER<1-35791> describes the parameter value and The
value of FTP timeout, the default value is 30 minutes is a simple description of what
Issue 02 (2013-12-31)

12

Equipment
the parameter sets. <cr> indicates that no parameters are associated with this command,
which is repeated in the next command line. You can press Enter to run the command.
----End
Partial Help
If you enter only the first or first character several characters of a command, partial help provides
keywords that begin with this character or character string.
Procedure
l
Use any of the following methods to obtain partial help from a command line.
Enter a character string followed directly by a question mark (?) to display all commands
that begin with this character string.
<HUAWEI> d?
debugging
dir
delete
display
Enter a command and a character string followed directly by a question mark (?) to
display all key words that begin with this character string.
<HUAWEI> display b?
bfd
bootrom
bulk-stat
bgp
buffer
Enter the first several letters of a key word in the command and then press Tab to display
a complete key word. A complete keyword is displayed only if the partial string of letters
uniquely identifies a specific key word. If they do not identify a specific key word,
continue pressing Tab to display different key words. You can then select the desired
key word.
----End
Command Line Interface Error Messages

If you enter a command and it passes the syntax check, the system executes it. Otherwise, the
system reports an error message.
Table 1-2 lists common error messages.
Table 1-2 Common command line error messages
Error message
Cause of the error
Unrecognized command
The command cannot be found.

The key word cannot be found.
Wrong parameter
The wrong parameter type is entered.

The parameter value is out of range.
Issue 02 (2013-12-31)
Incomplete command
An incomplete command is entered.
Too many parameters
Too many parameters are entered.

13

Equipment
Error message
Cause of the error
Ambiguous command
Ambiguous parameters are entered.
1.2.3 CLI Features

The CLI provides several features that make it easy to use.
Editing
The command line editing function allows you to use certain keys to edit command lines or
obtain help.
Keys that are frequently used for command line editing are shown in Table 1-3.
Table 1-3 Command line editing keys
Key
Function
Common key
Inserts a character at the current cursor position as long as the

editing buffer is not full. The cursor then moves to the right. If the
buffer is full, an alarm is generated.
Backspace
Moves the cursor to the left and deletes the character in that
position. When the cursor reaches the head of the command, an
alarm is generated.
Left cursor key or

Ctrl_B
Moves the cursor to the left one space at a time. When the cursor
reaches the head of the command, an alarm is generated.
Right cursor key or

Ctrl_F
Moves the cursor to the right one space at a time. When the cursor
reaches the end of the command, an alarm is generated.
Tab
Press Tab after typing a partial key word and the system runs
partial help:
l If the matching key word is unique, the system replaces the
typed character string with a complete key word and displays
it in a new line with the cursor placed at the end of the word.
l If there are several matches or no match, the system displays
the prefix first. Then you can press Tab to view any matching
key words one at a time. The cursor directly follows the end of
the word. You can press the spacebar to enter the next word.
l If a non-existent or incorrect key word is entered, press Tab
and the word is displayed on a new line.
Displaying
Command lines have a feature thats control how they are displayed.
Issue 02 (2013-12-31)

14

Equipment
You can enable this feature on the CLI as follows:

l
You can use the language-mode language-name command to change the language mode
to display prompts and help information in Chinese or English.
If output information cannot be displayed on a full screen, you have three viewing options,
as shown in Table 1-4.
Table 1-4 Display keys

Key
Function
Ctrl_C
Stops the display and running of a command.

NOTE
You can also press any key except the spacebar and Enter to stop the
display and running of a command.
Space
Displays information on the next screen.
Enter
Displays information on the next line.
Regular Expressions
A regular expression describes a set of strings. It consists of common characters (such as letters
from "a" to "z") and special characters (called metacharacters). The regular expression is a
template that enables you to search for required strings. You can use regular expressions to filter
output to locate needed information quickly.
A regular expression provides the following functions:
l
Searches for sub-strings that match a rule in the main string.
Substitutes strings based on specific matching rules.
Formal Language Theory of the Regular Expression

A regular expression consists of common characters and special characters.
l
Common characters
Common characters, including all upper-case and lower-case letters, digits, underline,
punctuation marks, and special symbols, match themselves in a string. For example, "a"
matches the letter "a" in "abc", "202" matches the digit "202" in "202.113.25.155", and
"@" matches the symbol "@" in "xxx@xxx.com".
Special characters
Special characters are used together with common characters to match complex or special
string combinations. Table 1-5 describes special characters and their syntax.
Issue 02 (2013-12-31)

15

Equipment
Table 1-5 Description of special characters

Special
characte
r
Syntax
Example
Defines an escape character, which

is used to mark the next character
(common or special) as the common
character.
\* matches "*".
Matches the starting position of the

string.
^10 matches "10.10.10.1" instead of

"20.10.10.1".
Matches the ending position of the

string.
1$ matches "10.10.10.1" instead of

"10.10.10.2".
Matches the preceding element zero

or more times.
10* matches "1", "10", "100", and

"1000".
(10)* matches "null", "10", "1010",
and "101010".
Matches the preceding element one

or more times
10+ matches "10", "100", and

"1000".
(10)+ matches "10", "1010", and
"101010".
Matches the preceding element zero

or one time.
10? matches "1" and "10".

(10)? matches "null" and "10".
NOTE
Huawei datacom devices do not support
regular expressions with ?. When
regular expressions with ? are entered
on Huawei datacom devices, helpful
information is provided.
Matches any single character.
0.0 matches "0x0" and "020".

.oo matches "book", "look", and
"tool".
()
Defines a subexpression, which can

be null. Both the expression and the
subexpression should be matched.
100(200)+ matches "100200" and

"100200200".
x|y
Matches x or y.
100|200 matches "100" or "200".

1(2|3)4 matches "124" or "134",
instead of "1234", "14", "1224", and
"1334".
Issue 02 (2013-12-31)
[xyz]
Matches any single character in the

regular expression.
[123] matches the character 2 in

"255".
[^xyz]
Matches any character that is not

contained within the brackets.
[^123] matches any character except

for "1", "2", and "3".

16

Equipment
Special
characte
r
Syntax
Example
[a-z]
Matches any character within the

specified range.
[0-9] matches any character ranging

from 0 to 9.
[â-z]
Matches any character beyond the

specified range.
[^0-9] matches all non-numeric

characters.
NOTE
Unless otherwise specified, all characters in the preceding table are displayed on the screen.
Degeneration of special characters

A special character becomes a common character when following \. In the following
situations, the special characters listed in Table 1-6 function as common characters.
If the special character "*", "+", or "?" is placed at the beginning of a regular expression,
a special character becomes a common character. For example, +45 matches "+45" and
abc(*def) matches "abc*def".
If the special character "^" is placed in any position except for the beginning of a regular
expression, a special character becomes a common character. For example, abc^
matches "abc^".
If the special character "$" is placed in any position except for the end of a regular
expression, a special character becomes a common character. For example, 12$2
matches "12$2".
If a right parenthesis ")" or right bracket "]" is not paired with a corresponding left
parenthesis "(" or bracket "[", a special character becomes a common character. For
example, abc) matches "abc)" and 0-9] matches "0-9]".
NOTE
Unless otherwise specified, degeneration rules also apply when the preceding regular expressions
are subexpressions within parentheses.
Combinations of common and special characters

In actual usage, regular expressions combine multiple common and special characters to
match certain strings.
Regular Expression Examples

The key to using regular expressions is to design them accurately. Table 1-6 shows how to
design regular expressions using special characters and describes the meaning of those regular
expressions.
Table 1-6 Regular expression examples
Issue 02 (2013-12-31)
Regular
Expression
Description
^100
Matches strings beginning with 100, for example, 100085.

17

Equipment
Regular
Expression
Description
200$
Matches strings ending with 200, for example, 255.255.100.200.
[0-9]+
Matches strings of repeated digits ranging from 0 to 9, for example,

007.
(abc)*
Matches strings with abc occurring zero or more times, for example,
d and dabc.
^100([0-9]+)*200$
Matches strings beginning with 100 and ending with 200, including
those with zero or several digits in the middle, for example, 100200.
Windows_(95|98|
2000|XP))
Matches Windows 95, Windows 98, Windows 2000, or Windows XP.
100[^0-9]?
Matches strings beginning with 100 followed by zero or one non-digit

character, for example, 100 or 100@.
.\.\*
Matches a string beginning with a single character except \n followed

by . and *, for example, 1.* or a.*.
^172\.18\.(10)\.
([0-9]+)$
Matches an IP address in a line, for example, 172.18.10.X.
Specifying a Filtering Mode in a Command
NOTICE
The ATN uses a regular expression to implement the pipe character filtering function. A display
command supports the pipe character only when there is excessive output information.
When filtering conditions are set to query output, the first line of the command output starts with
information containing the regular expression.
Some commands can carry the parameter | count to display the number of matching entries. The
parameter | count can be used together with other parameters.
For commands that support regular expressions, three filtering methods are available:
l
| begin regular-expression: displays information that begins with the line that matches
regular expression.
| exclude regular-expression: displays information that excludes the lines that match
regular expression.
| include regular-expression: displays information that includes the lines that match regular
expression.
NOTE
The value of regular-expression is a string of 1 to 255 characters.
Issue 02 (2013-12-31)

18

Equipment
Specify a Filtering Mode When Information Is Displayed Screen by Screen

NOTE
When the output of the following commands is displayed screen by screen, you can specify a filtering
mode:
l
display current-configuration
display saved-configuration
display interface
display arp
When a large amount of information is displayed screen by screen, you can specify a filtering
mode in the prompt "---- More ----".
l
/regular-expression: displays the information that begins with the line that matches regular
expression.
-regular-expression: displays the information that excludes lines that match regular
expression.
+regular-expression: displays the information that includes lines that match regular
expression.
Previously-Used Commands
The CLI provides a function similar to DosKey that automatically saves any command used on
the device. If you need to run a command that has been previously executed, you can use this
function to recall the command.
By default, the system saves 10 previously-used commands for each user. You can run the
history-command max-size size-value command in the user view to set the number of
previously-used commands saved by the system. A maximum of 256 previously-used commands
can be saved.
NOTE
Set the number of saved previously-used commands to a reasonably low value. If a large number of
previously-used commands are saved, locating a command can be time-consuming and inefficient.
The keys and commands for accessing previously-used commands are shown in Table 1-7
Table 1-7 Keys and commands for accessing previously-used commands
Issue 02 (2013-12-31)
Action
Key or Command
Result
Display
previouslyused
commands.
display historycommand [ allusers ]
Display previously-used commands entered by

users.
Access the last

previouslyused
command.
Up arrow key () or
Ctrl_P
Display the last previously-used command if there

are more than one. Otherwise, an alarm is
generated.

19

Equipment
Action
Key or Command
Result
Access the next

previouslyused
command.
Down arrow key ()

or Ctrl_N
Display the next previously-used command if there

are more than one. Otherwise, the command is
cleared and an alarm is generated.
NOTE
Windows 9X defines keys differently and the arrow key cannot be used with Windows 9X
HyperTerminals. You can use Ctrl_P instead.
When you use previously-used commands, note the following points:

l
Previously-used commands are saved exactly as they are entered by users. For example, if
a user enters an incomplete command, the saved command is also incomplete.
A command is only saved the first time it is run. If a command is entered in different forms
or with different parameters, each entry is considered to be a different command.
For example, if the display ip routing-table command is run several times, only one
previously-used command is saved. If the disp ip routing command and the display ip
routing-table command are run, two previously-used commands are saved.
Batch Command Execution

If multiple commands are frequently used consecutively, you can edit these commands to be
executed in batches. This simplifies command input and improves efficiency.
Procedure
Step 1 Manually execute the commands in batches.
1.
In the user view, run:

batch-cmd edit
Commands are edited to be executed in batches.

The batch-cmd edit command can be used by only one user at a time.
The maximum length of a command (including the incomplete command) to be entered is
510 characters.
When editing commands, press Enter to complete the editing of each command.
NOTE
l After the batch-cmd edit command is run successfully to edit the commands to be executed in
batches, the system deletes the original commands to be run in batches.
l The commands that are already edited are saved in memory and are deleted for ever when the
system is restarted.
2.
After all commands are edited, you can press the shortcut buttons Ctrl_Z to exit the editing
state and return to the user view.
3.
In the user view, run:

batch-cmd execute
Issue 02 (2013-12-31)

20

Equipment
The commands are executed in batches.

The batch-cmd execute command can be used by only one user at a time.
The sequence of running commands is the same as the sequence of editing commands. You
can view the execution of these commands on the CLI. After the execution is complete,
the user view is displayed.
NOTE
If the batch-cmd edit or batch-cmd execute command is among the commands to be executed in
batches, the system displays an error when executing the batch-cmd edit or batch-cmd execute
command and continues to execute the following commands.
----End
1.2.4 Shortcut Keys

System or user-defined shortcut keys make it easier to enter commands.
Classifying Shortcut Keys

There are two types of shortcut keys: system shortcut keys and user-defined shortcut keys.
Familiarize yourself with the shortcut keys so you can use them correctly.
The shortcut keys in the system are classified into the following two types:
l
User-defined shortcut keys: CTRL_G, CTRL_L, CTRL_O, and CTRL_U. The user can
assign these shortcut keys to any commands. When a shortcut key is pressed, the system
automatically runs the assigned command. For details about defining the shortcut keys, see
section Defining Shortcut Keys.
System-defined shortcut keys: The system defines a number of shortcut keys with fixed
functions. Table 1-8 lists the system-defined shortcut keys.
NOTE
Different terminal software defines these keys differently. The shortcut keys on your terminal may be
different from those listed in this section.
Table 1-8 System-defined shortcut keys
Issue 02 (2013-12-31)
Key
Function
CTRL_A
The cursor moves to the beginning of the current line.
CTRL_B
The cursor moves to the left one space at a time.
CTRL_C
Terminates the running function.
CTRL_D
Deletes the character where the cursor lies.
CTRL_E
The cursor moves to the end of the current line.
CTRL_F
The cursor moves to the right one space at a time.
CTRL_H
Deletes the character to the left of the cursor.

21

Equipment
Key
Function
CTRL_K
Stops the creation of the outbound connection.
CTRL_N
Displays the next command in the previously-used command

buffer.
CTRL_P
Displays the previous command in the previously-used

command buffer.
CTRL_R
Repeats the information displayed on the current line.
CTRL_T
Terminates the outbound connection.
CTRL_V
Pastes the contents onto the clipboard.
CTRL_W
Deletes the character string or character to the left of the cursor.
CTRL_X
Deletes all the characters to the left of the cursor.
CTRL_Y
Deletes all the characters to the right of the cursor.
CTRL_Z
Returns to the user view.
CTRL_]
Terminates the inbound or redirection connections.
ESC_B
The cursor moves one word to the left.
ESC_D
Deletes the word to the right of the cursor.
ESC_F
The cursor moves to the end of the word to the right.
ESC_N
The cursor moves downward to the next line.
ESC_P
The cursor moves upward to the previous line.
ESC_SHIFT_<
Sets the position of the cursor to the beginning of the clipboard.
ESC_SHIFT_>
Sets the position of the cursor to the end of the clipboard.
Defining Shortcut Keys

If you regularly use one or more commands, you can assign shortcut keys to run them, which
facilitates user operations and improves efficiency. Only management-level users have the right
to define shortcut keys.
Configure the following shortcut keys in the system view.
Issue 02 (2013-12-31)
Action
Command
Define shortcut keys
hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_U }

command-text

22

Equipment
CTRL_G, CTRL_L, CTRL_O and CTRL_U are assigned to run the following commands by
default:
l
CTRL_G: display current-configuration
CTRL_L: display ip routing-table
CTRL_O: undo debugging all
CTRL_U: By default, CTRL_U is not assigned to any command. If no command is

specified for CTRL_U, this shortcut key deletes an entered character or command.
When defining shortcut keys, mark the command with double quotation marks if the command
consists of more than one word or includes spaces.
Using Shortcut Keys

You can use a shortcut key in any position you can enter a command. The system executes the
entered shortcut key and displays the corresponding command on the screen exactly as if you
had entered the complete command.
l
If you have typed part of a command and have not pressed Enter, you can press the shortcut
keys to clear what you have entered or display the full command. This operation has the
same effect as that of deleting a command and then re-entering the complete command.
The shortcut keys are run like the commands. The syntax is recorded in the command buffer
and logged for fault location and querying.
NOTE
The terminal being used may affect the shortcut key functions. For example, if shortcut keys customized
for the terminal conflict with those for the ATN, the input shortcut keys are captured by the terminal program
and do not function.
Run the following command in any view to display the shortcut keys being used.
Action
Command
Check the shortcut keys being used.
display hotkey
1.2.5 Configuration Examples

This section provides several examples that illustrate the use of command lines.
Running Commands in Batches

In this example, you can edit the commands to be run in batches to configure the system to
automatically run them in batches.
Context
If you frequently run commands in a particular order, you can run them in batches to improve
efficiency. This is particularly effective if you run a large number of commands in a row.
Issue 02 (2013-12-31)

23

Equipment
For example, you can run commands in batches during a preventive maintenance inspection
(PMI). By running commands in batches, you can enter all PMI commands at once and then
send all the command output information to the PMI tool, which can improve the PMI efficiency.
To run commands in batches, log in to the ATN and perform the following:
Procedure
Step 1 Edit the display users, display startup, and display clock commands to be run in batches.
<HUAWEI> batch-cmd edit
Info: Begin editing batch commands. Press "Ctrl+Z" to abort this session.
display users
display startup
display clock
<HUAWEI>
Step 2 Run the commands in batches.

<HUAWEI> batch-cmd execute
<HUAWEI>batch-cmd execute command: display users
User-Intf
Delay
Type
Network Address
AuthenStatus
35 VTY 1
00:00:00 TEL
190.120.2.19
Username : Unspecified
<HUAWEI>batch-cmd execute command: display startup
MainBoard:
Configured startup system software:
Startup system software:
Next startup system software:
Startup saved-configuration file:
Next startup saved-configuration file:
Startup paf file:
Next startup paf file:
Startup license file:
Next startup license file:
Startup patch package:
Next startup patch package:
<HUAWEI>
batch-cmd execute command: display clock
AuthorcmdFlag
no
cfcard:/V200R003C00.cc
cfcard:/vrp.cfg
cfcard:/vrp.cfg
default
default
default
default
NULL
NULL
2011-01-27 01:25:24
Thursday
Time Zone(DefaultZoneName) : UTC
<HUAWEI>
batch-cmd execute finished.
----End
Using the Tab Key

After inputting part of a keyword, you can press Tab to obtain all the related keywords or check
the accuracy of the input keyword.
Context
You do not always need to input complete keywords. Instead, input one or more of the first
characters of a keyword and press Tab to complete the keyword. The Tab key helps search for
and use commands.
Issue 02 (2013-12-31)

24

Equipment
Procedure
l
Tab can be used in three ways as shown in the following example.

After you enter part of a key word and press the Tab key, a unique matching key word
is displayed.
1.
Input part of a key word.

[HUAWEI] info-
2.
Press Tab.
The system replaces the incomplete key word with a complete key word and
displays it on a new line followed by a cursor.
[HUAWEI] info-center
After you enter part of a key word and press the Tab key, several matches or no matches
are displayed.
# info-center can be followed by three key words.
[HUAWEI] info-center log?
logbuffer
logfile
loghost
1.
Input the incomplete key word.

[HUAWEI] info-center l
2.
Press Tab.
The system displays the prefix first. In this example, the prefix is "log".
[HUAWEI] info-center log
Continue pressing Tab. The cursor comes right after the end of the word.
[HUAWEI] info-center loghost
[HUAWEI] info-center logbuffer
[HUAWEI] info-center logfile
When you find the key word you need, for example, logfile, stop pressing Tab.
3.
Enter a space and the next word, channel, is displayed.

[HUAWEI] info-center logfile channel
Input an incorrect keyword and press Tab to check the accuracy of the keyword.
1.
For example, input the incorrect keyword loglog.

[HUAWEI] info-center loglog
2.
Press Tab.
[HUAWEI] info-center loglog
The system displays information on a new line, but the keyword loglog remains
unchanged and there is no space between the cursor and the keyword. This result
indicates that this keyword is non-existent.
----End
Using Shortcut Keys

In this example, you assign shortcut keys to frequently-used commands. Then, you can press
the shortcut keys instead of inputting the commands to facilitate user operations and improve
efficiency.
Context
If the login ATN supports shortcut keys, any user, regardless of their user level, can use them.
Issue 02 (2013-12-31)

25

Equipment
Procedure
Step 1 Correlate Ctrl_U with the display local-user command and run the shortcut keys.
[HUAWEI] hotkey ctrl_u "display local-user"
NOTE
When defining shortcut keys for a command, use double quotation marks to quote the command
if the command consisting of multiple words, which are separated by spaces. No double
quotation marks are required for single-word commands.
Step 2 Press Ctrl_U when the prompt [HUAWEI] appears.
[HUAWEI] display local-user
---------------------------------------------------------------------------Username
State Type
Access-limit Online
---------------------------------------------------------------------------admin
Active All
No
0
root
Active F
No
0
huawei
Active All
No
2
---------------------------------------------------------------------------Total 3,3 printed
----End
Copying Commands Using Shortcut Keys

In this example, you can use shortcut keys to copy a specified command and then use the shortcut
keys Ctrl_Shift_V to paste the command.
Context
If you need to repeatedly run a command, you can use shortcut keys to copy the command.
The copied command is saved on the clipboard and is available only for the current user. After
the user logs out, the clipboard is cleared.
You can use shortcut keys to copy a command in any view.
Procedure
Step 1 Move the cursor to the beginning of the command and press Esc_Shift_<. Move the cursor to
the end of the command and press Esc_Shift_>.
<HUAWEI> display ip routing-table
Step 2 Run the display clipboard command to view the contents on the clipboard.
<HUAWEI> display clipboard
---------------- CLIPBOARD----------------display ip routing-table
Step 3 Enter the command in any view, and press Ctrl_Shift_V to paste the contents of clipboard.
Issue 02 (2013-12-31)

26

Equipment
NOTE
If you press shortcut keys to copy a new command, you can use shortcut keys to paste only the new
command.
----End
1.3 Basic Configuration

This chapter describes how to configure the ATN to suit your network environment.
1.3.1 Configuring the Basic System Environment

This section describes how to configure the basic system environment.
Before You Start

Before configuring the basic system environment, familiarize yourself with the applicable
configuration. This will help you complete the configuration task quickly and correctly.
Before configuring services, you need to configure the basic system environment (for example,
the language mode, system time, device name, login information, and command level) to meet
environmental requirements.
Before configuring the basic system environment, power on the ATN.
Data Preparation
To configure the basic system environment, you need the following data.
No.
Data
Language mode
System time
Host name
Login information
Command level
Switching the Language Mode

You can switch between the Chinese mode and the English mode as needed.
Issue 02 (2013-12-31)

27

Equipment
Context
After the language mode is switched, the system displays prompts and command line outputs in
the specified language.
Language information (Chinese and English) has been stored in the system software and does
not need to be loaded.
In the user view, perform the following:
Procedure
l
Run:
language-mode { chinese | english }
The language mode is switched.

By default, the English mode is used.
The help information on the ATN can be in English or in Chinese. The language mode is
stored in the system software and does not need to be loaded.
----End
Configuring the Equipment Name

If multiple devices on a network need to be managed, set equipment names to identify each
device.
Context
New equipment names take effect immediately.
Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
sysname host-name
The equipment name is set.

By default, the equipment name of the ATN is HUAWEI.
You can change the name of the ATN that appears in the command prompt.
----End
Setting the System Clock

The system clock must be correctly set to ensure synchronization with other devices.
Issue 02 (2013-12-31)

28

Equipment
Context
The system clock is the time indicated by the system timestamp. Because the rules governing
local time differ in different regions, the system clock can be configured to comply with the
rules of any given region.
The system clock is calculated using the following formula: System clock = Coordinated
Universal Time (UTC) + Time zone offset + Daylight saving time offset.
Set the system clock to the correct time to ensure that the device effectively operates with other
devices.
Setting the system clocks of all the devices on a network manually is time-consuming and cannot
ensure the clock accuracy. Network Time Protocol (NTP) can address this problem by
synchronizing all clocks of devices on the network so that the devices can provide uniform timebased applications.
NOTE
A local system running NTP can be synchronized by other clock sources or acts as a clock source to
synchronize other clocks. In addition, mutual synchronization can be implemented through NTP packet
exchanges.
By default, the system clock of NTP-enabled devices is UTC. The time zone and daylight saving
time vary with the country and region, and if a time zone and daylight saving time are configured
on an NTP server, the same time zone and daylight saving time must be configured on NTP
clients.
For details about NTP, see the NTP chapter in Feature Description - Clock.
For details about NTP configurations, see the 13.2 NTP Configuration chapter in Configuration
Guide - Clock.
Perform the following steps in the user view to set the system clock:
Procedure
Step 1 Run:
clock datetime HH:MM:SS YYYY-MM-DD
The current date and time are set.

NOTE
If the time zone has not been configured or is set to 0, the date and time set by this command are considered
to be UTC. Set the time zone and UTC correctly.
Step 2 Run:
system-view

Step 3 Run:
clock timezone time-zone-name { add | minus } offset
The time zone is set.

l If add is configured, the current time is the UTC time plus the time offset. That is, the default
UTC time plus offset is equal to the time of time-zone-name.
Issue 02 (2013-12-31)

29

Equipment
l If minus is configured, the current time is the UTC time minus the time offset. That is, the
default UTC time minus offset is equal to the time of time-zone-name.
NOTE
UTC stands for the Universal Time Coordinated.

After the time zone is set:
l The time format of local logs is Original system time zone-offset, for example, Oct 30 2013 22:21:11
+08:00.
l The time format of logs sent to the log host is the UTC time, for example, Oct 30 2013 07:58:20. After
the info-center loghost local-time command is run to set the time format to local time, the time format
of user logs is Original system time zone-offset, for example, Oct 30 2013 22:21:11+08:00.
Step 4 Run:
clock daylight-saving-time time-zone-name one-year start-time start-date end-time
end-date offset
or
clock daylight-saving-time time-zone-name repeating start-time { { first | second
| third | fourth | last } weekday month | start-date } end-time { { first |
second | third | fourth | last } weekday month | end-date } offset [ start-year
[ end-year ] ]
Daylight saving time is set.

By default, daylight saving time is not set.
The start time is the local mean time (LMT), and the end time is the daylight saving time (DST).
The start time and end time can be set to date+data, week+week, date+week, or week+date
format. To configure the daylight saving time, run the clock daylight-saving-time command.
NOTICE
When the device is upgraded from an earlier version to the V200R003C00 version, the
configured daylight saving time does not take effect and needs to be reconfigured.
----End
System Clock Display

The system clock is determined by the clock datetime, clock timezone, and clock daylightsaving-time commands.
l
If none of the preceding three commands have been run, the original system time is
displayed after you run the display clock command.
You can also run the three preceding commands in combination with one another to
configure the system clock, as listed in Table 1-9.
In the following examples, the original system time is 08:00:00 January 1, 2010.
l
1: Run the clock datetime command to set the current date and time to date-time.
2: Run the clock timezone command to configure the time zone with the time zone offset
zone-offset.
Issue 02 (2013-12-31)

30

Equipment
3: Run the clock daylight-saving-time command to configure the daylight saving time
with the offset offset.
[1]: The clock datetime command configuration is optional.
Table 1-9 System clock configuration examples

Operation
Configured System
Time
Example
date-time
Run the clock datetime 8:0:0 2011-11-12

command.
Configured system time:
2011-11-12 08:00:03
Saturday
Time Zone(DefaultZoneName): UTC
Original system time +/zone-offset
Run the clock timezone BJ add 8 command.

2010-01-01 16:00:20+08:00
Friday
Time Zone(BJ): UTC+08:00
1, 2
date-time +/- zone-offset
Run the clock datetime 8:0:0 2011-11-12 and

clock timezone BJ add 8 commands.
2011-11-12 16:00:13+08:00
Saturday
[1], 2, 1
date-time
Run the lock timezone NJ add 8 and clock

datetime 9:0:0 2011-11-12 commands.
2011-11-12 09:00:02+08:00
Saturday
Time Zone(NJ): UTC+08:00
Issue 02 (2013-12-31)
Original system time if

the original system time
is not during the
configured daylight
saving time period
Run the clock daylight-saving-time BJ one-year

6:0 2011-8-1 6:0 2011-10-01 1 command.
2010-01-01 08:00:51
Friday
Daylight saving time :
Name
: BJ
Repeat mode : one-year
Start year : 2011
End year
: 2011
Start time : 08-01 06:00:00
End time
: 10-01 06:00:00
Saving time : 01:00:00

31

Equipment
Operation
1, 3
Configured System
Time
Example
Original system time +

offset if the original
system time is during the
configured daylight
saving time period

6:0 2011-1-1 6:0 2011-9-1 2 command.
date-time if date-time is
not during the configured
daylight saving time
period

clock daylight-saving-time BJ one-year 6:0
2012-8-1 6:0 2012-10-01 1 commands.

2010-01-01 10:00:34 DST
Friday
Time Zone(BJ): UTC
Name
: BJ
Start year : 2011
End year
: 2011
Start time : 01-01 06:00:00
End time
: 09-01 06:00:00

2011-11-12 09:00:26
Saturday
Name
: BJ
Start year : 2012
End year
: 2012
Start time : 08-01 06:00:00
End time
: 10-01 06:00:00
date-time + offset if datetime is during the

configured daylight
saving time period

clock daylight-saving-time BJ one-year 9:0
2011-11-12 6:0 2011-12-01 2 commands.
2011-11-12 11:02:21 DST
Saturday
Time Zone(BJ): UTC
Name
: BJ
Start year : 2011
End year
: 2011
Start time : 11-12 09:00:00
End time
: 12-01 06:00:00
Issue 02 (2013-12-31)

32

Equipment
Operation
Configured System
Time
Example
[1], 3, 1
period

6:0 2012-8-1 6:0 2012-10-01 1 and clock datetime
9:0 2011-11-12 commands.
2011-11-12 09:00:02
Saturday
Name
: BJ
Start year : 2012
End year
: 2012
Start time : 08-01 06:00:00
End time
: 10-01 06:00:00
during the configured
period

1:0 2011-1-1 1:0 2011-9-1 2 and clock datetime
3:0 2011-1-1 commands.
2011-01-01 03:00:19 DST
Saturday
Time Zone(BJ): UTC
Name
: BJ
Start year : 2011
End year
: 2011
Start time : 01-01 01:00:00
End time
: 09-01 01:00:00
2, 3 or 3, 2
Issue 02 (2013-12-31)
Original system time +/zone-offset if the value of

Original system time +/zone-offset is not during
the configured daylight
saving time period
Run the clock timezone BJ add 8 and clock

daylight-saving-time BJ one-year 6:0 2011-1-1
6:0 2011-9-1 2 commands.
2010-01-01 16:01:29+08:00
Friday
Name
: BJ
Start year : 2011
End year
: 2011
Start time : 01-01 06:00:00
End time
: 09-01 06:00:00

33

Equipment
Operation
1, 2, 3, or 1,
3, 2
Issue 02 (2013-12-31)
Configured System
Time
Example
Original system time +/zone-offset +/- offset if

the value of Original
system time +/- zoneoffset is during the
configured daylight
saving time period

1:0 2010-1-1 1:0 2010-9-1 2 and clock timezone
BJ add 8 commands.

if the value of date-time
+/- zone-offset is not
period
Run the clock datetime 8:0:0 2011-11-12, clock

timezone BJ add 8, and clock daylight-savingtime BJ one-year 6:0 2012-1-1 6:0 2012-9-1 2
commands.

+ offset if the value of
is during the configured
period
Run the clock datetime 8:0:0 2011-1-1, clock

daylight-saving-time BJ one-year 6:0 2011-1-1
6:0 2011-9-1 2, and clock timezone BJ add 8
commands.

2010-01-01 18:05:31+08:00 DST
Friday
Name
: BJ
Start year : 2010
End year
: 2010
Start time : 01-01 01:00:00
End time
: 09-01 01:00:00

2011-11-12 16:01:40+08:00
Saturday
Name
: BJ
Start year : 2012
End year
: 2012
Start time : 01-01 06:00:00
End time
: 09-01 06:00:00

2011-01-01 18:00:43+08:00 DST
Saturday
Name
: BJ
Start year : 2011
End year
: 2011
Start time : 01-01 06:00:00
End time
: 09-01 06:00:00

34

Equipment
Operation
Configured System
Time
Example
[1], 2, 3, 1
or [1], 3, 2,
1
period

6:0 2012-1-1 6:0 2012-9-1 2, clock timezone BJ
add 8, and clock datetime 8:0:0 2011-11-12
commands.
2011-11-12 08:00:03+08:00
Saturday
Name
: BJ
Start year : 2012
End year
: 2012
Start time : 01-01 06:00:00
End time
: 09-01 06:00:00
period
Run the clock timezone BJ add 8, clock daylightsaving-time BJ one-year 1:0 2011-1-1 1:0
2011-9-1 2, and clock datetime 3:0:0 2011-1-1
commands.
2011-01-01 03:00:03+08:00 DST
Saturday
Name
: BJ
Start year : 2011
End year
: 2011
Start time : 01-01 01:00:00
End time
: 09-01 01:00:00
Configuring a Header
If you need to provide information for users logging in, you can configure a header that the
system displays during or after login.
Context
A header is a text message displayed by the system at the time a user logs in to the ATN.
Procedure
Step 1 Run:
system-view

Step 2 Run:
header login { information text | file file-name }
Issue 02 (2013-12-31)

35

Equipment
A header displayed during login is set.

Step 3 Run:
header shell { information text | file file-name }
A header displayed after login is set.

To display the header when the terminal connection has been activated but the user has not been
authenticated, configure the parameter login.
To display the header after the user has logged in, configure the parameter shell.
NOTICE
l The header message starts and ends with the same character. Enter the first character of the
header and press Enter. An interactive interface for setting the header is displayed. Input the
required information and, when you are finished, end the header by entering the first character
again. The system then exits from the interactive interface.
l If a user logs in to the ATN using SSH1.X, the login header is not displayed during login,
but the shell header is displayed after login.
l If a user logs in to the ATN using SSH2.0, both the login and shell headers are displayed.
----End
Configuring Command Levels

This section describes how to configure command levels to ensure device security or allow lowlevel users to run high-level commands. By default, commands are registered in the sequence
of Level 0 to Level 3. If refined rights management is required, you can divide commands in to
16 levels, that is, from Level 0 to Level 15.
Context
If you do not adjust a command level, after the command level is updated, all originallyregistered command lines adjust automatically according to the following rules:
l
The Level 0 and Level 1 commands remain unchanged.
The Level 2 commands are updated to Level 10 and the Level 3 commands are updated to
Level 15.
No command lines exist in Level 2 to Level 9 or in Level 11 to Level 14. You can adjust
the command lines to these levels to refine the management of privileges.
NOTICE
Do not change the default level of a command. Otherwise, some users may be unable to continue
using the command.
Issue 02 (2013-12-31)

36

Equipment
Procedure
Step 1 Run:
system-view

Step 2 Run:
command-privilege level rearrange
Update the command levels in batches.

If no password is configured for a Level 15 user, the system prompts you to set a super-password
and asks if you want to continue updating the command line level. Select "N" to set a password.
If you select "Y", the command level can be updated in batches directly. This results in the user
not logging in through the Console port and failing to update the level.
Before running the command, confirm that the user level is 15. Otherwise, this command cannot
be run.
Step 3 Run:
command-privilege level level view view-name command-key
The command level is configured. With this command, you can specify the level for each
command and view multiple commands at one time (command-key).
All commands have default command views and levels. You do not need to reconfigure them.
----End
Configuring the undo Command to Automatically Match the Higher-Level View

After performing this configuration, if a user runs the undo command but it is not registered in
the current view, the system automatically switches to the view one level up from the current
view to search for this command. If the command is found, the undo command takes effect. If
the undo command does not exist in this view, the system progressively searches higher-level
views for the command until it reaches the system view. If the undo command is not found in
the higher-level view, it will not be executed.
Context
NOTICE
The undo command has disadvantages due to automatic matching. For example, when the user
runs the undo ospf command in the interface view where the command is not registered, the
system automatically searches the system view. This may lead to the global deletion of the OSPF
feature.
Procedure
Step 1 Run:
system-view
Issue 02 (2013-12-31)

37

Equipment

Step 2 Run:
matched upper-view
The undo command is configured to automatically search higher-level views if it is run in a

view where it is not registered.
By default, the undo command does not automatically search higher-level views.
NOTE
l The matched upper-view command is valid for current login users who run this command.
l Configuring the undo command to automatically match the upper level view is recommended only if
necessary.
----End
1.3.2 Displaying System Status Messages

This section describes how to use display commands to check basic system configurations.
Context
You can use display commands to collect information about the system status. The display
commands display the following information:
l
System configurations
System running status
Diagnostic information about a system.
Restart information about the main control board
See related sections concerning display commands for information on protocols and interfaces.
This section only shows system-level display commands.
Displaying System Configuration

This section describes how to use command lines to check the system version, system time,
original configuration, and current configuration.
Context
Run the following commands in any view:
Procedure
l
Run the display version command to display the system version.
Run the display clock [ utc ] command to display the system time.
Run the display calendar command to display system calendar.
Run the display saved-configuration command to display the original configuration.
Run the display current-configuration command to display the current configuration.
Issue 02 (2013-12-31)

38

Equipment
NOTE
l The display version command displays the software version of the system.
l The original configuration refers to information about configuration files the device uses when
it powers on and initializes. The current configuration refers to the configuration files that take
effect when the device is in use. For details, see the chapter "Configuring System Startup" in the
Basic-Configuration.
----End
Displaying the System Status

This section describes how to use command lines to check the system operating status (the
configuration of the current view).
Procedure
l
Run the display this command to display the configuration of the current view.
----End
Collecting System Diagnostic Information

This section describes how to collect information about system modules.
Context
If you cannot perform routine maintenance, run the various display commands to collect the
information you need to locate faults. The display diagnostic-information command gathers
information about all currently running system modules.
Procedure
l
Run:
display diagnostic-information [ file-name ]
System diagnostic information is displayed.

The display diagnostic-information command collects the same information as many
other individual commands, such as display clock, display version, display cpu-usage,
display interface, display current-configuration, display saved-configuration, and
display history-command.
----End
1.4 Configuring User Interfaces

When a user uses a console port, Telnet, or SSH (STelnet) to log in to a ATN, the system manages
the session between the user and the ATN on the corresponding user interface.
1.4.1 User Interface Overview

The system supports console and Virtual Type Terminal (VTY) user interfaces.
Issue 02 (2013-12-31)

39

Equipment
Each user interface has a user interface view. A user interface view is a command line view the
system provides to configure and manage all the physical and logical interfaces in asynchronous
mode.
User Interfaces Supported by the System

l
Console port (CON)

The console port is a serial port provided by the main control board of the device.
The main control board provides one console port. A terminal can use this port to connect
directly to a device to perform local configurations.
Virtual type terminal (VTY)

A VTY is a logical terminal line. A VTY connection is set up when a device uses Telnet
to connect to a terminal. This kind of connection is used to locally or remotely access a
device.
Numbering of a User Interface

After a user logs in to the device, the system assigns the user the lowest numbered idle user
interface. The type of interface assigned depends on the user's login mode. There are two ways
to number user interfaces:
l
Relative numbering
Relative numbering uses a user interface type + number format.
Relative numbering is used to specify user interfaces of a particular type. It can be used to
number single user interfaces or user interface groups and must adhere to the following
rules:
Number of the console port: CON 0
Number of the VTY: VTY 0 for the first line, VTY 1 for the second line, and so on
Absolute numbering
Absolute numbering is used to give a single user interface or a group of user interfaces a
unique number.
Absolute numbering starts with 0. Ports are numbered in a sequence beginning with CON
-> VTY. There is only one console port, and 0-15 VTY interfaces. You can use the userinterface maximum-vty command to set the maximum number of user interfaces.
By default, the system supports three types of user interfaces: CON and VTY.
Table 1-10 shows absolute numbers for the user interfaces in this system.
Table 1-10 Description of absolute and relative numbers for user interfaces
Issue 02 (2013-12-31)
User
interface
Description
Absolute
Number
Relative Number
Console user
interface
Manages and
monitors users that
log in through the
console port.

40

Equipment
User
interface
Description
Absolute
Number
Relative Number
VTY user
interface
Manages and
monitors users that
use Telnet or SSH to
log in.
34 to 48, and 50
to 54
l Absolute numbers 34 to
48 correspond to relative
numbers TTY 0 to TTY
14.
Among the
absolute
numbers, 49 is
reserved for
future use and
50 to 54 are
reserved for the
network
management
system.
l Absolute numbers 50 to
54 correspond to relative
numbers TTY 16 to TTY
20.
Among the relative numbers,
VTY 15 is reserved for
future use and VTY 16 to
VTY 20 are reserved for the
network management
system.
NOTE
The absolute numbers allocated for VTY interfaces are device-specific.
Run the display user-interface command to view the absolute number of user interfaces.
Authentication of a User Interface

After a user is configured, the system authenticates the user during login.
There are two user authentication modes: password and AAA, which are described as follows:
l
Password authentication: Users must enter a password, but not a username, during the login
process.
AAA authentication: Users must enter a password and a username during the login process.
Telnet/SSH users are usually authenticated in this mode.
Priority of a User Interface

Users logged in to the ATN are managed according to their levels.
A user's level determines the level of commands the user is authorized to run.
l
In the case of password authentication, the level of the command the user can run is
determined by the level of the user interface.
In the case of AAA authentication, the level of the command the user can run is determined
by the level of the local user specified in the AAA configuration.
1.4.2 Configuring the Console User Interface

If you log in to the device through a console port to perform local maintenance, you can configure
attributes for the console user interface as needed.
Issue 02 (2013-12-31)

41

Equipment
Before You Start

Before configuring the console user interface, familiarize yourself with the applicable
If you need to log in to the ATN through a console port to perform local maintenance, you can
configure the corresponding console user interface, including the physical attributes, terminal
attributes, user priority, and user authentication mode. These parameters have default values that
require no additional configuration, but you may modify these parameters as needed.
Before configuring a console user interface, use a terminal to log in to the ATN.
Data Preparation
To configure a console user interface, you need the following data.
No.
Data
Baud rate, flow-control mode, parity, stop bit, and data bit
Idle timeout period, terminal screen length, number of characters in each line
displayed in a terminal screen,and the size of the history command buffer
User priority
User authentication method, username, and password
NOTE
All the default values (excluding the password and username) are stored on the ATN and do not need
additional configuration.
Setting Terminal Attributes of the Console User Interface

This section describes how to set terminal attributes of the console user interface, including the
user timeout disconnection function, number of lines or number of characters in each line
displayed on a terminal screen, and size of the history command buffer.
Context
Terminal attributes of the console user interface have default values on the ATN that you may
modify as needed.
Procedure
Step 1 Run:
system-view
Issue 02 (2013-12-31)

42

Equipment

Step 2 Run:
user-interface console interface-number
The console user interface view is displayed.

Step 3 Run:
shell
The terminal service is started.

Step 4 Run:
idle-timeout minutes [ seconds ]
The idle timeout period is set.

If a connection remains idle for the timeout period, the system automatically terminates the
connection.
By default, the idle timeout period on the user interface is 10 minutes.
Step 5 Run:
screen-length screen-length [ temporary ]
The terminal screen length is set.

The parameter temporary is used to display the number of lines to be temporarily displayed on
a terminal screen.
By default, the terminal screen length is 24 lines.
Step 6 Run:
screen-widthscreen-width
The maximum number of characters in each line displayed on a terminal screen is set.
By default, each line displayed on a terminal screen has a maximum of 80 characters.
Step 7 Run:
history-command max-size size-value
The history command buffer is set.

By default, the size of the history command buffer is 10 entries.
----End
Configuring the User Privilege of the Console User Interface

This section describes how to control a user's authority to log in to the ATN and how to configure
a user's priority to improve ATN security.
Context
l
Issue 02 (2013-12-31)
Users are classified into 16 levels (numbered 0 to 15). The greater the number, the higher
the user level.
43

Equipment
This procedure sets the priority of a user who logs in through the console port. A user's
level determines the level of commands the user is authorized to run.
For details about command levels, see section 2.1.2 "Command Levels".
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
user privilege level level
The user privilege is set.

NOTE
l By default, users that log in through the console user interface can use level 15 commands, and users
logging in through other user interfaces can use commands at level 0.
l If the command level and user level are inconsistent, the user level takes precedence.
----End
Configuring the User Authentication Mode of the Console User Interface

The system provides two authentication modes: AAA and password. Configuring user
authentication modes improves ATN security.
Context
The system provides two authentication modes, as described in Table 1-11.
Table 1-11 Authentication Modes
Authen
tication
Mode
Advantage
Disadvantage
AAA
AAA provides user authentication with high

security.
The configuration is complex.

The user name and password for
AAA authentication must be
created.
The user name and password must be entered

for login.
Passwor
d
authenti
cation
Issue 02 (2013-12-31)
Password authentication is based on VTY

channels, which provides security. The
configuration is simple and only the login
password is needed.

It provides less security than

AAA.
All users can use the login
password to log in to a device.
44

Equipment
Procedure
l
Configure AAA authentication

1.
Run:
system-view

2.
Run:
aaa
The AAA view is displayed.

3.
Run:
local-user user-name password cipher password
A username and password are created for the local user.

4.
Run:
quit
Exit the AAA view.

5.
Run:

6.
Run:
authentication-mode aaa
The authentication mode is set to AAA authentication.

l
Configure password authentication

1.
Run:
system-view

2.
Run:

3.
Run:
authentication-mode password
The authentication mode is set to password authentication.

4.
Run:
set authentication password [ cipher password ]
A password for password authentication is set.
Issue 02 (2013-12-31)

45

Equipment
NOTE
Passwords must meet the following requirements:

l If you do not enter cipher, the password is input in man-machine interaction mode, and
the system does not display the entered password.
The password is a string of 8 to 16 case-sensitive characters. The password must contain
at least two of the following characters: upper-case characters, lower-case characters,
numbers, and special characters.
l When you enter cipher, the password is displayed in either plaintext or ciphertext.
l When you input the password in plaintext, the password requirements are the same as
those when you do not enter cipher.
l When you input the password in ciphertext, the password must be a string of 56
consecutive characters.
The password is displayed in ciphertext in the configuration file regardless of whether you
input it in plaintext or ciphertext.
----End
Checking the Configuration

After configuring the console user interface, you can view information about the user interface,
physical attributes and configurations of the user interface, local user list, and online users.
Prerequisites
The configurations of the user management function are complete.
Procedure
l
Run the display users [ all ] command to check information about the user interface.
Run the display user-interface console ui-number1 [ summary ] command to check

physical attributes and configurations of the user interface.
Run the display local-user command to check the local user list.
----End
Example
Run the display users command to view information about the current user interface.
<HUAWEI> display users
User-Intf
Delay
0
CON 0
00:00:44
Type
Network Address
AuthenStatus
pass
AuthorcmdFlag
no
Run the display user-interface console ui-number1 [ summary ] command to view the physical
attributes and configurations of the user interface.
<HUAWEI> display user-interface console 0
Idx Type
Tx/Rx
Modem Privi ActualPrivi Auth
0
CON 0
9600
3
N
+
: Current UI is active.
F
: Current UI is active and work in async mode.
Idx : Absolute index of UIs.
Type : Type and relative index of UIs.
Issue 02 (2013-12-31)

Int
-
46

Equipment
Privi: The privilege of UIs.

ActualPrivi: The actual privilege of user-interface.
Auth : The authentication mode of UIs.
A: Authenticate use AAA.
N: Current UI need not authentication.
P: Authenticate use current UI's password.
Int : The physical location of UIs.
Run the display local-user command to view the local user list.
<HUAWEI> display local-user
---------------------------------------------------------------------------Username
State Type
CAR Access-limit Online
---------------------------------------------------------------------------user123
Active All
Dft
No
0
ll
Active F
Dft
No
0
user1
Active F
Dft
No
0
---------------------------------------------------------------------------Total 3,3 printed
1.4.3 Configuring the VTY User Interface

If you need to use Telnet or SSH to log in to the ATN and perform local or remote maintenance,
you can configure the VTY user interface as needed.
Before You Start

Before configuring a VTY user interface, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain any data required for the configuration. This
will help you complete the configuration task quickly and correctly.
If you need to use Telnet or SSH to log in to the ATN and perform local or remote maintenance,
you can configure a VTY user interface. You can configure the maximum number of VTY user
interfaces, restrictions on incoming and outgoing calls, terminal property, user priority, and user
authentication mode.
Before configuring a VTY user interface, use a terminal to log in to the ATN.
Data Preparation
To configure a VTY user interface, you need the following data.
Issue 02 (2013-12-31)
No.
Data
Maximum VTY user interfaces
(Optional) ACL code to restrict incoming and outgoing calls on VTY user interfaces
Idle timeout period, number of characters in each line displayed on a terminal screen,
and size of the history command buffer
User priority
47

Equipment
No.
Data
User authentication method, username, and password
NOTE
All of the preceding parameters (excluding the ACL for limiting incoming and outgoing calls in VTY user
interfaces, user authentication method, username, and password) have default values that require no
additional configuration.
Setting the User Priority of the VTY User Interface

This section describes how to control a user's authority to log in to the ATN and how to configure
a user's priority to improve ATN security.
Context
l
Users are classified into 16 levels (numbered 0 to 15). The greater the number, the higher
the user level.
This procedure sets the priority of a user who logs in through the console port. A user's
level determines the level of commands the user is authorized to run.
For details about command levels, see section 2.1.2 "Command Levels".
Procedure
Step 1 Run:
system-view

Step 2 Run:
user-interface vty interface-number
The VTY user interface view is displayed.

Step 3 Run:
The user priority is set.

By default, users who log in through the VTY user interface can use commands at level 0.
NOTE
If the command level configured in the VTY user interface view and user priority are inconsistent, user
priority takes precedence.
----End
Setting the User Authentication Mode of the VTY User Interface

The system provides two authentication modes: AAA and password. Configuring user
authentication modes improves ATN security.
Issue 02 (2013-12-31)

48

Equipment
Context
The system provides two authentication modes, as described in Table 1-12.
Table 1-12 Authentication Modes
Authen
tication
Mode
Advantage
Disadvantage
AAA
AAA provides user authentication with high

security.
The configuration is complex.

The user name and password for
AAA authentication must be
created.
The user name and password must be entered

for login.
Passwor
d
authenti
cation
Password authentication is based on VTY

channels, which provides security. The
configuration is simple and only the login
password is needed.
It provides less security than

AAA.
All users can use the login
password to log in to a device.
Procedure
l
Configuring AAA authentication

NOTE
Before the authentication mode setting to AAA authentication, the priority of the local user should be
seted to level 2.
1.
Run:
system-view

2.
Run:
user-interface vty number1 [ number2 ]

3.
Run:

4.
Run:
quit
You have exited the VTY user interface view.

5.
Run:
aaa

6.
Run:
A username and password are created for the local user.

Issue 02 (2013-12-31)

49

Equipment
7.
Run:
local-user user-name level value
A priority for the local user is set.

l
Configuring password authentication

1.
Run:
system-view

2.
Run:

3.
Run:

4.
Run:
A password is set.
NOTE

l If you do not enter cipher, the password is input in man-machine interaction mode, and
the system does not display the entered password.
l When you input the password in plaintext, the password requirements are the same as
those when you do not enter cipher.
The password is displayed in ciphertext in the configuration file regardless of whether you
input it in plaintext or ciphertext.
----End
Setting the Terminal Attributes of the VTY User Interface

This section describes how to configure the terminal attributes of a VTY user interface, including
the user idle timeout, number of lines or characters displayed in each line in a terminal screen,
and size of the history command buffer.
Context
On the ATN, the terminal attributes of the VTY user interface have default values, which you
can reconfigure as needed.
Issue 02 (2013-12-31)

50

Equipment
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
shell
The VTY terminal service is enabled.

Step 4 Run:
idle-timeout minutes [ seconds ]
The user idle timeout is enabled.

If the connection remains idle for the timeout period, the system automatically terminates the
connection.
By default, the timeout period is 10 minutes.
Step 5 Run:
screen-length screen-length [ temporary ]
The terminal screen length is set.

The parameter temporary is used to display the number of lines to be temporarily displayed on
the terminal screen.
By default, the terminal screen length is 24 lines.
Step 6 Run:
history-command max-size size-value
Set the size of the history command buffer.

By default, a maximum number of 10 commands can be cached in the history command buffer.
----End
Configuring the Maximum Number of VTY User Interfaces

This section describes how to configure the maximum number of VTY user interfaces to limit
the number of users that log in to the ATN.
Context
The maximum number of VTY user interfaces equals the total number of users that can use
Telnet or SSH to log in to the ATN.
Issue 02 (2013-12-31)

51

Equipment
Procedure
Step 1 Run:
system-view

Step 2 Run:
user-interface maximum-vty number
The maximum number of VTY user interfaces is set.

NOTE
When the maximum number of VTY user interfaces is set to zero, no user (including the network
administrator) can use a VTY user interface to log in to the ATN.
If the set maximum number of VTY user interfaces is less than the maximum number of online
users, a message is displayed indicating that the configuration failed.
If the set maximum number of VTY user interfaces is greater than the maximum number of
current interfaces, the authentication mode and password must be set for the newly added user
interfaces.
Consider, for example, a system that permits a maximum of five users to be online. To enable
15 VTY users to be online at the same time, run the authentication-mode command to configure
authentication modes for VTY user interfaces from 5 to 14. The commands are run as follows:
[HUAWEI] user-interface maximum-vty 15
[HUAWEI] user-interface vty 5 14
[HUAWEI-ui-vty5-14] authentication-mode password
----End
(Optional) Setting Restrictions for Incoming and Outgoing Calls on VTY User
Interfaces
This section describes how to configure an ACL to restrict access of incoming and outgoing
calls on a VTY user interface to specific IP addresses or address segments.
Context
Perform the following steps on the device that functions as a server:
Procedure
Step 1 Run:
system-view

Step 2 Compared to a basic ACL that filters packets based on source addresses, an advanced ACL
supports richer filtering rules: not only based on packet source addresses but also based on packet
destination address or priorities. Run either of the following commands:
l For a basic ACL:
Issue 02 (2013-12-31)

52

Equipment
To enter the ACL view, run the acl { [ number ] acl-number1 | name acl-name [ basic ]
[ number acl-number2 ] } [ match-order { auto | config } ] command.
To enter the ACL6 view, run the acl ipv6 { [ number ] acl6-number1 | name acl-name
l For an advanced ACL:
To enter the ACL view, run the acl { [ number ] acl-number1 | name acl-name
[ advance ] [ number acl-number2 ] } [ match-order { auto | config } ] command.
The user interface supports the basic ACL ranging from 2000 to 2999 and the advanced ACL
ranging from 3000 to 3999.
Step 3 Run either of the following commands:
l For a basic ACL:
To configure a basic ACL rule, run the rule [ rule-id ] { deny | permit } [ fragment-type
fragment-type-name | source { source-ip-address source-wildcard | any } | time-range timename | vpn-instance vpn-instance-name ] * command.
To configure a basic ACL6 rule, run the rule [ rule-id ] { deny | permit } [ fragmenttype fragment-type-name | source { source-ip-address source-wildcard | any } | timerange time-name | vpn-instance vpn-instance-name ] * command.
To configure an advanced ACL rule, run the rule [ rule-id ] { deny | permit } protocol
[ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ip-address
destination-wildcard | any } | fragment-type fragment-type-name | source { source-ipaddress source-wildcard | any } | time-range time-name | vpn-instance vpn-instancename ] * command.
To configure an advanced ACL6 rule, run the rule [ rule-id ] { deny | permit } protocol
[ [ traffic-class traffic-class | dscp dscp | [ precedence precedence | tos tos ] * ] |
destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefixlength | any } | fragment | source { source-ipv6-address 3prefix-length | source-ipv6address/prefix-length | any } | time-range time-name | vpn-instance vpn-instance-name ]
* command.
NOTE
l By default, the deny action in an ACL rule is taken for all the login user packets. Only users whose
source IP addresses match the ACL rule with a permit action can log in to the device.
In the following example, two rules are configured to prohibit users with the IP address 10.1.1.10 from
logging in to the device while allowing the other users to log in to the device:
l rule deny source 10.1.1.10 0
l rule permit source any
If the rule permit source any command is not configured, users whose source IP addresses are not
10.1.1.10 will also be prohibited from logging in to the device.
l If a user's source IP address does not match the ACL rule that allows login, the user is prohibited from
logging in to the device.
l If the ACL referenced by VTY does not contain any rules or does not exist, any user can log in to the
device.
Step 4 Run:
Issue 02 (2013-12-31)

53

Equipment
quit

Step 5 Run:
user-interface vty first-ui-number [ last-ui-number ]

Step 6 Run:
acl [ ipv6 ] acl-number { inbound | outbound }
Restrictions for incoming and outgoing calls on the VTY interface are configured.
l If you want to prevent a user with a specific address or segment address from logging in to
the ATN, use the inbound command.
l If you want to enable a user to log in to the ATN but prevent the user from accessing other
ATNs, use the outbound command.
----End
(Optional) Configuring NMS Users to Log In Through VTY User Interfaces

Network Management System (NMS) users can log in to a device through VTY user interfaces
to set device parameters.
Context
NMS users can log in to the ATN through VTY user interfaces to set ATN parameters.
Procedure
Step 1 Run:
system-view

Step 2 Run:
aaa

Step 3 Run:
A local user is created.

Step 4 Run:
local-user user-name user-type netmanager
The local user is set as an NM user.

Step 5 Run:
quit

Issue 02 (2013-12-31)

54

Equipment
Step 6 Run:
The user interface view is displayed.

Step 7 Run:
An authentication mode for logging in to the user interface is configured.

NOTE
The system reserves five VTYs (VTY 16-VTY 20) for an NMS user. The five VTYs are used as special
network management channels. The channels do not support the RSA authentication mode, but they do
support password authentication.
Step 8 Run:
quit

Step 9 Run:
mmi-mode enable
The system is switched to the machine-to-machine mode.

NOTE
l This command is invisible to terminals and cannot be obtained by using the online help. In man-tomachine mode, exercise caution when using this command.
l In the VTY machine-to-machine mode, the system reserves five user interfaces to which an NMS user
can log in through VTYs. A common user cannot log in through Telnet but can log in by using the five
reserved user interfaces.
l In the machine-to-machine mode, the system does not output logs, alarms, or debugging information
to the screen.
l In the machine-to-machine mode, the save and reboot commands can be used directly.
l In the machine-to-machine mode, a maximum of 512 lines are displayed by default. You can use the
screen-length command to adjust this value. In addition, you can run the screen-length temporary
command to adjust the number of lines temporarily displayed on the screen.
----End

After configuring a VTY user interface, you can view the maximum number of VTY user
interfaces, and physical attributes and configurations of user interfaces.
Prerequisites
The configurations of the VTY user interface are complete.
Procedure
l
Run the display users [ all ] command to check information about user interfaces.
Run the display user-interface maximum-vty command to check the maximum number
of VTY user interfaces.
Issue 02 (2013-12-31)

55

Equipment
Run the display user-interface [ ui-type ui-number1 | ui-number ] [ summary ] command

to check the physical attributes and configurations of user interfaces.
Run the display vty mode command to check the VTY mode.
----End
Example
Run the display users command to view information about current user interfaces.
User-Intf
Delay
Type
34 VTY 0
00:00:12 TEL
+ 35 VTY 1
00:00:00 TEL
Network Address
10.138.77.38
AuthenStatus
10.138.77.57
AuthorcmdFlag
no
no
Run the display user-interface maximum-vty command to view the maximum number of VTY
user interfaces.
<HUAWEI> display user-interface maximum-vty
Maximum of VTY user:15
Run the display user-interface vty [ ui-number1 | ui-number ] [ summary ] command to check
the physical attributes and configurations of user interfaces.
<HUAWEI> display user-interface vty 0
Idx Type
Tx/Rx
+ 34
VTY 0
14
14
N
+
F
Int
-
---------------------------------------------------------------------------Username
State Type
---------------------------------------------------------------------------user123
Active All
Dft
No
0
ll
Active F
Dft
No
0
user1
Active F
Dft
No
0
---------------------------------------------------------------------------Total 3,3 printed
Run the display vty mode command to view the message indicating that the machine-to-machine
interface is enabled. For example:
<HUAWEI> display vty mode
current VTY mode is Machine-Machine interface
Issue 02 (2013-12-31)

56

Equipment

This section provides examples for configuring console and VTY user interfaces. These
configuration examples explain the networking requirements and provide configuration
roadmaps and notes.
Example for Configuring the Console User Interface

In this example, a console user interface is configured to allow a user in password authentication
mode to log in to the ATN. The physical attributes, terminal attributes, user priority, user
authentication mode, and password are set for the interface.
Networking Requirements
A user uses the console user interface to log in to the ATN to initialize ATN configurations or
perform local router maintenance. You can set console user interface attributes (for example,
security considerations) to allow user logins.
In the console user interface view, the user priority is set to 15, and the password authentication
mode is set (the password is huawei@123).
If no user activity occurs and a connection is idle for more than 30 minutes after login, the
connection is torn down.
Configuration Roadmap
The configuration roadmap is as follows:
1.
Set terminal attributes of the console user interface.
2.
Set the user priority of the console user interface.
3.
Set the user authentication mode and password of the console user interface.
Data Preparation
To complete the configuration, you need the following data:
l
Timeout period for disconnecting from the console user interface: 30 minutes
Number of lines a terminal screen displays: 30
Number of characters a terminal screen displays: 60
Size of the history command buffer: 20
User priority: 15
User authentication mode: password (password: huawei@123)
Procedure
Step 1 Set terminal attributes of the console user interface.
[HUAWEI-ui-console0]
Issue 02 (2013-12-31)
shell
idle-timeout 30
screen-length 30
screen-width 60
history-command max-size 20

57

Equipment
Step 2 Set the user priority of the console user interface.

[HUAWEI-ui-console0] user privilege level 15
Step 3 Set the user authentication mode in the console user interface to password.
[HUAWEI-ui-console0] authentication-mode password
[HUAWEI-ui-console0] set authentication password cipher huawei@123
[HUAWEI-ui-console0] quit
After the console user interface is configured, a user in password authentication mode can use
a console port to log in and perform local maintenance on the ATN. For details on how a user
logs in to the ATN, see chapter 1.5 Configuring User Login.
----End
Configuration Files
#
sysname HUAWEI
#
user-interface con 0
user privilege level 15
set authentication password cipher %@%@Cj+WL0Fp7Jds;@:9{6%5,"OpW%*U6"M&|')[9dQM
qc$O"Os,%@
idle-timeout 30 0
screen-length 30
#
return
Example for Configuring a VTY User Interface

In this example, a VTY user interface is configured to enable a user in password authentication
mode to use Telnet or SSH (Stelnet) to log in to the ATN. The maximum number of VTY user
interfaces permitted, restrictions for incoming and outgoing calls, terminal attributes,
authentication mode, and password are set for the interface.
A user uses Telnet or SSH to log in to the ATN using a VTY channel. You can set VTY user
interface attributes as needed (for example, security considerations) to enable user logins.
In the VTY user interface, the user priority is set to 15, the authentication mode is set to password
authentication, and the password is "huawei@123". A user with the IP address of 10.1.1.1 is
prohibited from logging in to the ATN.
If no user activity occurs and a connection is idle for more than 30 minutes after login, the
connection is torn down.
1.
Enter the interface view and set the maximum number of VTY user interfaces to 15.
2.
Set restrictions for incoming and outgoing calls on the VTY user interface to prevent an IP
address or an IP address segment for accessing the ATN.
3.
Set terminal attributes of the VTY user interface.
Issue 02 (2013-12-31)

58

Equipment
4.
Set the user priority of the VTY user interface.
5.
Set the authentication mode and password of the VTY user interface.
Data Preparation
l
Maximum number of VTY user interfaces: 15
ACL applied to restrict incoming calls on the VTY user interface: 2000
Timeout period for disconnecting from the VTY user interface: 30 minutes
Number of characters a terminal screen displays: 60
User priority: 15
User authentication mode: password (password: huawei@123)
Procedure
Step 1 Set the maximum number of VTY user interfaces.
Step 2 Set the limit on call-in and call-out in the VTY user interface.
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000]
[HUAWEI-acl-basic-2000]
[HUAWEI] user-interface
[HUAWEI-ui-vty0-14] acl
rule deny source 10.1.1.1 0

quit
vty 0 14
2000 inbound
Step 3 Set terminal attributes of the VTY user interface.

[HUAWEI-ui-vty0-14]
[HUAWEI-ui-vty0-14]
[HUAWEI-ui-vty0-14]
[HUAWEI-ui-vty0-14]
[HUAWEI-ui-vty0-14]
shell
idle-timeout 30
screen-length 30
screen-width 60
Step 4 Set the user priority of the VTY user interface.

[HUAWEI-ui-vty0-14] user privilege level 15
Step 5 Set the authentication mode and password of the VTY user interface.
[HUAWEI-ui-vty0-14] authentication-mode password
[HUAWEI-ui-vty0-14] set authentication password cipher huawei@123
[HUAWEI-ui-vty0-14] quit
After the VTY user interface is configured, a user authenticated in password mode can use Telnet
or SSH (Stelnet) to log in to the ATN and perform local or remote maintenance on the ATN.
For details on how a user logs in to the ATN, see the 1.5 Configuring User Login.
----End
Configuration Files
#
sysname HUAWEI
#
Issue 02 (2013-12-31)

59

Equipment
acl number 2000

rule 5 deny source 10.1.1.1 0
rule permit source any
#
user-interface maximum-vty 15
user-interface vty 0 14
acl 2000 inbound
user privilege level 15
set authentication password cipher %@%@1hG-2Z>g0GbO,b4AEnC/.HD{DMZ@*Gsm4-nwZ3EP
_IF;HD!.%@%@
idle-timeout 30 0
screen-length 30
#
return
1.5 Configuring User Login

A user can log in to the ATN through a console port, or by using Telnet or SSH (STelnet). The
user can maintain the ATN locally or remotely after login.
1.5.1 User Login Overview

When the device works as the server, a user can log in to the device through a console port,
Telnet, STelnet, or web.
A user can manage devices by using either of the following methods:
l
Command line: After logging in to the device through the console port, Telnet, or STelnet,
the user runs command lines provided by the devices to manage and configure the devices.
The user interface must be configured for the corresponding login mode.
Table 1-13 lists the modes by which users can log in to the device to configure and manage
the device using command lines.
Issue 02 (2013-12-31)

60

Equipment
Table 1-13 User login modes

Login Mode
Applicable Scenario
Remarks
1.5.2 Logging In
to Devices
Through the
Console Port
A user logs in to the device

using the console port on
the user terminal to power
on and configure the
device for the first time.
By default, a user can use the console

port to directly log in to the device. The
authentication mode is password
authentication, which indicates that a
password is required for
authentication. The command access
level is 3.
l If a user cannot access

the device remotely,
the user can use the
console port to log in to
the device locally.
l A user can use the
console port to log in to
diagnose a fault if the
device fails to start or
to enter the BootROM
to upgrade the system.
1.5.3 Using
Telnet to Log In
to Devices
A user uses a terminal to

access the network and
then uses Telnet to log in
to the device to perform
local or remote
configuration. The target
device uses the configured
login parameters to
authenticate the user.
The Telnet login mode
facilitates remote device
management and
maintenance.
By default, a user cannot use Telnet to

log in to the device directly. To enable
Telnet login, use the console port to log
in to the device locally and then
perform the following configuration
tasks:
l Configure the IP address of the
management network port on the
device and ensure that a reachable
route exists between the user
terminal and the device. By default,
an IP address is not configured on
the device.
l Configure the user authentication
mode of the VTY user interface. By
default, the user authentication
mode of the VTY user interface is
not configured. Administrators
must manually set a user
authentication mode for the VTY
user interface.
l Configure the user access level of
the VTY user interface. By default,
the user access level of the VTY
user interface is 0.
l Enable the Telnet server function.
Issue 02 (2013-12-31)

61

Equipment
Login Mode
Applicable Scenario
Remarks
1.5.4 Using
STelnet to Log
In to Devices
A user uses a terminal to

access the network. If the
network is insecure, use
the Secure Shell (SSH)
protocol to increase the
security of the
transmission and utilize a
powerful authentication
mechanism. SSH protects
the device system against
attacks, such as IP
proofing and plain text
password interception.
By default, a user can use use STelnet

to directly log in to the device. The
authentication mode is password
authentication, which indicates that a
password is required for
authentication. The command access
level is 3.
The STelnet login mode

better ensures the security
of the exchanged data.
NOTE
Using Telnet to log in is an insecure method because no secure authentication mechanism is used
and data is transmitted over TCP in plain text mode. Unlike Telnet, SSH authenticates clients and
encrypts data in both directions to guarantee secure transmissions on a conventional insecure network.
SSH supports security Telnet (STelnet).
For detailed information about SSH, see Feature Description - Basic Configurations.
1.5.2 Logging In to Devices Through the Console Port

When a user needs to maintain a router locally or configure a ATN that is being powered on for
the first time, the user can log in through a console port.
Before You Start

Before configuring user login through a console port, familiarize yourself with the applicable
A user can locally log in to a device through a console port. The user must log in through a
console port when a router is being powered on for the first time.
l
If a user cannot access the device remotely, the user can use the console port to log in to
the device locally.
A user can use the console port to log in to diagnose a fault if the device fails to start or to
enter the BootROM to upgrade the system.
Issue 02 (2013-12-31)

62

Equipment
Before configuring user login through a console port, complete the following tasks:
l
Configure the PC/terminal (including the serial port and console cable)
Install the terminal emulator (for example, the Windows XP HyperTerminal) to the PC
Data Preparation
To configure user login through a console port, you need the following data.
No.
Data
l Transmission rate, flow control mode, parity mode, stop bit, and data bit
l Number of lines displayed in a terminal screen, number of characters displayed
in a terminal screen, and size of the history command buffer
l User priority
l User authentication mode, username, and password
Logging In to the Device Using a Console Port

A user can log in by using a console port to connect a terminal to the device.
Context
l
Communication parameters of the user terminal must match physical attribute parameters
of the console user interface on the device.
A user authentication mode must be configured on the console user interface.

Authentication enhances network security because a user can log in to the device only after
being successfully authenticated.
Procedure
Step 1 Start a terminal emulator on the PC and create a connection, as shown in Figure 1-6.
Issue 02 (2013-12-31)

63

Equipment
Figure 1-6 Creating a connection
Step 2 Set an interface, as shown in Figure 1-7.

Figure 1-7 Settings an interface
Step 3 Set communication parameters to match the ATN defaults, as shown in Figure 1-8.
Issue 02 (2013-12-31)

64

Equipment
Figure 1-8 Setting communication parameter
Step 4 Press Enter. At the following command-line prompt, set an authentication password. The system
automatically saves the new password.
An initial password is required for the first login via the console.
Set a password and keep it safe! Otherwise you will not be able to login via the
console.
Enter Password:
Confirm Password:
Issue 02 (2013-12-31)

65

Equipment
NOTE
l If the device has the default password before delivery, enter the default password Admin@huawei.com
to log in. The password is insecure, so you must change it immediately. For details on how to change
the password, see Configuring the User Authentication Mode of the Console User Interface.
l After you set the password for the user interface, you must use this user interface to log in to the system
again. Use password authentication mode and enter the new password.
l The passwords must meet the following requirements:
l The password input is in man-machine interaction mode, and the system does not display the
entered password.
l The password is a string of 8 to 16 case-sensitive characters. The password must contain at least
two of the following characters: upper-case characters, lower-case characters, numbers, and special
characters.
The configured password is displayed in the configuration file in ciphertext.
l After you restart the device using the console port, press Enter after the following information is
displayed.
Recover configuration...OK!
Press ENTER to get started.
----End
(Optional) Configuring the Console User Interface

If you log in to the device through a console port to perform local maintenance, you can configure
attributes for the console user interface as needed.
Context
Console user interface attributes have default values on the device, and generally need no
modification. To meet specific user requirements or ensure network security, you can modify
console user interface attributes, such as terminal attributes and the user authentication mode.
For detailed settings, see section 4.2 Configuring Console User Interface.
NOTE
Changes to console user interface attributes take effect immediately. Therefore, the connection may be
interrupted if console user interface attributes are modified when you log in to the device through the
console port. For this reason, use another login mode to log into the device when you modify console user
interface attributes. To log in to the device through the console port after you chang the default console
user interface attributes, ensure that the configuration of the terminal emulator running on the PC is
consistent with the console user interface attributes configured on the device.

After logging in through a console port, a user can view the usage information, physical attributes
and configurations, local user list, and online users on the console user interface.
Prerequisites
Configurations that enable a user to log in through a console port are complete.
Issue 02 (2013-12-31)

66

Equipment
Procedure
l
Run the display users [ all ] command to check information about the user interface.
Run the display user-interface console ui-number1 [ summary ] command to check

physical attributes and configurations of the user interface.
----End
Example
Run the display users command to view information about the current user interface.
User-Intf
Delay
0
CON 0
00:00:44
Type
Network Address
AuthenStatus
pass
AuthorcmdFlag
no
Run the display user-interface console ui-number1 [ summary ] command to view the physical
attributes and configurations of the user interface.
<HUAWEI> display user-interface console 0
Idx Type
Tx/Rx
0
CON 0
9600
3
N
+
F
Int
-
---------------------------------------------------------------------------Username
State Type
---------------------------------------------------------------------------user123
Active All
Dft
No
0
ll
Active F
Dft
No
0
user1
Active F
Dft
No
0
---------------------------------------------------------------------------Total 3,3 printed
1.5.3 Using Telnet to Log In to Devices

When multiple ATNs need to be configured and managed, you do not need to maintain each
ATN locally. Instead, you can use Telnet to remotely log in to the ATNs and perform
maintenance, which greatly facilitates device management.
Context
The Telnet protocol poses a security risk, and therefore the STelnet protocol is recommended.
Issue 02 (2013-12-31)

67

Equipment
Before You Start

Before using Telnet to configure user login, familiarize yourself with the applicable
If you know the IP address of a remote ATN, you can use Telnet to log in to the ATN from a
local terminal. Telnet login allows you to maintain multiple remote ATNs from one local
terminal, which greatly facilitates device management.
Note that ATN IP addresses must be preset through console ports.
Before using Telnet to configure user login, you must log in to the device through the console
port to change the following default configurations on the device. Then users can use Telnet to
remotely log in to the device to manage and maintain it.
l
Configure the IP address of the management network port on the device and ensure that a
reachable route exists between the user terminal and the device
Configuring the User Access Level and User Authentication Mode of the VTY User
Interface for remote device management and maintenance
Enabling the Telnet Service so that users can remotely log in to the device through Telnet
Data Preparation
Before configuring Telnet user login, you need the following data.
No.
Data
l User priority
l User authentication mode, username, and password
l (Optional) Maximum number of VTY user interfaces permitted
l (Optional) ACL to restrict incoming and outgoing calls on VTY user interfaces
l (Optional) Connection timeout period of terminal users, number of lines displayed
in a terminal screen, number of characters displayed in a terminal screen, and size
of the history command buffer
IPv4/IPv6 address or host name of the ATN
TCP port number the remote device uses to provide Telnet services, and the VPN
instance name
Interface
By default, the user access level of the VTY user interface is 0. To enable a user terminal to use
Telnet to remotely log in to the device for maintenance and management, log in to the device
Issue 02 (2013-12-31)

68

Equipment
using the console port, change the user access level, and set a user authentication mode for the
VTY user interface.
Context
In general, the default values of other VTY user interface attributes do not need to be modified.
These attributes can be changed if necessary. For details, see section 4.4 Configuring the VTY
User Interface.
The sequence of the following steps is not fixed but all the configurations are mandatory.
Procedure
l
Configure the user access level of the VTY user interface.

1.
Run:
system-view

2.
Run:

3.
Run:
The user access level is set.

By default, the user access level of the VTY user interface is 0. Table 1-14 describes
the relationship between the user access levels and command levels.
User
Lev
el
Co
mm
and
Lev
el
Level
Name
Description
Visit
level
This level gives access to commands that run network

diagnostic tools, such as ping and tracert, and commands
that start from a local device and visit external devices,
such as Telnet client side.
0 and
1
Monit
oring
level
This level gives access to commands, such as the

display command, that are used for system maintenance
and fault diagnosis.
NOTE
Some display commands are not at this level. For example, the
display current-configuration and display savedconfiguration commands are at level 3. For details about
command levels, see ATN Command Reference.
Issue 02 (2013-12-31)

69

Equipment
User
Lev
el
Co
mm
and
Lev
el
Level
Name
Description
0, 1,
and 2
Config
uration
level
This level gives access to commands that configure

network services provided directly to users, including
routing and network layer commands.
3-15
0, 1,
2,
and 3
Manag
ement
level
This level gives access to commands that control basic

system operations and provide support for services. These
commands include file system commands, FTP
commands, TFTP commands, configuration file
switching commands, power supply control commands,
user management commands, level setting commands,
and debugging commands for fault diagnosis.
NOTE
l Different user access levels are associated with different command levels. A user at a certain
access level can use only commands that have a level less than or equal to the command
level of the user. This helps ensure the security of the device.
l If the configured command level of the user interface conflicts with the operation rights of
the username, the operation rights of the username take precedence.
Configure the user authentication mode of the VTY user interface.

Two authentication modes are available: password authentication, and AAA
authentication.
Configuring Password Authentication
1.
Run:
system-view

2.
Run:

3.
Run:

4.
Run:
A password in the encrypted text for password authentication is set.
Issue 02 (2013-12-31)

70

Equipment
NOTE

l If you do not enter cipher, the password is input in man-machine interaction mode,
and the system does not display the entered password.
l When you input the password in plaintext, the password requirements are the same
as those when you do not enter cipher.
The password is displayed in ciphertext in the configuration file regardless of whether
you input it in plaintext or ciphertext.
Configuring AAA Authentication

When the user authentication mode of the VTY user interface is set to AAA
authentication, the access type of the local user must be specified. A management user
belongs to the default_admin domain by default.
1.
Run:
system-view

2.
Run:
aaa

3.
Run:
A username and password for the local user are created.

4.
Run:
local-user user-name service-type telnet
The access type of the local user is set to Telnet.

5.
Run:
quit
You have exited the AAA view.

6.
Run:

7.
Run:

----End
Issue 02 (2013-12-31)

71

Equipment
Enabling the Telnet Service

Before a user terminal establishes a Telnet connection with the device, log in to the device
through the console interface to enable the Telnet server function on the device. Then the user
terminal can use Telnet to remotely log in to the device.
Context
Do as follows on the device that serves as an Telnet server.
On the device that serves as a Telnet server, select and perform the following steps for either
IPv4 or IPv6.
Procedure
l
For the IPv4 network

1.
Run:
system-view

2.
Run:
telnet server enable
The Telnet service is enabled.

l
For the IPv6 network

1.
Run:
system-view

2.
Run:
telnet ipv6 server enable
The Telnet service is enabled.

NOTE
l If the undo telnet [ipv6] server enable command is run when a user uses Telnet to log in,
the command does not take effect.
l After the Telnet server function is disabled, you can only use SSH or an asynchronous
serial port (rather than Telnet) to log in to the device.
----End
Using Telnet to Log In to the Device

After a remote device is configured, use Telnet to log in to the device from a terminal and perform
remote maintenance on the device.
Context
Use either the Windows CLI or third-party software in the terminal to log in to the ATN through
Telnet. This section describes how to use the Windows command line prompt.
On the user terminal, perform the following steps::
Issue 02 (2013-12-31)

72

Equipment
Procedure
Step 1 Open the Windows CLI.
Step 2 Run the telnet ip-address command to Telnet the device.
1.
Input the IP address of the Telnet server, as shown in Figure 5-10.

Figure 1-9 Windows CLI
2.
Press Enter to display the command line prompt, such as <HUAWEI>, for the system
view. This indicates that you have accessed the Telnet server.
If the password or AAA authentication mode has been set on the device, you must enter
the login user name and password, and press Enter. The command line prompt of the user
view is displayed, as shown in Figure 1-10.
Figure 1-10 Login
----End
(Optional) Configuring the Listening Port Number of the Telnet Server

Setting appropriate parameters for the Telnet server, such as the listening port number and source
interface, improves network security.
Context
l
Listening port number

By default, the listening port number of a Telnet server is 23. Users can use the default
listening port number to directly log in to the ATN. Attackers may access the default
Issue 02 (2013-12-31)

73

Equipment
listening port, which consumes bandwidth, deteriorates server performance, and causes
authorized users to be unable to access the server. After the listening port number of the
Telnet server is changed, attackers do not know the new listening port number. This
effectively prevents attackers from accessing the listening port.
l
Source interface
By default, a Telnet server receives connection requests from all interfaces, and therefore,
the system is vulnerable to attacks. To enhance system security, you can specify the source
interface of the Telnet server. This sets a login condition, and then only authorized users
can log in to the Telnet server.
After the source interface is specified, the system only allows Telnet users to log in to the
Telnet server through this source interface, and Telnet users logging in through other
interfaces are denied. Note that setting this parameter only affects Telnet users that attempt
to log in to the Telnet server, and it does not affect Telnet users that have logged in to the
server.
Perform the following on the ATN that functions as a Telnet server:
Procedure
Step 1 Run:
system-view

Step 2 Configure Telnet server parameters.
l Run:
telnet server port port-number
The listening port number of the Telnet server is set.

If a new listening port number is set, the Telnet server terminates all established Telnet
connections, and uses the new port number to listen to new requests for Telnet connections.
l Run:
telnet server-source -i loopback interface-number
The source interface of the Telnet server is set.

NOTE
Before specifying the source interface of the Telnet server, ensure that the loopback interface to be
specified as the source interface has been created. If the loopback interface has not been created, the
telnet server-source command cannot be correctly executed.
----End
(Optional) Configuring Telnet Access Control

An ACL can be configured to allow only specified clients to access an Telnet server.
Context
When a device functions as an Telnet server, you can configure an ACL to allow only the clients
that meet the rules specified in the ACL to access the Telnet server.
Do as follows on the device that functions as an Telnet server:
Issue 02 (2013-12-31)

74

Equipment
Procedure
Step 1 Run:
system-view

Step 2 Run:
acl { [ number ] acl-number1 | name acl-name [ basic ] [ number acl-number2 ] }
[ match-order { auto | config } ] or acl ipv6 { [ number ] acl6-number1 | name aclname [ number acl-number2 ] } [ match-order { auto | config } ]
The ACL or ACL6 view is displayed.

Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment-type fragment-type-name | source
{ source-ip-address source-wildcard | any } | time-range time-name | vpn-instance
vpn-instance-name ] * or rule [ rule-id ] { deny | permit } [ fragment | source
{ source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } |
time-range time-name | vpn-instance vpn-instance-name ] *
The ACL or ACL6 rule is configured.

NOTE
l If the ACL referenced by FTP does not contain any rules or does not exist, any user can log in to the
device.
Step 4 Run:
quit

Step 5 Run:
telnet [ ipv6 ] server acl { acl-number | acl-name }
An ACL is configured to filter Telnet users.

----End

After you use Telnet to log in to the system, you can view the connection status of each user
interface, including the current user interface, and the status of all established TCP connections.
Prerequisites
Telnet login configurations are complete.
Issue 02 (2013-12-31)

75

Equipment
Procedure
l
Run the display users [ all ] command to check information about users logged in to user
interfaces.
Run the display tcp status command to check TCP connections.
Run the display telnet server status command to check the configuration and status of the
Telnet server.
----End
Example
Run the display users command to view information about the currently-used user interface.
User-Intf
Delay
34 VTY 0
00:00:12
+ 35 VTY 1
00:00:00
Type
TEL
Network Address
10.138.77.38
TEL
10.138.77.57
AuthenStatus
AuthorcmdFlag
no
no
Run the display tcp status command to view TCP connections. In the command output,
Established indicates that a TCP connection has been established.
<HUAWEI> display tcp status
TCPCB
Tid/Soid
Local Add:port
State
39952df8
36 /1509
0.0.0.0:0
Closed
32af9074
59 /1
0.0.0.0:21
Listening
34042c80
73 /17
10.164.39.99:23
Established
Foreign Add:port
VPNID
0.0.0.0:0
0.0.0.0:0
14849
10.164.6.13:1147
Run the display telnet server status command to view the configuration and status of the Telnet
server.
<HUAWEI> display telnet server status
TELNET IPV4 server
TELNET IPV6 server
TELNET server port
TELNET Server Source address
ACL4 number
ACL6 number
:Enable
:Enable
:23
:0.0.0.0
:0
:0
1.5.4 Using STelnet to Log In to Devices

STelnet provides secure remote access over an insecure network. After the client/server
negotiation is complete and a secure connection is established, STelnet login is similar to Telnet
login.
Before You Start

Before configuring users to log in using STelnet, familiarize yourself with the applicable
Issue 02 (2013-12-31)

76

Equipment
Telnet logins present security risks because no secure authentication mechanism exists and data
is transmitted over TCP in plain text mode. Unlike Telnet, SSH authenticates clients and encrypts
data in both directions to guarantee secure transmissions on a conventional insecure network.
SSH supports STelnet, and SFTP.
l
Configure the IP address of the management network port on the device and ensure that a
reachable route exists between the user terminal and the device
Configure the user access level and authentication mode of the VTY user interface for
remote device management and maintenance.
Configure the VTY user interface to support the SSH protocol, configure the SSH
user and specify STelnet as a service mode for the SSH user, and enable the STelnet
server function so that the user can remotely log in to the device through STelnet
Data Preparation
To configure users to log in using STelnet, you need the following data:
No.
Data
User authentication mode, username, password, (optional)maximum number of VTY

user interfaces permitted, (optional) ACL for restricting incoming and outgoing calls
on VTY user interfaces, (optional)connection timeout period for terminal users,
number of rows displayed in a terminal screen, and size of the history command buffer
Username, password, authentication mode, and service type of an SSH user, and
remote public Revest-Shamir-Adleman Algorithm (RSA) or Digital Signature
Algorithm (DSA) or Elliptic Curves Cryptography (ECC) key pair allocated to the
SSH user
(Optional) Name of an SSH server, number of the port monitored by the SSH server,
preferred encryption algorithm from the STelnet client to the SSH server, preferred
encryption algorithm from the SSH server to the STelnet client, preferred Hashed
message authentication code (HMAC) algorithm from the STelnet client to the SSH
server, preferred HMAC algorithm from the SSH server to the STelnet client,
preferred algorithm for key exchange, name of the outgoing interface, and source
address
Interface
By default, the user access level is 0. Before logging in to the device using STelnet for
maintenance and management, you must log in to the device through the console port to change
the user access level, and set a user authentication mode.
Issue 02 (2013-12-31)

77

Equipment
Context
User Interface.
The sequence of the following steps is not fixed but all the configurations are mandatory.
Procedure
l
Configure the user access level of the VTY user interface.

1.
Run:
system-view

2.
Run:

3.
Run:
The user access level is set.

By default, the user access level of the VTY user interface is 0. Table 1-15 describes
the relationship between the user access levels and command levels.
User
Lev
el
Co
mm
and
Lev
el
Level
Name
Description
Visit
level
This level gives access to commands that run network

diagnostic tools, such as ping and tracert, and commands
that start from a local device and visit external devices,
such as Telnet client side.
0 and
1
Monit
oring
level
This level gives access to commands, such as the

display command, that are used for system maintenance
and fault diagnosis.
NOTE
Some display commands are not at this level. For example, the
display current-configuration and display savedconfiguration commands are at level 3. For details about
command levels, see ATN Command Reference.
Issue 02 (2013-12-31)
0, 1,
and 2
Config
uration
level
This level gives access to commands that configure

network services provided directly to users, including
routing and network layer commands.

78

Equipment
User
Lev
el
Co
mm
and
Lev
el
Level
Name
Description
3-15
0, 1,
2,
and 3
Manag
ement
level
This level gives access to commands that control basic

system operations and provide support for services. These
commands include file system commands, FTP
commands, TFTP commands, configuration file
switching commands, power supply control commands,
user management commands, level setting commands,
and debugging commands for fault diagnosis.
NOTE
l Different user access levels are associated with different command levels. A user at a certain
access level can use only commands that have a level less than or equal to the command
level of the user. This helps ensure the security of the device.
l If the configured command level of the user interface conflicts with the operation rights of
the username, the operation rights of the username take precedence.
Configure the user authentication mode of the VTY user interface.

When the authentication mode of the VTY user interface is set to AAA authentication, the
access type of the local user must be specified.
1.
Run:
system-view

2.
Run:
A username and password for the local user are created.

3.
Run:
local-user user-name service-type ssh
The access type of the local user is set to SSH.

4.
Run:

5.
Run:

----End
Configuring SSH for the VTY User Interface

For users to log in to the device using STelnet, VTY user interfaces must be configured to support
SSH.
Issue 02 (2013-12-31)

79

Equipment
Context
By default, user interfaces support Telnet. A user interface must be configured to support SSH
for users to log in to the device using STelnet.
NOTE
A VTY user interface configured to support SSH must also be configured with AAA authentication.
Otherwise, the protocol inbound ssh command cannot be configured.
Perform the following on the ATN that serves as an SSH server:
Procedure
Step 1 Run:
system-view

Step 2 Run:
user-interface [ vty ] first-ui-number [ last-ui-number ]
The VTY user interface is displayed.

Step 3 Run:
The AAA authentication mode is configured.

Step 4 Run:
protocol inbound ssh
The VTY user interface is configured to support SSH.

----End
Configuring an SSH User and Specifying the Service Types

To implement STelnet access, configure a Secure Shell (SSH) user, create a local Revist-ShamirAdleman algorithm (RSA) or digital signature algorithm (DSA) key pair, configure a user
authentication mode, and specify a service type for the SSH user.
Context
l
These SSH user authentication modes are available: RSA, DSA, ECC, password, passwordRSA, password-DSA, password-ECC, and all. Password authentication depends on
Authentication, Authorization and Accounting (AAA). Before a user logs in to the device
in password, password-RSA, password-ECC, or password-DSA authentication mode, you
must create a local user with the specified username in the AAA view.
Password-RSA authentication depends on both password authentication and RSA
authentication.
Password-DSA authentication depends on both password authentication and DSA
authentication.
Password-ECC authentication depends on both password authentication and ECC
authentication.
Issue 02 (2013-12-31)

80

Equipment
All authentication depends on either of the following authentications: password

authentication, or DSA authentication or RSA authentication and ECC authentication.
l
The device must be configured to generate local RSA, ECC, or DSA key pairs, which are
a key part of the SSH login process. If an SSH user logs in to an SSH server in password
authentication mode, configure the server to generate a local RSA, ECC,or DSA key pair.
If an SSH user logs in to an SSH server in RSA, ECC, or DSA authentication mode,
configure both the server and the client to generate local RSA, ECC, or DSA key pairs.
RSA key and DSA key are algorithms for user authentication in SSH. Compared with RSA
authentication, DSA authentication adopts the DSA encryption mode and is widely used.
In many cases, SSH only supports DSA to authenticate the server and the client. When the
RSA or DSA authentication mode is used, the priority of the users depends on the priority
of the VTY user interfaces used for login.
Perform the following operations on the ATN that functions as an SSH server:
Procedure
Step 1 Run:
system-view

Step 2 Run:
ssh user user-name
An SSH user is created.

If password authentication is configured for the SSH user, create the same SSH user in the AAA
view
1.
Run the aaa command to enter the AAA view.
2.
Run the local-user user-name password cipher password command to configure a local
username and a password.
Step 3 Create an RSA, DSA, or ECC key pair.

Two methods are available.
Method 1:
l Run the rsa local-key-pair create command to create a local RSA key pair.
NOTE
l Configure the rsa local-key-pair create command to generate a local key pair before completing
other SSH configurations. The minimum length of the server key pair and the host key pair is 512
bits, and the maximum length is 2048 bits.
l After a local key pair is generated, you can run the display rsa local-key-pair public command
to view the public key in the local key pair.
l To clear the local RSA key pair, run the rsa local-key-pair destroy command to destroy all local
RSA key-pairs, including the local key-pair and server key-pair.
Check whether all local RSA key pairs are destroyed after running the rsa local-key-pair
destroy command. The rsa local-key-pair destroy command configuration takes effect only once
and therefore will not be saved in the configuration file.
l Run the dsa local-key-pair create command to generate the RSA local-key-pair.
Issue 02 (2013-12-31)

81

Equipment
NOTE
l You must configure the dsa local-key-pair create command to generate a local key pair before
completing other SSH configurations. The length of the server key pair and the host key pair can
be 512 bits, 1024 bits and 2048 bits. By default, the length of the key pair is 2048 bits.
l After a local key pair is generated, you can run the display dsa local-key-pair public command
l To clear the local DSA key pair, run the dsa local-key-pair destroy command to destroy all local
DSA key-pairs, including the local key-pair and server key-pair.
Check whether all local DSA key pairs are destroyed after running the dsa local-key-pair
destroy command. The dsa local-key-pair destroy command configuration takes effect only once
l Run the ecc local-key-pair create command to generate the ECC local-key-pair.
NOTE
l You must configure the ecc local-key-pair create command to generate a local key pair before
l After a local key pair is generated, you can run the display ecc local-key-pair public command
l To clear the local ECC key pair, run the display ecc local-key-pair public command to destroy
all local ECC key-pairs, including the local key-pair and server key-pair.
Check whether all local ECC key pairs are destroyed after running the ecc local-key-pair
destroy command. The ecc local-key-pair destroy command configuration takes effect only once
Method 2:
1.
Run the rsa key-pair label, dsa key-pair label, or ecc key-pair label command in the
system view to create an RSA, DSA, or ECC key pair.
2.
Run the ssh server assign { rsa-host-key | rsa-server-key | dsa-host-key | ecc-hostkey } key-name command in the system view to assign an RSA host key, RSA server key,
DSA host key, or ECC host key to an SSH server.
After the key pair is generated, run the display rsa key-pair, display dsa key-pair, or display
ecc key-pair command to check information about the RSA, DSA, or ECC key pair.
Step 4 Perform the operations as described in Table 1-16 based on the configured SSH user
Table 1-16 Configuring an authentication mode for the SSH user
Issue 02 (2013-12-31)
Operation
Command
Description
Configure
Password
Authentication
1. Run the ssh user user-name

authentication-type password
command
If local or HuaWei Terminal

Access Controller Access Control
System (HWTACACS)
authentication is used and there
are only a few users, use password
authentication.
2. Run the aaa command to enter

the AAA view.

82

Equipment
Operation
Configure RSA
authentication
Command
Description
3. Run the local-user user-name

password cipher password
command to configure the
username and the password for the
local user.
The username must be the same to

the SSH user.

service-type ssh command to set
the access type of the local user to
SSH.

authentication-type rsa command
to configure RSA authentication.
2. Run the rsa peer-public-key keyname [ encoding-type { der |

openssh | pem } ] command to
configure an encoding format for an
RSA public key and enter the RSA
public key view.
Huawei data communications

devices support only the DER
format for RSA keys before VRP
V500R012C01 version. If you use
an RSA key in non-DER format,
use a third-party tool to convert
the key into a key in DER format.
The default encoding format is

distinguished encoding rules (DER)
for an RSA public key.
By default, the administrators are

all in the domain default_admin.
Because a third-party tool is not

released with Huawei system
software, RSA usability is
unsatisfactory. In addition to
DER, RSA keys need to support
the privacy-enhanced mail (PEM)
and OpenSSH formats to improve
RSA usability after VRP
V500R012C01 version.
Third-party software, such as
SecureCRT, PuTTY, OpenSSH,
and OpenSSL, can be used to
generate RSA keys in different
formats. The details are as
follows:
l The SecureCRT and PuTTY
generate RSA keys in PEM
format.
l The OpenSSH generates RSA
keys in OpenSSH format.
l The OpenSSL generates RSA
keys in DER format.
3. Run the public-key-code begin

command to enter the public key
edit view.
Issue 02 (2013-12-31)

83

Equipment
Operation
Command
Description
4. Enter hex-data to edit the public

key.
l In the public key edit view,

only hexadecimal strings
complying with the public key
format can be typed in. Each
string is randomly generated
on an SSH client. For detailed
operations, see manuals for
SSH client software.
l After entering the public key
edit view, paste the RSA
public key generated on the
client to the server.
5. Run the public-key-code end

command to exit from the public
key edit view.
6. Run the peer-public-key end

command to return to the system
view.
l Running the peer-public-key

end command generates a key
only after a valid hex-data
format is entered.
l If the peer-public-key end
command is used after the key
key-name specified in Step 2 is
deleted in another window, the
system prompts a message,
indicating that the key does
not exist, and the system view
is displayed.

authentication-type dsa command
to configure DSA authentication.
Issue 02 (2013-12-31)

84

Equipment
Operation
Command
Description
2. Run the dsa peer-public-key

key-name encoding-type { der |
openssh | pem } command to
configure an encoding format for a
DSA public key and enter the DSA
public key view.

devices support the DER and
PEM formats for DSA keys
before VRP V500R012C01
version. If you use an RSA key in
non-DER/PEM format, use a
third-party tool to convert the key
into a key in DER or PEM format.
software, DSA usability is
unsatisfactory. In addition to DER
and PEM, DSA keys need to
support the OpenSSH format to
improve DSA usability after VRP

edit view.

key.


key edit view.
Issue 02 (2013-12-31)

85

Equipment
Operation
Command
Description

view.

format is entered.
is displayed.
Configure ECC
authentication

assign dsa-key key-name command
to assign the SSH user a public key.

assign rsa-key key-name command

authentication-type ecc command
to configure ECC authentication.
2. Run the ecc peer-public-key keyname encoding-type { der | pem |

openssh } command to configure an
encoding format for a ECC public
key and enter the ECC public key
view.

edit view.

key.

Issue 02 (2013-12-31)

86

Equipment
Operation
Command
Description

key edit view.

view.

format is entered.
is displayed.

assign ecc-key key-name command
Step 5 (Optional) Use command lines to authorize SSH users.

Run:
ssh user user-name authorization-cmd aaa
The command line authorization is configured for the specified SSH user.
After configuring the authorization through command lines for the SSH user to perform RSA
authentication, you have to configure the AAA authorization. Otherwise, the command line
authorization for the SSH user does not take effect.
Step 6 Run:
ssh user username service-type { stelnet | all }
The service type of the SSH user is configured.

By default, the service type of the SSH user is not configured.
----End
Enabling the STelnet Server Function

Enable the STelnet server function on the device, and then the user terminal can use STelnet to
remotely log in to the device.
Context
By default, the device is enabled with the STelnet server function.
Do as follows on the device that serves as an SSH server:
Issue 02 (2013-12-31)

87

Equipment
Procedure
Step 1 Run:
system-view

Step 2 Run:
stelnet server enable
The STelnet server function is enabled.

By default, the STelnet server function is disabled.
----End
Using STelnet to Log In to the Device

Users can remotely log in to the device using the Secure Shell (SSH) protocol from remote user
terminals to remotely maintain the device.
Context
Third-party software can be used on a terminal for STelnet login. This section describes the use
of third-party software OpenSSH and the Windows CLI.
After installing OpenSSH on the user terminal, perform the following on the user terminal:
NOTE
For details about how to install OpenSSH, refer to the software installation guide.
For details about how to use OpenSSH commands to log in to the system, see the software help document.
Procedure
Step 2 Run required OpenSSH commands to log in to the ATN in STelnet mode, as shown in Figure
5-12.
Issue 02 (2013-12-31)

88

Equipment
Figure 1-11 Logging in to the device in STelnet mode
----End
(Optional) Configuring the STelnet Server Parameters

You can configure a device to be compatible with earlier versions of the SSH protocol, configure
or change the listening port number of an SSH server, set an interval at which the key pair of
the SSH server is updated, and specify the source interface.
Procedure
Step 1 Run:
system-view

Step 2 Perform any of the operations shown in Table 1-17 as needed.
Issue 02 (2013-12-31)

89

Equipment
Table 1-17 Server parameters
Issue 02 (2013-12-31)
Server
parameters
Command
Description
Configure the
interval at
which the key
pair of the
SSH server is
updated
Run the ssh server rekey-interval

interval command.
You can set an interval at which the

key pair of an SSH server is updated.
When the timer expires, the key pair
is automatically updated, improving
security.
Configure the
timeout
period of SSH
authentication
Run the ssh server timeout

seconds command.
Configure the
number of
times that
SSH
authentication
is retried
Run the ssh server authenticationretries times command.
Configure
earlier SSH
version
compatibility
Run the ssh server compatiblessh1x enable command.
By default, the interval is 0,

indicating that the key is never
updated.
By default, the timeout period is 60

seconds.
By default, SSH authentication

retries a maximum of 3 times.
By default, an SSH server running

SSH2.0 is compatible with SSH1.X.
To prevent clients running SSH1.3 to
SSH1.99 from logging in, run the
undo ssh server compatible-ssh1x
enable command to disable support
for earlier SSH protocol versions.
If a user fails to log in when the

timeout period of SSH
authentication expires, the system
disconnects the current connection
to ensure the system security.
The number of times that SSH
authentication is retried is set to deny
access of invalid users.
There are two SSH versions:

SSH1.X (earlier than SSH2.0) and
SSH2.0. SSH2.0 has an extended
structure and supports more
authentication modes and key
exchange methods than SSH1.X,
SSH 2.0 can eliminate the security
risks that SSH 1.X has. SSH 2.0 is
more secure and therefore is
recommended. SSH2.0 also
supports more advanced services
such as SFTP. The ATN supports
SSH versions ranging from 1.3 to
2.0.

90

Equipment
Server
parameters
Command
Description
Configure the
listening port
number of the
SSH server
Run the ssh server port portnumber command.
The default listening port number of

an SSH server is 22. Users can log in
to the device by using the default
listening port number. Attackers
may access the default listening port,
which consumes bandwidth,
deteriorates server performance, and
causes authorized users to be unable
to access the server. After the
listening port number of the SSH
server is changed, attackers do not
know the new port number. This
effectively prevents attackers from
accessing the listening port and
improves security.
By default, the listening port number

is 22.
If a new listening port is set, the SSH
server cuts off all established STelnet
and SFTP connections, and uses the
new port number to listen to
connection requests.
Source
interface
Run the ssh server-source -i

loopback interface-number
command.
Before the source interface of an
SSH server is specified, ensure that
the loopback interface to be specified
as the source interface has been
created. If the loopback interface is
not created, the ssh server-source
command cannot be correctly
executed.
Configuring
an ACL on the
SSH server
Run the ssh server acl acl-number or

ssh ipv6 server acl acl-number
command.
By default, an SSH server receives

connection requests from all
interfaces, and therefore, the system
is vulnerable to attacks. To enhance
system security, you can specify the
source interface of the SSH server.
This sets a login condition after
which only authorized users can log
in to the SSH server.
After the source interface is
specified, the system only allows
SFTP or STelnet users to log in to the
SSH server through this source
interface. Any SFTP or STelnet
users that log in through other
interfaces are denied. Note that
setting this parameter only affects
SFTP or STelnet users that attempt
to log in to the SSH server, but it does
not affect SFTP or STelnet users that
have already logged in to the server.
This command specifies the clients
that can access the SSH server
running IPv4/IPv6. This
configuration prevents unauthorized
users from accessing the SSH server,
ensuring data security.
----End
Issue 02 (2013-12-31)

91

Equipment

After configuring users to log in using STelnet, you can view the SSH server configuration.
Prerequisites
STelnet login configurations are complete.
Procedure
l
Run the display ssh user-information username command on the SSH server to check
information about SSH users.
Run the display ssh server status command on the SSH server to check its configurations.
Run the display ssh server session command on the SSH server to check sessions for SSH
users.
----End
Example
Run the display ssh user-information username command to view information about a
specified SSH user.
<HUAWEI> display ssh user-information client001
User Name
: client001
Authentication-type
: password
User-public-key-name
: Sftp-directory
: Service-type
: stelnet
If no SSH user is specified, information about all SSH users logged in to an SSH server will be
displayed.
Run the display ssh server status command to view SSH server configurations.
<HUAWEI> display ssh server status
SSH version
SSH connection timeout
SSH server key generating interval
SSH authentication retries
SFTP server
Stelnet server
SSH server source
ACL4 number
ACL6 number
:1.99
:60 seconds
:0 hours
:3 times
:Disable
:Enable
:0.0.0.0
:0
:0
Run the display ssh server session command. The command output shows information about
a session between the SSH server and client.
<HUAWEI> display ssh server session
Session 1:
Conn
: VTY 3
Version
: 2.0
State
: started
Username
: client001
Retry
: 1
CTOS Cipher
: aes128-cbc
STOC Cipher
: aes128-cbc
CTOS Hmac
: hmac-sha1-96
STOC Hmac
: hmac-sha1-96
Issue 02 (2013-12-31)

92

Equipment
Kex
Service Type
Authentication Type
: diffie-hellman-group-exchange-sha1
: stelnet
: password
1.5.5 Common Operations After Login

After logging in to the ATN, you can perform user priority switching, terminal window locking,
and other operations as needed.
Before You Start

Before performing any operations after login, familiarize yourself with the applicable
Configure user level switching and enable messaging between user interfaces to ensure that
operators can manage ATNs safely.
Before performing operations after login, connect the terminal to the ATN
Data Preparations
Before performing operations after login, you need the following data:
No.
Data
Password used for switching user levels
Type and number of the user interface
Contents of the message to be sent
Locking User Interfaces

If you must be away from your work area, you can lock the user interface on a terminal to prevent
unauthorized access.
Context
The user interface can be a console user interface or VTY user interface.
Procedure
Step 1 Run:
lock
The user interface is locked.

Issue 02 (2013-12-31)

93

Equipment
Step 2 Follow the system prompts and input a password to unlock the user interface.
<HUAWEI> lock
Enter Password:
Confirm Password:
If the locking is successful, the system prompts that the user interface is locked.
You must enter the previously set password to unlock the user interface.
NOTE
The passwords must meet the following requirements:

l The password is a string of 8 to 16 case-sensitive characters.
l The password must contain at least two of the following characters: upper-case characters, lower-case
characters, numbers, and special characters (excluding question marks and spaces).
----End
Sending Messages to Other User Interfaces

Users logged in to different interfaces can send messages to each other.
Context
Users logged in to the ATN can send messages from their user interface to users on other user
interfaces.
Procedure
Step 1 Run:
send { all | ui-type ui-number | ui-number1 }
You can enable messages to be sent between user interfaces.

Step 2 Follow the prompt to view the message to be sent. You can press Ctrl_Z or Enter to end the
display or Ctrl_C to abort the display.
----End
Displaying Login Users

You can query information about login users.
Context
You can query the user name, address, and authentication and authorization information.
Procedure
l
Run the display users [ all ] command to view information about logged-in users.
If all is configured, information about all users logged in to user interfaces is displayed.
----End
Issue 02 (2013-12-31)

94

Equipment
Clearing Logged-in Users

If you want to force a logged-in user to log out of the ATN, you can tear down the connection
between the ATN and the user.
Context
You can run the display users command to view users logged in to the ATN.
Procedure
Step 1 Run:
kill user-interface { ui-number | ui-type ui-number1 }
Online users are cleared.

Step 2 Based on the displayed information, you can confirm whether specified logged-in users have
been cleared.
----End
Configuring Configuration Locking

When multiple users log in to the ATN to configure the device, configuration conflict may occur.
To prevent these conflicts from affecting services, you can enable the configuration locking
function. This allows only one user to configure the device at a time.
Context
Before configuring configuration locking, check whether the configuration set is locked by
another user. If no user has locked the configuration set, you can exclusively lock the
configuration.
Procedure
Step 1 Run:
configuration exclusive
You have obtained exclusive configuration access.

After enabling the configuration locking function, you have the exclusive authority to perform
configurations on the ATN.
NOTE
You can run this command in any view.

You can run the display configuration-occupied user command to see which user has locked the
configuration.
If the configuration set is already locked, you can not relock it.
Step 2 Run:
system-view

Issue 02 (2013-12-31)

95

Equipment
Step 3 Run:
configuration-occupied timeout timeout-value
The timeout period for automatically unlocking the configuration is set.

After the timeout period expires, the configuration is automatically unlocked, and other users
can configure the device.
By default, the timeout period is 30s.
NOTE
l If a user without exclusive configuration access, this command cannot be confiured.

l If the configuration set is locked by another user, this command cannot be configured.
l If the configuration set is locked by the current user, the current user can run this command.
----End

This section provides several examples describing how to configure users to log in through a
console port, Telnet, or STelnet. The configuration examples provide information and diagrams
for networking requirements, configuration notes, and configuration roadmaps.
Example for Using a Console Port to Configure User Login

This example describes how to use a console port to configure user login. Login settings that
enable access to the ATN using a console port are configured on a PC.
If default values for console user interface parameters are modified, you must reset the
corresponding parameters on the PC before you can log in to the ATN again.
Figure 1-12 Networking diagram for using a console port to log in
PC
ATN
1.
Connect a PC to the ATN through a console port.
2.
Set login parameters on the PC.
3.
Log in to the ATN.

NOTE
In this example, a terminal emulator is used.
Issue 02 (2013-12-31)

96

Equipment
Data Preparation
Communication parameters for the PC (baud rate: 38400 bps, data bit: 8, stop bit: 1, parity: none,
flow control mode: none)
Procedure
Step 1 Use a cable to connect the serial port of the PC to the console port of the ATN.
Step 2 Run the terminal emulator on the PC. As shown in Figure 1-13, set communication parameters
for the PC to Figure 1-15. Set the transmission rate to 38400 bit/s, data bit to 8, parity bit to
none, stop bit to 1, and flow control mode to none.
Figure 1-13 Connection creation
Issue 02 (2013-12-31)

97

Equipment
Figure 1-14 Interface setting
Issue 02 (2013-12-31)

98

Equipment
Figure 1-15 Communication parameter settings
Step 3 Power on the ATN. The system starts an automatic configuration and self-check. After the selfcheck is complete, at the prompt "Password:," enter the correct authentication password and
press Enter. If a message (such as <HUAWEI>) is displayed, the login to the system is complete.
Then, you can enter a command to view the operating status of the ATN or configure the
ATN.
----End
Example for Configuring User Login Through Telnet

This example describes how to set parameters for using Telnet to log in to the ATN. In this
configuration example, a user logs in to the ATN after setting the VTY user interface and user
login parameters.
Issue 02 (2013-12-31)

99

Equipment
You can use a PC or other terminal to log in to a ATN on another network segment to perform
remote maintenance.
Figure 1-16 Networking diagram for login using Telnet
GE0/2/0
10.137.217.221/16
NetWork
PC
ATN
After a Telnet user logs in to the ATN in AAA authentication mode, the Telnet user is prohibited
from using this ATN to log in to another ATN.
1.
Establish a physical connection.
2.
Assign IP addresses to interfaces on the ATN.
3.
Set parameters of the VTY user interface, including limit on call-in and call-out.
4.
Set user login parameters.
5.
Log in to the ATN.
Data Preparation
l
IP address of the PC
IP address of the Ethernet interface on the ATN: 10.137.147.91/16
Maximum number of VTY user interfaces: 10
Number of the ACL that is used to prohibit users from logging into another ATN: 3001
Timeout period for disconnecting from the VTY user interface: 20 minutes
Telnet user information (authentication mode: AAA, username: huawei, password:

Hello@123)
Procedure
Step 1 Connect the PC and the ATN to the network.
Step 2 Configure a login address.
[HUAWEI] interface gigabitethernet 0/2/0
[HUAWEI-GigabitEthernet0/2/0] undo shutdown
[HUAWEI-GigabitEthernet0/2/0] ip address 10.137.217.221 255.255.0.0
Issue 02 (2013-12-31)

100

Equipment
[HUAWEI-GigabitEthernet0/2/0] quit
Step 3 Configure the VTY user interface on the ATN.

# Set the maximum number of VTY user interfaces.
# Configure an ACL that is used to prohibit users from logging into another ATN.
[HUAWEI]acl 3001
[HUAWEI-acl-adv-3001]rule deny tcp source any destination-port eq telnet
[HUAWEI-acl-adv-3001]quit
[HUAWEI] user-interface vty 0 9
[HUAWEI-ui-vty0-9] acl 3001 outbound
# Set terminal attributes of the VTY user interface.

[HUAWEI-ui-vty0-9]
[HUAWEI-ui-vty0-9]
[HUAWEI-ui-vty0-9]
[HUAWEI-ui-vty0-9]
shell
idle-timeout 20
screen-length 30
# Set the user authentication mode of the VTY user interface.

[HUAWEI-ui-vty0-9] authentication-mode aaa
[HUAWEI-ui-vty0-9] quit
Step 4 Set user login parameters on the ATN.

# Specify the user authentication mode.
[HUAWEI] aaa
[HUAWEI-aaa]
[HUAWEI-aaa]
[HUAWEI-aaa]
[HUAWEI-aaa]
local-user huawei password cipher Hello@123

local-user huawei service-type telnet
local-user huawei level 3
quit
Step 5 # Configure user login.

Use the command line to telnet the ATN. The Telnet login window is shown in Figure 5-19.
Figure 1-17 Telnet login window on the PC
Press Enter, and then input the username and password in the login window. If user
authentication succeeds, a command line prompt is displayed in the system view, which indicates
that you have entered the user view.
Issue 02 (2013-12-31)

101

Equipment
Figure 1-18 Window after login of the ATN
Press Enter and then input the username and password in the login window. If user
authentication succeeds, a command line prompt such as <HUAWEI> is displayed.
----End
Configuration Files
ATN configuration file
#
sysname HUAWEI
#
acl number 3001
rule 5 deny tcp destination-port eq telnet
#
aaa
local-user huawei password cipher %@%@!woZ2kKbSPy)TD0i$iVHq:[{/,ayXgHnsJcf2tT!!N,
6:[!q%@%@
local-user huawei service-type telnet
local-user huawei state block fail-times 3 interval 5
#
interface GigabitEthernet0/2/0
undo shutdown
ip address 10.137.147.91 255.255.0.0
#
acl 3001 outbound
idle-timeout 20 0
screen-length 30
#
return
Issue 02 (2013-12-31)

102

Equipment
Example for Using STelnet to Configure User Login

This example describes how to configure user login through STelnet. After generating the local
key pair, configuring the SSH user name and password, and enabling the STelnet service on the
SSH server, you can connect the Stelnet client to the SSH server.
As shown in Figure 1-19, after the STelnet service is enabled on the SSH server, an STelnet
client can use any authentication mode (password, Revest-Shamir-Adleman Algorithm (RSA),
password-RSA, Digital Signature Algorithm (DSA), password-DSA, Elliptic Curves
Cryptography (ECC), password-ECC or all) to log in to the SSH server.
This example uses the password authentication mode.
Figure 1-19 Networking diagram for configuring user login through STelnet
Network
GE0/2/0
10.164.39.210/16
SSH Server
PC
1.
Configure a local key pair on the SSH server to enable secure data exchange between the
STelnet client and the SSH server.
2.
Configure a VTY user interface on the SSH server.
3.
Configure an SSH client, which involves setting a user authentication mode, a username,
and a password.
4.
Enable the STelnet server function on the SSH server and configure a user service type.
Data Preparation
l
SSH user authentication mode: password, username: client001, password: !

QAZ@WSX3edc
User level of client001: 3
IP address of the SSH server: 10.164.39.210
Procedure
Step 1 Generate a local key pair on the server.
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
Issue 02 (2013-12-31)

103

Equipment
The key name will be: HUAWEI_Host

The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 2048]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
Step 2 Configure a VTY user interface.

[SSH
[SSH
[SSH
[SSH
Server] user-interface vty 0 4

Server-ui-vty0-4] authentication-mode aaa
Server-ui-vty0-4] protocol inbound ssh
Server-ui-vty0-4] quit
NOTE
If SSH is configured as the login protocol, the ATN automatically disables Telnet.
Step 3 Configure the password of SSH user Client001 as !QAZ@WSX3edc.

[SSH
[SSH
[SSH
[SSH
[SSH
Server] aaa
Server-aaa]
Server-aaa]
Server-aaa]
Server-aaa]
local-user client001 password cipher !QAZ@WSX3edc

local-user client001 level 3
local-user client001 service-type ssh
quit
Step 4 Enable the STelnet service on the SSH server.

[SSH
[SSH
[SSH
[SSH
Server]
Server]
Server]
Server]
ssh user client001 service-type stelnet

ssh user client001 authentication-type password
quit
Step 5 Verify the configuration.

# Use PuTTY software to log in to the device. Specify the IP address of the device as
10.164.39.210 and the login protocol as SSH, as shown in Figure 5-22.
Issue 02 (2013-12-31)

104

Equipment
Figure 1-20 PuTTY configuration
# Use PuTTY software to log in to the device, and enter the username client001 and the
password !QAZ@WSX3edc, as shown in figure 5-23.
Figure 1-21 Logging in to the device using PuTTY software
----End
Configuration Files
l
SSH server configuration file

#
Issue 02 (2013-12-31)

105

Equipment
sysname SSH Server

#
aaa
local-user client001 password cipher %@%@!woZ2kKbSPy)TD0i$iVHq:
[{/,ayXgHnsJcf2tT!!N,
6:[!q%@%@
local-user client001 state block fail-times 3 interval 5
#
undo shutdown
ip address 10.164.39.210 255.255.255.0
#
ssh user client001
#
#
return
1.6 Managing the File System

The file system manages the files and directories on the storage devices of the ATN. It can move
or delete a file or directory, or display the contents of a file.
1.6.1 File System Overview

The ATN uses the file system to manage all files.
File System
The file system manages files and directories on the storage devices. It can create, delete, modify,
or rename a file or directory, or display the contents of a file.
The file system has two functions: managing storage devices and managing the files that are
stored on those devices.
Managing Files Using the File System

After logging in to the ATN by using the console port, Telnet, or STelnet, you can manage
storage devices, directories, and files.
l
Storage devices
Storage devices are hardware devices for storing data.
At present, the ATN supports the storage devices such as compact flash (CF) card and flash
card.
Files
A file is resources for storing and managing data.
l
Issue 02 (2013-12-31)
Directories
106

Equipment
A directory is a logical container that the system uses to organize files.
File Management Methods

You can use FTP, SFTP to manage files.
Using FTP to Manage Files

FTP is a standard application protocol based on the TCP/IP protocol suite. FTP is used to transfer
files between local clients and remote servers. FTP uses two TCP connections to copy a file
from one system to another. The TCP connections are usually established in client-server mode:
one for control (the server port number is 21) and the other for data transmission (the server port
number is 20).
l
Control connection: issues commands from the client to the server and transmits replies
from the server to the client, which minimizes the transmission delay.
Data connection: transmits data between the client and server, which maximizes the
throughput.
FTP has two file transfer modes:

l
Binary mode: Used to transfer program files, such as .app, .bin, and .btm files.
ASCII mode: Used to transfer text files, such as .txt, .bat, and .cfg files.
The device provides the following FTP functions:

l
FTP client: Users can use the terminal emulator or Telnet program to connect PCs to the
device, and run the ftp command to establish a connection between the device and a remote
FTP server to access and operate files on the server.
FTP server: Users can use the FTP client program to log in to the device and operate files
on the device.
Before users log in, the network administrator must configure an IP address for the FTP
server.
NOTE
The FTP is an insecure protocol. When it is used, security risks exist. Therefore, exercise caution when
using it.
Using SFTP to Manage Files

SFTP uses SSH to ensure secure file transfer. On one hand, SFTP allows remote users to securely
log in to the device to manage and transfer files. On the other hand, users can use the device that
functions as a client to log in to a remote server and transfer files securely.
If the SFTP server or the connection between the server and the client fails, the client needs to
detect the fault in time and remove the connection. To help the client accomplish this, configure
an interval at which Keepalive packets are sent if no packets are received and the maximum
number of times the server does not respond to the client before being released:
l
If the client does not receive any packets within the specified period, the client sends a
Keepalive packet to the server.
If the maximum number of times the server does not respond exceeds the specified value,
the client proactively releases the connection.
Issue 02 (2013-12-31)

107

Equipment
1.6.2 Using the File System to Manage Files

You can use the file system to manage storage devices, directories, and files.
Before You Start

Before using the file system to manage files, familiarize yourself with the applicable
configuration. This will help you complete the configuration tasks quickly and correctly.
Use the file system to manage files or directories on the ATN. If the ATN is unable to save or
obtain data, log in to the file system and repair the faulty storage devices.
Before logging in to the file system to manage files, connect the client to the server.
Data Preparation
To manage files by logging in to the file system, you need the following data:
No.
Data
Storage device name
Directory name
File name
Managing Storage Devices

If a storage device file system on the ATN is not functioning correctly, you must repair and
format the file system before managing the storage device.
Context
If the file system on a storage device fails, the terminal of the ATN prompts you to rectify the
fault.
You can format a storage device if you are unable to repair the file system or do not need any
data saved on the storage device.
NOTICE
Formatting storage devices can lead to data loss. Exercise caution when performing this
operation.
Issue 02 (2013-12-31)

108

Equipment
Procedure
l
Run:
fixdisk device-name
The storage device with file system problems is repaired.

NOTE
If, after running this command, the prompt still says the system should be repaired, there may be
damage to the physical storage medium.
Run:
format device-name
The storage device is formatted.

NOTE
If the storage device does not work after you run this command, there may be a hardware fault.
----End
Managing Directories
You can manage directories to store files in a logical hierarchy.
Context
You can manage directories by changing or displaying directories, displaying files in directories
or sub-directories, and creating or deleting directories.
Procedure
l
Run:
cd directory
A directory is specified.
l
Run:
pwd
The current directory is displayed.

l
Run:
dir [ /all ] [ filename ]
A list of files and sub-directories in the directory is displayed.

Either the absolute path or relative path applies.
l
Run:
mkdir make-remote-directory
The directory is created.

l
Run:
rmdir delete-remote-directory
The directory is deleted.

----End
Issue 02 (2013-12-31)

109

Equipment
Managing Files
You can log in to the file system to view, delete, or rename files on the ATN.
Context
l
Managing files includes: displaying contents, copying, moving, renaming, compressing,

deleting, undeleting, deleting files in the recycle bin, running files in batches and
configuring prompt modes.
You can run the cd directory command to enter another directory from the current directory.
Run:
Procedure
more file-name [ offset ] [ all ]
The content of a file is displayed.

Specify parameters in the more command for file viewing options:
Run the more file-name command to view the file named file-name. Text file contents
are displayed one screen at a time. Press the spacebar on the current terminal to display
all contents of the current file.
Two preconditions must be set to display the contents of a text one file screen at a time:
The value configured by screen-length screen-length temporary command must
be greater than 0.
The total number of lines in the file must be greater than the value configured by the
screen-length command.
Run the more file-name offset command to view the file named file-name. Text file
contents are displayed one screen at a time, beginning with the line specified by
offset. Press and hold the spacebar on the current terminal to display all contents of the
current file.
Two preconditions must be met to display the contents of a text file screen one screen
at a time:
The value configured by the screen-length screen-length command must be greater
than 0.
The difference between the number of file characters subtracted and the value of
offset must be greater than the value configured by the screen-length command.
Run the more file-name all command to view the file named file-name. All text file
contents are displayed without pausing after each screen.
l
Run:
copy source-filename destination-filename
The file is copied.

l
Run:
move source-filename destination-filename
The file is moved.

l
Run:
rename source-filename destination-filename
Issue 02 (2013-12-31)

110

Equipment
The file is renamed.

l
Run:
zip source-filename destination-filename
The file is compressed.

l
Run:
delete [ /unreserved ] [ /quiet ] { filename | device-name }
The file is deleted.
NOTICE
If you use the parameter [ /unreserved ] in the delete command, the file cannot be restored
after being deleted.
l
Run:
undelete filename
The deleted file is recovered.

NOTE
If the current directory is not the parent directory, you must use the absolute path to the file to perform
operations.
Run:
reset recycle-bin [ filename ]
The file is deleted.

You can use this command to permanently delete files in the recycle bin.
l
Run the following files in batches.

You can process uploaded files in batches. The edited batch files need to be saved to a
storage device on the ATN.
You can create and run a batch file to implement routine tasks as follows:
1.
Run:
system-view

2.
Run:
execute filename
The batched file is executed.

l
Configure prompt modes.

The system displays prompts or warning messages when you operate the device (especially
if these operations lead to data loss). If you need to change the prompt mode for file
operations, you can configure the file system prompt mode.
1.
Run:
system-view
Issue 02 (2013-12-31)

111

Equipment

2.
Run:
file prompt { alert | quiet }
The file system prompt mode is configured.

The default prompt mode is alert.
NOTICE
If the prompt mode is set to quiet, no prompt appears when data is lost due to
inappropriate operating procedures.
----End
1.6.3 Using FTP to Manage Files

FTP can transmit files between local and remote hosts. FTP is widely used for upgrading
versions, downloading logs, transmitting files, and saving time spent on configurations.
Context
The FTP protocol poses a security risk, and therefore the SFTP protocol is recommended.
Before You Start

Before using FTP to manage files, familiarize yourself with the applicable environment,
When an FTP client logs in to a ATN that serves as an FTP server, the user can transfer files
between the client and the server.
Before using FTP to manage files, connect the FTP client to the server.
Data Preparation
To use FTP to manage files, you need the following data:
Issue 02 (2013-12-31)
No.
Data
FTP username and password, and authorized FTP file directory name
(Optional) Listening port number specified on the FTP server

112

Equipment
No.
Data
(Optional) Source IP address or source interface of the FTP server

(Optional) Timeout period for disconnecting from the FTP server
IP address or host name of the FTP server
Configuring a Local FTP User

You can configure a user authorization mode and an authorized directory for FTP users to access.
Unauthorized users cannot access the specified directory, which reduces security risks.
Context
To use FTP to manage files, you must configure a local username and a password on the ATN
and specify a service type and the directories that can be accessed.
Perform the following operations on the ATN that functions as the FTP server:
Procedure
Step 1 Run:
system-view

Step 2 Run:
set default ftp-directory directory
The default FTP working directory is configured.

NOTE
The configuration in this step takes effect only for TACACS users.
Step 3 Run:
aaa

Step 4 Run:
The local user name and password are configured.

Step 5 Run:
local-user user-name service-type ftp
The FTP service type is configured.

Step 6 Run:
local-user user-name level level
The local user level is set.

Issue 02 (2013-12-31)

113

Equipment
NOTE
The local user level must be set to level 3 or higher.
Step 7 Run:
local-user user-name ftp-directory directory
The authorized directory for the FTP user is configured.

----End
(Optional) Specifying a Port Number for the FTP Server

You can configure or change the listening port number for an FTP server. After the port number
is changed, only the user knows the current port number, which protects system security.
Context
The default listening port number for an FTP server is 21. Users can log in to the ATN directly
by using the default listening port number. Attackers can also access the default listening port
to launch attacks that reduce available bandwidth and affect server performance, which prevents
valid users from accessing the server. Changing the FTP server listening port number effectively
prevents attackers from accessing the server through the listening port.
NOTE
If FTP is not enabled, change the FTP port.

If FTP is enabled, run the undo ftp server command to disable FTP, and then change the FTP port.
Perform the following on the ATN that serves as the FTP server:
Procedure
Step 1 Run:
system-view

Step 2 Run:
ftp
[ ipv6 ]server port port-number
The port number of the FTP server is configured.

Once a new listening port number is configured, the FTP server interrupts all existing FTP
connections and starts using the new listening port.
----End
Enabling the FTP Server

You must enable an FTP server on the ATN before using FTP to manage files.
Context
The FTP server is disabled on the ATN by default. You must enable the FTP server before using
it.
Issue 02 (2013-12-31)

114

Equipment
Procedure
Step 1 Run:
system-view

Step 2 Run:
ftp
[ ipv6 ]server enable
The FTP server is enabled.

NOTE
When file operations between clients and the ATN are complete, run the undo ftp [ ipv6 ] server command
to disable the FTP server function. This protects ATN security.
----End
(Optional) Configuring the FTP Server Parameters

FTP server parameters include the FTP server source address and the timeout period for FTP
connections.
Context
l
You can configure a source IP address for the FTP server. The FTP client can only access
this address, which protects system security.
You can configure the timeout period for FTP connections on the FTP server. When the
timeout period for an FTP connection expires, the system terminates the connection to
release resources.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ftp server-source { -a ip-address | -i
interface-type interface-number }
The source IP address and source interface of an FTP server are configured.
To log in to the FTP server, you must specify the source IP address for the server in the ftp
command, or you cannot log in to the FTP server.
Step 3 Run:
ftp
timeout minutes
The timeout period for the FTP server is configured.

If the client is idle for the configured time, the connection to the FTP server is terminated.
Issue 02 (2013-12-31)

115

Equipment
By default, the timeout value is 30 minutes.

----End
(Optional) Configuring an FTP ACL

After an FTP ACL is configured, only specified clients can access the ATN.
Context
When the ATNfunctions as an FTP server, you can configure an ACL to allow the clients that
meet matching rules to access the FTP server.
Perform the following steps on the ATN that serves as the FTP server:
Procedure
Step 1 Run:
system-view

Step 2 Compared to a basic ACL that filters packets based on source addresses, an advanced ACL
supports richer filtering rules: not only based on packet source addresses but also based on packet
destination address or priorities. Run either of the following commands:
l For a basic ACL:
To enter the ACL view, run the acl { [ number ] acl-number1 | name acl-name [ basic ]
To enter the ACL view, run the acl { [ number ] acl-number1 | name acl-name
[ advance ] [ number acl-number2 ] } [ match-order { auto | config } ] command.
The user interface supports the basic ACL ranging from 2000 to 2999 and the advanced ACL
ranging from 3000 to 3999.
l For a basic ACL:
To configure a basic ACL rule, run the rule [ rule-id ] { deny | permit } [ fragment-type
fragment-type-name | source { source-ip-address source-wildcard | any } | time-range timename | vpn-instance vpn-instance-name ] * command.
To configure a basic ACL6 rule, run the rule [ rule-id ] { deny | permit } [ fragmenttype fragment-type-name | source { source-ip-address source-wildcard | any } | timerange time-name | vpn-instance vpn-instance-name ] * command.
To configure an advanced ACL rule, run the rule [ rule-id ] { deny | permit } protocol
[ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ip-address
Issue 02 (2013-12-31)

116

Equipment
destination-wildcard | any } | fragment-type fragment-type-name | source { source-ipaddress source-wildcard | any } | time-range time-name | vpn-instance vpn-instancename ] * command.
To configure an advanced ACL6 rule, run the rule [ rule-id ] { deny | permit } protocol
[ [ traffic-class traffic-class | dscp dscp | [ precedence precedence | tos tos ] * ] |
destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefixlength | any } | fragment | source { source-ipv6-address 3prefix-length | source-ipv6address/prefix-length | any } | time-range time-name | vpn-instance vpn-instance-name ]
* command.
NOTE
l If the ACL referenced by FTP does not contain any rules or does not exist, any user can log in to the
device.
Step 4 Run:
quit

Step 5 Run:
ftp
[ ipv6 ] acl acl-number
The FTP ACL is configured.

----End
Using FTP to Access the System

After the FTP server is configured, you can use FTP to access the ATN from a PC and manage
the files on the ATN.
Context
You can use either the Windows command line prompt or third-party software to log in to the
ATN. The example here uses the Windows command line prompt.
Do as follows on the PC:
Procedure
Step 2 Run the ftp ip-address command to log in to the ATN using FTP.
Issue 02 (2013-12-31)

117

Equipment
Enter a username and password at the prompt, and press Enter. When the Windows command
line prompt, such as ftp>, is displayed in the FTP client view, you have entered the working
directory of the FTP server.
Figure 1-22 Using FTP to log in to the device
----End
Using FTP Commands to Manage Files

After using FTP to log in to the ATN that functions as an FTP server, you can upload and
download files to and from the ATN or manage the directories on the ATN.
Context
After you log in to the FTP server, you can perform the following operations:
l
Configuring the data type for the file
Uploading or downloading files
Creating or deleting directories on the FTP server
Displaying information about a specific remote directory or a file of the FTP server, or
deleting a specific file from the FTP server
After logging in to the FTP server and entering the FTP client view, you can perform the
following operations:
Procedure
l
Configure the data type and transmission mode for a file

Run:
ascii or binary
The data type of the file to be transmitted is ascii or binary.

Issue 02 (2013-12-31)

118

Equipment
NOTE
FTP supports ASCII and the binary files. The difference the two is:
l In ASCII transmission mode, ASCII characters are used to separate carriage returned from
line feeds.
l In binary transmission mode, characters can be transferred without format conversion or
formatting.
An FTP transmission mode can be set for each client. The system uses ASCII transmission mode
by default, but a mode switch command can switch a client between ASCII and binary modes.
The ASCII mode is used to transmit .txt files and the binary mode is used to transmit binary files.
Upload or download files

Upload or download a file.
Run:
put local-filename [ remote-filename ]
The local file is uploaded to the remote FTP server.

Run:
get remote-filename [ local-filename ]
The FTP file is downloaded from the FTP server and saved to the local file.
l
Run one or more of the following commands to manage directories

Run:
cd pathname
The working path of the remote FTP server is specified.

Run:
pwd
The specified directory of the FTP server is displayed.

Run:
lcd [ local-directory ]
The directory of the FTP client is displayed or changed.

Run:
A directory is created on the FTP server.

Run:
A directory is removed from the FTP server.

l
Run one or more of the following commands to manage files

Run:
ls [ remote-filename ] [ local-filename ]
The specified directory or file on the remote FTP server is displayed.

If the directory name is not specified when a specific remote file is selected, the system
searches the working directory for the specific file.
Run:
dir [ remote-filename ] [ local-filename ]
The specified directory or file on the local FTP server is displayed.

Issue 02 (2013-12-31)

119

Equipment
Run:
delete remote-filename
The specified file on the FTP server is deleted.

When local-filename is set, related information about the file can be downloaded locally.
NOTE
If you need more information about FTP operations, run the help [ command ] command in the
Windows CLI.
----End

After the configuration is complete, you can view the configuration and status of the FTP server
as well as login information about FTP users.
Prerequisites
All configurations for using FTP to manage files are complete.
Procedure
l
Run the display ftp-users command to check how many users are currently logged in to
the FTP server.
----End
Example
Run the display [ ipv6 ] ftp-server to view the status of the FTP server.
<HUAWEI> display ftp-server
FTP server is running
Max user number
User count
Timeout value(in minute)
Listening Port
Acl number
FTP server's source address
5
1
30
1080
0
1.1.1.1
Run the display ftp-users command to view the username, port number, and authorization
directory of the FTP user.
<HUAWEI> display ftp-users
username host
zll
100.2.150.226
port
1383
idle
3
topdir
cfcard:
1.6.4 Using SFTP to Manage Files

SFTP enables you to securely log in to the ATN from a remote device to manage files, which
makes data transmission to the remote end more secure.
Issue 02 (2013-12-31)

120

Equipment
Before You Start

Before using SFTP to manage files, familiarize yourself with the applicable environment,
SSH authenticates clients and encrypts data in both directions to guarantee secure data
transmission on conventional networks. SSH supports SFTP.
SFTP is a secure FTP service that enables users to log in to the FTP server to transmit data.
Before using SFTP to manage files, configure reachable routes between the terminal and the
device.
Data Preparation
Before using SFTP to manage files, you need the following data.
No.
Data
Maximum number of Virtual Type Terminal (VTY) user interfaces, (optional) ACL
for restricting incoming and outgoing calls on VTY user interfaces, connection
timeout period of terminal users, number of rows displayed in a terminal screen, size
of the history command buffer, user authentication mode, username, and password
Username, password, authentication mode, and service type of an SSH user, remote
public Revest-Shamir-Adleman Algorithm (RSA) or Digital Signature Algorithm
(DSA) or Elliptic Curves Cryptography (ECC) key pair allocated to the SSH user,
and SFTP working directory of the SSH user
(Optional) Number of the port monitored by the SSH server

(Optional) The interval for updating the key pair on the SSH server
Name of the SSH server, number of the port monitored by the SSH server, preferred
encryption algorithm from the SFTP client to the SSH server, preferred encryption
algorithm from the SSH server to the SFTP client, preferred Hashed message
authentication code (HMAC) algorithm from the SFTP client to the SSH server,
preferred HMAC algorithm from the SSH server to the SFTP client, preferred
algorithm of key exchange, name of the outgoing interface, source address
Directory name and file name
Configuring the VTY User Interface

To allow a user to log in to the device by using SFTP, you need to configure attributes of the
Virtual Type Terminal (VTY) user interface.
Issue 02 (2013-12-31)

121

Equipment
Context
Before a user logs in to the device by using SFTP, you must set the user authentication mode in
the VTY user interface. Otherwise, the user cannot log in to the device.
User Interface.
Configuring SSH for the VTY User Interface

Before users can log in to the ATN using SFTP, you must configure VTY user interfaces to
support SSH.
Context
By default, user interfaces support Telnet. If no user interfaces are configured to support SSH,
you cannot log in to the ATN using SFTP.
Procedure
Step 1 Run:
system-view

Step 2 Run:
user-interface [ vty ] first-ui-number [ last-ui-number ]
The VTY user interface is displayed.

Step 3 Run:
The AAA authentication mode is configured.

Step 4 Run:
The VTY user interface is configured to support SSH.

----End
Configuring an SSH User and Specifying SFTP as One of the Service Types
Before logging in to the ATN using SFTP, you must configure an SSH user, configure the
ATN to generate a local RSA (Revest-Shamir-Adleman Algorithm)or DSA (Digital Signature
Algorithm)or ECC (Elliptic Curves Cryptography)key pair, configure a user authentication
mode, and specify a service type and authorized directory for the SSH user.
Context
l
Issue 02 (2013-12-31)
These SSH user authentication modes are available: RSA, DSA, ECC, password, passwordRSA, password-DSA, password-ECC, and all. Password authentication depends on
Authentication, Authorization and Accounting (AAA). Before a user logs in to the device
122

Equipment
in password, password-RSA, password-ECC, or password-DSA authentication mode, you

must create a local user with the specified username in the AAA view.
Password-RSA authentication depends on both password authentication and RSA
authentication.
Password-DSA authentication depends on both password authentication and DSA
authentication.
Password-ECC authentication depends on both password authentication and ECC
authentication.
All authentication depends on either of the following authentications: password
authentication, or DSA authentication or RSA authentication and ECC authentication.
l
The device must be configured to generate local RSA, ECC, or DSA key pairs, which are
a key part of the SSH login process. If an SSH user logs in to an SSH server in password
authentication mode, configure the server to generate a local RSA, ECC,or DSA key pair.
If an SSH user logs in to an SSH server in RSA, ECC, or DSA authentication mode,
configure both the server and the client to generate local RSA, ECC, or DSA key pairs.
RSA key and DSA key are algorithms for user authentication in SSH. Compared with RSA
authentication, DSA authentication adopts the DSA encryption mode and is widely used.
In many cases, SSH only supports DSA to authenticate the server and the client. When the
RSA or DSA authentication mode is used, the priority of the users depends on the priority
of the VTY user interfaces used for login.
Perform the following operations on the ATN that functions as an SSH server:
Procedure
Step 1 Run:
system-view

Step 2 Run:
ssh user user-name
An SSH user is created.

If password authentication is configured for the SSH user, create the same SSH user in the AAA
view
1.
Run the aaa command to enter the AAA view.
2.
Run the local-user user-name password cipher password command to configure a local
username and a password.
Step 3 Run:
local-user user-name level level
The SSH user level is set.

NOTE
The SSH user level must be set to 3 or higher.
Step 4 Create an RSA, DSA, or ECC key pair.

Two methods are available.
Issue 02 (2013-12-31)

123

Equipment
Method 1:
l Run the rsa local-key-pair create command to create a local RSA key pair.
NOTE
l Configure the rsa local-key-pair create command to generate a local key pair before completing
other SSH configurations. The minimum length of the server key pair and the host key pair is 512
bits, and the maximum length is 2048 bits.
l After a local key pair is generated, you can run the display rsa local-key-pair public command
l To clear the local RSA key pair, run the rsa local-key-pair destroy command to destroy all local
RSA key-pairs, including the local key-pair and server key-pair.
Check whether all local RSA key pairs are destroyed after running the rsa local-key-pair
destroy command. The rsa local-key-pair destroy command configuration takes effect only once
l Run the dsa local-key-pair create command to generate the RSA local-key-pair.
NOTE
l You must configure the dsa local-key-pair create command to generate a local key pair before
l After a local key pair is generated, you can run the display dsa local-key-pair public command
l To clear the local DSA key pair, run the dsa local-key-pair destroy command to destroy all local
DSA key-pairs, including the local key-pair and server key-pair.
Check whether all local DSA key pairs are destroyed after running the dsa local-key-pair
destroy command. The dsa local-key-pair destroy command configuration takes effect only once
l Run the ecc local-key-pair create command to generate the ECC local-key-pair.
NOTE
l You must configure the ecc local-key-pair create command to generate a local key pair before
l After a local key pair is generated, you can run the display ecc local-key-pair public command
l To clear the local ECC key pair, run the display ecc local-key-pair public command to destroy
all local ECC key-pairs, including the local key-pair and server key-pair.
Check whether all local ECC key pairs are destroyed after running the ecc local-key-pair
destroy command. The ecc local-key-pair destroy command configuration takes effect only once
Method 2:
1.
Run the rsa key-pair label, dsa key-pair label, or ecc key-pair label command in the
system view to create an RSA, DSA, or ECC key pair.
2.
Run the ssh server assign { rsa-host-key | rsa-server-key | dsa-host-key | ecc-hostkey } key-name command in the system view to assign an RSA host key, RSA server key,
DSA host key, or ECC host key to an SSH server.
After the key pair is generated, run the display rsa key-pair, display dsa key-pair, or display
ecc key-pair command to check information about the RSA, DSA, or ECC key pair.
Step 5 Perform the operations as described in Table 1-18 based on the configured SSH user
Issue 02 (2013-12-31)

124

Equipment
Table 1-18 Configuring an authentication mode for the SSH user

Operation
Command
Description
Configure
Password
Authentication

authentication-type password
command
If local or HuaWei Terminal

Access Controller Access Control
System (HWTACACS)
authentication is used and there
are only a few users, use password
authentication.
2. Run the aaa command to enter

the AAA view.

password cipher password
command to configure the
username and the password for the
local user.
The username must be the same to

the SSH user.

service-type ssh command to set
the access type of the local user to
SSH.

authentication-type rsa command
to configure RSA authentication.
Configure RSA
authentication
Issue 02 (2013-12-31)

By default, the administrators are

all in the domain default_admin.
125

Equipment
Operation
Command
Description
2. Run the rsa peer-public-key keyname [ encoding-type { der |

openssh | pem } ] command to
configure an encoding format for an
RSA public key and enter the RSA
public key view.

devices support only the DER
format for RSA keys before VRP
V500R012C01 version. If you use
an RSA key in non-DER format,
use a third-party tool to convert
the key into a key in DER format.
The default encoding format is

distinguished encoding rules (DER)
for an RSA public key.

software, RSA usability is
unsatisfactory. In addition to
DER, RSA keys need to support
the privacy-enhanced mail (PEM)
and OpenSSH formats to improve
RSA usability after VRP
Third-party software, such as
SecureCRT, PuTTY, OpenSSH,
and OpenSSL, can be used to
generate RSA keys in different
formats. The details are as
follows:
l The SecureCRT and PuTTY
generate RSA keys in PEM
format.
l The OpenSSH generates RSA
keys in OpenSSH format.
l The OpenSSL generates RSA
keys in DER format.

edit view.

key.

Issue 02 (2013-12-31)

126

Equipment
Operation
Command
Description

key edit view.

view.

format is entered.
is displayed.

authentication-type dsa command
to configure DSA authentication.
2. Run the dsa peer-public-key

key-name encoding-type { der |
openssh | pem } command to
configure an encoding format for a
DSA public key and enter the DSA
public key view.

devices support the DER and
PEM formats for DSA keys
before VRP V500R012C01
version. If you use an RSA key in
non-DER/PEM format, use a
third-party tool to convert the key
into a key in DER or PEM format.
software, DSA usability is
unsatisfactory. In addition to DER
and PEM, DSA keys need to
support the OpenSSH format to
improve DSA usability after VRP

edit view.
Issue 02 (2013-12-31)

127

Equipment
Operation
Command
Description

key.


key edit view.

view.

format is entered.
is displayed.
Configure ECC
authentication
Issue 02 (2013-12-31)

assign dsa-key key-name command

assign rsa-key key-name command

authentication-type ecc command
to configure ECC authentication.
2. Run the ecc peer-public-key keyname encoding-type { der | pem |

openssh } command to configure an
encoding format for a ECC public
key and enter the ECC public key
view.

128

Equipment
Operation
Command
Description

edit view.

key.


key edit view.

view.

format is entered.
is displayed.

assign ecc-key key-name command
Step 6 (Optional) Use command lines to authorize SSH users.

Run:
ssh user user-name authorization-cmd aaa
The command line authorization is configured for the specified SSH user.
After configuring the authorization through command lines for the SSH user to perform RSA
authentication, you have to configure the AAA authorization. Otherwise, the command line
authorization for the SSH user does not take effect.
Issue 02 (2013-12-31)

129

Equipment
Step 7 Run:
ssh user username service-type { SFTP | all }
The service type of an SSH user is set to SFTP or all.

By default, the service type of the SSH user is not configured.
Step 8 Run:
ssh user username sftp-directory directoryname
The authorized directory of the SFTP service for the SSH user is configured.
By default, the authorized directory of the SFTP service for the SSH user is cfcard:.
----End
Enabling the SFTP Service

You must enable the STelnet service before you can use it.
Context
By default, the SFTP server function is not enabled on the ATN. You can use SFTP to establish
connections with the router only after the SFTP server function is enabled on the ATN.
Do as follows on the ATN that serves as an SSH server:
Procedure
Step 1 Run:
system-view

Step 2 Run:
sftp server enable
The SFTP service is enabled.

By default, the SFTP service is disabled.
----End
(Optional) Configuring the SFTP Server Parameters

You can configure a device to be compatible with earlier versions of the SSH protocol, configure
or change the listening port number of an SSH server, set an interval at which the key pair of
the SSH server is updated, and specify the source interface.
Procedure
Step 1 Run:
system-view

Issue 02 (2013-12-31)

130

Equipment
Step 2 Perform any of the operations shown in Table 1-19 as needed.

Table 1-19 Server parameters
Issue 02 (2013-12-31)
Server
parameters
Command
Description
Configure the
interval at
which the key
pair of the
SSH server is
updated
Run the ssh server rekey-interval

interval command.
You can set an interval at which the

key pair of an SSH server is updated.
When the timer expires, the key pair
is automatically updated, improving
security.
Configure the
timeout
period of SSH
authentication
Run the ssh server timeout

seconds command.
Configure the
number of
times that
SSH
authentication
is retried
Run the ssh server authenticationretries times command.
Configure
earlier SSH
version
compatibility
Run the ssh server compatiblessh1x enable command.
By default, the interval is 0,

indicating that the key is never
updated.
By default, the timeout period is 60

seconds.
By default, SSH authentication

retries a maximum of 3 times.
By default, an SSH server running

SSH2.0 is compatible with SSH1.X.
To prevent clients running SSH1.3 to
SSH1.99 from logging in, run the
undo ssh server compatible-ssh1x
enable command to disable support
for earlier SSH protocol versions.
If a user fails to log in when the

timeout period of SSH
authentication expires, the system
disconnects the current connection
to ensure the system security.
The number of times that SSH
authentication is retried is set to deny
access of invalid users.
There are two SSH versions:

SSH1.X (earlier than SSH2.0) and
SSH2.0. SSH2.0 has an extended
structure and supports more
authentication modes and key
exchange methods than SSH1.X,
SSH 2.0 can eliminate the security
risks that SSH 1.X has. SSH 2.0 is
more secure and therefore is
recommended. SSH2.0 also
supports more advanced services
such as SFTP. The ATN supports
SSH versions ranging from 1.3 to
2.0.

131

Equipment
Server
parameters
Command
Description
Configure the
listening port
number of the
SSH server
Run the ssh server port portnumber command.
The default listening port number of

an SSH server is 22. Users can log in
to the device by using the default
listening port number. Attackers
may access the default listening port,
which consumes bandwidth,
deteriorates server performance, and
causes authorized users to be unable
to access the server. After the
listening port number of the SSH
server is changed, attackers do not
know the new port number. This
effectively prevents attackers from
accessing the listening port and
improves security.
By default, the listening port number

is 22.
If a new listening port is set, the SSH
server cuts off all established STelnet
and SFTP connections, and uses the
new port number to listen to
Source
interface
Run the ssh server-source -i

loopback interface-number
command.
Before the source interface of an
SSH server is specified, ensure that
the loopback interface to be specified
as the source interface has been
created. If the loopback interface is
not created, the ssh server-source
command cannot be correctly
executed.
Configuring
an ACL on the
SSH server
Run the ssh server acl acl-number or

ssh ipv6 server acl acl-number
command.
By default, an SSH server receives

connection requests from all
interfaces, and therefore, the system
is vulnerable to attacks. To enhance
system security, you can specify the
source interface of the SSH server.
This sets a login condition after
which only authorized users can log
in to the SSH server.
After the source interface is
specified, the system only allows
SFTP or STelnet users to log in to the
SSH server through this source
interface. Any SFTP or STelnet
users that log in through other
interfaces are denied. Note that
setting this parameter only affects
SFTP or STelnet users that attempt
to log in to the SSH server, but it does
not affect SFTP or STelnet users that
have already logged in to the server.
This command specifies the clients
that can access the SSH server
running IPv4/IPv6. This
configuration prevents unauthorized
users from accessing the SSH server,
ensuring data security.
----End
Issue 02 (2013-12-31)

132

Equipment
Using SFTP to Access the System

After the configuration is complete, you can use SFTP to log in to the ATN from a user terminal
and manage files on the ATN.
Context
You can use third-party software to access the ATN from the user terminal using SFTP. The
example here uses third-party software OpenSSH and the Windows CLI.
Install OpenSSH on the user terminal and then perform the following:
NOTE
For details on how to install OpenSSH, see the software installation guide.
For details on how to use OpenSSH commands to log in to the ATN, see help documentation for the
software.
Procedure
Step 2 Run OpenSSH commands to log in to the ATN in SFTP mode.
When a command line prompt, such as sftp>, is displayed in the SFTP client view, as shown in
Figure 6-2, you have entered the working directory of the SFTP server.
Figure 1-23 Using SFTP to log in to the device
Issue 02 (2013-12-31)

133

Equipment
----End
Using SFTP to Manage Files

You can log in to the SSH server from an SFTP client to create or delete directories on the SSH
server.
Context
After logging in to the SFTP server, you can perform the following operations:
l
Display the SFTP client command help
Manage directories on the SFTP server
Manage files on the SFTP server
After logging in to the SFTP server and entering the SFTP client view, you can perform one or
more of the following operations.
Procedure
l
Run:
help [ all | command-name ]
The SFTP client command help is displayed.

l
Perform the following operations as required.

Run:
cd [ remote-directory ]
The current operating directory of the users is changed.

Run:
pwd
The current operating directory of the users is displayed.

Run:
dir/ls [ path ]
A list of files in the specified directory is displayed.

Run:
rmdir delete-remote-directory &<1-10>
The directory on the server is deleted.

Run:
A directory is created on the server.

l
Perform of the following operations as required.

Run:
rename old-name new-name
The name of the specified file on the server is changed.

Run:
Issue 02 (2013-12-31)

134

Equipment
The file on the remote server is downloaded.

Run:
The local file is uploaded to the remote server.

Run:
rmdir delete-remote-directory &<1-10>
The file on the server is removed.

----End

After using SFTP to manage files, you can view SSH user information and global configurations
for the SSH server.
Prerequisites
The configurations of SSH users are complete.
Procedure
l
Run the display ssh user-information username command on the SSH server to check
information about the SSH client.
Run the display ssh server status command on the SSH server to check its global
configurations.
Run the display ssh server session command on the SSH server to check information about
connection sessions with SSH clients.
----End
Example
Run the display ssh user-information username command. It shows that the SSH user named
clinet001 is authenticated by password.
[HUAWEI] display ssh user-information client001
User Name
: client001
Authentication-type
: password
: Sftp-directory
: Service-type
: sftp
If no SSH user is specified, information about all SSH users logged in to an SSH server will be
displayed.
Run the display ssh server status command to view the global configurations of an SSH server.
SSH version
: 1.99
-------------------------------------------------------------------------------
If no SSH user is specified, information about all SSH users logging in to an SSH server will be
displayed.
Run the display ssh server status command to view the global configurations of an SSH server.
Issue 02 (2013-12-31)

135

Equipment

SSH version
SSH Authentication retries
SFTP server
Stelnet server
SSH server port
SSH server source
ACL4 number
ACL6 number
: 1.99
: 60 seconds
: 2 hours
: 5 times
: Enable
: Enable
: 55535
:0.0.0.0
:0
:0
NOTE
If the default listening port is in use, information about the current listening port is not displayed.
Run the display ssh server session command to view information about sessions between the
SSH server and SSH clients.
<HUAWEI> display ssh server
Session 2:
Conn
Version
State
Username
Retry
CTOS Cipher
STOC Cipher
CTOS Hmac
STOC Hmac
Kex
Service Type
Authentication Type
session
:
:
:
:
:
:
:
:
:
:
:
:
VTY 4
2.0
started
client002
1
aes128-cbc
aes128-cbc
hmac-sha1-96
hmac-sha1-96
diffie-hellman-group-exchange-sha1
sftp
password

The examples in this section show how to use FTP, SFTP, or FTPS to access the system and
manage files. These configuration examples explain the networking requirements and provide
configuration roadmaps and configuration notes.
Example for Using the File System to Manage Files

This example shows how to use the file system to manage files. In the example, you log in to
the ATN to view and copy directories.
You can log in to the ATN through the console port, Telnet, or STelnet to manage files on the
ATN.
You must enter the path to the file on the storage device correctly. If you do not specify a target
file name, the source file name is the name of the target file by default.
1.
Issue 02 (2013-12-31)
Check the files in a directory.

136

Equipment
2.
Copy a file to this directory.
3.
Check that the file has been copied to the directory.
Data Preparation
l
Source file name and target file name
Source file path and target file path
Procedure
Step 1 Display the file information in the directory of cfcard:/folder2, cfcard:/ is the flash memory
identifier.
<HUAWEI> pwd
cfcard:/
<HUAWEI> cd cfcard:/folder2
<HUAWEI> dir
Info: File can't be found in the directory.
499,720 KB total (47,776 KB free)
Step 2 Copy files from cfcard:/folder1/sample.txt to cfcard:/folder2/sample.txt.

<HUAWEI> copy cfcard:/folder1/sample.txt cfcard:/folder2
Copy cfcard:/folder1/sample.txt to cfcard:/folder2/sample.txt?[Y/N]:Y
100% complete
Info: Copied file cfcard:/folder1/sample.txt to cfcard:/folder2/sample.txt...Done.
Step 3 Display the file information about the current directory to check that the file has been copied to
the specified directory.
<HUAWEI> dir
Directory of cfcard:/folder2/
Idx
0
Attr
-rw-
Size(Byte)
6
Date
Time(LMT)
Dec 21 2011 16:15:52
FileName
sample.txt
499,720 KB total (47,768 KB free)
----End
Example for Using FTP to Manage Files

This example shows how to use FTP to manage files. In the example, a user uses FTP to log in
to the ATN from a PC and then download files to the FTP client.
As shown in Figure 1-24, after the FTP server is enabled on the ATN, you can log in to the FTP
server from the HyperTerminal to upload or download files.
Figure 1-24 Networking for using FTP to manage files
Network
PC
Issue 02 (2013-12-31)
GE0/2/0
10.137.217.221/16
FTP Server

137

Equipment
1.
Configure the IP address of the FTP server.
2.
Enable the FTP server.
3.
Configure the authentication information, authorization mode, and directories that can be
accessed for an FTP user.
4.
Enter the username and password to log in to the FTP server.
5.
Upload files to or download files from the FTP server.
Data Preparation
l
IP address of the FTP server: 10.137.217.221
Timeout period for the FTP connection: 30 minutes
On the server, FTP username: huawei and password: !QAZ@WSX3edc
Destination file name and its location on the FTP client
Procedure
Step 1 Configure the IP address of the FTP server.
[server] interface gigabitethernet0/2/0
[server-GigabitEthernet0/2/0] undo shutdown
[server-GigabitEthernet0/2/0] ip address 10.137.217.221 255.255.0.0
[server-GigabitEthernet0/2/0] quit
Step 2 Enable the FTP server.

<HUAWEI>
[HUAWEI]
[server]
[server]
system-view
sysname server
ftp server enable
ftp timeout 30
Step 3 Configure the authentication information, authorization mode, and directories that can be
accessed for an FTP user on the FTP server.
[server] aaa
[server-aaa]
[server-aaa]
[server-aaa]
[server-aaa]
[server-aaa]
local-user
local-user
local-user
local-user
quit
huawei
huawei
huawei
huawei
password cipher !QAZ@WSX3edc

level 3
service-type ftp
ftp-directory cfcard:
Step 4 Run FTP commands at the Windows command line prompt, and enter the username and
password to set up an FTP connection with the FTP server, as shown in Figure 6-4.
Issue 02 (2013-12-31)

138

Equipment
Figure 1-25 Logging in to the FTP server
Step 5 Upload and download files, as shown in Figure 6-5.

Figure 1-26 Using FTP to manage files
NOTE
You can run the dir command before downloading a file or after uploading a file to view detailed
information about the file.
----End
Issue 02 (2013-12-31)

139

Equipment
Configuration File
l
FTP server configuration file

#
sysname Server
#
FTP server enable
#
undo shutdown
ip address 10.137.217.221 255.255.0.0
#
aaa
local-user huawei password cipher $1a$9zS'/]'y<:$My1[;/,aS>nhG{H7GaM+{4,O6Q
8A~<75q"C}O0H
local-user huawei service-type ftp
local-user huawei ftp-directory cfcard:
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
return
Example for Using SFTP to Manage Files

This example shows how to use SFTP to manage files. In the example, a local key pair and a
user name and a password are configured on the SSH server for an SSH user. After SFTP services
are enabled on the server and the SFTP client is connected to the server, you can manage files
As shown in Figure 1-27, after SFTP services are enabled on the ATN that functions as an SSH
server, you can log in to the server from an SFTP client PC in password, Revest-Shamir-Adleman
Algorithm (RSA), password-RSA, Digital Signature Algorithm (DSA), password-DSA, Elliptic
Curves Cryptography (ECC), password-ECC or all authentication mode.
Configure a user to log in to the SSH server in password authentication mode.
Figure 1-27 Networking diagram for using SFTP to manage files
Network
GE0/2/0
10.164.39.210/16
SSH Server
PC
Issue 02 (2013-12-31)

140

Equipment
1.
Configure a local key pair on the SSH server to exchange data securely between the SFTP
client and the SSH server.
2.
Configure VTY user interfaces on the SSH server.
3.
Configure an SSH user, including user authentication mode, username, password, and
authorization directory.
4.
Enable SFTP services on the SSH server and configure a user service type.
Data Preparation
l
SSH user authentication mode: password, username: client001, password: !

QAZ@WSX3edc
User level of client001: 3
IP address of the SSH server: 10.137.217.225
Procedure
Step 1 Configure a local key pair on the SSH server.
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
Step 2 Configure VTY user interfaces on the SSH server.

[SSH
[SSH
[SSH
[SSH

Step 3 Configure the SSH username and password on the SSH server.
[SSH
[SSH
[SSH
[SSH
[SSH
Server] aaa
Server-aaa]
Server-aaa]
Server-aaa]
Server-aaa]
local-user client001 password cipher !QAZ@WSX3edc

quit
Step 4 Enable SFTP and configure the user service type as SFTP.
[SSH Server] sftp server enable
[SSH Server] ssh user client001 authentication-type password
[SSH Server] ssh user client001 service-type sftp
Step 5 Configure the authorization directory for the SSH user.

[SSH Server] ssh user client001 sftp-directory cfcard:
Issue 02 (2013-12-31)

141

Equipment
Step 6 Verify the configurations.

Figure 1-28 Access interface
----End
Configuration File
l

#
sysname SSH Server
#
aaa
local-user client001 password cipher $1a$9zS'/]'y<:$My1[;/,aS>nhG{H7GaM
+{4,O6Q
8A~<75q"C}O0H
#
undo shutdown
ip address 10.137.217.225 255.255.255.0
#
sftp server enable
#
#
return
Issue 02 (2013-12-31)

142

Equipment
1.7 Configuring System Startup

When the ATN is powered on, system software starts and configuration files are loaded. To
ensure that the ATN runs smoothly, you need to manage system software and configuration files
efficiently.
1.7.1 System Startup Overview

When the ATN is powered on, system software starts and configuration files are loaded.
System Software
System software provides an operating system for the ATN. System software must be set up
correctly for the ATN to run and provide services efficiently.
The extension of the system software file is .cc. The file must be saved in the root directory of
the storage device.
Configuration Files
The configuration file is used to configure the initial settings of the ATN.
The configuration file is a text file with the following properties:
l
It is saved in the command format.
To save space, default parameters are not saved.
Commands are organized according to the command view. All commands of the same
command view are grouped into a section. Every two command sections are separated by
one or several blank lines or comment lines (beginning with "#").
The sequence of the command sections is as follows: global configuration, physical

interface configuration, logical interface configuration, and routing protocol configuration.
The filename extension of the configuration file must be .cfg or .zip, and must be stored in
the root directory of a storage device.
In a configuration file, the commands must be expressed in full names. No abbreviation is

allowed.
In a configuration file, each command is wrapped using \r\n. No other invisible characters
can be used to wrap commands.
Transmitting the configuration file using FTP in bin mode to a device is recommended.
NOTE
l The system supports commands that contain a maximum of 510 characters. A command does not have
to be entered in full, as long as the part of the command entered is unique within the system. For
example, to run the display current-configuration command, enter d cu, di cu, or dis cu. Entering
d c or dis c will not run the command because these entries are not unique to the command.
l The system saves the complete form of incomplete commands to configuration files. Saved commands
may have more than 510 characters. When the system restarts, incomplete commands cannot be
restored. Therefore, pay attention to the length of incomplete commands before saving them.
Issue 02 (2013-12-31)

143

Equipment
Configuration Files and Current Configurations

When the ATN is running, current configurations differ from configuration files.
The concepts of configuration files and current configurations are defined as follows.
Concept
Identifying Method
Configuration files
Current configurations
When the ATN is powered

on, it retrieves configuration
files from a default save path
to initialize itself. If
configuration files do not
exist in the default save path,
the ATN uses default
initialization parameters.
l Run the display startup

command to view the
configuration files for the
current startup and next
startup on the ATN.
Current configurations
indicate the configurations in
effect on the ATN when it is
actually running.
Run the display currentconfiguration command to

view current configurations
on the ATN.
l Run the display savedconfiguration command

to view the configuration
file for the next startup on
the ATN.
You can use the command line interface to modify current ATN configurations. Use the save
command to save modified configurations to the next startup configuration file on the storage
device. This configuration file will be used to initialize the ATN the next time the ATN is
powered on.
1.7.2 Managing Configuration Files

You can manage the configuration files for the current and next startup operations on the
ATN.
Before You Start

Before managing configuration files, familiarize yourself with the applicable environment,
Configuration files can be saved, cleared, and compared. Configuration file management is
required to upgrade the ATN, take preventive measures, repair configuration files, and view
configurations after the ATN starts.
Before managing configuration files, install and power on the ATN.
Issue 02 (2013-12-31)

144

Equipment
Data Preparation
To manage configuration files, you need the following data.
No.
Data
Configuration file and its name
Configuration file saving interval and delay interval
Number of the start line from which the comparison of the configuration files
begins
Saving Configuration Files

The configurations completed by using command lines are valid only for the current operation
on the ATN. To allow the configurations to be valid for the next startup, you need to save the
current configurations to the next startup configuration file before restarting the ATN.
Context
You can save configuration files on demand or set the system to save configuration files at regular
intervals. This prevents data loss if the ATN restarts without warning or when it is powered off.
Run one of the following commands to save configuration files.
Procedure
l
Run:
NOTICE
When the automatic saving function is enabled and the LPU is not correctly installed,
corresponding configurations may be lost.
1.
system-view

2.
set save-configuration [ interval interval | cpu-limit cpu-usage |delay

delay-interval ] *
The configuration file is saved at intervals.

After you specify the parameter interval interval, the system saves the current
configuration if the configuration has changed; if the configuration has not changed,
the system does not save saves the current configuration.
If you do not run the set save-configuration command, the system does not
automatically save configurations.
If you run the set save-configuration command without specifying interval, the
system automatically saves configurations at an interval of 30 minutes.
Issue 02 (2013-12-31)

145

Equipment
When you configure the automatic saving function, to prevent that function from
affecting system performance, you can set the upper limit of the CPU usage for the
system during automatic saving. When automatic saving is triggered by the expiry of
the timer, the CPU usage is checked. If the CPU usage is higher than the set upper
limit, automatic saving will be canceled.
After you specify delay delay-interval, if the configuration is changed, the device
automatically saves the configuration after the specified delay.
After you configure the configurations to be automatically saved, the system
automatically saves the changed configurations to the configuration file for the next
startup. Then, the configuration files change according to the saved configurations.
Before you configure the configurations to be automatically saved on the server, you
need to run the set save-configuration backup-to-server server server-ip [ vpninstance vpn-instance-name ] transport-type { ftp | sftp } user user-name
password password [ path folder ] or set save-configuration backup-to-server
server server-ip transport-type tftp [ path folder ] command to configure the server,
including the IP address, username, password of the server, destination path, and mode
of transporting the configuration file to the server.
NOTE
If you use TFTP, run the tftp client-source command to configure a loopback interface address as
a client source IP address on the ATN, thereby improving security.
Run:
save [ all ] [ configuration-file ]
The current configurations are saved.

The extension of the configuration file must be .cfg or .zip. The system startup configuration
file must be saved in the root directory of a storage device.
You can modify the current configuration through the CLI. To set the current configuration
as initial configuration when the ATN starts next time, you can use the save command to
save the current configuration in the cfcard memory.
You can use the save all command to save all the current configurations, including the
configurations of the boards that have not been inserted, to the next startup configuration
file.
NOTE
When you save the configuration file for the first time, if you do not specify the optional parameter
configuration-file, the ATN asks you whether you want to save the file as "vrpcfg.zip". "vrpcfg.zip"
is the default configuration file which initially contains no configuration.
----End
Clearing a Configuration File

This section describes how to clear the content of the configuration file that has been loaded to
a device or how to delete configurations on an interface to restore the default configurations.
Context
The configuration file stored in the cfcard memory needs to be cleared in the following cases:
Issue 02 (2013-12-31)

146

Equipment
The system software does not match the configuration file after the ATN has been upgraded.
The configuration file is destroyed or an incorrect configuration file has been loaded.
Perform the following operations to clear the content of a configuration file:
Procedure
l
Clear the currently loaded configuration file.

Run the reset saved-configuration command to clear the currently loaded configuration
file.
If the configuration file used for the current startup of the ATN is the same as the file
to be used for the next startup, running the reset saved-configuration command clears
both files. The ATN will use the default configuration file for the next startup.
If the configuration file used for the current startup of the ATN is different from the file
to be used for the next startup, running the reset saved-configuration command clears
the configuration file used for the next startup.
If you run the reset saved-configuration command and the configuration file used for
the current startup of the ATN is empty, the system states that the configuration file
does not exist.
NOTICE
l Exercise caution when running this command. If necessary, do so under the guidance
of Huawei technical support personnel.
l After the contents of a configuration file are cleared, the empty configuration file with
the original file name remains.
l After the configuration file is cleared, if you do not run the startup savedconfiguration configuration-file command to specify a new configuration file or the
save command to save the configuration file, the ATN will use the default configuration
file at the next startup.
----End
Comparing Configuration Files

You can determine whether the current configuration file or another file specified on the ATN
will be used for the next startup by comparing them.
Context
You can compare the current configuration file to the file specified for the next startup to
determine which one to specify for the next startup.
Procedure
l
Run:
compare configuration [ configuration-file ] [ current-line-number save-linenumber ]
Issue 02 (2013-12-31)

147

Equipment
The current configuration is compared with the configuration file for next startup.
If no parameter is specified, the system compares whether the current configurations
are identical with the next startup configuration file from the first line.
If configuration-file is configured, the system checks whether the current configuration
file is the same as the specified configuration file.
If no parameter is set, the comparison begins with the first lines of the configuration
files. If values for current-line-number and save-line-number are set, the comparison
continues and ignore differences between the configuration files.
The system begins to display the content of the current and saved configuration file from
the first line that is different between the two files. Beginning with this line, 150 characters
are displayed by default for each of the files. If fewer than 150 characters remain after the
first line with a difference, all remaining file content is displayed.
NOTE
When trying to compare configuration files, if the configuration file for next startup is unavailable
or its content is empty, the system cannot read the file.
----End

After managing configuration files, you can view the current configuration files and files in the
storage device.
Prerequisites
The configurations for managing configuration files are complete.
Procedure
l
Run the display current-configuration [ configuration [ configuration-type

[ configuration-instance ] ] | controller | interface [ interface-type [ interface-number ] ] ]
[ feature feature-name [ filter filter-expression ] | filter filter-expression ] or display
current-configuration [ all | inactive ]command to check current configurations.
Run the display startup command to check files for startup.
Run the dir [ /all ] [ filename ] command to check files saved in the storage device.
Run the display saved-configuration configuration command to view configurations of

the autosave function, including the status of the autosave function, time for autosave check,
threshold for the CPU usage, and period during which configurations remain unchanged
(when the period expires, configurations are automatically saved).
Run the display changed-configuration time command to check the time of the last
configuration change.
----End
Example
Run the display startup command to check files for startup.
<HUAWEI> display startup
Issue 02 (2013-12-31)

148

Equipment
MainBoard:
Startup paf file:
cfcard:/vrp.cfg
cfcard:/vrp.cfg
default
default
default
default
NULL
NULL
1.7.3 Specifying a File for System Startup

You can specify a file to be used for system startup by specifying the system software and
configuration file for the next startup of the ATN.
Before You Start

Before specifying a file for system startup, familiarize yourself with the applicable environment,
To enable the ATN to provide user-defined configurations during the next startup, you need to
correctly specify the system software and configuration file for the next startup.
Before specifying a file for system startup, install the ATN and powerg it on.
Data Preparation
To specify a file for system startup, you need the following data.
No.
Data
System software and its file name on the ATN
Configuration file and its file name on the device
Configuring System Software for the ATN to Load at the Next Startup
If you need to upgrade a ATN's system software, you can specify the ATN system software to
be loaded at the next startup.
Context
The system will continue to load the current system software at each startup until different system
software is specified for the next system startup. To change system software for the next startup,
you need to specify the system software you require.
Issue 02 (2013-12-31)

149

Equipment
The filename extension of the system software must be .cc and the file must be stored in the root
directory of a storage device.
Procedure
Step 1 Run:
startup system-software system-file [ slave-board ]
The ATN system software to be load at the next startup of the ATN is configured.
You can specify the system-file and use the system software for the next startup that is saved on
the device.
slave-board is valid only on the ATN with dual main control boards.
----End
Configuring the Configuration File for the ATN to Load at the Next Startup
Before restarting a ATN, you can specify which configuration files will be loaded at the next
startup.
Context
Run the display startup command on the ATN to check whether a specific configuration file
is set to be loaded at the next startup. If a specific configuration file is not specified, the default
configuration file will be loaded at the next startup.
The filename extension of the configuration file must be .cfg or .zip, and the file must be stored
in the root directory of a storage device.
When the ATN is powered on, by default, it reads the configuration file from the cfcard memory
to initialize. The data in this configuration file is the initial configuration. If no configuration
file is saved in the cfcard memory, the ATN uses default parameters for initiation.
Procedure
l
Run:
startup saved-configuration configuration-file
A configuration file is saved for the ATN to load at the next startup.
The system allows you to set different names for the configuration files on the master and
slave main control boards, but the system requires your confirmation. After your
confirmation, the system can be restarted.
----End

After specifying a configuration file for system startup, you can check the content of the
configuration file and information about the files to be used at the ATN's next startup.
Prerequisites
A configuration file has been specified for system startup.
Issue 02 (2013-12-31)

150

Equipment
Procedure
l
Run the display current-configuration [ configuration [ configuration-type

[ configuration-instance ] ] | controller | interface [ interface-type [ interface-number ] ] ]
[ feature feature-name [ filter filter-expression ] | filter filter-expression ] command to
check current configurations.
Run the display saved-configuration [ last | time | configuration ] command to check the
contents of the configuration file to be loaded at the next startup.
Run the display startup command to check information about the files to be used at next
startup.
----End
Example
Run the display startup command to check information about the files to be used at the next
startup.
MainBoard:
Startup paf file:
cfcard:/vrp.cfg
cfcard:/vrp.cfg
default
default
default
default
NULL
NULL

The example in this section shows how to configure system startup. The example explains the
networking requirements, and provides a configuration roadmap and configuration notes.
Example for Configuring System Startup

This example shows how to configure system startup. In the example, a configuration file is
saved and the system software and configuration file to be loaded at the next startup are specified
so that the ATN can start appropriately.
After the ATN is configured, new configurations take effect after the system restarts.
1.
Save the current configuration.
2.
Specify the configuration file to be loaded at the next startup of the ATN.
3.
Specify the system software to be loaded at the next startup of the ATN.
Issue 02 (2013-12-31)

151

Equipment
Data Preparation
l
Name of the configuration file
File name of the system software
Procedure
Step 1 Check the configuration file and system software that were used during the current startup.
MainBoard:
Startup paf file:
cfcard:/vrp.cfg
cfcard:/vrp.cfg
default
default
default
default
NULL
NULL
Step 2 Save the current configuration to the specified file.

<HUAWEI> save vrpcfg.cfg
The system prompts you whether to save the current configuration to the file named vrpcfg.cfg
on the control boards. After entering y at the prompt, you save the configuration successfully.
Step 3 Specify the configuration file to be loaded at the ATN's next startup.
<HUAWEI> startup saved-configuration vrpcfg.cfg
Step 4 Specify the system software to be loaded at the ATN's next startup.
Specify the system software to be loaded at the next startup of the master main control board.
<HUAWEI> startup system-software V200R003C00.cc
Specify the system software to be loaded at the next startup of the slave main control board.
(Skip this step if the chassis is ATN 910/ATN 910I/ATN 910B.)
<HUAWEI> startup system-software V200R003C00.cc slave-board
NOTE
l The slave main control board automatically synchronizes with the master main control board after the
configuration file to be loaded during the next startup is specified for the master main control board.
l Ensure that the system software to be loaded during the next startup of the ATN is saved on the master
and slave main control boards of the ATN. Configure the system software to be loaded during the next
startup of the master and slave main control boards respectively.

After the configuration is complete, run the following command to check which configuration
file and system software will be loaded at the ATN's next startup.
MainBoard:
Issue 02 (2013-12-31)

152

Equipment
Startup paf file:
cfcard:/vrp.cfg
cfcard:/vrpcfg.cfg
default
default
default
default
NULL
NULL
----End
Configuration Files
None.
1.8 Accessing Another Device

To manage configurations or operate files on another device, you can use Telnet, STelnet, TFTP,
FTP, or SFTP to access the device from the device that you have logged in to.
1.8.1 Accessing Another Device

To manage configurations or use files on a device other than the device to which you are logged
in, you can use Telnet, FTP, TFTP, or SSH to access that device.
Figure 1-29 Networking diagram for accessing another device from the ATN
As shown in Figure 1-29, when you run a terminal emulation or Telnet program on a PC to
connect to the ATN, the ATN can still function as a client to access another device on the
network. There are several ways to accomplish this.
Telnet Method
To configure and manage a remote device on the network, you can use the ATN that you have
logged in to as a client to log in to that device, or you can use a redirection terminal service on
the ATN to log in to that device.
Telnet is an application layer protocol in the TCP/IP protocol suite that provides remote login
and virtual terminal services.
The ATN provides the following Telnet services:
l
Telnet server: You can run the Telnet client program on a PC to log in to a ATN to complete
configuration and management tasks. The ATN acts as a Telnet server.
Telnet client: You can run the terminal emulation program or Telnet client program on a
PC to connect to the ATN. You can then run the telnet command to log in to other ATNs
Issue 02 (2013-12-31)

153

Equipment
to configure and manage them. As shown in Figure 1-30,ATN A serves as both a Telnet
server and a Telnet client.
Figure 1-30 Telnet client services
Redirection terminal services: You can run the Telnet client program on a PC to log in to
the ATN through a specified port number. Then connect to serial interface devices that are
connected through the asynchronous interface of the ATN, as shown in Figure 1-31. This
scenario is typically used to connect an asynchronous ATN interface with multiple remote
devices to complete configuration and maintenance tasks.
Figure 1-31 Telnet redirection services
NOTE
Only devices that provide asynchronous interfaces support the Telnet redirection service.
Interruption of Telnet services

Two shortcut key combinations can terminate a Telnet connection.
As shown in Figure 1-32, ATN A logs in to ATN B through Telnet, and ATN B logs in
to ATN C through Telnet. Thus, a cascade network is formed. In this case, ATN A is the
client of ATN B and ATN B is the client of ATN C. Figure 1-32 illustrates the usage of
shortcut keys.
Issue 02 (2013-12-31)

154

Equipment
Figure 1-32 Usage of Telnet shortcut keys
Ctrl_]: The server interrupts the connection.

If the network connection is normal and you press Ctrl_], the Telnet server terminates the
current Telnet connection. For example:
<ATNC>
Press Ctrl_] to return to the ATN B prompt.

Info: The max number of VTY users is 10, and the current number
of VTY users on line is 1.
Info: The connection was closed by the remote host.
<ATNB>
Press Ctrl_] to return to the ATN A prompt.

Info: The max number of VTY users is 10, and the current number
Info: The connection was closed by the remote host.
<ATNA>
NOTE
If a router becomes disconnected from the network, these shortcut keys are invalid. Instructions
cannot be sent to the server.
Ctrl_]: The client interrupts the connection.

If the server fails and the client is unaware of this failure, the client continues to transmit
data but the server does not respond. In this case, press Ctrl_T to terminate the Telnet
connection.
For example:
<ATNC>
Press Ctrl_T to terminate and quit a Telnet connection.

<ATNA>
NOTICE
If remote login users are using the maximum number of VTY user interfaces allowed, the
system states that all user interfaces are in use and does not allow additional Telnet logins.
FTP Method
To access files on a remote FTP server, you can use FTP to establish a connection between the
ATN to which you are logged in and the remote FTP server.
FTP can transmit files between hosts and provide users with common FTP commands for file
system management. That is, you can use an FTP client program that does not reside on the
Issue 02 (2013-12-31)

155

Equipment
ATN to upload or download files and access directories on the router, and you can use an FTP
client program that resides on the ATN to transfer files to the FTP servers of other devices.
FTP can transmit files between local and remote hosts. It is widely used for upgrading versions,
downloading logs, transmitting files, and saving configurations.
TFTP Method
If network client/server interaction requirements are relatively simple, you can enable the TFTP
service on the ATN that functions as a TFTP client to access files on a TFTP server.
Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol.
Unlike FTP, TFTP does not have a complex interactive access interface or authentication control.
TFTP is used in environments where there is no complex interaction between the client and the
server. For example, TFTP is used to obtain a memory image of the system when the system
starts up.
Implementation of TFTP is based on the User Datagram Protocol (UDP).
The client initiates a TFTP transfer. To download files, the client sends a read request packet to
the TFTP server, receives packets from the server, and returns an acknowledgement to the server.
To upload files, the client sends a write request packet to the TFTP server, sends packets to the
server, and receives an acknowledgement from the server.
TFTP uses two formats for file transfer:
l
Binary format: transfers program files.
ASCII format: transfers text files.
The ATN can only serve as a TFTP client and can only transfer files in binary format.
SSH Method
Logging in to a remote device using SSH (including STelnet, SFTP) provides secure
communications between the remote device and the ATN to which you are logged in.
SSH Overview
When users on an insecure network use Telnet to log in to the ATN, the Secure Shell (SSH)
feature provides authentication and keeps data secure. SSH defends the ATN from IP address
spoofing and other such attacks, and protects the ATN against the interception of plain text
passwords.
The SSH client function enables users to establish SSH connections with ATNs that serve as
SSH servers or with UNIX hosts.
SSH Client Function

The ATN supports the STelnet client function and SFTP client function.
l
STelnet client (Secure Telnet)

Telnet does not provide secure authentication and TCP transmits data in plain text, which
creates security vulnerabilities. Denial of service (DOS) attacks, host IP address spoofing,
Issue 02 (2013-12-31)

156

Equipment
and route spoofing also threaten system security. Therefore, Telnet services are vulnerable
to network attacks.
SSH implements secure remote access on insecure networks and has the following
advantages compared with Telnet:
SSH supports Remote Subscriber Access (RSA) authentication and Digital Signature
Algorithm authentication (DSA) and Elliptic Curves Cryptography authentication
(ECC). SSH uses RSA authentication or DSA authentication or ECC authentication to
generate and exchange public and private keys compliant with an asymmetric
encryption system that protects session security.
SSH supports Data Encryption Standard (DES), 3DES, RC4 , and Advanced Encryption
Standard (AES) authentications.
SSH usernames and passwords are encrypted in the communication between an SSH
client and server, which prevents password interception.
SSH encrypts transmitted data.
If the STelnet server or the connection between the server and a client is faulty, the client
must detect the fault and release the connection. A fault detection function must be
configured on the client to accomplish this. The client sends keepalive packets to the server
at configured time intervals. If a configured number of keepalive packets receives no reply
from the server, the client determines that there is a fault and releases the connection.
l
SFTP client
SFTP is short for Secure FTP. You can log in to a device from a secure remote end to
manage files, which improves data transmission security when the remote system is
updated. The client function enables you to use SFTP to log in to the remote device for
secure file transmission.
If the SFTP server or the connection between the server and a client is faulty, the client
must detect the fault and release the connection. A fault detection function must be
configured on the client to accomplish this. The client sends keepalive packets to the server
at configured time intervals. If a configured number of keepalive packets receives no reply
from the server, the client determines that there is a fault and releases the connection.
1.8.2 Using Telnet to Log In to Other Devices

On most networks, multiple ATNs need to be managed and maintained, but it may be impossible
to connect some of these ATNs to a PC terminal. In other cases, there may be no reachable route
between a router and a PC terminal. You can log in to a local ATN and then use Telnet to log
in to remote ATNs to complete management and maintenance tasks.
The Telnet protocol poses a security risk, and therefore the STelnet protocol is recommended.
Before You Start

Before configuring logins to another device from the device to which you are logged in,
familiarize yourself with the applicable environment, complete the pre-configuration tasks, and
obtain any data required for the configuration. This will help you complete the configuration
task quickly and correctly.
Issue 02 (2013-12-31)

157

Equipment
Figure 1-33 Networking diagram for accessing another device to which you are logged in
As shown in Figure 1-33, you can use Telnet to log in to ATN A from a PC. You cannot,
however, manage ATN B remotely, because there is no reachable route between the PC and
ATN B. To manage ATN B remotely, you must use Telnet and log in from ATN A.
In this situation, ATN A functions as a Telnet client and ATN B functions as a server.
Before using Telnet to log in to another device on the network, complete the following tasks:
l
Log in to devices using Telnet.
Configure a reachable route between the client and Telnet server
Data Preparation
To use Telnet to log in to another device, you need the following data:
No.
Data
IP address or host name of ATNB
Number of the TCP port ATNB uses to provide Telnet services
(Optional) Configuring a Source IP Address for a Telnet Client

You can configure a source IP address for a Telnet client and then use this address to set up a
Telnet connection from the client to the server along a specific route.
Context
An IP address is configured for an interface on the ATN and functions as the source IP address
of a Telnet connection. This configuration enables security checks.
The source of a client can be a source interface or a source IP address.
Do as follows on a ATN that functions as a Telnet client.
Issue 02 (2013-12-31)

158

Equipment
Procedure
Step 1 Run:
system-view

Step 2 Run:
telnet client-source { -a source-ip-address | -i interface-type interface-number }
A source IP address of a Telnet client is configured.

After the configuration, the source IP address of the Telnet client displayed on the Telnet server
must be the same as the configured IP address.
----End
Using Telnet to Log In to Another Device

You can use Telnet to log in to and manage another ATN.
Context
Telnet provides an interactive CLI for users to log in to a remote server. Users can first use Telnet
to log in to a host, and then remotely use Telnet again to log in to a remote host. This host can
then be remotely configured and managed. Not all hosts need to be connected directly to a
hardware terminal.
Do as follows on the ATN that serves as a Telnet client:
Procedure
l
Select and perform one of the following steps for IPv4 or IPv6.
Run:
telnet [ vpn-instance vpn-instance-name ] [ -a source-ip-address | -i
interface-type interface-number ] host-name [ port-number ]
Log in to the ATN and manage other ATNs.

Run:
telnet ipv6 [ -a source-ip-address ] [ vpn6-instance vpn6-instance-name ]
host-name [ -oi interface-type interface-number ] [ port-number ]
Log in to the ATN and manage other ATNs.

----End

When you use a ATN to log in to another ATN, you can check information about the established
TCP connection.
Prerequisites
All configurations for logging in to another device are complete.
Issue 02 (2013-12-31)

159

Equipment
Procedure
l
Run the display tcp status command to check the status of all TCP connections.
----End
Example
Run the display tcp status command to view the status of TCP connections. The Established
status indicates that a TCP connection has been established.
<HUAWEI> display tcp status
TCPCB
Tid/Soid
Local Add:port
39952df8
36 /1509
0.0.0.0:0
Closed
32af9074
59 /1
0.0.0.0:21
Listening
34042c80
73 /17
10.164.39.99:23
Established
Foreign Add:port
0.0.0.0:0
VPNID
0
0.0.0.0:0
14849
10.164.6.13:1147
State
1.8.3 Using STelnet to Log In to Another Device

STelnet provides secure Telnet services. You can use STelnet to log in to another ATN and
manage the device remotely.
Before You Start

Before you use STelnet to configure login to another device, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain any date required for
the configuration. This will help you complete the configuration task quickly and correctly.
Telnet logins are insecure because no secure authentication mechanism is available and data is
transmitted over TCP connections in plain text mode.
STelnet is a secure Telnet protocol. STelnet is based on SSH. SSH users can use STelnet services
in place of ordinary Telnet services.
In this configuration, the device to which you have logged in functions as a Telnet client, and
the device to which you want to log in functions as an SSH server.
Before you use STelnet to log in to another device, complete the following tasks:
l
Use STelnet to log in to devices.
Configure a reachable route between the client and SSH server.
Data Preparation
To use STelnet to log in to another device, you need the following data.
Issue 02 (2013-12-31)

160

Equipment
No.
Data
Name of the SSH server and public key that is assigned by the client to the SSH server
IPv4 or IPv6 address or host name of the SSH server, number of the port monitored
by the SSH server, preferred encryption algorithm for data from the SFTP client to
the SSH server, preferred encryption algorithm for data from the SSH server to the
SFTP client, preferred Hashed message authentication code (HMAC) algorithm for
data from the SFTP client to the SSH server, preferred HMAC algorithm for data from
the SSH server to the SFTP client, preferred algorithm of key exchange, and
user information for logging in to the SSH server
Enabling First-Time Authentication on the SSH Client

After first-time authentication on the SSH client is enabled, the STelnet client does not check
the validity of the Revest-Shamir-Adleman Algorithm (RSA) orDigital Signature Algorithm
(DSA) public key when it logs in to the SSH server for the first time.
Context
If first-time authentication on the SSH client is enabled, the STelnet client does not check the
validity of the RSA or DSA public key when it logs in to the SSH server for the first time. After
the login, the system automatically allocates the RSA or DSA public key and saves it for
authentication at the next login.
Do as follows on the ATN that serves as an SSH client:
Procedure
Step 1 Run:
system-view

Step 2 Run:
ssh client first-time enable
First-time authentication on the SSH client is enabled.

By default, first-time authentication on the SSH client is disabled.
NOTE
l The purpose of enabling first-time authentication on the SSH client is to skip checking the validity of
the RSA or DSA public key on the SSH server when an STelnet client logs in to the SSH server for
the first time. The check is skipped because the STelnet server has not saved the RSA or DSA public
key of the SSH server.
l If an STelnet client logs in to the SSH server for the first time and first-time authentication is not enabled
on the SSH client, the STelnet client fails to pass the RSA or DSA public key validity check and cannot
log in to the server.
Issue 02 (2013-12-31)

161

Equipment
NOTE
To ensure that an STelnet client can log in to an SSH server on the first attempt, you can assign an RSA
or DSA public key to the SSH server on the SSH client in advance. You can also enable first-time
authentication on the SSH client.
----End
Allocating a Public Key to the SSH Server

To configure the first successful login to another device on an SSH client, you must allocate an
Revest-Shamir-Adleman Algorithm (RSA) or Digital Signature Algorithm (DSA) or Elliptic
Curves Cryptography (ECC) public key to the SSH server before login.
Context
If first-time authentication is not enabled on the SSH client, when the STelnet client logs in to
the SSH server for the first time, the STelnet client fails to pass the RSA or DSA or ECC public
key validity check and cannot log in to the server. You must allocate an RSA or DSA or ECC
public key to the SSH server before the STelnet client logs in to the SSH server.
Procedure
Step 1 Run:
system-view

Step 2 Run:
rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ] or dsa peerpublic-key key-name encoding-type { der | openssh | pem } or ecc peer-public-key
key-name encoding-type { der | openssh | pem }
An encoding format is configured for a public key, and the public key view is displayed.
Step 3 Run:
public-key-code begin
The public key editing view is displayed.

Step 4 Run:
hex-data
The public key is edited.

The public key is a string of hexadecimal alphanumeric characters an SSH client generates.
NOTE
l The RSA or DSA or ECC public key assigned to the SSH server must be generated on the server.
Otherwise, the validity check for the RSA or DSA or ECC public key on the STelnet client will fail.
l After entering the public key edit view, paste the RSA or DSA or ECC public key generated on the
server to the ATN that functions as the client.
Step 5 Run:
public-key-code end
Issue 02 (2013-12-31)

162

Equipment
Quit the public key editing view.

l If the specified hex-data is invalid, the public key cannot be generated after you run the peerpublic-key end command.
l If the specified key-name is deleted in other views, the system determines that the key does
not exist after you run the peer-public-key end command, and the system view is displayed.
Step 6 Run:
peer-public-key end
Return to the system view from the public key view.

Step 7 Run:
ssh client servername assign { rsa-key | dsa-key | ecc-key } keyname
The RSA or DSA or ECC public key is assigned to the SSH server
NOTE
If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername
assign { rsa-key | dsa-key | ecc-key } command to cancel the association between the SSH client and the
SSH server. Then, run the ssh client servername assign { rsa-key | dsa-key | ecc-key } keyname command
to allocate a new RSA or DSA or ECC public key to the SSH server.
----End
Using STelnet to Log In to Another Device

You can use STelnet to log in to an SSH server from an SSH client.
Context
When accessing an SSH server, an STelnet client can carry the source address and the VPN
instance name; choose the key exchange algorithm, encryption algorithm, or Hashed message
authentication code (HMAC) algorithm; and configure the keepalive function.
Procedure
Step 1 Run:
system-view

Step 2 According to the address type of the SSH server, select and run one of the following two
commands.
For IPv4 addresses,
Run the stelnet [ -a source-address ] host-ipv4 [ port ] [ [ -vpn-instance vpn-instance-name ] |
[ prefer_kex { dh_group1 | dh_exchange_group | dh-exchange-group-sha256 | ecdh-sha2nistp256 | ecdh-sha2-nistp384 | ecdh-sha2-nistp521 } ] | [ identity-key { rsa | dsa | ecc } ] |
[ prefer_ctos_cipher { des | 3des | aes128 | aes256 | arcfour128 | arcfour256 } ] |
[ prefer_stoc_cipher { des | 3des | aes128 | aes256 | arcfour128 | arcfour256 } ] |
[ prefer_ctos_hmac { sha1 | sha1_96 | sha2_256 | sha2_256_96 | md5 | md5_96 } ] |
[ prefer_stoc_hmac { sha1 | sha1_96 | sha2_256 | sha2_256_96 | md5 | md5_96 } ] | [ -ki
Issue 02 (2013-12-31)

163

Equipment
aliveinterval ] | [ -kc alivecountmax ] ] * command. You can log in to the SSH server through
STelnet.
For IPv6 addresses,
Run the stelnet ipv6 [ -a source-address ] host-ipv6 [ -i interface-type interface-number ]
[ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des |
3des | aes128 | aes256 } ] | [ prefer_stoc_cipher { des | 3des | aes128 | aes256 } ] |
[ prefer_ctos_hmac { sha1 | sha1_96 | sha2_256 | sha2_256_96 | md5 | md5_96 } ] |
[ prefer_stoc_hmac { sha1 | sha1_96 | sha2_256 | sha2_256_96 | md5 | md5_96 } ] ] * [ -ki
aliveinterval [ -kc alivecountmax ] ] command. You can log in to the SSH server through STelnet.
----End

After configuring login to another device using STelnet, you can check the mappings between
all SSH servers of the STelnet client and the Revest-Shamir-Adleman Algorithm (RSA) or
Digital Signature Algorithm (DSA) public keys on the client. You can also check the global
configurations of the SSH servers, and information about sessions between the SSH servers and
the STelnet client.
Prerequisites
The configurations for logging in to another device by using STelnet are complete.
Procedure
l
Run the display ssh server-info command to check the mappings between all SSH servers
of the SSH client and the RSA or DSA public keys on the client.
----End
Example
Run the display ssh server-info to view the mappings between all servers of the SSH client and
the RSA or DSA public keys on the SSH client.
<HUAWEI> display ssh server-info
Server Name(IP)
Server Public Key Type Server public key name
______________________________________________________________________________
10.137.128.216
RSA
10.137.128.217
RSA
10.137.128.217
DSA
sdfasdfasdfasdfasdfasdfadfasdf
127.0.0.1
RSA
127.0.0.1
DSA
1fff:00ffff:00ffff:0ffff:ffff:ffff:ffff:fff1
RSA
0ffff:ffff:
1fff:00ffff:ffff:00ffff:000ffff:ffff:ffff:fff1
RSA
000fff
1fff:ffff:ffff:00ffff:000ffff:ffff:ffff:fff1
RSA
000ffff:
1fff:ffff:ffff:ffff:ffff:ffff:00ffff:00000fff1
RSA
Issue 02 (2013-12-31)

10.137.128.216
10.137.128.217
127.0.0.1
10.137.128.217
1fff:00ffff:00ffff:
1fff:00ffff:ffff:00ffff:
1fff:ffff:ffff:00ffff:
164

Equipment
1fff:ffff:ffff:ffff:ffff:ffff:
8.1.1.2
RSA
8.1.1.2
1.8.4 Using TFTP to Access Files on Another Device

You can configure the ATN as a TFTP client and log in to the TFTP server to upload and
download files.
Before You Start

Before configuring access to another device using TFTP, familiarize yourself with the applicable
You can use TFTP to in a simple interaction environment to transfer files between a server and
a client.
The current ATN functions as a TFTP client, and the ATN to be accessed functions as a TFTP
server.
Before configuring access to another device using TFTP, configure a reachable route between
the client and the TFTP server.
Data Preparation
To access another device using TFTP, you need the following data.
No.
Data
(Optional) Source address or source interface of the ATN that functions as a TFTP
client
IP address or host name of the TFTP server
Name of the specific file in the TFTP server and the file directory
(Optional) Configuring a Source IP Address for a TFTP Client

You can configure a source IP address for a TFTP client and then use the source IP address to
set up a TFTP connection from the TFTP client to the server along a specific route.
Context
An IP address is configured for an interface on the ATN. This IP address functions as the source
IP address of a TFTP connection, which enables security checks to be implemented.
The source address of a client can be configured as a source interface or a source IP address.
Issue 02 (2013-12-31)

165

Equipment
Do as follows on a ATN that functions as a TFTP client:
Procedure
Step 1 Run:
system-view

Step 2 Run:
tftp client-source { -a source-ip-address | -i interface-type interface-number }
A source IP address of a TFTP client is configured.

After the configuration, the source IP address of the TFTP client displayed on the TFTP server
must be the same as the configured one.
----End
(Optional) Configuring TFTP Access Authority

This section describes how to use an ACL rule to specify which TFTP servers can be accessed
by using TFTP from the ATN to which you are logged in.
Context
When the ATNfunctions as an TFTP server, you can configure an ACL to allow the clients that
meet matching rules to access the TFTP server.
Perform the following steps on the ATN that serves as the TFTP client:
Procedure
Step 1 Run:
system-view

Step 2 Run:
acl { [ number ] acl-number1 | name acl-name [ basic ] [ number acl-number2 ] }
[ match-order { auto | config } ] or acl ipv6 { [ number ] acl6-number1 | name aclname [ number acl-number2 ] } [ match-order { auto | config } ]
The ACL or ACL6 view is displayed.

TFTP supports only the basic ACL (2000 to 2999).
Step 3 Run:
vpn-instance-name ] * or rule [ rule-id ] { deny | permit } [ fragment | source
{ source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } |
time-range time-name | vpn-instance vpn-instance-name ] *
The basic ACL or ACL6 rule is configured.

Issue 02 (2013-12-31)

166

Equipment
NOTE
l If the ACL referenced by TFTP does not contain any rules or does not exist, any user can log in to the
device.
Step 4 Run:
quit

Step 5 Run:
tftp-server acl acl-number
The ACL can be used to limit access to the TFTP server.

Step 6 According to the address type of the TFTP server, select and run one of the following two
commands.
l For IPv4 addresses,
Run the tftp-server acl acl-number command. You can use the ACL to limit the access to
the TFTP server.
Run the tftp-server ipv6 acl acl6-number command. You can use the ACL to limit the access
to the TFTP server.
----End
Using TFTP to Download Files

You can download files from a TFTP server to a TFTP client.
Context
Do as follows on the ATN that serves as the TFTP client:
Procedure
l
Run the following commands according to the server IP address type.

If the IP address of the server is an IPv4 address, run:
tftp [ -a source-ip-address | -i interface-type interface-number ] tftpserver [ public-net | vpn-instance vpn-instance-name ] get source-filename
[ destination-filename ]
The ATN is configured to download files through TFTP.

Issue 02 (2013-12-31)

167

Equipment

tftp ipv6 [ -a source-ip-address ] tftp-server-ipv6 [ interface-type
interface-number ] get source-filename [ destination-filename ]
The ATN is configured to download files using TFTP.

----End
Using TFTP to Upload Files

You can upload files from a TFTP client to a TFTP server.
Context
Do as follows on the ATN that serves as the TFTP client:
Procedure
l

tftp [ -a source-ip-address | -i interface-type interface-number ] tftpserver [ public-net | vpn-instance vpn-instance-name ] put source-filename
The ATN is configured to upload files using TFTP.

l
Run the following commands according to the server IP address type.

tftp [ -a source-ip-address | -i interface-type interface-number ] tftpserver [ public-net | vpn-instance vpn-instance-name ] put source-filename

tftp ipv6 [ -a source-ip-address ] tftp-server-ipv6 [ -oi interface-type
interface-number ] put source-filename [ destination-filename ]

----End

When a device is configured as a TFTP client, you can check the source address of the client
and the configured ACL rule.
Prerequisites
Configurations for using the device as a TFTP client are complete.
Procedure
l
Run the display tftp-client command to check the device address that is set as the source
address of the TFTP client.
Run the display acl { name acl-name | acl-number | all } command to check the ACL rule
that is configured on the TFTP client.
----End
Issue 02 (2013-12-31)

168

Equipment
Example
Run the display tftp-client command to view the source address of the TFTP client.
<HUAWEI> display tftp-client
The source address of TFTP client is 1.1.1.1.
Run the display acl{ name acl-name | acl-number | all } to view the ACL rule that is configured
on the TFTP client.
<HUAWEI> display acl 2001
Basic acl 2001, 2 rules,
Acl's step is 5
rule 5 permit
rule 10 permit source 1.1.1.1 0
1.8.5 Using FTP to Access Files on Another Device

This section describes how to configure a ATN as an FTP client to log in to an FTP server and
how to upload files to or download files from this server.
Context
The FTP protocol poses a security risk, and therefore the SFTP protocol is recommended.
Before You Start

Before configuring the use of FTP to access files on another device, familiarize yourself with
the applicable environment, complete the pre-configuration tasks, and obtain any data required
for the configuration. This will help you complete the configuration task quickly and correctly.
Before transmitting files between a client and a remote FTP server or managing directories on
the server, you can configure the ATN to which you have logged in as an FTP client. You can
then use FTP to access the FTP server for file transmission or directory management.
Before configuring the use of FTP to access files on another device, configure a reachable route
between the ATN and the FTP server.
Data Preparation
To configure the use of FTP to access files on another device, you need the following data:
Issue 02 (2013-12-31)
No.
Data
(Optional) Source IP address or source interface of the ATN that functions as an FTP
client
Host name or IP address of the FTP server, port number of the connecting FTP, login
username, and password
169

Equipment
No.
Data
Local file names and file names on the remote FTP server, name of the working
directory on the remote FTP server, name of the working directory on the local FTP
client, or directory name of the remote FTP server
(Optional) Configuring the Source IP Address and Interface of the FTP Client
This section describes how to configure the source IP address and interface of an FTP client to
connect to an FTP server.
Prerequisites
An IP address is configured for an interface on the ATN and functions as the source IP address
for an FTP connection. This allows implementation of security checks.
The source of a client can be a source interface or a source IP address.
Configuring a source interface as the source for a client is possible only if the system has a
loopback interface.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ftp client-source { -a source-ip-address | -i interface-type interface-number }
The source address of the FTP client is configured.

After the source address of the FTP client is configured, you can run the display ftp-users
command on the FTP server to check that the displayed source address of the FTP client is the
same as the configured one.
----End
Connecting to Other Devices Using FTP Commands

You can run FTP commands to log in to other devices from the ATN that functions as the FTP
client.
Context
You can log in to the FTP server in the user view or the FTP view.
Do as follows on the ATN that serves as the client:
Issue 02 (2013-12-31)

170

Equipment
Procedure
Step 1 Run the following commands according to types of the server IP address.
l If the IP address of the server is an IPv4 address, do as follows:
In the user view, establish a connection to the FTP server.
Run:
ftp [ -a source-ip-address | -i interface-type interface-number ] host [ portnumber ] [ public-net | vpn-instance vpn-instance-name ]
The ATN is connected to the FTP server.

In the FTP view, establish a connection to the FTP server.
1.
In the user view,Run:

ftp
The FTP view is displayed.

2.
Run:
open [-a source-ip-address | -i interface-type interface-number ] host
[ port-number ] [ vpn-instance vpn-instance-name ]

NOTE
Before logging in to the FTP server, you can run the set net-manager vpn-instance
command to configure a default VPN instance. After a default VPN instance is configured,
it will be used for FTP operations.
l If the IP address of the server is an IPv6 address, do as follows:

In the user view, establish a connection to the FTP server.
Run:
ftp ipv6 host [ port-number ]

In the FTP view, establish a connection to the FTP server.
1.
In the user view,Run:

ftp
The FTP view is displayed.

2.
Run:
open ipv6 host-ipv6-address [ port-number ]

----End
Using FTP Commands to Manage Files

After you log in to an FTP server, you can use FTP commands to manage files. File operations
include configuring a file transmission method, checking online help about FTP commands,
uploading or downloading files, and managing directories and files.
Context
After logging in to an FTP server, you can perform the following operations:
Issue 02 (2013-12-31)

171

Equipment
Configure a data type for transmission files and a file transmission method.
Check the online help about FTP commands in the FTP client view.
Upload local files to the remote FTP server, or download files from the FTP server and
save them locally.
Create directories on or delete directories from the FTP server.
Display information about a specified remote directory or a file of the FTP server, or delete
a specified file from the FTP server.
After you log in to the ATN that functions as a client and enter the FTP client view, you can
perform the following steps:
Procedure
l
Configure the data type and transmission mode for the file.
Run:
ascii | binary
The data type of the file to be transmitted is ascii or binary mode.

NOTE
FTP supports both ASCII and binary files. Their differences are as follows:
l In ASCII transmission mode, ASCII characters are used to separate the carriage returned
from line feeds.
l In binary transmission mode, characters can be transferred without format conversion or
formatting.
Clients can select an FTP transmission mode as required. The system defaults to the ASCII
transmission mode. The client can use a mode switch command to switch between the ASCII
mode and the binary mode. The ASCII mode is used to transmit .txt files and the binary mode is
used to transmit binary files.
Run:
passive
The passive file transfer mode is configured.

Run:
verbose
The verbose mode for FTP is enabled.

When the verbose mode is enabled, all FTP responses are displayed. Then, file
transmission efficiency statistics will be displayed.
l
View online help for FTP commands.

remotehelp [ command ]
The online help of the FTP commands is displayed.

l
Upload or download files.

Upload or download a file.
Run:
The local file is uploaded to the remote FTP server.

Run:
Issue 02 (2013-12-31)

172

Equipment
The FTP file is downloaded from the FTP server and saved to the local file.
l
Run one or more of the the following commands to manage directories.

Run:
cd pathname
The working path of the remote FTP server is specified.

Run:
cdup
The working path of the FTP server is switched to the upper-level directory.
Run:
pwd
The specified directory of the FTP server is displayed.

Run:
lcd [ local-directory ]
The directory of the FTP client is displayed or changed.

Run:
A directory is created on the FTP server.

Run:
A directory is removed from the FTP server.

NOTE
l A directory name can use letters and digits, but not special characters such as <, >, ?, \ and :.
l When you run the mkdir /abc command, you create a sub-directory named "abc".
Run one or more of the the following commands to manage files.

Run:
ls [ remote-filename ] [ local-filename ]
The specified directory or file on the remote FTP server is displayed.

If local-filename is configured, the remote file can be saved in another local file.
Run:
dir [ remote-filename ] [ local-filename ]
The specified directory or file on the local FTP server is displayed.

If local-filename is configured, the remote file can be saved in another local file.
Run:
delete remote-filename
The specified file on the FTP server is deleted.

----End
Issue 02 (2013-12-31)

173

Equipment
Changing Login Users

After you log in to an FTP server, you can change the username on the client and re-log in to
the server with the new username.
Context
If you are logged in to the ATN that functions as an FTP client, you can switch to a different
username and log in to the FTP server without logging out of the FTP client view. The FTP
connection established in this way is identical to that established by running the ftp command.
Perform the following steps on the ATN that functions as a client:
Procedure
l
Run:
user user-name [ password ]
The user that previously logged in to the FTP server is changed and the new user logs in
to the server.
When the username used to log in to the FTP server is changed, the original connection
between the user and the FTP server is interrupted.
----End
Disconnecting from the FTP Server

You can terminate a connection with an FTP server and return to the user view or FTP view.
Context
Various commands can be used from the FTP client view to terminate a connection with an FTP
server.
Do as follows on the ATN that serves as the client.
Procedure
l
Run one of the following commands depending on your system configurations.

Run:
bye
Or
quit
The client ATN is disconnected from the FTP server.

Return to the user view.
Run:
close
Or
disconnect
The client ATN is disconnected from the FTP server.

Issue 02 (2013-12-31)

174

Equipment
Return to the FTP view.

----End

After the configurations for accessing other devices using FTP are complete, you can view the
source parameters configured on the FTP client.
Prerequisites
The configurations for accessing other devices using FTP are complete.
Procedure
l
Run the display ftp-client command to view the source parameters of the FTP client.
----End
Example
Run the display ftp-client command to view the source parameters of the FTP client.
<HUAWEI> display ftp-client
The source address of FTP client is 1.1.1.1.
1.8.6 Using SFTP to Access Files on Another Device

SFTP is a secure FTP service. After the ATN is configured as an SFTP client, the SFTP server
authenticates the client and encrypts data in both directions to provide secure data transmission.
Before You Start

Before you configure the use of SFTP to access files on another device, familiarize yourself with
the applicable environment, complete the pre-configuration tasks, and obtain any data required
for the configuration. This will help you complete the configuration task quickly and correctly.
SFTP is a secure FTP protocol that is based on SSH. SFTP allows users to log in to a remote
device and transmit or manage files securely. You can log in to a remote SSH server from the
ATN that functions as an SFTP client.
Before configuring the use of SFTP to access files on another device, configure a reachable route
between the client and SSH server.
Data Preparation
To use SFTP to access files on another device, you need the following data:
Issue 02 (2013-12-31)

175

Equipment
No.
Data
(Optional) Source address of the device that functions as the SFTP client
(Optional) Name of the SSH server
(Optional) Public key assigned by the client to the SSH server
IPv4 or IPv6 address or host name of the SSH server
Number of the port monitored by the SSH server, preferred encryption algorithm for
data from the SFTP client to the SSH server, preferred encryption algorithm for data
from the SSH server to the SFTP client, preferred HMAC algorithm for data from the
SFTP client to the SSH server, preferred HMAC algorithm for data from the SSH
server to the SFTP client, preferred algorithm for key exchange, name of the outgoing
interface, source address, and user information for logging in to the SSH server
Name and directory of a specified file on the SSH server
(Optional) Configuring a Source IP Address for an SFTP Client

You can configure a source IP address for an SFTP client and then use this source address to set
up an SFTP connection from the client to server along a specific route.
Context
An IP address is configured for an interface on the ATN. This IP address functions as the source
IP address of an FTP connection, which enables security checks to be implemented.
The source address of a client can be configured as a source interface or a source IP address.
Do as follows on a ATN that functions as an SFTP client.
Procedure
Step 1 Run:
system-view

Step 2 Run:
sftp client-source { -a source-ip-address | -i interface-type interface-number }
A source IP address is configured for an SFTP client.

----End
Enabling the First-Time Authentication on the SSH Client

After first-time authentication on the SSH client is enabled, the SFTP client does not check the
validity of the RSA or DSA public key when it logs in to the SSH server for the first time.
Issue 02 (2013-12-31)

176

Equipment
Context
If first-time authentication on the SSH client is enabled, the SFTP client does not check the
validity of the RSA or DSA public key when it logs in to the SSH server for the first time. After
the login, the system automatically allocates the RSA or DSA public key and saves it for
authentication at the next login.
Procedure
Step 1 Run:
system-view

Step 2 Run:
First-time authentication on the SSH client is enabled.

By default, first-time authentication on the SSH client is disabled.
NOTE
l The purpose of enabling first-time authentication on the SSH client is to skip checking the validity of
the RSA or DSA public key on the SSH server when an STelnet client logs in to the SSH server for
the first time. The check is skipped because the STelnet server has not saved the RSA or DSA public
key of the SSH server.
l If an STelnet client logs in to the SSH server for the first time and first-time authentication is not enabled
on the SSH client, the STelnet client fails to pass the RSA or DSA public key validity check and cannot
log in to the server.
NOTE
To ensure that an STelnet client can log in to an SSH server on the first attempt, you can assign an RSA
or DSA public key to the SSH server on the SSH client in advance. You can also enable first-time
authentication on the SSH client.
----End
Allocating a Public Key to the SSH Server

To configure the first successful login to another device on an SSH client, allocate an RSA or
DSA or ECC public key on the SSH server before you log in.
Context
If first-time authentication is not enabled on an SSH client, when the SFTP client logs in to an
SSH server for the first time, the SFTP client fails to pass the RSA or DSA or ECC public key
validity check and cannot log in to the server.
Do as follows on the ATN that functions as an SSH client:
Procedure
Step 1 Run:
Issue 02 (2013-12-31)

177

Equipment
system-view

Step 2 Run:
rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ] or dsa peerpublic-key key-name encoding-type { der | openssh | pem } or ecc peer-public-key
key-name encoding-type { der | openssh | pem }
An encoding format is configured for a public key, and the public key view is displayed.
Step 3 Run:
The public key editing view is displayed.

Step 4 Run:
hex-data
The public key is edited.

The public key is a string of hexadecimal alphanumeric characters an SSH client generates.
NOTE
l The RSA or DSA or ECC public key assigned to the SSH server must be generated on the server.
Otherwise, the validity check for the RSA or DSA or ECC public key on the STelnet client will fail.
l After entering the public key edit view, paste the RSA or DSA or ECC public key generated on the
server to the ATN that functions as the client.
Step 5 Run:
public-key-code end
Quit the public key editing view.

l If the specified hex-data is invalid, the public key cannot be generated after you run the peerpublic-key end command.
l If the specified key-name is deleted in other views, the system determines that the key does
not exist after you run the peer-public-key end command, and the system view is displayed.
Step 6 Run:
peer-public-key end
Return to the system view from the public key view.

Step 7 Run:
ssh client servername assign { rsa-key | dsa-key | ecc-key } keyname
The RSA or DSA or ECC public key is assigned to the SSH server
NOTE
If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername
assign { rsa-key | dsa-key | ecc-key } command to cancel the association between the SSH client and the
SSH server. Then, run the ssh client servername assign { rsa-key | dsa-key | ecc-key } keyname command
to allocate a new RSA or DSA or ECC public key to the SSH server.
----End
Issue 02 (2013-12-31)

178

Equipment
Using SFTP to Connect to Other Devices

You can use SFTP to log in to an SSH server from an SSH client.
Context
The command for enabling an SFTP client is similar to that of STelnet. When accessing an SSH
server, SFTP can carry the source address and name of the VPN instance and choose the key
exchange algorithm, encryption algorithm, and HMAC algorithm, and configure the keepalive
function.
Procedure
Step 1 Run:
system-view

Step 2 According to the address type of the SSH server, select and perform one of the following
configurations.
Run:
sftp [ -a source-address | -i interface-type interface-number ] host-ipv4
[ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex
{ dh_group1 | dh_exchange_group | dh-exchange-group-sha256 | ecdh-sha2-nistp256
| ecdh-sha2-nistp384 | ecdh-sha2-nistp521 } ] | [ prefer_ctos_cipher { des |
3des | aes128 | aes256 | arcfour128 | arcfour256 } ] | [ prefer_stoc_cipher
{ des | 3des | aes128 | aes256 | arcfour128 | arcfour256 } ] |
[ prefer_ctos_hmac { sha1 | sha1_96 | sha2_256 | sha2_256_96 | md5 | md5_96 } ]
| [ prefer_stoc_hmac { sha1 | sha1_96 | sha2_256 | sha2_256_96 | md5 | md5_96 } ]
| [ -ki aliveinterval ] | [ -kc alivecountmax ] | [ identity-key { dsa | rsa |
ecc } ] ] *
You can log in to the SSH server through SFTP.

Run:
sftp ipv6 [[ -a source-address | -oi interface-type interface-number ] |
[ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des |
3des | aes128 | aes256 } ] | [ prefer_stoc_cipher { des | 3des | aes128 |
aes256 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | sha2_256 | sha2_256_96 | md5
| md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | sha2_256 | sha2_256_96 |
md5 | md5_96 } ] | [ -ki aliveinterval] |[ -kc alivecountmax ] | [ identity-key
{ dsa | rsa } ] ]* host-ipv6 [ port ]
----End
Using SFTP Commands to Manage Files

You can use an SFTP client to manage directories and files on the SSH server, and check the
command help on the SFTP client.
Issue 02 (2013-12-31)

179

Equipment
Context
After you log in to an SSH server from an SFTP client, you can use the SFTP client to perform
the following operations:
l
Create or delete directories on the SSH server, display the current working directory, or
display the specified directory and information about the file in the specified directory.
Change file names, delete files, display a file list, and upload or download files.
Display the SFTP client command help.
After you log in to the ATN that functions as an SSH client and enter the SFTP client view, you
can perform the following steps:
Procedure
l
Manage directories.
Perform the following steps as required:
Run:
cd [ remote-directory ]
The current operating directory of the users is changed.

Run:
cdup
The view is switched to a directory one level up.

Run:
pwd
The current operating directory of the users is displayed.

Run:
dir / ls [ remote-directory ]
A list of files in the specified directory is displayed.

Run:
rmdir delete-remote-directory & <1-10>
The directory on the server is deleted.

Run:
A directory is created on the server.

l
Manage files.
Perform the following steps as required:
Run:
rename old-name new-name
The name of the specified file on the server is changed.

Run:
get remote-filename [local-filename]
The file on the remote server is downloaded.

Run:
Issue 02 (2013-12-31)

180

Equipment
put local-filename [remote-filename]
The local file is uploaded to the remote server.

Run:
remove remote-filename
The file on the server is removed.

l
Display the SFTP client command help.

Run:
help [all | command-name ]
The SFTP client command help is displayed.

----End

After using SFTP to log in to another device, you can view the source address of the SSH client,
mappings between all SSH servers and the RSA, DSA public keys on the client, global
configurations of the SSH servers, and sessions between the SSH servers and the client.
Prerequisites
The configuration for using SFTP to access files on another device is complete.
Procedure
l
Run the display sftp-client command to check the source IP address of the SFTP client on
the SSH client.
Run the display ssh server-info command to check the mapping between the SSH server
and the RSA or DSA public key on the SSH client.
----End
Example
Run the display sftp-client command on the client to view the source parameters of the device
that functions as an SFTP client.
<HUAWEI> display sftp-client
The source address of SFTP client is 1.1.1.1
Run the display ssh server-info command to view the mappings between all servers and the
RSA or DSA public keys on the SSH client.
<HUAWEI> display ssh server-info
Server Name(IP)
Server Public Key Type Server public key name
______________________________________________________________________________
10.137.128.216
RSA
10.137.128.217
RSA
10.137.128.217
DSA
sdfasdfasdfasdfasdfasdfadfasdf
127.0.0.1
RSA
127.0.0.1
DSA
1fff:00ffff:00ffff:0ffff:ffff:ffff:ffff:fff1
RSA
0ffff:ffff:
Issue 02 (2013-12-31)

10.137.128.216
10.137.128.217
127.0.0.1
10.137.128.217
1fff:00ffff:00ffff:
181

Equipment
1fff:00ffff:ffff:00ffff:000ffff:ffff:ffff:fff1
RSA
000fff
1fff:ffff:ffff:00ffff:000ffff:ffff:ffff:fff1
RSA
000ffff:
1fff:ffff:ffff:ffff:ffff:ffff:00ffff:00000fff1
RSA
1fff:ffff:ffff:ffff:ffff:ffff:
8.1.1.2
RSA
1fff:00ffff:ffff:00ffff:
1fff:ffff:ffff:00ffff:
8.1.1.2

This section provides examples for accessing another device. These examples explain the
networking requirements, configuration notes, and configuration roadmap.
Example for Using Telnet to Log In to Another Device

This section provides an example for using Telnet to log in to another device. In this example,
the authentication mode and password are configured for users to log in through Telnet.
As shown in Figure 1-34, users can Telnet ATN A but cannot Telnet ATN B. The route between
ATN A and ATN B is reachable. In this case, users can Telnet ATN B from ATN A to remotely
configure and manage ATN B.
Figure 1-34 Networking diagram for using Telnet to log in to another device
Session
Session
Network
PC
GE0/2/0
1.1.1.1/24
Network
ATNA
GE0/2/0
2.1.1.1/24
ATNB
1.
On ATN B, configure the authentication mode and password for users on ATN A to log in
to ATN B..
2.
Configure a Telnet server port number on ATN B to ensure that users log in only through
this port.
Data Preparation
Issue 02 (2013-12-31)

182

Equipment
Host address of ATN B: 2.1.1.1
Password for user login: hello@123
Telnet server port number: 1028
Procedure
Step 1 Configure the authentication mode and password for Telnet services on ATN B.
[HUAWEI] sysname ATNB
[ATNB] user-interface vty 0 4
[ATNB-ui-vty0-4]set authentication password cipher hello@123
[ATNB-ui-vty0-4] quit
To configure an ACL for Telnetting another device, run the following commands on ATN B.
[ATNB] acl 2000
[ATNB-acl-basic-2000] rule permit source 1.1.1.1 0
[ATNB-acl-basic-2000] quit
[ATNB-ui-vty0-4] acl 2000 inbound
NOTE
Configuring an ACL for Telnet services is optional.
Step 2 Log in to ATN B from ATN A through Telnet.

[HUAWEI] sysname ATNA
[ATNA] quit
<ATNA> telnet 2.1.1.1
Trying 2.1.1.1 ...
Press CTRL+K to abort
Connected to 2.1.1.1 ...
Warning: Telnet is not a secure protocol, and it is recommended to use Stelnet.
Login authentication
Password:
Info: Authentication success,Welcome!
Info: The max number of VTY users is 10, and the number
of current VTY users on line is 1.
The current login time is 2010-02-22 14:31:01.
<ATNB>
Step 3 Configure a Telnet server port number on ATN B.

<ATNB> system-view
[ATNB] telnet server port 1028
Warning: This operation will cause all the online Telnet users to be offline. Co
ntinue?[Y/N]: y
Info: Succeeded in changing the listening port of telnet server.
Step 4 Use the port number 1028 to log in to ATN B from ATN A through Telnet.
<ATNA> telnet 2.1.1.1 1028
Trying 2.1.1.1 ...
Password:
Issue 02 (2013-12-31)

183

Equipment
<ATNB>
----End
Configuration Files
l
ATN A configuration file

#
sysname ATNA
#
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
return
ATN B configuration file

#
sysname ATNB
#
acl number 2000
#
undo shutdown
ip address 2.1.1.1 255.255.255.0
#
acl 2000 inbound
set authentication password cipher %$%$4X_W6DAY]Bzf%$%$4X_W6DAY]Bzf
#
return
Example for Using Telnet on a VPN to Log In to Another Device

This section provides an example for logging in to another device by using Telnet on a VPN. In
this example, the authentication mode and password are configured for users on a VPN so they
can log in to the ATN through Telnet.
As shown in Figure 1-35, ATN A and ATN B can ping through each other. Users can log in to
ATN A from ATN B through Telnet.
Figure 1-35 Networking diagram for logging in to another device by using Telnet on a VPN
GE0/2/0
1.1.1.1 24
IP Network
ATNA
Issue 02 (2013-12-31)
GE0/2/0
1.1.1.2 24
VPN tt
ATNB

184

Equipment
1.
Configure a VPN on ATN B.
2.
Configure the authentication mode and password of the user interface VTY0 to VTY4 on
ATN B.
3.
Set the user to enter the password to log in to ATN B from ATN A in Telnet mode.
Data Preparation
l
Host IP address of ATN B
Authentication mode and password
VPN instance
Procedure
Step 1 Configure the VPN instance and IP address.
# Configure ATN A.
[ATNA] interface gigabitethernet0/2/0
[ATNA-GigabitEthernet0/2/0] undo shutdown
[ATNA-GigabitEthernet0/2/0] ip address 1.1.1.1 24
# Configure ATN B.
[ATNB] ip vpn-instance tt
[ATNB-vpn-instance-tt] route-distinguisher 1000:1
[ATNB-vpn-instance-tt] quit
[ATNB] interface gigabitethernet0/2/0
[ATNB-GigabitEthernet0/2/0] undo shutdown
[ATNB-GigabitEthernet0/2/0] ip binding vpn-instance tt
[ATNB-GigabitEthernet0/2/0] ip address 1.1.1.2 24
[ATNB-GigabitEthernet0/2/0] quit
[ATNB] quit
Step 2 Configure the Telnet authentication mode and password on ATN B.

<ATNB> system-view
[ATNB-ui-vty0-4] authentication-mode password
Enter
Password:
Confirm Password:
To configure Telnet terminal services based on the ACL, perform the following on ATN B.
[ATNB] acl 2000
[ATNB-acl-basic-2000] rule permit vpn-instance tt source 1.1.1.1 0
[ATNB-acl-basic-2000] quit
[ATNB-ui-vty0-4] acl 2000 inbound
Issue 02 (2013-12-31)

185

Equipment
NOTE
Configuring Telnet terminal services based on the ACL is optional.

After the configuration is complete, you can log in to ATN B from ATN A through Telnet.
<ATNA> telnet 1.1.1.2
Trying 1.1.1.2 ...
Password:
Note: The max number of VTY users is 10, and the current number
<ATNB>
----End
Configuration Files
l
ATN A configuration file

#
sysname ATNA
#
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
return
ATN B configuration file

#
sysname ATNB
#
ip vpn-instance tt
route-distinguisher 1000:1
#
acl number 2000
rule 5 permit vpn-instance tt source 1.1.1.1 0
#
undo shutdown
ip binding vpn-instance tt
ip address 1.1.1.2 255.255.255.0
#
acl 2000 inbound
set authentication password cipher Hb(c;\@iU'@X,k6.E\Z,*.S#
#
return
Example for Using STelnet (RSA Authentication Mode) to Log In to the SSH Server
This section provides an example for logging in to another device by using STelnet.In this
example, the local key pairs are generated on the STelnet client and the SSH server, and the
public RSA key is generated on the SSH server and then bound to the STelnet client. In this
manner, the STelnet client can connect to the SSH server.
Issue 02 (2013-12-31)

186

Equipment
As shown in Figure 1-36, after the STelnet service is enabled on the SSH server, the STelnet
client can log in to the SSH server with the password, RSA, password-rsa, DSA, password-DSA,
ECC, password-ECC, or all authentication mode. In this example, the Huawei ATN functions
as an SSH server.
Two users, Client001 and Client002, are configured to log in to the SSH server in the password
and RSA authentication modes, respectively.
Figure 1-36 Networking diagram for using STelnet to log in to another device
SSH Server
GE0/2/0
10.10.1.1/16
GE0/2/0
10.10.2.2/16
GE0/2/0
10.10.3.3/16
Client 001
Client 002
1.
Configure Client001 and Client002 to log in to the SSH server in different authentication
modes.
2.
Create a local RSA key pair on STelnet client Client002 and the SSH server, and bind client
Client002 to an RSA key to authenticate the client when the client attempts to log in to the
server.
3.
Enable the STelnet service on the SSH server.
4.
Set the service type of Client001 and Client002 to STelnet.
5.
Enable first-time authentication on the SSH clients.
6.
Users Client001 and Client002 can now log in to the SSH server through STelnet.
Data Preparation
l
Client001 with the password !QAZ@WSX3edc and authentication mode password
Client002 with the public key RsaKey001 and authentication mode RSA
IP address of the SSH server: 10.10.1.1.
Procedure
Issue 02 (2013-12-31)

187

Equipment
The key name will be: SSH Server_Host
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
Step 2 Create an SSH user on the server.

NOTE
The SSH user can be authenticated in these modes: password, RSA, password-RSA, DSA, password-dsa,
ECC, password-ECC, and all.
l When the SSH user adopts the password, password-ECC, password-DSA, or password-RSA
authentication mode, configure a local user with the same name.
l When the SSH user adopts the RSA, password-RSA, DSA, password-DSA, ECC, password-ECC, or
all authentication mode, the server should save the RSA or DSA or ECC public key for the SSH client.
# Configure the VTY user interface.

[SSH
[SSH
[SSH
[SSH

l Create SSH user Client001.

# Configure password authentication for SSH user Client001.
[SSH Server] ssh user client001
# Configure password of SSH user Client001 to !QAZ@WSX3edc.

[SSH
[SSH
[SSH
[SSH
Server] aaa
Server-aaa]local-user huawei password cipher !QAZ@WSX3edc
Server-aaa] local-user client001 service-type ssh
Server-aaa] quit

# Configure RSA authentication for SSH user Client002.
[SSH Server] ssh user client002 authentication-type rsa
Step 3 Configure the RSA public key on the server.

# Generate a local key pair on the client.
[HUAWEI] sysname client002
[client002] rsa local-key-pair create
# View the RSA public key generated on the client.

[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
Issue 02 (2013-12-31)

188

Equipment
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ---AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ---Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tn
TlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Key name: client002_Server
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client002]
# Send the RSA public key generated on the client software to the server.
[SSH Server]rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[SSH Server-rsa-public-key]public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[SSH Server-rsa-key-code]3047
[SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[SSH Server-rsa-key-code] 1D7E3E1B
[SSH Server-rsa-key-code]public-key-code end
[SSH Server-rsa-public-key]peer-public-key end
Step 4 Bind SSH user Client002 to the RSA public key of the SSH client.
[SSH Server] ssh user client002 assign rsa-key RsaKey001

# Enable the STelnet service.
[SSH Server] stelnet server enable
Step 6 Configure the STelnet service for SSH users Client001 and Client002.
[SSH Server] ssh user client001 service-type stelnet
Step 7 Connect the STelnet client to the SSH server.

# At the first login, you need to enable the first authentication on the SSH client.
Issue 02 (2013-12-31)

189

Equipment
Enable the first authentication on Client001.

[client001] ssh client first-time enable

# Client001 of the STelnet connects to the SSH server in password authentication mode. Enter
the user name and password.
<client001> system-view
[client001] stelnet 10.10.1.1
Please input the username:client001
Trying 10.10.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.10.1.1. Please wait...
Enter password:
Enter the password !QAZ@WSX3edc. The login is complete.

<SSH Server>
# Connect STelnet client Client002 to the SSH server in RSA authentication mode.
Please input the username: client002
Trying 10.10.1.1 ...
<SSH Server>

After the configuration, run the display ssh server status and display ssh server session
commands. You can view that the STelnet service is enabled and the STelnet client is connected
to the SSH server.
# Display the SSH status.
[SSH Server] display ssh server status
SSH version
: 1.99
: 60 seconds
SSH server key generating interval : 0 hours
: 3 times
SFTP server
: Disable
Stelnet server
: Enable
# Display the connection of the SSH server.

Issue 02 (2013-12-31)

190

Equipment
[SSH Server] display ssh server session

Session 1:
Conn
: VTY 3
Version
: 2.0
State
: started
Username
: client001
Retry
: 1
CTOS Cipher
: aes128-cbc
STOC Cipher
: aes128-cbc
CTOS Hmac
: hmac-sha1-96
STOC Hmac
: hmac-sha1-96
Kex
: diffie-hellman-group1-sha1
Service Type
: stelnet
Authentication Type : password
Session 2:
Conn
: VTY 4
Version
: 2.0
State
: started
Username
: client002
Retry
: 1
CTOS Cipher
: aes128-cbc
STOC Cipher
: aes128-cbc
CTOS Hmac
: hmac-sha1-96
STOC Hmac
: hmac-sha1-96
Kex
Service Type
: stelnet
Authentication Type : rsa
# Display information about the SSH user.

[SSH Server] display ssh user-information
User 1:
User Name
: client001
Authentication-type : password
User-public-key-name : Sftp-directory
: Service-type
: stelnet
Authorization-cmd
: No
User 2:
User Name
: client002
Authentication-type : rsa
User-public-key-name : RsaKey001
Sftp-directory
: Service-type
: stelnet
Authorization-cmd
: No
----End
Configuration Files
l

#
sysname SSH Server
#
rsa peer-public-key rsakey001
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB 203C8FCB BBC8FDF2 F7CB674E
519E8419 0F6B97A8 EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43 1D7E3E1B
0203
010001
public-key-code end
peer-public-key end
#
aaa
Issue 02 (2013-12-31)

191

Equipment

+{4,O6Q
8A~<75q"C}O0H
#
undo shutdown
ip address 10.10.1.1 255.255.0.0
#
ssh user client001
ssh user client002
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
#
#
return
Client001 configuration file

#
sysname client001
#
ip address 10.10.2.2 255.255.0.0
#
#
return

#
sysname client002
#
ip address 10.10.3.3 255.255.0.0
#
#
return
Example for Using STelnet (DSA Authentication Mode) to Log In to the SSH Server
This section provides an example for logging in to the SSH server using STelnet. In this example,
the local key pairs are generated on the STelnet client and secure shell (SSH) server, and the
digital signature algorithm (DSA) public key is generated on the SSH server and then bound to
the STelnet client. These configurations implement communication between the STelnet clients
and SSH server.
After the STelnet service is enabled on the SSH server, the STelnet client can log in to the SSH
server in any of the following authentication modes: password, RSA, password-RSA, DSA,
password-DSA, ECC, password-ECC, and all. In this example, the Huawei ATN functions as
an SSH server.
Issue 02 (2013-12-31)

192

Equipment
In Figure 1-37, two users Client001 and Client002, are configured to use STelnet to log in to
the SSH server in password authentication mode and DSA authentication mode, respectively.
Figure 1-37 Networking diagram for STelnet login mode
SSH Server
GE0/2/0
10.10.1.1/16
GE0/2/0
10.10.2.2/16
GE0/2/0
10.10.3.3/16
Client 001
Client 002
1.
Configure Client001 and Client002 to log in to the SSH server in password authentication
mode and DSA authentication mode, respectively.
2.
Create a local DSA key pair on Client002 and the SSH server, and bind Client002 to the
SSH client's DSA public key. These configurations implement authentication for the client
that attempts to log in to the server.
3.
Enable the STelnet service on the SSH server.
4.
Set the service type of Client001 and Client002 to STelnet.
5.
Enable first-time authentication on the SSH clients.
6.
Use Client001 and Client002 to use STelnet to log in to the SSH server.
Data Preparation
l
Client001 with the password %TGB6yhn7ujm and authentication mode password
Client002 with the public key DsaKey001 and authentication mode DSA
SSH server IP address: 10.10.1.1
Procedure
[SSH Server] dsa local-key-pair create
Info: The key name will be: ssh server_Host_DSA.
Info: The key modulus can be any one of the following : 512, 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Issue 02 (2013-12-31)

193

Equipment
Info: Generating keys...

Info: Succeeded in creating the DSA host keys.
Step 2 Create SSH users on the server.

NOTE

[SSH
[SSH
[SSH
[SSH


# Create SSH user Client001 and configure the authentication mode as password.
# Set Client001's password to %TGB6yhn7ujm.

[SSH
[SSH
[SSH
[SSH
Server] aaa
Server-aaa] local-user client001 password cipher %TGB6yhn7ujm
Server-aaa] quit

# Create SSH user Client002 and configure the authentication mode as DSA.
[SSH Server] ssh user client002 authentication-type dsa
Step 3 Configure the DSA public key on the server.

.
# Generate a local key pair on Client002.
[client002] dsa local-key-pair create
Info: The key name will be: ssh server_Host_DSA.
# View the DSA public key generated on Client002.

[client002] display dsa local-key-pair public
=====================================================
Key name
: client002_Host_DSA
Key modulus : 2048
Key type
: DSA encryption Key
=====================================================
Key code:
3081DC
0240
Issue 02 (2013-12-31)

194

Equipment
AE0AE467
A34004C1
6CC46D2D
87C63485
0214
94FC5624
0240
91FF0F2C
7BCA4251
0B4C3530
C986329F
0240
9D5CA69C
717B2208
EC06D0AE
958C4074
2BF3587F 30FE81FF A14D8070 1FC2930B

B37824BB D3160595 702901CD 53F0EAE0
BE78F6A4 3DC4AAEF C7228E01 9C2EF7CE
DCEB09DA E9B88293 2AC88508 AB7C813F

91996828 BAAD5068 CD2FE83E CEFA1CF4
9F04FD24 6CFB50A3 AD78CC0D 335DEFD2
DAA25592 DEAFA0EB 61225712 E4AF6139
7BD9249B B4F1D747 707B5C13 EB980A1E

8F9C46F5 0F1875DE 013FFCD3 D4089356
B256A4DD 4B418138 74CEBD9C 16123F7A

---- BEGIN SSH2 PUBLIC KEY ---AAAAB3NzaC1kc3MAAABBAK4K5Gcr81h/MP6B/6FNgHAfwpMLo0AEwbN4JLvTFgWV
cCkBzVPw6uBsxG0tvnj2pD3Equ/HIo4BnC73zofGNIUAAAAVAJT8ViTc6wna6biC
kyrIhQirfIE/AAAAQQCR/w8skZloKLqtUGjNL+g+zvoc9HvKQlGfBP0kbPtQo614
zA0zXe/SC0w1MNqiVZLer6DrYSJXEuSvYTnJhjKfAAAAQQCdXKace9kkm7Tx10dw
e1wT65gKHnF7IgiPnEb1Dxh13gE//NPUCJNW7AbQrrJWpN1LQYE4dM69nBYSP3qV
jEB0
ssh-dss AAAAB3NzaC1kc3MAAABBAK4K5Gcr81h/MP6B/
6FNgHAfwpMLo0AEwbN4JLvTFgWVcCkBzVPw6uBsxG0tvnj2pD3Equ/
HIo4BnC73zofGNIUAAAAVAJT8ViTc6wna
6biCkyrIhQirfIE/AAAAQQCR/w8skZloKLqtUGjNL+g+zvoc9HvKQlGfBP0kbPtQo614zA0zXe/
SC0w1MNqiVZLer6DrYSJXEuSvYTnJhjKfAAAAQQCdXKace9kkm7Tx10dw
e1wT65gKHnF7IgiPnEb1Dxh13gE//NPUCJNW7AbQrrJWpN1LQYE4dM69nBYSP3qVjEB0
# Send the DSA public key generated on the client to the server.
[SSH Server] dsa peer-public-key DsaKey001 encoding-type der
Info: Enter "DSA public key" view, return system view with "peer-public-key end".
[SSH Server-dsa-public-key] public-key-code begin
Info: Enter "DSA key code" view, return the last view with "public-key-code end".
[SSH Server-dsa-key-code] 3081DC
[SSH Server-dsa-key-code] 0240
[SSH Server-dsa-key-code] AE0AE467 2BF3587F 30FE81FF A14D8070 1FC2930B
[SSH Server-dsa-key-code] A34004C1 B37824BB D3160595 702901CD 53F0EAE0
[SSH Server-dsa-key-code] 6CC46D2D BE78F6A4 3DC4AAEF C7228E01 9C2EF7CE
[SSH Server-dsa-key-code] 87C63485
[SSH Server-dsa-key-code] 94FC5624 DCEB09DA E9B88293 2AC88508 AB7C813F
[SSH Server-dsa-key-code] 91FF0F2C 91996828 BAAD5068 CD2FE83E CEFA1CF4
[SSH Server-dsa-key-code] 7BCA4251 9F04FD24 6CFB50A3 AD78CC0D 335DEFD2
[SSH Server-dsa-key-code] 0B4C3530 DAA25592 DEAFA0EB 61225712 E4AF6139
[SSH Server-dsa-key-code] C986329F
[SSH Server-dsa-key-code] 9D5CA69C 7BD9249B B4F1D747 707B5C13 EB980A1E
[SSH Server-dsa-key-code] 717B2208 8F9C46F5 0F1875DE 013FFCD3 D4089356
[SSH Server-dsa-key-code] EC06D0AE B256A4DD 4B418138 74CEBD9C 16123F7A
[SSH Server-dsa-key-code] public-key-code end
[SSH Server-dsa-public-key] peer-public-key end
[SSH Server]
Step 4 Bind Client002 to the SSH client's DSA public key.

[SSH Server] ssh user client002 assign dsa-key DsaKey001

Issue 02 (2013-12-31)

195

Equipment

Step 6 Configure the STelnet service for Client001 and Client002.


# At the first login, Enable first-time authentication on the SSH clients.
Enable first-time authentication on Client001.

# Connect Client001 to the SSH server in password authentication mode. Enter the user name
and password.
Trying 10.10.1.1 ...
Enter password:
Enter the password huawei. The command output shows that the login is complete.
Info: The max number of VTY users is 20, and the number of current VTY users on line
is 6. The current login time is 2010-09-06 11:42:42.
<SSH Server>
# Connect client002 to the SSH server in DSA authentication mode.

Trying 10.10.1.1 ...
Info: The max number of VTY users is 20, and the number of current VTY users on line
is 6. The current login time is 2010-09-06 11:42:42.
<SSH Server>

After the configuration is complete, run the display ssh server status and display ssh server
session commands. The command outputs show that the STelnet service is enabled and the
STelnet clients have logged in to the SSH server.
# View the SSH status.
Issue 02 (2013-12-31)

196

Equipment

SSH version
: 1.99
: 60 seconds
: 3 times
SFTP server
: Disable
Stelnet server
: Enable
# View the connection of the SSH server.

Session 1:
Conn
: VTY 3
Version
: 2.0
State
: started
Username
: client001
Retry
: 1
CTOS Cipher
: aes128-cbc
STOC Cipher
: aes128-cbc
CTOS Hmac
: hmac-sha1-96
STOC Hmac
: hmac-sha1-96
Kex
Service Type
: stelnet
Session 2:
Conn
: VTY 4
Version
: 2.0
State
: started
Username
: client002
Retry
: 1
CTOS Cipher
: aes128-cbc
STOC Cipher
: aes128-cbc
CTOS Hmac
: hmac-sha1-96
STOC Hmac
: hmac-sha1-96
Kex
Service Type
: stelnet
Authentication Type : dsa
# View information about the SSH users.

User 1:
User Name
: client001
: Service-type
: stelnet
Authorization-cmd
: No
User 2:
User Name
: client002
Authentication-type : dsa
User-public-key-name : DsaKey001
Sftp-directory
: Service-type
: stelnet
Authorization-cmd
: No
----End
Configuration Files
l
Configuration file of the SSH server

#
sysname SSH Server
#
dsa peer-public-key dsakey001 encoding-type der
Issue 02 (2013-12-31)

197

Equipment
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB 203C8FCB BBC8FDF2 F7CB674E
519E8419 0F6B97A8 EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43 1D7E3E1B
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password cipher $1a$tPJ:9op=TO$ggyaYR@nY>"NbzP%N`
$3M~Gz@l
s$KN)mWYXahwu
#
undo shutdown
ip address 10.10.1.1 255.255.0.0
#
ssh user client001
ssh user client002
ssh user client002 authentication-type dsa
ssh user client002 assign dsa-key DsaKey001
#
#
return

#
sysname client001
#
undo shutdown
ip address 10.10.2.2 255.255.0.0
#
#
return

#
sysname client002
#
undo shutdown
ip address 10.10.3.3 255.255.0.0
#
#
return
Example for Using TFTP to Access Files on Another Device

In this example, the TFTP application is run on the TFTP server and the location of the source
file on the server is set. Then, you can upload and download files.
Issue 02 (2013-12-31)

198

Equipment
As shown in Figure 1-38, the IP address of the TFTP server is 10.111.16.160/24.
Figure 1-38 Networking diagram for using TFTP to access files on another device
1.
Run the TFTP application on the TFTP server, and set the location of the file on the server.
2.
Use the TFTP command on the ATN to download the file.
3.
Use the TFTP command on the ATN to upload the file.
Data Preparation
l
The TFTP application installed on the TFTP server
The path of the file on the TFTP server
The destination file name and its path on the ATN
Procedure
Step 1 Start the TFTP server, and set its Current Directory as the directory where the
V200R003C00.cc file resides. Figure 1-39 shows the interface.
Issue 02 (2013-12-31)

199

Equipment
Figure 1-39 Setting the base directory of the TFTP server
NOTE
The display may be different depending on which TFTP server application is run on the computer.
Step 2 Log in to the ATN from computer HyperTerminal and enter the following command to download
the file.
<HUAWEI>tftp 10.111.16.160 get V200R003C00.cc cfcard:/V200R003C00.cc
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please wait...|
TFTP: Downloading the file successfully.
15805100 bytes received in 42734
second.
Step 3 Run the dir command to check whether the downloaded file is saved in the specified directory
on the ATN.
<HUAWEI> dir cfcard:
Directory of cfcard:/
Idx Attr Size(Byte)
1
-rw40
2
-rw396
3
-rw540
4
-rw2718
5
-rw14343
6
-rw1004
7
-rw6247
8
-rw14343
9
-rw- 86235884
Date
Jun 24
May 19
May 19
Jun 21
May 19
Feb 05
May 19
May 16
Feb 05
2006
2006
2006
2006
2006
2001
2006
2006
2001
Time
09:30:40
15:00:10
15:00:10
17:46:46
15:00:10
09:51:22
15:00:10
14:13:42
10:23:46
FileName
private-data.txt
rsahostkey.dat
rsaserverkey.dat
1.cfg
paf.txt
vrp1.zip
license.txt
paf.txt.bak
V200R003C00.cc
Step 4 Log in to the ATN from computer HyperTerminal and enter the following command to upload
the file.
<HUAWEI> tftp 10.111.16.160 put cfcard:/vrpcfg.zip
Uploading the file to the remote TFTP server. Please wait.../
TFTP: Uploading the file successfully.
1217 bytes send in 1 second.
----End
Issue 02 (2013-12-31)

200

Equipment
Example for Configuring Access to the TFTP Server on the Public Network When
the Management VPN Instance Is Used
This section provides an example for configuring access to the TFTP server on the public network
when the management VPN instance is used. In this example, after you log in to a ATN
configured with the management VPN instance, you can download files from the TFTP server
on the public network.
As shown in Figure 1-40, a management VPN instance is configured on the ATN. Users use
the VPN instance to access the FTP server from the ATN. To enable the client to access the
TFTP server on the public network, connect the ATN to the TFTP server on the public network.
Log in to the ATN from the HyperTerminal and then download the file V200R003C00.cc from
the TFTP server.
Figure 1-40 Networking diagram of configuring access to the TFTP server on the public network
when the management VPN instance is used
1.
Run the TFTP application on the TFTP server, and set the location of the file on the server.
2.
Use the TFTP command on the ATN to download the file.
3.
Use the TFTP command on the ATN to upload the file.
Data Preparation
l
The TFTP application installed on the TFTP server
The path of the file on the TFTP server
The destination file name and its path on the ATN
Issue 02 (2013-12-31)

201

Equipment
Procedure
Step 1 Start the TFTP server, and set its Current Directory as the directory where the
V200R003C00.cc file resides. Figure 1-41 shows the interface.
Figure 1-41 Setting the base directory of the TFTP server
NOTE
The display may be different depending on which TFTP server application is run on the computer.
Step 2 Log in to the ATN from computer HyperTerminal and enter the following command to download
the file.
<HUAWEI>tftp 10.111.16.160 public-net get V200R003C00.cc cfcard:/V200R003C00.cc
Downloading the file from the remote TFTP server. Please wait...|
TFTP: Downloading the file successfully.
15805100 bytes received in 42734
second.
Step 3 Run the dir command to check whether the downloaded file is saved in the specified directory
on the ATN.
<HUAWEI> dir cfcard:
Directory of cfcard:/
Idx Attr Size(Byte)
1
-rw40
2
-rw396
3
-rw540
4
-rw2718
5
-rw14343
6
-rw1004
7
-rw6247
8
-rw14343
9
-rw- 86235884
Date
Jun 24
May 19
May 19
Jun 21
May 19
Feb 05
May 19
May 16
Feb 05
2006
2006
2006
2006
2006
2001
2006
2006
2001
Time
09:30:40
15:00:10
15:00:10
17:46:46
15:00:10
09:51:22
15:00:10
14:13:42
10:23:46
FileName
private-data.txt
rsahostkey.dat
rsaserverkey.dat
1.cfg
paf.txt
vrp1.zip
license.txt
paf.txt.bak
V200R003C00.cc
Step 4 Log in to the ATN from computer HyperTerminal and enter the following command to upload
the file.
Issue 02 (2013-12-31)

202

Equipment
<HUAWEI> tftp 10.111.16.160 public-net put cfcard:/vrpcfg.zip

Uploading the file to the remote TFTP server. Please wait.../
TFTP: Uploading the file successfully.
1217 bytes send in 1 second.
----End
Configuration Files
None.
Example for Using FTP to Access Files on Another Device

This section provides an example for using FTP to access files on another device. In this example,
a user logs in to the FTP server from the ATN to download system software and configuration
software from the FTP server.
As shown in Figure 1-42, the route between ATN A that functions as the FTP client and the
FTP server is reachable. A user needs to download system software and configuration software
from the FTP server. The Huawei ATN functions as an FTP server.
Figure 1-42 Networking diagram for using FTP to access files on another device
GE0/2/0
2.1.1.1/24
Network
GE0/2/0
1.1.1.1/24
ATNA
FTP Server
1.
Configure the user name and password for an FTP user to log in to the FTP server.
2.
Enable the FTP server on the ATN.
3.
Run login commands to log in to the FTP server.
4.
Configure the file transmission mode and directories for the client before downloading
required files from the FTP server.
Data Preparation
l
User name: huawei and password: !QAZ@WSX3edc
Target file and its location on ATN A
Issue 02 (2013-12-31)

203

Equipment
Procedure
Step 1 Configure an FTP user on the FTP server.
[HUAWEI] aaa
[HUAWEI-aaa] local-user
[HUAWEI-aaa] quit
huawei
huawei
huawei
huawei
password cipher !QAZ@WSX3edc

service-type ftp
ftp-directory cfcard:
level 3
Step 2 Enable the FTP server.

[HUAWEI] ftp server enable
Step 3 Log in to the FTP server from ATN A.

<HUAWEI> ftp 1.1.1.1
Trying 1.1.1.1 ...
Connected to 1.1.1.1.
220 FTP service ready.
User(1.1.1.1:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp]
Step 4 On ATN A, configure the binary format as the file transfer mode and flash:/ as the working
directory.
[ftp] binary
200 Type set to I.
[ftp] lcd cfcard:/
Info: Local directory now cfcard:.
Step 5 On ATN A, download the latest system software from the remote FTP server.
[ftp] get V200R003C00.cc
200 Port command okay.
150 Opening ASCII mode data connection for V200R003C00.cc.
226 Transfer complete.
FTP: 1127 byte(s) received in 0.156 second(s) 7.22Kbyte(s)/sec.
[ftp] quit
You can run the dir command to check whether the required file is downloaded to the client.
----End
Configuration Files
l
Configuration file on the FTP server

#
FTP server enable
#
aaa
local-user huawei password cipher $1a$9zS'/]'y<:$My1[;/,aS>nhG{H7GaM+{4,O6Q
8A~<75q"C}O0H
local-user huawei service-type ftp
local-user huawei ftp-directory cfcard:
#
undo shutdown
ip address 1.1.1.1 255.255.255.0
Issue 02 (2013-12-31)

204

Equipment
Return
Configuration file on the FTP client

#
undo shutdown
ip address 2.1.1.1 255.255.255.0
Return
Example for Configuring Access to the FTP Server on the Public Network When
This section provides an example for configuring access to the FTP server on the public network
when the management VPN instance is used. In this example, after you log in to a ATN
configured with the management VPN instance, you can download files from the FTP server on
the public network.
As shown in Figure 1-43, a management VPN instance is configured on ATN A. Users use the
VPN instance to access the FTP server. To enable ATN A to access the FTP server on the public
network, you need to connect the ATN to the FTP server on the public network.
The route between ATN that functions as the FTP client and the FTP server is reachable. A user
needs to download system software and configuration software from the FTP server on the public
network.
Figure 1-43 Networking diagram of configuring access to the FTP server on the public network
when the management VPN instance is used
GE0/2/0
2.1.1.1/24
Network
GE0/2/0
1.1.1.1/24
ATNA
FTP Server
1.
Log in to the FTP server from the FTP client on the public network.
2.
Download the system files from the server to the storage devices on the client side.
Data Preparation
l
User name: huawei and password: huawei
The destination file name and its position in the ATN
Issue 02 (2013-12-31)

205

Equipment
Procedure
Step 1 Log in to the FTP server from the ATN.
<HUAWEI> ftp 1.1.1.1 public-net
Trying 1.1.1.1
Connected to 1.1.1.1
User(ftp 1.1.1.1:(none)):huawei
331 Password required for huawei
Password:
230 User logged in.
Step 2 Configure the transmission mode to the binary format and configure the directory of the cfcard
memory on the ATN..
[ftp] binary
200 Type set to I.
[ftp] lcd cfcard:/
Info: Local directory now cfcard:.
Step 3 Download the newest system software from the remote FTP server on the ATN.
[ftp] get V200R003C00.cc
150 Opening ASCII mode data connection for V200R003C00.cc.
[ftp] quit
----End
Configuration Files
None.
Example for Using SFTP (RSA Authentication Mode) to Access Files on Another
Device
In this example, the local key pairs are generated on the SFTP client and the SSH server
respectively, and the public RSA key is generated on the SSH server that binds the public RSA
key to the SFTP client. In this manner, the SFTP client can connect to the SSH server.
As shown in Figure 1-44, after the SFTP service is enabled on the SSH server, the SFTP client
can log in to the SSH server with the password, RSA, password-RSA, DSA, password-DSA,
ECC, password-ECC, or all authentication. In this example, the Huawei ATN functions as an
SSH server.
Two users client001 and client002, are configured to log in to the SSH server in password and
RSA authentication modes, respectively.
Issue 02 (2013-12-31)

206

Equipment
Figure 1-44 Networking diagram for accessing files on another device by using SFTP
SSH Server
GE0/2/0
10.10.1.1/16
GE0/2/0
10.10.2.2/16
GE0/2/0
10.10.3.3/16
Client 001
Client 002
1.
modes.
2.
Create a local RSA key pair on SFTP client Client002 and the SSH server, and bind client
server.
3.
Enable the SFTP service on the SSH server.
4.
Configure the service mode and authorization directory for the SSH user.
5.
Client001 and Client002 log in to the SSH server by using an SFTP to access files on the
server.
Data Preparation
l
Client001 password: %TGB6yhn7ujm. Adopt password authentication.
Client002: adopt RSA authentication and assign public key RsaKey001 to Client002.
Procedure
Generating keys...
.........++++++++
......................++++++++
Issue 02 (2013-12-31)

207

Equipment
......................+++++++++
.....+++++++++

NOTE

[SSH
[SSH
[SSH
[SSH

l Create Client001 for the SSH user.

# Create an SSH user with the name Client001. The authentication mode is password.
# Set %TGB6yhn7ujm as the password for Client001 of the SSH user.

[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher $1a$9zS'/]'y<:$My1
[;/,aS>nhG{H7GaM+{4,O6Q
8A~<75q"C}O0H
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit

# Create an SSH user with user name Client002 and RSA authentication.
Step 3 Configure the public RSA key of the server.


=====================================================
=====================================================
Key code:
3047
0240
1D7E3E1B
0203
010001
Issue 02 (2013-12-31)

208

Equipment

=====================================================
=====================================================
Key code:
3067
0260
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client]
# Send the RSA public key generated on the client to the server.
[SSH Server] rsa peer-public-key RsaKey001
[SSH Server-rsa-public-key] public-key-code begin
[SSH Server-rsa-key-code] 3047
[SSH Server-rsa-key-code] public-key-code end
[SSH Server-rsa-public-key] peer-public-key end
Step 4 Bind the RSA public key of SSH client to Client002 of the SSH user.

Step 6 Configure the service type and authorized directory of the SSH user.
Two SSH users are configured on the SSH server: Client001 and Client002. The password
authentication mode is configured for Client001 and the RSA authentication mode is configured
for Client002.
[SSH
[SSH
[SSH
[SSH
Server]
Server]
Server]
Server]
ssh
ssh
ssh
ssh
user
user
user
user
client001
client001
client002
client002
service-type sftp
sftp-directory cfcard:
service-type sftp

# For the first login, you need to enable the first authentication on the SSH client.
Issue 02 (2013-12-31)

209

Equipment

# Connect the STelnet client Client001 to the SSH server in password authentication mode.
[client001] sftp 10.10.1.1
Trying 10.10.1.1 ...
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] : y
The server's public key will be saved with the name 10.10.1.1. Please wait.
..
Enter password:
sftp-client>
[client002] sftp 10.10.1.1
Trying 10.10.1.1 ...
Save the server's public key? [Y/N] :y
..
sftp-client>

commands. You can view that the STelnet service is enabled and the SFTP client is connected
to the SSH server.
SSH version : 1.99
SSH connection timeout : 60 seconds
SSH Authentication retries : 3 times
SFTP server: Enable
Stelnet server: Disable

Session 1:
Conn
: VTY 3
Version
: 2.0
State
: started
Username
: client001
Retry
: 1
CTOS Cipher
: aes128-cbc
STOC Cipher
: aes128-cbc
CTOS Hmac
: hmac-sha1-96
STOC Hmac
: hmac-sha1-96
Kex
Issue 02 (2013-12-31)

210

Equipment
Service Type
Authentication Type
Session 2:
Conn
Version
State
Username
Retry
CTOS Cipher
STOC Cipher
CTOS Hmac
STOC Hmac
Kex
Service Type
Authentication Type
: sftp
: password
:
:
:
:
:
:
:
:
:
:
:
:
VTY 4
2.0
started
client002
1
aes128-cbc
aes128-cbc
hmac-sha1-96
hmac-sha1-96
diffie-hellman-group1-sha1
sftp
rsa

[SSH Server]display ssh user-information
User 1:
User Name
: client001
: cfcard:
Service-type
: sftp
Authorization-cmd
: No
User 2:
User Name
: client002
Sftp-directory
: cfcard:
Service-type
: sftp
Authorization-cmd
: No
----End
Configuration Files
l

#
sysname SSH Server
#
3047
0240
C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password cipher %TGB6yhn7ujm
#
undo shutdown
ip address 10.10.1.1 255.255.0.0
#
sftp server enable
ssh user client001
ssh user client002
Issue 02 (2013-12-31)

211

Equipment

ssh user client001 service-type sftp
ssh user client001 sftp-directory cfcard:.
#
#
Return
Configuration file of Client001 on the SSH client

#
sysname client001
#
ip address 10.10.2.2 255.255.0.0
#
#
return
Configuration file of Client002 on the SSH client

#
sysname client002
#
ip address 10.10.3.3 255.255.0.0
#
#
return
Example for Using SFTP (DSA Authentication Mode) to Log In to the SSH Server
This section provides an example for using SFTP to log in to the secure shell (SSH) server. In
this example, the local key pairs are generated on the SFTP client and SSH server, and the public
DSA key is generated on the SSH server and bound to the SFTP client. These configurations
create an implement connection between the SFTP client and SSH server.
In Figure 1-45, after the SFTP service is enabled on the SSH server, the SFTP client can log in
to the SSH server in any of the following authentication modes: password, RSA, password-RSA,
DSA, password-DSA, ECC, password-ECC, and all. In this example, the Huawei ATN functions
as an SSH server.
Two users client001 and client002 are configured to log in to the SSH server in password
authentication mode and DSA authentication mode, respectively.
Issue 02 (2013-12-31)

212

Equipment
Figure 1-45 Networking diagram for using SFTP to access files on other devices
SSH Server
GE0/2/0
10.10.1.1/16
GE0/2/0
10.10.2.2/16
GE0/2/0
10.10.3.3/16
Client 001
Client 002
1.
Configure Cient001 and Client002 to log in to the SSH server in different authentication
modes.
2.
Create a local DSA key pair on client002 and the SSH server, and bind client002 to the
SSH client's DSA public key. These configurations implement authentication for the client
that attempts to log in to the server.
3.
4.
Configure the service type and authorized directory for the SSH users.
5.
Use client001 and client002 to log in to the SSH server. Then use SFTP to access files on
the server.
Data Preparation
l
Client002 with the public key DsaKey001 and authentication mode DSA
Directory to which SSH users are allowed access: flash
SSH server IP address: 10.10.1.1
Procedure
[SSH Server] dsa local-key-pair create
Info: The key name will be: SSH Server_Host_DSA.
Info: The DSA host key named SSH Server_Host_DSA already exists.
Warning: Do you want to replace it ?[Y/N]: y
Issue 02 (2013-12-31)

213

Equipment
Step 2 Create SSH users on the server.

NOTE

[SSH
[SSH
[SSH
[SSH
[SSH

Server-ui-vty0-4] user privilege level 3

# Create SSH user Client001 and configure the authentication mode as password.
[SSH Server] ssh user client001 Info: Succeeded in adding a new SSH user.
# Set client001's password to %TGB6yhn7ujm.

[SSH
[SSH
[SSH
[SSH
[SSH
Server] aaa
Server-aaa]
Server-aaa]
Server-aaa]
Server-aaa]

quit

# Create SSH user Client002 and configure the authentication mode as DSA.
[SSH Server] ssh user client002 Info: Succeeded in adding a new SSH user.
[SSH Server] ssh user client002 authentication-type dsa
Step 3 Configure the DSA public key on the server.

.
[client002] dsa local-key-pair create
Info: The key name will be: client002_Host_DSA.
[client002] display dsa local-key-pair public
=====================================================
Key name
: client002_Host_DSA
Key modulus : 2048
Key type
: DSA encryption Key
=====================================================
Key code:
3081DC
0240
AE0AE467 2BF3587F 30FE81FF A14D8070 1FC2930B
A34004C1 B37824BB D3160595 702901CD 53F0EAE0
6CC46D2D BE78F6A4 3DC4AAEF C7228E01 9C2EF7CE
87C63485
Issue 02 (2013-12-31)

214

Equipment
0214
94FC5624
0240
91FF0F2C
7BCA4251
0B4C3530
C986329F
0240
A40A1B4E
51475F29
D8A1B55A
E5FC773C
DCEB09DA E9B88293 2AC88508 AB7C813F

91996828 BAAD5068 CD2FE83E CEFA1CF4
9F04FD24 6CFB50A3 AD78CC0D 335DEFD2
DAA25592 DEAFA0EB 61225712 E4AF6139
7176FF2C 72052269 15A538DA F085C88C

CC3D1E63 83FB4193 93AFE905 65FDA2C7
15ECC7F7 A0D78921 BDF53C84 7CCBF47B

---- BEGIN SSH2 PUBLIC KEY ---AAAAB3NzaC1kc3MAAABBAK4K5Gcr81h/MP6B/6FNgHAfwpMLo0AEwbN4JLvTFgWV
cCkBzVPw6uBsxG0tvnj2pD3Equ/HIo4BnC73zofGNIUAAAAVAJT8ViTc6wna6biC
kyrIhQirfIE/AAAAQQCR/w8skZloKLqtUGjNL+g+zvoc9HvKQlGfBP0kbPtQo614
zA0zXe/SC0w1MNqiVZLer6DrYSJXEuSvYTnJhjKfAAAAQQCkChtOcXb/LHIFImkV
pTja8IXIjFFHXynMPR5jg/tBk5Ov6QVl/aLH2KG1WhXsx/eg14khvfU8hHzL9Hvl
/Hc8
ssh-dss AAAAB3NzaC1kc3MAAABBAK4K5Gcr81h/MP6B/6FNgHAfwpMLo0AEwbN4JLvTFgWVcCkBzVPw
6uBsxG0tvnj2pD3Equ/HIo4BnC73zofGNIUAAAAVAJT8ViTc6wna6biCkyrIhQirfIE/AAAAQQCR/w8s
kZloKLqtUGjNL+g+zvoc9HvKQlGfBP0kbPtQo614zA0zXe/SC0w1MNqiVZLer6DrYSJXEuSvYTnJhjKf
AAAAQQCkChtOcXb/LHIFImkVpTja8IXIjFFHXynMPR5jg/tBk5Ov6QVl/aLH2KG1WhXsx/eg14khvfU8
hHzL9Hvl/Hc8 dsa-key
# Send the DSA public key generated on the client to the server.
[SSH Server] dsa peer-public-key DsaKey001 encoding-type der
Info: Enter "DSA public key" view, return system view with "peer-public-key end".
[SSH Server-dsa-public-key] public-key-code begin
Info: Enter "DSA key code" view, return the last view with "public-key-code end".
[SSH Server-dsa-key-code] 3081DC
[SSH Server-dsa-key-code] AE0AE467 2BF3587F 30FE81FF A14D8070 1FC2930B
[SSH Server-dsa-key-code] A34004C1 B37824BB D3160595 702901CD 53F0EAE0
[SSH Server-dsa-key-code] 6CC46D2D BE78F6A4 3DC4AAEF C7228E01 9C2EF7CE
[SSH Server-dsa-key-code] 94FC5624 DCEB09DA E9B88293 2AC88508 AB7C813F
[SSH Server-dsa-key-code] 91FF0F2C 91996828 BAAD5068 CD2FE83E CEFA1CF4
[SSH Server-dsa-key-code] 7BCA4251 9F04FD24 6CFB50A3 AD78CC0D 335DEFD2
[SSH Server-dsa-key-code] 0B4C3530 DAA25592 DEAFA0EB 61225712 E4AF6139
[SSH Server-dsa-key-code] C986329F
[SSH Server-dsa-key-code] 77DF0AD1 511AF98F FE573511 2E25EE9B B908EF02
[SSH Server-dsa-key-code] 9023CCF9 0C82B474 2A9D8445 5004779F 18853E9F
[SSH Server-dsa-key-code] 0D7EE1CA D59FAF7F 13260646 44C0E8F4 119F0BF1
[SSH Server-dsa-key-code] B442C340
[SSH Server-dsa-key-code] public-key-code end
[SSH Server-dsa-public-key] peer-public-key end
[SSH Server]
Step 4 Bind client002 to the SSH client's DSA public key.

[SSH Server] ssh user client002 assign dsa-key DsaKey001
Step 5 Enable the SFTP service on the SSH server.

# Enable the SFTP service.
Issue 02 (2013-12-31)

215

Equipment
Step 6 Configure the service type and authorized directory for the SSH users.
Two SSH users are configured on the SSH server: client001 in password authentication mode
and client002 in DSA authentication mode.
Step 7 Connect the SFTP client to the SSH server.

# At the first login, Enable first-time authentication on the SSH clients.
Enable first-time authentication on client002.

# Connect Client001 to the SSH server in password authentication mode.

[client001] sftp 10.10.1.1
Trying 10.10.1.1 ...
Enter password:
sftp-client>
# Connect client002 to the SSH server in DSA authentication mode.

Trying 10.10.1.1 ...
sftp-client>

After the configuration is complete, run the display ssh server status and display ssh server
session commands. The command outputs show that the SFTP service is enabled and the SFTP
clients have logged in to the SSH server.
# View the SSH status.
SSH version
SSH authentication retries
SFTP server
Stelnet server
Scp server
SSH server source
:1.99
:60 seconds
:0 hours
:3 times
:Enable
:Disable
:Disable
:0.0.0.0
# View the connection of the SSH server.

Issue 02 (2013-12-31)

216

Equipment

Session 1:
Conn
: VTY 0
Version
: 2.0
State
: started
Username
: client002
Retry
: 1
CTOS Cipher
: aes128-cbc
STOC Cipher
: aes128-cbc
CTOS Hmac
: hmac-sha1-96
STOC Hmac
: hmac-sha1-96
CTOS Compress
: none
STOC Compress
: none
Kex
Public Key
: rsa
Service Type
: sftp
Authentication Type : dsa
Session 2:
Conn
: VTY 1
Version
: 2.0
State
: started
Username
: client001
Retry
: 1
CTOS Cipher
: aes128-cbc
STOC Cipher
: aes128-cbc
CTOS Hmac
: hmac-sha1-96
STOC Hmac
: hmac-sha1-96
CTOS Compress
: none
STOC Compress
: none
Kex
Public Key
: rsa
Service Type
: sftp
# View information about the SSH users.

User 1:
User Name
: client001
User-public-key-name : User-public-key-type : Service-type
Authorization-cmd
User 2:
User Name
Authentication-type
User-public-key-type
Service-type
Authorization-cmd
: sftp
: No
:
:
:
:
client002
dsa
DsaKey001
dsa
: sftp
: No
----End
Configuration Files
l

#
sysname SSH Server
#
dsa peer-public-key DsaKey001 encoding-type der
3081DC
0240
Issue 02 (2013-12-31)

217

Equipment
AE0AE467 2BF3587F 30FE81FF A14D8070 1FC2930B A34004C1 B37824BB D3160595

702901CD 53F0EAE0 6CC46D2D BE78F6A4 3DC4AAEF C7228E01 9C2EF7CE 87C63485
0214
94FC5624 DCEB09DA E9B88293 2AC88508 AB7C813F
0240
91FF0F2C 91996828 BAAD5068 CD2FE83E CEFA1CF4 7BCA4251 9F04FD24 6CFB50A3
AD78CC0D 335DEFD2 0B4C3530 DAA25592 DEAFA0EB 61225712 E4AF6139 C986329F
0240
77DF0AD1 511AF98F FE573511 2E25EE9B B908EF02 9023CCF9 0C82B474 2A9D8445
5004779F 18853E9F 0D7EE1CA D59FAF7F 13260646 44C0E8F4 119F0BF1 B442C340
public-key-code end
peer-public-key end
#
aaa
local-user client001 password cipher $1a$tPJ:9op=TO$ggyaYR@nY>"NbzP%N`
$3M~Gz@l
s$KN)mWYXahwu
#
undo shutdown
ip address 10.10.1.1 255.255.0.0
#
sftp server enable
ssh user client001
ssh
ssh
ssh
ssh
user
user
user
user
client002
client002 authentication-type dsa
client002 assign dsa-key DsaKey001
client002 service-type sftp
#
return

#
sysname client001
#
undo shutdown
ip address 10.10.2.2 255.255.0.0
#
#
return

#
sysname client002
#
undo shutdown
ip address 10.10.3.3 255.255.0.0
#
#
return
Example for Configuring Access to the SFTP Server on the Public Network When
This section provides an example for configuring access to the SFTP server on the public network
when the management VPN instance is used. In this example, after you generate the local key
Issue 02 (2013-12-31)

218

Equipment
pair on the SFTP client and SSH server, generate the RSA public key on the SSH server, and
bind the RSA public key to the client, you can connect the SFTP client to the SFTP server on
the public network when you use the management VPN instance.
As shown in Figure 1-46, a management VPN instance is configured for Client001 and
Client002. Users use the VPN instance to access the FTP server. To enable the client to access
the SFTP server on the public network, you need to connect the ATN to the SFTP server on the
public network.
The Huawei ATN functions as an SSH server. Two users Client001 and Client002 are configured
to log in to the SSH server in the password and RSA authentication modes, respectively.
Figure 1-46 Networking diagram for configuring access to the SFTP server on the public
network when the management VPN instance is used
SSH Server
GE0/2/0
10.10.1.1/16
GE0/2/0
10.10.2.2/16
GE0/2/0
10.10.3.3/16
Client 001
Client 002
1.
modes..
2.
server.
3.
4.
5.
Configure Client001 and Client002 to log in to the SSH server on the public network
through SFTP..
Data Preparation
l
Issue 02 (2013-12-31)

219

Equipment
Procedure
Generating keys...
.........++++++++
......................++++++++
......................+++++++++
.....+++++++++

NOTE

[SSH
[SSH
[SSH
[SSH


# Set %TGB6yhn7ujm as the password for Client001 of the SSH user.

[SSH
[SSH
[SSH
[SSH
Server] aaa
Server-aaa] local-user client001 password cipher %TGB6yhn7ujm
Server-aaa] quit

# Create an SSH user with user name Client002 and RSA authentication.


Issue 02 (2013-12-31)

220

Equipment

=====================================================
=====================================================
Key code:
3047
0240
1D7E3E1B
0203
010001
=====================================================
=====================================================
Key code:
3067
0260
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client]
Step 4 Bind the RSA public key of the SSH client to Client002 of the SSH user.

Step 6 Configure the service type and authorized directory for the SSH users.
Issue 02 (2013-12-31)

221

Equipment
Two SSH users are configured on the SSH server: Client001 and Client002. The password
authentication mode is configured for Client001 and the RSA authentication mode is configured
for Client002.
[SSH
[SSH
[SSH
[SSH
Server]
Server]
Server]
Server]
ssh
ssh
ssh
ssh
user
user
user
user
client001
client001
client002
client002
service-type sftp
service-type sftp


# Connect STelnet client Client001to the SSH server in password authentication mode.
[client001] sftp 10.10.1.1 public-net
Trying 10.10.1.1 ...
Enter password:
sftp-client>
[client002] sftp 10.10.1.1 public-net
Trying 10.10.1.1 ...
sftp-client>

commands. You can view that the STelnet service is enabled and the SFTP client is connected
to the SSH server.
SSH version : 1.99
SFTP server: Enable
STELNET server: Disable

Session 1:
Issue 02 (2013-12-31)

222

Equipment
Conn
Version
State
Username
Retry
CTOS Cipher
STOC Cipher
CTOS Hmac
STOC Hmac
Kex
Service Type
Authentication Type
Session 2:
Conn
Version
State
Username
Retry
CTOS Cipher
STOC Cipher
CTOS Hmac
STOC Hmac
Kex
Service Type
Authentication Type
:
:
:
:
:
:
:
:
:
:
:
:
VTY 3
2.0
started
client001
1
aes128-cbc
aes128-cbc
hmac-sha1-96
hmac-sha1-96
sftp
password
:
:
:
:
:
:
:
:
:
:
:
:
VTY 4
2.0
started
client002
1
aes128-cbc
aes128-cbc
hmac-sha1-96
hmac-sha1-96
sftp
rsa

User 1:
User Name
: client001
: cfcard:
Service-type
: sftp
Authorization-cmd
: No
User 2:
User Name
: client002
Sftp-directory
: cfcard:
Service-type
: sftp
Authorization-cmd
: No
----End
Configuration Files
l

#
sysname SSH Server
#
3047
0240
0203
010001
public-key-code end
peer-public-key end
#
aaa
+{4,O6Q
8A~<75q"C}O0H
Issue 02 (2013-12-31)

223

Equipment

#
undo shutdown
ip address 10.10.1.1 255.255.0.0
#
sftp server enable
ssh user client001
ssh user client002
#
#
Return

#
sysname client001
#
ip address 10.10.2.2 255.255.0.0
#
#
return

#
sysname client002
#
ip address 10.10.3.3 255.255.0.0
#
#
return
Example for Accessing the SSH Server Through Other Ports

This section provides an example for accessing the SSH server through other port numbers. In
this example, the monitoring port number of the SSH server is set to a port number other than
the standard monitoring port number so that only valid users can set up connections with the
SSH server.
The standard monitored port number of the SSH protocol is 22. Frequent malicious access to
the standard port consumes bandwidth and affects the performance of the server, and therefore,
other users cannot access the standard port.
After the number of the port monitored by the SSH server is set to another port number, the
attacker does not know the new monitored port number and keeps sending socket connection
requests to standard port 22. When the SSH detects that the port number in the connection
requests is not the number of the monitored port, the SSH does not set up the socket connection.
Issue 02 (2013-12-31)

224

Equipment
Therefore, only the valid user can set up the socket connection through the non-standard
monitored port set by the SSH server, and only the valid user can negotiate the SSH version
number, negotiate the algorithm, generate the session key, authenticate the server, send a session
request, and perform the interactive session.
The ATN functions as an SSH server. Client Client001 is configured to use STelnet in password
authentication mode to log in to the SSH server and client Client002 is configured to use SFTP
in RSA authentication mode of RSA to log in to the SSH server.
Figure 1-47 Networking diagram for accessing the SSH server through other port numbers
SSH Server
GE0/2/0
10.10.1.1/16
GE0/2/0
10.10.2.2/16
GE0/2/0
10.10.3.3/16
Client 001
Client 002
1.
modes..
2.
server.
3.
Enable STelnet and SFTP services on the SSH server.
4.
5.
Configure the listening port number for the SSH server so that the client can access the
server through other port numbers.
6.
Client001 and Client002 log in to the SSH server through STelnet and SFTP respectively.
Data Preparation
l
Number of the port monitored by the SSH server: 1025.
Issue 02 (2013-12-31)

225

Equipment
Procedure
Step 1 On the client, generate a local key pair.
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++

# Generate a local key pair of client on the client.

=====================================================
=====================================================
Key code:
3047
0240
1D7E3E1B
0203
010001
=====================================================
=====================================================
Key code:
3067
0260
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
Issue 02 (2013-12-31)

226

Equipment


NOTE

[SSH
[SSH
[SSH
[SSH


# Set %TGB6yhn7ujm as the password for SSH user Client001.

[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher $1a$9zS'/]'y<:$My1
[;/,aS>nhG{H7GaM+{4,O6Q
8A~<75q"C}O0H
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit
# Configure Client001 with service type of STelnet.


Create an SSH user with the name Client002 and RSA authentication, and bind it to the RSA
public key of the SSH client.
# Configure the service type of Client002 as SFTP and the authorization directory.
[SSH Server] ssh user client002 sftp-directory cfcard:
Step 4 Enable the STelnet service and the SFTP service on the SSH server.
# Enable the STelnet service and the SFTP service.
Issue 02 (2013-12-31)

227

Equipment
Step 5 Configure a new number for the port monitored by the SSH server.
[SSH Server] ssh server port 1025


# Connect the STelnet client to the SSH server through the new port number.
[client001] stelnet 10.10.1.1 1025
Trying 10.10.1.1 ...
he server is not authenticated. Continue to access it?(Y/N):y
he server's public key will be saved with the name 10.10.1.1. Please wait...
Enter password:
Enter the password Huawei and view the following:

<SSH Server>
# Connect the SFTP client to the SSH server through the new port number.
[client002] sftp 10.10.1.1 1025
Trying 10.10.1.1 ...
..
sftp-client>

The attacker fails to log in to the SSH server through port 22.
[client002] sftp 10.10.1.1
Trying 10.10.1.1 ...
Error: Failed to connect to the server.
commands. You can view the number of the port monitored by the SSH server and that the
STelnet client or SFTP client is connected to the SSH server.
Issue 02 (2013-12-31)

228

Equipment

SSH version : 1.99
SFTP server: Enable
STELNET server: Enable
SSH server port: 1025

Session 1:
Conn
: VTY 3
Version
: 2.0
State
: started
Username
: client001
Retry
: 1
CTOS Cipher
: aes128-cbc
STOC Cipher
: aes128-cbc
CTOS Hmac
: hmac-sha1-96
STOC Hmac
: hmac-sha1-96
Kex
Service Type
: stelnet
Session 2:
Conn
: VTY 4
Version
: 2.0
State
: started
Username
: client002
Retry
: 1
CTOS Cipher
: aes128-cbc
STOC Cipher
: aes128-cbc
CTOS Hmac
: hmac-sha1-96
STOC Hmac
: hmac-sha1-96
Kex
Service Type
: sftp
Authentication Type : rsa
----End
Configuration Files
l

#
sysname SSH Server
#
3047
0240
0203
010001
public-key-code end
peer-public-key end
#
aaa
#
undo shutdown
ip address 10.10.1.1 255.255.0.0
#
Issue 02 (2013-12-31)

229

Equipment
sftp server enable

ssh server port 1025
ssh user client001
ssh user client002
ssh user client002 authentication-type RSA
#
#
return

#
sysname client001
#
ip address 10.10.2.2 255.255.0.0
#
#
return

#
sysname client002
#
ip address 10.10.3.3 255.255.0.0
#
#
return
1.9 Device Maintenance

With routine device maintenance, you can detect potential operation threats on devices and then
eradicate the potential threats in time to ensure that the system runs securely, stably, and reliably.
1.9.1 Introduction of Device Maintenance

Device maintenance involves replacing boards and monitoring the internal environment.
Overview of Device Maintenance

Device maintenance involves replacing boards and monitoring the internal environment.
Concept
The stable running of a ATNdepends on the mature network planning and the routine
maintenance. In addition, fast location of the hidden hazards is necessary.
Issue 02 (2013-12-31)

230

Equipment
The maintenance personnel must check the alarm information in time and deal with the fault
properly to keep the device in normal operation and reduce the failure rate. Thus, the system
runs in a safe, stable, and reliable environment.
Maintenance Operation
Maintenance such as board replacement and internal environment check ensures the normal
operation of the ATN.
Maintenance Features Supported by the ATN

The ATN allows the operation status to be monitored.
Monitoring
In routine maintenance of the device, you can run the display commands to view the working
status of the ATN. This can help the maintenance personnel fast locate the fault during the
troubleshooting procedure.
1.9.2 Monitoring the Device Status

You can monitor the device status to facilitate fault location and cause analysis.
Displaying the System Version Information

The system version information includes the system software version and various hardware
versions.
Procedure
Step 1 Run:
display version
The system version information is displayed.

You can run this command in any view to view the system version information. The main
information is as follows:
l System software version
l Hardware and software version of the MPUs
l Hardware and software version physical interface card
.
l Hardware and software version of the Fan
.
----End
Displaying Basic Information About the Router

Basic ATN information includes detailed information about the system-control board, physical
interface card, clock board, power supply, and fan module.
Issue 02 (2013-12-31)

231

Equipment
Procedure
Step 1 Run:
display device [ pic-status | slot-id]
Basic information about the ATN is displayed.

You can run this command in any view to view the basic device information. Enter slot-id to
view information about the board in the specified slot.
l Choose a board in a certain slot. You can view basic information about this board.
l Run:
display device pic-status
Basic information about the PIC card is displayed.
----End
Displaying the Electronic Label

The electronic label information includes the type of board/card, bar code, BOM code, English
description, production date, supplier name, issuing number, Common Language Equipment
Identification (CLEI) code, and sales BOM code.
Procedure
l
Run:
display elabel [ backplane | slot-id ]
The electronic label is displayed.

In practice, you can run this command in the user view to view information about the
electronic label of the boards. Enter slot-id to view information about the electronic label
of the board in the specified slot.
Displayed information includes the type of the board and PIC card, bar code, BOM, English
description, production date, supplier name, issuing number, Common Language
Equipment Identification (CLEI) code, and sales BOM.
NOTE
You can back up the electronic label of the specified board in the following ways:
l Run the backup elabel filename [ backplane | slot-id ] command to back up the electronic label
to the CF card on the ATN.
l Run the backup elabel ftp host filename username password [ backplane | slot-id ] command
to back up the electronic label to the specified FTP server.
----End
Displaying the Memory Usage

By specifying the slot ID, you can check the memory usage of the system control board.
Issue 02 (2013-12-31)

232

Equipment
Procedure
Step 1 Run:
display memory-usage [ slave ]
The memory usage threshold of the main system control board is displayed.
NOTE
To set the memory usage threshold in the main system control board, you can run the set memory-usage
threshold thresholdcommand.
----End
Displaying the CPU Usage

By specifying the slot ID, you can check the CPU usage of the MPU.
Procedure
Step 1 Run:
display cpu-usage [ task-name ] [ congfiguration ]
[ slave ]
NOTE
Only the ATN 950B supports the slave parameter.

To set the threshold of the CPU usage on the main MPU, you can run the set cpu-usage threshold thresholdvalue [ slave ] command, and run thedisplay cpu-usage configuration command can display the current
configuration of the CPU usage.
----End
Displaying Alarm Information

The alarm information includes the alarm severity, alarm date and time, and alarm description.
Procedure
Step 1 Run:
display alarm { slot-id | all }
Information about the alarm is displayed.

You can run this command in any view to view current information about the ATN alarm. Alarm
information includes the following:
l Alarm severity
l Alarm date and time
l Alarm description
NOTE
After the ATN alarm is displayed, you can run the clear alarm index index-id { send-trap | no-trap }
command to clear the alarm at the specified index-id.
----End
Issue 02 (2013-12-31)

233

Equipment
Displaying the Board Temperature

The temperature information includes the temperature status of each board, temperature alarm
thresholds of a board, and actual temperature of a board.
Procedure
Step 1 Run:
display temperature slot slot-id
The temperature of the specified board is displayed.

In practice, using this command in any view, you can view the current temperature of the
ATN.The temperature information includes the following:
l Current temperature status of the board
l Threshold to the alarm temperature of the board
l Actual temperature of the board
----End
Displaying the Board Voltage

The voltage information includes the number of voltage sensors on each board, working voltage
sensor of each board, working status of the voltage sensor on each board, and voltage alarm
thresholds of each board.
Procedure
Step 1 Run:
display voltage slot slot-id
The board voltage is displayed.

In practice, using this command in any view, you can view the voltage of all the boards. The
voltage information includes the following:
l Number of the voltage sensors
l Working voltage sensors
l Working status of the voltage sensors
l Alarm field value of the voltage
l Actual board voltage
----End
Displaying the Power Supply Status

The power supply information includes the slot ID of the power supply module, whether the
power supply module is registered, working mode of the power supply module, and cable status
of the power supply module.
Issue 02 (2013-12-31)

234

Equipment
Procedure
Step 1 Run:
display power
The power supply status is displayed.

In practice, using this command in any view, you can view the power supply status. The displayed
information includes the following:
l Slot number of the power supply module
l Presence status of the power supply module
l Operation mode of the power supply module
l Cable status of the power supply module
----End
Displaying the Sequence Number of the MPU

Each MPU has a globally unique equipment serial number (ESN).
Procedure
Step 1 Run:
display esn
The sequence number of the MPU is displayed. In the operation, using this command in any
view, you can view the sequence number of the MPU on the ATN.
----End
1.9.3 Board Maintence

Board Maintenance involves resetting a board and clearing the maximum CPU usage.
Resetting a Board
You need to back up important data before resetting a board.
Context
In the case that a board is faulty, you can use the reset slot command to reset the board.
CAUTION
Back up important data before resetting the board.
Do as follows on the ATN:
Issue 02 (2013-12-31)

235

Equipment
Procedure
Step 1 Run:
reset slot slot-id
The board is reset.

NOTE
l If this command is run to reset a master MPU and no slave MPU exists, the master MPU is reset with
the CPU being powered on. If a slave MPU exists, this command performs master/slave MPU
switchover.
l If the board is still abnormal after being reset, contact the Huawei technical support personnel.
----End
1.10 Patch Management

Patch management includes checking the running patch, loading patch files, and installing
patches.
1.10.1 Patch Management Introduction

This section describes basic patch functions.
Patch Management Overview

You can install patches to improve system functions.
Patch Overview
You occasionally need to revise the system software, such as remove system defects or add new
functions, while the device is running. In the past, it was common practice to shut the system
down before performing an upgrade, but this static upgrade affects the service on the device and
does not improve its communication. However, if you load a patch to the system software, you
can upgrade it online without interrupting the operation of the device. This dynamic upgrade
does not affect services and can actually improve its communication.
Patch Area
In the memory of the Main Processing Unit (MPU), a space, called a patch area, is reserved for
the patch.
To install the patch, save it to the patch area in the memory of the board.
The patch saved in the patch area is numbered uniquely. Up to 2000 patches can be saved to the
patch area in the memory of the MPU .
Patch States
The patch state can be idle, deactive, active, or running. For details, see Table 1-20,
Issue 02 (2013-12-31)

236

Equipment
Table 1-20 Patch states

State
Description
States Conversion
No patch
(idle)
The patch file is saved to the CF

card but is not loaded to the patch
area in the memory.
When the patch is loaded to the patch

area, the patch status is set to deactive.
deactive
The patch is loaded to the patch

area but is disabled.
The patch in the deactive state can be:

l Uninstalled, that is, deleted from the
patch area.
l Enabled temporarily and then
switched to the active state.
active

area and enabled temporarily.
The patch in the active state can be:
If the board is reset, the active

patch on that board switches to the
deactive state.
l Uninstalled, that is, deleted from the

patch area.
l Enabled temporarily and then
switched to the active state.
l Enabled permanently and then
switched to the running state.
running

area and enabled permanently.
If the board is reset, the patch on
the board remains in the running
state.
The patch in the running state can be

uninstalled and deleted from the patch
area.
Figure 1-48shows the conversion between patch states.

Figure 1-48 Conversion between patch states
Load patch
No patch
Delete patch
Deactivated
Deactive patch
Delete patch
Active patch
Delete patch
Running
Issue 02 (2013-12-31)
Run patch
Activated

237

Equipment
Patches Supported by the ATN

The ATN enables patches to be loaded to the system or a certain board.
Patch Functions
Installing patches can improve system functions or fix bugs. By installing a patch, you can
upgrade the system without upgrading the system software.
Logic Relationships Between Configuration Tasks

Figure 1-49shows the logical relationships between the configuration tasks.
Figure 1-49 Logical relationships between configuration tasks
Resort to
technical
support for
new patch
Run VRP
Normally run
Yes
No
Enable patch
temporarily
Bug removed
No
Disable patch
Yes
End
Unload patch
1.10.2 Checking Whether a Patch is Running in the System

The system allows only one patch to run. Therefore, confirm that no patch is running before
loading a new patch.
Before You Start

Before checking the running patch, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This can help you complete
the configuration task quickly and accurately.
The system allows the running of only one patch at a time. Therefore, you need to confirm no
patch is running in the current system before installing a patch. If a patch is running, delete it
before installing the new patch.
Issue 02 (2013-12-31)

238

Equipment
Before checking whether a patch is running in the system, complete the following tasks:
l
Ensure that the ATN starts normally after being powered on.
Ensure that you can log in to the ATN.
Data Preparation
None
Checking the Running of a Patch in the System

You can run the display patch-information command to view information about the running
patch units, activated patch units, and deactivated patch units.
Context
Do as follows on the ATN to be upgraded:
Procedure
Step 1 Run:
display patch-information
All information about the current patch is displayed, including information about the patch units
that are running, the patch units that are activated, and the patch units that are deactivated.
----End
Example
<HUAWEI> display patch-information
Info: No patch exists.
This indicates that no patch is running in the current system.

NOTE
If patches are running, delete them before loading new patches.
(Optional) Deleting a Patch

The system allows only one patch to run at a time. If a patch is running, delete it before loading
a new patch.
Context
Before installing a patch, you need to delete the running patch.
Do as follows on the ATN to be upgraded.
Procedure
Step 1 Run:patch delete all
Issue 02 (2013-12-31)

239

Equipment
The running patch is deleted.

----End
1.10.3 Loading a Patch

Patches can be loaded through FTP or TFTP.
Before You Start

Before loading a patch, familiarize yourself with the applicable environment, complete the preconfiguration tasks, and obtain the required data. This can help you complete the configuration
task quickly and accurately.
Before you upload a patch, upload it to the root directory of the CF card of the master MPU.
Then, copy the patch to the root directory of the CF card of the slave MPU.
NOTE
Only ATN 950B supports a slave MPU. You must upload the patch file to the slave MPU.
The three methods used to upload a patch are FTP,.
Before loading a patch, complete the following tasks:
l
Ensure that the ATN starts normally after being powered on.
Ensure that you can log in to the ATN.
Data Preparation
Before running a patch, obtain a patch that is consistent with the board.
No.
Data
Uploading a Patch to the Root Directory of the CF Card of the Master MPU
Copying a Patch to the Root Directory of the CF Card of the Slave MPU
Loading a Patch
On a dual-MPU router, you need to load a patch to both the master MPU and the slave MPU.
Context
Issue 02 (2013-12-31)

240

Equipment
Procedure
Step 1 Upload a patch to the root directory of the CF card of the master MPU.
The ATN supports the uploading of files through FTP, TFTP,. For more information, see: "FTP,
TFTP,". Choose an uploading method based on your requirements.
Step 2 Run:
startup patch file-name
The patch package is specified for the MPU on the next startup.
Step 3 Run:
startup patch file-name
The patch package is specified for the master MPU on the next startup. (Skip this step if the
chassis is ATN 910/ATN 910I/ATN 910B.)
Step 4 Run:
startup patch file-name slave-board
The patch package is specified for the slave MPU on the next startup. (Skip this step if the
chassis is ATN 910/ATN 910I/ATN 910B.)
----End

After a patch is loaded, you can check patch information.
Context
Run the following commands to check the previous configuration.
Procedure
l
Run:
dir cfcard:/
Check the files on the MPU.

l
Run:
dir slave#cfcard:/
Check the files on the slave MPU.

NOTE
Only the ATN 950B supports the slave#cfcard:/ parameter.
Run:
display startup
Check the patch file used in the next system startup.

----End
Issue 02 (2013-12-31)

241

Equipment
1.10.4 Installing a Patch

You can install a patch on the system to repair it. By installing the patch, you can upgrade the
system without upgrading the system software.
Establishing the Configuration Task

Before installing a patch on the system, familiarize yourself with the applicable environment,
Installing patches can fix system vulnerabilities or correct system defects. By installing a patch,
you can upgrade the system without upgrading the system software.
When a patch is uploaded, the system checks that the patch version is the same as the system
version. If the two versions are not the same, the system prompts that the patch uploading fails.
Before installing a patch, upload the patch to the root directory of the CF card of the master
MPU and slave MPU.
NOTE
Only ATN 950B supports a slave MPU. You must upload the patch file to the slave MPU.
Data Preparation
None
Loading a Patch
You can load a patch only when the patch version matches the system software version.
Context
Procedure
Step 1 Run:
patch load file-name all
The patch is loaded.

----End
Follow-up Procedure
When a patch is loaded, the system checks whether the patch version is the same as the system
version. If both versions are not the same, the system determines that the patch loading fails.
Issue 02 (2013-12-31)

242

Equipment
When the patch is loaded successfully, it's status is Deactive. This status remains Deactive after
the board is reset.
Activating a Patch
A patch can be activated only when it is correctly loaded and is in the deactivated state.
Context
Procedure
Step 1 Run:
patch active all
The patch is activated.

----End
Follow-up Procedure
A patch can be activated only when it is correctly loaded and is in the deactivated state. When
a patch is activated, it immediately becomes valid. After the board is reset, however, the status
of the patch becomes Deactive , and the patch does not remain valid.
Running a Patch
A patch can be run only after it is activated. Running a patch means that the patch is activated
permanently.
Context
Do as follows on the ATN be upgraded:
Procedure
Step 1 Run:
patch run all
The patch is run.

----End
Follow-up Procedure
A patch can be run only after it is activated. Running a patch means that the patch is activated
permanently and the patch remains valid after the board is reset. The status of the patch remains
Running.

After a patch is installed on the system, you can check the patch status.
Issue 02 (2013-12-31)

243

Equipment
Procedure
l
Run:
Check the patch state.

----End
1.10.5 (Optional) Deactivating the Patch

If an installed patch does not take effect, you need to deactivate it.
Before You Start

Before deactivating a patch, familiarize yourself with the applicable environment, complete the
pre-configuration tasks, and obtain the required data. This can help you complete the
configuration task quickly and accurately.
After a patch is activated, you need to determine whether the patch has achieved the expected
effect. If the patch is not valid, you need to activate it.
A patch can be deactivated only after it is activated.
None
Data Preparation
None
Deactivating a Patch
Deactivating a patch makes an active patch become inactive.
Procedure
Step 1 Run:
patch deactive all
The patch is deactivated.

----End

After a patch is deactivated, you can run the display command to check the patch status.
Procedure
l
Issue 02 (2013-12-31)
Run:
244

Equipment
Check the patch state.

----End
1.10.6 Configuration Examples for Patch Management

This section describes some configuration examples for managing patches.
Example for Installing a Patch

When the system has vulnerabilities or defects, you can install a patch to repair the system.
Figure 1-50shows that some urgent bug occurs in the system software at the Provider Edge (PE)
connected to the Internet. Huawei provides the patch file to remove the bug. The patch in this
patch file must be installed to remove the bug.
Figure 1-50 Networking diagram of installing a patch
FTP Server
10.1.1.2/24
GE0/2/0
10.1.1.1/24
MPLS Core
PE
PC
10.1.1.3/24
1.
Save the patch file to the root directory of the CF card on the MPU.
2.
Load the patch.
3.
Activate the patch.
4.
Run the patch.
Data Preparation
l
File name of the patch: patch.pat
Path the patch saved to on the MPU: cfcard:/
Issue 02 (2013-12-31)

245

Equipment
Procedure
Step 1 Upload the patch file for the system software.
# Log in to the FTP server.
<PE> ftp 10.1.1.2
Trying 10.1.1.2 ...
Connected to 192.168.1.2.
User(10.1.1.2:(none)):huawei
331 Password required for huawei.
Password:
230 User logged in.
[ftp]
# Configure the binary transmission format and the working directory of the CF card on PE.
[ftp] binary
200 Type set to I.
[ftp] lcd cfcard:/
% Local directory now cfcard:.
# Load the patch file for the current system software from the remote FTP server.
[ftp] get patch.pat
150 Opening ASCII mode data connection for license.txt.
[ftp] bye
221 Server closing.
<PE>
# Copy the patch file to the CF card on the slave MPU. (Skip this step if the chassis is ATN
910/ATN 910I/ATN 910B.)
<PE> copy cfcard:/patch.pat slave#cfcard:/
Copy cfcard:/patch.pat to slave#cfcard:/patch.pat?[Y/N]:y
100% complete
Info:Copied file cfcard:/ patch.pat to slave#cfcard:/ patch.pat...Done
Step 2 Load the patch.

<PE>
patch load patch.pat all
Step 3 Activate the patch.

<PE> patch active all
Step 4 Run the patch.

<PE> patch run all
Step 5 Verify the configuration

<PE> display patch-information
Patch Package Name
:cfcard:/patch.pat
Patch Package Version:V200R003C00
The state of the patch state file is: Running
The current state is: Running
************************************************************************
*
The hot patch information, as follows:
*
************************************************************************
Slot
Issue 02 (2013-12-31)
Type
State
Count

246

Equipment
-----------------------------------------------------------2
C
Running
1
----End
Configuration Files
None
1.11 Glossary
This appendix collates frequently used terms in this document.
A
Accounting
A network security service that records the user's access to the

network.
Agent
A process that is used in all managed devices. It receives request

packets from the NM Station and performs the Read or Write
operation on managed variables according to packet types and
generates response packets and sends them to the NM Station.
AH
Authentication Header. A security protocol that provides data

authentication and integrity for IP packets. AH is used in the
transmission mode and in the tunneling mode.
ASSP
Analogue Sensor Signal Processes. An error tolerance protocol

that provides the interface backup in the multiple access, multicast
and broadcast in LAN (such as Ethernet).
Authentication
A method used to prove user identity.
Authorization
A method used to prove identity of users to use the service.
B
Backup center
A mechanism in which the interfaces on a device back up each

other and trace the status of the interface. If an interface is Down,
the backup center provides a backup interface to undertake the
service.
BFD
Bidirectional Forwarding Detection. A unified detection

mechanism that is used to detect and monitor the link or IP routes
forwarding at a fast pace.
Black list
A filtering mode that is used to filter the packet according to the

source IP address. Compared with the ACL, the black list can filter
the packet at a high speed because its matching region is simple.
It can shield the packet from the specified IP address.
Issue 02 (2013-12-31)

247

Equipment
CLI
Command Line Interface. An interface that allows the user to

interact with the operating system. Users can configure and
manage the ATN by entering commands through the CLI.
Congestion avoidance
A flow control mechanism by which the network overload is

relieved by adjusting the network traffic. When the congestion
occurs and becomes worse, the packet is discarded by monitoring
the network resource.
Congestion management A flow control measure to solve the problem of network resource
competition. When the network congestion occurs, it places the
packet into the queue for buffer and determines the order of
forwarding the packet.
Command line level
The priority of the system command that is divided into 4 levels.

Users of a level can run the command only of the same or lower
level.
E
Ethernet
A baseband LAN specification created by Xerox and developed

by Xerox, Intel, and Digital Equipment Corporation (DEC). This
specification is similar to IEEE802.3.
Ethernet_II
An encapsulation format of the Ethernet frame. Ethernet_II that

contains a 16-bit protocol type field is the standard ARPA Ethernet
Version 2.0 encapsulation.
Ethernet_SNAP
An encapsulation format of the Ethernet frame. The frame format

complies with RFC 1042 and enables the transmission of the
Ethernet frame on the IEEE 802.2 media.
F
FIFO
First In First Out. A queuing scheme in which the first data into
the network is also the fist data out of the network.
File system
A method in which files and directories in the storage devices are

managed, such as creating a file system, creating, deleting,
modifying and renaming a file or directory or displaying the
contents of the file.
FTP
File Transfer Protocol. An application protocol in the TCP/IP

stack, used for transferring files between remote hosts. FTP is
implemented based on the file system.
Issue 02 (2013-12-31)

248

Equipment
HGMPv2
Huawei Group Management Protocol Version 2. A protocol with

which the discovery, topology collection, centralized management
and remote maintenance are implemented on Layer 2 devices of a
cluster that are connected with the ATN.
I
Information center
The information hinge in the MA5200G that can classify and filter
the output information.
Interface mirroring
A method of copying the packet of the mirrored interface to the

other mirroring interfaces to forward the packet.
IP negotiated
An attribute of the interface. When the user accesses the Internet

through the ISP, the IP address is usually allocated by the peer
server. The PPP packet must be encapsulated and the IP address
negotiated attribute must be configured on the interface so that the
local interface accepts the IP address allocated by the peer end
through the PPP negotiation.
IP unnumbered
A mechanism in which the interface that is not configured with an

IP address can borrow the IP address of the interface that is
configured with an IP address to save the IP address resource.
ISATAP tunnel
Intra-site Automatic Tunnel Addressing Protocol. A protocol that

is used for the IPv4/IPv6 host in the IPv4 network to access the
IPv6 network. The ISATAP tunnel can be established between the
ISATAP hosts or between the ISATAP host and the ISATAP
ATN.
ISIS-TE
Traffic engineering of IS-IS. (For the information of IS-IS, refer

to Acronyms and Abbreviations)
L
LAN interface
Local Area Network interface. Often an Ethernet interface through

which the ATN can exchange data with the network device in a
LAN.
License
Permission of some features that dynamically control the product.
Logical interface
A configured interface that can exchange data but does not exist
physically. A logical interface can be a sub-interface, virtualtemplate interface, virtual Ethernet interface, Loopback interface,
Null interface and Tunnel interface.
M
MIB
Issue 02 (2013-12-31)
Management Information Base. A database of variables of the

monitored network device. It can uniquely define a managed
object.
249

Equipment
Modem
Modulator-demodulator. Device that converts digital and analog

signals.
Multicast
A process of transmitting packets of data from one source to many

destinations. The destination address of the multicast packet uses
Class D address, that is, the IP address ranges from 224.0.0.0 to
239.255.255.255. Each multicast address represents a multicast
group rather than a host.
N
NDP
Neighbor Discovery Protocol. A protocol that is used to discover

the information of the neighboring Huawei device that is
connected with the local device.
NMS
Network Management System. A system that sends various query

packets and receives the response packet and trap packet from the
managed devices and displays all the information.
NTDP
A protocol that is used to collect the information of the adjacency

and the backup switch of each device in the network.
NTP
Network Time Protocol. An application protocol that is used to

synchronize the distributed server and the client side.
O
OSPF-TE
Traffic engineering of OSPF. (For the information of OSPF, refer

P
Policy-based routing
A routing scheme that forwards packets to specific interfaces based

on user-configured policies.
Issue 02 (2013-12-31)
Regular expression
When a lot of information is output, you can filter the unnecessary

contents out with regular expressions and display the necessary
contents.
RMON
Remote monitoring. An MIB agent specification defined by the

IETF that defines functions for the remote monitoring of the data
flow of a network segment or the whole network.

250

Equipment
ATN
A device on the network layer that selects routes in the network.

The ATN selects the optimal route according to the destination
address of the received packet through a network and forwards the
packet to the next ATN. The last ATN is responsible for sending
the packet to the destination host.
RRPP
Rapid Ring Protection Protocol. A protocol that is applied on the

data link layer. When the Ethernet ring is complete, it can prevent
the broadcast storm caused by the data loop. When a link is
disconnected on an Ethernet ring, it can rapidly restore the
communication link between the nodes on the ring network.
RSVP-TE
Traffic engineering of RSVP. (For the information of RSVP, refer

S
Service tracing
A method of service debugging, diagnosis and error detection that

is mainly used for service personnel to locate the fault in user
access. The service tracing can output the status change and the
result of the protocol processing of the specified user during the
access to the terminal or the server for the reference and analysis
of the service personnel.
SSH
Secure Shell. A protocol that provides a secure connection to a

ATN through a TCP application.
Static ARP
A protocol that binds some IP addresses to a specified gateway.

The packet of these IP addresses must be forwarded through this
gateway.
System environment
Basic parameters for running the MA5200G such as host name,

language mode and system time. After configuration, the system
environment can meet the requirements of the actual environment.
Issue 02 (2013-12-31)
Telnet
An application protocol of the TCP/IP stack that provides virtual

terminal services for a wide variety of remote systems.
Terminal
A device that is connected with other devices through the serial

port. The keyboard and the display have no disk drives.
Traffic policing
A process used to measure the actual traffic flow across a given

connection and compare it to the total admissible traffic flow for
that connection. When the traffic exceeds the flow that is agreed
upon , some restrictions or penalties are adopted to protect the
interest and the network resource of the operator.

251

Equipment
Traffic shaping
A flow control measure to shape the flow rate. It is often used to

control the flow in regular amounts to ensure that the traffic is
within the traffic stipulated for the downstream ATN and prevents
unnecessary discard and congestion.
Tunnel
Secure communication path between two peers in the VPN that

protect the internal information of the VPN from the interruption.
V
VPN
Virtual Private Network. A new technology developed with the

Internet to provide an apparent single private network over a public
network. "Virtual" means the network is a logical network.
VRP
Versatile Routing Platform. A versatile routing operating system

platform developed for all data communication products of
Huawei. With the IP service as its core, the VRP adopts the
componentized architecture. The VRP realizes rich functions and
provides tailorability and scalability based on applications.
VRRP
Virtual ATN Redundancy Protocol. An error tolerant protocol

defined in RFC 2338. It forms a backup group for a group of
ATN in a LAN that functions as a virtual ATN.
VTY
Virtual type terminal. A terminal line that is used to access a

ATN through Telnet.
X
X.25
A protocol applied on the data link layer that defines how

connections between DTE and DCE are maintained for remote
terminal access and computer communications in PDNs.
XModem
A transmission protocol in the format of the binary code.
XOT
X.25 over TCP. A protocol that implements the interconnection

between two X.25 networks through the TCP packet bearing X.25
frames.

Numerics
3DES
Issue 02 (2013-12-31)
Triple Data Encryption Standard

252

Equipment
A
AAA
Authentication, Authorization and Accounting
ACL
Access Control List
ARP
Address Resolution Protocol
AES
Advanced Encryption Standard
ASPF
Application Specific Packet Filter
AUX
Auxiliary port
B
BGP
Border Gateway Protocol
C
CBQ
Class-based Queue
CHAP
Challenge Handshake Authentication Protocol
CQ
Custom Queuing
CR-LDP
Constraint-based Routing LDP
D
DES
Data Encryption Standard
DHCP
Dynamic Host Configuration Protocol
DNS
Domain Name System
E
ESP
Encapsulating Security Payload
F
FR
Frame Relay
G
GRE
Issue 02 (2013-12-31)
Generic Routing Encapsulation

253

Equipment
H
HDLC
High Level Data Link Control
I
IETF
Internet Engineering Task Force
IKE
Internet Key Exchange
IPSec
IP Security
IS-IS
Intermediate System-to-Intermediate System intra-domain

routing information exchange protocol
ITU-T
International Telecommunication Union Telecommunications

Standardization Sector
L
L2TP
Layer Two Tunneling Protocol
LAPB
Link Access Procedure Balanced
LDP
Label Distribution Protocol
M
MAC
Medium Access Control
MBGP
Multiprotocol Extensions for BGP-4
MFR
Multiple Frame Relay
MP
MultiLink PPP
MPLS
Multiprotocol Label Switching
MSDP
Multicast Source Discovery Protocol
MTU
Maximum Transmission Unit
N
NAT
Network Address Translation
O
OAM
Issue 02 (2013-12-31)
Operation, Administration and Maintenance

254

Equipment
OSPF
Open Shortest Path First
P
PAP
Password Authentication Protocol
PE
Provider Edge
Ping
Ping (Packet Internet Groper)
PPP
Point-to-Point Protocol
PPPoA
PPP over AAL5
PPPoE
Point-to-Point Protocol over Ethernet
PPPoEoA
PPPoE on AAL5
PQ
Priority Queuing
Q
QoS
Quality of Service
R
RADIUS
Remote Authentication Dial In User Service
RIP
Routing Information Protocol
RPR
Resilient Packet Ring
RSVP
Resource Reservation Protocol
S
SFTP
SSH File Transfer Protocol
T
TE
Traffic Engineering
TCP
Transmission Control Protocol
TFTP
Trivial File Transfer Protocol
V
VPN
Issue 02 (2013-12-31)
Virtual Private Network

255

Equipment
VRP
Versatile Routing Platform
VRRP
Virtual Router Redundancy Protocol
W
WAN
Wide Area Network
WFQ
Weighted Fair Queuing
WRED
Weighted Random Early Detection
X
XOT
Issue 02 (2013-12-31)
X.25 Over TCP

256

Equipment
2 System Management
System Management
About This Chapter

The document describes the configuration methods of system management in terms of basic
for the system management of the ATN equipment.
2.1 Information Center Configuration
This chapter describes how to configure the information center to control the output of logs,
alarms, and debugging messages.
2.2 SNMP Configuration
The Simple Network Management Protocol (SNMP) is a standard network management protocol
widely used on TCP/IP networks. It uses a central computer (a network management station)
that runs network management software to manage network elements. There are three SNMP
versions, SNMPv1, SNMPv2c, and SNMPv3. You can configure one or more versions, if
needed.
2.3 RMON and RMON2 Configuration
This chapter describes how to monitor the Ethernet interface through Remote Network
Monitoring (RMON) and Remote Network Monitoring Version 2 (RMON2).
2.4 IP FPM Configuration
IP Flow Performance Measurement (FPM) is a Huawei proprietary feature that measures packet
loss rate and delay of end-to-end service packets transmitted on an IP network to determine
network performance. This feature is easy to deploy and provides an accurate assessment of
network performance.
2.5 NQA Configuration
This chapter describes how to configure the Network Quality Analysis (NQA) to monitor the
network operating status and collect network operation indexes in real time.
2.6 Ping and Tracert
This chapter describes how to check the network connectivity through ping and tracert
operations.
2.7 Fault Management
2.8 Performance Management
Issue 02 (2013-12-31)

257

Equipment
2 System Management
Performance management (PM) can discover potential problems in the network and provide
references for system decisions by monitoring and collecting performance indicators in the
system (such as the CPU usage and number of received and sent packets at an interface). PM is
used for network condition analysis, capacity planning, fault location and other purposes.
2.9 PoE Configurations
2.10 Glossary
This chapter lists the frequently used terms in this document and corresponding English full
names.
This chapter lists the frequently used acronyms in this document and corresponding English full
names.
Issue 02 (2013-12-31)

258

Equipment
2 System Management
2.1 Information Center Configuration

This chapter describes how to configure the information center to control the output of logs,
alarms, and debugging messages.
2.1.1 Information Center Overview

The information center controls the output of logs, alarms, and debugging messages.
Introduction
The information center works as the information hub of a ATN. It classifies and filters the output
of a system. The information center uses a debugging program to help network administrator
and developers monitor network operation and analyze network faults.
Information Center Supported by the ATN

The information center outputs logs, alarms, and debugging messages at eight severity levels
through 10 information channels.
Information Classification
The information center receives and processes information of the following types:
l
Logs
Debugging information
Alarms
Severity Levels of Information

Information has eight severity levels as shown in Table 2-1. The lower the severity level, the
more severe the information.
Table 2-1 Description of the severity levels of information
Issue 02 (2013-12-31)
Threshold
Severity Level
Description
Emergencies
A fatal fault, such as a program exception or incorrect

memory usage, occurs on the device. The system must
restart.
Alert
An important fault, such as the device memory

reaching the highest limit, occurs on the device. The
fault needs to be fixed immediately.

259

Equipment
2 System Management
Threshold
Severity Level
Description
Critical
A crucial fault, such as the memory or temperature

reaching the lowest limit, or the BFD device being
unreachable, occurs on the device. An internal fault
can also be generated by the device itself. The fault
needs to be analyzed and fixed.
Error
A fault, such as a user running incorrect commands,

entering a wrong password, or receiving wrong
protocol packets from other devices, occurs on the
device. These faults can be caused by improper
operation or a wrong process.
They do not affect services but should be given
attention.
Warning
An abnormal situation, such as the user disabling the

routing process, the BFD detecting packet loss, or the
wrong protocol packet being received occurs on the
device.
The fault may affect services and should be given
attention.
Notification
Indicates the key operations used to ensure that the

device runs normally, such as the execution of the
shutdown command, the performance of neighbor
discovery, or the status change of the state machine.
Informational
Indicates the common operations used to ensure that

the device runs normally, such as the execution of the
display command.
Debugging
Indicates that the common device information does

not require attention.
When information filtering based on severity levels is enabled, only the information whose
severity level threshold is less than or equal to the configured value is output.
For example, if the severity level value is configured to 6, only information with a severity level
ranging from 0 to 6 is output.
Working Process of the Information Center

The working process of the information center is as follows:
l
The information center receives logs, alarms, and debugging information from all modules.
The information center outputs information with different severity levels to different
information channels according to the configuration.
Information is transmitted in different directions based on the relationship between the

information channel and the output direction.
Issue 02 (2013-12-31)

260

Equipment
2 System Management
Generally, the information center distributes three types of information classified into eight
levels to 10 information channels. Information is then output to different directions.
As shown in Figure 2-1, logs, alarms, and debugging information have default output channels.
They can be customized to be output from other channels. For example, logs can be configured
to be output to the log cache through Channel 6 rather than the default Channel 4.
Figure 2-1 Functions of the information channel
Information Channels and Output Directions

The system supports 10 channels. The first six channels (Channel 0 to Channel 5) have default
channel names and are associated with six default output directions. For devices equipped a CF
card, log information is output to log files through Channel 9 by default. That is, seven total
default output directions are supported.
For details of the association relationship between default channels and output directions, see
Table 2-2.
Issue 02 (2013-12-31)

261

Equipment
2 System Management
Table 2-2 Association relationship between default channels and output directions
Channel
Number
Default
Channel Name
Output
Direction
Description
Console
Console
Outputs logs, alarms, and debugging

information to the local console.
Monitor
Monitor

information to the VTY terminals for
remote maintenance.
Loghost
Log host

information to the log host. Information is
saved to the log host in the file format for
easy reference.
Trapbuffer
Trap buffer
Outputs alarms to the alarm buffer. The

ATN assigns a specific area to be the alarm
buffer for recording alarms.
Logbuffer
Log buffer
Outputs logs to the log buffer. The ATN

assigns a specified area to be the log buffer
for recording logs.
Snmpagent
SNMP agent
Outputs alarms to the SNMP agent.
Unspecified
Unspecified
Reserved, this channel can be configured to

output to different directions.
Unspecified
Unspecified

Unspecified
Unspecified

Channel9
Log file
Outputs logs, alarms and debugging

information to the log file on the CF card
In the case of multiple log hosts, logs can be output through one channel or several channels.
For example, some logs can be output to a log host through Channel 2 (loghost) and some logs
can be output to another log host through Channel 6. For easy management, the name of Channel
6 can be changed.
Format of Logs
Syslog is a sub-function of the information center. It outputs information to a log host through
port 514.
Figure 2-2 shows the format of logs.
Figure 2-2 Format of the output logs
<Int_16>TIMESTAMP HOSTNAME %%ddAAA/B/CCC(t)[e]:slot=XXX; YYYY

Issue 02 (2013-12-31)

262

Equipment
2 System Management
Table 2-3 describes each field in a log message.

Table 2-3 Description of each field in a log message
Field
Indication
Description
<Int_16>
Leading character
Leading characters are added before logs are

output to log hosts.
Logs saved in the local device do not contain
leading characters.
TIMESTAMP
Time to send out the

information
Available formats for the timestamp are as follows:

l boot: The timestamp in this format indicates a
relative time.
l date: The timestamp in this format indicates the
system time. Timestamps in logs, alarms and
debugging information are in this format by
default.
l short-date: Unlike the date format, timestamps
in the short-date format do not indicate the year.
l format-date: The timestamp in this format is
another format of the system time.
l none: indicates that the information does not
contain any timestamp.
There is a space between the timestamp and the
host name.
Issue 02 (2013-12-31)
HOSTNAME
Host name
By default, the name is HUAWEI.
%%
Huawei logo
Indicates that log information is output by a

Huawei device.
dd
Version number
Identifies the version of the log format.
AAA
Module name
Indicates the name of the module that outputs

information to the information center.
Log level
Indicates the severity level of a log.
CCC
Brief description
Describes the information type.
(t)
Information type
Indicates the user log identifier.
[e]
Information counter
Indicates the log sequence number.
slot=XXX
Location information
Indicates the number of the slot that sends the

location information.

263

Equipment
2 System Management
Field
Indication
Description
YYYY
Descriptor
Indicates detailed information output from each

module to the information center.
Before outputting logs, each module fills in this
field to describe log content.
Format of Alarms
Figure 2-3 shows the format of the output alarms.
Figure 2-3 Format of the output alarms
Table 2-4 describes each field in an alarm message.

Table 2-4 Description of each field of in an alarm message
Field
Indication
Description
TimeStamp
Time to send out the

information
Available formats for the timestamp are as follows:

l boot: The timestamp in this format indicates a
relative time.
l date: The timestamp in this format indicates the
system time. Timestamps in logs, alarms and
debugging information are in this format by
default.
l short-date: Unlike the date format, timestamps
in the short-date format do not indicate the year.
l format-date: The timestamp in this format is
another format of the system time.
l none: indicates that the information does not
contain a timestamp.
There is a space between the timestamp and the
host name.
Issue 02 (2013-12-31)
HostName
Host name
By default, the name is HUAWEI.There is a space

between the sysname and module name.
ModuleName
Module name
Indicates the name of the module that generates an

alarm.

264

Equipment
2 System Management
Field
Indication
Description
Severity
Severity level
Severity levels available for an alarm message are

as follows:
l Critical
l Major
l Minor
l Warning
Brief
Brief information
Provides brief information of the alarms.
Description
Description
Provides detailed description of the alarms.
2.1.2 Enabling Log Output

This section describes how to output logs of a specific module to a log file, console, terminal,
or log host.
Before You Start

Before configuring the log output, familiarize yourself with the usage scenario, complete the
The system logs the operation information about devices in real time. It then outputs logs to the
log buffer, log file, console, terminal, and log host for storage and future reference. In this
manner, when faults occur on devices, users can locate the faults based on the logs.
Before configuring the log output, complete the following tasks:
l
Connecting the ATN to the PC properly
Ensuring that the route between the ATN and the log host is reachable
Configuring an Virtual Private Network (VPN) instance
Data Preparation
To configure the log output, you need the following data.
No.
Data
l Channel number
l Channel name
Issue 02 (2013-12-31)

265

Equipment
No.
Data
Module name
Address of the log host
Severity level of the log
(Optional) Size of the log buffer
(Optional) VPN instance name
2 System Management
Enabling the Information Center

If the information center function is disabled, you can enable it. By default, this function is
enabled.
Context
The information center classifies and outputs information. When it is heavily loaded with
information processing, system performance degrades.
Procedure
Step 1 Run:
system-view

Step 2 Run:
info-center enable
The information center is enabled.

By default, the information center is enabled.
----End
(Optional) Naming an Information Channel

Naming an information channel helps clarify what is output by each channel.
Procedure
Step 1 Run:
system-view

Step 2 Run:
info-center channel channel-number name channel-name
Issue 02 (2013-12-31)

266

Equipment
2 System Management
A channel is named.
----End
(Optional) Configuring the Function of Filtering Logs by IDs

The binary log function can filter specific logs.
Context
Binary logs provide the function of filtering specified logs by their IDs. To filter certain logs,
the user can obtain IDs of these logs through log resolution tools and add these IDs to the log
filtering list.
After that, the information center does not send these logs in each output direction.
Procedure
Step 1 Run:
system-view

Step 2 Run:
info-center filter-id { id }
&<1-50>
One or more IDs are added and a space is used to separate these IDs.
NOTE
Currently, only 50 IDs can be shielded. The aggregation of these shielded IDs is called a log ID filtering
list. The log ID filtering list is arranged by ID values.
----End
Outputting Logs to the Log Buffer

The log buffer stores the latest logs generated by the system. You can set the log buffer size or
channels in this task.
Procedure
l
Configure the channel through which logs are output.

1.
Run the following command on the ATN enabled with the information center:
system-view

2.
Run:
info-center source { module-name | default } channel { channel-number |
channel-name } [ log { state { off | on } | level severity } * ]
Logs are sent to the information channel.

Logs can be output only after the information center is enabled.
l
Issue 02 (2013-12-31)

267

Equipment
1.
2 System Management
Run the following command on the ATN enabled with the information center:
system-view

2.
Run:
info-center logbuffer [ channel { channel-number | channel-name } ]
The channel through which logs are output to the log buffer is configured.
3.
(Optional) Run:
info-center logbuffer [ channel { channel-number | channel-name } | size
buffersize ] *
The size of the log buffer is configured.

After the information center is enabled, logs are output to the log buffer through
Channel 4 by default and the log buffer can cache a maximum of 512 logs.
----End
Outputting Logs to a Log File

When a fault occurs on the device, you locate the fault based on information saved in the log
file.
Procedure
Step 1 Send logs to a channel.
1.
Run:
system-view

2.
Run:
info-center source { module-name | default }channel { channel-number | channelname } [ log { state { off | on } | level severity } * ]
Logs are sent the information channel.

Logs can be output only after the information center is enabled.
Step 2 Configure the channel through which logs are output to the log file.
1.
Run:
info-center logfile channel { channel-number | channel-name }
The channel through which logs are output to the log file is configured.
Step 3 (Optional) Configure the size of the log file output by the information center.
1.
Run:
info-center logfile size size
The size of the configuration file is set.

By default, the size of log files is 8 MB.
Step 4 (Optional) Configure the maximum number of compressed log files to be stored.
1.
Issue 02 (2013-12-31)
Run:
268

Equipment
2 System Management
info-center max-logfile-number filenumbers
The maximum number of compressed log files to be stored is set.

By default, a maximum number of 200 compressed log files can be stored. If the configured
maximum number is reached, the system will delete earlier compressed log files.
Step 5 (Optional) Save the configurations to a log file.
1.
Run:
save logfile
The configurations are saved to a log file.

----End
Configuring a Device to Send Log Information to a Console

By configuring a device to send log information to a console, you can view the operating status
of the device on the console.
Context
Perform the following operations on the ATN configured with an information center:
Procedure
Step 1 Configure a device to send log information through a channel.
1.
Run:
system-view

2.
Run:
Log information is added to the channel.

Log information can be sent only after the information center is enabled.
Step 2 Configure the channel through which log information is sent to the console.
1.
Run:
info-center console channel { channel-number | channel-name }
The channel through which log information is sent to the console is configured.
2.
Run:
quit

Step 3 Enable the terminal display.
1.
Run:
terminal monitor
Terminal display is enabled.

Issue 02 (2013-12-31)

269

Equipment
2.
2 System Management
Run:
terminal logging
The terminal is enabled to display log information asynchronously.

3.
(Optional) Run:
terminal echo synchronous
The terminal is enabled to display log information synchronously.

----End
Configuring a Device to Send Log Information to a Terminal

By configuring a device to send log information to a terminal, you can view the operating status
of the device on the terminal.
Procedure
Step 1 Configure a device to send log information through a channel.
1.
Run:
system-view

2.
Run:
info-center source { module-name | default } channel { channel-number | channelname } [ log { state { off | on } | level severity } * ]
Log information is added to the channel.

Log information can be sent only after the information center is enabled.
Step 2 Configure the channel through which log information is sent to the terminal.
1.
Run:
info-center monitor channel { channel-number | channel-name }
The channel through which log information is sent to the terminal is configured.
2.
Run:
quit

Step 3 Enable terminal display.
1.
Run:
system-view

terminal monitor

2.
Run:
terminal logging
The terminal is enabled to display log information asynchronously.

Issue 02 (2013-12-31)

270

Equipment
3.
2 System Management
(Optional) Run:
The terminal is enabled to display log information synchronously.

----End
Outputting Logs to the Log Host

By outputting logs to the log host, you can view the operating status of the device on the log
host.
Procedure
Step 1 Configure logs to be output through the channel.
1.
Run:
system-view

2.
Run:
Logs are added to the information channel.

Step 2 Configure the channel through which logs are output to the log host.
l (On an IPv4 network) Run:
info-center loghost ip-address [ channel { channel-number | channel-name } |
facility local-number | { language language-name } | { vpn-instance vpn-instancename | public-net } ] *
The channel through which logs are output to the log host is configured.
By default, logs are not output to the log host after the information center is enabled.
info-center loghost ipv6 ipv6-address [ channel { channel-number | channelname } | facility local-number | { language language-name } ] *
The channel through which logs are output to the log host is configured.
By default, logs are not output to the log host.
The system supports the configuration of a maximum of eight log hosts to implement backup
among log hosts.
Step 3 Run:
info-center loghost source interface-type interface-number
A source interface is configured. This interface is recognized by the log host as the log sending
interface.
Each device has multiple interfaces that can send logs. All of these interfaces are configured to
report the source interfaces address, if configured, when they send logs. This helps the log host
quickly determine the source device from which the logs were sent.
Issue 02 (2013-12-31)

271

Equipment
2 System Management
By default, this interface is not configured, so that the log host will be aware of all actual log
sending interfaces on a device.
----End

Checking the Configuration of Information Center
Prerequisites
The configurations of the Information Center function are complete.
Procedure
l
Run the display channel [ channel-number | channel-name ] command to check the

configuration of a channel.
Run the display info-center [ statistics ] command to check the information recorded by
an information center.
Run the display logbuffer [ level severity | size value | slot slot-id ] * command to view
the information recorded by a log buffer.
Run the display info-center filter-id [ id ] command to check whether the ID of a single
log is added into the filtering list.
Run the display info-center filter-id command to check whether IDs of all logs are added
into the filtering list.
----End
2.1.3 Enabling Alarm Output

This section describes how to configure a specific module to output alarm information to log
files, consoles, terminals, or SNMP agents.
Before You Start

Before configuring the alarm output, familiarize yourself with the usage scenario, complete the
The device can generate alarms in specific situations to draw attention of the administrators.
Alarms can be output to the alarm buffer, log file, Console, terminal, and Network Management
System (NMS), through which the administrator can easily locate and rectify the fault.
Before enabling alarm output, complete the following tasks:
l
Connecting the ATN and the NM station correctly
Configuring routes between the ATN and the NM station
Issue 02 (2013-12-31)

272

Equipment
2 System Management
Data Preparation
To configure alarm output, you need the following data.
No.
Data
l Channel number
l Channel name
Module name
Severity level of alarms
(Optional) Size of an alarm buffer
IP address of Network Management System

enabled.
Context
Classifying and outputting a large amount of information degrades system performance.
Procedure
Step 1 Run:
system-view

Step 2 Run:
info-center enable

----End

Naming information channels helps clarify what is output by each channel.
Context
Perform the following steps on the ATN configured with the information center.
Issue 02 (2013-12-31)

273

Equipment
2 System Management
Procedure
Step 1 Run:
system-view

Step 2 Run:
The information channel specified by the channel-number is named as channel-name.

----End
Outputting Alarms to the Alarm Buffer

By default, alarms are output to the alarm buffer through a default channel. You can configure
alarms to be output through a specific channel.
Context
Perform the following steps on the ATN configured with the information center:
Procedure
Step 1 Configure the alarms to be output through the channel.
1.
Run:
system-view

2.
Run:
info-center source { module-name | default } channel { channel-number | channelname } [ trap { state { off | on } | level severity } * ]
Alarms are added to the information channel.

For the specific modules, the default configurations are as follows:
For the log information, the state is on and the allowed information level is warning.
For the alarm information, the state is on and the allowed information level is
debugging.
For the debugging information, the state is off.
Step 2 Configure the channel through which alarms are output to the alarm buffer.
1.
Run:
info-center trapbuffer [ channel { channel-number | channel-name } ]
The alarm buffer is set to receive information.

2.
Run:
(optional)info-center trapbuffer [ channel {
| size buffersize ] *
channel-number | channel-name }
The channel through which alarms are output to the alarm buffer is configured.
Issue 02 (2013-12-31)

274

Equipment
2 System Management
After the information center is enabled, alarms default to be output through Channel 3 to
the alarm buffer and the alarm buffer can contain 256 pieces of information.
----End
Outputting Alarms to the Log File

When a fault occurs on the device, you can analyze the output alarms to provide references for
fault location.
Context
Procedure
Step 1 Send logs to the channel.
1.
Run:
system-view

2.
Run:

debugging.
Step 2 Configure the channel through which alarms are output to the log file.
1.
Run:
The channel through which alarms are output to the log file is configured.
By default, alarms are output through Channel 9 to the log file after the information center
is enabled.
1.
Run:
The size of the log buffer is set.

By default, the size of log files is 8 MB.
1.
Run:
Issue 02 (2013-12-31)

275

Equipment
2 System Management

1.
Run:
save logfile

----End
Configuring a Device to Send Trap Information to a Console

By outputting alarms to the console, you can view the operating status of the device on the
console.
Context
Procedure
Step 1 Configure a device to send trap information through a channel.
1.
Run:
system-view

2.
Run:
Trap information is added to the channel.

For a specific module, the default configurations are as follows:
For the trap information, the state is on and the allowed information level is debugging.
Step 2 Configure the channel through which trap information is sent to the console.
1.
Run:
The channel through which trap information is sent to the console is configured.
By default, trap information is sent to the console through channel 0.
2.
Run:
quit

Issue 02 (2013-12-31)

276

Equipment
1.
2 System Management
Run:
terminal monitor

2.
Run:
terminal trapping
The terminal is enabled to display trap information asynchronously.

3.
(Optional) Run:
The terminal is enabled to display trap information synchronously.

----End
Configuring a Device to Send Trap Information to a Terminal

By configuring a device to send trap information to a terminal, you can view the operating status
of the device on the terminal.
Context
Procedure
Step 1 Configure a device to send trap information through a channel.
1.
Run:
system-view

2.
Run:
Trap information is added to the channel.

Step 2 Configure the channel through which trap information is sent to the terminal.
1.
Run:
The channel through which trap information is sent to the terminal is configured.
By default, trap information is sent to the terminal through channel 1.
2.
Run:
quit
Issue 02 (2013-12-31)

277

Equipment
2 System Management

1.
Run:
terminal monitor

2.
Run:
terminal trapping
The terminal is enabled to display trap information asynchronously.

3.
(Optional) Run:
The terminal is enabled to display trap information synchronously.

----End
Outputting Alarms to the SNMP Agent

By outputting alarms to the SNMP agent, you can view the operating status of the device on the
NMS.
Context
Procedure
Step 1 Configure the alarms to be output through the channel.
1.
Run:
system-view

2.
Run:

debugging.
Step 2 Configure the channel through which alarms are output to the SNMP agent.
1.
Run:
info-center snmp channel { channel-number | channel-name }
The channel through which alarms are output to the SNMP agent is configured.
Issue 02 (2013-12-31)

278

Equipment
2 System Management
By default, alarms are output to the SNMP agent through Channel 5.

2.
Run:
snmp-agent
SNMP agent is enabled.

----End

After configuring the alarm output, you can use related commands to confirm the configuration.
Prerequisites
The configurations of the Alarm output function are complete.
Procedure
l

the information center.
Run the display trapbuffer [ size value ] command to check the information recorded by
the alarm buffer.
----End
2.1.4 Enabling the Output of Debugging Information

This section describes how to configure a specific module to output debugging information to
log files, consoles, terminals, or SNMP agents.
Context
NOTICE
Debugging degrades system performance. Therefore, after debugging, run the undo debugging
all command to disable debugging immediately. When the CPU usage is close to 100%,
debugging ARP may cause boards to reset. So, confirm the action before you use the command.
Before You Start

Before configuring the debugging message output, familiarize yourself with the usage scenario,
When faults occur on a device, you can enable the information center to output debugging
information for easy faults location and analysis.
Issue 02 (2013-12-31)

279

Equipment
2 System Management
Before enabling the output of debugging information, complete the following tasks:
l
Connecting the ATN and the PC correctly
Configuring routes between the ATN and the log host
Data Preparation
To enable the output of debugging information, you need the following data.
No.
Data
l Channel number
l Channel name
Module name
Severity level of debugging information
IP address of a log host

enabled.
Context
Classifying and outputting a large amount of information degrades system performance.
Procedure
Step 1 Run:
system-view

Step 2 Run:
info-center enable

----End

Naming information channels helps clarify what is output by each channel.
Issue 02 (2013-12-31)

280

Equipment
2 System Management
Context
Perform the following steps on the ATN configured with the information center.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The name of the specified channel is set.

----End
Outputting Debugging Information to the Log File

When a fault occurs on the device, you can analyze the output debugging messages to provide
references for fault location.
Context
Procedure
Step 1 Configure debugging information to be output through the channel.
1.
Run:
system-view

2.
Run:
info-center source { module-name | default } channel { channel-number | channelname } [ debug { state { off | on } | level severity } * ]
Debugging information is added to the information channel.

debugging.
Step 2 Configure the channel through which debugging information is output to the log file.
1.
Run:
The channel through which debugging information is output to the log file is configured.
Issue 02 (2013-12-31)

281

Equipment
1.
2 System Management
Run:
By default, the debugging information is not saved in the log file. If you want the debugging
information to be saved in the log file, run the info-center source default channel 9
debug state on level severity command to add records to the information channel.
1.
Run:

1.
Run:
save logfile

----End
Configuring a Device to Send Debugging Information to a Console

After you use a console to log in to a device, configure the device to send debugging information
to the console for real-time query.
Context
Procedure
Step 1 Configure a device to send debugging information through a channel.
1.
Run:
system-view

2.
Run:
Debugging information is added to the channel.

Step 2 Configure the channel through which debugging information is sent to the console.
Issue 02 (2013-12-31)

282

Equipment
1.
2 System Management
Run:
The channel through which debugging information is sent to the console is configured.
2.
Run:
quit

1.
Run:
terminal monitor

2.
Run:
terminal debugging
The terminal is enabled to display debugging information asynchronously.

3.
(Optional) Run:
The terminal is enabled to display debugging information synchronously.

----End
Configuring a Device to Send Debugging Information to a Terminal

After you use a terminal to log in to a device, configure the device to send debugging information
to the terminal for real-time query.
Context
Procedure
Step 1 Configure a device to send debugging information through a channel.
1.
Run:
system-view

2.
Run:
Debugging information is added to the channel.

Issue 02 (2013-12-31)

283

Equipment
2 System Management
Step 2 Configure the channel through which debugging information is sent to the terminal.
1.
Run:
The channel through which debugging information is sent to the terminal is configured.
2.
Run:
quit

1.
Run:
terminal monitor

2.
Run:
terminal debugging
The terminal is enabled to display debugging information asynchronously.

3.
(Optional) Run:
The terminal is enabled to display debugging information synchronously.

----End
Outputting Debugging Information to the Log Host

By outputting debugging messages to the log host, you can view debugging messages more
conveniently.
Procedure
Step 1 Configure debugging information to be output through the channel.
1.
Run:
system-view

2.
Run:
Debugging information is added to the information channel.

Step 2 Configure the channel through which debugging information is output to the log host.
info-center loghost ip-address [ channel { channel-number | channel-name } |
facility local-number | { language language-name } | { vpn-instance vpn-instancename| public-net } ] *
The channel through which debugging information is output to the log host is configured.
By default, debugging information is not output to the log host after the information center
is enabled.
Issue 02 (2013-12-31)

284

Equipment
2 System Management
The system supports the configuration of a maximum of eight log hosts to implement backup
among log hosts.
Step 3 Run:
info-center loghost source interface-type interface-number
A source interface is configured. This interface is recognized by the log host as the log sending
interface.
Each device has multiple interfaces that can send logs. All of these interfaces are configured to
report the source interface's address, if configured, when they send logs. This helps the log host
quickly determine the source device from which the logs were sent.
By default, this interface is not configured, so that the log host will be aware of all actual log
sending interfaces on a device.
----End

After configuring the debugging message output, you can view the configuration of the
information center.
Prerequisites
The configurations of the Debugging Information function are complete.
Procedure
l

an information center.
----End
2.1.5 Maintaining Information Center

This section describes how to run the following commands to delete messages in the buffer of
the information center. Note that deleted messages cannot be restored.
Context
NOTICE
Statistics about the information center cannot be restored after being cleared. So, confirm the
action before you use the command.
Issue 02 (2013-12-31)

285

Equipment
2 System Management
Procedure
l
To clear statistics about the information center, run the reset info-center statistics
command in the user view.
To clear statistics about the log buffer, run the reset logbuffer command in the user view.
To clear statistics about the alarm buffer, run the reset trapbuffer command in the user
view.
----End
2.1.6 Information Center Configuration Examples

This section provides information center configuration examples.
Example for Outputting Logs to the Log File

This part describes how to output logs of a specific module or specific severity level to the log
file. This facilitates maintenance engineers to monitor the operating status of the device and
locate the fault occurred on the device by checking the output logs.
As shown in Figure 2-4, ATNA is required to transport logs to a File Transfer Protocol (FTP)
server so that maintenance engineers can easily obtain the operation status of ATNA and locate
the faults occurring on ATNA.
Figure 2-4 Networking diagram of outputting logs to the log file
10.2.1.1/16
GE0/2/0
IP network
FTP Server
10.1.1.1/16
ATNA
1.
Enable the information center.
2.
Configure the contents of the logs to be output.
3.
4.
Set logs to be output to the FTP server.
Issue 02 (2013-12-31)

286

Equipment
2 System Management
Data Preparation
l
IP address of each interface
Information channel number
Module enabled to output logs
Severity levels of logs
Language in which logs are output
IP address of the FTP server
User name and password of the FTP server
Procedure
Step 1 Configure the routing protocol to make the ATN device and the FTP server reachable. (The
detailed procedure is not mentioned here.)
Step 2 Configure the channel used to output logs.
# Enable the information center.
[ATNA] info-center enable
Step 3 Configure the logs to be output through the channel.

# Configure the module enabled to output logs and the severity levels of logs allowed to be
output.
[ATNA] info-center source ip channel channel9 log level warning
Step 4 Configure the channel through which logs are output.

# Configure the channel through which logs are output to the log file.
[ATNA] info-center logfile channel channel9
[ATNA] quit
Step 5 Set logs to be output to the FTP server.

# Log in to the FTP server.
<ATNA> ftp 10.1.1.1
# Set logs to be output to the FTP server.

[ftp] put 2007_07.log
[ftp] quit
[ATNA] quit
<ATNA>

# View the logs output through the channel.
<ATNA> display info-center
Information Center:enabled
logfile:
channel number : 9, channel name : channel9, language : english
Issue 02 (2013-12-31)

287

Equipment
2 System Management
Information timestamp setting:

log - date, trap - date, debug - boot
Sent messages = 5753, Received messages = 5866
IO Reg messages = 124 IO Sent messages = 114
# View the received logs on the FTP server. (The display is omitted here.)
----End
Configuration Files
#
sysname ATNA
#
info-center source IP channel 9 log level warning
#
undo shutdown
ip address 10.2.1.1 255.255.0.0
#
ip route-static 10.1.0.0 255.255.0.0 10.2.1.2
#
return
Example for Outputting Logs to Log Hosts

This part describes how to output logs of different modules or severity levels to different log
hosts, and how to configure backup log hosts for backing up logs.
As shown in Figure 2-5, it is required to output logs of multiple types and severity levels to
different log hosts through information channels.
ATN sends the logs (with the severity level as notification) generated on the Forwarding
Information Base (FIB) module and the IP module to the log host Server 1. Server 3 functions
as a backup ATN device of Server 1.
ATN sends the logs (with the severity level as warning) generated on the Point-to-Point Protocol
(PPP) module and the AAA module to the log host Server 1. Server 4 functions as a backup
ATN device of Server 2.
Both the ATNs and the log hosts require to be configured.
Issue 02 (2013-12-31)

288

Equipment
2 System Management
Figure 2-5 Networking diagram of outputting logs to the log host
10.1.1.2/24
Server 3
10.1.1.1/24
Server1
GE0/2/0
172.168.0.1/24
ATN
Server 4
10.2.1.2/24
Server 2
10.2.1.1/24
1.
2.
Name the tunnel.
3.
Specify the module enabled to output logs.
4.
Configure the channel for outputting logs.
5.
Configure the source interface that sends logs.
6.
Configure the log host.
Data Preparation
l
IP address of the log host
Name of the channel through which logs are output
Module enabled to output logs
Information severity level
Language in which the log is output
Procedure
Step 1 Configure routing protocols to make the ATN device and log server routable. (The detailed
procedure is not mentioned here.)
Step 2 Configure the channel for outputting logs.
Issue 02 (2013-12-31)

289

Equipment
2 System Management
[HUAWEI] info-center enable
Step 3 Name the channel.

# Name the channel through which logs are output.
[HUAWEI] info-center channel 6 name loghost1
Step 4 Configure the channel through which logs are output.

# Configure the module enabled to output logs and the severity levels of logs allowed to be
output.
[HUAWEI]
[HUAWEI]
[HUAWEI]
[HUAWEI]
info-center
info-center
info-center
info-center
source
source
source
source
fib channel loghost log level notification

ip channel loghost log level notification
ppp channel loghost1 log level warning
aaa channel loghost1 log level warning
Step 5 Configure the source interface that sends logs.

# Configure the source interface that sends logs.
[HUAWEI] info-center loghost source gigabitethernet0/2/0
Step 6 Configure the logs to be output to a specified log host.

# Specify Server 1 as the log server and Server 3 as the backup log server to receive the logs
from the FIB module and the IP module. The logs are output in English, by Local2.
[HUAWEI] info-center loghost 10.1.1.1 channel loghost facility local2 language
english
[HUAWEI] info-center loghost 10.1.1.3 channel loghost facility local2 language
english
# Specify Server 2 as the log server and Server 4 as the backup log server to receive the logs
from the PPP module and the AAA module. The logs are output by Local4.
[HUAWEI] info-center loghost 10.2.1.2 channel loghost1 facility local4 language
english
[HUAWEI] info-center loghost 10.2.1.4 channel loghost1 facility local4 language
english
Step 7 Configure the log server.

A log server is used to collect logs of the device because the storage memory of the ATN device
is not large enough to record the generated logs.
Log servers can be installed with UNIX or LINUX operating system or with the log software of
the third party.
If being installed with UNIX or LINUX operating system, the host can collect logs when enabled
with Syslog.
Take the host installed with LINUX operating system as an example.
l To create log files:
Run the touch loghost.info command in the directory /var/log to create a file loghost.info
to record logs of the ATN device.
l To edit configuration files:
Edit etc/syslog.conf to loghost.info /var/log/ATN device.log, that is specify the log host
name. The logs with the severity level as informational are then output to /var/log/loghost.log
of the system.
Issue 02 (2013-12-31)

290

Equipment
2 System Management
l To configure the file etc/sysconfig/syslog:

Modify syslogd_options="-m o" to syslogd_option="-1 -m o", enabling the system to record
the logs of the remote devices.
l To enable Syslog:
Run the service syslog restart command.
For the host installed with the log software of a third party, you can configure the log software
of the third party to implement the log collection function on the host. For example, the HUAWEI
iManager U2000 supports the log management function and hence can receive, filter, save, and
forward the Syslog messages sent by the device or triggers other actions.
# Display the configuration of the log host.
<HUAWEI> display info-center
Log host:
the interface name of the source address:gigabitethernet0/2/0
10.1.1.1, channel number 2, channel name loghost,
language english
local2
language english
local2
10.2.1.2, channel number 6, channel name loghost1
language english
local4
10.2.1.4, channel number 6, channel name loghost1
language english
local4
Console:
channel number : 0, channel name : console
Monitor:
channel number : 1, channel name : monitor
SNMP Agent:
channel number : 5, channel name : snmpagent
Log buffer:
enabled,max buffer size 1024, current buffer size 512,
current messages 50, channel number : 4, channel name : logbuffer
dropped messages 13, overwritten messages 3
Trap buffer:
current messages 2, channel number:3, channel name:trapbuffer
log - date, trap - date, debug - boot
, host facility
, host facility
, host facility
, host facility

----End
Configuration Files
#
sysname HUAWEI
#
info-center channel 6 name loghost1
info-center source FIB channel loghost channel 2 log level notification
info-center source IP channel 2 log level notification
Issue 02 (2013-12-31)

291

Equipment
2 System Management
info-center source PPP channel 6 log level warning

info-center source AAA channel 6 log level warning
info-center loghost source gigabitethernet0/2/0
info-center loghost 10.1.1.1 facility local2
info-center loghost 10.1.1.3 facility local2
info-center loghost 10.2.1.2 channel 6 facility local4
info-center loghost 10.2.1.4 channel 6 facility local4
#interface gigabitethernet0/2/0
undo shutdown
ip address 172.168.0.1 255.255.255.0
#
ip route-static 10.1.1.0 255.255.255.0 172.168.0.2
ip route-static 10.2.1.0 255.255.255.0 172.168.0.2
#
return
Example for Configuring Binary Logs to be sent to the Log Host

This part describes how to output logs to the log host in binary mode. Outputting logs in binary
mode can effectively lighten the network load.
As shown in Figure 2-6, binary logs generated on ATNA are sent to the log host in real time.
Users or maintenance personnel can analyze the log through log analysis tools and locate the
fault.
Figure 2-6 Example for Configuring Binary Logs to be sent to the Log Host
GE0/2/0
11.1.1.1/24
Loghost
11.1.1.6/24
ATNA
1.
Enable the information center on the ATN device.
2.
Add the ID of a log to be filtered.
3.
Configure binary logs to be sent to the log host.
Data Preparation
To complete the configuration, you need to perform the following data:
l
ID of the log to be filtered
User name and password used for logging into the FTP server
Issue 02 (2013-12-31)

292

Equipment
2 System Management
IP address of the log host
Procedure
Step 1 Configure routes between ATNA and Loghost. (The detailed procedure is not mentioned here.)
Step 2 Enable the information center.
Step 3 Add the ID of a log to be filtered.

# Configure the module and channel used to output alarm messages.
[HUAWEI] info-center filter-id 1077514264
Step 4 Configure binary logs to be sent to the log host.

[HUAWEI] info-center loghost 11.1.1.6 binary

# Check the added ID of the log to be filtered.
[HUAWEI] display info-center filter-id 1077514264
ID:
1077514264
Content:
task: [string] ip: [string] user: [string] command: [string]
Filtered Number: 3
# Check the channel used by the SNMP agent to output alarms.

[HUAWEI] display info-center
Log host:
language english , host facility local7, binary
loghost
Console:
channel number : 0, channel name : console
Monitor:
channel number : 1, channel name : monitor
SNMP Agent:
channel number : 5, channel name : snmpagent
Log buffer:
current messages 512, channel number : 4, channel name : logbuffer
Trap buffer:
current messages 256, channel number:3, channel name:trapbuffer
logfile:
channel number : 9, channel name : channel9, language : english
log - formate-date millisecond, trap - date, debug - date
----End
Configuration Files
#
Issue 02 (2013-12-31)

293

Equipment
2 System Management
sysname HUAWEI
#
interface gigabitethernet0/2/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
info-center filter-id 1077514264
info-center source FIB channel 0 log level alert
info-center loghost 11.1.1.6 binary
#
return
Example for Outputting Alarms to the SNMP Agent

After alarms are output to the SNMP agent, the NM Station can receive the alarms sent from
the device.
As shown in Figure 2-7, alarms are required to be output first to the SNMP agent and then be
transmitted to the NM Station through SNMP Agent.
Figure 2-7 Networking diagram of outputting alarms to the SNMP Agent
GE0/2/0
NM Station
10.1.1.1/24
Agent
10.1.1.2/24
1.
Enable the information center on the ATN device.
2.
Specify the module enabled to output logs and configure the channel through which the
alarm is output.
3.
Enable outputting alarm to the SNMP agent.
4.
Enable transmitting alarms to the NM Station through SNMP.
Data Preparation
l
Module enabled to output alarms
Severity levels of alarms
Issue 02 (2013-12-31)

294

Equipment
2 System Management
Procedure
Step 2 Specify the module enabled to output alarms and configure the channel used to output alarms.
# Specify the module enabled to output alarms and configure the channel used to output alarms.
[HUAWEI] info-center source ip channel channel7 trap level informational state on
NOTE
By default, alarms are output through the SNMP agent and information about all modules is displayed.
Step 3 Enable outputting alarms to the SNMP agent.

# Enable outputting alarms to the SNMP agent.
[HUAWEI] info-center snmp channel channel7
Step 4 Enable transmitting alarms to the NM Station through SNMP agent.

# Start the SNMP agent and set the SNMP version to SNMPv2c.
[HUAWEI] snmp-agent sys-info version v2c
# Configure the alarm function.

[HUAWEI] snmp-agent trap enable
[HUAWEI] snmp-agent target-host trap address udp-domain 10.1.1.1 params
securityname public

# View the channel used to output alarms to the SNMP agent.
[HUAWEI] display info-center
SNMP Agent:
channel number : 7, channel name : channel7
# View the alarms output through the channel selected by SNMP agent.
[HUAWEI] display channel 7
channel number:7, channel name:channel7
MODU_ID NAME
ENABLE LOG_LEVEL
ENABLE TRAP_LEVEL
ENABLE DEBUG_LEVEL
ffff0000 default Y
debugging
Y
debugging
N
debugging
416a0000 IP
Y
debugging
Y
informational N
debugging
# View the alarms output to the NM Station through SNMP agent.

[HUAWEI] display snmp-agent target-host
Target-host NO. 1
----------------------------------------------------------IP-address
: 10.1.1.1
VPN instance : Security name : public
Port
: 3000
Type
: trap
Version
: v1
Level
: No authentication and privacy
NMS type
: NMS
-----------------------------------------------------------
----End
Issue 02 (2013-12-31)

295

Equipment
2 System Management
Configuration Files
#
sysname HUAWEI
#
info-center source IP channel 7 trap level informational
info-center snmp channel 7
#
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
snmp-agent
snmp-agent local-engineid 000007DB7F00000100003598
snmp-agent community write write
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version v2c v3
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname public
snmp-agent trap enable
#
return
Example for Outputting the Debugging Information to the Console

After debugging messages are configured to be output to the console, when a fault occurs on the
device you can log in to the device through the console and run the debugging command to view
debugging messages.
As shown in Figure 2-8, it is required to output the debugging information of the Address
Resolution Protocol (ARP) module to the Console.
Figure 2-8 Networking diagram of outputting information to the Console
Console
ATN
PC
1.
2.
Set the logs to be output to the Console and the information source.
3.
Configure the channel through which the debugging information is output.
4.
Enable the terminal monitor function and display the debugging information.
Data Preparation
Issue 02 (2013-12-31)

296

Equipment
Module enabled to output the logs
Information severity level
2 System Management
Procedure
Step 2 Allow the debugging on the ARP module to be output to the Console with the severity level of
the information as debugging.
[HUAWEI] info-center source arp channel console debug level debugging
[HUAWEI] info-center console channel console
[HUAWEI] quit
Step 3 Enable the terminal monitor function to display the debugging information.
<HUAWEI> terminal monitor
<HUAWEI> terminal debugging
Step 4 Enable ARP module debugging.

<HUAWEI> debugging arp packet

# View the configuration of the channel.
<HUAWEI> display channel 0
channel number:0, channel name:console
MODU_ID NAME
ENABLE LOG_LEVEL
ENABLE TRAP_LEVEL
ffff0000 default Y
warning
Y
debugging
810000
ARP
Y
warning
Y
debugging
ENABLE DEBUG_LEVEL
Y
debugging
Y
debugging
----End
Configuration Files
#
sysname HUAWEI
#
info-center source arp channel 0
#
return
2.2 SNMP Configuration

The Simple Network Management Protocol (SNMP) is a standard network management protocol
widely used on TCP/IP networks. It uses a central computer (a network management station)
that runs network management software to manage network elements. There are three SNMP
versions, SNMPv1, SNMPv2c, and SNMPv3. You can configure one or more versions, if
needed.
Issue 02 (2013-12-31)

297

Equipment
2 System Management
2.2.1 Introduction
SNMP provides a set of standard protocols for the communication between the network
management station (NM station) and devices, allowing the NM station to normally manage
devices and receive alarms reported by the devices.
SNMP Overview
Get and Set operations can be performed on a managed device that runs the SNMP agent to
manage device objects by NM stations These objects are uniquely identified in the Management
Information Base (MIB).
As network services develop, more devices are deployed on existing networks. The devices are
not close to the central equipment room where a network administrator works. When faults occur
on the remote devices, the network administrator cannot detect, locate or rectify faults
immediately because the devices do not report the faults. This affects maintenance efficiency
and greatly increases maintenance workload.
To solve this problem, equipment vendors have provided network management functions in
some products. These functions allow the NM station to query the status of remote devices, and
devices can send alarms to the NM station in the case of particular events.
SNMP operates at the application layer of the IP suite and defines how to transmit management
information between the NM station and devices. SNMP defines several device management
operations that the NM station can perform and allows devices to send alarms to notify the NM
station of device faults.
An SNMP-managed network consists of three components: NM station, agent, and managed
device. The NM station uses the MIB to identify and manage device objects. The operations
used for device management include GetRequest, GetNextRequest, GetResponse, GetBulk,
SetRequest, and notification from the agent to the NM station. The following sections give details
on the components, MIB, and operations.
SNMP Components
SNMP device management uses the following three components:
l
NM station: sends various query packets to query managed devices and receives alarms
from these devices.
Agent: is a network-management process on a managed device. An agent has the following

functions:
Receives and parses query packets sent from the NM station.
Reads or writes management variables based on the query type, and generates and sends
response packets to the NM station.
Sends an alarm to the NM station when triggering conditions defined on each protocol
module corresponding to the alarm are met. For example, the system view is displayed
or closed, or the device is restarted.
Managed device: is managed by an NM station and generates and reports alarms to the NM
station.
Figure 2-9 shows the relationship between the NM station and agent.
Issue 02 (2013-12-31)

298

Equipment
2 System Management
Figure 2-9 SNMP structure

UDP Port161
Request
Response
Agent
NM Station
UDP Port162
Trap
NM Station
Agent
MIB
SNMP uses a hierarchical naming convention to identify managed objects and to distinguish
between managed objects. This hierarchical structure is similar to a tree with the nodes
representing managed objects. Figure 2-10 shows a managed object that can be identified by
the path from the root to the node representing it.
Figure 2-10 Structure of a MIB tree
1
2
1
1
1 B
5
A
2
6
As shown in Figure 2-10, object B is uniquely identified by a string of numbers, {1.2.1.1}. Such
a number string is called an Object Identifier (OID). A MIB tree is used to describe the hierarchy
of data in a MIB that collects the definitions of variables on the managed devices.
A user can use a standard MIB or define a MIB based on certain standards. Using a standard
MIB can reduce the costs on proxy deployment and therefore reduce the costs on the entire
network management system.
SNMP Operations
SNMP uses Get and Set operations to replace a complex command set. The operations described
in Figure 2-11 can implement all functions.
Issue 02 (2013-12-31)

299

Equipment
2 System Management
Figure 2-11 Schematic diagram of SNMP operations

get-request
get-response
get-next-request
get-response
NM Station
UDP Port162
set-request
get-response
Agent
UDP Port161
trap
Table 2-5 gives details on the SNMP operations.

Table 2-5 SNMP operations
Operation
Function
GetRequest
Retrieves the value of a variable. The NM station sends the

request to a managed device to obtain the value of an object
on the device.
GetNextRequest
Retrieves the value of the next variable. The NM station

sends the request to a managed device to obtain the status
of the next object on the device.
GetResponse
Responds to GetRequest, GetNextRequest, and

SetRequest operations. It is sent from the managed device
to the NM station.
GetBulk
Request from the NMS-to-agent, equaling continuous

GetNextRequest operations.
SetRequest
Sets the value of a variable. The NM station sends the

request to a managed device to adjust the status of an object
on the device.
Trap
Reports an event to the NM station.
NOTE
The NM station uses SNMP to monitor and manage network devices. It cannot be used to monitor and
manage the operation of the entire network. To monitor and manage the operation of an entire network,
for example, to learn network performance or collect network statistics, see the Configuration Guide System Management for details about the configurations of Remote Network Monitoring (RMON) and
RMON2, and fault and performance management.
Issue 02 (2013-12-31)

300

Equipment
2 System Management
SNMP Features Supported by the ATN

This section compares SNMP versions in terms of their support for features and usage scenarios.
Use it as a reference when you select the SNMP version during network deployment.
The ATN supports SNMPv1, SNMPv2c, and SNMPv3. Table 2-6 lists the features supported
by SNMP, and Table 2-7 shows the support of different SNMP versions for the features. Table
2-8 describes the usage scenarios of SNMP versions, which will help you choose a proper version
for the communication between an NM station and managed devices based on the network
operation conditions.
NOTE
When multiple NM stations using different SNMP versions manage the same device in a network,
SNMPv1, SNMPv2c, and SNMPv3 can all be configured on the device for its communication with all the
NM stations.
Table 2-6 Description of features supported by SNMP

Feature
Description
Access control
Restricts a user's device administration rights.

It gives specific users the rights to manage
specified objects on devices and therefore
provides fine management.
Authentication and encryption
Authenticates and encrypts the packets

transmitted between the NM station and
managed devices. This prevents data packets
from being intercepted or modified,
improving data sending security.
Error code
Identifies particular faults. An administrator

uses error codes to quickly locate and rectify
faults. The more error codes received, the
more they help an administrator in device
management.
Trap
Sent from managed devices to the NM

station. These traps allow an administrator to
discover device faults immediately.
After sending traps, the managed devices do
not require the acknowledgement from the
NM station.
Issue 02 (2013-12-31)

301

Equipment
2 System Management
Feature
Description
Inform
Sent from managed devices to the NM

station.
The managed devices require the
acknowledgement from the NM station after
sending informs. If a managed device does
not receive an acknowledgement after
sending an inform, it will resend the inform
to the NM station and generate alarm logs.
Even if the NM station restarts, it can still
synchronize the informs sent during the
restart process.
If the managed device does not receive an
acknowledgement from the NM station after
sending an inform, it will store the inform in
its memory. In this regard, using informs may
consume lots of system resources.
Allows an administrator to perform GetNext
operation in batches. In a large-scale network,
GetBulk reduces the administrator's
workload and improves management
efficiency.
GetBulk
Table 2-7 Different SNMP versions' support for the features
Issue 02 (2013-12-31)
Feature
SNMPv1
SNMPv2c
SNMPv3
Access control
Community-namebased access control

supported
Community-namebased access control

supported
User or user-groupbased access control

supported

302

Equipment
2 System Management
Feature
SNMPv1
SNMPv2c
SNMPv3
Authentication and
encryption
Not supported
Not supported
Supported, and the

supported
authentication and
encryption modes are
as follows:
Authentication
mode:
l Message Digest 5
(MD5)
l Secure Hash
Algorithm (SHA)
Encryption mode:
l Data Encryption
Standard 56
(DES56)
l Triple Data
Encryption
Standard (3DES)
l Advanced
Encryption
Standard 128
(AES128)
l Advanced
Encryption
Standard 192
(AES192)
l Advanced
Encryption
Standard 256
(AES256)
Issue 02 (2013-12-31)
Error code
6 error codes
supported
16 error codes
supported
16 error codes
supported
Trap
Supported
Supported
Supported
Inform
Not supported
Supported
Supported
GetBulk
Not supported
Supported
Supported

303

Equipment
2 System Management
Table 2-8 Usage scenarios of different SNMP versions

Version
Usage Scenario
SNMPv1
Applies to small-scale networks whose

networking is simple and security
requirements are low or whose security and
stability are good, such as campus networks
and small enterprise networks.
SNMPv2c
Applies to medium and large-scale networks

whose security requirements are not strict or
whose security is good (for example, VPNs)
but whose services are so busy that traffic
congestion may occur.
Using informs can ensure that the messages
sent from managed devices are received by
the NM station.
SNMPv3
This version is applicable to networks of

various scales, especially the networks that
have strict requirements on security and can
be managed only by authorized
administrators, such as the scenario where
data between the NM station and managed
devices needs to be transmitted over a public
network.
If you plan to build a new network, choose an SNMP version based on your usage scenario. If
you plan to expand or upgrade an existing network, choose an SNMP version to match the SNMP
version running on the NM station to ensure the normal communication between managed
devices and the NM station.
2.2.2 Configuring a Device to Communicate with an NM Station by

Running SNMPv1
After SNMPv1 is configured, a managed device and an NM station can run SNMPv1 to
communicate with each other. To ensure normal communication, you need to configure both
sides. This section describes only the configurations on a managed device (the agent side). For
details about configurations on an NM station, see the pertaining NM station operation guide.
Context
The NM station manages a device in the following manners:
l
Issue 02 (2013-12-31)
Sends requests to the managed device to perform the GetRequest, GetNextRequest,

GetResponse, GetBulk, or SetRequest operation, obtaining data and setting values.

304

Equipment
2 System Management
NOTE
When SNMPv1 is used, Counter64 nodes cannot be visited.

SNMPv1 has a security risk. Using SNMPv3 is recommended.
Receives alarms from the managed device and locates and rectify device faults based on
the alarm information.
In the following configuration, after basic SNMP functions are configured, the NM station can
manage the device in these manners. For details on how to configure finer management such as
accurate access control or alarm module specification, see the following configuration
procedures.
Before You Start

Before configuring a device to communicate with an NM station by running SNMPv1,
familiarize yourself with the usage scenario, complete the pre-configuration tasks, and obtain
the data required for the configuration.
SNMP needs to be deployed in a network to allow the NM station to manage network devices.
If the network has a few devices and its security is good, such as a campus network or a small
enterprise network, SNMPv1 can be deployed to ensure the normal communication between the
NM station and managed devices.
Before configuring a device to communicate with an NM station by running SNMPv1, complete
the following task:
l
Configuring a routing protocol to ensure that the ATN and NM station are routable
Data Preparation
Before configuring a device to communicate with an NM station by running SNMPv1, you need
the following data.
Issue 02 (2013-12-31)
No.
Data
SNMP version, SNMP community name, destination address of alarm messages,

administrator's contact information and location, and the maximum SNMP packet
size
(Optional) ACL number, IP address of the NM station, and MIB object
(Optional) Name of the alarm-sending module, source address of trap messages,

queue length for trap messages, and lifetime of trap messages

305

Equipment
2 System Management
Configuring Basic SNMPv1 Functions

After basic SNMP functions are configured, an NM station can perform basic operations such
as Get and Set operations on a managed device, and the managed device can send alarms to the
NM station.
Context
Steps Step 4, Step 5, and Step 6 are mandatory for the configuration of basic SNMP functions.
After the configurations are complete, basic SNMP communication can be conducted between
the NM station and managed device.
Procedure
Step 1 Run:
system-view

Step 2 (Optional) Run:
snmp-agent
The SNMP agent function is enabled.

By default, the SNMP agent function is disabled. Running any command with the parameter
snmp-agent can enable the SNMP agent function, so this step is optional.
snmp-agent udp-port
The port number monitored by the SNMP Agent is configured.

By default, the port number monitored by the agent is 161.
The snmp-agent udp-port command can be used to change the number of the port monitored
by the SNMP Agent, to improve the security of the device.
Step 4 Run:
snmp-agent sys-info version v1
The SNMP version is set.

By default, SNMPv3 is enabled.
After SNMPv1 is enabled on the managed device, the device supports both SNMPv1 and
SNMPv3. This means that the device can be monitored and managed by NM stations running
SNMPv1 or SNMPv3.
Step 5 Run:
snmp-agent community { read | write } [ cipher ] community-name [ acl acl-number |
mib-view view-name ] *
The community name is set.

The community name will be saved in encrypted format in the configuration file.
By default, the complexity check is enabled for a community name. If a community name fails
the complexity check, the community name cannot be configured. To disable the complexity
Issue 02 (2013-12-31)

306

Equipment
2 System Management
check for a community name, run the snmp-agent community complexity-check disable
command.
NOTE
The HUAWEI has the following requirements for community name complexity:
l The default minimum length of a community name is eight characters. The set password min-length
command determines the minimum length of a community name.
l A community name includes at least two kinds of characters, which can be uppercase letters, lowercase
letters, digits, and special characters except question marks (?) and spaces.
After the community name is set, if no MIB view is configured, the NM station that uses the
community name has rights to access objects in the Viewdefault view.
Step 6 Choose either of the following commands as needed to configure a destination IP address for
the alarms and error codes sent from the device.
l To configure a destination IPv4 address for the alarms and error codes sent from the device,
run:
snmp-agent target-host trap address udp-domain ip-address [ udp-port portnumber | source interface-type interface-number | { public-net | vpn-instance
vpn-instance-name } ] * params securityname security-string [ v1 | v2c | v3
[ authentication | privacy ] ] [ private-netmanager ] [ notify-filter-profile
profile-name | ext-vb ] *
The descriptions of the command parameters are as follows:

l The default destination UDP port number is 162. In some special cases (for example, port
mirroring is configured to prevent a well-known port from being attacked), the parameter
udp-port can be used to specify a non-well-known UDP port number. This ensures normal
communication between the NM station and managed device.
l If the alarms sent from the managed device to the NM station need to be transmitted over a
public network, the parameter public-net needs to be configured. If the alarms sent from the
managed device to the NM station need to be transmitted over a private network, the
parameter vpn-instance vpn-instance-name needs to be used to specify a VPN that will take
over the sending task.
l The parameter securityname identifies the alarm sender, which will help you learn the alarm
source.
l If the NM station and managed device are both Huawei products, the parameter privatenetmanager can be configured to add more information to alarms, such as the alarm type,
alarm sequence number, and alarm sending time. The information will help you locate and
rectify faults more quickly.
snmp-agent sys-info { contact contact | location location }
The equipment administrator's contact information or location is configured.

This step is required when the NM station administrator must know equipment administrators'
contact information and locations when the NM station manages many devices. This allows the
NM station administrator to contact the equipment administrators quickly for fault location and
rectification.
To configure both the equipment administrator's contact information and location, you must run
the command twice to configure them separately.
Issue 02 (2013-12-31)

307

Equipment
2 System Management

snmp-agent packet max-size byte-count
The maximum size of an SNMP packet that the device can receive or send is set.
By default, the maximum size of an SNMP packet that the device can receive or send is 12000
bytes.
After the maximum size is set, the device will discard any SNMP packet that is larger than the
set size. The allowable maximum size of an SNMP packet for a device depends on the size of a
packet that the NM station can process; otherwise, the NM station cannot process the SNMP
packets sent from the device.
----End
Follow-up Procedure
After the configurations are complete, basic communication can be conducted between the NM
station and managed device.
l
Access control allows any NM station that uses the community name to monitor and manage
all the objects on the managed device.
The managed device sends alarms generated by the modules that are enabled by default to
the NM station.
If finer device management is required, follow directions below to configure a managed device:
l
To allow a specified NM station that uses the community name to manage specified objects
on the device, follow the procedure described in Controlling the NM Station's Access to
the Device.
To allow a specified module on the managed device to report alarms to the NM station,
follow the procedure described in Configuring the Trap Function.
If the NM station and managed device are both Huawei products, follow the procedure
described in Enabling the SNMP Extended Error Code Function to allow the device to
send more types of error codes. This allows more specific error identification and facilitates
your fault location and rectification.
(Optional) Controlling the NM Station's Access to the Device

This section describes how to specify an NM station and manageable MIB objects for SNMPbased communication between the NM station and managed device to improve communication
security.
Context
If a device is managed by multiple NM stations that use the same community name, note the
following points:
l
If all the NM stations that use the community name need to have rights to access the objects
in the Viewdefault view (1.3.6.1), skip the following steps.
If some of the NM stations that use the community name need to have rights to access the
objects in the Viewdefault view (1.3.6.1), skip Step5.
Issue 02 (2013-12-31)

308

Equipment
2 System Management
If all the NM stations need to manage specified objects on the device, skip Step2, Step3,
and Step4.
If some of the NM stations that use the community name need to manage specified objects
on the device, perform all the following steps.
Procedure
Step 1 Run:
system-view

Step 2 Run:
acl acl-number
A basic ACL is created to filter the NM station users that can manage the device.
NOTE
SNMP supports only basic ACLs whose numbers range from 2000 to 2999.
Step 3 Run:
rule [ rule-id ] { deny | permit } interface { interface-type interface-number |
any }
A rule is added to the ACL.

Step 4 Run:
quit
Return to the system view.

Step 5 Run:
snmp-agent mib-view { excluded | included } view-name oid-tree
A MIB view is created, and manageable MIB objects are specified.

By default, an NM station has rights to access the objects in the Viewdefault view (1.3.6.1).
l If a few MIB objects on a device or some objects in the current MIB view do not or no longer
need to be managed by the NM station, excluded needs to be specified in the related command
to exclude these MIB objects.
l If a few MIB objects on the device or some objects in the current MIB view need to be
managed by the NM station, included needs to be specified in the related command to include
these MIB objects.
Step 6 Run:
snmp-agent acl
An SNMP ACL is configured.

By default, no SNMP ACL is configured.
SNMP ACLs take precedence over ACLs based on SNMP community names, SNMP groups,
and SNMP users.
Step 7 Run:
snmp-agent community { read | write } { community-name | cipher community-name } [
mib-view view-name | acl acl-number ]*
Issue 02 (2013-12-31)

309

Equipment
2 System Management
The NM station's access rights are specified.

l read needs to be configured in the command if the NM station administrator needs the read
permission in the specified view in some cases. For example, a low-level administrator needs
to read certain data. write needs to be configured in the command if the NM station
administrator needs the read and write permissions in the specified view in some cases. For
example, a high-level administrator needs to read and write certain data.
l cipher is used to display the community name in cipher text. It can be configured in the
command to improve security. If the parameter is configured, the administrator needs to
remember the community name. If the community name is forgotten, it cannot be obtained
by querying the device.
l If some of the NM stations that use the community name need to have rights to access the
objects in the Viewdefault view (1.3.6.1), mib-view view-name does not need to be
configured in the command.
l If all the NM stations that use the community name need to manage specified objects on the
device, acl acl-number does not need to be configured in the command.
l If some of the NM stations that use the community name need to manage specified objects
on the device, both mib-view and acl need to be configured in the command.
----End
Follow-up Procedure
After the access rights are configured, especially after the IP address of the NM station is
specified, if the IP address changes (for example, the NM station changes its location, or IP
addresses are reallocated due to network adjustment), you need to change the IP address of the
NM station in the ACL. Otherwise, the NM station cannot access the device.
(Optional) Enabling the SNMP Extended Error Code Function

This section describes how to enable the extended SNMP error code function when both the NM
station and managed device are Huawei products. After this function is enabled, more types of
error codes are provided to help you locate and rectify faults more quickly and accurately.
Procedure
Step 1 Run:
system-view

Step 2 Run:
snmp-agent extend error-code enable
The SNMP extended error code function is enabled.

By default, SNMP standard error codes are used. After the extended error code function is
enabled, extended error codes can be sent to the NM station.
----End
Issue 02 (2013-12-31)

310

Equipment
2 System Management
(Optional) Configuring the Trap Function

This section describes how to specify the alarms to be sent to the NM station, which will help
you to locate important problems. After relevant parameters are set, the security of alarm sending
can be improved.
Procedure
Step 1 Run:
system-view

Step 2 Run:
Alarm sending is enabled.

NOTE
If the snmp-agent trap enable command is run to enable the trap functions of all modules, note the
following points:
l To disable the trap functions of all modules, you need to run the snmp-agent trap disable command.
l To restore the trap functions of all modules to the default status, you need to run the undo snmp-agent
trap enable or undo snmp-agent trap disable command.
l To disable one trap function of a module, you need to run the undo snmp-agent trap enable featurename command.
Step 3 Run:
snmp-agent trap enable feature-name feature-name trap-name trap-name
A trap function of a feature module is enabled. This means that an alarm of a specified feature
can be sent to the NM station.
The undo snmp-agent trap enable feature-name command can be used to disable a trap
function of a module.
Step 4 Run:
The MIB-view is configured.
For SNMPv1 and SNMPv2c, the defaule mib-view is ViewDefault and the OID is 1.3.6.1. But
there is not any default mib-view, the user need to configure manually.
Step 5 Run:
snmp-agent notify-filter-profile { excluded
| included } profile-name oid-tree
Trap messages allowed to be sent to the NM station are specified or updated.

At present, the snmp-agent notify-filter-profile command supports either the variable OID of
a character string or an object name. If the entered parameter is a character string, the asterisk
(*) can be used as the mask. The asterisk (*) can be placed only in the middle, not at the beginning
or end of the string.
Step 6 Run:
snmp-agent trap source interface-type interface-number
Issue 02 (2013-12-31)

311

Equipment
2 System Management
The source interface for trap messages is specified.

After the source interface is specified, its IP address becomes the source IP address of trap
messages. Configuring the IP address of the local loopback interface as the source interface is
recommended, which can ensure device security.
The source interface specified on the ATN for trap messages must be consistent with that
specified on the NM station; otherwise, the NM station will not accept the trap messages sent
from the ATN.
Step 7 Run:
snmp-agent trap source-port port-number
The source port to send trap is set.

The source port is fixed, the packets can be filtered by firewall to improve the security of the
network.
Step 8 Run:
snmp-agent trap queue-size size
The length of the queue storing trap messages to be sent to the destination host is set.
The queue length depends on the number of generated trap messages. If the ATN frequently
generates trap messages, a longer queue length can be set to prevent trap messages from being
lost.
Step 9 Run:
snmp-agent trap life seconds
The lifetime of every trap message is set.

The lifetime of every trap message depends on the number of generated trap messages. If the
ATN frequently generates trap messages, a longer lifetime can be set for every trap message to
prevent trap messages from being lost.
----End

After SNMPv1 functions are configured, you can view the SNMPv1 configurations.
Prerequisites
The configurations of basic SNMPv1 functions are complete.
Procedure
l
Run the display snmp-agent community command to check the configured community
name.
Run the display snmp-agent sys-info version command to check the enabled SNMP
version.
Run the display acl acl-number command to check the rules in the specified ACL.
Run the display snmp-agent mib-view command to check the MIB view.
Issue 02 (2013-12-31)

312

Equipment
2 System Management
Run the display snmp-agent sys-info contact command to check the equipment
administrator's contact information.
Run the display snmp-agent sys-info location command to check the location of the
device.
Run the display snmp-agent target-host command to view information about all
destination hosts, such as the IP addresses.
Run the display snmp-agent trap command to view whether the router is enabled to send
alarms to the NM station.
Run the display snmp-agent statistics command to view the statistics of SNMP packets.
Run the display current-configuration | include max-size command to check the

allowable maximum size of an SNMP packet.
Run the display current-configuration | include trap command to check trap

configurations.
Run the display snmp-agent extend error-code status command to check whether the
SNMP extended error code feature is enabled.
----End

Running SNMPv2c
After SNMPv2c is configured, a managed device and an NM station can run SNMPv2c to
Context
l

NOTE
SNMPv2c has a security risk. Using SNMPv3 is recommended.
procedures.
Before You Start

Before configuring a device to communicate with an NM station by running SNMPv2c,
Issue 02 (2013-12-31)

313

Equipment
2 System Management
If your network is a large scale with many devices and its security requirements are not strict or
its security is good (for example, a VPN network) but services on the network are so busy that
traffic congestion may occur, SNMPv2c can be deployed to ensure communication between the
NM station and managed devices.
Before configuring a device to communicate with an NM station by running SNMPv2c, complete
the following task:
l
Data Preparation
Before configuring a device to communicate with an NM station by running SNMPv2c, you
need the following data.
No.
Data
SNMP version, SNMP community name, address of the alarm destination host,
administrator's contact information and location, and the maximum SNMP packet
size
(Optional) ACL number, IP address of the NM station, MIB object

queue length for trap messages, lifetime of trap messages, expiry time of informs,
allowable number of inform retransmissions, allowable maximum number of informs
to be acknowledged, aging time of log messages, and allowable maximum number
of log messages about the trap and inform events in the log buffer
Configuring Basic SNMPv2c Functions

NM station.
Context
Steps Step 4, Step 5, and Step 6 are mandatory for the configuration of basic SNMP functions.
After the configurations, basic SNMP communication can be conducted between the NM station
and managed device.
Procedure
Step 1 Run:
system-view
Issue 02 (2013-12-31)

314

Equipment
2 System Management

snmp-agent

snmp-agent udp-port

Step 4 Run:
snmp-agent sys-info version v2c

By default, SNMPv3 is enabled.
After SNMPv2c is enabled on the managed device, the device supports both SNMPv2c and
SNMPv3. This means that the device can be monitored and managed by NM stations running
SNMPv2c and SNMPv3.
Step 5 Run:
snmp-agent community { read | write } [ cipher ] community-name [ acl acl-number |
mib-view view-name ] *
The community name is set.

The community name will be saved in encrypted format in the configuration file.
By default, the complexity check is enabled for a community name. If a community name fails
the complexity check, the community name cannot be configured. To disable the complexity
check for a community name, run the snmp-agent community complexity-check disable
command.
NOTE
The HUAWEI has the following requirements for community name complexity:
l The default minimum length of a community name is eight characters. The set password min-length
command determines the minimum length of a community name.
l A community name includes at least two kinds of characters, which can be uppercase letters, lowercase
letters, digits, and special characters except question marks (?) and spaces.
After the community name is set, if no MIB view is configured, the NM station that uses the
community name has rights to access objects in the Viewdefault view.
Step 6 Choose one of the following commands as needed to configure the destination IP address for
the alarms and error codes sent from the device.
l If the network is an IPv4 network, configure the device to send either traps or informs to the
NM station.
Issue 02 (2013-12-31)

315

Equipment
2 System Management
NOTE
The differences between traps and informs are as follows:

l The traps sent by the managed device do not need to be acknowledged by the NM station.
l The informs sent by the managed device need to be acknowledged by the NM station. If no
acknowledgement message from the NM station is received within a specified time period, the
managed device will resend the inform until the number of retransmissions reaches the maximum.
When the managed device sends an inform, it records the inform in the log. If the NM station and
link between the NM station and managed device recovers from a fault, the NM station can still
learn the inform sent during the fault occurrence and rectification.
In this regard, informs are more reliable than traps, but the device may need to buffer a lot of informs
because of the inform retransmission mechanism and this may consume many memory resources.
If the network is stable, using traps is recommended. If the network is unstable and the device's memory
capacity is sufficient, using informs is recommended.
Informs and traps must have different destination IP addresses. If a same destination IP address is
configured for both of them, the later configuration overrides the previous configuration.
To configure a destination IP address for the traps and error codes sent from the device,
run:
snmp-agent target-host trap address udp-domain ip-address [ udp-port portnumber | source interface-type interface-number | { public-net | vpninstance vpn-instance-name } ] * params securityname security-string [ v1 |
v2c | v3 [ authentication | privacy ] ] [ private-netmanager ] [ notifyfilter-profile profile-name | ext-vb ] *
To configure a destination IP address for the informs and error codes sent from the device,
run:
snmp-agent target-host inform ip-address [ udp-port port-number | source
interface-type interface-number | vpn-instance vpn-instance-name | publicnet ] * params securityname security-string v2c [ notify-filter-profile
profile-name | ext-vb ] *

l The default destination User Datagram Protocol (UDP) port number is 162. In some special
cases (for example, port mirroring is configured to prevent a well-known port from being
attacked), the parameter udp-port can be used to specify a non-well-known UDP port
number. This ensures normal communication between the NM station and managed device.
source.

Issue 02 (2013-12-31)

316

Equipment
2 System Management
rectification.
bytes.
----End
Follow-up Procedure
l
Access control allows any NM station that uses the community name to monitor and manage
all the objects on the managed device.
The managed device sends alarms generated by the modules that are open by default to the
NM station.
If finer device management is required, follow directions below to configure the managed
device:
l
To allow a specified NM station that uses the community name to manage specified objects
of the device, follow the procedure described in Controlling the NM Station's Access to
the Device.

This section describes how to specify an NM station and manageable MIB objects for SNMPbased communication between the NM station and managed device to improve communication
security.
Context
If a device is managed by multiple NM stations that use the same community name, note the
following points:
Issue 02 (2013-12-31)

317

Equipment
2 System Management
If all the NM stations that use the community name need to have rights to access the objects
in the Viewdefault view (1.3.6.1), skip the following steps.
If some of the NM stations that use the community name need to have rights to access the
objects in the Viewdefault view (1.3.6.1), skip Step5.
and Step4.
If some of the NM stations that use the community name need to manage specified objects
on the device, perform all the following steps.
Procedure
Step 1 Run:
system-view

Step 2 Run:
acl acl-number
NOTE
Step 3 Run:
any }

Step 4 Run:
quit

Step 5 Run:

l If a few MIB objects on a device or some objects in the current MIB view do not or no longer
need to be managed by the NM station, excluded needs to be specified in the related command
managed by the NM station, included needs to be specified in the related command to include
these MIB objects.
Step 6 Run:
snmp-agent acl

Issue 02 (2013-12-31)

318

Equipment
2 System Management
and SNMP users.
Step 7 Run:
snmp-agent community { read | write } { community-name | cipher community-name } [
mib-view view-name | acl acl-number ]*
The NM station's access rights are specified.

l read needs to be configured in the command if the NM station administrator needs the read
permission in the specified view in some cases. For example, a low-level administrator needs
to read certain data. write needs to be configured in the command if the NM station
administrator needs the read and write permissions in the specified view in some cases. For
example, a high-level administrator needs to read and write certain data.
l cipher is used to display the community name in cipher text. It can be configured in the
command to improve security. If the parameter is configured, the administrator needs to
remember the community name. If the community name is forgotten, it cannot be obtained
by querying the device.
l If some of the NM stations that use the community name need to have rights to access the
objects in the Viewdefault view (1.3.6.1), mib-view view-name does not need to be
configured in the command.
l If all the NM stations that use the community name need to manage specified objects on the
device, acl acl-number does not need to be configured in the command.
l If some of the NM stations that use the community name need to manage specified objects
on the device, both mib-view and acl need to be configured in the command.
----End
Follow-up Procedure

Procedure
Step 1 Run:
system-view

Step 2 Run:

Issue 02 (2013-12-31)

319

Equipment
2 System Management
----End

can be improved.
Procedure
Step 1 Run:
system-view

Step 2 Run:

NOTE
following points:
To enable the trap of performance management in batches, you need to run snmp-agent trap enable
feature-name bulkstat trap-name { hwbulkstatcollectincomplete | hwbulkstatcollectresume |
hwbulkstattransferfilediscard | hwbulkstaturlconnectionfail | hwbulkstaturlconnectionresume }
command.
To enable the specified trap of performance management, you need to run snmp-agent trapfeaturenamebulkstattrap-name trap-name description description-text command.
Step 3 Run:
The undo snmp-agent trap enable feature-name feature-name trap-name trap-name
command can be used to disable a trap function of a module.
snmp-agent trap feature-name feature-name trap-name trap-name description
description-text
Description of the specified trap message is sent to the NMS.

Step 5 Configure trap function parameters based on the trap usage or inform usage selected during the
configuration of basic SNMPv2c functions.
Issue 02 (2013-12-31)

320

Equipment
2 System Management
If traps are used, follow the procedure described in Configuring trap parameters; if informs
are used, follow the procedure described in Configuring inform parameters.
Configuring trap parameters:
1.
Run:
snmp-agent notify-filter-profile { excluded | included } profile-name oid-tree

At present, the snmp-agent notify-filter-profile command supports either the variable
OID of a character string or an object name. If the entered parameter is a character string,
the asterisk (*) can be used as the mask. The asterisk (*) can be placed only in the middle,
not at the beginning or end of the string.
2.
Run:

messages. Configuring the IP address of the local loopback interface as the source interface
is recommended, which can ensure device security.
3.
Run:

The source port is fixed, the packets can be filtered by firewall to improve the security of
the network.
4.
Run:
generates trap messages, a longer queue length can be set to prevent trap messages from
being lost.
5.
Run:

The lifetime of every trap message depends on the number of generated trap messages. If
the ATN frequently generates trap messages, a longer lifetime can be set for every trap
message to prevent trap messages from being lost.
Configuring inform parameters:
1.
Run:
snmp-agent inform { timeout seconds | resend-times times | pending number }*
The timeout period for waiting for Inform ACK messages, number of inform
retransmissions, and allowable maximum number of informs to be acknowledged are set.
If the network is unstable, you need to specify the number of inform retransmissions and
allowable maximum number of informs to be acknowledged when you set a timeout period
Issue 02 (2013-12-31)

321

Equipment
2 System Management
for waiting for Inform ACK messages. By default, the timeout period for waiting for Inform
ACK messages is 15 seconds; the number of inform retransmissions is 3; the allowable
maximum number of informs waiting to be acknowledged is 39.
Setting the number of inform retransmissions to a value smaller than or equal to 10 is
recommended. Otherwise, device performance will be affected.
2.
Run:
snmp-agent inform { timeout seconds | resend-times times } *address udpdomain ip-address[ vpn-instance vpn-instance-name ] params securityname
security-string
The timeout period for waiting for Inform ACK messages from a specified NM station and
the number of inform retransmissions are set.
If the network is unstable, you need to specify the number of inform retransmissions and
allowable maximum number of informs to be acknowledged when you set a timeout period
for waiting for Inform ACK messages. By default, the timeout period for waiting for Inform
ACK messages is 15 seconds, and the number of inform retransmissions is 3.
Setting the number of inform retransmissions to a value smaller than or equal to 10 is
recommended. Otherwise, device performance will be affected.
3.
Run:
snmp-agent notification-log enable
The alarm logging function is enabled.

If the link between the managed device and the NM station fails, the managed device will
stop sending informs to the NM station because the NM station is unroutable but the
managed device will continue logging informs. If the link recovers, the NM station will
learn the informs logged by the managed device during the link failure.
After the alarm logging function is enabled, the system logs only informs, not traps.
By default, the alarm logging function is disabled.
4.
Run:
snmp-agent notification-log { global-ageout ageout | global-limit limit }*
The aging time of alarm logs and maximum number of alarm logs allowed to be stored in
the log buffer are set.
By default, the aging time of alarm logs is 24 hours. If the aging time expires, alarms logs
will be automatically deleted.
By default, the log buffer can store a maximum of 500 alarm logs. If the number of alarm
logs in the log buffer exceeds 500, the device will delete the alarm logs from the earliest
one.
----End

After SNMPv2c functions are configured, you can view the SNMPv2c configurations.
Prerequisites
The configurations of basic SNMPv2c functions are complete.
Issue 02 (2013-12-31)

322

Equipment
2 System Management
Procedure
l
Run the display snmp-agent community command to check the configured community
name.
version.
device.


configurations.
Run the display snmp-agent target-host command to check information about the target
host.
Run the display snmp-agent inform [ address udp-domain ip-address [ vpn-instance

vpn-instance-name ] params securityname security-string ] command to check inform
parameters and device statistics with the NM station being specified or not.
Run the display snmp-agent notification-log info command to check alarm logs stored
in the log buffer.
----End

Running SNMPv3
After SNMPv3 is configured, a managed device and an NM station can run SNMPv3 to
Context
l
Issue 02 (2013-12-31)


323

Equipment
2 System Management
NOTE
When SNMPv1 is used, Counter64 nodes cannot be visited.

SNMPv1 has a security risk. Using SNMPv3 is recommended.
procedures.
Before You Start

Before configuring a device to communicate with an NM station by running SNMPv3,
Assume your network has a strict requirement on security, only authorized administrators can
manage network devices, and the security and accuracy of transmitted network data need to be
ensured. For example, the data between the NM station and managed devices is transmitted over
a public network. In this case, SNMPv3 can be deployed. The authentication and encryption
functions provided by SNMPv3 ensure the security of data sending and normal communication
between the NM station and managed devices.
Before configuring a device to communicate with an NM station by running SNMPv3, complete
the following task:
l
Data Preparation
Before configuring a device to communicate with an NM station by running SNMPv3, you need
the following data.
Issue 02 (2013-12-31)
No.
Data
SNMP version, user name and user group name, address of the alarm destination host,
administrator's contact information and location, and maximum SNMP packet size
(Optional) ACL number, IP address of the NM station, and MIB object

queue length for trap messages, and lifetime of trap messages

324

Equipment
2 System Management
Configuring Basic SNMPv3 Functions

NM station.
Precautions
Ensure that the security level of the alarm host is higher than or equal to the user security level,
and the user security level is higher than or equal to the security level of the SNMP user group.
The security level can be (in descending order):
l
Level 1: privacy (authentication and encryption)
Level 2: authentication (without encryption)
Level 3: noauthentication (neither authentication nor encryption)
For example:
l
If the security level of the SNMP user group is level 1, the security level of both the user
and the alarm host must be level 1.
If the security level of the SNMP user group is level 2:

the security level of the user and the alarm host can be both level 1 or level 2.
the user security level is level 2, the security level of the alarm host can be level 1 or
level 2.
the user security level is level 1, the security level of the alarm host must be level 1.
.
Procedure
Step 1 Run:
system-view

snmp-agent

snmp-agent udp-port

Issue 02 (2013-12-31)

325

Equipment
2 System Management

By default, SNMPv3 is enabled. So, this step is optional.
Step 5 Run:
snmp-agent group v3 group-name { authentication | privacy | noauthentication }
An SNMPv3 user group is configured.

If the network or network devices are in an environment lacking security (for example, the
network is vulnerable to attacks), authentication or privacy can be configured in the command
to enable data authentication or encryption.
The available authentication and encryption modes are as follows:
l No authentication and no encryption: noauthentication is configured in the command. This
mode is applicable to secure networks managed by a specified administrator.
l Authentication without encryption: Only authentication is configured in the command. This
mode is applicable to secure networks managed by many administrators who may frequently
perform operations on the same device. In this mode, only the authenticated administrators
can access the managed device.
l Authentication and encryption: privacy is configured in the command. This mode is
applicable to insecure networks managed by many administrators who may frequently
perform operations on the same device. In this mode, only the authenticated administrators
can access the managed device, and transmitted data is encrypted to guard against tampering
and data leaking.
To send the alarms to the NM station, see the (Optional) Controlling the NM Station's Access
to the Device.
Step 6 Run the following commands as needed:
l On an IPv4 network, a managed device can send alarms in Inform or trap mode.
NOTE
The difference between alarms in trap and Inform modes is as follows:

l A managed device does not need to receive a response from the NMS when sending an alarm in
trap mode. Therefore, no remote engine ID needs to be configured on the managed device.
l A managed device needs to receive a response from the NMS when sending an alarm in Inform
mode. Therefore, specify the NMS engine ID on the managed device. The remote engine ID must
be the same as the engine ID of the destination host that receives the alarm. If the managed device
receives no response from the NMS within a timeout period, it resends the alarm until a response
is returned or the number of alarms reaches the configured upper limit.
The managed device sends the alarm in Inform mode and records an alarm log at the same time.
If the NMS or a link fails, the NMS can synchronize alarms generated during this period after the
fault is rectified.
Therefore, the alarm in Inform mode is more reliable than that in trap mode. However, a device needs
to cache massive alarm messages and consume a great number of memory resources due to the
retransmission mechanism.
If the network environment is stable, sending alarms in trap mode is recommended. If device resources
are sufficient and the network environment is unstable, sending alarms in Inform mode is
recommended.
The same destination host cannot be configured for Inform and trap messages. If the Inform and trap
messages share the same destination host, the latest configuration overrides the previous configuration.
Configure an alarm in trap mode.

Issue 02 (2013-12-31)

326

Equipment
2 System Management
1.
Run the snmp-agentusm-user v3 user-name [ group group-name | acl acl-name ]

command to configure an SNMPv3 user.
2.
Run the snmp-agentusm-user v3 user-name authentication-mode { md5 | sha }

{ cipher password } command to configure an authentication password for the SNMPv3
user.
3.
Run the snmp-agentusm-user v3 user-name privacy-mode { des56 | aes128 |

aes256 | 3des } [ cipher password ] command to configure an encryption password for
the SNMPv3 user.
4.
Run the snmp-agent target-host trap address udp-domain ip-address [ udp-port

port-number | source interface-type interface-number | { public-net | vpn-instance
vpn-instance-name } ] * params securityname security-string [ v1 | v2c | v3
[ authentication | privacy ] ] [ private-netmanager ] [ notify-filter-profile profilename | ext-vb ] * command to configure a destination host to which the device sends
alarms in trap mode and error codes.
Configure an alarm in Inform mode.

1.
Run the snmp-agent [ remote-engineid engineid ] usm-user v3 user-name [ group

group-name | acl acl-name ] command to configure an SNMPv3 user.
2.
Run the snmp-agent [ remote-engineid engineid ] usm-user v3 user-name

authentication-mode { md5 | sha } { cipher password } command to configure the
authentication password for the SNMPv3 user.
3.
Run the snmp-agent [ remote-engineid engineid ] usm-user v3 user-name privacymode { des56 | aes128 | aes256 | 3des } [ cipher password ] command to configure the
encryption password for the SNMPv3 user.
4.
Run the snmp-agent target-host inform ip-address [ udp-port port-number | source

{ interface-type interface-number | interface-name } | [ vpn-instance vpn-instancename | public-net ] ] * params securityname security-string v3 [ authentication |
privacy ] [ notify-filter-profile profile-name | ext-vb ] * command to configure an
NMS host to which the device sends alarms in Inform mode and error codes.

l The same destination host cannot be configured for Inform and trap messages. If the Inform
and trap messages share the same destination host, the latest configuration overrides the
previous configuration.
l The default destination User Datagram Protocol (UDP) port number is 162. In some special
cases (for example, port mirroring is configured to prevent a well-known port from being
attacked), the parameter udp-port can be used to specify a non-well-known UDP port
number. This ensures normal communication between the NM station and managed device.
source.
Issue 02 (2013-12-31)

327

Equipment
2 System Management
l An excess of alarms generated on the device may make fault location difficult. In this case,
the notify-filter-profile parameter can be configured in the command to allow the device to
filter out unwanted alarms and send only the needed alarms to the NM station. To make the
filtering policy take effect, you also need to configure notify-view in the snmp-agent
group command when configuring the user group.

rectification.
bytes.
----End
Follow-up Procedure
l
Access control allows any NM station in the configured SNMPv3 user group to monitor
and manage all the objects on the managed device.
The managed device sends alarms generated by the modules that are open by default to the
NM station.
If finer device management is required, follow directions below to configure the managed
device:
l
To allow a specified NM station in an SNMPv3 user group to manage specified objects of

the device (such as NM station with the specified IP address), follow the procedure
described in Controlling the NM Station's Access to the Device.
Issue 02 (2013-12-31)

328

Equipment
2 System Management

This section describes how to specify an NM station and manageable MIB objects for SNMPv3based communication between the NM station and managed device to improve communication
security.
Context
If a device is managed by multiple NM stations that are in the same SNMPv3 user group, note
the following points:
l
If all the NM stations need to have rights to access the objects in the Viewdefault view
(1.3.6.1), skip the following steps.
If some of the NM stations need to have rights to access the objects in the Viewdefault view
(1.3.6.1), skip Step5.
and Step4.
If some of the NM stations need to manage specified objects on the device, perform all the
following steps.
Procedure
Step 1 Run:
system-view

Step 2 Run:
acl acl-number
NOTE
Step 3 Run:
rule [ rule-id ] { deny | permit } source { source-ip-address source-wildcard |
any }

l If the address of a login user matches an ACL rule in which the specified action is permit,
the user is allowed to log in to the device.
l If the address of a login user matches an ACL rule in which the specified action is deny, the
user is not allowed to log in to the device.
l If the address of a login user is not within the address range specified in an ACL rule, the
login of the user is denied.
l If the ACL does not contain any rules or does not exist, the login of users is not subject to
the ACL, and users can log in to the device.
Issue 02 (2013-12-31)

329

Equipment
2 System Management
Step 4 Run:
quit

Step 5 Run:

l If a few MIB objects on the device or some objects in the current MIB view do not or no
longer need to be managed by the NM station, excluded needs to be specified in the command
managed by the NM station, included needs to be specified in the command to include these
MIB objects.
Step 6 Run:
snmp-agent acl

and SNMP users.
Step 7 Run:
snmp-agent group v3 group-name { authentication | privacy | noauthentication }
[ read-view read-view | write-view write-view | notify-view notify-view ]* [ acl
acl-number ]
The read and write permissions are configured for the user group.
l read-view needs to be configured in the command if the NM station administrator needs the
read permission in the specified view in some cases. For example, a low-level administrator
needs to read certain data. write-view needs to be configured in the command if the NM
station administrator needs the read and write permissions in the specified view in some
cases. For example, a high-level administrator needs to read and write certain data.
l notify-view needs to be configured in the command if you want to filter out irrelevant alarms
and configure the managed device to send only the alarms of specified MIB objects to the
NM station. If the parameter is configured, only the alarms of the MIB objects specified by
notify-view will be sent to the NM station. To make the filtering policy take effect, you also
need to configure notify-filter-profile in the snmp-agent target-host trap command when
configuring the NM station.
l To improve security, configuring privacy is recommended. If noauthentication is
configured, neither authentication nor encryption is performed. The security cannot be
guaranteed. If authentication is configured, only authentication is performed. If privacy is
configured, both authentication and encryption are performed. For details, see
authentication and encryption selection guide.
l If some NM stations that are in the same SNMPv3 user group need to have rights to access
the objects in the Viewdefault view (1.3.6.1), [ read-view read-view | write-view writeview | notify-view notify-view ] does not need to be configured in the command.
Issue 02 (2013-12-31)

330

Equipment
2 System Management
l If all the NM stations that are in the same SNMPv3 user group need to manage specified
objects on the device, acl acl-number does not need to be configured in the command.
l If some of the NM stations that are in the same SNMPv3 user group need to manage specified
objects on the device, both the MIB view and ACL need to be configured in the command.
----End
Follow-up Procedure

Procedure
Step 1 Run:
system-view

Step 2 Run:

----End

can be improved.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Issue 02 (2013-12-31)

331

Equipment
2 System Management
NOTE
following points:
Step 3 Run:
The undo snmp-agent trap enable feature-name command can be used to disable a trap
function of a module.
Step 4 Run:
The MIB-view is configured.
For SNMPv1 and SNMPv2c, the defaule mib-view is ViewDefault and the OID is 1.3.6.1. But
there is not any default mib-view, the user need to configure manually.
Step 5 Run:
snmp-agent notify-filter-profile { excluded
| included } profile-name oid-tree

At present, the snmp-agent notify-filter-profile command supports either the variable OID of
a character string or an object name. If the entered parameter is a character string, the asterisk
(*) can be used as the mask. The asterisk (*) can be placed only in the middle, not at the beginning
or end of the string.
Step 6 Run:

messages. Configuring the IP address of the local loopback interface as the source interface is
recommended, which can ensure device security.
The source interface specified on the ATN for trap messages must be consistent with that
specified on the NM station; otherwise, the NM station will not accept the trap messages sent
from the ATN.
Step 7 Run:

The source port is fixed, the packets can be filtered by firewall to improve the security of the
network.
Issue 02 (2013-12-31)

332

Equipment
2 System Management
Step 8 Run:
generates trap messages, a longer queue length can be set to prevent trap messages from being
lost.
Step 9 Run:

The lifetime of every trap message depends on the number of generated trap messages. If the
ATN frequently generates trap messages, a longer lifetime can be set for every trap message to
prevent trap messages from being lost.
----End

After SNMPv3 functions are configured, you can view the SNMPv3 configurations.
Prerequisites
The configurations of basic SNMPv3 functions are complete.
Procedure
l
Run the display snmp-agent usm-user [ engineid engineid | group group-name |

username user-name ]* command to check user information.
version.
device.
Run the display snmp-agent target-host command to view information about all
destination hosts, such as the IP addresses.


configurations.
Issue 02 (2013-12-31)

333

Equipment
2 System Management
----End
2.2.5 SNMP Configuration Examples

This section provides several configuration examples of SNMP. The configuration roadmap in
the examples will help you understand the configuration procedures. Each configuration
example provides information about the networking requirements, configuration notes, and
configuration roadmap.
Example for Configuring a Device to Communicate with an NM Station by Using

SNMPv1
This section provides an example to describe how to configure a device to communicate with
an NM station by using SNMPv1 and how to specify the MIB objects that can be managed by
the NM station.
As shown in Figure 2-12, two NM stations (NMS1 and NMS2) and the ATN are connected
across a public network. According to the network planning, NMS2 can manage every MIB
object on the ATN, and NMS1 does not manage the ATN.
On the ATN, only the modules that are enabled by default are allowed to send alarms to NMS2.
This prevents an excess of unwanted alarms from being sent to NMS2. Excessive alarms can
make faults location difficult.
Equipment administrator's contact information needs to be configured on the ATN. This allows
the NMS administrator to contact the equipment administrator quickly if a fault occurs.
Figure 2-12 Networking diagram for configuring a device to communicate with an NM station
by using SNMPv1
NMS1
1.1.1.1/24
IP Network
GE0/2/0
1.1.2.1/24
ATN
NMS2
1.1.1.2/24
Issue 02 (2013-12-31)

334

Equipment
2 System Management
1.
Enable the SNMP agent.
2.
Configure the ATN to run SNMPv1.
3.
Configure an ACL to allow NMS2 to manage every MIB object on the ATN.
4.
Configure the trap function to allow the ATN to send alarms to NMS2.
5.
Configure the equipment administrator's contact information on the ATN.
6.
Configure NMS2.
Data Preparation
l
SNMP version
Community name
ACL number
IP address of the NM station
Equipment administrator's contact information
Procedure
Step 1 Configure available routes between the ATN and the NM stations. Details for the configuration
procedure are not provided here.
Step 2 Enable the SNMP agent.
[HUAWEI] snmp-agent
Step 3 Configure the ATN to run SNMPv1.

[HUAWEI] snmp-agent sys-info version v1
# Check the configured SNMP version.

[HUAWEI] display snmp-agent sys-info version
SNMP version running in the system:
SNMPv1
Step 4 Configure the NM stations' access rights.

# Configure an ACL to allow NMS2 to manage and disallow NMS1 from managing the ATN.
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule 5 permit source 1.1.1.2 0.0.0.0
[HUAWEI-acl-basic-2001] rule 6 deny source 1.1.1.1 0.0.0.0
[HUAWEI-acl-basic-2001] quit
# Configure a MIB view and allow NMS2 to manage every MIB object on the ATN.
[HUAWEI] snmp-agent mib-view excluded allexthgmp 1.3.6.1.4.1.2011.6.7
# Configure a community name to allow NMS2 to manage the objects in the MIB view.
[HUAWEI] snmp-agent community write adminnms2 mib-view allexthgmp acl 2001
Step 5 Configure the trap function.

[HUAWEI] snmp-agent target-host trap address udp-domain 1.1.1.2 params securityname
1.1.3.1
[HUAWEI] snmp-agent trap source loopbak0
Issue 02 (2013-12-31)

335

Equipment
2 System Management
[HUAWEI] snmp-agent trap queue-size 200

[HUAWEI] snmp-agent trap life 60
Step 6 Configure the equipment administrator's contact information.

[HUAWEI] snmp-agent sys-info contact call Operator at 010-12345678
Step 7 Configure NMS2.

For details on how to configure NMS2, see the relevant NMS configuration guide.
After the configurations are complete, run the following commands to verify that the
configurations have taken effect.
# Check information about the SNMP community name.
<HUAWEI> display snmp-agent community
Community name:adminnms2
Group name:adminnms2
Acl:2001
Storage-type: nonVolatile
# Check the configured ACL.

Basic ACL 2001, 2 rules
ACL's step is 5
rule 5 permit source 1.1.1.2 0 (0 times matched)
rule 6 deny source 1.1.1.1 0 (0 times matched)
# Check the MIB view.

<HUAWEI> display snmp-agent mib-view viewname allexthgmp
View name:allexthgmp
MIB Subtree:hwCluster
Subtree mask:FF80(Hex)
View Type:excluded
View status:active
# Check the target host.

<HUAWEI> display snmp-agent target-host
Target-host NO. 1
----------------------------------------------------------IP-address
: 1.1.1.2
VPN instance : Security name : 1.1.3.1
Port
: 162
Type
: trap
Version
: v1
Level
NMS type
: NMS
-----------------------------------------------------------
# When an alarm is generated, run the display trapbuffer command to view the details.
<HUAWEI> display trapbuffer
Trapping buffer configuration and contents : enabled
Allowed max buffer size : 1024
Actual buffer size : 256
Channel number : 3 , Channel name : trapbuffer
Dropped messages : 0
Overwritten messages : 0
Current messages : 98
Issue 02 (2013-12-31)

336

Equipment
2 System Management
#Oct 11 2011 18:57:59+00:00 HUAWEI DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011

.5.25.191.3.1 configurations have been changed. The current change number is 95,
the change loop count is 0, and the maximum number of records is 4095.
# Check the equipment administrator's contact information.

<HUAWEI> display snmp-agent sys-info contact
The contact person for this managed node:
call Operator at 010-12345678
----End
Configuration Files
Configuration file of the ATN
#
snmp-agent trap type base-trap
#
acl number 2001
#
undo shutdown
ip address 1.1.2.1 255.255.255.0
#
interface loopback0
ip address 1.1.3.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.2.0 0.0.0.255
network 1.1.3.1 0.0.0.0
#
snmp-agent
snmp-agent local-engineid 000007DB7FFFFFFF00001AA7
snmp-agent community write %$%$Db~UGr>IxJXYc$%b8U2%u~6-%$%$ mib-view allexthgmp
acl 2001
snmp-agent sys-info contact call Operator at 010-12345678
snmp-agent target-host trap address udp-domain 1.1.1.2 params securityname
1.1.3.1
snmp-agent
snmp-agent
snmp-agent
snmp-agent
return
mib-view excluded allexthgmp hwCluster

trap source loopback0
trap queue-size 200
trap life 60

SNMPv2c
an NM station by using SNMPv2c and how to specify the MIB objects that can be managed by
the NM station.
Issue 02 (2013-12-31)

337

Equipment
2 System Management
make faults location difficult. Informs need to be used to ensure that alarms are received by
NMS2 because alarms sent by the ATN have to travel across the public network to reach NMS2.
by using SNMPv2c
NMS1
1.1.1.1/24
IP Network
GE0/2/0
1.1.2.1/24
ATN
NMS2
1.1.1.2/24
1.
2.
Configure the ATN to run SNMPv2c.
3.
Configure an ACL to allow NMS2 to manage every MIB object on the ATN.
4.
Configure the ATN to send informs to NMS2 to ensure alarm sending reliability.
5.
6.
Configure NMS2.
Data Preparation
l
SNMP version
Community name
ACL number
Issue 02 (2013-12-31)

338

Equipment
2 System Management
Procedure
[HUAWEI] snmp-agent
Step 3 Configure the ATN to run SNMPv2c.

[HUAWEI] snmp-agent sys-info version v2c

SNMPv2c

[HUAWEI] acl 2001
# Configure a MIB view.

[HUAWEI] snmp-agent mib-view excluded allexthgmp 1.3.6.1.4.1.2011.6.7
# Configure a community name to allow NMS2 to manage the objects in the MIB view.
[HUAWEI] snmp-agent community write adminnms2 mib-view allexthgmp acl 2001

[HUAWEI] snmp-agent target-host inform address udp-domain 1.1.1.2 params
securityname 1.1.2.1
[HUAWEI] snmp-agent inform timeout 15 resend-times 3 pending 39
[HUAWEI] snmp-agent notification-log enable
[HUAWEI] snmp-agent notification-log global-ageout 8

Step 7 Configure NMS2.

# Check information about the SNMP community name.
<HUAWEI> display snmp-agent community
Community name:adminnms2
Group name:adminnms2
Acl:2001

Issue 02 (2013-12-31)

339

Equipment
Basic
ACL's
rule
rule
2 System Management
ACL 2001, 2 rules

step is 5
5 permit source 1.1.1.2 0 (0 times matched)
6 deny source 1.1.1.1 0 (0 times matched)

<HUAWEI> display snmp-agent mib-view viewname allexthgmp
View name:allexthgmp
MIB Subtree:hwCluster
Subtree mask:FF80(Hex)
View Type:excluded
View status:active

Target-host NO. 1
----------------------------------------------------------IP-address
: 1.1.1.2
VPN instance : Security name : 1.1.2.1
Port
: 162
Type
: trap
Version
: v1
Level
NMS type
: NMS
With ext-vb:
: No
-----------------------------------------------------------

----End
Configuration Files
#
#
acl number 2001
#
undo shutdown
Issue 02 (2013-12-31)

340

Equipment
2 System Management
ip address 1.1.2.1 255.255.255.0

#
ospf 1
area 0.0.0.0
network 1.1.2.0 0.0.0.255
#
snmp-agent
snmp-agent local-engineid 000007DB7FFFFFFF00001AA7
snmp-agent community write %$%$Db~UGr>IxJXYc$%b8U2%u~6-%$%$ mib-view allexthgmp
acl 2001
snmp-agent target-host inform address udp-domain 1.1.1.2 params securityname
1.1.2.1
snmp-agent
snmp-agent
snmp-agent
snmp-agent
#
return
mib-view excluded allexthgmp hwCluster

inform timeout 15 resend-times 3 pending 39
notification-log enable
notification-log global-ageout 8

SNMPv3
an NM station by using SNMPv3 and how to specify the MIB objects that can be managed by
the NM station.
make faults location difficult.
The data transmitted between NMS2 and the ATN needs to be encrypted and the NMS
administrator needs to be authenticated because the data has to travel across the public network.
Issue 02 (2013-12-31)

341

Equipment
2 System Management
by using SNMPv3
NMS1
1.1.1.1/24
IP Network
GE0/2/0
1.1.2.1/24
ATN
NMS2
1.1.1.2/24
1.
2.
Configure the ATN to run SNMPv3.
3.
Configure an ACL to allow NMS2 to manage every MIB object on the ATN and configure
data encryption.
4.
Configure the trap function to allow the ATN to send alarms to NMS2.
5.
6.
Configure NMS2.
Data Preparation
l
SNMP version
User group name
User name and password
Authentication and encryption algorithms
ACL number
Procedure
[HUAWEI] snmp-agent
Issue 02 (2013-12-31)

342

Equipment
2 System Management
Step 3 Configure the ATN to run SNMPv3.

[HUAWEI] snmp-agent sys-info version v3

SNMPv3

[HUAWEI] acl 2001
# Configure a MIB view.

[HUAWEI] snmp-agent mib-view included testview iso
# Configure an SNMPv3 user group and add a user to the group, and configure authentication
for the NMS administrator and encryption for the data transmitted between the ATN and NMS2.
[HUAWEI] snmp-agent usm-user v3 testuser testgroup authentication-mode md5
hello87654321 privacy-mode des56 user87654321
[HUAWEI] snmp-agent group v3 testgroup privacy write-view testview notify-view
testview acl 2001

[HUAWEI]
testuser
[HUAWEI]
[HUAWEI]
[HUAWEI]

snmp-agent trap source loopback0
snmp-agent trap queue-size 200
snmp-agent trap life 60

Step 7 Configure the NMS2.

# Check information about the user group.
<HUAWEI> display snmp-agent group testgroup
Group name: testgroup
Security model: v3 noAuthnoPriv
Readview: ViewDefault
Writeview: testview
Notifyview: testview
Acl:2001
# Check information about the user.

<HUAWEI> display snmp-agent usm-user
User name: testuser
Issue 02 (2013-12-31)

343

Equipment
2 System Management
Engine ID: 000007DB7F00000100004C3F active

Group name:testgroup

Basic ACL 2001, 2 rules
ACL's step is 5
rule 5 permit source 1.1.1.2 0 (0 times matched)

<HUAWEI> display snmp-agent mib-view viewname testview
View name:testview
MIB Subtree:iso
Subtree mask:
View Type:included
View status:active

Target-host NO. 1
----------------------------------------------------------IP-address
: 1.1.1.2
Source interface : VPN instance
: Security name
: testuser
Port
: 162
Type
: trap
Version
: v1
Level
NMS type
: NMS
With ext-vb:
: No
-----------------------------------------------------------

----End
Configuration Files
#
Issue 02 (2013-12-31)

344

Equipment
2 System Management
#
acl number 2001
#
undo shutdown
ip address 1.1.2.1 255.255.255.0
#
interface loopback0
ip address 1.1.3.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.2.0 0.0.0.255
network 1.1.3.1 0.0.0.0
#
snmp-agent
snmp-agent local-engineid 000007DB7FFFFFFF000004A7
snmp-agent group v3 testgroup write-view testview notify-view testview acl 2001
snmp-agent group v3 testgroup privacy
testuser
snmp-agent mib-view included testview iso
snmp-agent usm-user v3 testuser testgroup authentication-mode md5 `,+VK;'MYJF=,/
<97âP^1!! privacy-mode des56 `,+VK;'MYJF=,/<97âP^1!!
snmp-agent trap source loopback0
snmp-agent trap queue-size 200
#
return
2.3 RMON and RMON2 Configuration

This chapter describes how to monitor the Ethernet interface through Remote Network
Monitoring (RMON) and Remote Network Monitoring Version 2 (RMON2).
2.3.1 Overview of RMON and RMON2

This section describes RMON and RMON2.
Introduction
This part describes working principles of and differences between RMON and RMON2.
RMON
RMON is implemented based on the Simple Network Management Protocol (SNMP)
architecture, and is compatible with the existing SNMP framework. There are two concepts
involved in RMON, namely, the Network Management Workstation (NM Station) and the agent.
An RMON agent collects the statistics of the traffic in a network, including the number of packets
on a network segment within a period and the number of correct packets sent to a host.
Compared with SNMP, RMON monitors remote network devices more efficiently and actively.
It provides an efficient solution to monitor the running of sub-networks, which reduces the
communication traffic between the NM Station and the agent. Large-sized networks can
therefore be managed in a simple and effective manner.
Issue 02 (2013-12-31)

345

Equipment
2 System Management
RMON allows multiple monitors. It collects data in the following ways:

l
Use a dedicated RMON Probe.

The NM Station obtains management information directly from the RMON Probe and
controls network resources. This ensures that the NM Station can obtain overall information
on the RMON MIB.
Embed an RMON agent into a network device (a ATN for example) to enable the device
to be of the RMON Probe capability.
The NM Station uses the basic SNMP commands for exchanging data with the RMON
agent and collecting the network management information. This process is restricted by
device resources and hence the NM Station collects only information on four groups (alarm,
event, history, and statistics) and not the complete information on the RMON MIB.
Currently, the ATN implements the monitoring and statistics collection function only on the
Ethernet interfaces of network devices.
RMON2
RMON2 is one of the RMON MIB standards. It functions as a supplement to RMON and adds
some new groups. RMON monitors the traffic only at the MAC layer whereas RMON2 can
monitor the traffic at the MAC layer and above it (here, the MAC layer refers to the Ethernet
layer). RMON and RMON2 are both used to monitor Ethernet links.
RMON2 can decode data packets of Layer 3 to Layer 7 in the OSI model.
An RMON2 agent provides the following functions:
l
Monitors the traffic based on the network layer protocols and addresses, including the IP
protocol.
An agent can learn its connected external LAN network segments and monitor the traffic
entering the LAN through the ATN.
Records the incoming and outgoing traffic to and from a specific application because it is
capable of decoding and monitoring the traffic of applications, such as email, FTP, and
WWW.
As defined in RFC 2021, RMON2 contains the following MIB groups: protocolDir,
protocolDist, addressMap, nlHost, nlMatrix, alHost, alMatrix, usrHistory, ProbeConfig, and
rmonConformance.
RMON and RMON2 Suported by the ATN

This part describes the support for RMON and RMON2 on the ATN.
Features of RMON
The ATN implements RMON by embedding agent modules to network devices to form a
complete system with other modules. The RMON Network Management System (NMS) is
completely compatible with the SNMP NMS; so, the administrator can handle it properly without
additional training.
RMON in the ATN supports four groups, namely, statistics, history, alarm, and event, as defined
in RFC 2819, and a Performance-MIB defined by Huawei. The following describes each group.
Issue 02 (2013-12-31)

346

Equipment
2 System Management
Statistic group
The statistics group collects the basic statistics of each monitored sub-network. The
statistics include date flows on a network segment, distribution of various packets, error
frames, and collisions.
The statistics group has one table: ethernetStatsTable.
NOTE
The RMON statistics result is not consistent with the output of the display interface command.
Although data is collected from the bottom layer in both the cases, the RMON information is more
comprehensive.
History group
A history group periodically collects the network state statistics and stores them for future
reference. The history group has the following tables:
historyControlTable: is used to set the control information, such as sampling intervals.
etherHistoryTable: provides network administrators with other history statistics, such
as the traffic on a network segment, error packets, broadcast packets, utilization, and
collisions.
Each entry in the historyControlTable corresponds to a maximum of 10 pieces of history
records in the etherHistoryTable. The previous pieces are overwritten in a circular
manner if the threshold of records in etherHistoryTable is crossed.
Alarm group
An alarm group allows predefining a set of thresholds for alarm variables (any object in
the local MIB). A monitor records logs or sends trap messages to the NM Station when the
sampled data in a certain direction crosses a threshold.
As defined in RFC 2819, the alarm function has a hysteresis mechanism to limit the
generation of alarms. If this mechanism is adopted, an alarm event is generated when the
sampled data in a direction crosses the threshold. No more events will be generated until
the sampled data in the opposite direction crosses the threshold.
The ATN does not apply this mechanism because it will not generate the alarms for a long
period. For the ATN, the alarms are re-generated if the sampling value turns to the normal
threshold.
The alarm group contains one table: alarmTable.
Event group
An event group stores all the events generated by the RMON agent in a table. It records
logs or sends trap messages to the NM Station when an event occurs.
The event group implements the output of three events: log, trap, and log-trap. Each event
entry corresponds to a maximum of 10 pieces of logs. The previous logs are overwritten in
a circular manner if the threshold of logs is crossed.
The event group has two tables: eventTable and logTable.
Performance-MIB
The RMON prialarm group is an enhancement of alarmTable defined in RFC 2819.
Compared with the alarmTable, the RMON prialarm group supports the setting of alarm
objects and time spans of alarm entries through expressions.
The RMON Performance-MIB has one table: prialarmTable.
Issue 02 (2013-12-31)

347

Equipment
2 System Management
In the ATN, to save system resources, each entry is given a specific time span. The time
span indicates the period for an entry to keep the invalid state. The entry is deleted when
the time span goes down to 0.
Table 2-9 shows the capacity of various tables and the maximum time span of each table.
Table 2-9 Time span of each table
Table
Entry Capacity (Byte)
Maximum Time Span(s)
ethernetStatsTable
100
600
historyControlTable
100
600
alarmTable
60
6000
eventTable
60
600
logTable
600
prialarmTable
50
6000
When an interface board or an interface card is removed, the corresponding entries in the
ethernetStatsTable and historyControlTable become invalid. If the time spans of tables are
respectively set to 1200s, the entries in the tables are deleted when the time spans go down
to 0.
If an interface is added before its corresponding entries are deleted from the table, these
entries can take effect again.
Features of RMON2
Currently, the ATN supports only two MIBs in RMON2: protocolDir and nlHost.
nlHost supports only the network layer host group but not the application layer host group. That
is, host control at the application layer and alHostTable are not implemented in the
hostControlTable. So, only IP can be set in the protocol directory group and other protocols are
invalid.
2.3.2 Configuring RMON

This section describes how to monitor the network status and traffic through RMON.
Before You Start

Before configuring RMON, familiarize yourself with the usage scenario, complete the preconfiguration tasks, and obtain the required data. This can help you complete the configuration
To monitor network status and collect traffic statistics on a network segment, you can configure
RMON.
Issue 02 (2013-12-31)

348

Equipment
2 System Management
Enabling the RMON function does not need any special requirement. You can enable it in
advance, or configure it when you suspect that the traffic of the sub-network where interface
resides is abnormal. You can configure RMON depending on actual situations.
It is recommended to configure the statistics table in advance, configure two history control
policies on the interface where the traffic is abnormal, configure the alarm for one or more
suspicious entries, set the high and low thresholds, and view the alarm information.
NOTE
RMON only stores traffic statistics and information or abnormalities but cannot avoid the generation of
these statistics or information. To clear abnormalities, you need to adopt the other management measures.
Before configuring RMON, complete the following tasks:
l
Configuring parameters for Ethernet interfaces
Configuring basic SNMP functions
Data Preparation
To configure RMON, you need the following data.
No.
Data
Interface on which the statistics function is enabled
Statistics table to be used and related parameters
HistoryControl table to be used and related parameters
Event table to be used and related parameters
Alarm table to be used and related parameters
Prialarm table to be used and related parameters
Enabling the RMON Statistics Function on the Interface

You need to enable traffic statistics function on the interface where traffic statistics are collected.
If the traffic statistics function is not enabled on the interface, statistics values of in both
ethernetStatsTable and HistoryControlTable are 0.
Context
Perform the following steps on the ATN on which traffic statistics should be collected:
Procedure
Step 1 Run:
system-view
Issue 02 (2013-12-31)

349

Equipment
2 System Management

Step 2 Run:
interface { ethernet | gigabitethernet } interface-number
The interface view is displayed.

Step 3 Run:
rmon-statistics enable
The RMON statistics function is enabled on the interface.

If the statistics function is not enabled on the interface, the statistics value in ethernetStatsTable
and historyControlTable of RMON is 0.
----End
Configuring the ethernetStatsTable

EthernetStatsTable records traffic information that RMON collects on interfaces.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
rmon statistics entry-number [ owner owner-name ]
The ethernetStatsTable is configured.

To monitor the statistics of an interface on a device, a network administrator needs to create a
table entry for this interface and specify the interface OID, entry index, and entry state. The
network administrator can then read the corresponding entry to obtain the latest statistics.
----End
Configuring the HistoryControlTable

HistoryControlTable provides the historical data management function. With this function, you
can sample traffic of a certain interface, set the maximum number of items to be saved and the
sampling interval, collect traffic statistics on the specific interface periodically, and save the
statistics to etherHistoryTable for future use.
Issue 02 (2013-12-31)

350

Equipment
2 System Management
Context
As recommended by the RMON specifications, each monitored interface should be configured
with more than two history control entries. One entry is sampled every 30 seconds while another
entry is sampled every 30 minutes.
The short sampling interval enables a monitor to probe the sudden changes of traffic modes, and
the long sampling interval is applicable if the interface status is relatively stable.
Currently, the ATN reserves up to 10 pieces of the latest records for each history control entry.
NOTE
To reduce the effect on the performance of the system, the sampling interval of the history table should be
longer than 10 seconds, and the same port should not be configured with too many history control entries
and alarm entries.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
rmon history entry-number buckets number interval sampling-interval [ owner ownername ]
The historyControlTable is configured.

----End
Configuring the EventTable

After EventTable is configured, when the number of events exceeds the alarm threshold, the
router generates logs, sends traps, or generates logs and sends traps.
Context
Perform the following steps on the ATN that is monitored:
The RMON event management module is responsible for adding events to the corresponding
rows in the eventTable and defining the methods of processing events:
l
log: sending only logs
log-trap: sending both logs and trap messages to the Network Management System (NMS)
none: marking that no event occurs
trap: sending trap messages to the NMS
Issue 02 (2013-12-31)

351

Equipment
2 System Management
Procedure
Step 1 Run:
system-view

Step 2 Run:
rmon event entry-number [ description string ] { log | trap object | log-trap
object | none } [ owner owner-name ]
The eventTable is configured.

----End
Configuring the AlarmTable

The RMON alarm management function monitors a specified trap variable identified by its OID
at a specified sampling interval. When the monitored variable exceeds the defined threshold, an
alarm is generated.
Context
The RMON alarm management is responsible for monitoring a specified alarm variable
(identified by OID) at a specified sampling interval. An alarm event occurs when the monitored
variable exceeds the defined threshold. Generally, the event is recorded in the log table, or
RMON sends a trap message to the NM Station.
If the events that correspond to the alarm upper limit and lower limit (event-entry1, evententry2) are not configured in the eventTable, an alarm is not generated even if the alarm condition
is satisfied. At this time, the status of alarm recording is undercreation and not VALID.
If an event corresponding to either the alarm upper limit or the alarm lower limit is configured,
an alarm is triggered once the alarm condition is satisfied. (At this time, the status of alarm
recording is VALID.) If an incorrect alarm variable is configured (for example, an inexistent
OID is specified), the status of alarm recording is undercreation and no alarm is generated.
Perform the following steps on the ATN that is monitored:
Procedure
Step 1 Run:
system-view

Step 2 Run:
rmon alarm entry-number alarm-OID sampling-time { absolute | changeratio | delta }
rising-threshold threshold-value1 event-entry1 falling-threshold threshold-value2
event-entry2 [ owner owner-name ]
The alarmTable is configured.

Step 3 (optional) Run:
snmp-agent trap feature-name rmon trap-name description description-text
Issue 02 (2013-12-31)

352

Equipment
2 System Management
The traps of rmon feature are configured.

----End
Configuring the PrialarmTable

Compared with AlarmTable, PrialarmTable is enhanced with the function of setting the trap
object through an expression.
Context
Based on the alarmTable in RFC 2819, the RMON prialarm management is enhanced with two
functions: setting the alarm object in the form of expressions and limiting the time to live (TTL)
value of a prialarm entry.
Compared with the alarmTable, the prialarmTable has several additional entries:
l
Expression of alarm variables. It can be an arithmetic expression composed of the OIDs of

alarm variables (+, -, *, / or brackets).
Description of the prialarm entry in a character string.
Prialarm state period, in seconds. It must be larger than the sampling interval.
Two prialarm state types: Forever or Cycle. If Cycle is set, an alarm does not occur and the
entry is deleted after the specified prialarm state period.
If the events that correspond to the alarm upper limit and lower limit (event-entry1, evententry2) are not configured in the eventTable, an alarm does not occur even if the alarm conditions
are satisfied. (The alarm record is in the undercreation state rather than in the VALID state.)
If either the alarm upper limit event or the alarm lower limit event is configured, the alarm is
triggered once the conditions for an alarm are satisfied. (The alarm record is in the VALID state.)
Perform the following steps on the ATN that is monitored.
Procedure
Step 1 Run:
system-view

Step 2 Run:
rmon prialarm entry-number prialarm-formula description-string sampling-interval
{ absolute | changeratio | delta } rising-threshold threshold-value1 event-entry1
falling-threshold threshold-value2 event-entry2 entrytype { cycle entry-period |
forever } [ owner owner-name ]
The prialarmTable is configured.

----End

After configuring RMON, you can view the traffic statistics collected by RMON.
Issue 02 (2013-12-31)

353

Equipment
2 System Management
Prerequisites
The configurations of the RMON are complete.
Procedure
l
Run the display rmon alarm [ entry-number ] command to view the RMON alarm
information.
Run the display rmon event [ entry-number ] command to view the RMON events.
Run the display rmon eventlog [ entry-number ] command to view the RMON event logs.
Run the display rmon history [ ethernet interface-number | gigabitethernet interfacenumber ]command to view the RMON history information.
Run the display rmon prialarm [ entry-number ] command to view the information of the
RMON prialarmTable.
Run the display rmon statistics [ ethernet interface-number | gigabitethernet interfacenumber ] command to view the RMON statistics.
----End
2.3.3 Configuring RMON2

This section describes how to configure RMON2 to monitor the traffic of a certain interface, to
analyze the source and destination data transmitted through the interface, and collect the statistics
on the data of each host that passes through the interface.
Before You Start

Before configuring RMON2, familiarize yourself with the usage scenario, complete the preconfiguration tasks, and obtain the required data. This can help you complete the configuration
By configuring RMON2, you can monitor the traffic on an Ethernet interface that connects to
the network, analyze the hosts the data on the interface comes from and goes to, and collect
statistics of the data passing through the interface from each host on the network.
Before configuring RMON2, configure parameters for Ethernet interface.
l
Configuring parameters for Ethernet interfaces
Data Preparation
To configure RMON2, you need the following data.
Issue 02 (2013-12-31)

354

Equipment
2 System Management
No.
Data
Values of the hlHostControlDataSource and hlHostControlStatus in the

hlHostControlTable
Values of the protocolDirDescr and protocolDirHostConfig in the protocolDirTable
Configuring the hlHostControlTable

HlHostControlTable is used to monitor the traffic of a specific host.
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
rmon2 hlhostcontroltable index ctrl-index [ datasource interface { interface-type
interface-number } ] [ maxentry maxentry-value ] [ owner owner-name ] [ status
{ active | inactive } ]
The hlHostControlTable is monitored.

To collect traffic statistics on an interface, create entries for the hlHostControlTable on the
interface.
The index is used to determine if there is a need to create an entry or to change the existing entry.
Configure the datasource interface(namely hlHostControlDataSource) parameter to create an
entry. Only a single entry can be created in the hlHostControlTable for each interface, and the
entry cannot be created repeatedly.
When the hlHostControlStatus value is set to inactive, all related entries in the host table are
deleted automatically.
When the hlHostControlStatus value is set to active, you cannot change the
hlHostControlDataSource and hlHostControlNlMaxDesiredEntries values.
When the physical status of the interface that corresponds to the hlHostControlDataSource is
Down and the hlHostControlStatus value is active, the state is switched to notinservice
automatically. The status displayed in the command output is "plug-out" while on the NM
Station, the status displayed is "notinservice". In this case, users can delete the entry but they
cannot change it. When the interface status turns to Up, the status of the hlHostControlTable
becomes active again.
If an interface that corresponds to the hlHostControlDataSource in an entry is deleted, the entry
is deleted at the same time.
----End
Issue 02 (2013-12-31)

355

Equipment
2 System Management
Configuring the ProtocolDirTable

RMON2 can collect only the IP packet statistics on Ethernet interfaces.
Context
Procedure
Step 1 Run:
system-view
Step 2 Run:
rmon2 protocoldirtable protocoldirid protocol-id parameter parameter-value [ descr
description-string ] [ host { notsupported | supportedon | supportedoff } ]
[ owner owner-name ] [ status { active | inactive } ]
The protocolDirTable is configured.

The RMON2 supports the traffic statistics of IP packets only on Ethernet interfaces. Since a
single protocol corresponds to an entry, this table currently has only one entry.
l When an entry is created or the entry status (protocolDirStatus) is set to active, both
parameter (equivalent to protocolDirDescr) and host (equivalent to
protocolDirHostConfig) must be set at the same time.
l When the protocolDirStatus is set to active, the value in the protocolDirDescr cannot be
changed.
If the protocolDirHostConfig value is notsupported, it cannot be changed into other
values.
If the value is not notsupported, it can be switched between supportedon and
supportedoff.
When the protocolDirHostConfig value changes from supportedon to supportedoff, the
corresponding entry in the hlHostControlTable is deleted.
l When the protocolDirStatus is set to inactive, the corresponding entry in the hlHostTable is
deleted.
----End

After configuring RMON2, you can view the traffic statistics collected by RMON2.
Prerequisites
The configurations of the RMON2 are complete.
Procedure
Step 1 Run the display rmon2 protocoldirtable command to view the information about the
protocolDirTable.
Issue 02 (2013-12-31)

356

Equipment
2 System Management
Step 2 Run the display rmon2 hlhostcontroltable [ index ctrl-index ] command to view the
information about the hlHostControlTable.
Step 3 Run the display rmon2 nlhosttable [ hostcontrolindex ctrl-index ] [ timemark time-value ]
[ protocoldirlocalindex protocol-local-index ] [ hostaddress ip-address ] command to view
the information about the nlHostTable.
----End
2.3.4 RMON And RMON2 Configuration Examples

This section provides examples for configuring RMON and RMON2, and illustrates the
networking requirements, configuration roadmap, and configuration notes.
Example for Configuring RMON

This part provides examples for configuring RMON to collect the traffic statistics on an interface.
When the traffic exceeds the threshold, the router generates logs.
As shown in Figure 2-15, it is required to monitor a sub-network connected to GE0/2/1,
involving:
l
Collecting realtime statistics and history statistics about traffic and various packets.
Enabling the alarm monitoring function for the traffic (in bytes) passing through the
interface and enabling the log function when the traffic sent in one minute exceeds the set
value.
Monitoring the broadcast and multicast packets on the sub-network and enabling the alarm
function for these packets. The system then automatically reports the alarm to the NM
Station when the broadcast and multicast streams on the sub-network exceed the set value.
Figure 2-15 Networking diagram of RMON configuration
IP Network
NM Station
1.1.1.1/24
GE0/2/1
3.3.3.1/24
GE0/2/0
2.2.2.1/24
LAN
ATN
Issue 02 (2013-12-31)

357

Equipment
2 System Management
1.
Execute the SNMP configuration command in advance to enable sending Trap messages
and configure the community name.
2.
Enable collecting statistics and configure the ethernetStatsTable.
3.
Configure the History Control Table.
4.
Configure the EventTable.
5.
Configuring the AlarmTable.
6.
Configure the PrialarmTable.
Data Preparation
l
Interval for sampling information
Threshold for triggering alarm events
Procedure
Step 1 Configure routes between the Example for Configuring RMON and the NM Station. The detailed
configuration procedure is not mentioned here.
Step 2 Enable sending Trap messages to the NM Station.
# Enable the Trap function.
[HUAWEI] snmp-agent trap enable
[HUAWEI] snmp trap enable feature-name rmon non-excessive all
# Set Trap messages to be sent to the specified NM Station.

[HUAWEI] snmp-agent target-host trap address udp-domain 1.1.1.1 params securityname
public
Step 3 Enable collecting statistics.

# Enable the statistics function on an RMON interface.
[HUAWEI] interface gigabitethernet0/2/1
[HUAWEI-GigabitEthernet0/2/1] rmon-statistics enable
# Configure the ethernetStatsTable.

[HUAWEI-GigabitEthernet0/2/1] rmon statistics 1 owner Test300
Step 4 Configure the historyControlTable.

# Set RMON to sample the traffic every 30 seconds and save the latest 10 pieces of history
records.
[HUAWEI-GigabitEthernet0/2/1] rmon history 1 buckets 10 interval 30 owner Test300
Step 5 Configure the eventTable.

# Set recording logs for RMON event 1, and set sending Trap messages to the NM Station for
event 2.
[HUAWEI] rmon event 1 log owner Test300
Issue 02 (2013-12-31)

358

Equipment
2 System Management
[HUAWEI] rmon event 2 description forUseofPrialarm trap public owner Test300
Step 6 Configure the alarmTable.

# Set the sampling interval and set the threshold that triggers event 1.
[HUAWEI] rmon alarm 1 1.3.6.1.2.1.16.1.1.1.6.1 30 absolute rising-threshold 500 1
falling-threshold 100 1 owner Test300
Step 7 Configure the prialarmTable.

# Configure RMON to perform sampling every 30 seconds for the total number of broadcast
and multicast packets in the ethernetStatsTable. If the delta sampled value is larger than the
maximum threshold value 1000 or less than the minimum threshold value 0, event 2 is triggered,
and Trap messages are sent to the NM Station.
[HUAWEI] rmon prialarm 1 .1.3.6.1.2.1.16.1.1.1.6.1+.1.3.6.1.2.1.16.1.1.1.7.1
sumofbroadandmulti 30 delta rising-threshold 1000 2 falling-threshold 0 2 entrytype
forever owner Test300
# View information about the prialarmTable.

<HUAWEI> display rmon prialarm 1
Prialarm table 1 owned by Test300 is VALID.
Samples delta value
: .1.3.6.1.2.1.16.1.1.1.6.1+.1.3.6.1.2.1.16.1.1.1.7.1
Sampling interval
: 30(sec)
Rising threshold
: 1000(linked with event 2)
Falling threshold
When startup enables
: risingOrFallingAlarm
This entry will exist
: forever.
Latest value
: 16
# Display the event logs.

<HUAWEI> display rmon eventlog
Event table 1 owned by Test300 is VALID.
Generates eventLog 1.1 at 0days 00h:39m:30s.
Description: The 1.3.6.1.2.1.16.1.1.1.6.1 defined in alarm table 1,
less than(or =) 100 with alarm value 0. Alarm sample type is absolute.
The NM Station receives trap messages when the set prialarm variable exceeds the preset
threshold.
# Verify the configuration result. You can check the traffic information about the sub-network
at any time.
<HUAWEI> display rmon statistics gigabitethernet 0/2/1
Statistics entry 1 owned by Test300 is VALID.
Interface : GigabitEthernet0/2/1<ifEntry.402653698>
Received :
octets
:142915224 , packets
:1749151
broadcast packets
:11603
, multicast packets:756252
undersized packets :0
, oversized packets:0
fragments packets
:0
, jabbers packets :0
CRC alignment errors:0
, collisions
:0
Dropped packet (insufficient resources):1795
Packets received according to length (octets):
64
:150183
, 65-127 :150183
, 128-255 :1383
256-511:3698
, 512-1023:0
, 1024-1518:0
# Verify the configuration. Only the last sampling record is displayed if you adopt the command
line method. To check all the history records, you need to use a specific NM Station software.
<HUAWEI> display rmon history gigabitethernet 0/2/1
Issue 02 (2013-12-31)

359

Equipment
2 System Management
History control entry 1 owned by Test300 is VALID,

Samples Interface
: GigabitEthernet0/2/1<ifEntry.402653698>
Sampling interval
: 30(sec) with 10 buckets max.
Last Sampling time
: 0days 00h:19m:43s
Latest sampled values :
octets
:645
, packets
:7
broadcast packets
:7
, multicast packets :0
undersize packets
:6
, oversize packets :0
fragments packets
:0
, jabbers packets
:0
CRC alignment errors :0
, collisions
:0
Dropped packet:
:0
, utilization
:0
History record:
Record No.1 (Sample time: 0days 00h:02m:30s)
octets
:0
, packets
:0
broadcast packets
:0
, multicast packets :0
undersize packets
:0
, oversize packets :0
fragments packets
:0
, jabbers packets
:0
CRC alignment errors :0
, collisions
:0
Dropped packet:
:0
, utilization
:0
# Verify the event.

<HUAWEI> display rmon event
Description: null.
Will cause log when triggered, last triggered at 0days 00h:24m:10s.
Description: forUseofPrialarm.
Will cause snmp-trap when triggered, last triggered at 0days 00h:26m:10s.
# View the alarms.

<HUAWEI> display rmon alarm 1
Alarm table 1 owned by Test300 is VALID.
Samples absolute value
: 1.3.6.1.2.1.16.1.1.1.6.1 <etherStatsBroadcastPkts.1>
Sampling interval
: 30(sec)
Rising threshold
Falling threshold
When startup enables
: risingOrFallingAlarm
Latest value
: 1975
----End
Configuration File
#
sysname HUAWEI
#
undo shutdown
ip address 2.2.2.1 255.255.255.0
undo shutdown
ip address 3.3.3.1 255.255.255.0
rmon-statistics enable
rmon statistics 1 owner Test300
rmon history 1 buckets 10 interval 30 owner Test300
#
rmon event 1 description null log owner Test300
rmon event 2 description forUseofPrialarm trap public owner Test 300
rmon alarm 1 1.3.6.1.2.1.16.1.1.1.6.1 30 absolute rising-threshold 500 1 fallingthreshold 100 1 owner Test300
rmon prialarm 1 .1.3.6.1.2.1.16.1.1.1.6.1+.1.3.6.1.2.1.16.1.1.1.7.1
sumofbroadandmulti 30 delta rising-threshold 1000 2 falling-threshold 0 2 entrytype
forever owner Test300
#
ip route-static 1.1.1.0 255.255.255.0 2.2.2.2
Issue 02 (2013-12-31)

360

Equipment
#
snmp-agent
snmp-agent
snmp-agent
snmp-agent
snmp-agent
snmp-agent
snmp-agent
snmp-agent
#
return
2 System Management
local-engineid 000007DB7FFFFFFF0000017C
sys-info version v3
target-host trap address udp-domain 1.1.1.1 params securityname public
trap enable feature-name RMON trap-name risingalarm
trap enable feature-name RMON trap-name fallingalarm
trap enable feature-name RMON trap-name rmon_pri_risingalarm
trap enable feature-name RMON trap-name rmon_pri_fallingalarm
Example for Configuring RMON2

This part provides examples for configuring RMON2 to collect the IP packet statistics on an
interface.
As shown in Figure 2-16, it is required to collect statistics of IP packets passing through
GE0/2/1 through RMON2.
RMON2 can monitor remote hosts through the SNMP NM Station, or through command lines.
This example describes only command-line-based monitoring method.
Figure 2-16 Networking diagram of RMON2 configuration
IP Network
NM Station
1.1.1.1/24
GE0/2/0
2.2.2.1/24
ATN
GE0/2/1
3.3.3.1/24
LAN
1.
Configure the host control list.
2.
Configure the table content of protocols.
Data Preparation
l
Index of the hlHostControlTable and the maximum items in the hlHostControlTable
Protocol ID
Issue 02 (2013-12-31)

361

Equipment
2 System Management
Procedure
Step 1 Configure RMON2.
# Configure the hlHostControlTable. Set the index to 123, and the maximum number of entries
in the nlHostTable to 100.
[HUAWEI] rmon2 hlhostcontroltable index 123 datasource interface gigabitethernet
0/2/1 maxentry 100 owner china status active
# Configure the protocolDirTable. The protocol ID currently supported is 8.0.0.0.1.0.0.8.0, and

the parameter currently supported is 2.0.0 only. Set the host value to suppurtedon (that is,
collecting traffic statistics for this protocol).
[HUAWEI] rmon2 protocoldirtable protocoldirid 8.0.0.0.1.0.0.8.0 parameter 2.0.0
descr ip host supportedon owner china status active

# Display information about the nlHostTable.
<HUAWEI> display rmon2 nlhosttable hostcontrolindex 123
Abbreviation:
HIdx - hlHostControlIndex
PIdx - ProtocolDirLocalIndex
Addr - nlHostAddress
InPkts - nlHostInPkts
OutPkts - nlHostOutPkts
InOctes - nlHostInOctets
OutOctes - nlHostOutOctets
OutMac - nlHostOutMacNonUnicastPkts
ChgTm - nlHostTimeMark
CrtTm - nlHostCreateTime
HIdx PIdx Addr
InPkts OutPkts InOctes OutOctes OutMac
123
1
10.110.99.2
0
78
0
10046
78
123
1
10.110.99.255 78
0
10046
0
0
ChgTm
81489
81489
CrtTm
40859
40859
# Display the traffic of a host with the specified IP address.

<HUAWEI> display rmon2 nlhosttable hostcontrolindex 123 hostaddress 10.110.99.2
Abbreviation:
HIdx PIdx Addr
InPkts
OutPkts InOctes
OutOctes OutMac ChgTm CrtTm
123 1
10.110.99.2 0
78
0
10046
78
81489 40859
# Set the value of the time filter to display the entries that meet the filtering condition.
<HUAWEI> display rmon2 nlhosttable hostcontrolindex 123 timemark 1000 hostaddress
10.110.99.2
Abbreviation:
Issue 02 (2013-12-31)

362

Equipment
HIdx PIdx Addr
InPkts OutPkts
123
1
10.110.99.2 0
78
2 System Management
InOctes
0
OutOctes
10046
OutMac
78
ChgTm
81489
CrtTm
40859
# Display the hlHostControlTable. You can view the number of added or deleted host entries
on the interface and the maximum number of entries in the nlHostTable.
<HUAWEI> display rmon2 hlhostcontroltable
Abbreviation:
index - hlhostcontrolindex
datasource - hlhostcontroldatasource
droppedfrm - hlhostcontrolnldroppedframes
inserts - hlhostcontrolnlinserts
Deletes - hlHostControlNlDeletes
maxentries - hlhostcontrolnlmaxdesiredentries
owner - hlhostcontrolowner
status - hlhostcontrolstatus
index datasource
droppedfrm inserts
123
GigabitEthernet0/2/1 0
19
eletes
0
maxentries owner
100
China
status
active
----End
Configuration File
#
sysname HUAWEI
#
undo shutdown
ip address 2.2.2.1 255.255.255.0
undo shutdown
ip address 3.3.3.1 255.255.255.0
#
rmon2 protocoldirtable protocoldirid 8.0.0.1.0.0.8.0 parameter 2.0.0 descr ip host
supportedon owner china status active
rmon2 hlhostcontroltable index 123 datasource interface GigabitEthernet0/2/1
maxentry 100 owner china status active
#
return
2.4 IP FPM Configuration

IP Flow Performance Measurement (FPM) is a Huawei proprietary feature that measures packet
loss rate and delay of end-to-end service packets transmitted on an IP network to determine
network performance. This feature is easy to deploy and provides an accurate assessment of
network performance.
Context
NOTE
Only the ATN 910/ATN 910I/ATN 910B/ATN 950B (AND2CXPB/AND2CXPE) supports the IP FPM
function.
The statistical function of IP FPM and that of Y.1731 are mutually exclusive and therefore cannot be
configured on the same port. Non-statistical functions of IP FPM and those of Y.1731 can be deployed on
the same port.
Issue 02 (2013-12-31)

363

Equipment
2 System Management
2.4.1 Overview
IP Flow Performance Measurement (FPM) is an IP network performance measurement tool. It
directly measures service packets to assess IP network performance and monitors services in
real time for network diagnosis.
Introduction
IP Flow Performance Measurement (FPM) measures packet loss rate and delay of end-to-end
service packets transmitted on an IP network to determine network performance.
Background
As IP services are more widely adopted, fault diagnosis and end-to-end service quality analysis
are becoming an increasingly pressing concern for carriers. However, absence of effective
measures prolongs fault diagnosis and increases the workload. IP FPM is developed to help
carriers collect statistics and monitor end-to-end network performance.
Basic Concepts
The IP FPM model is composed of three objects: target flows, the transit network, and the
statistical system. The statistical system is further classified into the Target Logical Port (TLP),
Data Collecting Point (DCP), and Measurement Control Point (MCP). Figure 2-17 shows the
IP FPM model.
Figure 2-17 IP FPM model
MCP
Upstream-TLP1
Upstream-TLP2
Downstream-TLP1
Downstream-TLP2
DCP
DCP
Upstream-TLP3
Upstream-TLP4
Downstream-TLP3
Transit Network
Downstream-TLP4
Target flow
Target flow
Target flows must be pre-defined. One or more fields in IP headers can be specified to
identify target flows. The field can be the source IP address or prefix, destination IP address
or prefix, protocol type, source port number, destination port number, or type of service
(ToS).
Transit network
The transit network can be a Layer 2 (L2), Layer 3 (L3), or L2+L3 hybrid network. Each
node on the transit network must be reachable at the network layer.
Issue 02 (2013-12-31)

364

Equipment
2 System Management
TLP
TLPs are interfaces on the edge nodes of the transit network. TLPs compile and generate
statistics.
DCP
DCPs are edge nodes on the transit network. DCPs manage and control TLPs, collect
statistics generated by TLPs, and report the statistics to an MCP.
MCP
MCPs can be any nodes on the transit network. MCPs collect statistics reported by DCPs,
summarize and calculate the statistics, and report measurement results to user terminals or
the network management system (NMS).
IP FPM also defines measurement flags. Measurement flags, also called identification flags,
identifies whether a specific packet is used to measure packet loss or delay. A specific bit in the
IPv4 packet header can be specified as a measurement flag for packet loss or delay measurement.
Implementation
IP FPM measures the packet loss rate and delay of MP2MP service flows traveling across the
transit network. Service flow statistical analysis is performed on the ingress and egress of the
transit network. On the IP/MPLS network shown in Figure 2-18, the number of packets entering
the network in the ingress direction on ATN(n) is PI(n), and the number of packets leaving the
network in the egress direction on ATN(n) is PE(n).
Figure 2-18 IP FPM statistics collection
PI2 Ingress
Egress PE2
ATN2
IP/MPLS
Ingress PI3
PI1 Ingress
PE1 Egress
ATN1
ATN3
Egress PE3
Over a specified period, the difference between the number of packets entering the network and
the number of packets leaving the network is the packet loss.
l
The number of packets entering the network is the sum of all packets moving in the ingress
direction: PI = PI(1) + PI(2) + PI(3)
The number of packets leaving the network is the sum of all packets moving in the egress
direction: PE = PE(1) + PE(2) + PE(3)
Over a specified period, the difference between the time a service flow enters the network and
the time the service flow leaves the network is the delay.
Issue 02 (2013-12-31)

365

Equipment
2 System Management
Benefits
IP FPM brings the following benefits to carriers:
l
Allows carriers to use the NMS to monitor the network running status and determine
whether the network quality is compliant with the service level agreement (SLA).
Allows carriers to promptly adjust services based on measurement results to ensure proper
transmission of voice and data services, improving user experience.
IP FPM Features Supported by the ATN

This section describes the IP Flow Performance Measurement (FPM) functions and usage
scenarios that the ATN supports.
IP FPM measures the packet loss rate and delay of multipoint-to-multipoint (MP2MP) service
flows. Three IP FPM types are available: proactive performance statistics, on-demand
performance statistics, and hop-by-hop performance statistics. Table 2-10 lists the usage
scenarios for these IP FPM types.
Table 2-10 IP FPM classification
Category
Description
Endtoend
perf
orma
nce
statis
tics
Proactive
performance
statistics
When users want to detect network performance deterioration in real

time, implement end-to-end proactive performance statistics to
continuously monitor the network.
On-demand
performance
statistics
When network performance deteriorates or users want to learn about

real-time performance statistics of specific service flows, implement
end-to-end on-demand performance statistics in a specified period.
Hopbyhop
perf
orma
nce
statis
tics
On-demand
performance
statistics
When network performance deteriorates, implement hop-by-hop ondemand performance statistics to locate the faulty node.
The ATN supports the following IP FPM functions:

l
Packet loss measurement

Point-to-point (P2P) packet loss measurement measures packet loss on a link between
two devices.
MP2MP packet loss measurement measures packet loss on links between multiple
devices where P2P packet loss measurement is inapplicable.
l
Issue 02 (2013-12-31)
Delay measurement
366

Equipment
2 System Management
P2P one-way delay measurement measures one-way delay on a link between two
devices.
P2P two-way delay measurement measures round-trip delay on a link between two
devices.
NOTE
The following examples describe how to configure packet loss measurement and two-way delay
measurement in end-to-end proactive performance statistics and how to configure packet loss measurement
and one-way delay measurement in hop-by-hop on-demand performance statistics.
2.4.2 Configuring IP FPM End-to-End Performance Statistics

Collection
IP Flow Performance Measurement (FPM) end-to-end performance statistics collection
measures packet loss and delay on the entire network so that carriers can quickly respond to
resolve network issues if network performance deteriorates.
Before You Start

Before configuring IP Flow Performance Measurement (FPM) end-to-end performance statistics
collection, familiarize yourself with the usage scenario, complete the pre-configuration tasks,
and obtain the data required for the configuration.
Usage Scenario
The ATN supports proactive and on-demand IP FPM end-to-end performance statistics. These
functions apply to different scenarios:
l
Proactive performance statistics apply when you want to monitor network performance in
real-time. After you configure this function, the system continuously implements
performance statistics on packet loss or delay.
On-demand performance statistics apply when you want to diagnose network faults or
monitor network performance over a specified period. After you configure this function,
the system periodically implements performance statistics on packet loss or delay.
These measurements serve as a reliable reference for network operation and maintenance and
fault diagnosis, improving network reliability and user experience.
Before configuring IP FPM end-to-end performance statistics collection, complete the following
tasks:
l
Configure a dynamic routing protocol or static routes so that devices are reachable at the
network layer.
Configure the network time protocol (NTP) so that all device clocks can be
synchronized
.
Issue 02 (2013-12-31)

367

Equipment
2 System Management
Data Preparation
To configure IP FPM end-to-end performance statistics collection, you need the following data.
No.
Data
MCP ID, (optional) UDP port number, (optional) authentication mode and
password, IP FPM instance ID, (optional) description of an IP FPM instance,
(optional) statistical period, DCP IDs, (optional) packet loss measurement
flag, (optional) delay measurement flag, target flow characteristics and
direction, and TLP IDs and roles
Configuring an MCP
A Measurement Control Point (MCP) collects statistics reported by Data Collecting Points
(DCPs), summarizes and calculates the statistics, and reports measurement results to user
terminals or the network management system (NMS).
Context
On the network shown in Figure 2-19, IP Flow Performance Measurement (FPM) end-to-end
performance statistics collection is implemented. The target flow enters the transport network
through ATN A, travels across ATN B, and leaves the transport network through ATN C. To
monitor transport network performance or diagnose faults, configure IP FPM end-to-end
performance statistics collection on both ATN A and ATN C.
Figure 2-19 IP FPM end-to-end performance statistics collection
MCP
DCP1
TLP100
In-point
Ingress
ATNA
Transmit Network
ATNB
TLP310
Out-point
DCP3 Egress
ATNC
Forward Target Flow
ATN A functions as an MCP to collect statistics reported by DCP1 and DCP3, summarize and
calculate the statistics, and report measurement results to user terminals or the NMS.
Perform the following steps on ATN A:
Issue 02 (2013-12-31)

368

Equipment
2 System Management
Procedure
Step 1 Run:
system-view

Step 2 Run:
nqa ipfpm mcp
MCP is enabled globally, and the IPFPM-MCP view is displayed.

Step 3 Run:
mcp id mcp-id
An MCP ID is configured.
By default, no MCP ID is configured. Using the Router ID of a device that is configured as an
MCP as its MCP ID is recommended.
The MCP ID must be an IP address reachable to DCPs. The MCP ID configured on an MCP
must be the same as that specified in the mcp mcp-id [ port port-number ] command run in the
IP FPM instance view of all DCPs associated with this MCP. If an MCP ID is changed on an
MCP, it must be changed for all DCPs associated with this MCP in an IP FPM instance.
Otherwise, the MCP cannot process the statistics reported by the DCPs.
protocol udp port port-number
A UDP port number is specified for the MCP to communicate with DCPs.
The UDP port number configured on an MCP must be the same as that specified in the mcp
mcp-id [ port port-number ] command run in the IP FPM instance view of all DCPs associated
with this MCP. If a UDP port number is changed on an MCP, it must be changed for all DCPs
associated with this MCP in an IP FPM instance. Otherwise, the MCP cannot process the
statistics reported by the DCPs.
authentication-mode hmac-sha256 key key-id [ cipher ] password
The authentication mode and password are configured on the MCP.

By default, no authentication mode or password is configured on an MCP.
The authentication mode and password configured on an MCP must be the same as those
configured in the authentication-mode hmac-sha256 key key-id [ cipher ] password command
run on all DCPs associated with this MCP. Otherwise, the MCP cannot process the statistics
reported by the DCPs.
Step 6 Run:
instance instance-id
An IP FPM instance is created, and the instance view is displayed.

instance-id must be unique on an MCP and all its associated DCPs. The MCP and all its
associated DCPs must have the same IP FPM instance configured. Otherwise, statistics
collection does not take effect.
Issue 02 (2013-12-31)

369

Equipment
2 System Management

description text
The description is configured for the IP FPM instance.

By default, no description is configured for an IP FPM instance, and an instance is identified by
an integer ID. The description of an IP FPM instance can contain the functions of the instance,
facilitating applications.
Step 8 Run:
dcp dcp-id
A DCP ID is specified in the IP FPM instance.

The DCP ID configured in an IP FPM instance must be the same as that specified in the dcp
id dcp-id command run on a DCP. Otherwise, the MCP associated with this DCP cannot process
the statistics reported by the DCP.
----End
Follow-up Procedure
When DCP configurations are being changed, the MCP may receive incorrect statistics from the
DCP. To prevent this, run the measure disable command to disable IP FPM performance
statistics collection of a specified instance on the MCP. After the DCP configuration change is
complete, run the undo measure disable or measure enable command to enable IP FPM
performance statistics collection for the specified instance on the MCP. This ensures accurate
measurement.
Configuring a DCP
A Data Collecting Point (DCP) manages and controls Target Logical Ports (TLPs), collects
statistics generated by TLPs, and reports the statistics to a Measurement Control Point (MCP).
Context
On the network shown in Figure 2-20, IP Flow Performance Measurement (FPM) end-to-end
monitor transport network performance or diagnose faults, configure IP FPM end-to-end
performance statistics collection on both ATN A and ATN C.
Issue 02 (2013-12-31)

370

Equipment
2 System Management
MCP
DCP1
TLP100
In-point
Ingress
Transmit Network
ATNA
ATNB
TLP310
Out-point
DCP3 Egress
ATNC
Forward Target Flow
ATN A and ATN C function as DCPs to manage and control TLP100 and TLP310, respectively.
ATN A and ATN C collect statistics generated by TLP100 and TLP310 and report the statistics
to the MCP.
Perform the following steps on ATN A and ATN C:
Procedure
Step 1 Run:
system-view

Step 2 Run:
nqa ipfpm dcp
DCP is enabled globally, and the IPFPM-DCP view is displayed.

Step 3 Run:
dcp id dcp-id
A DCP ID is configured.
By default, no DCP ID is configured. Using the Router ID of a device that is configured as a
DCP as its DCP ID is recommended.
The DCP ID configured on a DCP must be the same as that specified in the dcp dcp-id command
run in the IP FPM instance view of the MCP associated with this DCP. Otherwise, the MCP
cannot process the statistics reported by the DCP.
The authentication mode and password are configured on the DCP.

By default, no authentication mode or password is configured on a DCP.
The authentication mode and password configured on a DCP must be the same as those
Issue 02 (2013-12-31)

371

Equipment
2 System Management
run on the MCP associated with this DCP. Otherwise, the MCP cannot process the statistics
reported by the DCP.
color-flag loss-measure { tos-bit tos-bit | flags-bit0 } delay-measure { tos-bit
tos-bit | flags-bit0 } multicast-measure { tos-bit tos-bit | flags-bit0 }
IP FPM measurement flags are configured.

By default, the sixth bit in the ToS field of the IPv4 packet header is used as the loss measurement
flag; the seventh bit in the ToS field of the IPv4 packet header is used as the delay measurement
flag; Bit 0 in the Flags field of the IPv4 packet header is used as the multicast measurement flag.
Using the default configurations is recommended.
The loss, delay, and multicast measurement flags cannot use the same bit, and the bits used for
loss, delay, and multicast measurement must not have been used in other measurement tasks.
Step 6 Run:
mcp mcp-id [ port port-number ] [ vpn-instance vpn-instance-name | net-managervpn ]
An MCP ID is specified for the DCP.

The UDP port number configured on the DCP must be the same as that configured in the protocol
udp port port-number command run on the MCP associated with this DCP. Otherwise, the DCP
cannot report the statistics to the MCP.
If you want the DCP to report the statistics to the MCP through a VPN or management VPN,
the VPN instance must have been created on the DCP before you configure vpn-instance vpninstance-name or net-manager-vpn.
Step 7 Run:

description text

interval interval
The statistical period is configured for the IP FPM instance.

By default, the statistical period is 10s.
Issue 02 (2013-12-31)

372

Equipment
2 System Management
NOTE
To ensure statistics accuracy, before you change the statistical period of an IP FPM instance, disabling
packet loss or delay measurement in the instance view is recommended. Otherwise, statistics collection
does not take effect.
Step 10 Perform either of the following operations to configure the target flow characteristics in the IP
FPM instance.
Configure the forward or backward target flow characteristics.
l When protocol is specified as TCP or UDP, run:
flow { forward | backward } protocol { tcp | udp } [ dscp dscp-value | source src-ipaddress [ src-mask-length ] | destination dest-ip-address [ dest-mask-length ] ] * { sourceport src-port-number1 [ to src-port-number2 ] | destination-port dest-port-number1 [ to
dest-port-number2 ] } *
l When protocol is specified as any protocol other than TCP or UDP, run:
flow { forward | backward } { protocol protocol-number | dscp dscp-value | source srcip-address [ src-mask-length ] | destination dest-ip-address [ dest-mask-length ] } *
Configure the bidirectional target flow characteristics.
flow bidirectional protocol { tcp | udp } [ dscp dscp-value | source src-ip-address [ srcmask-length ] | destination dest-ip-address [ dest-mask-length ] ] * { source-port src-portnumber1 [ to src-port-number2 ] | destination-port dest-port-number1 [ to dest-portnumber2 ] } *
flow bidirectional { protocol protocol-number | dscp dscp-value | source src-ip-address
[ src-mask-length ] | destination dest-ip-address [ dest-mask-length ] } *
NOTE
l If the target flow in an IP FPM instance is unidirectional, you can specify forward to configure a forward
flow or backward to configure a backward flow.
l If the target flow in an IP FPM instance is bidirectional, two situations are available:
l If the bidirectional target flow is asymmetrical, you must configure forward and backward in two
command instances to configure the forward and backward flow characteristics.
l If the bidirectional target flow is symmetrical, you can specify bidirectional to configure the
bidirectional target flow characteristics. By default, the characteristics specified are used for the forward
flow, and the reverse of those are used for the backward flow. Specifically, the source and destination
IP addresses and port numbers specified for the forward flow are used respectively as the destination
and source IP addresses and port numbers for the backward flow.
Step 11 Run:
tlp tlp-id { in-point ingress | out-point egress }
A TLP is configured and its role is specified.

A TLP compiles statistics and outputs data in the IP FPM model. A TLP can be specified as an
in-point that measures traffic entering a network or as an out-point that measures traffic leaving
the network. TLP100 and TLP310 in Figure 2-20 are the in-point and out-point, respectively.
Step 12 Run:
quit
Issue 02 (2013-12-31)

373

Equipment
2 System Management
Return to the IPFPM-DCP view.

Step 13 Run:
quit

Step 14 Bind the TLP to an interface.
1.
Run the interface interface-type interface-name command to enter the interface view.
GE interfaces and their sub-interfaces, Ethernet interfaces and their sub-interfaces, VE
interfaces and their sub-interfaces, and Eth-Trunk interfaces and their sub-interfaces can
be bound to TLPs.
2.
Run either of the following commands:

l If the interface is a Layer 3 interface, run the ipfpm tlp tlp-id command.
l If the interface is a Layer 2 interface, run the ipfpm tlp tlp-id { ce-default-vlan | vlanid vlan-id } command.
Step 15 Configure IP FPM end-to-end performance statistics collection.

1.
Run the system-view command to enter the system view.
2.
Run the nqa ipfpm dcp command to enter the IPFPM-DCP view.
3.
Run the instance instance-id command to enter the IP FPM instance view.
4.
Run either of the following commands to enable packet loss measurement:

l To enable on-demand packet loss measurement, run the loss-measure enable [ timerange time-range ] command.
l To enable proactive packet loss measurement, run the loss-measure enable
continual command.
5.
Perform either of the following operations to enable delay measurement.

Run either of the following commands if the target flow is unidirectional:
l To enable on-demand one-way delay measurement, run the delay-measure enable oneway tlp tlp-id [ time-range time-range ] command.
l To enable proactive one-way delay measurement, run the delay-measure enable oneway tlp tlp-id continual command.
Run either of the following commands if the target flow is bidirectional:
l To enable on-demand two-way delay measurement, run the delay-measure enable twoway tlp tlp-id1 [ tlp-id2 ] [ time-range time-range ] command.
l To enable proactive two-way delay measurement, run the delay-measure enable twoway tlp tlp-id1 [ tlp-id2 ] continual command.
----End
Checking the Configurations

After configuring the MCP, DCPs, and TLPs, check the IP FPM end-to-end performance
statistics collection function.
Prerequisites
The IP FPM end-to-end performance statistics collection function has been configured.
Issue 02 (2013-12-31)

374

Equipment
2 System Management
Procedure
l
Run the display ipfpm mcp command to check MCP configurations.
Run the display ipfpm dcp command to check DCP configurations.
Run the display ipfpm statistic-type { loss | oneway-delay | twoway-delay } instance

instance-id command to check the performance statistics for a specified IP FPM instance.
----End
Example
Run the display ipfpm mcp command. The command output shows MCP configurations.
<HUAWEI> display ipfpm mcp
MCP ID
Status
Protocol Port
Total Instances
:
:
:
:
1.1.1.1
Active
65030
10
Run the display ipfpm dcp command. The command output shows DCP configurations.
<HUAWEI> display ipfpm dcp
DCP ID
Loss-measure Flag
Delay-measure Flag
Authentication Mode
Test Instances MCP ID
Port
: 2.2.2.2
: tos-bit6(default)
: tos-bit7(default)
: hmac-sha256
Test Instances MCP
Run the display ipfpm statistic-type loss command to view the statistics about discarded
packets in a specific IP FPM statistics instance.
<HUAWEI> display ipfpm statistic-type loss instance 1
Latest loss statistics of forward flow:
Unit: p - packet, b - byte
----------------------------------------------------------------------------------------TimeStamp
Loss(p)
LossRatio(p) Loss(b)
LossRatio
(b)
----------------------------------------------------------------------------------------136118757
20
20.000000% 2000
20.000000%
136118756
20
20.000000% 2000
20.000000%
136118755
20
20.000000% 2000
20.000000%
136118753
20
20.000000% 2000
20.000000%
136118752
20
20.000000% 2000
20.000000%
136118751
20
20.000000% 2000
20.000000%
136118750
20
20.000000% 2000
20.000000%
136118749
20
20.000000% 2000
20.000000%
136118748
20
20.000000% 2000
20.000000%
136118747
20
20.000000% 2000
20.000000%
136118746
20
20.000000% 2000
20.000000%
136118745
20
20.000000% 2000
Issue 02 (2013-12-31)

375

Equipment
2 System Management
20.000000%
Latest loss statistics of backward flow:
----------------------------------------------------------------------------------------TimeStamp
Loss(p)
LossRatio
(b)
----------------------------------------------------------------------------------------136118757
20
20.000000% 2000
20.000000%
136118756
20
20.000000% 2000
20.000000%
136118755
20
20.000000% 2000
20.000000%
136118753
20
20.000000% 2000
20.000000%
136118752
20
20.000000% 2000
20.000000%
136118751
20
20.000000% 2000
20.000000%
136118750
20
20.000000% 2000
20.000000%
136118749
20
20.000000% 2000
20.000000%
136118748
20
20.000000% 2000
20.000000%
136118747
20
20.000000% 2000
20.000000%
136118746
20
20.000000% 2000
20.000000%
136118745
20
20.000000% 2000
20.000000%
Run the display ipfpm statistic-type oneway-delay command to view the one-way delay
statistics in a specific IP FPM statistics instance.
<HUAWEI> display ipfpm statistic-type oneway-delay instance 1
Latest one-way delay statistics of forward flow:
-------------------------------------------------TimeStamp
Delay(usec) Delay
Variation(usec)
-------------------------------------------------136128501
400
0
136128500
400
0
136128499
400
0
136128498
400
0
136128497
400
0
136128496
400
0
136128495
400
0
136128494
400
0
136128493
400
0
136128492
400
0
136128491
400
0
136128490
400
0
136128489
400
0
136128488
400
0
Latest one-way delay statistics of backward flow:
-------------------------------------------------TimeStamp
Delay(usec) Delay
Variation(usec)
-------------------------------------------------136128501
400
0
136128500
400
0
136128499
400
0
Issue 02 (2013-12-31)

376

Equipment
136128498
136128497
136128496
136128495
136128494
136128493
136128492
136128491
136128490
136128489
136128488
400
400
400
400
400
400
400
400
400
400
400
2 System Management
0
0
0
0
0
0
0
0
0
0
0
Run the display ipfpm statistic-type twoway-delay command to view the two-way delay
statistics in a specific IP FPM statistics instance.
<HUAWEI> display ipfpm statistic-type twoway-delay instance 1
Latest two-way delay statistics:
-------------------------------------------------TimeStamp
Delay(usec) Delay
Variation(usec)
-------------------------------------------------136118757
800
0
136118756
800
0
136118755
800
0
136118753
800
0
136118752
800
0
136118751
800
0
136118750
800
0
136118749
800
0
136118748
800
0
136118747
800
0
136118746
800
0
136118745
800
0
Latest one-way delay statistics of bidirectional flow:
-------------------------------------------------------------------------------TimeStamp
Forward
ForwardDelay
Backward
BackwardDelay
Delay(usec) Variation(usec) Delay(usec) Variation(usec)
-------------------------------------------------------------------------------136118757
400
0
400
0
136118756
400
0
400
0
136118755
400
0
400
0
136118753
400
0
400
0
136118752
400
0
400
0
136118751
400
0
400
0
136118750
400
0
400
0
136118749
400
0
400
0
136118748
400
0
400
0
136118747
400
0
400
0
136118746
400
0
400
0
136118745
400
0
400
0
2.4.3 Configuring IP FPM Hop-by-Hop Performance Statistics

Collection
IP Flow Performance Measurement (FPM) hop-by-hop performance statistics collection helps
locate faulty nodes when packet loss or delay occurs.
Before You Start

Before configuring IP Flow Performance Measurement (FPM) hop-by-hop performance
statistics collection, familiarize yourself with the usage scenario, complete the pre-configuration
tasks, and obtain the data required for the configuration.
Issue 02 (2013-12-31)

377

Equipment
2 System Management
Usage Scenario
IP FPM hop-by-hop performance statistics collection helps locate faults hop by hop from the
source node that initiates traffic.
l
When a target flow is unidirectional, you can directly implement hop-by-hop performance
statistics collection for the flow.
When a target flow is bidirectional, two situations are available:

If the target flow is symmetrical, you can implement hop-by-hop performance statistics
collection for the forward or backward flow, and the measurement is the same either
way.
If the target flow is asymmetrical, you must implement hop-by-hop performance
statistics collection for both the forward and backward flows to obtain their respective
measurements.
These measurements serve as a reliable reference for network operation and maintenance and
fault diagnosis, improving network reliability and user experience.
Before configuring IP FPM hop-by-hop performance statistics collection, complete the
following tasks:
l
Configure a dynamic routing protocol or static routes so that devices are reachable at the
network layer.
Configure the network time protocol (NTP) so that all device clocks can be
synchronized.
Data Preparation
To configure IP FPM hop-by-hop performance statistics collection, you need the following data.
No.
Data
MCP ID, (optional) UDP port number, (optional) authentication mode and
password, IP FPM instance ID, (optional) description of an IP FPM instance,
(optional) statistical period, DCP IDs, (optional) delay measurement flag,
ACHs, target flow characteristics and direction, and TLP IDs and roles
Configuring an MCP
A Measurement Control Point (MCP) collects statistics reported by Data Collecting Points
(DCPs), summarizes and calculates the statistics, and reports measurement results to user
terminals or the network management system (NMS).
Context
On the network shown in Figure 2-21, IP Flow Performance Measurement (FPM) hop-by-hop
Issue 02 (2013-12-31)

378

Equipment
2 System Management
locate faults when network performance deteriorates, configure IP FPM hop-by-hop

performance statistics collection on ATN A, ATN B, and ATN C to measure packet loss and
delay hop by hop.
Figure 2-21 IP FPM hop-by-hop performance statistics collection
DCP2
TLP310
Out-point
DCP3 Egress
ATNB
ATNC
Transmit Network
MCP
DCP1
TLP100
In-point
Ingress
ATNA
TLP200
Mid-point
Ingress
Forward Target Flow
ATN A functions as an MCP to collect statistics reported by DCP1, DCP2, and DCP3, summarize
and calculate the statistics, and report measurement results to user terminals or the NMS.
Perform the following steps on ATN A:
Procedure
Step 1 Run:
system-view

Step 2 Run:
nqa ipfpm mcp
MCP is enabled globally, and the IPFPM-MCP view is displayed.

Step 3 Run:
mcp id mcp-id
An MCP ID is configured.
By default, no MCP ID is configured. Using the Router ID of a device that is configured as an
MCP as its MCP ID is recommended.
The MCP ID must be an IP address reachable to DCPs. The MCP ID configured on an MCP
must be the same as that specified in the mcp mcp-id [ port port-number ] command run in the
IP FPM instance view of all DCPs associated with this MCP. If an MCP ID is changed on an
MCP, it must be changed for all DCPs associated with this MCP in an IP FPM instance.
Otherwise, the MCP cannot process the statistics reported by the DCPs.
protocol udp port port-number
Issue 02 (2013-12-31)

379

Equipment
2 System Management
A UDP port number is specified for the MCP to communicate with DCPs.
The UDP port number configured on an MCP must be the same as that specified in the mcp
mcp-id [ port port-number ] command run in the IP FPM instance view of all DCPs associated
with this MCP. If a UDP port number is changed on an MCP, it must be changed for all DCPs
associated with this MCP in an IP FPM instance. Otherwise, the MCP cannot process the
statistics reported by the DCPs.
The authentication mode and password are configured on the MCP.

By default, no authentication mode or password is configured on an MCP.
The authentication mode and password configured on an MCP must be the same as those
run on all DCPs associated with this MCP. Otherwise, the MCP cannot process the statistics
reported by the DCPs.
Step 6 Run:

description text

Step 8 Run:
dcp dcp-id
A DCP ID is specified in the IP FPM instance.

The DCP ID configured in an IP FPM instance must be the same as that specified in the dcp
id dcp-id command run on a DCP. Otherwise, the MCP associated with this DCP cannot process
the statistics reported by the DCP.
Step 9 Run the following commands to configure Atomic Closed Hops (ACHs).
An ACH identifies a range between two neighboring measurement points. The network shown
in Figure 2-21 is classified into two ACHs: ACH1 {TLP100, TLP200}, and ACH2 {TLP200,
TLP310}. In ACH1, TLP100 is the in-point, and TLP200 is the out-point. In ACH2, TLP200 is
the in-point, and TLP310 is the out-point.
1.
Run the ach ach-id command to create an ACH and enter the ACH view.
2.
Run the flow { forward | backward } command to specify the direction in which hop-byhop delay measurement is implemented for the target flow.
Issue 02 (2013-12-31)

380

Equipment
2 System Management
3.
Run the in-group dcp dcp-id tlp tlp-id command to configure the TLP in-group.
4.
Run the out-group dcp dcp-id tlp tlp-id command to configure the TLP out-group.
----End
Follow-up Procedure
When DCP configurations are being changed, the MCP may receive incorrect statistics from the
DCP. To prevent this, run the measure disable command to disable IP FPM performance
statistics collection of a specified instance on the MCP. After the DCP configuration change is
complete, run the undo measure disable or measure enable command to enable IP FPM
performance statistics collection for the specified instance on the MCP. This ensures accurate
measurement.
Configuring a DCP
A Data Collecting Point (DCP) manages and controls Target Logical Ports (TLPs), collects
statistics generated by TLPs, and reports the statistics to a Measurement Control Point (MCP).
Context
On the network shown in Figure 2-22, IP Flow Performance Measurement (FPM) hop-by-hop
locate faults when network performance deteriorates, configure IP FPM hop-by-hop
performance statistics collection on ATN A, ATN B, and ATN C to measure packet loss and
delay hop by hop.
DCP2
TLP310
Out-point
DCP3 Egress
ATNB
ATNC
Transmit Network
MCP
DCP1
TLP100
In-point
Ingress
ATNA
TLP200
Mid-point
Ingress
Forward Target Flow
ATN A, ATN B, and ATN C function as DCPs. ATN A manages and controls TLP100, ATN
B manages and controls TLP200, and ATN C manages and controls TLP310. ATN A, ATN B,
and ATN C collect statistics generated by these TLPs and report the statistics to the MCP.
Perform the following steps on ATN A, ATN B, and ATN C:
Issue 02 (2013-12-31)

381

Equipment
2 System Management
Procedure
Step 1 Run:
system-view

Step 2 Run:
nqa ipfpm dcp
DCP is enabled globally, and the IPFPM-DCP view is displayed.

Step 3 Run:
dcp id dcp-id
A DCP ID is configured.
By default, no DCP ID is configured. Using the Router ID of a device that is configured as a
DCP as its DCP ID is recommended.
The DCP ID configured on a DCP must be the same as that specified in the dcp dcp-id command
run in the IP FPM instance view of the MCP associated with this DCP. Otherwise, the MCP
authentication-mode hmac-sha256 key key-id { cipher password | plain plainpassword }
The authentication mode and password are configured on the DCP.

By default, no authentication mode or password is configured on a DCP.
The authentication mode and password configured on a DCP must be the same as those
configured in the authentication-mode hmac-sha256 key key-id { cipher password | plain
plain-password } command run on the MCP associated with the DCP. Otherwise, the MCP
color-flag loss-measure { tos-bit tos-bit | flags-bit0 } delay-measure { tos-bit
tos-bit | flags-bit0 }
IP FPM measurement flags are configured.

By default, the sixth bit in the ToS field of the IPv4 packet header is used as the loss measurement
flag; the seventh bit in the ToS field of the IPv4 packet header is used as the delay measurement
flag. Using the default configurations is recommended.
The loss, delay, and multicast measurement flags cannot use the same bit, and the bits used for
loss, delay, and multicast measurement must not have been used in other measurement tasks.
Step 6 Run:
mcp mcp-id [ port port-number ] [ vpn-instance vpn-instance-name | net-managervpn ]
An MCP ID is specified for the DCP.

The UDP port number configured on the DCP must be the same as that configured in the protocol
udp port port-number command run on the MCP associated with this DCP. Otherwise, the DCP
cannot report the statistics to the MCP.
Issue 02 (2013-12-31)

382

Equipment
2 System Management
If you want the DCP to report the statistics to the MCP through a VPN or management VPN,
the VPN instance must have been created on the DCP before you configure vpn-instance vpninstance-name or net-manager-vpn.
Step 7 Run:

description text

interval interval
The statistical period is configured for the IP FPM instance.

By default, the statistical period is 10s.
NOTE
To ensure statistics accuracy, before you change the statistical period of an IP FPM instance, disabling
packet loss or delay measurement in the instance view is recommended. Otherwise, statistics collection
does not take effect.
Step 10 Perform either of the following operations to configure the target flow characteristics in the IP
FPM instance.
Configure the forward or backward target flow characteristics.
flow { forward | backward } protocol { tcp | udp } [ dscp dscp-value | source src-ipaddress [ src-mask-length ] | destination dest-ip-address [ dest-mask-length ] ] * { sourceport src-port-number1 [ to src-port-number2 ] | destination-port dest-port-number1 [ to
dest-port-number2 ] } *
flow { forward | backward } { protocol protocol-number | dscp dscp-value | source srcip-address [ src-mask-length ] | destination dest-ip-address [ dest-mask-length ] } *
Configure the characteristics for the bidirectional target flow.
flow bidirectional protocol { tcp | udp } [ dscp dscp-value | source src-ip-address [ srcmask-length ] | destination dest-ip-address [ dest-mask-length ] ] * { source-port src-portnumber1 [ to src-port-number2 ] | destination-port dest-port-number1 [ to dest-portnumber2 ] } *
Issue 02 (2013-12-31)

383

Equipment
2 System Management
flow bidirectional { protocol protocol-number | dscp dscp-value | source src-ip-address

[ src-mask-length ] | destination dest-ip-address [ dest-mask-length ] } *
NOTE
l If the target flow in an IP FPM instance is unidirectional, you can specify forward to configure a forward
flow or backward to configure a backward flow.
l If the target flow in an IP FPM instance is bidirectional, two situations are available:
l If the bidirectional target flow is asymmetrical, you must configure forward and backward in two
command instances to configure the characteristics for the forward and backward flows, respectively.
l If the bidirectional target flow is symmetrical, you can specify bidirectional to configure the
bidirectional target flow characteristics. By default, the characteristics specified are used for the forward
flow, and the reverse of those are used for the backward flow. Specifically, the source and destination
IP addresses and port numbers specified for the forward flow are used respectively as the destination
and source IP addresses and port numbers for the backward flow.
Step 11 Run the following commands to configure TLPs.

l Run the tlp tlp-id { in-point ingress | out-point egress } command to configure a TLP and
specify it as an in-point or out-point.
On the network shown in Figure 2-22, TLP100 is the in-point, and TLP310 is the out-point.
l Run the tlp tlp-id mid-point flow { forward | backward } ingress [ vpn-label vpn-label
[ lsp-label lsp-label ] [ control-word ] [ l2vpn [ tpid tpid ] ] ] command to configure a TLP
and specify it as a mid-point.
On the network shown in Figure 2-22, TLP200 is a mid-point.
Step 12 Run:
quit
Return to the IPFPM-DCP view.

Step 13 Run:
quit

Step 14 Bind the TLPs to interfaces.
1.
Run the interface interface-type interface-name command to enter the interface view.
GE interfaces and their sub-interfaces, Ethernet interfaces and their sub-interfaces, VE
interfaces and their sub-interfaces, and Eth-Trunk interfaces and their sub-interfaces can
be bound to TLPs.
2.

l If the interface is a Layer 3 interface, run the ipfpm tlp tlp-id command.
l If the interface is a Layer 2 interface, run the ipfpm tlp tlp-id { ce-default-vlan | vlanid vlan-id } command.
Step 15 Configure IP FPM hop-by-hop performance statistics collection.

1.
2.
Run the nqa ipfpm dcp command to enter the IPFPM-DCP view.
3.
Run the instance instance-id command to enter the IP FPM instance view.
4.
To enable hop-by-hop packet loss measurement, run the loss-measure enable [ midpoint ] [ time-range time-range ] command.
Issue 02 (2013-12-31)

384

Equipment
5.
2 System Management
To enable hop-by-hop delay measurement, run the delay-measure enable one-way tlp
{ tlp-id | mid-point } [ time-range time-range ] command.
----End

After configuring the MCP, DCPs, and TLPs, check the IP FPM hop-by-hop performance
statistics collection function.
Prerequisites
The IP FPM hop-by-hop performance statistics collection function has been configured.
Procedure
l
Run the display ipfpm mcp command to check MCP configurations.
Run the display ipfpm dcp command to check DCP configurations.
Run the display ipfpm statistic-type { loss | oneway-delay } instance instance-id ach
ach-id command to check the hop-by-hop performance statistics for a specified ACH.
----End
Example
Run the display ipfpm mcp command. The command output shows MCP configurations.
<HUAWEI> display ipfpm mcp
MCP ID
Status
Protocol Port
Total Instances
:
:
:
:
1.1.1.1
Active
65030
10
Run the display ipfpmdcp command to view the DCP configuration in the IP FPM statistics
system.
<HUAWEI> display ipfpm dcp
DCP ID
Loss-measure Flag
Delay-measure Flag
Authentication Mode
Test Instances MCP Port
Total Instances
: 2.2.2.2
: tos-bit6(default)
: tos-bit7(default)
:hmac-sha256
:1.1.1.1
:65030
: 10
Run the displayipfpm statistic-type loss command to view the statistics about discarded packets
on each node of an ACH in the IP FPM statistics system.
<HUAWEI> display ipfpm statistic-type loss instance 1 ach 1
----------------------------------------------------------------------------------------Period
Loss(p)
LossRatio
(b)
----------------------------------------------------------------------------------------136190088
10
10.000000%
1000
10.000000%
136190087
10
10.000000%
1000
Issue 02 (2013-12-31)

385

Equipment
10.000000%
136190086
10.000000%
136190085
10.000000%
136190084
10.000000%
136190083
10.000000%
136190082
10.000000%
2 System Management
10
10.000000%
1000
10
10.000000%
1000
10
10.000000%
1000
10
10.000000%
1000
10
10.000000%
1000

----------------------------------------------------------------------------------------Period
Loss(p)
LossRatio
(b)
-----------------------------------------------------------------------------------------
Run the display ipfpm statistic-type oneway-delay command to view the one-way delay
statistics on each node of an ACH in the IP FPM statistics system.
<HUAWEI> display ipfpm statistic-type oneway-delay instance 1 ach 1
-------------------------------------------------Period
Delay(usec) Delay
Variation(usec)
-------------------------------------------------136190120
100
0
136190119
100
0
136190118
100
0
136190117
100
0
136190116
100
0
136190115
100
0
136190114
100
0
-------------------------------------------------Period
Delay(usec) Delay
Variation(usec)
--------------------------------------------------
2.4.4 Maintaining IP FPM

This section describes how to maintain IP Flow Performance Measurement (FPM) by
configuring the alarm thresholds for IP FPM performance and monitoring IP FPM performance
statistics.
Configuring Alarm and Clear Alarm Thresholds for IP FPM Performance Counters
After you configure the alarm threshold and its clear alarm threshold for packet loss or delay,
the device generates an alarm when the packet loss rate or delay reaches the alarm threshold and
clears the alarm when the packet loss rate or delay falls below the clear alarm threshold. The
alarm functions help network operation and maintenance.
Context
If the packet loss rate or delay on a network is detected high but left unattended, the packet loss
rate or delay may increase and potentially affect user experience. To help network operation and
maintenance, configure the alarm threshold and its clear alarm threshold for packet loss or delay.
Issue 02 (2013-12-31)

386

Equipment
2 System Management
Procedure
Step 1 Run:
system-view

Step 2 Run:
nqa ipfpm mcp
The IPFPM-MCP view is displayed.

Step 3 Run:
The IP FPM instance view is displayed.

Step 4 Run:
loss-measure ratio-threshold upper-limit upper-limit lower-limit lower-limit
The packet loss alarm threshold and its clear alarm threshold are configured.
Step 5 Run either of the following commands to configure the delay alarm threshold and its clear alarm
threshold.
l When the target flow is unidirectional, run the delay-measure one-way delay-threshold
upper-limit upper-limit lower-limit lower-limit command to configure the one-way delay
alarm threshold and its clear alarm threshold.
l When the target flow is bidirectional, run the delay-measure two-way delay-threshold
upper-limit upper-limit lower-limit lower-limit command to configure the two-way delay
alarm threshold and its clear alarm threshold.
----End
Monitoring the IP FPM Running Status

This section describes how to monitor the IP FPM running status.
Context
Run the display commands in any view to check the IP FPM performance statistics and monitor
the IP FPM running status in routine maintenance.
Procedure
l
Run the display ipfpm statistic-type { loss | oneway-delay | twoway-delay } instance

instance-id command to check the performance statistics for a specified IP FPM instance.
Run the display ipfpm statistic-type { loss | oneway-delay } instance instance-id ach
ach-id command to check the hop-by-hop performance statistics for a specified ACH.
----End

This chapter provides IP FPM configuration examples.
Issue 02 (2013-12-31)

387

Equipment
2 System Management
Example for Configuring IP FPM End-to-End Performance Statistics Collection

This section provides an example for configuring IP Flow Performance Monitoring (FPM) endto-end performance statistics collection.
Various value-added services, such as IPTV, video conferencing, and voice over IP (VoIP) are
widely used on networks. As these services rely heavily on high speed and robust networks, link
connectivity and network performance are essential to service transmission.
l
When voice services are deployed, users will not detect any change in the voice quality if
the packet loss rate on links is lower than 5%. If the packet loss rate is higher than 10%,
the voice quality will deteriorate significantly.
Real-time services, such as VoIP, online games, and video conferencing, require a delay
lower than 100 ms, or even 50 ms. As the delay increases, user experience worsens.
To meet users' service quality requirements, carriers need to promptly measure the packet loss
rate and delay so that they can quickly respond to resolve network issues if the service quality
deteriorates.
The IPRAN network shown in Figure 2-23 transmits voice services. Voice flows are
symmetrical and bidirectional, and therefore one voice flow can be divided into two
unidirectional service flows. The forward service flow enters the network through the UPE,
travels across SPE1, and leaves the network through the NPE. The backward service flow enters
the network through the NPE, also travels across SPE1, and leaves the network through the UPE.
To meet users' service quality requirements and take measures when service quality deteriorates,
configure IP FPM end-to-end performance statistics collection to monitor the packet loss and
delay of the links between the UPE and NPE in real time.
GE0/2/0
GE
/1
0/2
G
NodeB TLP100 UPE E0/
2/2
In-point
Ingress
1
GE
/0 /
GE
1/0
/2
SPE1
GE
1/0
/2
Loopback1
GE
RNC
1 /0
/2
GE1/0/3
GE1/0/3
Loopback1
GE1/0/3
Loopback1
GE
1
/0/ NPE
1
TLP310
GE
1
/
Out-pint
0
1/
Egress
SPE2
Loopback1
Issue 02 (2013-12-31)

Forward Target Flow

Backward Target Flow
388

Equipment
2 System Management
Table 2-11 Interfaces and IP addresses

Device (Role)
Interface
Remote Device
(Role)
IP Address
UPE (DCP1/MCP)
Loopback1
1.1.1.1/32
GE0/2/0
NodeB
100.1.1.1/24
GE0/2/1
SPE1
172.1.1.1/24
GE0/2/2
SPE2
172.1.2.1/24
Loopback1
2.2.2.2/32
GE 1/0/1
UPE (DCP1/MCP)
172.1.1.2/24
GE 1/0/2
NPE (DCP2)
172.1.4.1/24
GE 1/0/3
SPE2
172.1.3.1/24
Loopback1
3.3.3.3/32
GE 1/0/1
NPE (DCP2)
172.1.5.1/24
GE 1/0/2
UPE (DCP1/MCP)
172.1.2.2/24
GE 1/0/3
SPE1
172.1.3.2/24
Loopback1
4.4.4.4/32
GE 1/0/1
SPE2
172.1.5.2/24
GE 1/0/2
SEP1
172.1.4.2/24
GE 1/0/3
NPE (DCP2)
100.2.1.1/24
SPE1
SPE2
NPE (DCP2)
1.
Configure an IP address and a routing protocol for each interface so that all provider edge
devices (PEs) can communicate at the network layer. This example uses Open Shortest
Path First (OSPF) as the routing protocol.
2.
Configure Multiprotocol Label Switching (MPLS) functions and public network tunnels.
In this example, RSVP-TE tunnels are established between the UPE and SPEs, and Label
Distribution Protocol (LDP) LSPs are established between the SPEs and between the NPE
and SPEs.
3.
Create a VPN instance on the UPE and NPE and import the local direct routes on the UPE
and NPE to their respective VPN instance routing tables.
4.
Establish MP-IBGP peer relationships between the UPE and SPEs and between the NPE
and SPEs.
5.
Configure the SPEs as route reflectors (RRs) and specify the UPE and NPE as RR clients.
6.
Configure VPN FRR on the UPE and NPE.
Issue 02 (2013-12-31)

389

Equipment
2 System Management
7.
Configure the Network Time Protocol (NTP) to synchronize the clocks of the UPE, SPE1,
and the NPE.
8.
Configure proactive packet loss and delay measurement on the UPE and NPE to collect
packet loss and delay statistics at intervals.
9.
Configure the packet loss and two-way delay alarm thresholds and clear alarm thresholds
on the UPE.
Data Preparation
l
IP address of each interface listed in Table 2-11
Interior Gateway Protocol (IGP) protocol type, process ID, and area ID
Label switching router (LSR) IDs of the UPE and SPEs
Tunnel interface names, tunnel IDs, and tunnel interface addresses (loopback interface
addresses) for the bidirectional tunnels between the UPE and SPEs
Tunnel policy names for the bidirectional tunnels between the UPE and SPEs and tunnel
selector names on the SPEs
Names, route distinguishers (RDs), and VPN targets of the VPN instances on the UPE and
NPE
UPE's NTP stratum (1); clock synchronization interval (180s) for the UPE, SPEs, and the
NPE; offset (50s) between the clock server and client; maximum polling time (64s)
UPE's DCP ID and MCP ID (both 1.1.1.1); NPE's MCP ID (4.4.4.4)
IP FPM instance ID (1) and statistical period (10s)
Forward target flow's source IP address (100.1.1.1) and destination IP address (100.2.1.1);
backward target flow's source IP address (100.2.1.1) and destination IP address (100.1.1.1)
Measurement points (TLP100 and TLP310)
Loss and delay measurement flags (respectively the third and fourth bits in the ToS field
of the IPv4 packet header)
NOTE
Before you deploy IP FPM for packet loss and delay measurement, if two or more bits in the IPv4
packet header have not been planned for other purposes, they can be used for packet loss and delay
measurement at the same time. If only one bit in the IPv4 packet header has not been planned, it can
be used for either packet loss or delay measurement in one IP FPM instance.
Authentication mode (HMAC-SHA256), password (huawei), key ID (1), and UDP port
number (2048) on the UPE and NPE
Packet loss alarm threshold and its clear alarm threshold (respectively 10% and 5%); twoway delay alarm threshold and its clear alarm threshold (respectively 100 ms and 50 ms)
Procedure
Step 1 Configure interface IP addresses.
Assign an IP address to each interface according to Table 2-11 and create a loopback interface
on each node. For configuration details, see Configuration Files in this section.
Step 2 Configure OSPF.
Issue 02 (2013-12-31)

390

Equipment
2 System Management
Configure OSPF on each node to allow the nodes to communicate at the network layer. For
detailed configurations, see Configuration Files in this section.
Step 3 Configure basic MPLS functions and public network tunnels.
l Configure basic MPLS functions and enable MPLS TE, RSVP-TE, and Constraint Shortest
Path First (CSPF).
# Configure the UPE.
[UPE] mpls lsr-id 1.1.1.1
[UPE] mpls
[UPE-mpls] mpls te
[UPE-mpls] mpls rsvp-te
[UPE-mpls] mpls te cspf
[UPE-mpls] quit
[UPE] interface gigabitethernet 0/2/1
[UPE-GigabitEthernet0/2/1] mpls
[UPE-GigabitEthernet0/2/1] mpls te
[UPE-GigabitEthernet0/2/1] mpls rsvp-te
[UPE-GigabitEthernet0/2/1] quit
[UPE] ospf 1
[UPE-ospf-1] opaque-capability enable
[UPE-ospf-1] area 0
[UPE-ospf-1-area-0.0.0.0] mpls-te enable
[UPE-ospf-1-area-0.0.0.0] quit
[UPE-ospf-1] quit
# Configure SPE1.
[SPE1] mpls lsr-id 2.2.2.2
[SPE1] mpls
[SPE1-mpls] mpls te
[SPE1-mpls] mpls rsvp-te
[SPE1-mpls] mpls te cspf
[SPE1-mpls] quit
[SPE1] mpls ldp
[SPE1-mpls-ldp] quit
[SPE1] interface gigabitethernet 1/0/1
[SPE1-GigabitEthernet1/0/1] mpls
[SPE1-GigabitEthernet1/0/1] mpls te
[SPE1-GigabitEthernet1/0/1] mpls rsvp-te
[SPE1-GigabitEthernet1/0/1] quit
[SPE1-GigabitEthernet1/0/3] mpls ldp
[SPE1] ospf 1
[SPE1-ospf-1] opaque-capability enable
[SPE1-ospf-1] area 0
[SPE1-ospf-1-area-0.0.0.0] mpls-te enable
[SPE1-ospf-1-area-0.0.0.0] quit
[SPE1-ospf-1] quit
# Configure SPE2.
[SPE2] mpls
[SPE2-mpls] mpls te
[SPE2-mpls] quit
[SPE2] mpls ldp
Issue 02 (2013-12-31)

391

Equipment
2 System Management

[SPE2] ospf 1
[SPE2-ospf-1] quit
l Enable the egress of each unidirectional tunnel to be created to assign a non-null label to the
penultimate hop.
[UPE] mpls
[UPE-mpls] label advertise non-null
[UPE-mpls] quit
# Configure SPE1.
[SPE1] mpls
[SPE1-mpls] label advertise non-null
[SPE1-mpls] quit
# Configure SPE2.
[SPE2] mpls
[SPE2-mpls] quit
l Configure RSVP-TE tunnel interfaces.

[UPE] interface tunnel 0/2/1
[UPE-Tunnel0/2/1] ip address unnumbered interface loopback 1
[UPE-Tunnel0/2/1] tunnel-protocol mpls te
[UPE-Tunnel0/2/1] destination 2.2.2.2
[UPE-Tunnel0/2/1] mpls te tunnel-id 100
[UPE-Tunnel0/2/1] mpls te signal-protocol rsvp-te
[UPE-Tunnel0/2/1] mpls te reserved-for-binding
[UPE-Tunnel0/2/1] mpls te commit
[UPE-Tunnel0/2/1] quit
# Configure SPE1.
[SPE1] interface tunnel 1/0/1
[SPE1-Tunnel1/0/1] ip address unnumbered interface loopback 1
[SPE1-Tunnel1/0/1] tunnel-protocol mpls te
[SPE1-Tunnel1/0/1] destination 1.1.1.1
[SPE1-Tunnel1/0/1] mpls te tunnel-id 100
[SPE1-Tunnel1/0/1] mpls te signal-protocol rsvp-te
[SPE1-Tunnel1/0/1] mpls te reserved-for-binding
[SPE1-Tunnel1/0/1] mpls te commit
[SPE1-Tunnel1/0/1] quit
# Configure SPE2.
Issue 02 (2013-12-31)

392

Equipment
[SPE2-Tunnel1/0/2]
[SPE2-Tunnel1/0/2]
[SPE2-Tunnel1/0/2]
[SPE2-Tunnel1/0/2]
[SPE2-Tunnel1/0/2]
[SPE2-Tunnel1/0/2]
[SPE2-Tunnel1/0/2]
[SPE2-Tunnel1/0/2]
2 System Management
ip address unnumbered interface loopback 1

tunnel-protocol mpls te
destination 1.1.1.1
mpls te tunnel-id 200
mpls te signal-protocol rsvp-te
mpls te reserved-for-binding
mpls te commit
quit
l Configure tunnel policies.

[UPE] tunnel-policy policy1
[UPE-tunnel-policy-policy1] tunnel binding destination 2.2.2.2 te tunnel 0/2/1
[UPE-tunnel-policy-policy1] quit
# Configure SPE1.
[SPE1] tunnel-policy policy1
[SPE1-tunnel-policy-policy1] tunnel binding destination 1.1.1.1 te tunnel 1/0/1
[SPE1-tunnel-policy-policy1] quit
# Configure SPE2.
Step 4 Create a VPN instance on the UPE and NPE and import the local direct routes on the UPE and
NPE to their respective VPN instance routing tables.
[UPE] ip vpn-instance vpna
[UPE-vpn-instance-vpna] ipv4-family
[UPE-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[UPE-vpn-instance-vpna-af-ipv4] vpn-target 1:1
[UPE-vpn-instance-vpna-af-ipv4] quit
[UPE-vpn-instance-vpna] quit
[UPE-GigabitEthernet0/2/0] ip binding vpn-instance vpna
[UPE-GigabitEthernet0/2/0] ip address 100.1.1.1 24
[UPE] bgp 100
[UPE-bgp] ipv4-family vpn-instance vpna
[UPE-bgp-vpna] import-route direct
[UPE-bgp-vpna] quit
[UPE-bgp] quit
# Configure the NPE.

[NPE] ip vpn-instance vpna
[NPE-vpn-instance-vpna] ipv4-family
[NPE-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[NPE-vpn-instance-vpna-af-ipv4] vpn-target 1:1
[NPE-vpn-instance-vpna-af-ipv4] quit
[NPE-vpn-instance-vpna] quit
[NPE] interface gigabitethernet 1/0/3
[NPE-GigabitEthernet1/0/3] ip binding vpn-instance vpna
[NPE-GigabitEthernet1/0/3] ip address 100.2.1.1 24
[NPE-GigabitEthernet1/0/3] quit
[NPE] bgp 100
[NPE-bgp] ipv4-family vpn-instance vpna
[NPE-bgp-vpna] import-route direct
[NPE-bgp-vpna] quit
[NPE-bgp] quit
Step 5 Establish MP-IBGP peer relationships between the UPE and SPEs and between the NPE and
SPEs.
Issue 02 (2013-12-31)

393

Equipment
2 System Management

[UPE] bgp 100
[UPE-bgp] router-id 1.1.1.1
[UPE-bgp] peer 2.2.2.2 as-number 100
[UPE-bgp] peer 2.2.2.2 connect-interface loopback 1
[UPE-bgp] ipv4-family vpnv4
[UPE-bgp-af-vpnv4] peer 2.2.2.2 enable
[UPE-bgp-af-vpnv4] quit
[UPE-bgp] quit
# Configure SPE1.
[SPE1] bgp 100
[SPE1-bgp] router-id 2.2.2.2
[SPE1-bgp] peer 1.1.1.1 as-number 100
[SPE1-bgp] peer 1.1.1.1 connect-interface loopback 1
[SPE1-bgp] ipv4-family vpnv4
[SPE1-bgp-af-vpnv4] undo policy vpn-target
[SPE1-bgp-af-vpnv4] peer 1.1.1.1 enable
[SPE1-bgp-af-vpnv4] quit
[SPE1-bgp] quit
The configuration of SPE2 is similar to the configuration of SPE1. For configuration details, see
Configuration Files in this section.
[NPE] bgp 100
[NPE-bgp] router-id 4.4.4.4
[NPE-bgp] peer 2.2.2.2 as-number 100
[NPE-bgp] peer 2.2.2.2 connect-interface loopback 1
[NPE-bgp] ipv4-family vpnv4
[NPE-bgp-af-vpnv4] peer 2.2.2.2 enable
[NPE-bgp-af-vpnv4] quit
[NPE-bgp] quit
Step 6 Configure the SPEs as RRs and specify the UPE and NPE as RR clients.
# Configure SPE1.
[SPE1] bgp 100
[SPE1-bgp-af-vpnv4] peer 1.1.1.1
[SPE1-bgp] quit
reflect-client
next-hop-local
reflect-client
next-hop-local
Step 7 Apply the tunnel policy on the UPE and configure a tunnel selector on each SPE because SPEs
do not have VPN instances, so that the UPE and SPEs use RSVP-TE tunnels to transmit traffic.
Issue 02 (2013-12-31)

394

Equipment
2 System Management
# Apply the tunnel policy on the UPE.

[UPE-vpn-instance-vpna-af-ipv4] tnl-policy policy1
# Configure a tunnel selector on SPE1 to use RSVP-TE tunnels to transmit traffic.

[SPE1] tunnel-selector bindTE permit node 10
[SPE1-tunnel-selector] apply tunnel-policy policy1
[SPE1-tunnel-selector] quit
[SPE1] bgp 100
[SPE1-bgp-af-vpnv4] tunnel-selector bindTE
Step 8 Configure VPN FRR on the UPE and NPE.
[UPE] bgp 100
[UPE-bgp-vpna] auto-frr
[UPE-bgp-vpna] quit
[UPE-bgp] quit
The configuration of the NPE is similar to the configuration of the UPE. For configuration
details, see Configuration Files in this section.
After completing the configurations, run the display bgp vpnv4 vpn-instancevpna routingtable command on the UPE and NPE to view detailed information about received routes.
[UPE] display bgp vpnv4 vpn-instance vpna routing-table
BGP Local router ID is 1.1.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
VPN-Instance vpna, Router ID 1.1.1.1:

Total Number of Routes: 4
Network
NextHop
*>
*>
*>i
* i
[NPE]
MED
LocPrf
100.1.1.0/24
100.1.1.1/32
100.2.1.0/24
0.0.0.0
0
0.0.0.0
0
2.2.2.2
0
100
3.3.3.3
0
100
display bgp vpnv4 vpn-instance vpna routing-table
PrefVal Path/Ogn
0
0
0
0
?
?
?
?


Network
NextHop
Issue 02 (2013-12-31)
MED
LocPrf

PrefVal Path/Ogn
395

Equipment
*>i
* i
*>
*>
100.1.1.0/24
100.2.1.0/24
100.2.1.1/32
2.2.2.2
3.3.3.3
0.0.0.0
0.0.0.0
2 System Management
0
0
0
0
100
100
0
0
0
0
?
?
?
?
The command output shows that the UPE and NPE both preferentially select the routes
advertised by SPE1 and use UPE <-> SPE1 <-> NPE as the primary path.
Step 9 Configure NTP to synchronize the clocks of the UPE, SPE1, and the NPE.
[UPE] ntp-service sync-interval 180 spike-offset 50 max-sys-poll 6
[UPE] ntp-service refclock-master 1
# Configure SPE1.
[SPE1] ntp-service sync-interval 180 spike-offset 50 max-sys-poll 6
[SPE1] ntp-service unicast-server 172.1.1.1

[NPE] ntp-service sync-interval 180 spike-offset 50 max-sys-poll 6
[NPE] ntp-service unicast-server 172.1.4.1
After completing the configuration, the UPE, SPE1, and the NPE have synchronized their clocks.
Run the display ntp-service status command on the UPE to check its NTP status. The command
output shows that the clock status is synchronized, which means that synchronization is
complete.
[UPE] display ntp-service status
clock status: synchronized
clock stratum: 1
reference clock ID: LOCAL(0)
nominal frequency: 64.0000 Hz
actual frequency: 64.0000 Hz
clock precision: 2^7
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 26.49 ms
peer dispersion: 10.00 ms
reference time: 08:55:35.000 UTC Apr 2 2013(D5051B87.0020C49B)
synchronization state: clock synchronized
Run the display ntp-service status command on SPE1 to check its NTP status. The command
output shows that the clock status is synchronized and the clock stratum is 2, lower than that
of the UPE.
[SPE1] display ntp-service status
clock stratum: 2
reference clock ID: 172.1.1.1
clock offset: -0.0099 ms
root delay: 0.08 ms
reference time: 08:56:45.000 UTC Apr 2 2013(D5051BCD.00346DC5)
Run the display ntp-service status command on the NPE to check its NTP status. The command
output shows that the clock status is synchronized and the clock stratum is 3, lower than that
of SPE1.
[NPE] display ntp-service status
clock stratum: 3
Issue 02 (2013-12-31)

396

Equipment
2 System Management

root delay: 0.18 ms
reference time: 08:56:47.000 UTC Apr 2 2013(D5051BCF.001E2584)
Step 10 Configure proactive packet loss and delay measurement on the UPE and NPE; configure the
UPE as the MCP and also a DCP and configure TLP310 on the UPE; configure the NPE as a
DCP and configure TLP100 on the NPE.
l Configure the MCP.
[UPE] nqa ipfpm mcp
[UPE-nqa-ipfpm-mcp] mcp id 1.1.1.1
[UPE-nqa-ipfpm-mcp] protocol udp port 2048
[UPE-nqa-ipfpm-mcp] authentication-mode hmac-sha256 key-id 1 cipher huawei
[UPE-nqa-ipfpm-mcp] instance 1
[UPE-nqa-ipfpm-mcp-instance-1] dcp 1.1.1.1
[UPE-nqa-ipfpm-mcp-instance-1] quit
[UPE-nqa-ipfpm-mcp] quit
After completing the configuration, run the display ipfpm mcp command on the UPE. The
command output shows MCP configurations on the UPE.
[UPE] display ipfpm mcp
Specification Information:
Max Instance Number
Max DCP Number Per Instance
Max ACH Number Per Instance
Max TLP Number Per ACH
:4000
:1000
:16
:16
Configuration Information:
MCP ID
Status
Protocol Port
Current Instance Number
:1.1.1.1
:Active
:2048
:1
l Configure a DCP.
[UPE] nqa ipfpm dcp
[UPE-nqa-ipfpm-dcp] dcp id 1.1.1.1
[UPE-nqa-ipfpm-dcp] authentication-mode hmac-sha256 key-id 1 cipher huawei
[UPE-nqa-ipfpm-dcp] color-flag loss-measure tos-bit 3 delay-measure tos-bit 4
[UPE-nqa-ipfpm-dcp] mcp 1.1.1.1 port 2048
[UPE-nqa-ipfpm-dcp] instance 1
[UPE-nqa-ipfpm-dcp-instance-1] interval 10
[UPE-nqa-ipfpm-dcp-instance-1] flow bidirectional source 100.1.1.1 destination
100.2.1.1
[UPE-nqa-ipfpm-dcp-instance-1] tlp 100 in-point ingress
[UPE-nqa-ipfpm-dcp-instance-1] quit
[UPE-nqa-ipfpm-dcp] quit
After completing the configuration, run the display ipfpm dcp command on the UPE. The
command output shows DCP configurations on the UPE.
[UPE] display ipfpm dcp
Specification Information(Main Board):
Max Instance Number
Max 10s Instance Number
Max TLP Number
Max TLP Number Per Instance
Issue 02 (2013-12-31)
:16384
:16384
:256
:2048
:16

397

Equipment
2 System Management
Specification Information(IO Board):

Board ID:1
Max non-1s Instance Number
Max TLP Number
:256
:2048
:2048
DCP ID
Loss-measure Flag
Delay-measure Flag
Multicast-measure flag
Authentication Mode
:
:
:
:
:
:
:
:
1.1.1.1
tos-bit3
tos-bit4
flags-bit0(default)
hmac-sha256
1.1.1.1
2048
1
l Bind the TLP to an interface.

[UPE] interface GigabitEthernet0/2/0
[UPE-GigabitEthernet0/2/0] ipfpm tlp 100
l Enable packet loss and delay measurement.

[UPE] nqa ipfpm dcp
[UPE-nqa-ipfpm-dcp-instance-1] loss-measure enable continual
[UPE-nqa-ipfpm-dcp-instance-1] delay-measure enable two-way tlp 100 continual
[UPE-nqa-ipfpm-dcp-instance-1] quit

l Configure a DCP.
[NPE] nqa ipfpm dcp
[NPE-nqa-ipfpm-dcp] dcp id 4.4.4.4
[NPE-nqa-ipfpm-dcp] authentication-mode hmac-sha256 key-id 1 cipher huawei
[NPE-nqa-ipfpm-dcp] color-flag loss-measure tos-bit 3 delay-measure tos-bit 4
[NPE-nqa-ipfpm-dcp] mcp 1.1.1.1 port 2048
[NPE-nqa-ipfpm-dcp] instance 1
[NPE-nqa-ipfpm-dcp-instance-1] interval 10
[NPE-nqa-ipfpm-dcp-instance-1] flow bidirectional source 100.1.1.1 destination
100.2.1.1
[NPE-nqa-ipfpm-dcp-instance-1] tlp 310 out-point egress
[NPE-nqa-ipfpm-dcp-instance-1] quit
[NPE-nqa-ipfpm-dcp] quit
After completing the configuration, run the display ipfpm dcp command on the NPE. The
command output shows DCP configurations on the NPE.
Issue 02 (2013-12-31)
[NPE] display ipfpm dcp

Max Instance Number
Max TLP Number
:16384
:16384
:256
:2048
:16

Board ID:1
Max TLP Number
:256
:2048
:2048
DCP ID
Loss-measure Flag
Delay-measure Flag
Multicast-measure flag
Authentication Mode
:
:
:
:
:
:
4.4.4.4
tos-bit3
tos-bit4
flags-bit0(default)
hmac-sha256
1.1.1.1

398

Equipment
2 System Management
: 2048
: 1

[NPE] interface GigabitEthernet1/0/3
[NPE-GigabitEthernet1/0/1] ipfpm tlp 310
l Enable proactive packet loss and delay measurement.

[NPE] nqa ipfpm dcp
[NPE-nqa-ipfpm-dcp-instance-1] loss-measure enable continual
[NPE-nqa-ipfpm-dcp-instance-1] delay-measure enable two-way tlp 310 continual
Step 11 Configure alarm thresholds and clear alarm thresholds for IP FPM performance counters on the
UPE.
# Configure the packet loss alarm threshold and its clear alarm threshold.
[UPE] nqa ipfpm mcp
[UPE-nqa-ipfpm-mcp-instance-1] loss-measure ratio-threshold upper-limit 10 lowerlimit 5
# Configure the two-way delay alarm threshold and its clear alarm threshold.
[UPE-nqa-ipfpm-mcp-instance-1] delay-measure two-way delay-threshold upper-limit
100000 lower-limit 50000

Run the display ipfpm statistic-type { loss | twoway-delay } instance instance-id command
on the UPE to check the performance statistics for a specified IP FPM instance.
l # The following example uses the packet loss statistics for IP FPM instance 1.
[UPE] display ipfpm statistic-type loss instance 1
----------------------------------------------------------------------------------------Period
Loss(p)
LossRatio(b)
----------------------------------------------------------------------------------------136118757
20
20.000000% 2000
20.000000%
136118756
20
20.000000% 2000
20.000000%
136118755
20
20.000000% 2000
20.000000%
136118753
20
20.000000% 2000
20.000000%
136118752
20
20.000000% 2000
20.000000%
136118751
20
20.000000% 2000
20.000000%
136118750
20
20.000000% 2000
20.000000%
136118749
20
20.000000% 2000
20.000000%
136118748
20
20.000000% 2000
20.000000%
136118747
20
20.000000% 2000
20.000000%
136118746
20
20.000000% 2000
20.000000%
136118745
20
20.000000% 2000
20.000000%
Issue 02 (2013-12-31)

399

Equipment
2 System Management

----------------------------------------------------------------------------------------Period
Loss(p)
LossRatio(b)
----------------------------------------------------------------------------------------136118757
20
20.000000% 2000
20.000000%
136118756
20
20.000000% 2000
20.000000%
136118755
20
20.000000% 2000
20.000000%
136118753
20
20.000000% 2000
20.000000%
136118752
20
20.000000% 2000
20.000000%
136118751
20
20.000000% 2000
20.000000%
136118750
20
20.000000% 2000
20.000000%
136118749
20
20.000000% 2000
20.000000%
136118748
20
20.000000% 2000
20.000000%
136118747
20
20.000000% 2000
20.000000%
136118746
20
20.000000% 2000
20.000000%
136118745
20
20.000000% 2000
20.000000%
l # The following example uses the two-way delay statistics for IP FPM instance 1.
[UPE] display ipfpm statistic-type twoway-delay instance 1
-------------------------------------------------Period
Delay(usec) Delay
Variation(usec)
-------------------------------------------------136118757
800
0
136118756
800
0
136118755
800
0
136118753
800
0
136118752
800
0
136118751
800
0
136118750
800
0
136118749
800
0
136118748
800
0
136118747
800
0
136118746
800
0
136118745
800
0
Latest one-way delay statistics of bidirectional flow:
------------------------------------------------------------------------------Period
Forward
ForwardDelay
Backward
BackwardDelay
Delay(usec) Variation(usec) Delay(usec) Variation
(usec)
------------------------------------------------------------------------------136118757
400
0
400
0
136118756
400
0
400
0
136118755
400
0
400
0
136118753
400
0
400
0
136118752
400
0
400
0
Issue 02 (2013-12-31)

400

Equipment
136118751
136118750
136118749
136118748
136118747
136118746
136118745
400
400
400
400
400
400
400
2 System Management
0
0
0
0
0
0
0
400
400
400
400
400
400
400
0
0
0
0
0
0
0
----End
Configuration Files
l
UPE configuration file

#
sysname UPE
#
ip vpn-instance
vpna
ipv4family
route-distinguisher
100:1
tnl-policy
policy1
vpn-target 1:1 exportextcommunity
vpn-target 1:1 importextcommunity
#
mpls lsr-id
1.1.1.1
mpls
mpls
te
label advertise nonnull
mpls rsvpte
mpls te
cspf
#
ntp-service sync-interval 180 spike-offset 50 max-sys-poll
6
ntp-service refclock-master
1
#
interface
GigabitEthernet0/2/0
undo
shutdown
ip binding vpn-instance
vpna
ip address 100.1.1.1
255.255.255.0
ipfpm tlp
100
#
interface
undo
shutdown
255.255.255.0
mpls
mpls
Issue 02 (2013-12-31)

401

Equipment
2 System Management
te
mpls rsvpte
#
interface
undo
shutdown
255.255.255.0
mpls
mpls
te
mpls rsvpte
#
interface
LoopBack1
ip address 1.1.1.1
255.255.255.255
#
interface
Tunnel0/2/1
ip address unnumbered interface
LoopBack1
tunnel-protocol mpls
te
destination
2.2.2.2
mpls te tunnel-id
100
mpls te reserved-forbinding
#
interface
Tunnel0/2/2
LoopBack1
te
destination
3.3.3.3
mpls te tunnel-id
200
#
bgp
100
router-id
1.1.1.1
peer 2.2.2.2 as-number
100
peer 2.2.2.2 connect-interface
LoopBack1
100
LoopBack1
#
ipv4-family
unicast
undo
synchronization
peer 2.2.2.2
Issue 02 (2013-12-31)

402

Equipment
2 System Management
enable
peer 3.3.3.3
enable
#
ipv4-family
vpnv4
policy vpntarget
peer 2.2.2.2
enable
peer 3.3.3.3
enable
#
ipv4-family vpn-instance
vpna
import-route
direct
autofrr
#
ospf
1
opaque-capability
enable
area
0.0.0.0
network 1.1.1.1
0.0.0.0
network 172.1.1.0
0.0.0.255
network 172.1.2.0
0.0.0.255
mpls-te
enable
#
tunnel-policy
policy1
tunnel binding destination 2.2.2.2 te
Tunnel0/2/1
Tunnel0/2/2
#
nqa ipfpm
dcp
dcp id
1.1.1.1
mcp 1.1.1.1 port
2048
authentication-mode hmac-sha256 key-id 1 cipher %@%@c^)+6\&Xmec@('3&m,d%1C,d%
1C<
color-flag loss-measure tos-bit 3 delay-measure tos-bit 4
instance 1
flow bidirectional source 100.1.1.1 destination 100.2.1.1
tlp 100 in-point ingress
loss-measure enable continual
delay-measure enable two-way tlp 100 continual
#
nqa ipfpm
mcp
mcp id
1.1.1.1
protocol udp port
2048
authentication-mode hmac-sha256 key-id 1 cipher %@%@\8u;Ufa-'-+mtJG0r#:00dV[%
@%
Issue 02 (2013-12-31)

403

Equipment
2 System Management
@
instance
1
dcp
1.1.1.1
dcp
4.4.4.4
loss-measure ratio-threshold upper-limit 10.000000 lower-limit
5.000000
delay-measure two-way delay-threshold upper-limit 100000 lower-limit
50000
#
return
SPE1 configuration file

#
sysname SPE1
#
tunnel-selector bindTE permit node
10
apply tunnel-policy
policy1
#
mpls lsr-id
2.2.2.2
mpls
mpls
te
mpls rsvpte
mpls te
cspf
#
mpls
ldp
#
6
ntp-service unicast-server
172.1.1.1
#
interface
undo
shutdown
255.255.255.0
mpls
mpls
te
mpls rsvpte
#
interface
undo
shutdown
255.255.255.0
mpls
mpls
ldp
#
Issue 02 (2013-12-31)

404

Equipment
2 System Management
interface
undo
shutdown
255.255.255.0
mpls
mpls
ldp
#
interface
LoopBack1
ip address 2.2.2.2
255.255.255.0
#
interface
Tunnel1/0/1
LoopBack1
te
destination
1.1.1.1
mpls te tunnel-id
100
#
bgp
100
router-id
2.2.2.2
100
LoopBack1
100
LoopBack1
100
LoopBack1
#
ipv4-family
unicast
undo
synchronization
peer 1.1.1.1
enable
peer 3.3.3.3
enable
peer 4.4.4.4
enable
#
ipv4-family
vpnv4
undo policy vpntarget
tunnel-selector
bindTE
peer 1.1.1.1
enable
Issue 02 (2013-12-31)

405

Equipment
2 System Management
peer 1.1.1.1 reflectclient

peer 1.1.1.1 next-hoplocal
peer 3.3.3.3
enable
peer 4.4.4.4
enable
#
ospf
1
opaque-capability
enable
area
0.0.0.0
network 2.2.2.2
0.0.0.0
network 172.1.1.0
0.0.0.255
network 172.1.3.0
0.0.0.255
network 172.1.4.0
0.0.0.255
mpls-te
enable
#
tunnel-policy
policy1
Tunnel1/0/1
#
return

#
sysname SPE2
#
tunnel-selector bindTE permit node 10
apply tunnel-policy policy1
#
mpls lsr-id 3.3.3.3
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls te cspf
#
mpls ldp
#
undo shutdown
ip address 172.1.5.1 255.255.255.0
mpls
mpls ldp
#
undo shutdown
ip address 172.1.2.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
Issue 02 (2013-12-31)

406

Equipment
2 System Management
undo shutdown
ip address 172.1.3.2 255.255.255.0
mpls
mpls te
mpls ldp
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
interface Tunnel1/0/2
ip address unnumbered interface LoopBack1
destination 1.1.1.1
#
bgp 100
router-id 3.3.3.3
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
peer 2.2.2.2 enable
peer 4.4.4.4 enable
#
ipv4-family vpnv4
undo policy vpn-target
tunnel-selector bindTE
peer 1.1.1.1 enable
peer 1.1.1.1 reflect-client
peer 1.1.1.1 next-hop-local
peer 2.2.2.2 enable
peer 4.4.4.4 enable
#
ospf 1
opaque-capability enable
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 172.1.2.0 0.0.0.255
network 172.1.3.0 0.0.0.255
network 172.1.5.0 0.0.0.255
mpls-te enable
#
tunnel-policy policy1
tunnel binding destination 1.1.1.1 te Tunnel1/0/2
#
return
NPE configuration file

#
sysname NPE
#
ip vpn-instance vpna
ipv4-family
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 4.4.4.4
Issue 02 (2013-12-31)

407

Equipment
2 System Management
mpls
#
mpls ldp
#
ntp-service sync-interval 180 spike-offset 50 max-sys-poll 6
ntp-service unicast-server 172.1.4.1
#
undo shutdown
ip address 172.1.5.2 255.255.255.0
mpls
mpls ldp
#
undo shutdown
ip address 172.1.4.2 255.255.255.0
mpls
mpls ldp
#
undo shutdown
ip binding vpn-instance vpna
ip address 100.2.1.1 255.255.255.0
ipfpm tlp 310
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255
#
bgp 100
router-id 4.4.4.4
#
ipv4-family unicast
peer 2.2.2.2 enable
peer 3.3.3.3 enable
#
ipv4-family unicast
peer 2.2.2.2 enable
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.2 enable
peer 3.3.3.3 enable
#
ipv4-family vpn-instance vpna
import-route direct
auto-frr
#
ospf 1
area 0.0.0.0
network 4.4.4.4 0.0.0.0
network 172.1.4.0 0.0.0.255
network 172.1.5.0 0.0.0.255
#
nqa ipfpm dcp
dcp id 4.4.4.4
mcp 1.1.1.1 port 2048
authentication-mode hmac-sha256 key-id 1 cipher %@%@;\VV*UAUfP'8+uS{,4v+1Gjv%
@%@
instance 1
Issue 02 (2013-12-31)

408

Equipment
2 System Management
flow bidirectional source 100.1.1.1 destination 100.2.1.1

tlp 310 out-point egress
loss-measure enable continual
delay-measure enable two-way tlp 310 continual
#
return
Example for Configuring IP FPM Hop-by-Hop Performance Statistics Collection

This section provides an example for configuring IP Flow Performance Management (FPM)
hop-by-hop performance statistics collection.
Various value-added services, such as IPTV, video conferencing, and voice over IP (VoIP) are
widely used on networks. As these services rely heavily on high speed and robust networks, link
connectivity and network performance are essential to service transmission. The performance
monitoring function can be used to verify performance of links that transmit services.
l
When voice services are deployed, users will not detect any change in the voice quality if
the packet loss rate on links is lower than 5%. If the packet loss rate is higher than 10%,
the voice quality will deteriorate significantly.
Real-time services, such as VoIP, online games, and video conferencing, require a delay
lower than 100 ms, or even 50 ms. As the delay increases, user experience worsens.
To locate faults when network performance deteriorates, configure IP FPM hop-by-hop

performance statistics collection.
The IPRAN network shown in Figure 2-24 transmits video services. A unidirectional service
flow enters the network through the UPE, travels across SPE1, and leaves the network through
the NPE.
To locate faults when network performance deteriorates, configure hop-by-hop packet loss and
delay measurement on the UPE and NPE to locate faults segment by segment.
G
NodeB TLP100 UPE E0/2
/2
In-point
Ingress
1
GE
1
/0/
GE
1/0
/2
GE1/0/3
Loopback1 /1
0 /2
GE
GE0/2/0
Loopback1
GE1/0/3
Mid-point
TLP200
Ingress
SPE1
GE
1/0
/2
GE
1/0
/2
/0
E1
NPE
RNC
GE1/0/3
/1
TLP310
G
Loopback1
1
Out-piont
/
1 /0
E
Egress
G
SPE2
Loopback1
Forward Target Flow
Issue 02 (2013-12-31)

409

Equipment
2 System Management
Table 2-12 Interfaces and IP addresses

Device (Role)
Interface
Remote Device
(Role)
IP Address
UPE (DCP1/MCP)
Loopback1
1.1.1.1/32
GE0/2/0
NodeB
100.1.1.1/24
GE0/2/1
SPE1 (DCP2)
172.1.1.1/24
GE0/2/2
SPE2
172.1.2.1/24
Loopback1
2.2.2.2/32
GE 1/0/1
UPE (DCP1/MCP)
172.1.1.2/24
GE 1/0/2
NPE (DCP3)
172.1.4.1/24
GE 1/0/3
SPE2
172.1.3.1/24
Loopback1
3.3.3.3/32
GE 1/0/1
NPE (DCP3)
172.1.5.1/24
GE 1/0/2
UPE (DCP1/MCP)
172.1.2.2/24
GE 1/0/3
SPE1 (DCP2)
172.1.3.2/24
Loopback1
4.4.4.4/32
GE 1/0/1
SPE2
172.1.5.2/24
GE 1/0/2
SPE1 (DCP2)
172.1.4.2/24
GE 1/0/3
NPE (DCP3)
100.2.1.1/24
SPE1 (DCP2)
SPE2
NPE (DCP3)
1.
Configure an IP address and a routing protocol for each interface so that all provider edge
devices (PEs) can communicate at the network layer. This example uses Open Shortest
Path First (OSPF) as the routing protocol.
2.
and SPEs.
3.
4.
and SPEs.
5.
6.
Issue 02 (2013-12-31)

410

Equipment
2 System Management
7.
Configure the Network Time Protocol (NTP) to synchronize the clocks of the UPE, SPE1,
and the NPE.
8.
Configure hop-by-hop packet loss and delay measurement on the UPE and NPE to locate
faults segment by segment.
9.
Configure the packet loss and two-way delay alarm thresholds and clear alarm thresholds
on the UPE.
Data Preparation
l
IP address of each interface listed in Table 2-12
NPE
UPE's NTP stratum (1); clock synchronization interval (180s) for the UPE, SPEs, and the
NPE; offset (50s) between the clock server and client; maximum polling time (64s)
UPE's DCP ID and MCP ID (both 1.1.1.1); SPE1's DCP ID (2.2.2.2); NPE's MCP ID
(4.4.4.4)
IP FPM instance ID (1) and statistical period (10s)
Target flow's source IP address (100.1.1.1) and destination IP address (100.2.1.1)
ACH1 {TLP100, TLP200}, and ACH2 {TLP200, TLP310}
Loss and delay measurement flags (respectively the third and fourth bits in the ToS field
of the IPv4 packet header)
NOTE
Before you deploy IP FPM for packet loss and delay measurement, if two or more bits in the IPv4
packet header have not been planned for other purposes, they can be used for packet loss and delay
measurement at the same time. If only one bit in the IPv4 packet header has not been planned, it can
be used for either packet loss or delay measurement in one IP FPM instance.
Authentication mode (HMAC-SHA256), password (huawei), key ID (1), and UDP port
number (2048) on the UPE, SPE1, and NPE
Hop-by-hop packet loss and delay measurement intervals (30s)
Packet loss alarm threshold and its clear alarm threshold (respectively 10% and 5%); twoway delay alarm threshold and its clear alarm threshold (respectively 100 ms and 50 ms)
Procedure
Step 1 Configure interface IP addresses.
Assign an IP address to each interface according to Table 2-12 and create a loopback interface
Issue 02 (2013-12-31)

411

Equipment
2 System Management
Step 2 Configure OSPF.

detailed configurations, see Configuration Files in this section.
Step 3 Configure basic MPLS functions and public network tunnels.
l Configure basic MPLS functions and enable MPLS TE, RSVP-TE, and Constraint Shortest
Path First (CSPF).
[UPE] mpls
[UPE-mpls] mpls te
[UPE-mpls] quit
[UPE] ospf 1
[UPE-ospf-1] area 0
[UPE-ospf-1] quit
# Configure SPE1.
[SPE1] mpls
[SPE1-mpls] mpls te
[SPE1-mpls] quit
[SPE1] mpls ldp
[SPE1] ospf 1
[SPE1-ospf-1] quit
# Configure SPE2.
[SPE2] mpls
[SPE2] mpls
[SPE2-mpls]
[SPE2-mpls]
[SPE2-mpls]
[SPE2-mpls]
Issue 02 (2013-12-31)
lsr-id 3.3.3.3
mpls te
mpls rsvp-te
mpls te cspf
quit

412

Equipment
2 System Management
[SPE2] mpls ldp

[SPE2] ospf 1
[SPE2-ospf-1] quit
l Enable the egress of each unidirectional tunnel to be created to assign a non-null label to the
penultimate hop.
[UPE] mpls
[UPE-mpls] quit
# Configure SPE1.
[SPE1] mpls
[SPE1-mpls] quit
# Configure SPE2.
[SPE2] mpls
[SPE2-mpls] quit

# Configure SPE1.
Issue 02 (2013-12-31)

413

Equipment
2 System Management
# Configure SPE2.

# Configure SPE1.
# Configure SPE2.
Step 4 Create a VPN instance on the UPE and NPE and import the local direct routes on the UPE and
NPE to their respective VPN instance routing tables.
[UPE] bgp 100
[UPE-bgp-vpna] quit
[UPE-bgp] quit

[NPE] bgp 100
[NPE-bgp-vpna] quit
Issue 02 (2013-12-31)

414

Equipment
2 System Management
[NPE-bgp] quit
Step 5 Establish MP-IBGP peer relationships between the UPE and SPEs and between the NPE and
SPEs.
[UPE] bgp 100
[UPE-bgp] quit
# Configure SPE1.
[SPE1] bgp 100
[SPE1-bgp] quit
[NPE] bgp 100
[NPE-bgp] quit
Step 6 Configure the SPEs as RRs and specify the UPE and NPE as RR clients.
# Configure SPE1.
[SPE1] bgp 100
[SPE1-bgp] quit
Issue 02 (2013-12-31)
reflect-client
next-hop-local
reflect-client
next-hop-local

415

Equipment
2 System Management
Step 7 Apply the tunnel policy on the UPE and configure a tunnel selector on each SPE because SPEs
do not have VPN instances, so that the UPE and SPEs use RSVP-TE tunnels to transmit traffic.

[SPE1] bgp 100
Step 8 Configure VPN FRR on the UPE and NPE.
[UPE] bgp 100
[UPE-bgp-vpna] quit
[UPE-bgp] quit
The configuration of the NPE is similar to the configuration of the UPE. For configuration
After completing the configurations, run the display bgp vpnv4 vpn-instancevpna routingtable command on the UPE and NPE to view detailed information about received routes.

Network
NextHop
*>
*>
*>i
* i
[NPE]
MED
LocPrf
100.1.1.0/24
100.1.1.1/32
100.2.1.0/24
0.0.0.0
0
0.0.0.0
0
2.2.2.2
0
100
4.4.4.4
0
100
PrefVal Path/Ogn
0
0
0
0
?
?
?
?

Issue 02 (2013-12-31)

416

Equipment
2 System Management

Network
NextHop
MED
LocPrf
*>i
* i
*>
*>
0
0
0
0
100
100
100.1.1.0/24
100.2.1.0/24
100.2.1.1/32
2.2.2.2
4.4.4.4
0.0.0.0
0.0.0.0
PrefVal Path/Ogn
0
0
0
0
?
?
?
?
The command output shows that the UPE and NPE both preferentially select the routes
advertised by SPE1 and use UPE <-> SPE1 <-> NPE as the primary path.
Step 9 Configure NTP to synchronize the clocks of the UPE, SPE1, and the NPE.
# Configure UPE.
[UPE] ntp-service sync-interval 180 spike-offset 50 max-sys-poll 6
[UPE] ntp-service refclock-master 1
# Configure SPE1.
[SPE1] ntp-service sync-interval 180 spike-offset 50 max-sys-poll 6
[SPE1] ntp-service unicast-server 172.1.1.1
# Configure NPE.
[NPE] ntp-service sync-interval 180 spike-offset 50 max-sys-poll 6
[NPE] ntp-service unicast-server 172.1.4.1
After completing the configuration, the UPE, SPE1, and the NPE have synchronized their clocks.
Run the display ntp status command on the UPE to check its NTP status. The command output
shows that the clock status is synchronized, which means that synchronization is complete.
[UPE] display ntp status
clock stratum: 1
reference clock ID: LOCAL(0)
clock offset: 0.0000 ms
root delay: 0.00 ms
reference time: 08:55:35.000 UTC Apr 2 2013(D5051B87.0020C49B)
Run the display ntp status command on SPE1 to check its NTP status. The command output
shows that the clock status is synchronized and the clock stratum is 2, lower than that of the
UPE.
[SPE1] display ntp status
clock stratum: 2
root delay: 0.08 ms
reference time: 08:56:45.000 UTC Apr 2 2013(D5051BCD.00346DC5)
Issue 02 (2013-12-31)

417

Equipment
2 System Management
Run the display ntp status command on the NPE to check its NTP status. The command output
shows that the clock status is synchronized and the clock stratum is 3, lower than that of SPE1.
[NPE] display ntp status
clock stratum: 3
root delay: 0.18 ms
reference time: 08:56:47.000 UTC Apr 2 2013(D5051BCF.001E2584)
Step 10 Configure hop-by-hop packet loss and delay measurement on the UPE, SPE1, and the NPE;
configure two ACHs on the link between the UPE and NPE: ACH1 {TLP100, TLP200}, and
ACH2 {TLP200, TLP310}.
# Configure UPE.
l Configure the MCP.
[UPE] nqa ipfpm mcp
[UPE-nqa-ipfpm-mcp] mcp id 1.1.1.1
[UPE-nqa-ipfpm-mcp] protocol udp port 2048
[UPE-nqa-ipfpm-mcp] authentication-mode hmac-sha256 key-id 1 cipher huawei
[UPE-nqa-ipfpm-mcp] description Instanceforpoint-by-pointtest
[UPE-nqa-ipfpm-mcp-instance-1] ach 1
[UPE-nqa-ipfpm-mcp-instance-1-ach-1] flow forward
[UPE-nqa-ipfpm-mcp-instance-1-ach-1] in-group dcp 1.1.1.1 tlp 100
[UPE-nqa-ipfpm-mcp-instance-1-ach-1] out-group dcp 2.2.2.2 tlp 200
[UPE-nqa-ipfpm-mcp-instance-1-ach-1] quit
[UPE-nqa-ipfpm-mcp-instance-1] ach 2
[UPE-nqa-ipfpm-mcp-instance-1-ach-2] flow forward
[UPE-nqa-ipfpm-mcp-instance-1-ach-2] in-group dcp 2.2.2.2 tlp 200
[UPE-nqa-ipfpm-mcp-instance-1-ach-2] out-group dcp 4.4.4.4 tlp 310
[UPE-nqa-ipfpm-mcp-instance-1-ach-2] quit
[UPE-nqa-ipfpm-mcp-instance-1] quit
[UPE-nqa-ipfpm-mcp] quit
After completing the configuration, run the display ipfpm mcp command on the UPE. The
command output shows MCP configurations on the UPE.
[UPE] display ipfpm mcp
Specification Information:
Max Instance Number
Max DCP Number Per Instance
Max ACH Number Per Instance
Max TLP Number Per ACH
:64
:256
:16
:16
MCP ID
Status
Protocol Port
:1.1.1.1
:Active
:2048
:1
l Configure a DCP.
[UPE] nqa ipfpm dcp
[UPE-nqa-ipfpm-dcp]
[UPE-nqa-ipfpm-dcp]
[UPE-nqa-ipfpm-dcp]
[UPE-nqa-ipfpm-dcp]
[UPE-nqa-ipfpm-dcp]
Issue 02 (2013-12-31)
dcp id 1.1.1.1
mcp 1.1.1.1 port 2048
authentication-mode hmac-sha256 key-id 1 cipher huawei
instance 1

418

Equipment
[UPE-nqa-ipfpm-dcp-instance-1]
100.2.1.1
2 System Management
description Instanceforpointbypointtest
interval 10
flow forward source 100.1.1.1 destination
tlp 100 in-point ingress
quit
After completing the configuration, run the display ipfpm dcp command on the UPE. The
command output shows DCP configurations on the UPE.
[UPE] display ipfpm dcp
Max Instance Number
Max TLP Number
:64
:64
:8
:511
:8
DCP ID
Loss-measure Flag
Delay-measure Flag
Authentication Mode
:
:
:
:
:
:
:
1.1.1.1
tos-bit3
tos-bit4
hmac-sha256
1.1.1.1
2048
1

[UPE] interface GigabitEthernet0/2/0
[UPE-GigabitEthernet0/2/0] ipfpm tlp 100
l Enable hop-by-hop packet loss and delay measurement.

[UPE] nqa ipfpm dcp
[UPE-nqa-ipfpm-dcp-instance-1] loss-measure enable time-range 30
[UPE-nqa-ipfpm-dcp-instance-1] delay-measure enable one-way tlp 100 time-range
30
# Configure SPE1.
l Configure a DCP.
[SPE1] nqa ipfpm dcp
[SPE1-nqa-ipfpm-dcp] dcp id 2.2.2.2
[SPE1-nqa-ipfpm-dcp] authentication-mode hmac-sha256 key-id 1 cipher huawei
[SPE1-nqa-ipfpm-dcp] color-flag loss-measure tos-bit 3 delay-measure tos-bit 4
[SPE1-nqa-ipfpm-dcp] mcp 1.1.1.1 port 2048
[SPE1-nqa-ipfpm-dcp] instance 1
[SPE1-nqa-ipfpm-dcp-instance-1] description Instanceforpointbypointtest
[SPE1-nqa-ipfpm-dcp-instance-1] interval 10
[SPE1-nqa-ipfpm-dcp-instance-1] flow forward source 100.1.1.1 destination
100.2.1.1
[SPE1-nqa-ipfpm-dcp-instance-1] tlp 200 mid-point flow forward ingress
[SPE1-nqa-ipfpm-dcp-instance-1] quit
[SPE1-nqa-ipfpm-dcp] quit
After completing the configuration, run the display ipfpm dcp command on SPE1. The
command output shows DCP configurations on SPE1.
[SPE1] display ipfpm dcp
Max Instance Number
Max TLP Number
:16384
:16384
:256
:2048
:16

Board ID:1
Issue 02 (2013-12-31)

419

Equipment
Max TLP Number
DCP ID
Loss-measure Flag
Delay-measure Flag
Authentication Mode
2 System Management
:256
:2048
:2048
:
:
:
:
:
:
:
2.2.2.2
tos-bit3
tos-bit4
hmac-sha256
1.1.1.1
2048
1

[SPE1] interface GigabitEthernet1/0/1
[SPE1-GigabitEthernet1/0/1] ipfpm tlp 200
l Enable hop-by-hop packet loss measurement.

[SPE1] nqa ipfpm dcp
[SPE1-nqa-ipfpm-dcp] instance 1
[SPE1-nqa-ipfpm-dcp-instance-1] loss-measure enable mid-point time-range 30

l Configure a DCP.
[NPE] nqa ipfpm dcp
[NPE-nqa-ipfpm-dcp] dcp id 4.4.4.4
[NPE-nqa-ipfpm-dcp] authentication-mode hmac-sha256 key-id 1 cipher huawei
[NPE-nqa-ipfpm-dcp] color-flag loss-measure tos-bit 3 delay-measure tos-bit 4
[NPE-nqa-ipfpm-dcp] mcp 1.1.1.1 port 2048
[NPE-nqa-ipfpm-dcp-instance-1] description Instanceforpointbypointtest
[NPE-nqa-ipfpm-dcp-instance-1] interval 10
[NPE-nqa-ipfpm-dcp-instance-1] flow forward source 100.1.1.1 destination
100.2.1.1
[NPE-nqa-ipfpm-dcp-instance-1] tlp 310 out-point egress
[NPE-nqa-ipfpm-dcp-instance-1] quit
[NPE-nqa-ipfpm-dcp] quit
After completing the configuration, run the display ipfpm dcp command on the NPE. The
command output shows DCP configurations on the NPE.
[NPE] display ipfpm dcp
Max Instance Number
Max TLP Number
:16384
:16384
:256
:2048
:16

Board ID:1
Max TLP Number
:256
:2048
:2048
DCP ID
Loss-measure Flag
Delay-measure Flag
Authentication Mode
:
:
:
:
:
:
:
4.4.4.4
tos-bit3
tos-bit4
hmac-sha256
1.1.1.1
2048
1
l Bind the TLPs to interfaces.

[NPE] interface GigabitEthernet1/0/3
[NPE-GigabitEthernet1/0/3] ipfpm tlp 310
Issue 02 (2013-12-31)

420

Equipment
2 System Management
l Enable hop-by-hop packet loss measurement.

[NPE] nqa ipfpm dcp
[NPE-nqa-ipfpm-dcp-instance-1] loss-measure enable time-range 30
[NPE-nqa-ipfpm-dcp-instance-1] loss-measure enable mid-point time-range 30
Step 11 Configure alarm thresholds and clear alarm thresholds for IP FPM performance counters on the
UPE.
# Configure the packet loss alarm threshold and its clear alarm threshold.
[UPE] nqa ipfpm mcp
[UPE-nqa-ipfpm-mcp-instance-1] loss-measure ratio-threshold upper-limit 10 lowerlimit 5
# Configure the two-way delay alarm threshold and its clear alarm threshold.
[UPE-nqa-ipfpm-mcp-instance-1] delay-measure two-way delay-threshold upper-limit
100000 lower-limit 50000

Run the display ipfpm statistic-type { loss | oneway-delay } instance instance-id ach ach-id
command on the UPE to check the performance statistics for a specified IP FPM instance.
l # The following example uses the packet loss statistics for ACH1.
[UPE] display ipfpm statistic-type loss instance 1 ach 1
----------------------------------------------------------------------------------------Period
Loss(p)
LossRatio(b)
----------------------------------------------------------------------------------------136190088
10
10.000000%
1000
10.000000%
136190087
10
10.000000%
1000
10.000000%
136190086
10
10.000000%
1000
10.000000%
136190085
10
10.000000%
1000
10.000000%
136190084
10
10.000000%
1000
10.000000%
136190083
10
10.000000%
1000
10.000000%
136190082
10
10.000000%
1000
10.000000%
----------------------------------------------------------------------------------------Period
Loss(p)
LossRatio(b)
-----------------------------------------------------------------------------------------
l # The following example uses the delay statistics for ACH1.

[UPE] display ipfpm statistic-type oneway-delay instance 1 ach 1
-------------------------------------------------Period
Delay(usec) Delay
Variation(usec)
--------------------------------------------------
Issue 02 (2013-12-31)

421

Equipment
136190120
136190119
136190118
136190117
136190116
136190115
136190114
100
100
100
100
100
100
100
2 System Management
0
0
0
0
0
0
0

-------------------------------------------------Period
Delay(usec) Delay
Variation(usec)
--------------------------------------------------
----End
Configuration Files
l
UPE configuration file

#
sysname UPE
#
ip vpn-instance
vpna
ipv4family
route-distinguisher
100:1
tnl-policy
policy1
vpn-target 1:1 exportextcommunity
vpn-target 1:1 importextcommunity
#
mpls lsr-id
1.1.1.1
mpls
mpls
te
mpls rsvpte
mpls te
cspf
#
6
ntp-service refclock-master
1
#
interface
undo
shutdown
ip binding vpn-instance
vpna
255.255.255.0
ipfpm tlp
100
#
interface
undo
Issue 02 (2013-12-31)

422

Equipment
2 System Management
shutdown
255.255.255.0
mpls
mpls
te
mpls rsvpte
#
interface
undo
shutdown
255.255.255.0
mpls
mpls
te
mpls rsvpte
#
interface
LoopBack1
ip address 1.1.1.1
255.255.255.255
#
interface
Tunnel0/2/1
LoopBack1
te
destination
2.2.2.2
mpls te tunnel-id
100
#
interface
Tunnel0/2/2
LoopBack1
te
destination
3.3.3.3
mpls te tunnel-id
200
#
bgp
100
router-id
1.1.1.1
100
LoopBack1
100
LoopBack1
Issue 02 (2013-12-31)

423

Equipment
2 System Management
#
ipv4-family
unicast
undo
synchronization
peer 2.2.2.2
enable
peer 3.3.3.3
enable
#
ipv4-family
vpnv4
policy vpntarget
peer 2.2.2.2
enable
peer 3.3.3.3
enable
#
ipv4-family vpn-instance
vpna
import-route
direct
autofrr
#
ospf
1
opaque-capability
enable
area
0.0.0.0
network 1.1.1.1
0.0.0.0
network 172.1.1.0
0.0.0.255
network 172.1.2.0
0.0.0.255
mpls-te
enable
#
tunnel-policy
policy1
Tunnel0/2/1
Tunnel0/2/2
#
nqa ipfpm
dcp
dcp id
1.1.1.1
mcp 1.1.1.1 port
2048
authentication-mode hmac-sha256 key-id 1 cipher %@%@=%uP:z;!;4\TdYHU#$z/1IR]%
@%
@
instance
1
description
Instanceforpointbypointtest
100.2.1.1
tlp 100 in-point
Issue 02 (2013-12-31)

424

Equipment
2 System Management
ingress
#
nqa ipfpm
mcp
mcp id
1.1.1.1
protocol udp port
2048
authentication-mode hmac-sha256 key-id 1 cipher %@%@i`R<<=hGt>i:|a;Ypy%~1E(U%
@%@
instance
1
description Instanceforpoint-bypointtest
dcp 1.1.1.1
dcp 2.2.2.2
dcp 4.4.4.4
loss-measure ratio-threshold upper-limit 10.000000 lower-limit
5.000000
delay-measure two-way delay-threshold upper-limit 100000 lower-limit
50000
ach 1
flow forward
in-group dcp 1.1.1.1 tlp 100
out-group dcp 2.2.2.2 tlp 200
ach
2
flow
forward
in-group dcp 2.2.2.2 tlp 200
out-group dcp 4.4.4.4 tlp 310
#
return

#
sysname SPE1
#
10
apply tunnel-policy
policy1
#
mpls lsr-id
2.2.2.2
mpls
mpls
te
mpls rsvpte
mpls te
cspf
#
mpls
ldp
#
6
ntp-service unicast-server
172.1.1.1
#
interface
undo
shutdown
Issue 02 (2013-12-31)

425

Equipment
2 System Management
255.255.255.0
mpls
mpls
te
mpls rsvpte
ipfpm tlp
200
#
interface
undo
shutdown
255.255.255.0
mpls
mpls
ldp
#
interface
undo
shutdown
255.255.255.0
mpls
mpls
ldp
#
interface
LoopBack1
ip address 2.2.2.2
255.255.255.0
#
interface
Tunnel1/0/1
LoopBack1
te
destination
1.1.1.1
mpls te tunnel-id
100
#
bgp
100
router-id
2.2.2.2
100
LoopBack1
100
LoopBack1
100
LoopBack1
Issue 02 (2013-12-31)

426

Equipment
2 System Management
#
ipv4-family
unicast
undo
synchronization
peer 1.1.1.1
enable
peer 3.3.3.3
enable
peer 4.4.4.4
enable
#
ipv4-family
vpnv4
tunnel-selector
bindTE
peer 1.1.1.1
enable
peer 3.3.3.3
enable
peer 4.4.4.4
enable
#
ospf
1
opaque-capability
enable
area
0.0.0.0
network 2.2.2.2
0.0.0.0
network 172.1.1.0
0.0.0.255
network 172.1.3.0
0.0.0.255
network 172.1.4.0
0.0.0.255
mpls-te
enable
#
tunnel-policy
policy1
Tunnel1/0/1
#
nqa ipfpm
dcp
dcp id
2.2.2.2
mcp 1.1.1.1 port
2048
authentication-mode hmac-sha256 key-id 1 cipher %@%@/#(8ARUz1+=(sUrXdsM1P.x%@
%@
instance
Issue 02 (2013-12-31)

427

Equipment
2 System Management
1
description
Instanceforpointbypointtest
100.2.1.1
tlp 200 mid-point flow forward
ingress
#
return

#
sysname SPE2
#
10
apply tunnel-policy
policy1
#
mpls lsr-id
3.3.3.3
mpls
mpls
te
mpls rsvpte
mpls te
cspf
#
mpls
ldp
#
interface
undo
shutdown
255.255.255.0
mpls
mpls
ldp
#
interface
undo
shutdown
255.255.255.0
mpls
mpls
te
mpls rsvpte
#
interface
undo
shutdown
255.255.255.0
mpls
mpls
Issue 02 (2013-12-31)

428

Equipment
2 System Management
te
mpls
ldp
#
interface
LoopBack1
ip address 3.3.3.3
255.255.255.255
#
interface
Tunnel1/0/2
LoopBack1
te
destination
1.1.1.1
mpls te tunnel-id
200
#
bgp
100
router-id
3.3.3.3
100
LoopBack1
100
LoopBack1
100
LoopBack1
#
ipv4-family
unicast
undo
synchronization
peer 1.1.1.1
enable
peer 2.2.2.2
enable
peer 4.4.4.4
enable
#
ipv4-family
vpnv4
tunnel-selector
bindTE
peer 1.1.1.1
enable
peer 2.2.2.2
enable
peer 4.4.4.4
Issue 02 (2013-12-31)

429

Equipment
2 System Management
enable
#
ospf
1
opaque-capability
enable
area
0.0.0.0
network 3.3.3.3
0.0.0.0
network 172.1.2.0
0.0.0.255
network 172.1.3.0
0.0.0.255
network 172.1.5.0
0.0.0.255
mpls-te
enable
#
tunnel-policy
policy1
Tunnel1/0/2
#
return
NPE configuration file

#
sysname NPE
#
ipv4-family
#
mpls lsr-id 4.4.4.4
mpls
#
mpls ldp
#
ntp-service sync-interval 180 spike-offset 50 max-sys-poll 6
#
undo shutdown
ip address 172.1.5.2 255.255.255.0
mpls
mpls ldp
#
undo shutdown
ip address 172.1.4.2 255.255.255.0
mpls
mpls ldp
#
undo shutdown
ip address 100.2.1.1 255.255.255.0
ipfpm tlp 310
#
interface LoopBack1
Issue 02 (2013-12-31)

430

Equipment
2 System Management
ip address 4.4.4.4 255.255.255.255

#
bgp 100
router-id 4.4.4.4
#
ipv4-family unicast
peer 2.2.2.2 enable
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.2 enable
peer 3.3.3.3 enable
#
import-route direct
auto-frr
#
ospf 1
area 0.0.0.0
network 4.4.4.4 0.0.0.0
network 172.1.4.0 0.0.0.255
network 172.1.5.0 0.0.0.255
#
nqa ipfpm dcp
dcp id 4.4.4.4
mcp 1.1.1.1 port 2048
authentication-mode hmac-sha256 key-id 1 cipher %@%@Se9P>q>D>~v\Es$K{z2H1VW#%
@%@
instance 1
description Instanceforpointbypointtest
flow forward source 100.1.1.1 destination 100.2.1.1
#
return
2.5 NQA Configuration

This chapter describes how to configure the Network Quality Analysis (NQA) to monitor the
network operating status and collect network operation indexes in real time.
2.5.1 Overview of NQA

This section describes the basic concepts of NQA and its functions.
Introduction
This part describes basic concepts and functions of NQA.
With the development of value-added services, users and carriers demand higher Quality of
Service (QoS). After voice over IP and video over IP services are carried out, carriers and users
all tend to sign Service Level Agreements (SLAs) to realize QoS guaranteed services.
Issue 02 (2013-12-31)

431

Equipment
2 System Management
To ensure users with the committed bandwidth, network operators should collect the statistics
of delay, jitter, and packet loss of the device. This helps them to analyze the performance of the
network in time.
The ATN provides Network Quality Analysis (NQA) to meet the preceding requirements.
NQA measures the performance of each protocol running in the network and helps the network
operator to collect the network running indexes, such as the delay of a TCP connection, rate of
file transfer, and delay of an FTP connection. By controlling these indexes, network operators
provide users with services of various grades and charges users differently.
NQA is also an effective tool to diagnose and locate faults in a network.
Comparisons Between NQA and Ping

This part describes the differences between NQA and Ping tests.
NQA is the extension and enhancement of Ping.
By sending an Internet Control Message Protocol (ICMP) Echo-Request packet from the local
and expecting an ICMP Echo-Reply packet from the specified destination, the Ping program can
test the round-trip time (RTT) of an ICMP packet. In addition to testing the RTT of an ICMP
packet between the local and the destination, NQA can detect whether network services, such
as TCP, UDP, FTP and the Simple Network Management Protocol (SNMP), are enabled and
test the response time of each service.
Figure 2-25 Diagram of the NQA test
Server
IP/MPLS
Network
NQA Client
In NQA, the RTT of each packet or timeout period of the packet is not displayed on the terminal
in real time, unlike the Ping program. Test results are displayed only when you run the display
nqa results command after a test is complete.
You can also configure the Network Management System (NM Station) to control each NQA
operation parameter and enable NQA tests.
NQA Server and NQA Clients

This part describes the relationships between NQA client, NQA server, and NQA test instance.
NQA test instance and NQA Client

NQA can be used to test many items. You must create a test instance for each item and each of
these test instances is a type of NQA test.
Issue 02 (2013-12-31)

432

Equipment
2 System Management
You need to create NQA test instances on NQA clients. Each test instance has an administrator
name and an operation tag as unique identification.
In the test view, configure the related test parameters. Note that a part of parameters applies to
only certain test types whereas others apply to all the test types.
NQA Server
In most types of tests, you need to configure only the NQA clients. In TCP, UDP, and Jitter tests,
however, you must configure the NQA server.
An NQA server processes the test packets received from the clients. As shown in Figure 2-26,
the NQA server responds to the test request packet received from the client through the
monitoring function.
Figure 2-26 Relationship between the NQA client and the NQA server
IP/MPLS
Network
NQA Server
NQA Client
You can create multiple TCP or UDP monitoring services on an NQA server. Each monitoring
service corresponds to a specific destination address and a port number. The destination address
and port number can be repeatedly specified.
Performing NQA Tests

After being configured with the destination address and the port number, the NQA server can
respond to test request packets. The IP address and port number specified in the monitoring
service must be consistent with those configured on the clients.
After creating a test group and configuring the related parameters, you must enable the NQA
test by using the start command and the display nqa results command to view test results.
NQA Supported by the ATN

This part describes NQA test types and scheduling modes supported by the ATN.
Features Provided by NQA

l
Cooperates with the NM Station:

The NM Station can completely manage all NQA functions.
Supports the NQA MIB.
Supports the Disman-traceroute-MIB.
Supports the Disman-NSLookUp-MIB.
Supports the Disman-ping-MIB.
Issue 02 (2013-12-31)

433

Equipment
2 System Management
Supports multiple types of tests:

ICMP test
FTP test
Traceroute test
SNMP test
TCP test
UDP test
ICMP Jitter test
UDP Jitter test
LSP Ping test
LSP Traceroute test
LSP Jitter test
PWE3 Ping test
PWE3 Trace test
MAC Ping test
Path Jitter test
Path MTU test
VPLS MAC Ping test
VPLS MAC Trace test
Jitter tests support the continuous sending of 3000 packets and support voice traffic
simulation.
Supports 64 tests.
Supports statistics collection at the millisecond and microsecond level.
Supports test task scheduling:

Implements the scheduling of test tasks to decrease the concurrent tasks on the device.
Supports the configuration of different start time and end time for a single test:
Supports three modes of starting tests: immediate, timely, and delayed.
Supports several modes of ending tests: automatic, immediate, timely, delayed, and
ending the test when the lifetime of the test expires.
Supports auto distributing the start time and the test interval when several tests are
performed at a time.
Supports the auto-delay function, with which the system resources can be effectively
utilized so that tests can be completed within a specified period.
Supports the collection of the uni-directional delay statistics and bi-directional delay
statistics. In addition, you can set a threshold and enable collecting statistics about the
packets in the test results that exceed the threshold.
Supports the collection of statistics on packet loss in one direction.
Supports dynamic reduction of test cases.
Supports the sending of the test results to the FTP server through FTP.
Issue 02 (2013-12-31)

434

Equipment
2 System Management
Supports the flexible alarm mechanism. That is, the upper and lower thresholds are set to
monitor the feature of the tested objects according to their OIDs. When the test result
exceeds the threshold, alarms are triggered based on the preset events.
2.5.2 Configuring the ICMP Test

This section describes how to configure an Internet Control Message Protocol (ICMP) test to
check the IP network connectivity.
Before You Start

Before configuring an ICMP test, familiarize yourself with the usage scenario, complete the preconfiguration tasks, and obtain the required data. This can help you complete the configuration
An ICMP test has a similar function with the ping command, but its output is more detailed.
Before configuring the ICMP test, configure reachable routes between the NQA client and the
tested device.
Data Preparation
To configure the ICMP test, you need the following data.
No.
Data
Administrator name and test name of the NQA test
Destination IP address
(Optional) Virtual Private Network (VPN) instance name, source interface that sends
test packets, source IP address, size of the Echo-Request packets, TTL value, ToS,
padding character, interval for sending test packets, and percentage of the failed NQA
tests
Start mode and end mode
Configuring ICMP Test Parameters

This part describes how to set ICMP test parameters.
Context
Perform the following steps on the NQA client:
Issue 02 (2013-12-31)

435

Equipment
2 System Management
Procedure
Step 1 Run:
system-view

Step 2 Run:
nqa test-instance admin-name test-name
An NQA test instance is created and the test instance view is displayed.
Step 3 Run:
test-type icmp
The test type is set to ICMP.

Step 4 Run:
destination-address ipv4 ip-address
The destination IP address is configured.

Step 5 (Optional) Perform the following as required to configure other ICMP test parameters ( For
detailed parameter configurations, see the chapter Configuring Universal NQA Test
Parameters ):
l To configure the VPN instance to be tested, run the vpn-instance vpn-instance-name
command.
l To configure the source interface that sends test packets, run the source-interface interfacetype interface-number command.
l To configure the source IP address, run the source-address ipv4 ip-address command.
source-address ipv4 ip-address equals the "-a" option in the ping command.
l To configure the size (packet header excluded) of the Echo-Request packet, run the
datasize size command.
datasize size equals the "-s" option in the ping command.
l To configure the time-to-live (TTL) value, run the ttl number command.
ttl number equals the "-h" option in the ping command.
l To configure the type of service (ToS) field in the IP packet header, run the tos value
command.
tos equals the "-tos" option in the ping command.
l To configure padding characters, run the datafill fillstring command.
datafill equals the "-p" option in the ping command.
l To configure the interval for sending the test packets, run the interval seconds interval
command.
interval seconds equals the "-m" option in the ping command.
l To configure the percentage of the failed NQA test, run the fail-percent percent command.
l To configure the NQA test packets to be sent without searching the routing table, run the
sendpacket passroute command.
l To configure ping packets to be forcibly forwarded through IP on the first node, run the ipforwarding command.
Issue 02 (2013-12-31)

436

Equipment
2 System Management
l To configure test packets to simulate forwarding packets and configure an inbound interface,
run the forwarding-simulation inbound-interface command. This command is similar to
-si in the ping command.
l To configure the next hop address of the test instance, run the nexthop ipv4 ip-address
command.
This command applies to NQA for IPv4 static routes.
Step 6 Run:
start
The NQA test is started.

Select the start mode as required because the start command has several forms.
l To perform the NQA test immediately, run the start now [ end { at [ yyyy/mm/dd ]
hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } } ]
command.
The test instance is started immediately.
l To perform the NQA test at the specified time, run the start at [ yyyy/mm/dd ] hh:mm:ss
[ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime
{ seconds second | hh:mm:ss } } ] command.
The test instance is started at a specified time.
l To perform the NQA test after a certain delay period, run the start delay { seconds second
| hh:mm:ss } [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } |
lifetime { seconds second | hh:mm:ss } } ] command.
The test instance is started after a certain delay.
----End

After configuring the ICMP test, you can view the test result.
Prerequisites
The configurations of the ICMP Test function are complete.
Context
NOTE
NQA test results cannot be displayed automatically on a terminal. You must run the display nqa results
command to view test results. By the default, the command output contains the records about only the last
five test results.
Procedure
Step 1 Run the display nqa results [ test-instance admin-name test-name ] command to view the test
results on the NQA client.
----End
Issue 02 (2013-12-31)

437

Equipment
2 System Management
2.5.3 Configuring the FTP Download Test

This section describes how to configure a File Transfer Protocol (FTP) download test to check
the FTP download performance.
Before You Start

Before configuring an FTP download test, familiarize yourself with the usage scenario, complete
the pre-configuration tasks, and obtain the required data. This can help you complete the
In an FTP download test, the local device functions as an NQA FTP client, intending to download
the specified file from an FTP server.
The test result contains statistics about each FTP phase, including the time to set up an FTP
control connection and the time to transport the data.
Before configuring the FTP download test, complete the following tasks:
l
Configuring the FTP user name and password and the login directory
Configuring routes between the NQA FTP client and the FTP server
Data Preparation
To configure the FTP download test, you need the following data.
NOTE
FTP account must be above 3 levels.
No.
Data
Administrator name and test name
(Optional) Source IP address of the FTP operation and VPN instance name and source
and destination port numbers of the FTP operation
FTP user name and password
Name of the file to be downloaded
Start mode and end mode of the test
Configuring the FTP Download Test Parameters

This part describes how to set parameters for the FTP download test.
Issue 02 (2013-12-31)

438

Equipment
2 System Management
Context
Perform the following steps on the NQA client (FTP client):
Procedure
Step 1 Run:
system-view

Step 2 Run:
Step 3 Run:
test-type ftp
The test type is set to FTP.

Step 4 Run:

Step 5 (Optional) Perform the following as required to configure other parameters of the FTP Download
test ( For detailed parameter configurations, see the chapter Configuring Universal NQA Test
Parameters ):
command.
l To configure the FTP source port number, run the source-port port-number command.
l To configure the FTP destination port number, run the destination-port port-number
command.
l To configure the NQA test packet to be sent without searching the routing table, run the
Step 6 Run:
ftp-operation get
The FTP operation type is set to Get.

By default, the FTP operation type is Get.
Step 7 Run:
ftp-username name
The FTP user name is configured.

Step 8 Run:
ftp-password { password | cipher cipher-password }
The FTP password used during the login is configured.

Step 9 Run:
Issue 02 (2013-12-31)

439

Equipment
2 System Management
ftp-filename file-name
The name of the file to be downloaded is configured.

NOTE
During the FTP test, select a file with a relatively small size for the test. If the file is large, the test may fail
because of timeout.
Step 10 Run:
start

command.
----End

After configuring the FTP download test, you can view the test result.
Prerequisites
The configurations of the FTP Download Test function are complete.
Context
NOTE
five tests.
Procedure
----End
Issue 02 (2013-12-31)

440

Equipment
2 System Management
2.5.4 Configuring the FTP Upload Test

This section describes how to configure an FTP upload test to check the FTP upload performance.
Before You Start

Before configuring an FTP upload test, familiarize yourself with the usage scenario, complete
In an FTP upload test, the local device functions as an FTP client, intending to upload the
specified file to an FTP server.
The test result contains the statistics about each FTP phase, including the time to set up an FTP
control connection and the time to transport the data.
In an FTP upload test, you can specify the file to be uploaded or the bytes to be uploaded. If
certain bytes are specified, the FTP client then automatically generates the test files for
uploading.
Before configuring the FTP upload test, complete the following tasks:
l
Configuring the FTP user name and password and the login directory
Configuring routes between the NQA client and the FTP server
Data Preparation
To configure the FTP upload test, you need the following data.
No.
Data
(Optional) Source IP address of the FTP operation and VPN instance name and source
and destination port numbers of the FTP operation
Name or size of the uploaded file
Configuring the FTP Upload Test Parameters

This part describes how to set parameters for the FTP upload test.
Issue 02 (2013-12-31)

441

Equipment
2 System Management
Context
Perform the following steps on the NQA client (FTP client):
Procedure
Step 1 Run:
system-view

Step 2 Run:
Step 3 Run:
test-type ftp
The test type is set to FTP.

Step 4 Run:

Step 5 (Optional) Perform the following as required to configure other parameters for the FTP upload
test ( For detailed parameter configurations, see the chapter Configuring Universal NQA Test
Parameters ):
command.
l To configure the source port, run the source-port port-numbercommand.
l To configure the destination port, run the destination-port port-number command.
l To configure the NQA test packet to be sent without searching the routing table, run the
Step 6 Run:
ftp-operation put
The FTP operation type is set to Put.

By default, the FTP operation type is Get.
Step 7 Run:
ftp-username name
The FTP user name is configured.

Step 8 Run:
The FTP password used during the login is configured.

Step 9 Perform the following as required to upload the file.
Issue 02 (2013-12-31)

442

Equipment
2 System Management
l To upload the file with a specified name, run the ftp-filename file-name command.
NOTE
l If no file path is specified, the system searches for the file in the current path. If the specified file
name does not exist, a file is created according to the specified file name, and the size of the file is
set to 1 MB.
l The file name cannot contain characters such as ~, *, /, \, ', ", but the file path can contain these
characters.
l The file name can contain the extension name but cannot contain the extension name only, such
as .txt.
l To upload the file with a specified size, run the ftp-filesize size command. The client then
automatically creates a file name "nqa-ftp-test.txt" to upload.
NOTE
During the FTP test, select a file with a relatively small size. If the file is large, the test may fail because
of timeout.
NOTE
If the file is not specified, the client creates a 1MB-sized file named nqa-ftp-test.txt and uploads it.
Step 10 Run:
start

command.
----End

After configuring the FTP upload test, you can view the test result.
Prerequisites
The configurations of the FTP Upload Test function are complete.
Issue 02 (2013-12-31)

443

Equipment
2 System Management
Context
NOTE
five tests.
Procedure
Step 1 Run the display nqa results command to view the test results on the NQA client.
----End
2.5.5 Configuring the Traceroute Test

This section describes how to configure a traceroute test to check the connectivity to each hop
on the network.
Before You Start

Before configuring a traceroute test, familiarize yourself with the usage scenario, complete the
pre-configuration tasks, and obtain the data required for the configuration.
An NQA Traceroute test can provide functions similar to those provided by the tracert
command, but outputs more detailed information.
Before configuring a traceroute test, configure reachable routes between the NQA client and the
device to be tested.
Data Preparation
To configure a traceroute test, you need the following data.
No.
Data
Administrator and name of an NQA test instance
(Optional) VPN instance name, maximum hops, initial TTL and maximum TTL value
of the packet, and source IP address and destination port of the packet
Start and end modes of a test
Configuring Parameters for a Traceroute Test

This part describes how to configure parameters for a traceroute test.
Issue 02 (2013-12-31)

444

Equipment
2 System Management
Context
Procedure
Step 1 Run
system-view

Step 2 Run:
Step 3 Run:
test-type trace
A traceroute test is created.

Step 4 Run:
The destination address of the traceroute test is configured.

Step 5 (Optional) Run the following commands as required ( For detailed parameter configurations,
see the chapter Configuring Universal NQA Test Parameters ):
l To configure a VPN instance to be tested, run:
vpn-instance vpn-instance-name
l To configure the maximum hops, run:

tracert-hopfailtimes times
l To configure the initial TTL and maximum TTL values of a packet, run:
tracert-livetime first-ttl first-ttl max-ttl max-ttl
l To configure the source IP address, run:

source-address ipv4 ip-address
l To configure the destination port number, run:

destination-port port-number
l To configure an NQA test packets to be sent without searching the routing table, run:
sendpacket passroute
Step 6 Run:
start
An NQA test is started.

l To start the NQA test immediately, run the start now [ end { at [ yyyy/mm/dd ] hh:mm:ss |
delay { seconds second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } } ] command.
l To start the NQA test at the specified time, run the start at [ yyyy/mm/dd ] hh:mm:ss [ end
{ at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime { seconds
second | hh:mm:ss } } ] command.
Issue 02 (2013-12-31)

445

Equipment
2 System Management

l To start the NQA test after a certain delay, run the start delay { seconds second |
hh:mm:ss } [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } |
----End

After configuring a traceroute test, you can view the test result.
Prerequisites
The configurations of the traceroute test are complete.
Context
NOTE
NQA test results cannot be displayed automatically on the terminal. You need to run the display nqa
results command to view test results. By the default, the command output contains the records about only
the last five tests.
Procedure
----End
2.5.6 Configuring the SNMP Query Test

This section describes how to configure a Simple Network Management Protocol (SNMP) query
test to check the communications between the host and SNMP agent.
Before You Start

Before configuring an SNMP query test, familiarize yourself with the usage scenario, complete
Through the SNMP Query test, you can obtain the statistics of the communication between hosts
and SNMP agents.
Before configuring the SNMP Query test, complete the following tasks:
l
Issue 02 (2013-12-31)
Configuring the SNMP agent

446

Equipment
2 System Management
Configuring routes between the NQA client and the SNMP agent
Data Preparation
To configure the SNMP query test, you need the following data.
No.
Data
IP address of the SNMP agent
(Optional) Source IP addresses and source port numbers of test packets, interval for
sending test packets, and percentage of the failed NQA tests
Configuring the SNMP Query Test Parameters

This part describes how to set SNMP query test parameters.
Context
Before configuring an NQA SNMP test instance, configure SNMP. The NQA SNMP test
instance supports SNMPv1, SNMPv2c, and SNMPv3. At the same time, the community name
of SNMPv1 and SNMPv2c must be set to public.
Procedure
Step 1 Run:
system-view

Step 2 Run:
Step 3 Run:
test-type snmp
The test type is set to SNMP Query.

Step 4 Run:
The destination IP address, that is, the IP address of the SNMP agent, is configured.
NOTE
The SNMP function must be enabled on the destination host; otherwise, the destination host fails to receive
Echo packets.
Issue 02 (2013-12-31)

447

Equipment
2 System Management
Step 5 Run:
community read cipher community-name
The community name is set for SNMP test.

Step 6 (Optional) Perform the following as required to configure other parameters for the SNMP test
( For detailed parameter configurations, see the chapter Configuring Universal NQA Test
Parameters ):
command.
l To configure the source port number, run the source-port port-number command.
l To configure the interval for sending test packets, run the interval seconds interval
command.
l To configure the percentage of the failed NQA tests, run the fail-percent percent command.
Step 7 Run:
start

command.
----End

After configuring the SNMP query test, you can view the test result.
Prerequisites
The configurations of the SNMP Query Test function are complete.
Issue 02 (2013-12-31)

448

Equipment
2 System Management
Context
NOTE
five tests.
Procedure
----End
2.5.7 Configuring the TCP Test

This section describes how to configure a Transmission Control Protocol (TCP) test to check
the responding speed of a TCP port.
Before You Start

Before configuring a TCP test, familiarize yourself with the usage scenario, complete the preconfiguration tasks, and obtain the required data. This can help you complete the configuration
To obtain the time for the specified port to respond to a TCP connection request, you can create
an NQA TCP test instance.
Before configuring the TCP test, configure reachable routes between the NQA client and the
TCP server.
Data Preparation
To configure the TCP test, you need the following data.
Issue 02 (2013-12-31)
No.
Data
IP address and port number monitored by the TCP server
(Optional) Destination port numbers of the probe packets sent by the TCP client and
source IP addresses , source port numbers of test packets, interval for sending test
packets, and percentage of the failed NQA tests

449

Equipment
2 System Management
Configuring the TCP Server

The IP address and number of the port monitored by the server must be identical with those
configured on the client.
Context
Perform the following steps on the NQA server (TCP server):
Procedure
Step 1 Run:
system-view

Step 2 Run:
nqa-server tcpconnect [ vpn-instance vpn-instance-name ] ip-address port-number
The TCP monitoring service is configured.

NOTE
Note that the IP address and port number monitored by the server should be consistent with those configured
on the client.
----End
Configuring the TCP Client

This part describes how to set TCP test parameters.
Context
Perform the following steps on the NQA client (TCP client):
Procedure
Step 1 Run:
system-view

Step 2 Run:
Step 3 Run:
test-type tcp
The test type is set to TCP.

Step 4 Run:
Issue 02 (2013-12-31)

450

Equipment
2 System Management

Step 5 To configure the destination port number, run the destination-port port-numbercommand.
Step 6 (Optional) Perform the following as required to configure other parameters for the TCP test ( For
detailed parameter configurations, see the chapter Configuring Universal NQA Test
Parameters ):
command.
l To configure the source port number, run the source-port port-numbercommand.
command.
l To configure the percentage of the failed NQA tests, run the fail-percent percentcommand.
Step 7 Run:
start

command.
The differences between the TCP Public tests and the TCP Private tests are as follows:
l The TCP Public tests do not require the destination port to be configured on the client.
Connection requests are initiated and sent to the TCP port 7 of the destination address. The
server should monitor the TCP port 7.
l The TCP Private tests require the destination port be specified and the related monitoring
services enabled on the server.
----End

After configuring the TCP test, you can view the test result.
Issue 02 (2013-12-31)

451

Equipment
2 System Management
Prerequisites
The configurations of the TCP Test function are complete.
Context
NOTE
five tests.
Procedure
l
Run the display nqa results [ test-instance admin-name test-name ] command to view the
test results on the NQA client.
Run the display nqa-server command to view the information about the NQA server.
----End
2.5.8 Configuring the UDP Test

This section describes how to configure a User Datagram Protocol (UDP) test to check the
responding speed of a UDP port.
Before You Start

Before configuring a UDP test, familiarize yourself with the usage scenario, complete the preconfiguration tasks, and obtain the required data. This can help you complete the configuration
To obtain the time for the specified port to respond to a UDP connection request, you can create
a UDP test instance.
Before configuring the UDP test, configure reachable routes between the NQA client and the
UDP server.
Data Preparation
To configure the UDP test, you need the following data.
Issue 02 (2013-12-31)
No.
Data
IP address and port of the UDP server
Destination IP address and the port of the probe packets sent by the UDP client
452

Equipment
2 System Management
No.
Data
(Optional) Source IP addresses and source port numbers of test packets, interval for
sending test packets, and percentage of the failed NQA tests
Configuring the UDP Server

Context
Perform the following steps on the NQA server (UDP server):
Procedure
Step 1 Run:
system-view

Step 2 Run:
nqa-server udpecho [ vpn-instance vpn-instance-name ] ip-address port-number
The UDP monitoring service is configured.

Note that the IP address and port number monitored by the server should be consistent with those
----End
Configuring the UDP Client

This part describes how to set UDP test parameters.
Context
Perform the following steps on the NQA client (UDP client):
Procedure
Step 1 Run:
system-view

Step 2 Run:
Issue 02 (2013-12-31)

453

Equipment
2 System Management
Step 3 Run:
test-type udp
The test type is set to UDP.

Step 4 Run:

Step 5 Run:
The destination port number is configured.

Step 6 (Optional) Perform the following as required to configure other parameters for the UDP test
Parameters ):
command.
command.
Step 7 Run:
start

command.
----End

After configuring the UDP test, you can view the test result.
Issue 02 (2013-12-31)

454

Equipment
2 System Management
Prerequisites
The configurations of the UDP Test function are complete.
Context
NOTE
five tests.
Procedure
l
----End
2.5.9 Configuring the Jitter Test

This section describes how to configure a jitter test to check jitter on the network. You can
perform a jitter test only when both the client and the server are Huawei devices.
Before You Start

Before configuring a jitter test, familiarize yourself with the usage scenario, complete the preconfiguration tasks, and obtain the required data. This can help you complete the configuration
The jitter time refers to the interval for sending two adjacent packets minus the interval for
receiving the two packets.
The process of a Jitter test is as follows:
1.
The source sends a packet to the destination at a specified interval.
2.
After receiving the packet, the destination adds a timestamp to the packet and returns them
to the source.
3.
After receiving the returned packets, the source subtracts the interval for the source to send
two adjacent packets from the interval for the destination to receive the two packets and
then obtains the jitter time.
The maximum, minimum, and average jitter time calculated based on the information received
on the source can clearly show the network status.
In a Jitter test, you can set the number of packets to be sent consecutively. Through this setting,
certain traffic can be simulated within a certain period. For example, if you set 3000 UDP packets
to be sent at an interval of 20 milliseconds. Then, in one minute, G.711 traffic is simulated.
NOTE
To improve the test accuracy, you can configure the Network Time Protocol (NTP) on both the client and
the server.
Issue 02 (2013-12-31)

455

Equipment
2 System Management
Before configuring the Jitter test, configure reachable routes between the NQA client and the
NQA server.
Data Preparation
To configure the Jitter test, you need the following data.
No.
Data
IP address and the port number monitored by the UDP server
Destination IP addresses and port numbers of the probe packets sent by the UDP
client
(Optional) VPN instance name, source IP address and port number of the probe packet
sent by the UDP client, number of probe packets and test packets sent each time,
interval for sending probe packets and test packets, percentage of the failed NQA
tests, and version number carried in the Jitter packet
Configuring the Jitter Server

Context
Perform the following steps on the NQA server (Jitter server):
Procedure
Step 1 Run:
system-view

Step 2 Run:
nqa-server udpecho [ vpn-instance vpn-instance-name ]ip-address
port-number

Note that the IP address and port number monitored by the Jitter server should be consistent
with those configured on the client.
----End
Configuring the Jitter Client

This part describes how to configure the client of the jitter test.
Issue 02 (2013-12-31)

456

Equipment
2 System Management
Context
NOTE
The system supports the collection of the statistics about the maximum uni-directional transmission delay.
Perform the following steps on the NQA client (Jitter client).
Procedure
Step 1 Run:
system-view

Step 2 (Optional) To configure the version number of Jitter packets, run the nqa-jitter tag-version
version-number command in the system view.
If Version 2 is adopted, after collecting the packet loss across a uni-directional link is enabled,
you can find the packet loss across the link from the source to the destination (or from the
destination to the source or from an unknown direction). According to these statistics, the
network administrator can easily detect network faults and malicious attacks.
Step 3 Run:
Step 4 Run:
test-type jitter
The test type is set to Jitter.

Step 5 Run:

Step 6 Run:

Step 7 (Optional) Perform the following as required to configure other parameters for the Jitter test
Parameters ):
command.
l To configure the probe times in the NQA test, run the probe-count number command.
l To configure the number of test packets sent each time, run the jitter-packetnum number
command.
The Jitter test is used to collect statistics and perform analysis of the transmission delay
variation of the UDP packets. The system sends multiple test packets for each test to make
Issue 02 (2013-12-31)

457

Equipment
2 System Management
the statistics more accurate. The more test packets are sent, the more accurate the statistics
and analysis are. This process, however, is time consuming.
NOTE
The number of the Jitter tests depends on the probe-count command. The number of test packets sent
during each test depends on the jitter-packetnum command. During the actual configuration, the
product of the number of test times and the number of the test packets must be less than 3000.
l To configure the interval for sending test packets, run the interval { milliseconds interval |
seconds interval } command.
The shorter the interval for sending the Jitter test packets is, the faster the test is completed.
If the interval, however, is set to a very small value, the jitter statistics result may have a
greater error.
l To send the NQA test packet without searching the routing table, run the sendpacket
passroute command.
l To configure a code type for an NQA Jitter simulated voice test case, run the jitter-codec
{ g711a | g711u | g729a } command.
This command is applied only to Jitter voice test cases.
l To configure the advantage factor for simulated voice test calculation, run the adv-factor
factor-value command.
This command is applied only to Jitter voice test cases.
Before running the adv-factor command, ensure that the jitter-codec command is already
run.
Step 8 Run:
start

command.
----End

After configuring the jitter test, you can view the test result.
Issue 02 (2013-12-31)

458

Equipment
2 System Management
Prerequisites
The configurations of the Jitter Test function are complete.
Context
NOTE
five tests.
Procedure
l
----End
2.5.10 Configuring a Jitter Test Based on the Mechanism That the

LPU Sends Packets
This section describes how to configure a jitter test based on the mechanism in which the LPU
sends packets to obtain detailed jitter information about the network.
Before You Start

Before configuring a jitter test based on the mechanism in which the LPU sends packets,
the required data. This can help you complete the configuration task quickly and accurately.
Jitter time refers to the interval for receiving two consecutive packets minus the interval for
sending the two packets.
The maximum, minimum, and average jitter time and the maximum unidirectional delay of the
packets from the source to the destination and from the destination to the source are calculated
according to the information received on the source. Based on these data, the network status is
clearly presented.
In the jitter test, you can set the number of packets to be sent consecutively in each test instance.
Through this setting, the actual traffic of a kind of packet during a time period can be simulated.
For example, if the interval for sending 3000 UDP is set to 20 ms, the traffic of G.711 within 1
minute can be simulated.
After the LPU is enabled to send packets, the obtained test results become more accurate.
Before configuring the jitter test, configure a reachable route between the NQA client and the
UDP server.
Issue 02 (2013-12-31)

459

Equipment
2 System Management
Data Preparation
To configure the jitter test, you need the following data.
No.
Data
Administrator of the NQA test instance and name of the test instance
IP address and number of the monitoring port on the UDP server
Destination IP address and destination port number of the probe packets sent from
the UDP client
(Optional) Name of a VPN instance, source IP address and port number of the
probe packets sent from the UDP client, number of test probes sent each time,
number of test packets sent each time, interval for sending test packets, percentage
of the failed NQA tests, and version number of jitter packets
Configuring a Server for the Jitter Test

This part describes how to configure the server of the jitter test based on the mechanism in which
the LPU sends packets.
Context
Perform the following steps on the NQA server:
Procedure
Step 1 Run:
system-view

Step 2 Run:
nqa-server udpecho [ vpn-instance vpn-instance-name ] ip-address port-number

The IP address and number of the monitoring port on the server must be the same as those
----End
Configuring a Client for the Jitter Test

Context
NOTE
The system supports the maximum unidirectional delay of the jitter test.

Issue 02 (2013-12-31)

460

Equipment
2 System Management
Procedure
Step 1 Run:
system-view

Step 2 Run:
Step 3 Run:
test-type jitter
The test instance type is configured as Jitter.

Step 4 Run:

Step 5 Run:
The destination port is configured.

Step 6 Run:
hardware-based enable
The LPU is enabled to send packets.

Step 7 (Optional) Run the following commands to configure other parameters for the jitter test:
l Run:
The VPN instance to be tested is configured.

l Run:
The source IP address is configured.

l Run:
source-port port-number
The source port is configured.

l Run:
probe-count number
The number of test probes to be sent each time is set.

l Run:
jitter-packetnum number
The number of test packets to be sent during each test is set.

The jitter test is used to collect and analyze the delay variation during the transmission of
UDP packets. To improve the accuracy of the test result, the system sends multiple test
packets each time. The more test packets are sent, the more accurate the statistics are, and
the longer the test lasts.
Issue 02 (2013-12-31)

461

Equipment
2 System Management
NOTE
The probe-count command is used to configure the number of times for the jitter test and the jitterpacketnum command is used to configure the number of test packets sent during each test. In actual
configuration, the product of the number of times for the jitter test and the number of test packets must
be less than 3000.
l Run:
interval { milliseconds interval | seconds interval }
The interval for sending test packets is set.

The shorter the interval is, the sooner the test is complete. However, delays occur during
sending and receiving test packets on the processor. Therefore, if the interval for sending test
packets is set to a small value, a relatively greater error may occur in the statistics of the jitter
test.
l Run:
fail-percent percent
The percentage of the failed NQA tests is set.

l Run:
The NQA test is configured to send packets without searching for the routing table.
l Enter the system view.
Run:
nqa-jitter tag-version version-number
The version number is configured for jitter packets.

After the statistics of unidirectional packet loss is enabled, you can view the number of lost
packets on the link from the source to the destination, from the destination to the source, or
from unknown directions. Based on these statistics, the network administrator can easily
locate network faults and detect malicious attacks.
l Run:
timeout time
The timeout period for the NQA test is configured.

l (Optional) Run:
timestamp-unit { millisecond | microsecond }
A timestamp unit is configured for the NQA test instance.

You need to configure a timestamp unit only when the interface board is enabled to send
packets.
The default timestamp unit is milliseconds.
Step 8 Run:
command.
Issue 02 (2013-12-31)

462

Equipment
2 System Management
----End

After configuring the jitter test based on the mechanism in which the LPU sends packets, you
can view the test result.
Prerequisites
The configurations of the Jitter Test Based on the Mechanism That the LPU Sends Packets
function are complete.
NOTE
NQA test results cannot be displayed automatically on the terminal. You should run the display nqa
results command to check the test results.
Procedure
Step 1 Run the display nqa results [ test-instance admin-name test-name ] command to check test
----End
2.5.11 Configuring the LSP Ping Test

This section describes how to configure a Label Switched Path (LSP) ping test to check the
operating status of the LSP.
Before You Start

Before configuring an LSP ping test, familiarize yourself with the usage scenario, complete the
The NQA LSP Ping test can be used to test the reachability of the following types of Label
Switched Paths (LSPs) and collect statistics about Link State Advertisement (LSA).
l
LSP tunnels
MPLS TE tunnels
MPLS Constraint-based Routed Label Switched Path (CR-LSP) hotstandby tunnels
MPLS rings
After the test parameters are configured and the test is started,
Issue 02 (2013-12-31)

463

Equipment
2 System Management
1.
NQA creates an MPLS Echo-Request packet and adds the address 127.0.0.0/8 to the IP
packet header as the destination IP address. The packet is forwarded along the specified
LSP in the MPLS network.
2.
The egress monitors port 3503 that sends Echo packets.
3.
The ingress collects the test results based on the received Echo packets.
Before configuring the LSP Ping test, you need the following configuration:
l
LSP tunnel
or an MPLS TE tunnel.
or an MPLS CR-LSP hotstandby tunnel
Or configuring an MPLS ring
Data Preparation
To configure the LSP Ping test, you need the following data.
No.
Data
l For the LSP tunnel: destination IP address and mask of the LSP Ping test
l For the MPLS TE tunnel: interface number of the TE tunnel
l For the MPLS CR-LSP hotstandby tunnels: interface number of the TE tunnel
l For an MPLS ring: ID of the MPLS ring to be tested, the destination node ID, and
test direction
(Optional): LSP EXP value, response mode of Echo packets, padding field of a
packet, packet size, number of probes for one NQA test instance, interval at which
packets are sent, source address where packets are sent, TTL, test failure conditions,
historical records and result records, aging time, and test interval.
Configuring the LSP Ping Test Parameters for the LDP Tunnel
Before performing an LDP LSP ping test, you need set parameters for the LSP ping test.
Context
Procedure
Step 1 Run:
system-view
Issue 02 (2013-12-31)

464

Equipment
2 System Management

Step 2 Run:
Step 3 Run:
test-type lspping
The test type is set to LSP Ping.

Step 4 Run:
lsp-type ipv4
The tunnel type is set to be the LSP tunnel.

Step 5 Run:
destination-address ipv4 ip-address [ lsp-masklen masklen | lsp-loopback loopbackaddress ]*
The destination IP address to be tested is configured.

Step 6 (Optional) Perform the following as required to configure other parameters for the LSP Ping
test:
l To configure a protocol used by the LSP ping test, run the lsp-version { rfc4379 | draft6 |
ptn-mode } command.
l To configure the next-hop IP address in the scenario where load balancing is enabled on the
initiator of the LSP ping test, run the lsp-nexthop nexthop-ip-address command.
NOTE
The next-hop IP address can be configured only when lsp-type is IPv4 and lsp-version is RFC 4379.
l To configure the response mode of the Echo packet, run the lsp-replymode { no-reply |
udp | udp-via-vpls | udp-router-alert | level-control-channel } command.
NOTE
In a uni-directional LSP Ping test, if the lsp-replymode no-reply command is configured, the test
result displays that the test fails regardless of whether the test, actually, is successful or fails. If the test
is successful, the test result also displays the number of the timeout packets. If the test fails, the test
result displays the number of the discarded packets.
l To configure the packet size, run the datasize size command.
NOTE
The sum of datasize and the size of the packet header should be less than the MTU of the interface;
otherwise, the test may fail.
l To configure the maximum TTL value of the packet, run the ttl number command.
l To configure the LSP EXP value, run the lsp-exp exp command.
l To configure the padding character of the packet, run the datafill fillstring command.
command.
Step 7 Run:
Issue 02 (2013-12-31)

465

Equipment
2 System Management
start

command.
----End
Configuring the LSP Ping Test Parameters for the MPLS TE Tunnel
Before performing the TE LSP ping test, you need set parameters for a TE LSP ping test.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
Step 3 Run:
test-type lspping
The test type is set to LSP Ping.

Step 4 Run:
lsp-type te
The tunnel type is set to be the MPLS TE tunnel.

Step 5 Run:
lsp-tetunnel tunnel interface-number
The TE tunnel interface to be tested is configured.

Issue 02 (2013-12-31)

466

Equipment
2 System Management
test:
ptn-mode | compatible-mode } command.
NOTE
NOTE
The sum of the data size and the size of the packet header must be less than the MTU of the interface;
l To configure the interval for sending test packets, run the interval { milliseconds interval |
seconds interval } command.
Step 7 Run:
start

hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } ]
command.
{ seconds second | hh:mm:ss } ] command.
lifetime { seconds second | hh:mm:ss } ] command.
----End
Configuring the LSP Ping Test Parameters for the CR-LSP Hotstandby Tunnel
Before performing the LSP ping test, you need set LSP ping test parameters for CR-LSP tunnels
in hot standby mode.
Issue 02 (2013-12-31)

467

Equipment
2 System Management
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
Step 3 Run:
test-type lspping
The test type is set to be LSP Ping.

Step 4 Run:
lsp-type te
The tunnel type is set to be TE tunnel.

Step 5 Run:
lsp-tetunnel tunnel interface-number [ hot-standby ]
The TE tunnel interface to be pinged is specified and the CR-LSP hotstandby tunnel is set to be
tested.
test:
ptn-mode } command.
NOTE
result displays that the test fails regardless of whether the test, actually, succeeds or fails. If the test
succeeds, the test result shows the number of timeout packets. If the test fails, the test result shows the
number of discarded packets.
NOTE
The sum of the data size and the size of the packet header must be less than the MTU of the interface;
Issue 02 (2013-12-31)

468

Equipment
2 System Management
command.
Step 7 Run:
start

The start command has several forms. You can choose one of the following forms as required:
command.
l To perform the NQA test after a certain period of delay, run the start delay { seconds
second | hh:mm:ss } [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second |
hh:mm:ss } | lifetime { seconds second | hh:mm:ss } } ] command.
----End

After configuring the LSP ping test, you can view the test result.
Prerequisites
The configurations of the LSP Ping Test function are complete.
Context
NOTE
five tests.
Procedure
----End
2.5.12 Configuring the LSP Jitter Test

This section describes how to configure an LSP jitter test to measure jitter in the LSP during the
packet transmission.
Issue 02 (2013-12-31)

469

Equipment
2 System Management
Before You Start

Before configuring an LSP jitter test, familiarize yourself with the usage scenario, complete the
The NQA LSP Jitter test is performed to check the reachability of static LSP, LDP LSP, and TE
tunnels. After receiving a packet from the source, the destination calculates the maximum,
minimum, and average jitter time of the packet transmitted from the source to the destination.
This clearly reflects the status of the MPLS network.
NOTE
LSP Jitter tests do not support load balancing.
Before configuring the LSP Jitter test, configure an LSP tunnel or an MPLS TE tunnel.
Data Preparation
To configure the LSP Jitter test, you need the following data.
No.
Data
(Optional) Parameters of the LSP Jitter test, including the response mode of the Echo
packet, packet size, TTL, LSP EXP value, padding character, timeout period of the
packet, probe times, and test interval
Configuring the LSP Jitter Test Parameters for the LDP Tunnel
This part describes how to set parameters for an LDP LSP jitter test.
Context
Perform the following steps on the ingress of an LSP tunnel:
Procedure
Step 1 Run:
system-view

Issue 02 (2013-12-31)

470

Equipment
2 System Management
Step 2 Run:
Step 3 Run:
test-type lspjitter
The test type is set to LSP Jitter.

Step 4 Run:
lsp-type ipv4

Step 5 Run:
destination-address ipv4 ip-address { lsp-masklen masklen | lsp-loopback loopbackaddress }*
The destination IP address of the LSP Jitter test is configured.

Step 6 (Optional) Perform the following as required to configure other parameters for the LSP Jitter
test:
ptn-mode } command.
NOTE
NOTE
l To configure the interval for sending the test packets, run the interval seconds interval
command.
NOTE
The minimum interval for sending test packets is one second and the maximum interval is 60 seconds.
Step 7 Run:
start

Issue 02 (2013-12-31)

471

Equipment
2 System Management
command.
----End
Configuring the LSP Jitter Test Parameters for the MPLS TE Tunnel
This part describes how to set parameters for a TE LSP jitter test.
Context
Perform the following steps on the ingress of an MPLS TE tunnel:
Procedure
Step 1 Run:
system-view

Step 2 Run:
Step 3 Run:
test-type lspjitter
The test type is set to LSP Jitter.

Step 4 Run:
lsp-type te

Step 5 Run:

Step 6 (Optional) Perform the following as required to configure other parameters for the MPLS TE
Jitter test:
Issue 02 (2013-12-31)

472

Equipment
2 System Management
ptn-mode } command.
NOTE
l To configure the interval for sending the test packets, run the interval { milliseconds
interval | seconds interval } command.
NOTE
The minimum interval for sending test packets is one second and the maximum interval is 60 seconds.
Step 7 Run:
start

command.
----End

After configuring the LSP jitter test, you can view the test result.
Prerequisites
The configurations of the LSP Test function are complete.
Issue 02 (2013-12-31)

473

Equipment
2 System Management
Context
NOTE
five tests.
Procedure
----End
2.5.13 Configuring the LSP Trace Test

This section describes how to configure an LSP trace test to check the connectivity between
Label Switching Routers (LSRs) along the LSP.
Before You Start

Before configuring an LSP Trace test, familiarize yourself with the usage scenario, complete
The NQA LSP Trace test can be used to test the tunnel nodes of the following types of LSPs
and collect statistics about LSA.
l
LSP tunnels
MPLS TE tunnels
MPLS CR-LSP hotstandby tunnels
MPLS rings
After the test parameters are configured and the test is started,
l
NQA creates the UDP MPLS Echo-Request packet, adds the address 127.0.0.0/8 to the IP
packet header as the destination IP address, and searches the related LSP.
Echo Request packets should contain Downstream Mapping Tag, Length, Value (TLV)
that carries the information about the downstream node of the current LSP node, such as
the IP address of the next hop and the outgoing label.
For the MPLS TE tunnel, you can specify a tunnel interface for sending the MPLS EchoRequest packet so that the related Constraint-based Routed Label Switched Path (CR-LSP)
can be obtained.
The TTL value of the first Trace Echo-Request packet is 1. The packet is forwarded along
with the specified LSP in the MPLS network. An MPLS Echo-Reply packet is returned if
the TTL value times out.
The sender continues to send Echo-Request packets with the gradually increased TTL
value. When all Label Switching Routers (LSRs) along the LSP return Echo packets, the
Trace process is completed.
Issue 02 (2013-12-31)

474

Equipment
2 System Management
The sender collects the test results based on the received Echo packets.
Before configuring the LSP Trace test, you need the following configuration:
l
LSP tunnel
Or an MPLS TE tunnel.
Or an MPLS CR-LSP hotstandby tunnel
Or an MPLS ring network
Data Preparation
To configure the LSP Trace test, you need the following data.
No.
Data
l For the MPLS CR-LSP hotstandby tunnels: interface number of the TE tunnel
l For an MPLS ring: the ring ID, the destination node ID, and test direction
(Optional): LSP EXP value, response mode of Echo packets, padding field of a
packet, packet size, number of probes for one NQA test instance, interval at which
packets are sent, source address where packets are sent, TTL, test failure conditions,
historical records and result records, aging time, and test interval.
Configuring the LSP Trace Parameters for the LDP Tunnel

This part describes how to set parameters for an LDP LSP Trace test.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
Issue 02 (2013-12-31)

475

Equipment
2 System Management
Step 3 Run:
test-type lsptrace
The test type is set to LSP Trace.

Step 4 Run:
lsp-type ipv4

Step 5 Run:
destination-address ipv4 ip-address { lsp-masklen masklen | lsp-loopback loopbackaddress }*
The destination IP address to be tested is configured.

Step 6 (Optional) Perform the following as required to configure other parameters for the LSP Trace
test:
ptn-mode } command.
NOTE
NOTE
In a uni-directional LSP Trace test, if the lsp-replymode no-reply command is configured, the test
result displays that the test fails regardless of whether the test is successful or fails. If the test is
successful, the test result also displays the number of the timeout packets. If the test fails, the test result
displays the number of the discarded packets.
l To configure after how many hops the test is considered failed, run the tracerthopfailtimes timescommand.
l To configure the initial and the maximum TTL values of the packet, run the tracertlivetime first-ttl first-ttl max-ttl max-ttl command.
Step 7 Run:
start

command.
Issue 02 (2013-12-31)

476

Equipment
2 System Management

----End
Configuring LSP Trace Test Parameters for the MPLS TE Tunnel

This part describes how to set parameters for a TE LSP Trace test.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
Step 3 Run:
test-type lsptrace
The test type is set to LSP Trace.

Step 4 Run:
lsp-type te

Step 5 Run:

test:
ptn-mode | compatible-mode } command.
Issue 02 (2013-12-31)

477

Equipment
2 System Management
NOTE
In a uni-directional LSP Trace test, if the lsp-replymode no-reply command is configured, the test
result displays that the test fails regardless of whether the test is successful or fails. If the test is
successful, the test result also displays the number of the timeout packets. If the test fails, the test result
displays the number of the discarded packets.
l To configure after how many hops a test is considered failed, run the tracert-hopfailtimes
times command.
Step 7 Run:
start

command.
----End
Configuring the LSP Trace Test Parameters for the CR-LSP Hotstandby Tunnel
This part describes how to set LSP Trace test parameters for CR-LSP hot standby tunnels.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
Issue 02 (2013-12-31)

478

Equipment
2 System Management
Step 3 Run:
test-type lsptrace
The test type is set to be LSP Trace.

Step 4 Run:
lsp-type te
The tunnel type is set to be TE tunnel.

Step 5 Run:
lsp-tetunnel tunnel interface-number hot-standby
The TE tunnel interface to be tracerouted is specified and the CR-LSP hotstandby tunnel is set
to be tested.
test:
ptn-mode } command.
NOTE
result displays that the test fails regardless of whether the test, actually, succeeds or fails. If the test
succeeds, the test result shows the number of timeout packets. If the test fails, the test result shows the
number of discarded packets.
l To configure after how many hops a test is considered failed, run the tracert-hopfailtimes
times command.
Step 7 Run:
start

The start command has several forms. You can choose one of the following forms as required:
command.
l To perform the NQA test after a certain period of delay, run the start delay { seconds
second | hh:mm:ss } [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second |
hh:mm:ss } | lifetime { seconds second | hh:mm:ss } } ] command.
----End
Issue 02 (2013-12-31)

479

Equipment
2 System Management

After configuring the LSP traceroute test, you can view the test result.
Prerequisites
The configurations of the LSP Traceroute Test function are complete.
Context
NOTE
five tests.
Procedure
----End
2.5.14 Configuring an ICMP Jitter Test

This section describes how to configure an ICMP jitter test to measure jitter on IP networks.
Before You Start

Before configuring an ICMP jitter test, familiarize yourself with the usage scenario, complete
sending these two packets.
The process of the ICMP jitter test is as follows:
l
The source sends packets to the destination at a set interval.
After receiving a packet, the destination adds a timestamp to the packet and sends it back
to the source.
After receiving the returned packets, the source obtains the jitter time by subtracting the
interval for sending the packets from the interval for receiving the packets.
clearly presented.
The devices at the two ends of the tested link can be both Huawei devices or not.
Issue 02 (2013-12-31)

480

Equipment
2 System Management
Before configuring an ICMP jitter test, configure a reachable route between the NQA client and
the server.
Data Preparation
To configure a jitter test, you need the following data.
No.
Data
(Optional) Name of a VPN instance, source IP address ,number of test probes sent
each time, number of test packets sent each time, interval for sending test packets,
ratio of the failed NQA tests, and version number of jitter packets
Configuring Parameters for the ICMP Jitter Test

This part describes how to set ICMP jitter test parameters.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
Step 3 Run:
test-type icmpjitter
The type of the test instance is configured as ICMP jitter.

Step 4 Run:

Step 5 (Optional) Run the following commands to configure other parameters for the jitter test:
l Run:
icmp-jitter-mode { icmp-echo | icmp-timestamp }
Issue 02 (2013-12-31)

481

Equipment
2 System Management
The mode of the ICMP jitter test is configured.

l Run:

l Run:
probe-count number

l Run:

NOTE
The probe-count command is used to configure the number of times for the jitter test and the jitterpacketnum command is used to configure the number of test packets to be sent during each test. In
actual configuration, the product of the number of times for the jitter test multiplied by the number of
test packets must be less than 3000.
l Run:

The shorter the interval is, the sooner the test is complete. However, delays arise from sending
and receiving test packets on the processor. Therefore, if the interval for sending test packets
is set to a small value, a relatively greater error may occur in the statistics of the jitter test.
l Run:

Step 6 Run:
start

command.
----End
Issue 02 (2013-12-31)

482

Equipment
2 System Management

After configuring the ICMP jitter test, you can view the test result.
Prerequisites
The configurations of the ICMP Jitter Test function are complete.
NOTE
Procedure
Step 1 Run the display nqa results [ test-instance admin-name test-name ] command to check results
on the NQA client.
----End
2.5.15 Configuring an ICMP Jitter Test Based on the Mechanism

that the LPU Sends Packets
This section describes how to configure an ICMP jitter test based on the mechanism in which
the LPU sends packets to obtain detailed jitter information about IP networks.
Before You Start

Before configuring an ICMP jitter test based on the mechanism in which the LPU sends packets,
sending the two packets.
The process of an ICMP jitter test is as follows:
l
The source sends packets to the destination at a set interval.
After receiving a packet, the destination adds a timestamp to the packet and sends it back
to the source.
After receiving the returned packets, the source obtains the jitter time by subtracting the
interval for sending the packets from the interval for receiving the packets.
clearly presented.
Issue 02 (2013-12-31)

483

Equipment
2 System Management
If the server is a non-Huawei device, you can configure an ICMP jitter test instance based on
the mechanism that the LPU sends packets to test the jitter of the network. After that, a more
accurate test result can be obtained.
Before configuring the ICMP jitter test, complete the following task:
Configuring a reachable route between the NQA client and the server
Data Preparation
To configure the ICMP jitter test, you need the following data.
No.
Data
IP address on the server
(Optional) Name of a VPN instance, source IP address that sends test packets,
number of the source interface that sends test packets, number of the test probes
sent each time, number of the test packets sent each time, interval for sending test
packets, the time of timeout, percentage of the failed NQA tests, TTL value, ToS
value of the test packet.
Configuring a Server for the ICMP Jitter Test

This part describes how to configure the server of the ICMP jitter test based on the mechanism
in which the LPU sends packets.
Context
Perform the following steps on the NQA server:
Procedure
Step 1 Run:
system-view

Step 2 Run:
nqa-server icmp-server [ vpn-instance vpn-instance-name ] ip-address
A server is configured for the ICMP jitter test.

----End
Issue 02 (2013-12-31)

484

Equipment
2 System Management
Configuring a Client for the ICMP Jitter Test

This part describes how to configure the client of the ICMP jitter test based on the mechanism
in which the LPU sends packets.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
Step 3 Run:
The type of the test instance is configured as ICMP jitter.

Step 4 Run:

Step 5 Run:
The LPU is enabled to send packets.

Step 6 (Optional) Run the following commands to configure other parameters for the ICMP jitter test.
l Run:

l Run:

l Run:
probe-count number

l Run:

sending and receiving test packets on the processor. Therefore, if the interval for sending test
Issue 02 (2013-12-31)

485

Equipment
2 System Management
packets is set to a small value, a relatively greater error may occur in the statistics of the jitter
test.
l Run:

l Run:
timeout time
The timeout period of the test is configured.

l Run:
ttl number
The TTL of the NQA test packets is configured.

l Run:
tos value
The type of service (ToS) value of the test packet is configured.

l (Optional) Run:
timestamp-unit { millisecond | microsecond }
A timestamp unit is configured for the NQA test instance.

You need to configure a timestamp unit only when the interface board is enabled to send
packets.
The default timestamp unit is milliseconds.
Step 7 Run:
start

command.
----End

After configuring the ICMP jitter test based on the mechanism in which the LPU sends packets,
you can view the test result.
Issue 02 (2013-12-31)

486

Equipment
2 System Management
Prerequisites
The configurations of the ICMP Jitter Test Based on the Mechanism that the LPU Sends Packets
NOTE
Procedure
----End
2.5.16 Configuring a Path Jitter Test

This section describes how to configure a path jitter test to check the communications between
devices along the packet transmission path.
Before You Start

Before configuring a path jitter test, familiarize yourself with the usage scenario, complete the
A network consists of multiple devices. The intercommunication between these devices may
traverse multiple networks. To better monitor the entire network, a path jitter test can be
performed to check the communication of each part.
Before configuring the path jitter test, configure a reachable route between the NQA client and
the ICMP server.
Data Preparation
To configure the path jitter test, you need the following data.
Issue 02 (2013-12-31)
No.
Data
(Optional) Name of a VPN instance, source IP address , number of test probes sent
each time, number of test packets sent each time, interval for sending test packets,
ratio of the failed NQA tests, and version number of jitter packets

487

Equipment
2 System Management
Configuring Parameters for the Path Jitter Test

This part describes how to set path jitter test parameters.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
Step 3 Run:
test-type pathjitter
The type of the test instance is configured as path jitter.

Step 4 Run:

Step 5 (Optional) Run the following commands to configure other parameters for the path jitter test:
l Run:
icmp-jitter-mode { icmp-echo | icmp-timestamp }
The mode of the path jitter test is configured.

l Run:

l Run:

l Run:
probe-count number

l Run:

NOTE
The probe-count command is used to configure the number of times for the jitter test and the jitterpacketnum command is used to configure the number of test packets sent during each test. In actual
configuration, the product of the number of times for the jitter test and the number of test packets must
be less than 3000.
Issue 02 (2013-12-31)

488

Equipment
2 System Management
l Run:
interval seconds interval
The interval for sending jitter test packets is set.

The shorter the interval is, the sooner the test is complete. However, delays arise when the
processor sends and receives test packets. Therefore, if the interval for sending test packets
is set to a small value, a relatively greater error may occur in the statistics of the jitter test.
l Run:

Step 6 Run:
start

command.
----End

After configuring the path jitter test, you can view the test result.
Prerequisites
The configurations of the Path Jitter Test function are complete.
NOTE
Procedure
----End
Issue 02 (2013-12-31)

489

Equipment
2 System Management
2.5.17 Configuring a Path MTU Test

This section describes how to configure a path MTU test to measure the path MTU value of the
packet transmission path.
Before You Start

Before configuring a path MTU test, familiarize yourself with the usage scenario, complete the
In the network, the intercommunication between hosts may have to traverse multiple networks.
Different networks have various MTU values. The path MTU test can detect the MTU values
of paths in the network. Based on these values, you can limit the packet length on the transmitting
end and therefore effectively avoid discarding oversize packets.
Before configuring the path MTU test, configure a reachable route between the NQA client and
the destination end.
Data Preparation
To configure the path MTU test, you need the following data.
No.
Data
(Optional) Name of a VPN instance,source IP address,number of test probes sent

each time,number of test packets sent each time, Maximum MTU value of the
path,Step value
Configuring Parameters for the Path MTU Test

This part describes how to set path MTU test parameters.
Context
Procedure
Step 1 Run:
system-view
Issue 02 (2013-12-31)

490

Equipment
2 System Management

Step 2 Run:
Step 3 Run:
test-type pathmtu
The type of the test instance is configured as path MTU.

Step 4 Run:

Step 5 (Optional) Run the following commands to configure other parameters for the path MTU test.
l Run:
discovery-pmtu-max pmtu-max
The maximum value of the path MTU test range is set.

l Run:
step step
The value of the incremental step is set for the packet length in the path MTU test.
l Run:

l Run:

l Run:
probe-count number
The maximum number of probe packets that are allowed to time out consecutively is
configured.
Step 6 Run:
start

command.
Issue 02 (2013-12-31)

491

Equipment
2 System Management
----End

After configuring the path MTU test, you can view the test result.
Prerequisites
The configurations of the Path MTU Test function are complete.
NOTE
Procedure
----End
2.5.18 Configuring the PWE3 Ping Test to Check the Single-segment

PW
This section describes how to configure a PWE3 ping test to check the connectivity of a singlesegment pseudo-wire (PW).
Before You Start

Before configuring a PWE3 ping test for a single-hop PW, familiarize yourself with the usage
scenario, complete the pre-configuration tasks, and obtain the required data. This can help you
complete the configuration task quickly and accurately.
To check the connectivity of the single-segment pseudo wire (PW) using LDP as the signaling
protocol, you can perform the PWE3 Ping test on the single-segment PW.
Before configuring the PWE3 Ping test on a single-segment PW, you must correctly configure
the dynamic single-segment PW.
Data Preparation
To configure the PWE3 Ping test on a single-segment PW, you need the following data.
Issue 02 (2013-12-31)

492

Equipment
2 System Management
No.
Data
ID of the PW
Type of the PW
Type and number of the interface connected to the CE
Destination IP address and ID of the L2VC
(Optional) Response mode of the Echo-Request packets, LSP EXP, maximum hops,
number of probes, TTL value, and timeout period of the packets
Configuring Parameters for the PWE3 Ping Test on a Single-segment PW

This part describes how to set PWE3 ping test parameters for a Single-segment PW.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
Step 3 Run:
test-type pwe3ping
The test type is set to PWE3 Ping.

vc-type ldp
The method of setting up a PW is configured.

local-pw-type { local-pw-type | ip-interworking }
The type of the local PW is configured. By default, the type is Ethernet.

Step 6 Run:
lsp-version { rfc4379 | draft6 | ptn-mode }
A protocol is configured for the LSP test instance.

Issue 02 (2013-12-31)

493

Equipment
2 System Management

label-type { control-word | label-alert | normal }
The type of the PW label is configured.

Step 8 Run:
local-pw-id local-pw-id
The ID of the local end of the PW is configured.

Step 9 (Optional) Run the following commands to configure other parameters for the PWE3 Ping test:
Step 10 Run:
start

command.
----End

After performing the PWE3 ping test for a single-hop PW, you can view the test result.
Prerequisites
The configurations of the PWE3 Ping Test function are complete.
Context
NOTE
five tests.
Issue 02 (2013-12-31)

494

Equipment
2 System Management
Procedure
----End
2.5.19 Configuring the PWE3 Trace Test to Check the singlesegment PW

This section describes how to configure a PWE3 trace test to check the communications between
devices along a PW.
Before You Start

Before configuring a PWE3 trace test for a single-segment PW, familiarize yourself with the
usage scenario, complete the pre-configuration tasks, and obtain the required data. This can help
you complete the configuration task quickly and accurately.
To trace a multi-segment PW using LDP as the signaling protocol, you can perform the PWE3
Trace test on the multi-segment PW.
Before configuring the PWE3 Trace test on a multi-segment PW, you must correctly configure
the dynamic multi-segment PW.
Data Preparation
To configure the PWE3 Trace test on a multi-segment PW, you need the following data.
No.
Data
ID of the PW
Type of the PW
Type and number of the interface connected to the CE
Destination IP address and ID of the L2VC
(Optional) Response mode of the Echo packets, LSP EXP, maximum hops, number
of probes, TTL value, and timeout period of the packets
Configuring Parameters for the PWE3 Trace Test on a single-segment PW

This part describes how to set PWE3 trace test parameters for a single-segment PW.
Issue 02 (2013-12-31)

495

Equipment
2 System Management
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
Step 3 Run:
test-type pwe3trace
The test type is set to PWE3 Trace.

vc-type ldp
The method of setting up a PW is configured.

local-pw-type local-pw-type
The type of the local PW is configured. By default, the type is Ethernet.

Step 6 Run:
lsp-version { rfc4379 | draft6 | ptn-mode }
A protocol is configured for the LSP test instance.

label-type { control-word | label-alert | normal }
The type of the PW label is configured.

Step 8 Run:

Step 9 (Optional) Run the following commands to configure other parameters for the PWE3 Trace test:
l To configure maximum hops of the PWE3 Trace test, run the tracert-hopfailtimes
timescommand.
l To configure the initial TTL value and maximum TTL value of the packet, run the tracertlivetime first-ttl first-ttl max-ttl max-ttl command.
Step 10 Run:
start
Issue 02 (2013-12-31)

496

Equipment
2 System Management

command.
----End

After performing the PWE3 trace test for a single-hop PW, you can view the test result.
Prerequisites
The configurations of the PWE3 Trace Test function are complete.
Context
NOTE
five tests.
Procedure
----End
2.5.20 Configuring Universal NQA Test Parameters

This section describes how to set and use universal parameters for NQA test instances.
Before You Start

Before setting universal parameters for NQA test instances, familiarize yourself with the usage
Issue 02 (2013-12-31)

497

Equipment
2 System Management
NQA supports not only the configuration of the parameters for various types of tests, but also
the configuration of universal options of a test group.
Commonly, the default configurations of the universal parameters are adopted.
Before configuring universal NQA parameters, create NQA tests correctly.
Configuring Universal Parameters for the NQA Test Instance

This part describes the application of each parameter in the NQA test instance.
Context
Do as follows on the NQA client:
Procedure
Step 1 Run:
system-view

Step 2 Run:
The NQA test instance view is displayed.

Step 3 Perform the following as required to configure universal parameters:
l Run:
agetime hh:mm:ss
The aging time is set for the NQA test instance.

l Run:
alarm entry-number { lost-packet-ratio | jitter-average | jitter-ds-average |
jitter-sd-average | packet-loss-ds | packet-loss-sd | rtt-average } { absolute
| delta } { falling-threshold threshold-value1 event-entry1 | rising-threshold
threshold-value2 event-entry2 } * [ description ]
Configuration NQA alarms for the NQA test instance.

NOTE
This command does not apply to Path mtu test instances.
l Run:
datafill fillstring
The fill string is set for the NQA test instance.

NOTE
This command does not apply to SNMP, TCP, FTP, Path MTU, MAC Ping, VPLS PW Trace, VPLS
Trace, LSP Trace, and PWE3 Trace test instances. In the case that the icmp-jitter-type of the ICMPJitter
or Path Jitter test instanceis is icmp-echo, this command applies to ICMPJitter and Path Jitter.
Issue 02 (2013-12-31)

498

Equipment
2 System Management
l Run:
datasize size
The packet size is set for the NQA test instance.

NOTE
This command does not apply to SNMP, TCP, FTP, ICMP Jitter, VPLS PW Trace, LSP Trace, Path
Jitter, Path MTU, and PWE3 Trace test instances.
l Run:
description string
The description is configured for the NQA test instance.

l Run:
The destination IP address is set for the NQA test instance.

NOTE
In the case that the lable-type of PWE3 Ping or PWE3 Trace is normal or lable-alert, this command
also applies to PWE3 Ping and PWE3 Trace.
l Run:
The destination port number is set for the NQA test instance.
NOTE
The destination port number can be configured only for UDP, Jitter, TCP, Trace, and FTP test instances.
l Run:
The failure percentage is set for the NQA test instance.

NOTE
This command does not apply to Trace, FTP, LSP Trace, Path MTU, and PWE3 Trace test instances.
l Run:
frequency interval
The test period is set for the NQA test instance.

l Run:
ftp-filename file-name
The file name and file path are configured for the FTP test instance.
NOTE
The file name and file path can be configured only for the FTP test instance.
l Run:
ftp-filesize size
The size of the file is set for the FTP test instance.
NOTE
The size of the file can be configured only for the FTP test instance.
l Run:
ftp-operation { get | put }
The operation type is configured for the FTP test instance.

Issue 02 (2013-12-31)

499

Equipment
2 System Management
NOTE
The operation type can be configured only for the FTP test instance.
l Run:
The user password is set for the FTP test instance.

NOTE
The user password can be configured only for the FTP test instance.
l Run:
ftp-username name
The user name is set for the FTP test instance.

NOTE
The user name can be configured only for the FTP test instance.
l Run:
interval { milliseconds
interval | seconds interval }
The interval for sending packets is set for the NQA test instance.
NOTE
The interval for sending packets can be configured only for the ICMP, UDP, SNMP, Jitter, ICMP Jitter,
Path Jitter , LSP Jitter, TCP, MAC Ping, VPLS PW Ping, LSP Ping, and PWE3 Ping test instances.
l Run:
The number of test packets is set for the NQA test instance.
NOTE
The number of test packets can be configured only for all jitter type test instances.
l Run:
The PW ID or VC ID is set for the local device.

NOTE
This command applies to the VPLS PW Ping, VPLS PW Trace, PWE3 Ping, and PWE3 Trace test
instances.
l Run:
local-pw-type local-pw-type
The PW type is set for the local device.

NOTE
This command can only apply to PWE3 Ping and PWE3 Trace test instances. If the signaling protocol
of the tunnel is BGP, the PW type is always ethernet for PWE3 Trace instances and cannot be changed.
l Run:
lsp-exp exp
The LSP EXP value is set for the NQA test instance.
NOTE
This command can only apply to LSP Ping, LSP Trace, LSP Jitter, VPLS PW Ping, VPLS PW Trace,
PWE3 Ping, and PWE3 Trace test instances.
Issue 02 (2013-12-31)

500

Equipment
2 System Management
l Run:
lsp-replymode { no-reply | udp | udp-via-vpls | udp-router-alert | level-controlchannel }
The reply mode of LSPs is configured for the NQA test instance.
NOTE
This command can only apply to LSP Ping, LSP Trace, LSP Jitter, VPLS PW Ping, VPLS PW Trace,
PWE3 Ping, and PWE3 Trace test instances.
l Run:
lsp-tetunnel tunnel tunnel-number
The outgoing interface is configured for the NQA test instance.

NOTE
This command can only apply to LSP Ping, LSP Jitter and LSP Trace test instances.
l Run:
probe-count number
The number of probes for one time is set.

NOTE
This command does not apply to FTP or VPLS MAC Ping test instances.
l Run:
probe-failtimes times
The number of permitted maximum probe failures, that is, the threshold to trigger the trap
message, is set for the NQA test instance.
NOTE
This command does not apply to Path Jitter and Path MTU test instances.
l Run:
records history number
The maximum number of history records is set for the NQA test instance.
NOTE
This command does not apply to Path MTU test instances.
l Run:
records result number
The maximum number of result records is set for the NQA test instance.
l Run:
remote-pw-id remote-pw-id
The PW ID or VC ID is set for the remote device.

NOTE
This command can only apply to PWE3 Ping and PWE3 Trace test instances. In the case that the vctype of VPLS PW Ping or VPLS PW Trace is bgp, this command applies to VPLS PW Ping and VPLS
PW Trace.
l Run:
The NQA test is configured to send packets without searching for the routing table.
Issue 02 (2013-12-31)

501

Equipment
2 System Management
NOTE
This command does not apply to ICMP Jitter, Path Jitter, LSP Ping, LSP Trace, LSP Jitter, Path MTU,
PWE3 Ping, PWE3 Trace, VPLS Ping, VPLS Trace, VPLS PW Ping, and VPLS PW Trace test
instances.
l Run:
set-df
Packet fragmentation is prohibited.

NOTE
This function can be configured only for the Trace test instances.
l Run:
send-trap { all | { owd-ds | owd-sd | probefailure | rtd | testcomplete |
testfailure } * }
The condition for triggering the trap message is configured.

NOTE
This command does not apply to Path MTU and Path Jitter test instances.
l Run:
The source IP address is set for the NQA test instance.

NOTE
This command does not apply to PWE3 Ping, PWE3 Trace, MAC Ping, VPLS PW Ping, and VPLS
PW Trace test instances.
l Run:
source-interface interface-type interface-number
The source interface is configured for the NQA test instance.

NOTE
The source interface can be configured for ICMP, Jitter, ICMP Jitter, MAC Ping, and Path MTU test
instances.
l Run:
source-port port-number
The source port number is set for the NQA test instance.
NOTE
This command applies to UDP, TCP, Jitter, and FTP test instances.
l Run:
test-failtimes times
The trap threshold for continuous probe failures is set for the NQA test instance.
NOTE
This command does not apply to Path Jitter and Path MTU test instances.
l Run:
timeout time
The timeout period is set for the NQA test instance.

l Run:
ttl number
The TTL value in the NQA test packet is set.

Issue 02 (2013-12-31)

502

Equipment
2 System Management
NOTE
This command does not apply to Path MTU, Mac Ping. Path Jitter. Trace, LSP Trace, VPLS Trace,
VPLS PW Trace and PWE3 Trace test instances.
l Run:
tos value
Type of Service (TOS) is set for the test packet.

NOTE
This command does not apply to Path MTU, Mac Ping, Trace, VPLS PW Trace, VPLS PW Ping, LSP
Ping, LSP Trace, LSP Jitter, Pwe3 Ping, and PWE3 Trace test instances.
l Run:
tracert-hopfailtimes times
The hop fail times are set for the Trace test instance.
NOTE
This command can only apply to Trace, LSP Trace, Path Jitter, VPLS Trace, VPLS PW Trace, and
PWE3 Trace test instances.
l Run:
tracert-livetime first-ttl first-ttl max-ttl max-ttl
The lifetime is set for the Trace test instance.

NOTE
This command can only apply to Trace, LSP Trace, VPLS Trace, VPLS PW Trace, Path Jitter, and
PWE3 Trace test instances.
l Run:
The VPN instance name is configured for the NQA test instance.
NOTE
This command does not apply to LSP Ping, LSP Trace, LSP Jitter, PWE3 Ping, MAC Ping, VPLS PW
Ping, and VPLS PW Trace test instances. When the signaling protocol of the VC is BGP, this command
applies to PWE3 Trace test instances.
l Run:
vc-type { ldp | bgp }
The signaling protocol type is configured for the L2VPN VC.

NOTE
This command can only apply to VPLS PW Ping, VPLS PW Trace, PWE3 Ping, and PWE3 Trace test
instances. In the case of the PWE3 Ping test instance, this command can be applied only when the
signaling protocol is LDP.
----End

After setting universal parameters for NQA test instances, you can view the test result.
Prerequisites
The configurations of the Universal NQA Test Parameters function are complete.
Issue 02 (2013-12-31)

503

Equipment
2 System Management
Procedure
Step 1 Run the display nqa-agent [admin-name test-name ] [ verbose ] to view the status of the test
instance configured on the NQA client.
----End
2.5.21 Configuring Round-Trip Transmission Delay Thresholds

This section describes how to set a round-trip delay transmission threshold in an NQA test
instance.
Before You Start

Before setting a round-trip transmission delay threshold, familiarize yourself with the usage
If the round-trip transmission delay threshold is configured for a NQA test instance, the NQA
test result will contain the statistics on the test packets that exceed the set threshold. This provides
the basis for the network manager to analyze the operating status of the specified service.
Before configuring the round-trip transmission delay threshold, complete the following tasks:
l
Running the device normally
Creating NQA test instances and configuring related parameters correctly
Data Preparation
To configure the round-trip transmission delay threshold, you need the following data.
No.
Data
Round-trip transmission delay threshold
Configuring Round-Trip Delay Thresholds

This part describes how to set a round-trip transmission delay threshold. When the transmission
duration exceeds the threshold, a trap message is sent to the Network Management System
(NMS).
Context
Perform the following steps on the ATN to perform the NQA test:
Issue 02 (2013-12-31)

504

Equipment
2 System Management
Procedure
Step 1 Run:
system-view

Step 2 Run:
An NQA test instance is created and the NQA instance view is displayed.
Step 3 Run:
test-type { ftp | generalflow | icmp | jitter | lspjitter | lspping | lsptrace | snmp | tcp | trace |
udp | pwe3trace | pwe3ping | macping | pathmtu | vplstrace | pathjitter | vplspwping |
icmpjitter }
The test type is configured.
NOTE
Only the ATN 910/ATN 910I/ATN 910B/ATN 950B (AND2CXPA/AND2CXPB/AND2CXPE)

supportsgeneralflow.
Step 4 Run:

Step 5 (Optional)Run:

Step 6 Run:
threshold rtd rtd-value
The round-trip transmission delay threshold is configured.

Step 7 Run:
send-trap rtd
The trap function is enabled.

----End

After setting the round-trip transmission delay threshold, you can view the configuration.
Prerequisites
The configurations of the Round-Trip Delay Thresholds Test function are complete.
Issue 02 (2013-12-31)

505

Equipment
2 System Management
Procedure
Step 1 Run the display nqa-agent [ admin-name test-name ] [ verbose ] to view the status of the test
----End
2.5.22 Configuring Uni-directional Transmission Delay Thresholds

This section describes how to set a one-way transmission delay threshold in an NQA test
instance. After a one-way transmission delay threshold is set in an NQA test instance, the test
result will contain the statistics on the test packets that exceed the set threshold. This provides
the basis for the network manager to analyze the operating status of the specified service on the
network.
Before You Start

Before setting a one-way transmission delay threshold or uni-directional jitter threshold,
In all jitter type tests (except PathJiiter and LSPJiiter), after the uni-directional transmission
delay threshold or uni-directional jitter threshold is configured, the test results contain statistics
on the test packets that exceed the set threshold. This provides the basis for the network manager
to analyze the operating status of the specified service.
Before configuring the uni-directional transmission delay threshold, complete the following
tasks:
l
Running the device normally
Creating NQA tests and configuring related parameters correctly
Data Preparation
To configure the uni-directional transmission delay threshold, you need the following data.
No.
Data
Uni-directional transmission delay threshold
Configuring Uni-directional Transmission Delay Thresholds

This part describes how to set a one-way transmission delay threshold. When the transmission
duration exceeds the threshold, a trap message is sent to the NMS.
Issue 02 (2013-12-31)

506

Equipment
2 System Management
Context
Perform the following steps on the ATN to perform the NQA test:
Procedure
Step 1 Run:
system-view

Step 2 Run:
An NQA test instance is created and the NQA instance view is displayed.
Step 3 Run:
test-type { jitter | icmpjitter }

Step 4 Run:


Step 6 Run:
threshold owd-sd owd-sd-value
The uni-directional transmission (from the source to the destination) delay threshold is
configured.
Step 7 Run:
threshold owd-sd owd-sd-value
The uni-directional transmission (from the destination to the source) delay threshold is
configured.
----End

After setting the one-way transmission delay threshold, you can view the configuration.
Prerequisites
The configurations of the Uni-directional Transmission Delay Thresholds Test function are
complete.
Issue 02 (2013-12-31)

507

Equipment
2 System Management
Procedure
Step 1 Run the display nqa-agent [ admin-name test-name ] [ verbose ] to view the status of the test
----End
2.5.23 Configuring the Trap Function

This section describes how to configure the trap function in an NQA test instance. After the trap
function is configured, a trap message is sent to the NMS in case of transmission success or
transmission failure.
Before You Start

Before configuring the trap function, familiarize yourself with the usage scenario, complete the
Trap messages are generated regardless of whether the NQA test is successful or fails. You can
control whether to send trap messages to the NM station by enabling or disabling the trap
function.
NQA supports three types of trap messages as defined in the DISMAN-PING-MIB.
NQA also supports the sending of trap messages to the NM station when the uni-directional
transmission delay or the round-trip transmission delay exceeds the threshold.
l
For all tests supporting traps, if the round-trip transmission delay exceeds the threshold and
the trap function is enabled, trap messages are sent to the NM station with the specified IP
address.
For all the Jitter tests ( LSPJitter and PathJitter not included ), if the uni-directional
transmission delay exceeds the threshold and the trap function is enabled, trap messages
are sent to the NM station with the specified IP address.
Trap messages carry information such as destination IP address, operating status, destination IP
address of the test packet, minimum RTT, maximum RTT and total RTT, number of sent probe
packets, number of received packets, RTT square sum, and time of the last successful probe.
Before configuring the trap function, complete the following tasks:
l
Configuring routes between the NQA client and the NM station
Creating an NQA test and configuring related parameters correctly
Data Preparation
To configure the trap function, you need the following data.
Issue 02 (2013-12-31)

508

Equipment
2 System Management
No.
Data
NQA events that trigger the trap function
l (Optional) Number of test failures that trigger sending a trap message

l (Optional) Number of probe failures that trigger sending a trap message
Sending Trap Messages When Test Failed

A trap message is sent to the NMS when the transmission of NQA test packets fails.
Procedure
Step 1 Run:
system-view

Step 2 Run:
Step 3 Run:

Step 4 Run:


Step 6 Run:
send-trap testfailure
Sending trap messages when tests fail is enabled.

By default, the trap function is disabled.
Step 7 Run:
test-failtimes times
The number of test failures that trigger sending a trap message is configured.
By default, a trap message is sent for each test failure.
----End
Issue 02 (2013-12-31)

509

Equipment
2 System Management
Sending Trap Messages When Probes Failed

A trap message is sent to the NMS when the NQA test fails.
Procedure
Step 1 Run:
system-view

Step 2 Run:
Step 3 Run:

Step 4 Run:


Step 6 Run:
send-trap probefailure
Sending trap messages when probes fail is enabled.

Step 7 Run:
The number probe failures that trigger sending a Trap message is configured.
By default, a trap message is sent for each probe failure.
----End
Sending Trap Messages When Probes Are Complete Successfully

A trap message is sent to the NMS when the NQA test is complete successfully.
Context
Issue 02 (2013-12-31)

510

Equipment
2 System Management
Procedure
Step 1 Run:
system-view

Step 2 Run:
Step 3 Run:

Step 4 Run:


Step 6 Run:
send-trap testcomplete
Sending trap messages when tests are complete successfully is enabled.

----End
Sending Trap Messages When the Transmission Delay Exceeds Thresholds

A trap message is sent to the NMS when the test result exceeds the threshold.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
Step 3 Run:
Issue 02 (2013-12-31)

511

Equipment
2 System Management

Step 4 Run:


Step 6 Run:
send-trap { jitter-sd | jitter-ds | owd-ds | owd-sd | rtd }*
Sending trap messages when the transmission delay exceeds the threshold is enabled.
----End

After the trap function is enabled in an NQA test instance, you can view trap messages in the
trap buffer.
Prerequisites
The configurations of the Trap function are complete.
Procedure
Step 1 Run the display trapbuffer [ size value ] to view the trap messages sent in an NQA test.
----End
2.5.24 Configuring Test Results to Be Sent to the FTP Server

This section describes how to configure the system to send test results to the FTP server to avoid
loss of test results in the event that the NMS does not poll the test result in time.
Before You Start

Before configuring the system to send test results to the FTP server, familiarize yourself with
the usage scenario, complete the pre-configuration tasks, and obtain the required data. This can
help you complete the configuration task quickly and accurately.
In the test, the latest five test results can be saved by the system and earlier ones are overlapped.
Therefore, if the NM station does not perform result polling timely, test results are lost. You can
send the statistics on the test results that reach the capacity of the local storage or periodically
send the statistics to the FTP server for storage through FTP. This can effectively prevent the
loss of test results and facilitate the network management based on the analysis of test results at
different times.
Issue 02 (2013-12-31)

512

Equipment
2 System Management
Before configuring test results to be sent to the FTP server, complete the following tasks:
l
Configuring the FTP server
Configuring a reachable route between the NQA client and the NM station
Configuring a test instance
Data Preparation
To configure test results to be sent to the FTP server, you need the following data.
NOTE
FTP account must be above 3 levels.
No.
Data
Number of test results saved through FTP
Duration of saving test results through FTP
Configuring Parameters for Connecting the FTP Server

This part describes how to set parameters for accessing the FTP server that receives the test
results, such as address of the FTP server and user name and password for accessing the FTP
server.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
nqa-ftp-record ip-address ip-address
or
nqa-ftp-record vpn-instance vpn-instance
The IP address of the FTP server is configured.

Step 3 Run:
nqa-ftp-record username username
The user name for logging into the FTP server is configured.
Issue 02 (2013-12-31)

513

Equipment
2 System Management
Step 4 Run:
nqa-ftp-record password { password | cipher password }
The password for logging into the FTP server is configured.

Step 5 Run:
nqa-ftp-record filename filename
The file name used for saving test results is configured.

----End
Enabling the Function of Saving NQA Test Results Through FTP

The system can send test results to the FTP server only after the FTP server is enabled with the
test result saving function.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
nqa-ftp-record enable
The FTP server is enabled to save test results.

----End
(Optional) Configuring the Number of Test Results Saved Through FTP

This part describes how to configure the number of test results that an FTP server can save.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
nqa-ftp-record item-num item-number
The number of test results to be saved on the FTP server through FTP is configured.
----End
Issue 02 (2013-12-31)

514

Equipment
2 System Management
(Optional) Configuring the Duration of Saving Test Results Through FTP

Each time, the system can send two test results to the FTP server. If the FTP server cannot
continue to write the file after being interrupted, a new file is created on the FTP server for the
test results sent each time.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
nqa-ftp-record time time
The duration of saving test results to the FTP server through FTP is configured.
----End
(Optional) Enabling Alarms to Be Sent to the NM Station After the FTP

Transmission Succeeds
After test results are successfully saved on the FTP server, a trap message is sent to the NMS
for notification.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
nqa-ftp-record trap-enable
Alarms are configured to be sent to the NM station after the FTP transmission succeeds.
When the FTP transmission succeeds at the first time, no alarm message is generated. From the
second time on, each time when the FTP transmission succeeds, an alarm message is generated.
----End
Starting the Test Instance

After you start a test instance, test results are field periodically.
Issue 02 (2013-12-31)

515

Equipment
2 System Management
Context
Procedure
Step 1 Run:
system-view

Step 2 Run the nqa test-instance admin-name test-name command, enter the NQA test instance view.
Step 3 Run:
test-type{ ftp | icmp | jitter | lspjitter | lspping | lsptrace | snmp | tcp |
trace | udp | pathmtu | pwe3trace | pwe3ping | macping | icmpjitter | pathjitter |
vplspwping | vplspwtrace }

Step 4 Run:


Step 6 Run:
start

command.
[ end { at [ yyyy/mm | dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime
----End

After configuring the system to send test results to the FTP server, you can view the
configuration.
Issue 02 (2013-12-31)

516

Equipment
2 System Management
Prerequisites
The configurations of the Test Results to Be Sent to the FTP Server function are complete.
Procedure
Step 1 Run the display nqa-ftp-record configuration command to Check the configuration for saving
NQA test results.
----End
2.5.25 Configuring a Threshold for the NQA Alarm

This section describes how to set an alarm threshold for test results. When the number of test
results exceeds the threshold, a trap message is sent to the NMS for notification.
Before You Start

Before setting an alarm threshold for test results, familiarize yourself with the usage scenario,
The user can monitor the network by configuring an alarm threshold. After monitoring
conditions are configured, when the monitored item in the test result exceeds the configured
upper or lower threshold, the device sends alarms to the NM station. Therefore, the user can
monitor the real-time operating status of the network.
Before configuring the threshold for the NQA alarm, complete the following task:
l
Configuring a test instance
Data Preparation
To configure the threshold for the NQA alarm, you need the following data.
No.
Data
Number of the event corresponding to the threshold
Number of the alarm threshold
Upper threshold
Lower threshold
Configuring the Event Corresponding to the Alarm Threshold

This part describes the actions that the system needs to perform in response to the threshold
exceeding, such as generating logs, generating traps, or generating logs and traps.
Issue 02 (2013-12-31)

517

Equipment
2 System Management
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
nqa event event-entry { linkage admin-name test-name
none } [ description ]
| log | trap | log-trap |
The event number and the corresponding event are configured.

----End
Configuring the Alarm Threshold

This part describes how to configure the events triggered when the number of test results exceeds
the threshold.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
The test instance view is displayed.

Step 3 Run:
test-type { ftp | icmp | jitter | lspjitter | lspping | lsptrace | snmp | tcp |
trace | udp | pathmtu | pwe3trace | pwe3ping | macping | mactrace | icmpjitter |
pathjitter | vplspwping | vplspwtrace }

Step 4 Run:


Issue 02 (2013-12-31)

518

Equipment
2 System Management
Step 6 Run:
alarm entry-number { lost-packet-ratio | jitter-average | jitter-ds-average |
jitter-sd-average | packet-loss-ds | packet-loss-sd | rtt-average } { absolute |
delta } { falling-threshold threshold-value1 event-entry1 | rising-threshold
threshold-value2 event-entry2 } * [ description description ]
The alarm number and the threshold are configured.

NOTE
At present, only the absolute statistics function rather than the relative statistics function is supported.
----End
Starting the Test Instance

You can start a test instance. When the number of test results exceeds the threshold,
corresponding action is taken.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The test instance view is displayed.
Step 3 Run:
start

command.
----End

After the alarm threshold for test results is set, you can view the configuration.
Issue 02 (2013-12-31)

519

Equipment
2 System Management
Prerequisites
The configurations of the Threshold for the NQA Alarm function are complete.
Procedure
l
Run the display nqa event command to check the maximum number of events that can be
configured and the number of events that are configured.
Run the display nqa alarm command in the NQA view to check the maximum number of
alarms that can be configured and the number of alarms that are configured.
Run the display nqa-agent [ admin-name test-name ] [ verbose ] command to Check the
status of the test instance configured on the NQA client.
----End
2.5.26 Configuring a MAC Ping Test

A MAC ping test can detect connectivity of a VLAN network and a VPLS network.

A MAC Ping test instance detects the network connectivity between two maintenance
association end points (MEPs).
NQA MAC Ping test instance is similar to the Ping command in terms of providing functions
to detect the connectivity of VLAN and VPLS networks, but output more detailed test
information. To detect the connectivity of a VLAN network, it is required that devices on the
VLAN network be enabled with basic Ethernet Connectivity Fault Management (CFM)
functions; to detect the connectivity of a VPLS network, it is required that PEs on the VPLS
network be enabled with VPLS-based Ethernet CFM.
Before configuring a MAC Ping test instance, complete the following tasks:
l
In the case of a VLAN MAC Ping test instance, configuring a VLAN network and enabling
basic Ethernet CFM functions on the VLAN network
In the case of a VPLS MAC Ping test instance, configuring a VPLS network, ensuring that
the VSI is in the Up state, and enabling basic Ethernet CFM functions on PEs
Data Preparation
To configure a MAC Ping test instance, you need the following data.
Issue 02 (2013-12-31)
No.
Data
Administrator and name of an NQA test instance
Names of the MD and MA, local MEP ID, and destination MAC address
520

Equipment
2 System Management
No.
Data
(Optional): Packet size, number of probes for one NQA test instance, interval at
which packets are sent, source address where packets are sent, TTL, test failure
conditions, historical records and result records, and aging time.
Start and end modes of an NQA test instance
Configuring Parameters for a MAC Ping Test

A MAC Ping test can be performed only after relevant parameters are configured.
Context
Configure the following parameters on the NQA clients where NQA MAC Ping tests need to
be started.
Procedure
Step 1 Run:
system-view

Step 2 Create an NQA test instance and set the test instance type to MAC Ping.
1.
Run:
2.
Run:
test-type macping
The test instance type is set to MAC Ping.

3.
(Optional) Run:
description description
The description is configured for the test instance.

Step 3 Configure MEP IDs, MD name, and MA name for a MAC Ping test.
1.
Run:
mep mep-id mep-id
The local MEP ID is configured.

2.
Run:
md md-name ma ma-name
The MD and MA that send test packets are configured.

Step 4 Choose one of the following procedures to configure a destination MAC address for the MAC
Ping test.
1.
Run:
destination-address mac mac-address
Issue 02 (2013-12-31)

521

Equipment
2 System Management
The destination MAC address is configured for the MAC Ping test.
2.
Run:
destination-address remote-mep mep-id remote-mep
A MEP ID is configured for the remote end.

NOTE
If the destination MAC address is the remote-mep type, you must configure mapping between remotemep and the destination MAC address on the CFM module before the destination MAC address is
configured.
Step 5 (Optional) Configure optional parameters to transmit test packets in an actual network.
1.
Run:
datasize size
The size of an NQA test packet is set.

NOTE
The sum of the data size and the packet header size must be less than the maximum transmission unit
(MTU) value of the interface; otherwise, the test may fail.
2.
Run:
probe-count number
The number of probes is set for an NQA test instance.

3.
Run:
The interval at which probe packets are sent is set.

4.
Run:
source-interface interface-type interface-number
The source interface is configured for the test instance.

Step 6 (Optional) Configure test failure conditions and send a trap message to the NMS after a test fails.
1.
Run:
timeout time
The response timeout period is set.

If no response packets are received before the set period expires, the probe fails.
2.
Run:

If the percentage of failed probes is larger than or equal to the failure percentage, the test
fails.
3.
Run:
The NQA test instance is configured to send a trap message to the NMS when the number
of continuous probe failures reaches the specified value.
By default, a trap massage is sent for each probe failure.
Issue 02 (2013-12-31)

522

Equipment
4.
2 System Management
Run:
test-failtimes
The NQA test instance is configured to send a trap message to the NMS when the number
of continuous test failures reaches the specified value.
By default, a trap is sent for each test failure.
5.
Run:
threshold rtd rtd-value
The bidirectional transmission delay threshold is configured.

6.
Run:
send-trap rtd
A trap message is sent to the NMS after a threshold is reached.

Step 7 (Optional) Configure the NQA statistics function.
records { history number | result number }
The maximum numbers of historical records and result records that can be saved for the NQA
test instance are set.
agetime hh:mm:ss
The aging time is set for the NQA test instance.

The default aging time is 0, indicating that the test instance will not age.
Step 9 Schedule the NQA test instance.
1.
(Optional) Run:
frequency interval
The test period is set for the NQA test instance.

2.
Run:
start

Run any of the following start commands as required:
l Run:
start now [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second |
hh:mm:ss } | lifetime { seconds second | hh:mm:ss } } ]

l Run:
start at [ yyyy/mm/dd ] hh:mm:ss [ end { at [ yyyy/mm/dd ] hh:mm:ss |
delay { seconds second | hh:mm:ss } | lifetime { seconds second |
hh:mm:ss } } ]

l Run:
start delay { seconds second | hh:mm:ss } [ end { at [ yyyy/mm/dd ]
hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime { seconds second
| hh:mm:ss } } ]
Issue 02 (2013-12-31)

523

Equipment
2 System Management
The test instance is started after a specified delay.

----End

After a MAC ping test instance is successfully performed, you can view the test result.
Prerequisites
The configurations of the MAC ping test instance are complete.
NOTE
NQA test results are not displayed automatically on the terminal. You must run the display nqa results
command to view test results. By default, the command output only shows the results of the latest five
tests.
Procedure
l
Run the display nqa results [ test-instance admin-name test-name ] command to view test
results.
----End
Example
If a MAC Ping test instance is successfully performed, run the display nqa results command,
and the following information is displayed.
<HUAWEI> display nqa results test-instance admin macping
NQA entry(admin, macping) :testflag is inactive ,testtype is macping
1 . Test 1 result
The test is finished
SendProbe:3
ResponseProbe:3
Completion:success
RTD OverThresholds number:0
OWD OverThresholds SD number:0
OWD OverThresholds DS number:0
Min/Max/Avg/Sum RTT:9/12/10/30
RTT Square Sum:306
NumOfRTT:3
Drop operation number:0
Operation sequence errors number:0
RTT Stats errors number:0
System busy operation number:0
Operation timeout number:0
Min Positive SD:0
Min Positive DS:0
Max Positive SD:0
Max Positive DS:0
Positive SD Number:0
Positive DS Number:0
Positive SD Sum:0
Positive DS Sum:0
Positive SD Square Sum:0
Positive DS Square Sum:0
Min Negative SD:2
Min Negative DS:1
Max Negative SD:2
Max Negative DS:1
Negative SD Number:1
Negative DS Number:1
Negative SD Sum:2
Negative DS Sum:1
Negative SD Square Sum:4
Negative DS Square Sum:1
Min Delay SD:0
Min Delay DS:0
Avg Delay SD:0
Avg Delay DS:0
Max Delay SD:0
Max Delay DS:0
Delay SD Square Sum:0
Delay DS Square Sum:0
Packet Loss SD:0
Packet Loss DS:0
Packet Loss Unknown:0
Average of Jitter:1
Average of Jitter SD:0
Average of Jitter DS:0
Jitter out value:0.0000000
Jitter in value:0.0000000
NumberOfOWD:0
Packet Loss Ratio: 0%
OWD SD Sum:0
OWD DS Sum:0
ICPIF value: 0
MOS-CQ value: 0
TimeStamp unit: ms
Packet Rewrite Number: 0
Packet Rewrite Ratio: 0%
Packet Disorder Number: 0
Issue 02 (2013-12-31)

524

Equipment
Packet Disorder Ratio: 0%
Fragment-disorder Ratio: 0%
2 System Management
Fragment-disorder Number: 0
2.5.27 Configuring a VPLS MAC Ping Test

This section describes how to configure an NQA VPLS MAC ping test.
Before You Start

After a VPLS network is configured, an NQA VPLS MAC ping test is initiated to check the
connectivity of Layer 2 forwarding links on the VPLS network.
Before configuring a VPLS MAC ping test, complete the following tasks:
1.
Configuring a VPLS network
2.
Ensuring that the VSI is in the Up state
Data Preparation
To configure a VPLS MAC ping test, you need the following data.
No.
Data
VSI name and MAC address
(Optional) VLAN ID
Start and end modes of the NQA test
Configuring Parameters for the VPLS MAC Ping Test

Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
Issue 02 (2013-12-31)

525

Equipment
2 System Management
Step 3 Run:
test-type vplsping
The type of the test instance is configured as VPLS MAC ping.

Step 4 Run:
vsi vsi-name
The name of the VSI to be tested is configured.

Step 5 Run:
The MAC address associated with the VSI is configured.

vlan vlan-id
The VLAN ID is configured.

Step 7 Run:
start

Run the following commands as required:
command.
For details about parameters in the start command, refer to the Command Reference.
----End

Prerequisites
All the configurations of the VPLS MAC Ping are complete.
NOTE
tests.
Issue 02 (2013-12-31)

526

Equipment
2 System Management
Procedure
Step 1 Run the display nqa results [ test-instance admin-name test-name] command on the NQA
client to display test results.
----End
Example
Run the display nqa results command. If the following information is displayed, it means that
the VPLS MAC Ping test is successful.
l
Statistics on errors:
Number of unroutable connections
Number of incorrect sequences
Timeout times of the test packets
History statistics of each test packet:

Timestamp added when each test packet is sent
Timestamp added when each test packet is received
Status of each packet that is displayed on the NQA client
Statistics on the result of each test instance:

Number of successful tests
Sum of the response time of tests
RTT square sum (lower 32 bits and higher 32 bits)
Minimum and maximum RTT of the packet
Destination IP address type and destination IP address
Number of received Response packets and sent packets
Time when the last packet is received
<HUAWEI> display nqa results

NQA entry (1, 1) :testflag is inactive ,testtype is vplsping
1 . Test 1 result
Send operation times: 3
Receive response times: 3
Completion:success
RTD OverThresholds number: 0
Attempts number:1
Disconnect operation number:0
Connection fail number:0
Destination ip address:168.1.1.1
Min/Max/Average Completion Time: 21/30/24
Sum/Square-Sum Completion Time: 74/1870
Last Good Probe Time: 2009-4-21 9:49:50.1
Lost packet ratio: 0 %
2.5.28 Configuring a VPLS MAC Trace Test

This section describes how to configure an NQA VPLS MAC trace test.
Issue 02 (2013-12-31)

527

Equipment
2 System Management
Before You Start

After a VPLS network is configured, an NQA VPLS MAC trace test is initiated to check the
connectivity of Layer 2 forwarding links on the VPLS network.
Before configuring a VPLS MAC trace test, complete the following tasks:
1.
2.
Ensuring that the VSI is in the Up state
Data Preparation
To configure a VPLS MAC trace test, you need the following data.
No.
Data
VSI ID and MAC address
(Optional) VLAN ID
Start and end modes of the NQA VPLS MAC trace test
Configuring Parameters for the VPLS MAC Trace Test

Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
Step 3 Run:
test-type vplstrace
The type of the test instance is configured as VPLS MAC Trace.

Step 4 Run:
vsi vsi-name
Issue 02 (2013-12-31)

528

Equipment
2 System Management
The name of the VSI to be tested is configured.

Step 5 Run:
The MAC address associated with the VSI is configured.

vlan vlan-id
The VLAN ID is configured.

Step 7 Run:
start

Run the following commands as required:
l To immediately start the test instance, run:
l To start the test instance at a specified time, run:

start at [ yyyy/mm/dd ] hh:mm:ss [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay
{ seconds second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } } ]
l To start the test instance after a certain period of delay, run:

start delay { seconds second | hh:mm:ss } [ end { at [ yyyy/mm/dd ] hh:mm:ss |
delay { seconds second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } } ]
For details about parameters in the start command, refer to the Command Reference.
----End

Prerequisites
The VPLS MAC Trace test has been configured.
NOTE
tests.
Procedure
Step 1 Run the display nqa results [ test-instance admin-name operation-tag] command on the NQA
client to display test results.
----End
Example
Run the display nqa results command. If the following information is displayed, it means that
the VPLS MAC Trace test is successful.
Issue 02 (2013-12-31)

529

Equipment
2 System Management
Statistics on errors:
Number of unroutable connections
Number of incorrect sequences
Timeout times of the test packets
History statistics of each test packet:

Timestamp added when each test packet is sent
Timestamp added when each test packet is received
Status of each packet that is displayed on the NQA client
Statistics on the result of each test instance:

Number of successful tests
Number of received Response packets and sent packets
Time when the last packet is received
<HUAWEI> display nqa results

NQA entry( test, vplstrace) :testflag is inactive ,testtype is vplstrace
1 . Test 1 result
Completion:success
Attempts number:1
Last good path Time:2009-4-21 9:51:4.1
1 . Hop 1
Destination ip address:
Lost packet ratio: 0 %,
2 . Hop 2
Destination ip address:
2.5.29 Configuring VPLS PW Ping and VPLS PW Trace Test

Instances
Before You Start
VPLS PW ping and VPLS PW trace are tools for detecting the connectivity of VPLS PWs and
locating faults on PWs.
As a main technology for setting up a metropolitan area network (MAN), Virtual Private LAN
Service (VPLS) has been widely applied globally. VPLS, however, is poor in terms of service
management and monitoring. In this case, an optimized VPLS OAM mechanism is required.
Issue 02 (2013-12-31)

530

Equipment
2 System Management
On a VPLS network, the performance of PWs affects the entire network performance. For
example, the connectivity of PWs determines whether traffic can be normally forwarded between
users, and the forwarding performance of PWs determines whether the forwarding capacity of
the network complies with the Service Level Agreement (SLA) signed with users. NQA VPLS
PW ping and NQA VPLS PW trace test instances can detect a specific PW and provide data
such as jitter and delay for network analysis.
Before configuring VPLS PW ping and VPLS PW trace test instances, configure a VPLS
network correctly to ensure that the VSI is in the Up state.
Data Preparation
To configure VPLS PW ping and VPLS PW trace test instances, you need the following data.
No.
Data
Name and type of the VSI
Destination address in the case of an LDP VPLS network or a BGP AD VPLS

network; local site ID and remote site ID in the case of a BGP VPLS network
(Optional) Local PW, test period, number of sent packets, interval at which packets
are sent, packet size, padding, and failure percentage
Start and end modes of an NQA test instance
Configuring Parameters for the VPLS PW Ping Test Instance

Before configuring parameters for the VPLS PW ping test instance, ensure that the VSI is in the
Up state.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
Step 3 Run:
test-type vplspwping
Issue 02 (2013-12-31)

531

Equipment
2 System Management
The test type is set to VPLS PW ping.

Step 4 Run:
vsi vsi-name
The name of the VSI to be detected is configured.

Step 5 Run the following commands as required by the signaling protocol used for creating a VC:
l In the case that the signaling protocol for creating the VC is LDP, run:
The destination address is configured.

l In the case that the signaling protocol for creating the VC is BGP, run the following
commands:
1.
Run:
vc-type bgp
The protocol type of the L2VPN is set to BGP.

2.
Run:
The local site ID is configured.

3.
Run:
The remote site ID is configured.

l When the VC type is BGP AD:
1.
Run:
vc-type bgp-ad
The protocol type configured for the L2VPN is BGP AD.

2.
Run:

Step 6 (Optional) Run the following commands as required.
l Run:
probe-count number
The number of test packets to be sent each time is configured.

l Run:
The interval at which test packets are sent is configured.

The shorter the interval is, the sooner the test is complete. However, delays occur during the
sending and receiving of test packets on the processor. Therefore, if the interval at which test
packets are is set to a small value, a relatively greater error may occur in the statistics of the
test result.
l Run:

Issue 02 (2013-12-31)

532

Equipment
2 System Management

l Run:
The reply mode of Echo packets is configured.

no-reply indicates that the destination end does not respond to Echo packets. udp indicates
that the destination end responds to Echo packets with UDP packets. udp-via-vpls indicates
that the destination end responds to Echo packets with VPLS IPv4 UDP packets. udp-routeralert indicates that the destination end responds to Echo packets with UDP packets carrying
the Router Alert option. level-control-channel indicates that the destination end responds
to Echo packets through the control channel at the application program level.
l Run:
lsp-exp exp
The LSP EXP value is configured.

NOTE
To view more optional parameters, you can enter the test instance view after the NQA test instance type is
configured and then run the display nqa-parameter command.
Step 7 Run:
start
The NQA test instance is started.

Run one of the following commands as required:
l Run:
The NQA test instance is started immediately.

l Run:
The NQA test instance is started at a specified time.

l Run:
The test instance is started after a certain period of delay.

For details on parameters of the start command, refer to the Command Reference.
----End
Configuring Parameters for the VPLS PW Trace Test Instance

Before configuring parameters for the VPLS PW trace test instance, ensure that the VSI is in
the Up state.
Context
Issue 02 (2013-12-31)

533

Equipment
2 System Management
Procedure
Step 1 Run:
system-view

Step 2 Run:
Step 3 Run:
test-type vplspwtrace
The test type is set to VPLS PW trace.

Step 4 Run:
vsi vsi-name
The name of the VSI to be detected is configured.

Step 5 Run the following commands as required by the signaling protocol for creating a VC:
The destination address is configured.

l In the case that the signaling protocol for creating the VC is BGP, run the following
commands:
1.
Run:
vc-type bgp
The protocol type of the L2VPN is set to BGP.

2.
Run:
The local site ID is configured.

3.
Run:
The remote site ID is configured.

l When the VC type is BGP AD:
1.
Run:
vc-type bgp-ad
The protocol type configured for the L2VPN is BGP AD.

2.
Run:

Step 6 (Optional) Run the following commands as required.
l Run:
probe-count number
The number of test packets to be sent each time is configured.

Issue 02 (2013-12-31)

534

Equipment
2 System Management
l Run:
The interval at which test packets are sent is configured.

sending and receiving test packets on the processor. Therefore, if the interval at which test
packets are is set to a small value, a relatively greater error may occur in the statistics of the
test result.
l Run:


l Run:
The reply mode of Echo packets is configured.

no-reply indicates that the destination end does not respond to the Echo packet. udp indicates
that the destination end responds to Echo packets with UDP packets. udp-via-vpls indicates
that the destination end responds to Echo packets with VPLS IPv4 UDP packets. udp-routeralert indicates that the destination end responds to Echo packets with UDP packets carrying
the Router Alert option. level-control-channel indicates that the destination end responds
to Echo packets through the control channel at the application program level.
l Run:
lsp-exp exp
The LSP EXP value is configured.

l Run
:
lsp-path full-display
All P nodes along the LSP path are displayed in the NQA test result.
NOTE
To view more optional parameters, you can enter the test instance view after the NQA test instance type is
configured and then run the display nqa-parameter command.
Step 7 Run:
start

Run one of the following commands as required:
l Run:
The NQA test instance is started immediately.

l Run:
Issue 02 (2013-12-31)

535

Equipment
2 System Management
The NQA test instance is started at a specified time.

l Run:
The test instance is started after a certain period of delay.

For details on parameters and options of the start command, refer to the Command Reference.
----End

Prerequisites
All the configurations of the VPLS PW ping and VPLS PW trace test instances are complete.
NOTE
tests.
Procedure
Step 1 Run the display nqa results [ test-instance admin-name test-name ] command on the NQA
client to view test results.
----End
2.5.30 Configuring a General Flow Test Instance

This section describes how to configure a general flow test instance to monitor the performance
of interconnected network devices.
Context
NOTE
Only the ATN 910/ATN 910I/ATN 910B/ATN 950B (AND2CXPB/AND2CXPE) supports the General
Flow Test function.
Before You Start

Before configuring a general flow test instance, familiarize yourself with the usage scenario,
complete the pre-configuration tasks, and obtain the data required for the configuration.
Usage Scenario
An NQA general flow test is a standard traffic testing method for evaluating network
performance and is in compliance with RFC 2544. This test can be used in various networking
scenarios that have different packet formats. NQA general flow tests are conducted using UDP
packets with source UDP port 0xC020 and destination UDP port 7.
Before a customer performs a service cutover, an NQA general flow test helps the customer
evaluate whether the network performance counters meet the requirements in the design. An
NQA general flow test has the following advantages:
Issue 02 (2013-12-31)

536

Equipment
2 System Management
Enables a device to send simulated service packets to itself before services are deployed
on the device.
Existing methods include Y.1731 on Layer 2 networks and IP Flow Performance
Management (IP FPM) on Layer 3 networks. These methods, unlike general flow tests, can
only be used when services have been deployed on networks. If no services are deployed,
testers must be used to send and receive test packets.
Uses standard methods and procedures that comply with RFC 2544 so that NQA general
flow tests can be conducted on a network on which both Huawei and non-Huawei devices
are deployed.
A general flow test measures the following counters:

l
Throughput: maximum rate at which packets are sent without loss. The value is expressed
in Kbit/s.
Packet loss rate: percentage of discarded packets to all sent packets.
Latency: consists of the bidirectional delay time and jitter calculated based on the
transmission and receipt timestamps carried in test packets. The transmission time in each
direction includes the time the forwarding devices process the test packet. The value is
expressed in microseconds.
A general flow test can be used in the following scenarios:

l
Layer 2: native Ethernet scenario and L2VPN scenario, including VLL and VPLS
networking
On the network shown in Figure 2-27, an initiator and a reflector perform a general flow
test to monitor the forwarding performance for end-to-end services exchanged between two
user-to-network interfaces (UNIs).
Figure 2-27 General flow test in a Layer 2 scenario
In itia to r
R e fle c to r
U N I-A
U N I-B
Layer 3: native IP scenario and L3VPN scenario

Layer 3 networking is similar to Layer 2 networking.
IP gateway scenario
Layer 2 interface access to a Layer 3 device: IP gateway scenario
Figure 2-28 shows the networking of the Layer 2 interface's access to a Layer 3 device.
Issue 02 (2013-12-31)

537

Equipment
2 System Management
Figure 2-28 General flow test in the scenario in which a Layer 2 interface accesses a Layer
3 device
U N I-A
In itia to r
IP g a te w a y
R e fle c to r
O u tb o u n d in te rfa ce o f th e in itia to r
Before configuring an NQA general flow test, complete the following tasks:
l
Layer 2:
In a native Ethernet scenario, configure reachable Layer 2 links between the initiator
and reflector.
In an L2VPN scenario, configure reachable links between CEs on both ends of an
L2VPN connection.
Layer 3:
In a native IP scenario, configure reachable IP links between the initiator and reflector.
In an L3VPN scenario, configure reachable links between CEs on both ends of an
L3VPN connection.
IP gateway scenario: configure reachable Layer 2 links between an IP gateway and the
reflector.
Data Preparation
To configure an NQA general flow test, you need the following data.
No.
Data
Simulated service parameters, including the initiator's destination MAC or IP

address, VLAN IDs, and UNI name
Key test parameters, including the rate at which test packets are sent, throughput
precision, and the interval at which test packets are sent
Common test parameters, including the data size and test duration
Configuring a Reflector
This section describes how to configure a reflector, which loops traffic to an initiator. You can
set reflector parameters based on each scenario.
Issue 02 (2013-12-31)

538

Equipment
2 System Management
Context
On the network shown in Figure 2-27 of the "Before You Start", the following two roles are
involved in a general flow test:
l
Initiator: sends simulated service traffic to a reflector.
Reflector: loops the service traffic to the initiator.

The reflector can loop all packets on a reflector interface or the packets matching filter
criteria to the initiator. The filter criteria include a destination MAC address.
Procedure
Step 1 Run:
system-view

Step 2 Configure the reflector. The reflector settings vary according to usage scenarios.
NOTE
l The reflector ID must be unique on a local node.

l The aging time can be set for a reflector. The default aging time is 1800s.
Issue 02 (2013-12-31)
Usa
ge
Sce
nar
io
Configuration Procedure
Configuration Note
Any
scen
ario
in
whi
ch a
refl
ecto
r
loop
s all
pac
kets
nqa reflector reflector-id interface interface-type

interface-number
On the network shown in

Figure 2-27 of the "Before
You Start", UNI-B is used
as a reflector interface.
Lay
er 2

interface-number [ mac mac-address ] [ pe-vid pe-vid
ce-vid ce-vid | vlan vlan-id ] [ source-port sourceport ] [ destination-port destination-port ] [ agetime
agetime ]

You Start", the MAC
address of the reflector's
UNI-B or a MAC address
that has never been used is
used as the MAC address.

539

Equipment
2 System Management
Usa
ge
Sce
nar
io
Configuration Note
Lay
er 3

interface-number [ ipv4 ip-address ] [ source-port
source-port ] [ destination-port destination-port ]
[ agetime agetime ]

You Start", an IP address on
the same network segment
as the reflector's UNI-B is
used as the IP address.
Lay
er 2
inte
rfac
e
acce
ss to
a
Lay
er 3
devi
ce

interface-number simulate-ip ipv4 ip-address [ pevid pe-vid ce-vid ce-vid | vlan vlan-id ] [ source-port
source-port ] [ destination-port destination-port ]
[ agetime agetime ]

You Start", an IP address on
the same network segment
as the reflector's UNI-B is
used as the simulated IP
address.
----End
Configuring an Initiator
This section describes how to configure an initiator that sends simulated service traffic. You can
set initiator parameters based on usage scenarios and test counter types.
Context
On the network shown in Figure 2-27 of the "Before You Start", the following two roles are
involved in a general flow test:
l
Initiator: sends simulated service traffic to a reflector.
Reflector: loops the service traffic to the initiator.
The process of configuring the initiator is as follows:

1.
Create a general flow test instance.
2.
Set basic simulated service parameters.
3.
Set key test parameters based on counters.
4.
Set general flow test parameters.
5.
Start the general flow test instance.
Issue 02 (2013-12-31)

540

Equipment
2 System Management
Procedure
Step 1 Create a general flow test instance.
1.
Run:
system-view

2.
Run:
An NQA test instance is created, and the test instance view is displayed.
3.
Run:
test-type generalflow
The test type is set to generalflow.

4.
Run:
measure { throughput | loss | delay }
A test counter is specified.

Step 2 Set basic simulated service parameters.
NOTE
The basic simulated service parameters on the initiator must be the same as those configured on the reflector.
Table 2-13 Configurations in different usage scenarios

Us
ag
e
Sc
en
ari
o
Configuration Note
La
yer
2
1. Run the destination-address mac macaddress command to specify the destination

MAC address of test packets.
The initiator shown in Figure

2-27 of the "Before You Start" has
the following parameters:
2. Run the forwarding-simulation inboundinterface interface-type interface-number

command to specify the inbound interface of
simulated service packets.
l Destination MAC address: the

MAC address of the reflector's
UNI-B or a MAC address that
has never been used
3. Run the vlan vlan-id or pe-vid pe-vid ce-vid cevid command to set VLAN IDs of simulated
service packets.
l Simulated inbound interface:

UNI-A
l VLAN ID: VLAN IDs
configured on interfaces
NOTE
The display nqa reflector command
can be used on the reflector to display
the configured destination MAC
address.
Issue 02 (2013-12-31)

541

Equipment
2 System Management
Us
ag
e
Sc
en
ari
o
Configuration Note
La
yer
3
1. Run the destination-address ipv4 ipv4address command to specify the destination IP

address of test packets.

2. Run the source-address ipv4 ipv4-address

command to specify the source IP address of test
packets.
l Destination IP address: an IP
address on the same network
segment as the reflector's
UNI-B
3. Run the forwarding-simulation inboundinterface interface-type interface-number

command to specify the inbound interface of
4. (Optional) Run the vlan vlan-id or pe-vid pevid ce-vid ce-vid command to set VLAN IDs of
l Source IP address: an IP
segment as UNI-A's IP
address
l Simulated inbound interface:
UNI-A
NOTE
If the initiator does not have an ARP entry corresponding
to the source IP address in test packets, run the arp
static ip-address mac-address command to configure a
static ARP entry for the source IP address.
IP
gat
ew
ay
1. Run the destination-address ipv4 ipv4address command to specify the destination IP

address of test packets.

2. Run the source-address ipv4 ipv4-address

command to specify the source IP address of test
packets.
l Destination IP address: the

CE's IP address or an IP
segment as the CE.
3. Run the source-interface interface-type

interface-number command to specify the
outbound interface of test packets.
4. (Optional) Run the vlan vlan-id or pe-vid pevid ce-vid ce-vid command to set VLAN IDs of
l Source IP address: an IP
segment as UNI-A's IP
address
Step 3 Set key test parameters based on counters.
Issue 02 (2013-12-31)

542

Equipment
2 System Management
Table 2-14 Key test parameters

Counte
r
Throug
hput
1. Run the rate rate-low rate-high command to set the upper and lower rate
thresholds.
Specifying one rate indicates the rate of sending the packet; specifying two
rates indicates the upper and lower rates of sending the packet.
2. Run the interval seconds interval command to set the interval at which test
packets are transmitted at a specific rate.
The default interval is 4s.
3. Run the precision precision-value command to set the throughput precision.
The default precision is 1 Mbit/s.
4. Run the fail-ratio fail-ratio-value command to set the packet loss rate during
a throughput test. The value is expressed in 1/10000. If the actual packet loss
rate is less than 1/10000 during a throughput test, the test is successful and
continues.
The default packet loss rate is 1%.
1. Run the rate rate command to set the rate at which test packets are sent.
Latency
2. Run the interval seconds interval command to set the interval at which test
packets are sent.
The default interval is 4s.
Packet
loss rate
1. Run the rate rate command to set the rate at which test packets are sent.
Step 4 Configure common parameters for an NQA test instance.

1.
Run:
datasize size & <17>
The data size of each test packet is set.

The default size of a general flow test packet is tested according to seven typical packet
lengths: 64 bytes, 128 bytes, 256 bytes, 512 bytes, 1024 bytes, 1280 bytes and 1518 bytes.
2.
Run:
duration duration
The test instance duration is set.

The default duration is 60s.
NOTE
The duration value must be greater than twice the interval value in throughput and delay tests.
This duration indicates execution time of each packet if multiple test packet lengths are configured.
3.
Run:
records result number
The maximum number of results that can be recorded is set.

Issue 02 (2013-12-31)

543

Equipment
2 System Management
By default, the last five test results are recorded.

4.
Run:
priority 8021p priority-value
The 802.1p priority is set for general flow test packets in an Ethernet scenario.
The default priority is 0.
5.
Run:
tos value
The IP packet priority is set.

Step 5 Run:
start now
NOTICE
Running the start now command interrupts user services temporarily.
----End

After you configure the general flow test instance, you can view the general flow test
configuration and test results.
Prerequisites
All general flow test configurations are complete.
NOTE
NQA test results cannot be displayed automatically on the terminal. Run the display nqa results command
to view test results. By default, the command output shows the results of the latest five tests.
Procedure
l
Run the display nqa results [ test-instance admin-name test-name ] command on the
initiator to view general flow test results.
Run the display nqa reflector [ reflector-id ] command on the reflector to view reflector
information.
----End
Example
# Run the display nqa results command to view throughput test results. The command output
shows that the throughput is 50 Mbit/s.
<HUAWEI> display nqa results test-instance admin generalflow
Issue 02 (2013-12-31)

544

Equipment
2 System Management
NQA entry(admin, generalflow) :testflag is inactive ,testtype is generalflow

1 . Test 1 result
Test mode is throughput
Completion: success
Frame size(byte): 64
Throughput(Mbps)/precision(Mbps): 50/1
Detailed result information:
# Run the display nqa results command to view the test results.
<HUAWEI> display nqa results admin generalflow
NQA entry(admin, generalflow) :testflag is active ,testtype is
generalflow
1Test 1 resultThe test is running, test mode is
throughput
ID Size Throughput(Kbps) Precision(Kbps) LossRatio
Completion
1 111 0
1000
0.00%
no
result
2 222 0
1000
0.00%
no
result
3 333 0
1000
0.00%
no
result
4 444 0
1000
0.00%
no
result
5 555 0
1000
0.00%
no
result
6 666 0
1000
0.00%
no
result
7 777 0
1000
0.00%
no result
# Run the display nqa reflector command to view reflector information.

<HUAWEI> display nqa reflector
Reflector 1:
Interface
IP-address
MAC-address
Cevid
Pevid
Simulate IP-address
Source-port
Destination-port
AgeTime(s)
SurvivalTime(s)
State
RecommendedTestMac
:
:
:
:
:
:
:
:
:
:
:
:
GE0/2/1
--10
-20.0.12.2
49184
7
1800
862
active
707b-e8c3-6513
2.5.31 Maintaining NQA

This section describes how to maintain an NQA test instance. You can restart the test instance
and clear the statistics on the test result to maintain a test instance.
Restarting NQA Test Instances

If a test instance fails, you can try to restart the test instance in the next test period.
Prerequisites
To restart an NQA test instance, run the following command in the NQA instance view.
Issue 02 (2013-12-31)

545

Equipment
2 System Management
Context
NOTICE
Restarting an NQA test instance interrupts the running of tests.
Procedure
Step 1 Run the system-view command, enter the system view.
Step 3 Run the restart command in the NQA instance view to restart an NQA test instance.
----End
Clearing NQA Statistics

When the statistics on the current test instance are saved to the FTP server, you can clear test
results on the device.
Prerequisites
NQA statistics cannot be restored after you clear them. So, confirm the action before you use
the command.
Context
NOTE
Statistics about the test being performed cannot be cleared.
Procedure
Step 1 Run the system-view command, enter the system view.
Step 3 Run the clear-records command in the NQA view to clear history statistics on NQA tests and
test results.
----End
2.5.32 NQA Configuration Examples

This section provides examples for configuring NQA and illustrates the networking
requirements, configuration roadmap, and configuration notes. You can better understand the
configuration procedures with the help of the configuration flowchart.
Example for Configuring the ICMP Test

This part provides examples for configuring an ICMP test to check the IP network connectivity.
Issue 02 (2013-12-31)

546

Equipment
2 System Management
As shown in Figure 2-29, ATNA functions as an NQA client. It is required to test whether CXB is routable.
Figure 2-29 Networking diagram of the ICMP test
ATNA
CX-B
GE0/2/0
10.1.1.1/24
GE1/0/0
10.1.1.2/24
NQA agent
1.
Perform the NQA ICMP test to test whether the packet sent by ATNA can reach CX-B.
2.
Perform the NQA ICMP test to obtain the RTT of the packet.
Data Preparation
To complete the configuration, you need the IP address of CX-B.
Procedure
Step 1 Configure the IP address. (The detailed procedure is not mentioned here.)
Step 2 Enable the NQA client and create an NQA ICMP test.
<ATNA> system-view
[ATNA] nqa test-instance admin icmp
[ATNA-nqa-admin-icmp] test-type icmp
[ATNA-nqa-admin-icmp] destination-address ipv4 10.1.1.2
Step 3 Start the test immediately.

[ATNA-nqa-admin-icmp] start now
Step 4 View the test results.

[ATNA-nqa-admin-icmp] display nqa results test-instance admin icmp
NQA entry(admin, icmp) :testFlag is inactive ,testtype is icmp
1 . Test 1 result
Completion:success
Attempts number:1
Issue 02 (2013-12-31)

547

Equipment
2 System Management
----End
Configuration Files
l
Configuration file of ATNA

#
sysname ATNA
#
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
nqa test-instance admin icmp
test-type icmp
destination-address ipv4 10.1.1.2
#
return
Configuration file of CX-B

#
sysname CX-B
#
interface Pos1/0/0
link-protocol ppp
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
return
Example for Configuring the FTP Download Test

This part provides examples for configuring an FTP download test to check the performance of
the FTP download function.
As shown in Figure 2-30, CX-B functions as an FTP server.
A user named user1 intends to log in to the FTP server by entering the password hello to
download the file named test.txt.
Figure 2-30 Networking diagram of the FTP download test
ATNA
CX-B
GE0/2/0
10.1.1.1/24
FTP Client
Issue 02 (2013-12-31)
GE1/0/0
10.1.1.2/24
FTP Server

548

Equipment
2 System Management
1.
Configure ATNA as the NQA client.
2.
Create and perform an FTP download test on ATNA to check whether ATNA can set up a
connection with the FTP server and to obtain the time taken by ATNA to download the file
from the FTP server.
Data Preparation
l
Source IP address for the test
Operation file of the FTP test
Procedure
Step 1 Configure IP addresses of ATNA and CX-B. (The detailed procedure is not mentioned here.)
Step 2 Configure CX-B as the FTP server.
<CX-B> system-view
[CX-B] ftp-server enable
[CX-B] aaa
[CX-B-aaa] local-user user1 password cipher hello
[CX-B-aaa] local-user user1 service-type ftp
[CX-B-aaa] local-user user1 ftp-directory flash:/
[CX-B-aaa] quit
Step 3 Create an NQA FTP test on Route A.

<ATNA> system-view
[ATNA] nqa test-instance admin ftp
[ATNA-nqa-admin-ftp] test-type ftp
[ATNA-nqa-admin-ftp] destination-address ipv4 10.1.1.2
[ATNA-nqa-admin-ftp] source-address ipv4 10.1.1.1
[ATNA-nqa-admin-ftp] ftp-operation get
[ATNA-nqa-admin-ftp] ftp-username user1
[ATNA-nqa-admin-ftp] ftp-password hello
[ATNA-nqa-admin-ftp] ftp-filename test.txt
Step 4 Start the test.

[ATNA-nqa-admin-ftp] start now

[ATNA-nqa-admin-ftp] display nqa results test-instance admin ftp
NQA entry(admin, ftp) :testFlag is inactive ,testtype is ftp
1 . Test 1 result
SendProbe:1
ResponseProb:1
Completion :success
MessageBodyOctetsSum: 448
Stats errors number: 0
Operation timeout number: 0
Disconnect operation number: 0
CtrlConnTime Min/Max/Average: 438/438/438
DataConnTime Min/Max/Average: 218/218/218
SumTime Min/Max/Average: 656/656/656
Issue 02 (2013-12-31)

549

Equipment
2 System Management
Average RTT:656
Lost packet ratio:0 %
----End
Configuration Files
l

#
sysname ATNA
#
interface gigabitehernet0/2/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
nqa test-instance admin ftp
test-type ftp
source-address ipv4 10.1.1.1
ftp-operation get
ftp-filename test.txt
ftp-username user1
ftp-password %$%$gw1.QU~4M1I@ESF>b/VP,@7.%$%$
#
return

#
sysname CX-B
#
FTP server enable
#
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
aaa
local-user user1 password cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
local-user user1 service-type ftp
local-user user1 ftp-directory flash:/
#
return
Example for Configuring the FTP Upload Test

This part provides examples for configuring an FTP upload test to check the performance of the
FTP upload function.
As shown in Figure 2-31, it is required to test the speed of uploading a file from ATNA to an
FTP server.
Figure 2-31 Networking diagram of the FTP upload test
ATNA
CX-C
CX-B
GE0/2/0
GE1/0/0
10.1.1.1/24 10.1.1.2/24
GE2/0/0
GE1/0/0
10.2.1.1/24 10.2.1.2/24
FTP Client
Issue 02 (2013-12-31)

FTP Server
550

Equipment
2 System Management
1.
Configure ATNA as an NQA client as well as an FTP client. Create and perform an FTP
test on ATNA to check whether ATNA can set up a connection with the FTP server and to
obtain the time taken by ATNA to upload a file to the FTP server.
2.
A user named user1 logs in to the FTP server by entering the password hello to upload a
file with the size being 10 KB.
Data Preparation
l
Source IP address for the test
Size of the uploaded file
Procedure
Step 1 Configure reachable routes between ATNA, CX-B, and CX-C. (The detailed procedure is not
mentioned here.)
Step 2 Configure CX-C as the FTP server.
<CX-C> system-view
[CX-C] ftp-server enable
[CX-C] aaa
[CX-C-aaa] local-user user1 password cipher hello
[CX-C-aaa] local-user user1 service-type ftp
[CX-C-aaa] local-user user1 ftp-directory flash:
[CX-C-aaa] quit
Step 3 Create an NQA FTP test on ATNA and create a file with the size being 10 KB for uploading.
<ATNA> system-view
[ATNA] nqa test-instance admin ftp
[ATNA-nqa-admin-ftp] test-type ftp
[ATNA-nqa-admin-ftp] destination-address ipv4 10.2.1.2
[ATNA-nqa-admin-ftp] source-address ipv4 10.1.1.1
[ATNA-nqa-admin-ftp] ftp-operation put
[ATNA-nqa-admin-ftp] ftp-username user1
[ATNA-nqa-admin-ftp] ftp-password hello
[ATNA-nqa-admin-ftp] ftp-filesize 10

[ATNA-nqa-admin-ftp] start now

# View the test results on ATNA.
[ATNA-nqa-admin-ftp] display nqa results test-instance admin ftp
NQA entry(admin, ftp) :testFlag is inactive ,testtype is ftp
1 . Test 1 result
SendProbe:1
ResponseProb:1
Completion :success
Issue 02 (2013-12-31)

551

Equipment
2 System Management
MessageBodyOctetsSum: 10240
Stats errors number: 0
Operation timeout number: 0
Disconnect operation number: 0
CtrlConnTime Min/Max/Average: 657/657/657
DataConnTime Min/Max/Average: 500/500/500
SumTime Min/Max/Average: 1157/1157/1157
Average RTT:656
Lost packet ratio:0 %
# On CX-C, you can view that a file named nqa-ftp-test.txt is added.

<CX-C> dir
Directory of flash:/
0
-rw331 Jul 06 2007 18:34:34
1
-rw1024000 Jul 06 2007 18:37:06
2540 KB total (1536 KB free)
private-data.txt
nqa-ftp-test.txt
----End
Configuration Files
l

#
sysname ATNA
#
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
nqa test-instance admin ftp
test-type ftp
ftp-operation put
ftp-filesize 10
ftp-username user1
ftp-password %$%$gw1.QU~4M1I@ESF>b/VP,@7.%$%$
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2
#
return

#
sysname CX-B
#
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
return
Configuration file of CX-C

#
sysname CX-C
#
FTP server enable
#
undo shutdown
ip address 10.2.1.2 255.255.255.0
#
Issue 02 (2013-12-31)

552

Equipment
2 System Management
aaa
local-user user1 password cipher 3MQ*TZ,O3KCQ=^Q`MAF4<1!!
local-user user1 service-type ftp
local-user user1 ftp-directory flash:
#
ip route-static 10.1.1.0 255.255.255.0 10.2.1.1
#
return
Example for Configuring the Traceroute Test

This part provides examples for configuring a traceroute test to check the connectivity between
the client and devices along the transmission path.
As shown in Figure 2-32, perform the Traceroute test on ATNA to trace the IP address of GE
1/0/0 on CX-C.
Figure 2-32 Networking diagram of the Traceroute test
ATNA
CX-B
GE0/2/0
GE1/0/0
10.1.1.1/24 10.1.1.2/24
CX-C
GE2/0/0
10.2.1.1/24
GE1/0/0
10.2.1.2/24
l
Configure ATNA as an NQA client.
Create and perform the Traceroute on ATNA to obtain the statistics about each hop
fromATNA to CX-C.
Data Preparation
To complete the Traceroute test, you need to configure the destination IP address to be tested.
Procedure
mentioned here.)
Step 2 Create an NQA Traceroute test on ATNA and configure the destination IP address to be tested
to 10.2.1.2.
<ATNA> system-view
[ATNA] nqa test-instance admin trace
[ATNA-nqa-admin-trace] test-type trace
[ATNA-nqa-admin-trace] destination-address ipv4 10.2.1.2

Issue 02 (2013-12-31)

553

Equipment
2 System Management
[ATNA-nqa-admin-trace] start now

# View the test results on ATNA.
[ATNA-nqa-admin-trace] display nqa results test-instance admin trace
NQA entry(admin, trace) :testflag is inactive ,testtype is trace
1 . Test 1 result
Completion:success
Attempts number:1
1 . Hop 1
2 . Hop 2
----End
Configuration Files
l

#
sysname ATNA
#
ip address 10.1.1.1 255.255.255.0
#
nqa test-instance admin trace
test-type trace
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2
#
return

#
sysname CX-B
#
ip address 10.1.1.2 255.255.255.0
#
interface Pos2/0/0
link-protocol ppp
ip address 10.2.1.1 255.255.255.0
#
return

#
Issue 02 (2013-12-31)

554

Equipment
2 System Management
sysname CX-C
#
ip address 10.2.1.2 255.255.255.0
#
ip route-static 10.1.1.0 255.255.255.0 10.2.1.1
#
return
Example for Configuring the SNMP Query Test

This part provides examples for configuring a traceroute test to check the SNMP
communications between the client and the SNMP agent.
As shown in Figure 2-33, CX-C functions as an SNMP agent. It is required to perform an NQA
SNMP Query test to obtain the time from when ATNA sends an SNMP query packet to when
ATNA receives an Echo packet.
Figure 2-33 Networking diagram of the SNMP Query test
ATNA
CX-C
CX-B
GE0/2/0
GE1/0/0
10.1.1.1/24 10.1.1.2/24
GE2/0/0
10.2.1.1/24
GE1/0/0
10.2.1.2/24
SNMP Agent
1.
2.
Create and perform an SNMP Query test on ATNA.
3.
Enable SNMP agent on CX-C.
Data Preparation
To complete the configuration, you need to configure the IP address of the SNMP agent.
Procedure
mentioned here.)
Step 2 Enable SNMP agent on CX-C.
<CX-C> system-view
[CX-C] snmp-agent
Step 3 Create an SNMP Query test on ATNA.

Issue 02 (2013-12-31)

555

Equipment
2 System Management
<ATNA> system-view
[ATNA] nqa test-instance admin snmp
[ATNA-nqa-admin-snmp] test-type snmp
[ATNA-nqa-admin-snmp] destination-address ipv4 10.2.1.2

[ATNA-nqa-admin-snmp] start now

[ATNA-nqa-admin-snmp] display nqa results test-instance admin snmp
NQA entry(admin, snmp) :testFlag is inactive ,testtype is snmp
1 . Test 1 result
Completion:success
Attempts number:0
----End
Configuration Files
l

#
sysname ATNA
#
ip address 10.1.1.1 255.255.255.0
#
nqa test-instance admin snmp
test-type snmp
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2
#
return

#
sysname CX-B
#
ip address 10.1.1.2 255.255.255.0
#
ip address 10.2.1.1 255.255.255.0
#
return

#
sysname CX-C
#
ip address 10.2.1.2 255.255.255.0
#
ip route-static 10.1.1.0 255.255.255.0 10.2.1.1
#
snmp-agent
Issue 02 (2013-12-31)

556

Equipment
2 System Management
snmp-agent local-engineid 000007DB7F00000100006294

#
return
Example for Configuring the TCP Test

This part provides examples for configuring a TCP test to check the TCP communications
As shown in Figure 2-34, it is required to perform an NQA TCP Private test to obtain the time
taken by ATNA to set up a TCP connection with CX-B.
Figure 2-34 Networking diagram of the TCP test
ATNA
CX-C
CX-B
GE0/2/0
10.1.1.1/24
GE1/0/0
10.1.1.2/24
GE2/0/0
10.2.1.1/24
GE1/0/0
10.2.1.2/24
NQA Server
1.
ATNA functions as an NQA client; CX-C functions as an NQA server.
2.
Configure the port number monitored by the NQA server and create an NQA TCP test on
the NQA client.
Data Preparation
l
IP address of the NQA server
TCP port number monitored by the server
Procedure
mentioned here.)
Step 2 Configure CX-C as the NQA server.
# Configure the IP address and port number monitored by the NQA server.
<CX-C> system-view
[CX-C] nqa-server tcpconnect 10.2.1.2 9000
Step 3 Configure ATNA.

Issue 02 (2013-12-31)

557

Equipment
2 System Management
Enable the NQA client and create a TCP Private test.

<ATNA> system-view
[ATNA] nqa test-instance admin tcp
[ATNA-nqa-admin-tcp] test-type tcp
[ATNA-nqa-admin-tcp] destination-address ipv4 10.2.1.2
[ATNA-nqa-admin-tcp] destination-port 9000

[ATNA-nqa-admin-tcp] start now

[ATNA-nqa-admin-tcp] display nqa results test-instance admin tcp
NQA entry(admin, tcp) :testFlag is inactive ,testtype is tcp
1 . Test 1 result
Completion:success
Attempts number:0
Operation sequence errors number:0 RTT Stats errors number:0
----End
Configuration Files
l

#
sysname ATNA
#
ip address 10.1.1.1 255.255.255.0
#
nqa test-instance admin tcp
test-type tcp
destination-port 9000
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2
#
return

#
sysname CX-B
#
interface Pos1/0/0
link-protocol ppp
ip address 10.1.1.2 255.255.255.0
#
interface Pos2/0/0
link-protocol ppp
ip address 10.2.1.1 255.255.255.0
#
return

#
sysname CX-C
#
Issue 02 (2013-12-31)

558

Equipment
2 System Management
interface Pos1/0/0
link-protocol ppp
ip address 10.2.1.2 255.255.255.0
#
nqa-server tcpconnect 10.2.1.2 9000
#
ip route-static 10.1.1.0 255.255.255.0 10.2.1.1
#
return
Example for Configuring the UDP Test

This part provides examples for configuring a UDP test to check the UDP communications
As shown in Figure 2-35, it is required to perform an NQA UDP Public test to obtain the RTT
of a UDP packet transmitted between ATNA and CX-C.
Figure 2-35 Networking diagram of the UDP test
ATNA
CX-B
GE1/0/0
GE0/2/0
10.1.1.1/24 10.1.1.2/24
GE2/0/0
10.2.1.1/24
CX-C
GE1/0/0
10.2.1.2/24
NQA Server
1.
ATNA functions as an NQA client; CX-C functions as an NQA server.
2.
Configure the port number monitored by the NQA server and create an NQA UDP test on
the NQA client.
Data Preparation
l
UDP port number monitored by the server
Procedure
mentioned here.)
# Configure the IP address and UDP port number monitored by the NQA server.
Issue 02 (2013-12-31)

559

Equipment
2 System Management
<CX-C> system-view
[CX-C] nqa-server udpecho 10.2.1.2 6000

# Enable the NQA client and create a UDP Public test.
<ATNA> system-view
[ATNA] nqa test-instance admin udp
[ATNA-nqa-admin-udp] test-type udp
[ATNA-nqa-admin-udp] destination-address ipv4 10.2.1.2
[ATNA-nqa-admin-udp] destination-port 6000

[ATNA-nqa-admin-udp] start now

[ATNA-nqa-admin-udp] display nqa results test-instance admin udp
NQA entry(admin, udp) :testFlag is inactive ,testtype is udp
1 . Test 1 result
Completion:success
Attempts number:0
----End
Configuration Files
l

#
sysname ATNA
#
ip address 10.1.1.1 255.255.255.0
#
nqa test-instance admin udp
test-type udp
destination-address port 6000
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2
#
return

#
sysname CX-B
#
interface Pos1/0/0
link-protocol ppp
ip address 10.1.1.2 255.255.255.0
#
interface Pos2/0/0
link-protocol ppp
ip address 10.2.1.1 255.255.255.0
#
return
Issue 02 (2013-12-31)

560

Equipment
2 System Management

#
sysname CX-C
#
interface Pos1/0/0
link-protocol ppp
ip address 10.2.1.2 255.255.255.0
#
nqa-server udpecho 10.2.1.2 6000
#
ip route-static 10.1.1.0 255.255.255.0 10.2.1.1
#
return
Example for Configuring the Jitter Test

This part provides examples for configuring a jitter test to measure jitter on the network.
As shown in Figure 2-36, it is required to perform an NQA Jitter test to obtain the jitter time of
the packet transmitted from ATNA to CX-B.
NOTE
For clock synchronization, refer to the chapter "NTP" in the Feature Description - Clock.
Figure 2-36 Networking diagram of the Jitter test
ATNA
CX-B
GE1/0/0
GE0/2/0
10.1.1.1/24 10.1.1.2/24
CX-C
GE2/0/0
GE1/0/0
10.2.1.1/24 10.2.1.2/24
NQA Server
1.
Configure ATNA as an NTP client, with CX-B being its server.
2.
Configure CX-C as an NTP client, with CX-B being its server.
3.
Configure ATNA as an NQA client, with CX-C being its server.
4.
Configure the monitoring service types and the port number to be monitored on the NQA
server.
5.
Create Jitter tests on the NQA clients.
Data Preparation
l
Issue 02 (2013-12-31)

561

Equipment
2 System Management
UDP port number monitored by the server
Procedure
mentioned here.)
Step 2 On ATNA, specify CX-B as its NTP server.
<ATNA> system-view
[ATNA] ntp-service unicast-server 10.1.1.2
Step 3 On CX-C, specify CX-B as its NTP server.

<CX-C> system-view
[CX-C] ntp-service unicast-server 10.2.1.1

# Configure the IP address and UDP port number monitored by the NQA server.
<CX-C> system-view

# Enable the NQA client and create an NQA Jitter test.
<ATNA> system-view
[ATNA] nqa test-instance admin jitter
[ATNA-nqa-admin-jitter] test-type jitter
[ATNA-nqa-admin-jitter] destination-address ipv4 10.2.1.2
[ATNA-nqa-admin-jitter] destination-port 9000

[ATNA-nqa-admin-jitter] start now

[ATNA-nqa-admin-jitter] display nqa results test-instance admin jitter
NQA entry(admin, jitter) :testflag is inactive ,testtype is jitter
1 . Test 1 result
SendProbe:60
ResponseProbe:60
Completion:success
RTT Square Sum:75
NumOfRTT:60
Min Positive SD:1
Min Positive DS:1
Max Positive SD:1
Max Positive DS:3
Positive SD Sum:15
Positive DS Sum:16
Min Negative SD:1
Min Negative DS:1
Max Negative SD:1
Max Negative DS:4
Negative SD Sum:16
Negative DS Sum:15
Min Delay SD:0
Min Delay DS:0
Max Delay SD:2
Max Delay DS:1
Packet Loss SD:0
Packet Loss DS:0
Average of Jitter:1
jitter out value:0.0322917
jitter in value:0.0322917
NumberOfOWD:60
Issue 02 (2013-12-31)

562

Equipment
OWD SD Sum:2
ICPIF value: 0
TimeStamp unit: ms
2 System Management
OWD DS Sum:1
MOS-CQ value: 0
----End
Configuration Files
l

#
sysname ATNA
#
ip address 10.1.1.1 255.255.255.0
#
nqa test-instance admin jitter
test-type jitter
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2
#
#
return

#
sysname CX-B
#
interface Pos1/0/0
link-protocol ppp
ip address 10.1.1.2 255.255.255.0
#
interface Pos2/0/0
link-protocol ppp
ip address 10.2.1.1 255.255.255.0
#
return

#
sysname CX-C
#
interface Pos1/0/0
link-protocol ppp
ip address 10.2.1.2 255.255.255.0
#
#
ip route-static 10.1.1.0 255.255.255.0 10.2.1.1
#
#
return
Example for Configuring a Jitter Test Based on the Mechanism that the LPU Sends
Packets
This part provides examples for configuring a jitter test based on the mechanism in which the
LPU sends packets to obtain detailed jitter information about IP networks.
Issue 02 (2013-12-31)

563

Equipment
2 System Management
As shown in Figure 2-37, the NQA jitter function is used to test the jitter time of transmitting
packets from ATNA to CX-C. The accuracy of the test can be improved by enabling the LPU
to send packets.
Figure 2-37 Networking diagram of the jitter test
GE0/2/0
10.1.1.1/24
GE1/0/0
10.1.1.2/24
ATNA
GE2/0/0
11.1.1.1/24
CX-B
GE1/0/0
11.1.1.2/24
CX-C
1.
Configure ATNA as the NQA client and CX-C as the NQA server.
2.
Configure the type of the service to be monitored and number of the monitoring port on
the NQA server.
3.
Configure a Jitter NQA test instance on the NQA client.
4.
Enable the LPU to send packets on the NQA client.
Data Preparation
l
Host address on the server
Number of the port used for monitoring UDP services on the server
Procedure
Step 1 Configure reachable routes among ATNA, CX-B, and CX-C.
The configuration details are not mentioned here.
Step 2 Configure an NQA server for CX-C.
# Configure the IP address and number of the port used for monitoring UDP services on the
NQA server.
<CX-C> system-view

# Enable the NQA client and create a Jitter NQA test instance.
<ATNA> system-view
Issue 02 (2013-12-31)

564

Equipment
2 System Management
Step 4 Enable the LPU to send packets.

[ATNA-nqa-admin-jitter] hardware-based enable

Step 6 Check test results.

[ATNA-nqa-admin-jitter] display nqa results test-instance admin jitter
NQA entry(admin, jitter) :testflag is inactive ,testtype is jitter
NQA entry(admin, icmpjitter) :testflag is inactive ,testtype is icmpjitter
1 . Test 1 result
SendProbe:60
ResponseProbe:60
Completion :success
RTT Square Sum:14
NumOfRTT:60
Min Positive SD:0
Min Positive DS:1
Max Positive SD:0
Max Positive DS:1
Positive SD Sum:0
Positive DS Sum:1
Positive SD Square Sum :0
Positive DS Square Sum :1
Min Negative SD:1
Min Negative DS:0
Max Negative SD:1
Max Negative DS:0
Negative SD Sum:2
Negative DS Sum:0
Negative SD Square Sum :2
Negative DS Square Sum :0
Min Delay SD:0
Min Delay DS:0
Max Delay SD:0
Max Delay DS:0
Packet Loss SD:0
Packet Loss DS:0
Average of Jitter:1
NumberOfOWD:60
OWD SD Sum:0
OWD DS Sum:0
ICPIF value: 0
MOS-CQ value: 0
TimeStamp unit: ms
----End
Configuration Files
l

#
sysname ATNA
#
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
nqa test-instance admin jitter
test-type jitter
#
ip route-static 11.1.1.0 255.255.255.0 10.1.1.2
#
Issue 02 (2013-12-31)

565

Equipment
2 System Management
return

#
sysname CX-B
#
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
undo shutdown
ip address 11.1.1.1 255.255.255.0
#
return

#
sysname CX-C
#
undo shutdown
ip address 11.1.1.2 255.255.255.0
#
#
ip route-static 11.1.1.0 255.255.255.0 11.1.1.1
#
return
Example for Configuring the LSP Ping Test for the LDP Tunnel
This part provides examples for configuring an LSP ping test to check the operating status of
the LSP.
As shown in Figure 2-38,
l
Run OSPF on ATNA, CX-B and CX-C, enabling the three CX-s to advertise host routes
of loopback interfaces to each other.
Enable MPLS and MPLS LDP on ATNA, CX-B, and CX-C.
Enable MPLS and MPLS LDP on the POS interfaces connecting ATNA, CX-B, and CXC to trigger the setup of an LDP tunnel.
It is required to perform an NQA LSP Ping test to check the connectivity of the LSP between
ATNA and CX-C.
Issue 02 (2013-12-31)

566

Equipment
2 System Management
Figure 2-38 Networking diagram of LSP Ping test
area 0
Loopback1
1.1.1.9/32
Loopback1
2.2.2.9/32
GE0/2/0
10.1.1.1/24
Loopback1
3.3.3.9/32
GE2/0/0
10.2.1.1/24
GE1/0/0
10.1.1.2/24
ATNA
CX-B
GE1/0/0
10.2.1.2/24
CX-C
1.
2.
Configure CX-C as an NQA server.
3.
Create an LSP Ping test on ATNA.
Data Preparation
To complete the configuration, you need to configure the IP address and mask of the NQA server.
Procedure
mentioned here.)
# Enable the NQA client and create an LSP Ping test for the LDP tunnel.
<ATNA> system-view
[ATNA] nqa test-instance
[ATNA-nqa-admin-lspping]
admin lspping
test-type lspping
lsp-type ipv4
destination-address ipv4 3.3.3.9 lsp-masklen 32

[ATNA-nqa-admin-lspping] start now

[ATNA-nqa-admin-lspping] display nqa results test-instance admin lspping
Issue 02 (2013-12-31)

567

Equipment
2 System Management
NQA entry(admin, lspping) :testFlag is inactive ,testtype is lspping

1 . Test 1 result
Completion:success
Attempts number:1
Lost packet ratio:0%
----End
Configuration Files
l

#
sysname ATNA
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
nqa test-instance admin lspping
test-type lspping
destination-address ipv4 3.3.3.9 lsp-masklen 32
#
return

#
sysname CX-B
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Pos1/0/0
link-protocol ppp
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
link-protocol ppp
ip address 10.2.1.1 255.255.255.0
mpls
mpls ldp
Issue 02 (2013-12-31)

568

Equipment
2 System Management
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
return

#
sysname CX-C
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Pos1/0/0
link-protocol ppp
ip address 10.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 10.2.1.0 0.0.0.255
#
Return
Example for Configuring the LSP Jitter Test for the LDP Tunnel
This part provides examples for configuring an LSP jitter test to measure jitter in the LSP during
the packet transmission.
As shown in Example for Configuring the Jitter Test,
l
Run OSPF on ATNA, CX-B, and CX-C, and enable the three CX-s to advertise host routes
Enable MPLS and MPLS LDP on ATNA, CX-B, and CX-C.
Enable MPLS and MPLS LDP on the POS interfaces connecting ATNA, CX-B, and CXC to trigger the setup of an LDP tunnel.
It is required to perform an NQA LSP Jitter test to check the connectivity of the LSP between
ATNA and CX-C.
1.
Issue 02 (2013-12-31)

569

Equipment
2.
Configure CX-C as an NQA server.
3.
Create an LSP Jitter test on ATNA.
2 System Management
Data Preparation
To complete the configuration, you need to configure the IP address and mask of the NQA server.
Procedure
Step 1 Configure routes between ATNA, CX-B, and CX-C. (The detailed procedure is not mentioned
here.)
Step 2 Configure LDP on ATNA, CX-B, and CX-C. (The detailed procedure is not mentioned here.)
For the configuration of LDP, refer to the Configuration Guide - MPLS.
Step 3 Configure ATNA as the NQA client.
# Enable the NQA client and create an LSP Jitter test for the LDP tunnel.
<ATNA> system-view
[ATNA] nqa test-instance admin lspjitter
[ATNA-nqa-admin-lspjitter] test-type lspjitter
[ATNA-nqa-admin-lspjitter] lsp-type ipv4
[ATNA-nqa-admin-lspjitter] destination-address ipv4 3.3.3.9 lsp-masklen 32 lsploopback 127.0.0.1

[ATNA-nqa-admin-lspjitter] start now

[ATNA-nqa-admin-lspjitter] display nqa results test-instance admin lspjitter
NQA entry(admin, lspjitter) :testflag is inactive ,testtype is lspjitter
1 . Test 1 result
SendProbe:60
ResponseProbe:60
Completion :success
RTT Square Sum:60
NumOfRTT:60
Min Positive SD:0
Max Positive SD:0
Positive SD Sum:0
Min Negative SD:0
Max Negative SD:1
Negative SD Sum:1
Packet Loss Ratio:0%
----End
Configuration Files
l

#
sysname ATNA
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
Issue 02 (2013-12-31)

570

Equipment
2 System Management
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
nqa test-instance admin lspjitter
test-type lspjitter
destination-address ipv4 3.3.3.9 lsp-masklen 32 lsp-loopback 127.0.0.1
#
return

#
sysname CX-B
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Pos1/0/0
link-protocol ppp
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
link-protocol ppp
ip address 10.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
return

#
sysname CX-C
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Pos1/0/0
link-protocol ppp
ip address 10.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
Issue 02 (2013-12-31)

571

Equipment
2 System Management
ip address 3.3.3.9 255.255.255.255

#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 10.2.1.0 0.0.0.255
#
Return
Example for Configuring the LSP Jitter Test for the MPLS TE Tunnel
This part provides examples for configuring an LSP jitter test to measure jitter in the TE LSP
during the packet transmission.
As shown in Example for Configuring the Jitter Test,
l
Run OSPF on ATNA, CX-B, and CX-C, and enable the three CX-s to advertise host routes
Enable MPLS, MPLS TE, and MPLS RSVP-TE on ATNA, CX-B, and CX-C.
Enable MPLS, MPLS TE, and MPLS RSVP-TE on the POS interfaces connecting ATNA,
CX-B and CX-C to set up a TE tunnel from ATNA and CX-C.
It is required to perform an NQA LSP Jitter test to check the connectivity of the TE tunnel from
ATNA to CX-C.
1.
2.
Create an LSP Jitter test on ATNA.
Data Preparation
To complete the configuration, you need the number of the MPLS TE tunnel interface.
Procedure
here.)
Step 2 Configure MPLS RSVP-TE on ATNA, CX-B, and CX-C. (The detailed procedure is not
mentioned here.)
For the configuration of MPLS RSVP-TE, refer to the Configuration Guide - MPLS.
Step 3 Set up a TE tunnel from ATNA to CX-C. (The detailed procedure is not mentioned here.)
Step 4 Create an NQA test on ATNA.
# Enable the NQA client and create an LSP Jitter test for the TE tunnel.
<ATNA> system-view
[ATNA] nqa test-instance admin lspjitter
Issue 02 (2013-12-31)

572

Equipment
2 System Management
[ATNA-nqa-admin-lspjitter] test-type lspjitter

[ATNA-nqa-admin-lspjitter] lsp-type te
[ATNA-nqa-admin-lspjitter] lsp-tetunnel tunnel 0/2/0

[ATNA-nqa-admin-lspjitter] start now

[ATNA-nqa-admin-lspjitter] display nqa results test-instance admin lspjitter
NQA entry(admin, lspjitter) :testflag is inactive ,testtype is lspjitter
1 . Test 1 result
SendProbe:60
ResponseProbe:60
Completion :success
RTT Square Sum:60
NumOfRTT:60
Min Positive SD:0
Max Positive SD:0
Positive SD Sum:0
Min Negative SD:0
Max Negative SD:1
Negative SD Sum:1
----End
Configuration Files
l

#
sysname ATNA
#
mpls lsr-id 1.1.1.9
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
ip address 10.1.1.1 255.255.255.0
mpls
mpls te
mpls te bandwidth max-reservable-bandwidth 10000
mpls te bandwidth bc0 5000
mpls rsvp-te
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
destination 3.3.3.9
mpls te bandwidth ct0 3000
mpls te commit
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
mpls-te enable
#
Issue 02 (2013-12-31)

573

Equipment
2 System Management
nqa admin test-instance admin lsptrace

test-type lsptrace
lsp-type te
lsp-tetunnel Tunnel0/2/0
#
return

#
sysname CX-B
#
mpls lsr-id 2.2.2.9
mpls
mpls te
mpls rsvp-te
#
interface Pos1/0/0
link-protocol ppp
ip address 10.1.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Pos2/0/0
link-protocol ppp
ip address 10.2.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
mpls-te enable
#
return

#
sysname CX-C
#
mpls lsr-id 3.3.3.9
mpls
mpls te
mpls rsvp-te
#
interface Pos1/0/0
link-protocol ppp
ip address 10.2.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
Issue 02 (2013-12-31)

574

Equipment
2 System Management
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 10.2.1.0 0.0.0.255
mpls-te enable
#
return
Example for Configuring an ICMP Jitter Test

This part provides examples for configuring an ICMP jitter test to measure jitter on the network.
A server is not required in an ICMP jitter test and the peer device in the test instance can be nonHuawei devices.
ATNA serves as the NQA client to test the jitter of the network between ATNA and CX-B.
Figure 2-39 Networking diagram of an ICMP jitter test
GE0/2/0
10.1.1.1/24
10.1.1.2/24
GE1/0/0
ATNA
CX-B
1.
Configure ATNA as the NQA client and create an ICMP jitter test instance on ATNA.
2.
Configure CX-B as the NQA server.
Data Preparation
l
IP address of CX-B
Procedure
Step 1 Configure a reachable route between ATNA and CX-B.
Step 2 Configure an NQA test instance for ATNA.
# Enable the NQA client and configure the ICMP jitter test instance.
Issue 02 (2013-12-31)

575

Equipment
2 System Management
<ATNA> system-view
[ATNA] nqa test-instance admin icmpjitter
[ATNA-nqa-admin-icmpjitter] test-type icmpjitter
[ATNA-nqa-admin-icmpjitter] destination-address ipv4
10.1.1.2

[ATNA-nqa-admin-icmpjitter] start now

[ATNA-nqa-admin-icmpjitter] display nqa results test-instance admin icmpjitter
NQA entry(icmp, icmpjitter) :testflag is inactive ,testtype is
icmpjitter
1 . Test 1 result
The test is
finished
SendProbe:60
ResponseProbe:
Completion:failed
RTD OverThresholds number:
OWD OverThresholds DS number:
RTT Square Sum:
NumOfRTT:0
Drop operation number:
RTT Stats errors number:
Operation timeout number:
Min Positive SD:0
Min Positive DS:
Max Positive SD:0
Max Positive DS:
Positive DS Number:
Positive SD Sum:0
Positive DS Sum:
Positive DS Square Sum:
Min Negative SD:0
Min Negative DS:
Max Negative SD:0
Max Negative DS:
Negative DS Number:
Negative SD Sum:0
Negative DS Sum:
Negative DS Square Sum:
Min Delay SD:0
Min Delay DS:
Avg Delay SD:0
Avg Delay DS:
Max Delay SD:0
Max Delay DS:
Delay DS Square Sum:
Packet Loss SD:0
Packet Loss DS:
Average of Jitter:
Average of Jitter DS:
0
0
0
0
60
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0.0000000
NumberOfOWD:0
100%
Issue 02 (2013-12-31)
Jitter in value:
Packet Loss Ratio:

576

Equipment
2 System Management
OWD SD Sum:0
OWD DS Sum:
ICPIF value: 0
MOS-CQ value:
TimeStamp unit: ms
Packet Rewrite Number:
Packet Disorder Number:
Fragment-disorder Number:
Jitter OverThresholds SD number:
Jitter OverThresholds DS number:0
OverallOverThresholds number:0
0
0
0
0
0
0
----End
Configuration Files
l

#
sysname ATNA
#
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
nqa test-instance admin icmpjitter
#
return

#
sysname CX-B
#
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
return
Example for Configuring an ICMP Jitter Test Based on the Mechanism in Which
the LPU Sends Packets
This part provides examples for configuring an ICMP jitter test based on the mechanism in which
the LPU sends packets to obtain detailed jitter information about IP networks.
ATNA serves as the NQA client to test the jitter of the network between ATNA and CX-B. The
accuracy of the test can be improved by enabling the LPU to send packets.
Issue 02 (2013-12-31)

577

Equipment
2 System Management
Figure 2-40 Networking diagram of an ICMP jitter test based on the mechanism in which the
LPU sends packets
GE0/2/0
10.1.1.1/24
GE1/0/0
10.1.1.2/24
CX-B
ATNA
1.
Configure ATNA as the NQA client and create an ICMP jitter test instance on ATNA.
2.
Configure CX-B as the NQA server.
3.
Enable the LPU to send packets on ATNA.
Data Preparation
l
IP addresses of ATNA and CX-B
Procedure
Step 1 Configure a reachable route between ATNA and CX-B.
Step 2 Configure CX-B as the ICMP server.
# Assign an IP address to the ICMP server.
<CX-B> system-view
[CX-B] nqa-server icmp-server 10.1.1.2

# Enable the NQA client and configure the ICMP jitter test instance.
<ATNA> system-view
[ATNA-nqa-admin-icmpjitter] destination-address ipv4
10.1.1.2
Step 4 Enable the LPU to send packets.

[ATNA-nqa-admin-icmpjitter] hardware-based enable


<ATNA> display nqa results test-instance admin icmpjitter
1 . Test 1 result
SendProbe:60
ResponseProbe:60
Completion :success
Issue 02 (2013-12-31)

578

Equipment
NumOfRTT:60
Min Positive SD:0
Max Positive SD:0
Positive SD Sum:0
Min Negative SD:1
Max Negative SD:1
Negative SD Sum:2
Min Delay SD:0
Max Delay SD:0
Packet Loss SD:0
NumberOfOWD:60
OWD SD Sum:0
ICPIF value: 0
TimeStamp unit: ms
2 System Management
RTT Square Sum:14
Min Positive DS:1
Max Positive DS:1
Positive DS Sum:1
Min Negative DS:0
Max Negative DS:0
Negative DS Sum:0
Min Delay DS:0
Max Delay DS:0
Packet Loss DS:0
Average of Jitter:1
OWD DS Sum:0
MOS-CQ value: 0
----End
Configuration Files
l

#
sysname ATNA
#
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
hardwar-based enable
#
return

#
sysname CX-B
#
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
nqa-server icmp-server 10.1.1.2
#
return
Issue 02 (2013-12-31)

579

Equipment
2 System Management
Example for Configuring a Path Jitter Test

This part provides examples for configuring a path jitter test to measure jitter along the packet
transmission path.
ATNA serves as the NQA client to test the jitter of the network between ATNA and CX-C.
Figure 2-41 Networking diagram of a path jitter test
GE0/2/0
10.1.1.1/24
GE1/0/0
10.1.1.2/24
ATNA
GE2/0/0
11.1.1.1/24
GE1/0/0
11.1.1.2/24
CX-B
CX-C
1.
Configure ATNA as the NQA client and create a path jitter test instance on ATNA.
2.
Configure CX-C as the NQA server.
Data Preparation
l
IP addresses of ATNA, CX-B, and CX-C
Procedure
Step 1 Configure a reachable route between ATNA and CX-C.
# Enable the NQA client and configure the path jitter test instance.
<ATNA> system-view
[ATNA] nqa test-instance admin pathjitter
[ATNA-nqa-admin-pathjitter] test-type pathjitter
[ATNA-nqa-admin-pathjitter] destination-address ipv4 11.1.1.2
[ATNA-nqa-admin-pathjitter] icmp-jitter-mode icmp-echo

[ATNA-nqa-admin-pathjitter] start now

Issue 02 (2013-12-31)

580

Equipment
2 System Management
[ATNA-nqa-admin-pathjitter] display nqa results test-instance admin pathjitter

NQA entry(admin, pathjitter) ::testflag is inactive ,testtype is pathjitter
Current Status:CLOSE
1 . Test 1 result
Trace Completion Status:success
1 . Hop 1
Jitter Completion Status:success
Jitter Finish Status:finished
SendProbe:60
ResponseProbe:60
RTT Square Sum:111
NumOfRTT:60
Min Positive SD:1
Min Positive DS:2
Max Positive SD:1
Max Positive DS:2
Positive SD Sum:10
Positive DS Sum:2
Min Negative SD:0
Min Negative DS:0
Max Negative SD:0
Max Negative DS:0
Negative SD Sum:0
Negative DS Sum:0
Max Delay SD:2
Max Delay DS:3
Average of Jitter:1
NumberOfOWD:60
OWD SD Sum:11
OWD DS Sum:62
2 . Hop 2
Jitter Completion Status:success
Jitter Finish Status:finished
SendProbe:60
ResponseProbe:60
RTT Square Sum:634
NumOfRTT:60
Min Positive SD:1
Min Positive DS:1
Max Positive SD:6
Max Positive DS:6
Positive SD Sum:9
Positive DS Sum:24
Min Negative SD:0
Min Negative DS:0
Max Negative SD:0
Max Negative DS:0
Negative SD Sum:0
Negative DS Sum:0
Max Delay SD:7
Max Delay DS:7
Average of Jitter:1
NumberOfOWD:60
OWD SD Sum:70
OWD DS Sum:100
----End
Configuration Files
l

#
sysname ATNA
#
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
ospf 2
area 0.0.0.0
Issue 02 (2013-12-31)

581

Equipment
2 System Management
network 10.1.1.0 0.0.0.255

#
nqa test-instance admin pathjitter
test-type pathjitter
icmp-jitter-mode icmp-echo
#
return

#
sysname CX-B
#
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
undo shutdown
ip address 11.1.1.1 255.255.255.0
#
ospf 11
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 11.1.1.0 0.0.0.255
#
return

#
sysname CX-C
#
undo shutdown
ip address 11.1.1.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 11.1.1.0 0.0.0.255
#
return
Example for Configuring a Path MTU Test

This part provides examples for configuring a path MTU test to check the MTU of the packet
transmission path.
ATNA serves as the NQA client to test the MUT of the path between ATNA and CX-C.
Figure 2-42 Networking diagram of the path MTU test
GE0/2/0
10.1.1.1/24
ATNA
Issue 02 (2013-12-31)
GE1/0/0
10.1.1.2/24
GE2/0/0
11.1.1.1/24
CX-B

GE1/0/0
11.1.1.2/24
CX-C
582

Equipment
2 System Management
1.
Configure ATNA as the NQA client and create a path MTU test instance on ATNA.
2.
Data Preparation
l
IP addresses of ATNA, CX-B, and CX-C
Procedure
Step 1 Configure a reachable route between ATNA and CX-C
# Enable the NQA client and configure the path MTU test instance.
<ATNA> system-view
[ATNA] nqa test-instance admin pathmtu
[ATNA-nqa-admin-pathmtu] test-type pathmtu
[ATNA-nqa-admin-pathmtu] destination-address ipv4
11.1.1.2

[ATNA-nqa-admin-pathmtu] start now

[ATNA-nqa-admin-pathmtu] display nqa results test-instance admin pathmtu
NQA entry(admin, pathmtu) ::testflag is inactive ,testtype is pathmtu
1 . Test 0 result
Completions: success
Busies: 0
Destination-address: 11.1.1.2
Discovery field min: 48 byte
Discovery field max: 1500 byte
Drops: 0
MTU: 1492
Response probe: 41
Send probe: 47
Optimum first step: 38 byte
Second step: 10 byte
Timeouts: 6
----End
Configuration Files
l

#
sysname ATNA
#
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
ospf 2
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
Issue 02 (2013-12-31)

583

Equipment
2 System Management
nqa test-instance admin pathmtu

test-type pathmtu
#
return

#
sysname CX-B
#
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
undo shutdown
ip address 11.1.1.1 255.255.255.0
#
ospf 11
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 11.1.1.0 0.0.0.255
#
return

#
sysname CX-C
#
undo shutdown
ip address 11.1.1.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 11.1.1.0 0.0.0.255
#
return
Example for Configuring the LSP Traceroute Test for the MPLS TE Tunnel
This part provides examples for configuring an LSP traceroute test to check the connectivity
between LSRs along the TE LSP.
l
Run OSPF on ATNA, CX-B and CX-C, enabling them to advertise host routes of loopback
interfaces.
Enable MPLS and MPLS RSVP-TE on ATNA, CX-B and CX-C.
Enable MPLS, MPLS TE and MPLS RSVP-TE on the POS interfaces connecting ATNA,
CX-B and CX-C. A TE tunnel then is set up between ATNA and CX-C.
Use the NQA LSP Traceroute function to test the TE tunnel.
Issue 02 (2013-12-31)

584

Equipment
2 System Management
Figure 2-43 Networking diagram of the LSP Traceroute test
area 0
Loopback1
1.1.1.9/32
Loopback1
2.2.2.9/32
GE0/2/0
10.1.1.1/24
Loopback1
3.3.3.9/32
GE2/0/0
10.2.1.1/24
GE1/0/0
10.1.1.2/24
ATNA
CX-B
GE1/0/0
10.2.1.2/24
CX-C
1.
Configure ATNA as the NQA client. Create an LSP Traceroute on ATNA.
2.
Data Preparation
To complete the configuration, you need the TE tunnel ID.
Procedure
Step 1 Configure reachable routes ATNA, CX-B and CX-C. (The detailed procedure is not mentioned
here.)
Step 2 Configure MPLS RSVP-TE on ATNA, CX-B and CX-C. (The detailed procedure is not
mentioned here.)
For the configuration of MPLS RSVP-TE, refer to the Configuration Guide - MPLS.
Step 3 Set up a TE tunnel between ATNA and CX-C. (The detailed procedure is not mentioned here.)
Step 4 Create an NQA test on ATNA.
# Enable the NQA client and create an LSP Traceroute test for the TE tunnel.
<ATNA> system-view
[ATNA] nqa test-instance admin lsptracert
[ATNA-nqa-admin-lsptracert] test-type lsptracert
[ATNA-nqa-admin-lsptracert] lsp-type te
[ATNA-nqa-admin-lsptracert] lsp-tetunnel tunnel 0/2/0
Issue 02 (2013-12-31)

585

Equipment
2 System Management

[ATNA-nqa-admin-lsptrace] start now

[ATNA-nqa-admin-lsptrace] display nqa results test-instance admin lsptrace
NQA entry(admin, lsptrace) :testFlag is inactive ,testtype is lsptrace
1 . Test 1 result
Completion:success
Attempts number:1
1 . Hop 1
2 . Hop 2
----End
Configuration Files
l

#
sysname ATNA
#
mpls lsr-id 1.1.1.9
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
ip address 10.1.1.1 255.255.255.0
mpls
mpls te
mpls te bandwidth 5000
mpls rsvp-te
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
destination 3.3.3.9
mpls te bandwidth ct0 3000
mpls te commit
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
Issue 02 (2013-12-31)

586

Equipment
2 System Management
network 1.1.1.9 0.0.0.0

mpls-te enable
#
nqa test-instance admin lsptrace
test-type lsptrace
lsp-type te
lsp-tetunnel Tunnel0/2/0
#
return

#
sysname CX-B
#
mpls lsr-id 2.2.2.9
mpls
mpls te
mpls rsvp-te
#
interface Pos1/0/0
link-protocol ppp
ip address 10.1.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Pos2/0/0
link-protocol ppp
ip address 10.2.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
mpls-te enable
#
return

#
sysname CX-C
#
mpls lsr-id 3.3.3.9
mpls
mpls te
mpls rsvp-te
#
ip address 10.2.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
Issue 02 (2013-12-31)

587

Equipment
2 System Management
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 10.2.1.0 0.0.0.255
mpls-te enable
#
Return
Example for Configuring the PWE3 Ping Test on a One-Hop PW

This part provides examples for configuring a PWE3 ping test to check the connectivity of a
single-hop PW connecting two PEs.
As shown in Figure 2-44, NodeB and RNC respectively access PE-A and PE-B through Virtual
Local Area Network (VLANs). PE-A and PE-B are linked through the Multi-Protocol Label
Switch (MPLS) backbone network. A dynamic PW is set up between PE-A and PE-B through
an LSP.
In such a scenario, you can perform a PWE3 Ping test to check the connectivity of the one-hop
PW.
Figure 2-44 Networking diagram of configuring a PWE3 Ping test on a one-hop PW
MPLS
Backbone
Loopback0
192.2.2.2/32
Loopback0
192.4.4.4/32
GE0/2/1
10.1.1.1/24
GE1/0/0
PE-A GE0/2/0.1 10.1.1.2/24
P
PW
GE2/0/0
10.2.2.2/24
GE2/0/0
10.2.2.1/24 GE1/0/0.1 PE-B
GE1/0/0.1
100.1.1.1/24
VLAN1
NodeB
Issue 02 (2013-12-31)
Loopback0
192.3.3.3/32

GE1/0/0.1
100.1.1.2/24
VLAN2
RNC
588

Equipment
2 System Management
1.
Run IGP on the backbone network to implement communication between CX devices.
2.
Configure the basic MPLS functions on the backbone network and set up an LSP. Establish
MPLS LDP peer relationship between the PEs on both ends of the PW.
3.
Set up an MPLS L2VC between the PEs.
4.
On PE-A, configure a PWE3 Ping test for the one-hop PW.
Data Preparation
To complete the configuration, you need the following data.
l
L2VC IDs of both ends of the PW
MPLS LSR IDs of the PEs and P
IP address of the peer

NOTE
L2VC IDs of both ends of the PW must be consistent.
Procedure
Step 1 Configure a dynamic PW.
For details about configuring a one-hop PW on the MPLS backbone network, refer to the chapter
"PWE3 Configuration" in the Configuration Guide - VPN.
Step 2 Configure a PWE3 Ping test on the one-hop PW.
# Configure PE-A.
<PE-A> system-view
[PE-A] nqa test-instance
[PE-A-nqa-test-pwe3ping]
test pwe3ping
test-type pwe3ping
local-pw-id 100
local-pw-type vlan
label-type control-word

[PE-A-nqa-test-pwe3ping] start now
Step 4 View the test result.

Running the display nqa results command on PEs, you can find that the test succeeds.
[PE-A-nqa-test-pwe3ping] display nqa results
NQA entry(test, pwe3ping) :testFlag is inactive ,testtype is pwe3ping
1 . Test 1 result
Completion:success
OverThresholds number: 0
Attempts number:1
Issue 02 (2013-12-31)

589

Equipment
2 System Management
----End
Configuration Files
l
Configuration file of NodeB

#
interface GigabitEthernet1/0/0.1
undo shutdown
vlan-type dot1q 1
ip address 100.1.1.1 255.255.255.0
#
return
Configuration file of PE-A

#
sysname PE-A
#
mpls lsr-id 192.2.2.2
mpls
#
mpls l2vpn
#
mpls ldp
#
mpls ldp remote-peer 192.3.3.3
remote-ip 192.3.3.3
#
pw-template wwt
peer-address 192.3.3.3
control-word
interface GigabitEthernet 0/2/0.1
undo shutdown
mpls l2vc 192.3.3.3 pw-template wwt 100
#
undo shutdown
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 192.2.2.2 0.0.0.0
#
nqa test-instance test pwe3ping
test-type pwe3ping
local-pw-id 100
local-pw-type vlan
label-type control-word
#
ospf 1
area 0.0.0.0
network 192.2.2.2 255.255.255.255
network 10.1.1.0 0.0.0.255
#
return
Configuration file of P
#
sysname P
#
mpls
#
mpls ldp
Issue 02 (2013-12-31)

590

Equipment
2 System Management
#
undo shutdown
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
undo shutdown
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 192.4.4.4 255.255.255.255
#
ospf 1
area 0.0.0.0
network 192.4.4.4 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return
Configuration file of PE-B

#
sysname PE-B
#
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 192.2.2.2
#
undo shutdown
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
pw-template wwt
control-word
undo shutdown
#
interface LoopBack0
ip address 192.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 192.3.3.3 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return
Configuration file of RNC

#
vlan-type dot1q 2
ip address 100.1.1.2 255.255.255.0
#
Issue 02 (2013-12-31)

591

Equipment
2 System Management
return
Example for Configuring the PWE3 Trace Test on a One-Hop PW

This part provides examples for configuring a PWE3 trace test to check the communications
between devices on a PW.
As shown in Figure 2-45, NodeB and RNC respectively access PE-A and PE-B through VLANs.
PE-A and PE-B are linked through the MPLS backbone network. A dynamic PW is set up
between PE-A and PE-B through an LSP.
In such a scenario, you can perform a PWE3 Trace test to check the connectivity of the one-hop
PW.
Figure 2-45 Networking diagram of configuring a PWE3 Trace test on a one-hop PW
MPLS
Backbone
Loopback0
192.2.2.2/32
PE-A
Loopback0
192.3.3.3/32
Loopback0
192.4.4.4/32
GE0/2/1
10.1.1.1/24
GE1/0/0
GE0/2/0.1 10.1.1.2/24
P
PW
GE2/0/0
10.2.2.2/24
GE2/0/0
10.2.2.1/24 GE1/0/0.1 PE-B
GE1/0/0.1
100.1.1.2/24
GE1/0/0.1
100.1.1.1/24
VLAN1
VLAN2
NodeB
RNC
1.
Run IGP on the backbone network to implement communication between CX devices.
2.
Configure the basic MPLS functions on the backbone network and set up an LSP. Establish
MPLS LDP peer relationship between the PEs on both ends of the PW.
3.
Set up an MPLS L2VC between the PEs.
4.
On PE-A, configure a PWE3 Trace test for the one-hop PW.
Issue 02 (2013-12-31)

592

Equipment
2 System Management
Data Preparation
l
L2VC IDs of both ends of the PW
MPLS LSR IDs of the PEs and P
IP address of the peer

NOTE
L2VC IDs of both ends of the PW must be consistent.
Procedure
Step 1 Configure a one-hop PW.
For details about configuring a one-hop PW on the MPLS backbone network, refer to the chapter
"PWE3 Configuration" in the Configuration Guide - VPN.
Step 2 Configure the PWE3 Trace test on a one-hop PW.
# Configure PE-A.
<PE-A> system-view
[PE-A] nqa test-instance test pwe3trace
[PE-A-nqa-test-pwe3trace] test-type pwe3trace
[PE-A-nqa-test-pwe3trace] local-pw-type vlan
[PE-A-nqa-test-pwe3trace] local-pw-id 100

[PE-A-nqa-test-pwe3trace] start now
Step 4 View the test result.

Running the display nqa history command on PEs, you can find that the test status is "Success".
[PE-A-nqa-test-pwe3trace] display nqa history
NQA entry(test, pwe3trace) history:
Index T/H/P
Response Status
Address
1
1/1/1
4 success
10.1.1.2
2
1/1/2
5 success
10.1.1.2
3
1/1/3
3 success
10.1.1.2
4
1/2/1
6 success
3.3.3.9
5
1/2/2
6 success
3.3.3.9
6
1/2/3
6 success
3.3.3.9
Time
2006-9-30 9:33:3.301
2006-9-30 9:33:3.307
2006-9-30 9:33:3.311
2006-9-30 9:33:3.318
2006-9-30 9:33:3.324
2006-9-30 9:33:3.331
Running the display nqa results command on PEs, you can find that the test succeeds.
[PE-A-nqa-test-pwe3trace] display nqa results
NQA entry(test, pwe3trace) :testFlag is inactive ,testtype is pwe3trace
1 . Test 1 result
Completion:success
Attempts number:1
1 . Hop 1
Issue 02 (2013-12-31)

593

Equipment
2 System Management

2 . Hop 2
----End
Configuration Files
l
Configuration file of NodeB

#
vlan-type dot1q 1
ip address 100.1.1.1 255.255.255.0
#
return
Configuration file of PE-A

#
sysname PE-A
#
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 192.3.3.3
#
pw-template wwt
control-word
vlan-type dot1q 2
#
undo shutdown
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 192.2.2.2 0.0.0.0
#
nqa test-instance test pwe3trace
test-type pwe3trace
local-pw-type vlan
local-pw-id 100
#
ospf 1
area 0.0.0.0
network 192.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
#
Issue 02 (2013-12-31)

594

Equipment
2 System Management
sysname P
#
mpls
#
mpls ldp
#
undo shutdown
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
undo shutdown
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
undo shutdown
ip address 192.4.4.4 255.255.255.255
#
ospf 1
area 0.0.0.0
network 192.4.4.4 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return
Configuration file of PE-B

#
sysname PE-B
#
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 192.2.2.2
#
undo shutdown
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
pw-template wwt
control-word
vlan-type dot1q 2
#
interface LoopBack0
ip address 192.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 192.3.3.3 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return
Issue 02 (2013-12-31)

595

Equipment
2 System Management

#
vlan-type dot1q 2
ip address 100.1.1.2 255.255.255.0
#
return
Example for Sending Trap Message When Transmission Delay Exceeds Thresholds
This part provides example for setting an alarm threshold for test results. This can help the
network administrator better understand the device status.
Create a Jitter test based on the networking diagram shown in Figure 2-46. Configure a
transmission delay threshold and enable the trap function. After the Jitter test is completed, if
the test result shows that the delay of some test packets from ATNA to CX-C (or from CX-C to
ATNA) exceeds the uni-directional transmission delay, or the round-trip transmission delay
threshold, ATNA sends a trap message to the NM station. Based on the received trap message,
the NM station can clearly find the cause of the fault.
Figure 2-46 Networking diagram of enabling the trap function when the transmission delay
exceeds the threshold
NM Station
20.1.1.2/24
GE0/2/1
20.1.1.1/24
ATNA
CX-B
GE 0/2/0 GE 1/0/0
10.1.1.1/24 10.1.1.2/24
GE2/0/0
30.1.1.1/24
GE 2/0/0
30.1.1.2/24
CX-C
NQA Server
NOTE
For clock synchronization, refer to the chapter "NTP" in the Feature Description - Clock.
1.
Set a transmission delay threshold.
2.
Enable the trap function.
3.
Enable sending trap messages to the NM station.
Issue 02 (2013-12-31)

596

Equipment
2 System Management
Data Preparation
l
IP address and port number of the NQA server
Monitoring service type and the port number to be monitored
Uni-directional transmission delay and round-trip transmission delay
Procedure
here.)
Step 2 Create a Jitter test.
# Configure CX-C as an NQA server and set the IP address and UDP port number monitored
by the NQA server.
<CX-C> system-view
# Configure ATNA as an NQA client and create a Jitter test on ATNA.

<ATNA> system-view
[ATNA] nqa test-instance test jitter
Step 3 Configure the transmission delay threshold.

# Configure the round-trip transmission delay threshold on ATNA.
[ATNA -nqa-test-jitter] threshold rtd 20
# Configure the uni-directional transmission (from the destination to the source) delay threshold
on ATNA.
[ATNA -nqa-test-jitter] threshold owd-ds 100
# Configure the uni-directional transmission (from the source to the destination) delay threshold
on ATNA.
[ATNA -nqa-test-jitter] threshold owd-sd 100
Step 4 Enable the trap function.

[ATNA -nqa-test-jitter] send-trap owd-ds owd-sd rtd
Step 5 Enable sending trap messages to the NM station.

[ATNA] snmp trap enable feature-name nqa trap-name
nqajitterstatsrtdthresholdnotification
nqajitterstatsowdthresholdnotificationds
nqajitterstatsowdthresholdnotificationsd
[ATNA] snmp-agent target-host trap address udp-domain 20.1.1.2 params securityname
public v2c
Step 6 Start the Jitter test.

Issue 02 (2013-12-31)

597

Equipment
2 System Management

[ATNA-nqa-admin-jitter] quit
[ATNA] quit

# View the NQA test results on ATNA.
<ATNA> display nqa result
NQA entry(test, jitter) :testflag is inactive ,testtype is jitter
1 . Test 1 result
SendProbe:60
ResponseProbe:60
Completion:success
RTT Square Sum:60
NumOfRTT:60
Min Positive SD:0
Min Positive DS:1
Max Positive SD:0
Max Positive DS:1
Positive SD Sum:0
Positive DS Sum:5
Min Negative SD:0
Min Negative DS:1
Max Negative SD:0
Max Negative DS:1
Negative SD Sum:0
Negative DS Sum:6
Min Delay SD:0
Min Delay DS:0
Max Delay SD:0
Max Delay DS:0
Packet Loss SD:0
Packet Loss DS:0
Average of Jitter:1
NumberOfOWD:60
OWD SD Sum:0
OWD DS Sum:0
ICPIF value: 0
MOS-CQ value: 0
# Check whether the trap buffer contains the trap message.

<ATNA> display trapbuffer
Trapping Buffer Configuration and contents:enabled
allowed max buffer size : 1024
actual buffer size : 256
channel number : 3 , channel name : trapbuffer
dropped messages : 0
overwritten messages : 2550
current messages : 256
#Jul 9 00:28:34 2010 HUAWEI NQA/4/RTDTHRESHOLD:OID 1.3.6.1.4.1.2011.5.25.111.6.16
NQA entry RTD over threshold. (OwnerIndex=admin, TestName=jitter)
#Jul 9 00:28:34 2010 HUAWEI NQA/4/SDTHRESHOLD:OID 1.3.6.1.4.1.2011.5.25.111.6.17
NQA entry OWD-SD over threshold. (OwnerIndex=admin, TestName=jitter)
#Jul 9 00:28:34 2010 HUAWEI NQA/4/DSTHRESHOLD:OID 1.3.6.1.4.1.2011.5.25.111.6.
18 NQA entry OWD-DS over threshold. (OwnerIndex=admin, TestName=jitter)
----End
Configuration Files
l
Configuration files of ATNA

#
sysname ATNA
#
Issue 02 (2013-12-31)

598

Equipment
2 System Management
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
undo shutdown
ip address 20.1.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.0
#
nqa test-instance test jitter
test-type jitter
threshold rtd 20
threshold owd-sd 100
threshold owd-ds 100
send-trap rtd
send-trap owd-sd
send-trap owd-ds
#
snmp-agent
snmp-agent local-engineid 000007DB7F00000100007B29
public v2c
#
return
Configuration files of CX-B

#
sysname CX-B
#
interface Pos1/0/0
link-protocol ppp
ip address 10.1.1.2 255.255.255.0
#
interface Pos2/0/0
link-protocol ppp
ip address 30.1.1.1 255.255.255.0
#
ospf 1
area 0.0.0.1
network 10.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return
Configuration files of CX-C

#
sysname CX-C
#
interface Pos1/0/0
link-protocol ppp
ip address 30.1.1.2 255.255.255.0
#
#
ospf 1
area 0.0.0.1
network 30.1.1.0 0.0.0.255
#
return
Issue 02 (2013-12-31)

599

Equipment
2 System Management
Example for Configuring Test Results to Be Sent to the FTP Server

This part provides examples for sending send test results to the FTP server to save test results
to the most extent.
As shown in Figure 2-47, ATNA serves as the client to perform the ICMP test and send test
results to the FTP server through FTP.
Figure 2-47 Networking diagram of sending test results to the FTP server
FTP server
11.1.2.8/24
GE0/2/1
11.1.2.1/24
GE1/0/0
11.1.1.10/24
GE0/2/0
11.1.1.11/24
ATNA
CX-B
1.
Configure parameters for connecting the FTP server.
2.
Enable the FTP server to save test results through FTP.
3.
Configure the number of test results saved through FTP.
4.
Configure the duration of saving test results through FTP.
5.
Configure test results to be sent.
6.
Start the test instance.
7.
Verify the configuration.
Data Preparation
l
Number of test results saved through FTP
Duration of saving test results through FTP
Issue 02 (2013-12-31)

600

Equipment
2 System Management
Procedure
Step 1 Configure parameters for connecting the FTP server.
# Configure the IP address of the client that is connected to the FTP server.
<ATNA> system-view
[ATNA] nqa-ftp-record ip-address 11.1.2.8
# Configure the user name for logging into the FTP server.
[ATNA] nqa-ftp-record username ftp
[ATNA] nqa-ftp-record password ftp
# Configure the file name for saving test results.

[ATNA] nqa-ftp-record filename icmp
Step 2 Configure the number of test results to be saved in a file through FTP.
[ATNA] nqa-ftp-record item-num 10010
Step 3 Configure the duration of saving test results through FTP.

[ATNA] nqa-ftp-record time 2
Step 4 Send an alarm to the NM station after the FTP transmission succeeds.
[ATNA] nqa-ftp-record trap-enable
Step 5 Enable the FTP server to save NQA test results through FTP on Router A.
<ATNA> system-view
[ATNA] nqa-ftp-record enable
Step 6 Start the test instance.

[ATNA-admin-icmp] start now

# Display the NQA test results of each ATN.
<ATNA> display nqa-ftp-record configuration
---------------NQA FTP SAVE RECORD CONFIGURATION--------------FUNCTION: ENABLE
TRAP: ENABLE
IP-ADDRESS:11.1.1.8
VPN-INSTANCE:
USERNAME:ftp
PASSWORD:
FILENAME:icmp
ITEM-NUM:10010
TIME:2
LAST FINISHED FILENAME:icmp20080605-150350.txt
----End
Configuration Files
l

#
sysname ATNA
#
ip address 11.1.1.11 255.255.255.0
#
Issue 02 (2013-12-31)

601

Equipment
2 System Management
ip address 11.1.2.1 255.255.255.0

#
interface NULL0
#
aaa
#
#
#
domain default
#
nqa-ftp-record enable
nqa-ftp-record trap-enable
nqa-ftp-record ip-address 11.1.1.8
nqa-ftp-record username ftp
nqa-ftp-record password cipher %$%$gw1.QU~4M1I@ESF>b/VP,@7.%$%$
nqa-ftp-record filename icmp
nqa-ftp-record item-num 10010
nqa-ftp-record time 2
test-type icmp
frequency 5
#
snmp-agent
snmp-agent local-engineid 000007DB7F000001000021D7
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version all
wan
snmp-agent trap enable feature-name nqa trap-name nqaftpsaverecordnotification
#
#
return

#
sysname CX-B
#
ip address 11.1.1.10 255.255.255.0
#
return
Example for Configuring a Threshold for the NQA Alarm

This part provides examples for configuring the actions that the system needs to perform in
response to the threshold exceeding, such as generating logs, generating traps, or generating logs
and traps.
As shown in Figure 2-48, ATNA serves as the client to perform the ICMP jitter test and monitor
the packet loss ratio of the test result. If the ratio exceeds the threshold, an alarm is sent to the
NM station.
Issue 02 (2013-12-31)

602

Equipment
2 System Management
Figure 2-48 Networking diagram of configuring a threshold for the NQA alarm
NM Station
11.1.2.8/24
GE0/2/1
11.1.2.1/24
GE0/2/0
11.1.1.1/24
ATNA
GE1/0/0
11.1.1.20/24
CX-B
1.
Configure the event corresponding to the alarm threshold.
2.
Configure the alarm threshold.
3.
Configure alarms to be sent to the NM station.
4.
Start the test instance.
Data Preparation
l
Number of the event corresponding to the threshold
Upper threshold and lower threshold
Procedure
Step 1 Configure ATNA as the client of the ICMP jitter test. The configuration details are not mentioned
here.
Step 2 Configure the event corresponding to the alarm on ATNA.
<ATNA> system-view
[ATNA] nqa event 10 log-trap
Step 3 Configure the alarm threshold.

[ATNA-icmpjitter] test-type icmpjitter
[ATNA-icmpjitter] destination-address ipv4 11.1.1.20
[ATNA-icmpjitter] frequency 5
Issue 02 (2013-12-31)

603

Equipment
2 System Management
[ATNA-icmpjitter] alarm 10 lost-packet-ratio absolute rising-threshold 100 10

falling-threshold 10 10
[ATNA-icmpjitter] quit
Step 4 Configure alarms to be sent to the NM station.

# Configure basic SNMP functions.
[ATNA] snmp community read public
[ATNA] snmp community write private
[ATNA] snmp sys-info version v2c
[ATNA] snmp trap enable feature-name nqa trap-name nqafaillingalarmnotification
[RouterA] snmp trap enable feature-name nqa trap-name nqarisingalarmnotification
# Configure alarms to be sent to the NM station through the SNMP agent.

[ATNA] snmp target-host trap address udp-domain 11.1.2.8 params securityname alarm
v2c

<ATNA> display nqa-event
NQA event information:
-----------------------------------------------------NQA Event Max: 5
NQA Event Number: 1
-----------------------------------------------------[ATNA-nqa-admin-icmp] display nqa-alarm
NQA alarm information:
-----------------------------------------------------NQA Alarm Max: 5
NQA Alarm Number: 1
-----------------------------------------------------<ATNA> display nqa-agent
NQA Tests Max:50
NQA Tests Number:
1
NQA Flow Max:20
NQA Flow Remained: 20
frequency 5
alarm 20 lost-packet-ratio 2 rising-threshold 100 10 falling-threshold 10 10
nqa status : normal
----End
Configuration Files
l

#
sysname ATNA
#
ip address 11.1.1.1 255.255.255.0
#
ip address 11.1.2.1 255.255.255.0
#
interface NULL0
#
aaa
#
#
#
domain default
#
#
Issue 02 (2013-12-31)

604

Equipment
2 System Management
nqa-jitter tag-version 2
nqa event 10 log-trap
frequency 5
start now
alarm 10 lost-packet-ratio 2 rising-threshold 100 10 falling-threshold 10 10
#
snmp-agent
snmp-agent local-engineid 000007DB7F00000100000B31
snmp-agent sys-info version v2c v3
alarm v2c snmp-agent trap enable feature-name NQA trap-name
nqaRisingAlarmNotification snmp-agent trap enable feature-name NQA trap-name
nqaFaillingAlarmNotification
#
#
aps fast-interval 0
#
return

#
sysname CX-B
#
ip address 11.1.1.20 255.255.255.0
#
return
Example for Configuring a VPLS MAC Ping Test

As shown in Figure 2-49, it is required that VPLS should be enabled on PE1 and PE2; NodeB
should be attached to PE1; RNC should be attached to PE2; NodeB and RNC should be on the
same VPLS network; PWs should be established by using LDP as the VPLS signaling, and VPLS
should be configured to realize the interworking between NodeB and RNC.
A VPLS MAC ping test is used to check the connectivity of the VPLS network.
Issue 02 (2013-12-31)

605

Equipment
2 System Management
Figure 2-49 Typical networking of configuring a VPLS MAC ping test
Loopback1:
1.1.1.9/32
Loopback1:
2.2.2.9/32
GE0/2/1
168.1.1.1/24
PE1
GE1/0/0
168.1.1.2/24
GE0/2/0.1
GE1/0/0.1
10.1.1.1/24
Loopback1:
3.3.3.9/32
GE2/0/0
169.1.1.1/24
NodeB
PE2
GE1/0/0
169.1.1.2/24
GE2/0/0.1
GE1/0/0.1
10.1.1.2/24
RNC
1.
Configure a Martini VPLS network.
2.
Configure a VPLS MAC ping test instance on PE1.
3.
Start the NQA VPLS MAC ping test.
Data Preparation
l
Name and ID of the VSI
IP addresses of peers and tunnel policy used for setting up the peer relationship
Interface to which the VSI is bound
A specified peer MAC address
Procedure
Step 1 Configure a Martini VPLS network.
For details, refer to the chapter "VPLS Configuration" in the Configuration Guide - VPN.
Step 2 Configure a VPLS MAC ping test instance based on the Martini VPLS network.
# Configure PE1.
<PE1> system-view
[PE1] nqa test-instance
[PE1-nqa-test-vplsping]
test vplsping
test-type vplsping
vsi a2
mac 00e0-5952-6f01

Issue 02 (2013-12-31)

606

Equipment
2 System Management
[PE1-nqa-test-vplsping] start now
Step 4 Verify the test result.

Run the display nqa results command on the PEs. You can view that the test is successful.
[PE1-nqa-test-vplsping] display nqa results
NQA entry(test, vplsping)
testtype is: vplsping
summary conclusion: total: 1
success: 1
fail: 0
schedule-status: inactive, result-status: finished
Test Failure Percent 100
1 . Completion: success
Attempts number
:1
Lost packet ratio
:0 %
Send operation times
:3
Drop operation number
:0
Receive response times
:3
Destination ip address
:170.1.1.1
Connection fail number
:0
Last Good Probe Time
:2010-2-1 13:31:38.5
RTT Stats errors number
:0
Operation timeout number
:0
RTD OverThresholds number
:0
Disconnect operation number
:0
System busy operation number
:0
Min/Max/Average Completion Time :19/21/19
Sum/Square-Sum Completion Time :59/1163
last: 1
----End
Configuration Files
l
Configuration file of PE1

#
sysname PE1
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 3.3.3.9
#
mpls ldp
#
remote-ip 3.3.3.9
#
undo shutdown
vlan-type dot1q 10
l2 binding vsi a2
#
undo shutdown
ip address 168.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
Issue 02 (2013-12-31)

607

Equipment
2 System Management
#
nqa test-instance test vplsping
test-type vplsping
vsi a2
mac 00e0-5952-6f01
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 168.1.1.0 0.0.0.255
#
return
#
sysname P
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
link-protocol ppp
undo shutdown
ip address 168.1.1.2 255.255.255.0
mpls
mpls ldp
#
link-protocol ppp
undo shutdown
ip address 169.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 168.1.1.0 0.0.0.255
network 169.1.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return

#
sysname PE2
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.9
#
mpls ldp
#
remote-ip 1.1.1.9
#
Issue 02 (2013-12-31)

608

Equipment
2 System Management
link-protocol ppp
undo shutdown
ip address 169.1.1.2 255.255.255.0
mpls
mpls ldp
#
undo shutdown
vlan-type dot1q 10
l2 binding vsi a2
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 169.1.1.0 0.0.0.255
#
return
Example for Configuring a VPLS MAC Trace Test

As shown in Figure 2-50, it is required that a VPLS MAC trace test should be used to check the
connectivity of the VPLS network and locate the fault.
Figure 2-50 Networking diagram of configuring a VPLS MAC trace test
Loopback1:
2.2.2.9/32
Loopback1:
1.1.1.9/32
GE0/2/1
168.1.1.1/24
PE1
GE1/0/0
168.1.1.2/24
GE0/2/0.1
GE1/0/0.1
10.1.1.1/24
Loopback1:
3.3.3.9/32
GE2/0/0
169.1.1.1/24
NodeB
GE1/0/0
169.1.1.2/24
PE2
GE2/0/0.1
GE1/0/0.1
10.1.1.2/24
RNC
1.
2.
Configure a VPLS MAC trace test instance on PE1.
Issue 02 (2013-12-31)

609

Equipment
3.
2 System Management
Start the NQA test.
Data Preparation
l
VSI name and VSI ID
IP addresses of peers and the tunnel policy used for setting up the peer relationship
A specified peer MAC address
Procedure
Step 2 Configure a VPLS MAC trace test instance based on the Martini VPLS network.
# Configure PE1.
<PE1> system-view
[PE1] nqa test-instance test vplstrace
[PE1-nqa-test-vplstrace] test-type vplstrace
[PE1-nqa-test-vplstrace] vsi a2
[PE1-nqa-test-vplstrace] mac 00e0-5952-6f01

[PE1-nqa-test-vplstrace] start now

Run the display nqa results command on the PEs. You can view that the test is successful.
[PE1-nqa-test-vplstrace] display nqa results
NQA entry(test, vplstrace)
testtype is: vplstrace
summary conclusion: total: 1
success: 1
fail: 0
schedule-status: inactive, result-status: finished
Test Failure Percent -1 . Completion: success
Attempts number
:1
Last good path Time
:2010-2-1 13:33:23.5
Drop operation number
:0
Connection fail number
:0
RTT Stats errors number
:0
Operation timeout number
:0
Disconnect operation number
:0
System busy operation number
:0
last: 1
1 . Hop 1
Lost packet ratio
:0 %
:2010-2-1 13:33:21.5
:1
:
:1
:0
2 . Hop 2
Issue 02 (2013-12-31)

610

Equipment
2 System Management
Lost packet ratio

:0 %
:2010-2-1 13:33:23.5
:1
:
:1
:0
----End
Configuration Files
l

#
sysname PE1
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 3.3.3.9
#
mpls ldp
#
remote-ip 3.3.3.9
#
undo shutdown
vlan-type dot1q 10
l2 binding vsi a2
#
undo shutdown
ip address 168.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 168.1.1.0 0.0.0.255
#
return
#
sysname P
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
undo shutdown
ip address 168.1.1.2 255.255.255.0
mpls
Issue 02 (2013-12-31)

611

Equipment
2 System Management
mpls ldp
#
undo shutdown
ip address 169.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 168.1.1.0 0.0.0.255
network 169.1.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return

#
sysname PE2
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.9
#
mpls ldp
#
remote-ip 1.1.1.9
undo shutdown
ip address 169.1.1.2 255.255.255.0
mpls
mpls ldp
#
undo shutdown
vlan-type dot1q 10
l2 binding vsi a2
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 169.1.1.0 0.0.0.255
#
return
Example for Configuring VPLS PW Ping and VPLS PW Trace Test Instances
On a VPLS network, the performance of PWs affects the entire network performance. For
example, the connectivity of PWs determines whether traffic can be normally forwarded between
Issue 02 (2013-12-31)

612

Equipment
2 System Management
users, and the forwarding performance of PWs determines whether the forwarding capacity of
the network complies with the SLA signed with users. To monitor PWs on the VPLS network,
VPLS PW ping and VPLS PW trace are developed for detecting the connectivity of PWs,
collecting performance information about PWs, discovering packet forwarding paths along PWs,
and locating faults on PWs.
VPLS PW ping or VPLS PW trace operations initiated through NQA commands are the same
as ping or trace operations initiated through common command lines in principle, and
additionally provide the scheduling and result collection mechanism and the thresholdexceeding alarm function. You can combine the trace operation for locating faults and
discovering packet forwarding paths with the ping operation. When finding a fault by using the
ping operation, you can use the trace operation to locate the fault.
Figure 2-51 shows that VPLS PW ping and VPLS PW trace test instances can detect the
connectivity of a VPLS network and locate faults in the PW.
Figure 2-51 Networking diagram of configuring VPLS PW ping and VPLS PW trace test
instances
Loopback1:
2.2.2.9/32
Loopback1:
1.1.1.9/32
POS2/0/0
168.1.1.1/24
PE1
POS1/0/0
168.1.1.2/24
GE1/0/0.1
GE0/2/0.1
10.1.1.1/24
Loopback1:
3.3.3.9/32
POS2/0/0
169.1.1.1/24
POS1/0/0
169.1.1.2/24
CE1
PE2
GE2/0/0.1
GE0/2/0.1
10.1.1.2/24
CE2
1.
Configure the VPLS network and the service environment for starting NQA test instances.
In this example, a Martini VPLS network is configured.
2.
Configure VPLS PW ping and VPLS PW trace test instances on PE1, and specify
mandatory configurations of test instances.
3.
Start NQA test instances.
Data Preparation
l
Issue 02 (2013-12-31)
Name and ID of the VSI

613

Equipment
2 System Management
IP addresses of peers and the tunnel policy used for setting up the peer relationship
Procedure
Step 2 Configure VPLS PW ping and VPLS PW trace test instances.
1.
Configure a VPLS PW ping test instance and start the test instance.
# Configure PE1.
<PE1> system-view
[PE1] nqa test-instance test vplspwping
[PE1-nqa-test-vplspwping ] test-type vplspwping
[PE1-nqa-test-vplspwping ] vsi a2
[PE1-nqa-test-vplspwping ] destination-address ipv4 3.3.3.9
# Start the test instance.

[PE1-nqa-test-vplspwping ] start now
2.
Configure a VPLS PW trace test instance and start the test instance.
# Configure PE1.
<PE1> system-view
[PE1] nqa test-instance test vplspwtrace
[PE1-nqa-test-vplspwtrace ] test-type vplspwtrace
[PE1-nqa-test-vplspwtrace ] vsi a2
[PE1-nqa-test-vplspwtrace ] destination-address ipv4 3.3.3.9

[PE1-nqa-test-vplspwtrace ] start now

Enter the PW ping and PW trace test instance views separately on the PE and then run the display
nqa results command to view the test result, which is "success".
[PE1-nqa-test-vplspwping ] display nqa results
NQA entry(vplspw,ping) :testflag is inactive ,testtype is vplspwping
1 . Test 1 result
SendProbe:3
ResponseProbe:3
Completion:success
RTT Square Sum:1001
NumOfRTT:3
Min Positive SD:10
Min Positive DS:40
Max Positive SD:10
Max Positive DS:40
Positive SD Sum:10
Positive DS Sum:40
Min Negative SD:20
Min Negative DS:30
Max Negative SD:20
Max Negative DS:30
Negative SD Sum:20
Negative DS Sum:30
Min Delay SD:0
Min Delay DS:0
Max Delay SD:0
Max Delay DS:0
Issue 02 (2013-12-31)

614

Equipment
2 System Management

Packet Loss SD:0
Packet Loss DS:0
Average of Jitter:25
NumberOfOWD:0
OWD SD Sum:0
OWD DS Sum:0
ICPIF value: 0
MOS-CQ value: 0
TimeStamp unit: ms
[PE1-nqa-test-vplspwtrace ] display nqa results
NQA entry(vplspw,tracert) :testflag is inactive ,testtype is vplspwtrace
1 . Test 1 result
Completion:success
Attempts number:1
1 . Hop 1
----End
Configuration Files
l
Configuration file of CE1

#
sysname CE1
#
undo shutdown
vlan-type dot1q 10
ip address 10.1.1.1 255.255.255.0
#
return

#
sysname CE2
#
undo shutdown
vlan-type dot1q 10
ip address 10.1.1.2 255.255.255.0
#
return

#
sysname PE1
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
vsi a2 static
Issue 02 (2013-12-31)

615

Equipment
2 System Management
pwsignal ldp
vsi-id 2
peer 3.3.3.9
#
mpls ldp
#
remote-ip 3.3.3.9
#
undo shutdown
vlan-type dot1q 10
l2 binding vsi a2
#
interface Pos2/0/0
link-protocol ppp
undo shutdown
ip address 168.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
nqa test-instance test vplspwping
test-type vplspwping
vsi a2
#
nqa test-instance test vplspwtrace
test-type vplspwtrace
vsi a2
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 168.1.1.0 0.0.0.255
#
return
#
sysname P
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Pos1/0/0
link-protocol ppp
undo shutdown
ip address 168.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
link-protocol ppp
undo shutdown
ip address 169.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
Issue 02 (2013-12-31)

616

Equipment
2 System Management
ospf 1
area 0.0.0.0
network 168.1.1.0 0.0.0.255
network 169.1.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return

#
sysname PE2
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.9
#
mpls ldp
#
remote-ip 1.1.1.9
interface Pos1/0/0
link-protocol ppp
undo shutdown
ip address 169.1.1.2 255.255.255.0
mpls
mpls ldp
#
undo shutdown
vlan-type dot1q 10
l2 binding vsi a2
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 169.1.1.0 0.0.0.255
#
return
Example for Configuring MAC Ping Test Instance to Detect the Connectivity of a
VLAN network
As shown in Figure 2-52, all devices are on a VLAN network and are enabled with basic Ethernet
CFM functions. A MAC ping test instance can be used to detect the connectivity and locate fault
of the VLAN network.
Issue 02 (2013-12-31)

617

Equipment
2 System Management
Figure 2-52 Networking diagram of configuring MAC ping for detecting the connectivity of a
VLAN network
GE0/2/1
VLAN
VLAN10
GE0/2/1
VLAN10
ATNB
ATNA
1.
Configure a VLAN network and the service environment for starting the NQA test instance.
2.
Configure Ethernet CFM and establish the mapping relationship between CFM and VLAN.
3.
Configure an NQA MAC ping test instance on ATN A, and specify mandatory
configurations for the test instance.
4.
Start the NQA MAC ping test instance.
Data Preparation
l
VLAN ID
MAC address of the remote device
Procedure
Step 1 Configure the IP address. (The detailed procedure is not mentioned here.)
Step 2 Add ATN A and ATN B to VLAN 10.
# Configure ATN A.
<HUAWEI> sysname ATNA
[ATNA] vlan 10
[ATN-vlan10] quit
[ATNA] interface gigabitethernet 0/2/1
[ATN-GigabitEthernet0/2/1] portswitch
[ATN-GigabitEthernet0/2/1] port default vlan 10
# Configure ATN B. Configurations performed on ATN B are similar to those on ATN A and
therefore are not provided here.
Step 3 Enable basic Ethernet CFM functions between ATN A and ATN B, and establish the mapping
relationship between the MA and VLAN 10.
# Configure ATN A.
Issue 02 (2013-12-31)

618

Equipment
2 System Management
[ATNA] cfm version standard
[ATNA] cfm enable
[ATNA] cfm md md1
[ATNA-md-md1] ma ma1
[ATNA-md-md1-ma-ma1] map vlan 10
[ATNA-md-md1-ma-ma1] mep mep-id 1 interface gigabitethernet 0/2/1 outward
[ATNA-md-md1-ma-ma1] remote-mep mep-id 2
[ATNA-md-md1-ma-ma1] mep ccm-send enable
[ATNA-md-md1-ma-ma1] remote-mep ccm-receive enable
[ATNA-md-md1-ma-ma1] quit
[ATNA-md-md1] quit
# Configure ATN B.
[ATNB] cfm version standard
[ATNB] cfm enable
[ATNB] cfm md md1
[ATNB-md-md1] ma ma1
[ATNB-md-md1-ma-ma1] map vlan 10
[ATNB-md-md1-ma-ma1] mep mep-id 2 interface gigabitethernet 0/2/1 outward
[ATNB-md-md1-ma-ma1] remote-mep mep-id 1
[ATNB-md-md1-ma-ma1] quit
[ATNB-md-md1] quit
NOTE
Each interface can be configured with only one MEP and the interface must be a Layer 2 interface.
Run the display cfm remote-mep command on ATN A to view the status of Ethernet CFM.
The command output shows that the status of Ethernet CFM is Up.
[ATNA] display cfm remote-mep
The total number of RMEPs is : 1
The status of RMEPS : 1 up, 0 down, 0 disable
-------------------------------------------------MD Name
: md1
Level
: 0
MA Name
: ma1
RMEP ID
: 2
Vlan ID
: -VSI Name
: -MAC
: -CCM Receive
: enabled
Trigger-If-Down
: disabled
CFM Status
: up
Step 4 Configure a MAC ping test instance to detect the connectivity of a VLAN network.
# Configure ATN A.
<ATNA> system-view
[ATNA] nqa test-instance test macping
[ATNA-nqa-test-macping] test-type macping
[ATNA-nqa-test-macping] destination-address mac 00e0-fca4-8ae7
[ATNA-nqa-test-macping] md md1 ma ma1
[ATNA-nqa-test-macping] mep mep-id 1

[ATNA-nqa-test-macping] start now
Issue 02 (2013-12-31)

619

Equipment
2 System Management

Enter the MAC ping test instance view on ATN A and then run the display nqa results
command. You can see that the test result is "success".
[ATNA] display nqa results
NQA entry(test, macping) :testflag is inactive ,testtype is macping
1 . Test 1 result
SendProbe:3
ResponseProbe:3
Completion:success
RTT Square Sum:306
NumOfRTT:3
Min Positive SD:0
Min Positive DS:0
Max Positive SD:0
Max Positive DS:0
Positive SD Sum:0
Positive DS Sum:0
Min Negative SD:2
Min Negative DS:1
Max Negative SD:2
Max Negative DS:1
Negative SD Sum:2
Negative DS Sum:1
Min Delay SD:0
Min Delay DS:0
Avg Delay SD:0
Avg Delay DS:0
Max Delay SD:0
Max Delay DS:0
Packet Loss SD:0
Packet Loss DS:0
Average of Jitter:1
NumberOfOWD:0
OWD SD Sum:0
OWD DS Sum:0
ICPIF value: 0
MOS-CQ value: 0
TimeStamp unit: ms
----End
Configuration Files
l
Configuration file of ATN A

#
sysname ATNA
#
cfm version standard
cfm enable
#
undo shutdown
portswitch
port default vlan 10
#
ma ma1
map vlan 10
mep mep-id 1 interface GigabitEthernet0/2/1 outward
mep ccm-send mep-id 1 enable
remote-mep mep-id 2
remote-mep ccm-receive mep-id 2 enable
#
nqa test-instance test macping
test-type macping
Issue 02 (2013-12-31)

620

Equipment
2 System Management
destination-address mac 00e0-fca4-8ae7

md md1 ma ma1
mep mep-id 1
#
return
Configuration file of ATN B

#
sysname ATNB
#
cfm enable
#
undo shutdown
portswitch
#
cfm md md1
ma ma1
map vlan 10
remote-mep mep-id 1
#
return
Example for Configuring a MAC Ping Test Instance to Detect the Connectivity of
a VPLS Network
As shown in Figure 2-53, MAC ping is enabled to detect the connectivity and locate the fault
on a VPLS network. Three PEs on the VPLS network are enabled with CFM functions. An NQA
MAC ping test instance is configured on PE1, with the destination MAC address of ping packets
being the MAC address of the interface on PE2. The test instance is initiated from PE1 to detect
the connectivity between PE1 and PE2.
Issue 02 (2013-12-31)

621

Equipment
2 System Management
Figure 2-53 Networking diagram of configuring MAC ping for detecting the connectivity of a
VPLS network
CE3
GE0/2/1.1
10.1.1.3/24
PE3 GE0/2/1.1
GE0/2/2
100.2.1.2/30
GE0/2/3
100.2.1.1/30
Loopback1
1.1.1.1/32
GE0/2/1.1
GE0/2/3
100.3.1.2/30
Loopback1
3.3.3.3/32
PE1
GE0/2/2
100.1.1.1/30
GE0/2/3
100.3.1.1/30
PE2
GE0/2/2
100.1.1.2/30
GE0/2/1.1
10.1.1.1/24
CE1
Loopback1
2.2.2.2/32
GE0/2/1.1
GE0/2/1.1
10.1.1.2/24
CE2
1.
Configure a Martini VPLS network and the service environment for starting the NQA test
instance.
2.
Configure VPLS-based Ethernet CFM on three PEs.
3.
Configure an NQA MAC ping test instance on PE1 to detect the connectivity of the VPLS
network.
Data Preparation
l
IP address of an interface
MPLS LSR ID of each PE
VSI names and VSI IDs on PE1, PE2, and PE3
Issue 02 (2013-12-31)

622

Equipment
2 System Management
Name and level of the MD, name of the MA, MEP ID, name of the interface where the
MEP resides, and type of the MEP
Destination MAC address
Procedure
Step 1 Configure routes among PE and CE.
Step 2 Configure the Martini VPLS on the MPLS backbone network.
For configuration details, refer to the chapter "VPLS Configuration" in the Configuration Guide
- VPN.
Step 3 Configure Ethernet CFM on PEs.
# Configure PE1.
[PE1] cfm version standard
[PE1] cfm enable
[PE1] cfm md md1
[PE1-md-md1] ma ma1
[PE1-md-md1-ma-ma1] ccm-interval 30
[PE1-md-md1-ma-ma1] map vsi ldp1
[PE1-md-md1-ma-ma1] mep mep-id 1 interface gigabitethernet 0/2/1.1 inward
[PE1-md-md1-ma-ma1] remote-mep mep-id 2
[PE1-md-md1-ma-ma1] quit
# Configure PE2.
[PE2] cfm enable
[PE2] cfm md md1
[PE2-md-md1] ma ma1
# Configure PE3.
[PE3] cfm enable
[PE3] cfm md md1
[PE3-md-md1] ma ma1
Step 4 Configure a VPLS MAC ping test instance.

# Configure PE1.
<PE1> system-view
[PE1] nqa test-instance test macping
[PE1-nqa-test-macping] test-type macping
[PE1-nqa-test-macping] destination-address mac 00e0-fca4-8ae7
[PE1-nqa-test-macping] md md1 ma ma1
[PE1-nqa-test-macping] mep mep-id 1
Issue 02 (2013-12-31)

623

Equipment
2 System Management

[PE1-nqa-test-macping] start now

Enter the MAC ping test instance view on PE1 and then run the display nqa results command.
You can see that the test result is "success".
[PE1] display nqa results
NQA entry(test, macping) :testflag is inactive ,testtype is macping
1 . Test 1 result
SendProbe:3
ResponseProbe:3
Completion:success
RTT Square Sum:306
NumOfRTT:3
Min Positive SD:0
Min Positive DS:0
Max Positive SD:0
Max Positive DS:0
Positive SD Sum:0
Positive DS Sum:0
Min Negative SD:2
Min Negative DS:1
Max Negative SD:2
Max Negative DS:1
Negative SD Sum:2
Negative DS Sum:1
Min Delay SD:0
Min Delay DS:0
Avg Delay SD:0
Avg Delay DS:0
Max Delay SD:0
Max Delay DS:0
Packet Loss SD:0
Packet Loss DS:0
Average of Jitter:1
NumberOfOWD:0
OWD SD Sum:0
OWD DS Sum:0
ICPIF value: 0
MOS-CQ value: 0
TimeStamp unit: ms
----End
Configuration Files
l

#
sysname PE1
#
cfm enable
#
mpls lsr-id 1.1.1.1
mpls
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 2
peer 2.2.2.2
peer 3.3.3.3
#
Issue 02 (2013-12-31)

624

Equipment
2 System Management
mpls ldp
#
undo shutdown
#
undo shutdown
vlan-type dot1q 10
l2 binding vsi ldp1
#
interface Gigabitethernet0/2/2
undo shutdown
ip address 100.1.1.1 255.255.255.252
mpls
mpls ldp
#
undo shutdown
ip address 100.2.1.1 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
cfm md md1
ma ma1
ccm-interval 30
map vsi ldp1
mep mep-id 1 interface gigabitethernet 0/2/1.1 inward
remote-mep mep-id 2
remote-mep mep-id 3
#
nqa test-instance test macping
test-type macping
destination-address mac 00e0-fca4-8ae7
md md1 ma ma1
mep mep-id 1
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 100.1.1.0 0.0.0.3
network 100.2.1.0 0.0.0.3
#
return

#
sysname PE2
#
cfm enable
#
mpls lsr-id 2.2.2.2
mpls
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 2
peer 1.1.1.1
peer 3.3.3.3
#
mpls ldp
#
Issue 02 (2013-12-31)

625

Equipment
2 System Management
undo shutdown
#
undo shutdown
vlan-type dot1q 10
l2 binding vsi ldp1
#
undo shutdown
ip address 100.1.1.2 255.255.255.252
mpls
mpls ldp
#
undo shutdown
ip address 100.3.1.1 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
cfm md md1
ma ma1
ccm-interval 30
map vsi ldp1
remote-mep mep-id 1
remote-mep mep-id 3
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 100.1.1.0 0.0.0.3
network 100.3.1.0 0.0.0.3
#
return

#
sysname PE3
#
cfm enable
#
mpls lsr-id 3.3.3.3
mpls
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 2
peer 1.1.1.1
peer 2.2.2.2
#
mpls ldp
#
undo shutdown
#
undo shutdown
vlan-type dot1q 10
l2 binding vsi ldp1
Issue 02 (2013-12-31)

626

Equipment
2 System Management
#
undo shutdown
ip address 100.2.1.2 255.255.255.252
mpls
mpls ldp
#
undo shutdown
ip address 100.3.1.2 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
cfm md md1
ma ma1
ccm-interval 30
map vsi ldp1
remote-mep mep-id 1
remote-mep mep-id 2
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 100.2.1.0 0.0.0.3
network 100.3.1.0 0.0.0.3
#
return

#
sysname CE1
#
undo shutdown
#
undo shutdown
vlan-type dot1q 10
ip address 10.1.1.1 255.255.255.0
#
return

#
sysname CE2
#
undo shutdown
#
undo shutdown
vlan-type dot1q 10
ip address 10.1.1.2 255.255.255.0
#
return

#
sysname CE3
#
Issue 02 (2013-12-31)

627

Equipment
2 System Management
undo shutdown
#
undo shutdown
vlan-type dot1q 10
ip address 10.1.1.3 255.255.255.0
#
return
Example for Configuring NQA Upper/Lower Alarm Threshold and Test Instance
Linkage
This part provides examples for configuring the association of NQA test instances to dynamically
monitor faults on the network.
As shown in Figure 2-54, an NQA Jitter is required to monitor the packet loss ratio between
ATNA and CX-B. If the packet loss ratio in the test result exceeds the threshold, the linking test
instance is triggered to test whether CX-B is reachable.
Figure 2-54 Networking diagram of configuring the NQA alarm threshold and test instance
linkage
GE0/2/0
11.1.1.1/24
ATNA
GE1/0/0
11.1.1.2/24 CX-B
1.
Configure ATNA as the NQA client and CX-B as the NQA server.
2.
On the NQA client, configure the type of the linking test instance to be ICMP.
3.
On the NQA client, specify the event that triggers test instance linkage.
4.
On the NQA client, create an ICMP Jitter test instance, as a primary test instance.
5.
On the NQA client, configure the alarm threshold.
6.
On the NQA client, start the primary test instance.
Data Preparation
l
Index of the linking test instance
Number of the event associated with the threshold
Upper threshold and lower threshold
Issue 02 (2013-12-31)

628

Equipment
2 System Management
Procedure
Step 1 Enable the NQA client and create an NQA ICMP test instance.
<ATNA> system-view
[ATNA-nqa-admin-icmp] test-type icmp
[ATNA-nqa-admin-icmp] destination-address ipv4 11.1.1.2
[ATNA-nqa-admin-icmp] quit
Step 2 On ATNA, configure the event that triggers test instance linkage and create a linked test instance
admin icmp.
[ATNA] nqa event 10 linkage admin icmp
Step 3 On ATNA, create an NQA ICMP Jitter test instance.

[ATNA-nqa-admin-icmpjitter] destination-address ipv4 11.1.1.2
# Configure the alarm threshold.

[ATNA-nqa-admin-icmpjitter] alarm 10 lost-packet-ratio absolute rising-threshold
80 10 falling-threshold 10 10


# Check information about the event that triggers test instance linkage.
<ATNA> display nqa event
NQA Event Information:
-------------------------------------------------------------------------------Event-Entry
Event-type
Description
Admin-Name
Operation-Tag
-------------------------------------------------------------------------------10
linkage
admin
icmp
# Check alarm information about all test instances.

<ATNA> display nqa alarm
NQA Alarm Information:
--------------------------------------------------------------------------Admin-Name
Operation-Tag
Alarm-Entry
AlarmType
Event-Entry
--------------------------------------------------------------------------admin
icmpjitter
10
Rising
10
admin
icmpjitter
10
Falling
10
# Check the status of the NQA client.

<ATNA> display nqa-agent
NQA Tests Max:50
NQA Flow Max:20
NQA Tests Number:

NQA Flow Remained:
2
20

test-type icmp
nqa status : normal
alarm 10 lost-packet-ratio absolute rising-threshold 80 10 falling-threshold 10
10
nqa status : normal
# Check the NQA test result.

Issue 02 (2013-12-31)

629

Equipment
2 System Management
<ATNA> display nqa results

NQA entry(admin, icmp) :testflag is inactive ,testtype is icmp
1 . Test 1 result
Completion:failed
Attempts number:1
1 . Test 1 result
SendProbe:60
ResponseProbe:0
Completion:failed
RTT Square Sum:0
NumOfRTT:0
Min Positive SD:0
Min Positive DS:0
Max Positive SD:0
Max Positive DS:0
Positive SD Sum:0
Positive DS Sum:0
Min Negative SD:0
Min Negative DS:0
Max Negative SD:0
Max Negative DS:0
Negative SD Sum:0
Negative DS Sum:0
Min Delay SD:0
Min Delay DS:0
Max Delay SD:0
Max Delay DS:0
Packet Loss SD:0
Packet Loss DS:0
Average of Jitter:0
NumberOfOWD:0
OWD SD Sum:0
OWD DS Sum:0
ICPIF value: 0
MOS-CQ value: 0
----End
Configuration Files
l

#
sysname ATNA
#
ip address 11.1.1.1 255.255.255.0
#
test-type icmp
nqa event 10 linkage admin icmp
alarm 10 lost-packet-ratio absolute rising-threshold 80 10 falling-threshold
Issue 02 (2013-12-31)

630

Equipment
2 System Management
10 10
#
return

#
sysname CX-B
#
ip address 11.1.1.2 255.255.255.0
#
return
Example for Configuring the LSP Traceroute Test for Checking the CR-LSP
Hotstandby Tunnel
This part provides examples for configuring an LSP traceroute test to detect faults on the CRLSP hot standby tunnels.
In the MPLS VPN as shown in Figure 2-55, a TE tunnel with CX- C being the egress is set up
on ATNA, and CR-LSP hot standby is configured on the TE tunnel.
l
OSPF is configured on ATNA, CX-B, CX-C, and CX-D to enable them to learn the 32-bit
host addresses of the loopback interfaces from each other.
MPLS, MPLS TE, and MPLS RSVP-TE are enabled on ATNA, CX-B, CX-C, and CX-D.
MPLS, MPLS TE, and MPLS RSVP-TE are enabled on the POS interfaces connected to
ATNA, CX- B, and CX- C. Then, a TE tunnel is set up from ATNA to CX-C.
In the preceding configurations:

l
The primary CR-LSP is ATNA, CX- B, CX- C.
The hotstandby CR-LSP is ATNA, CX- D, CX- C.
In this manner, when the primary CR-LSP becomes faulty, traffic can be switched to the hotstandby CR-LSP. Traffic is switched back to the primary CR-LSP 15 seconds after the fault on
the primary CR-LSP is rectified.
But if the hotstandby CR-LSP is faulty and therefore is unable to carry the traffic that is switched
from the primary CR-LSP, the hotstandby CR-LSP needs to be detected. NQA LSP Traceroute
can be used to detect the connectivity of the hotstandby CR-LSP. This function can detect the
connectivity of the hotstandby CR-LSP and its performance in real time. This helps detect and
identify faults on the hotstandby CR-LSP.
Issue 02 (2013-12-31)

631

Equipment
2 System Management
Figure 2-55 Networking diagram of the LSP Traceroute test
Loopback:1
1.1.1.1/32
ATNA
Loopback:1
2.2.2.2/32
GE0/2/0
10.1.1.1/24
GE1/0/0
10.1.1.2/24
CX-B
Loopback:1
3.3.3.3/32
GE1/0/1
20.1.1.1/24
GE1/0/0
20.1.1.2/24
CX-C
Loopback:1
4.4.4.4/32
GE1/0/0
30.1.1.2/24
CX-D
GE1/0/1
40.1.1.1/24
1.
Configure ATNA as the NQA client and create an LSP Traceroute test instance on ATNA.
2.
Data Preparation
l
TE tunnel interface number
Procedure
Step 1 Configure routes among ATNA, CX-B, and CX-C.
For detailed configuration, see the configuration files in this example.
Step 2 Configure MPLS RSVP-TE on ATNA, CX-B, CX-C, and CX-D.
Step 3 On ATNA, set up a TE tunnel to CX-C.
Step 4 Configure an NQA test instance on ATNA.
# Enable the NQA client and create an LSP Traceroute test instance for checking the TE tunnel.
<ATNA> system-view
Issue 02 (2013-12-31)

632

Equipment
2 System Management
[ATNA] nqa test-instance admin lsptrace

[ATNA-nqa-admin-lsptrace] test-type lsptrace
[ATNA-nqa-admin-lsptrace] lsp-type te
[ATNA-nqa-admin-lsptrace] lsp-tetunnel tunnel 0/2/0 hot-standby

[ATNA-nqa-admin-lsptrace] start now

[ATNA-nqa-admin-lsptrace] display nqa results test-instance admin lsptrace
NQA entry(admin, lsptrace) :testFlag is inactive ,testtype is lsptrace
1 . Test 1 result
Completion:success
Attempts number:1
1 . Hop 1
Receive response times:
3
2 . Hop 2
Receive response times:
3
----End
Configuration Files
l

#
sysname ATNA
#
mpls lsr-id 1.1.1.1
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
explicit-path backup
next hop 30.1.1.2
next hop 40.1.1.2
next hop 3.3.3.3
#
explicit-path main
next hop 10.1.1.2
next hop 20.1.1.2
next hop 3.3.3.3
#
undo shutdown
ip address 10.1.1.1 255.255.255.0
mpls
mpls te
Issue 02 (2013-12-31)

633

Equipment
2 System Management
mpls rsvp-te
#
undo shutdown
ip address 30.1.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
destination 3.3.3.3
mpls te record-route
mpls te path explicit-path main
mpls te path explicit-path backup secondary
mpls te backup hot-standby wtr 15
mpls te backup ordinary best-effort
mpls te commit
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 1.1.1.1 0.0.0.0
network 30.1.1.0 0.0.0.255
mpls-te enable
#
nqa test-instance admin lsptrace
test-type lsptrace
lsp-type te
lsp-tetunnel Tunnel0/2/0 hot-standby
#
return

#
sysname CX-B
#
mpls lsr-id 2.2.2.2
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
ip address 10.1.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
ip address 20.1.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
Issue 02 (2013-12-31)

634

Equipment
2 System Management
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 2.2.2.2 0.0.0.0
network 20.1.1.0 0.0.0.255
mpls-te enable
#
return

#
sysname CX-C
#
mpls lsr-id 3.3.3.3
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
ip address 20.1.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
ip address 40.1.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 40.1.1.0 0.0.0.255
network 3.3.3.3 0.0.0.0
mpls-te enable
#
return
Configuration file of CX-D

#
sysname CX-D
#
mpls lsr-id 4.4.4.4
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
ip address 30.1.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
ip address 40.1.1.1 255.255.255.0
mpls
mpls te
Issue 02 (2013-12-31)

635

Equipment
2 System Management

mpls rsvp-te
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255
#
ospf 1
area 0.0.0.0
network 4.4.4.4 0.0.0.0
network 30.1.1.0 0.0.0.255
network 40.1.1.0 0.0.0.255
mpls-te enable
#
return
Configuring a General Flow Test in a Native Ethernet Scenario

This section describes how to configure a general flow test in a native Ethernet scenario. A
general flow test is used to monitor the native Ethernet network performance.
A general flow test needs to be configured to monitor the performance of an Ethernet virtual
connection (EVC) between ATNA and RouterB on the network shown in Figure 2-56.
Figure 2-56 General flow test in a native Ethernet scenario
ATN C
GE
GE0/2/1
/2
0/2
/1
E
0/2
G
E
G
0/2
/2
GE
1/0
/2
GE1/0/1
Reflector
Router B
Initiator
ATN A
UNI-A
UNI-B
1.
Configure reflector Router B to loop traffic with a specified destination MAC address
through reflector interface GE 1/0/1 to the initiator.
2.
Configure initiator ATNA and test the throughput, latency, and packet loss rate.
Issue 02 (2013-12-31)

636

Equipment
2 System Management
Data Preparation
l
On reflector Router B: MAC address (1-1-1) of the Router B's GE 1/0/1
On initiator ATNA:
Destination MAC address (1-1-1) of the Router B's GE 1/0/1
Throughput test parameters: upper rate threshold (100 Kbit/s), lower rate threshold (10
Kbit/s), throughput precision (8 Kbit/s), packet loss rate (0.81%), interval (5s) at which
test packets are transmitted at a specified rate, data size (70 bytes) of each test packet,
and test duration (100s)
Delay test parameters: packet rate (99 Kbit/s), test duration (100s), and interval (5s) at
which the initiator sends test packets
Packet loss rate test parameters: packet rate (99 Kbit/s), and test duration (100s)
Procedure
Step 1 Configure reachable Layer 2 links between the initiator and reflector and add Layer 2 interfaces
to VLAN 10. For configuration details, see "Configuration Files" in this section.
Step 2 Configure the reflector.
<RouterB> system-view
[RouterB] nqa reflector 1 interface gigabitethernet 1/0/1 mac 1-1-1
Step 3 Configure the initiator to conduct a throughput test and check the test results.
<ATNA> system-view
[ATNA] nqa test-instance admin throughput
[ATNA-nqa-admin-throughput] test-type generalflow
[ATNA-nqa-admin-throughput] measure throughput
[ATNA-nqa-admin-throughput] destination-address mac 1-1-1
[ATNA-nqa-admin-throughput] forwarding-simulation inbound-interface
gigabitethernet 0/2/1
[ATNA-nqa-admin-throughput] rate 10 100
[ATNA-nqa-admin-throughput] interval seconds 5
[ATNA-nqa-admin-throughput] precision 8
[ATNA-nqa-admin-throughput] fail-ratio 81
[ATNA-nqa-admin-throughput] datasize 70
[ATNA-nqa-admin-throughput] duration 100
[ATNA-nqa-admin-throughput] vlan 10
[ATNA-nqa-admin-throughput] start now
[ATNA-nqa-admin-throughput] display nqa results test-instance admin throughput
NQA entry(admin, throughput) :testflag is inactive ,testtype is generalflow
1 . Test 1 result
Test mode is throughput
Completion: success
Throughput(Mbps)/precision(Mbps): 50/8
Step 4 Configure the initiator to conduct a latency test and check the test results.
<ATNA> system-view
[ATNA] nqa test-instance admin delay
[ATNA-nqa-admin-delay] test-type generalflow
[ATNA-nqa-admin-delay] measure loss
[ATNA-nqa-admin-delay] destination-address mac 1-1-1
[ATNA-nqa-admin-delay] forwarding-simulation inbound-interface gigabitethernet
0/2/1
[ATNA-nqa-admin-delay] rate 99
Issue 02 (2013-12-31)

637

Equipment
2 System Management
[ATNA-nqa-admin-delay] interval seconds 5

[ATNA-nqa-admin-delay] duration 100
[ATNA-nqa-admin-delay] vlan 10
[ATNA-nqa-admin-delay] start now
[ATNA-nqa-admin-delay] display nqa results test-instance admin delay
NQA entry(admin, delay) :testflag is inactive ,testtype is generalflow
1 . Test 1 result
Test mode is delay
Completion: success
Min/Max/Avg RTT(us): 1/12/5
Min/Max/Avg jitter(us): 2/15/8
Step 5 Configure the initiator to conduct a packet loss rate test and check the test results.
<ATNA> system-view
[ATNA] nqa test-instance admin loss
[ATNA-nqa-admin-loss] test-type generalflow
[ATNA-nqa-admin-loss] measure loss
[ATNA-nqa-admin-loss] destination-address mac 1-1-1
[ATNA-nqa-admin-loss] forwarding-simulation inbound-interface gigabitethernet 0/2/1
[ATNA-nqa-admin-loss] rate 99
[ATNA-nqa-admin-loss] duration 100
[ATNA-nqa-admin-loss] vlan 10
[ATNA-nqa-admin-loss] start now
[ATNA-nqa-admin-loss] display nqa results test-instance admin loss
NQA entry(admin, loss) :testflag is inactive ,testtype is generalflow
1 . Test 1 result
Test mode is loss
Completion: success
TxRate(bps)/RxRate(bps): 2000000/1982000
TxCount/RxCount: 653265345/650256141
Frame loss Rate: 0.91%
----End
Configuration Files
l

#
sysname ATNA
#
vlan 10
#
interface GigabitEthernet 0/2/1
portswitch
undo shutdown
#
portswitch
undo shutdown
#
nqa test-instance admin throughput
duration 100
measure throughput
fail-ratio 81
destination-address mac 0001-0001-0001
datasize 70
rate 10 100
precision 8
forwarding-simulation inbound-interface GigabitEthernet0/2/1
Issue 02 (2013-12-31)

638

Equipment
2 System Management
nqa test-instance admin loss

duration 100
measure loss
rate 99
nqa test-instance admin delay
duration 100
measure delay
interval seconds 5
datasize 70
rate 99
Configuration file of RouterB

#
sysname RouterB
#
vlan 10
#
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
portswitch
undo shutdown
#
Configuration file of ATNC

#
sysname ATNC
#
vlan 10
#
portswitch
undo shutdown
#
portswitch
undo shutdown
#
Configuring a General Flow Test in the IP gateway Scenario

This section describes how to configure a general flow test in the IP gateway scenario. The
general flow test monitors the Ethernet network performance.
Usage Scenario
A general flow test needs to be configured to monitor the performance of the Ethernet network
shown in Figure 2-57 between ATNA and IP gateway RouterB.
Issue 02 (2013-12-31)

639

Equipment
2 System Management
Figure 2-57 General flow test in the scenario where a Layer 2 interface accesses a Layer 3 device
ATNC
2
GE0/2/1
/2/
/1
0
0/2
10.1.1.1 GE0/2/1 GE
E
G
CE
GE
0/2
/2
GE
1/0
/2
GE1/0/1
Initiator
IP gateway
RouterB
Reflector
ATNA
UNI-A
UNI-B
1.
Configure reflector ATNA and set the simulated IP address to 10.1.1.1 (CE's IP address)
and the reflector interface to GE 0/2/1.
2.
Configure initiator RouterB and monitor the latency time.
Data Preparation
l
On reflector ATNA: IP address (10.1.1.1) of CE's interface connected to GE 0/2/1
On initiator RouterB:
Destination IP address (10.1.1.1) of the CE connected to ATNA's GE 0/2/1
Source IP address: IP address of outbound interface GE 1/0/2.1
Latency test parameters: packet rate (99 Kbit/s), test duration (100s), and interval (5s)
at which the initiator sends test packets
Procedure
Step 1 Configure Layer 2 devices so that Layer 3 routes between the CE and ATN B are reachable. For
configuration details, see "Configuration Files" in this section.
Step 2 Configure the reflector.
<ATNA> system-view
[ATNA] nqa reflector 1 interface gigabitethernet 1/0/1 simulate-ip 10.1.1.1
Step 3 Configure the initiator to conduct a latency test and view test results.
<RouterB> system-view
[RouterB] vlan 10
[RouterB-vlan10] quit
[RouterB] interface gigabitEthernet1/0/2.1
Issue 02 (2013-12-31)

640

Equipment
2 System Management
[RouterB-GigabitEthernet1/0/2.1] vlan-type dot1q 10

[RouterB-GigabitEthernet1/0/2.1] ip address 10.1.1.2 24
[RouterB-GigabitEthernet1/0/2.1] quit
[RouterB] nqa test-instance admin delay
[RouterB-nqa-admin-delay] test-type generalflow
[RouterB-nqa-admin-delay] measure delay
[RouterB-nqa-admin-delay] destination-address ipv4 10.1.1.1
[RouterB-nqa-admin-delay] source-address 10.1.1.2
[RouterB-nqa-admin-delay] source-interface gigabitethernet 1/0/2.1
[RouterB-nqa-admin-delay] rate 99
[RouterB-nqa-admin-delay] interval seconds 5
[RouterB-nqa-admin-delay] duration 100
[RouterB-nqa-admin-delay] vlan 10
[RouterB-nqa-admin-delay] start now
[RouterB-nqa-admin-delay] display nqa results test-instance admin delay
NQA entry(admin, delay) :testflag is inactive ,testtype is generalflow
1 . Test 1 result
Test mode is delay
Completion: success
Min/Max/Avg RTT(us): 1/12/5
Min/Max/Avg jitter(us): 2/15/8
----End
Configuration Files
l

#
sysname ATNA
#
vlan 10
#
portswitch
undo shutdown
#
portswitch
undo shutdown
#
Configuration file of RouterB

#
sysname RouterB
#
undo shutdown
ip address 10.1.2.1 255.255.255.0
#
vlan-type dot1q 10
ip address 10.1.1.2 255.255.255.0
#
nqa test-instance admin delay
duration 100
measure delay
interval seconds 5
datasize 70
Issue 02 (2013-12-31)

641

Equipment
2 System Management
rate 99
source-interface GigabitEthernet1/0/2.1

#
sysname ATNC
#
vlan 10
#
undo shutdown
#
undo shutdown
ip adress 10.1.1.3 255.255.255.0
#
2.6 Ping and Tracert

This chapter describes how to check the network connectivity through ping and tracert
operations.
2.6.1 Ping and Tracert Overview

This section describes the basic concepts of ping and tracert, and the support for ping and tracert
on the ATN.
Introduction
When a device is faulty, you can use ping and tracert operations to check the network
connectivity.
The ping command is used to check network connections and detect whether a host is reachable.
The tracert command is used to detect the gateways that packets pass when being transmitted
from source hosts to destinations. It is mainly used to check if the network connection is
reachable, and locate the network fault.
The process of executing the tracert command is as follows:
1.
A packet with TTL being 1 is transmitted.
2.
An ICMP error message is returned in the first hop, indicating that the packet cannot be
transmitted because the TTL has timed out.
3.
The packet with TTL increased by 1 is retransmitted.
4.
A similar TTL timeout error message is returned in the second hop.

The process continues until the packet reaches its destination. In this process, the source
host can record the source address of each ICMP TTL timeout message and obtain the IP
packet transmission path.
2.6.2 Configuring Ping and Tracert

This part describes how to check the network connectivity through ping and tracert operations.
Issue 02 (2013-12-31)

642

Equipment
2 System Management
Before You Start

Before checking the network connectivity through ping and tracert operations, familiarize
yourself with the usage scenario, complete the pre-configuration tasks, and obtain the required
data. This can help you complete the configuration task quickly and accurately.
A user cannot access the network. Then you need to use Ping and Tracert to test the network
connectivity.
Pre-configuration Task
Before configuring Ping or Tracert, complete the following tasks:
l
Connecting the user and the network correctly
Assigning an IP address to the user correctly
Data Preparation
To configure Ping and Tracert, you need the following data.
No.
Data
IP address of the user
IP address of the gateway
Applying Ping to Test the Network Connection

This part describes how to check the communications between two nodes on the network through
the ping operation.
Context
Perform the following steps on the user end in all views.
Procedure
Step 1 To test the network connection, run ping [ ip ] [ -a source-ip-address | -c count | -d | { -f | ignoremtu } | -h ttl-value | { [ -nexthop nexthop-address ] [ -i interface-type interface-number ] | -si
source-interface-type source-interface-number } | -m time | -n | -name | -p pattern | -q | -r | { s packetsize | -range [ min min-size | max max-size | step step-size ] * } | -system-time | -t
timeout | { -tos tos-value | dscp dscp-value } | -v | -vpn-instance vpn-instance-name | -ri |
-8021p 8021p-value ] * host
The preceding command contains only a part of the parameters. For descriptions of the
parameters of this command, refer to the Command Reference.
The output of the ping command includes:
Issue 02 (2013-12-31)

643

Equipment
2 System Management
l Status of the responses to the Ping. If the system does not receive a response packet within
the timeout period, it outputs a "Request time out" message; if receiving a response packet,
the system outputs bytes of data, sequence number, TTL, and response time of each response
packet.
l Final statistics, including the number of sent packets, number of received packets, percentage
of unacknowledged packets to all transmitted packets, and the minimum, maximum, and
mean response time.
NOTE
If the destination address of the ping command is a broadcast address, the source address carried in the
Reply message is the broadcast address.
<HUAWEI> ping 202.20.36.25
PING 202.20.36.25: 56 data bytes, press CTRL_C to break
Reply from 202.20.36.25: bytes=56 Sequence=1 ttl=255 time=2
ms
ms
ms
ms
ms
--- 202.20.36.25 ping statistics --5 packet(s) transmitted

5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/2 ms
----End
Applying Tracert to Locate Faults in the Network

This part describes how to check the communication among nodes on the network through the
tracert operation.
Context
Perform the following steps in all views on the user end. Before running the tracert command
to check network connectivity, you can run the icmp time-exceed command to specify the format
of ICMP Time Exceeded packets.
Procedure
Step 1 To locate the fault in the network, run tracert [ -a source-ip-address | -f first-ttl | -m max-ttl | name | -p port | -q nqueries | -s packet-size | -v | -vpn-instance vpn-instance-name [ pipe ] | w timeout ] * host
The preceding command contains only a part of the parameters. For the description of the options
and parameters of this command, refer to the Command Reference.
An example of applying Tracert program to analyze the network is as follows.
<HUAWEI> tracert -m 10 35.1.1.48
traceroute to 35.1.1.48 (35.1.1.48), max hops: 30, packet length: 40, press CTRL_C
to break
1 128.3.112.1
19 ms
19 ms
0 ms
2 128.32.216.1
39 ms
39 ms
19 ms
3 128.32.136.23 39 ms
40 ms
39 ms
4 128.32.168.22 39 ms
39 ms
39 ms
5 128.32.197.4
40 ms
59 ms
59 ms
6 131.119.2.5
59 ms
59 ms
59 ms
Issue 02 (2013-12-31)

644

Equipment
7 129.140.70.13
8 129.140.71.6
9 129.140.81.7
10 35.1.1.48
99 ms
139 ms
220 ms
239 ms
99 ms
239 ms
199 ms
239 ms
2 System Management
80 ms
319 ms
199 ms
239 ms
----End
2.6.3 Detecting the LDP LSP Through the Ping or Tracert Operation
This section describes how to check the connectivity of an LDP LSP through ping and tracert
operations.
Before You Start

Before checking the connectivity of an LDP LSP through ping and tracert operations, familiarize
Application Environment
You can use the ping lsp or tracert lsp command on the ingress to check connectivity of the
LDP LSP destined for the egress according to the specified FEC and mask. If load balancing is
configured on the ingress, you need to specify the next hop address when checking connectivity
of the specified LDP LSP.
Before detecting the LDP LSP through the ping or tracert operation, complete the following
task:
l
Configuring an LDP LSP correctly
Data Preparation
To detect the LDP LSP through the ping or tracert operation, you need the following data.
No.
Data
destination IPv4 address of an LDP LSP and the mask length of the destination
address
(Optional) Source IPv4 address, EXP value and TTL value of the sent Echo
Request packet, reply mode, number of bytes of the sent Echo Request packet,
total number of the sent Echo Request packets, and timeout period of the Echo
Reply packet
Checking Connectivity of the LDP LSP Through the Ping Operation

This part describes how to check the communication among LSRs along the LSP through the
ping operation.
Issue 02 (2013-12-31)

645

Equipment
2 System Management
Context
Perform the following steps on each node along the LSP to check connectivity:
Procedure
Step 1 Run:
ping lsp [ -a source-ip | -c count | -exp exp-value | -h ttl-value | -m interval |
-r reply-mode | -s packet-size | -t time-out | -v ] * ip destination-address masklength [ ip-address ] [ nexthop nexthop-address | draft6 ]
Connectivity of the LDP LSP is checked.

For detailed information about each parameter and its description in the ping command, refer
to the Command Reference.
The following information is displayed in the ping command output:
l Information about responses to each Echo Request packet is displayed, including the number
of bytes, sequence number, sending time of the Echo Reply packet. If no Echo Reply packet
is received within a certain period, a message of "Request time out" is displayed.
l Statistics are displayed, including the number of the sent Echo Request packets, number of
the received Echo Reply packets, percentage of the Echo Request packets that are not replied,
and the minimum, maximum and average delay time of sending Echo Reply packets.
<HUAWEI> ping lsp -v ip 3.3.3.3 32
LSP PING FEC: IPV4 PREFIX 3.3.3.3/32 : 100 data bytes, press CTRL_C
Reply from 3.3.3.3: bytes=100 Sequence=1 time = 4 ms Return Code
--- FEC: IPV4 PREFIX 3.3.3.3/32 ping statistics --5 packet(s) transmitted
0.00% packet loss
to
3,
3,
3,
3,
3,
break
Subcode
Subcode
Subcode
Subcode
Subcode
1
1
1
1
1
----End
Checking Connectivity of the LDP LSP Through the Tracert Operation

This part describes how to check the communication among LSRs along the LSP through the
tracert operation.
Context
Perform the following steps on each node along the LSP to check connectivity:
Procedure
Step 1 Run:
tracert lsp [ -a source-ip | -exp exp-value | -h ttl-value | -r reply-mode | -t timeout | -v ] * ip destination-address mask-length [ ip-address ] [ nexthop nexthopaddress ] [ draft6 ]
The faulty node on the LDP LSP is located.

Issue 02 (2013-12-31)

646

Equipment
2 System Management
For detailed information about each parameter and its description in the tracert lsp command,
refer to the Command Reference.
<HUAWEI> tracert lsp ip 3.3.3.3 32 nexthop
TTL
Replier
Time
Type
0
Ingress
1
66.1.1.2
230 ms
Transit
2
3.3.3.3
80 ms
Egress
66.1.1.2
Downstream
66.1.1.2/[17 ]
88.1.1.1/[3 ]
As shown in the preceding command output, you can view information about each node along
the specified LDP LSP and the response time of each hop.
----End
2.6.4 Detecting the TE Tunnel Through the Ping or Tracert

Operation
This section describes how to check the communication among nodes on a TE tunnel through
ping and tracert operations.
Before You Start

Before checking the communication among nodes on a TE tunnel through ping and tracert
operations, familiarize yourself with the usage scenario, complete the pre-configuration tasks,
and obtain the required data. This can help you complete the configuration task quickly and
accurately.
You can use the ping lsp or tracert lsp command on the ingress to check connectivity of the
TE tunnel destined for the egress. If a hot-standby CR-LSP is set up, you can check connectivity
of the hot-standby CR-LSP specified through a command line.
Before checking connectivity of the TE tunnel through the ping or tracert operation, complete
the following task:
l
Configuring a TE tunnel correctly
Data Preparation
To check connectivity of the TE tunnel through the ping or tracert operation, you need the
following data.
Issue 02 (2013-12-31)
No.
Data
Number of the TE tunnel interface
Reply packet
647

Equipment
2 System Management
Checking Connectivity of the TE Tunnel Through the Ping Operation

This part describes how to check the communication among nodes on a TE tunnel through the
ping operation.
Context
Perform the following steps on each node along the TE tunnel to check connectivity:
Procedure
Step 1 Run:
-r reply-mode | -s packet-size | -t time-out | -v ] * te tunnel interface-number
[ hot-standby ] [ draft6 ] [ compatible-mode ]
Connectivity of each node along the TE tunnel is checked.

For detailed information about each parameter and its description in the ping command, refer
and the minimum, maximum, and average delay time of sending Echo Reply packets.
<HUAWEI> ping lsp te tunnel 1/0/0
LSP PING FEC: RSVP IPV4 SESSION QUERY Tunnel1/0/0 : 100 data bytes, press CTRL_C
to break
Reply from 20.1.1.2: bytes=100 Sequence=0 time = 50 ms
--- FEC: RSVP IPV4 SESSION QUERY Tunnel1/0/0 ping statistics --5 packet(s) transmitted
0.00% packet loss
----End
Checking Connectivity of the TE Tunnel Through the Tracert Operation

This part describes how to check the communication among nodes on a TE tunnel through the
tracert operation.
Context
Perform the following steps on each node along the TE tunnel to check connectivity:
Issue 02 (2013-12-31)

648

Equipment
2 System Management
Procedure
Step 1 Run:
tracert lsp [ -a source-ip | -exp exp-value | -h ttl-value | -r reply-mode | -t timeout ] * te tunnel interface-number [ hot-standby ] [ draft6 ] [ compatible-mode ]
Gateways that the packets pass along the TE tunnel are displayed and the faulty node is located.
For detailed information about each parameter and its description in the tracert command, refer
<HUAWEI> tracert lsp te tunnel 1/0/0
LSP Trace Route FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel1/0/0 , press CTRL_C to
break.
TTL
Replier
Time
Type
Downstream
0
Ingress
10.1.2.2/[13312 ]
1
10.1.2.2
63 ms
Transit
2
6.6.6.6
93 ms
Egress
the TE tunnel between the ingress and the egress and the response time of each hop.
----End
2.6.5 Detecting the PWE3 Network Through the Ping or Tracert

Operation
This section describes how to check the connectivity of PWs on the PWE3 network through ping
and tracert operations.
Before You Start

Before checking the connectivity of PWs on the PWE3 network through ping and tracert
operations, familiarize yourself with the usage scenario, complete the pre-configuration tasks,
and obtain the required data. This can help you complete the configuration task quickly and
accurately.
l
In the PWE3 networking, you can run the ping command to check connectivity of the
PWE3 network. After the PE receives the Echo Request packet, the PE abstracts and sends
FEC information in the packet to the L2VPN plane to determine whether the PE is the
egress. If the PE is the egress, an Echo Reply packet is sent.
Connectivity can be checked in control word mode or label alert mode.
If the Echo Request packet is replied through the control channel of the application
plane, the label alert function must be enabled on the PW.
If the multi-segment PW is detected in label alert mode, the Echo Request packet is sent
to the service provider end (SPE) that the L2VPN plane determines that the SPE is not
the egress. Then, the packet is forwarded and no Echo Reply packet is sent.
In the PWE3 networking, you can run the tracert command to detect the PW. Then, SPEs
and P devices along the PW of the PWE3 network are displayed; connectivity of the PW
is checked; the faulty node is located.
The TTL value in each sent Echo Request packet is increased by 1 hop. After receiving an
Echo Request packet, if the TTL in the Echo Request packet times out, the transit node
Issue 02 (2013-12-31)

649

Equipment
2 System Management
sends an Echo Reply packet containing information about its next hop information. The
tracert operation can terminate when the packet reaches the egress or when the TTL reaches
the upper limit.Different from the ping operation, the tracert operation can be performed
in normal mode. The normal mode and the control word mode cannot be configured
together.
Before detecting the PWE3 network through the ping or tracert operation, complete the following
task:
l
Configuring a PWE3 network correctly
Data Preparation
To detect the PWE3 network through the ping or tracert operation, you need the following data.
No.
Data
Type and ID of the local PW
(Optional) Remote PW ID, number of the sent Echo Request packets, interval for
sending Echo Request packets, number of bytes of the sent Echo Request packet,
and timeout period of sending the Echo Request packet
Checking Connectivity of the PWE3 Network Through the Ping Operation

This part describes how to check the connectivity of PWs on the PWE3 network through the
ping operation.
Context
Do as follows on the PE of a PWE3 network:
Procedure
Step 1 To check connectivity of the PWE3 network, run either of the following commands as required:
l To check connectivity of the PWE3 network through the control word channel, run:
ping vc pw-type pw-id [ -c echo-number | -m time-value | -s data-bytes | -t
timeout-value | -exp exp-value | -r reply-mode | -v ] * control-word [ ttl ttlvalue ] [ pipe | uniform ]
timeout-value | -exp exp-value | -r reply-mode | -v ] * control-word remote
remote-ip-address peer-pw-id [ draft6 | sender sender-address ] [ ttl ttlvalue ] [ pipe | uniform ]
l To check connectivity of the PWE3 network through the label alert channel, run:
timeout-value | -exp exp-value | -r reply-mode | -v ] * label-alert [ no-controlword ] [ remote remote-ip-address | draft6 ] * [ pipe | uniform ]
l To check connectivity of the PWE3 network through the normal channel, run:
timeout-value | -exp exp-value | -r reply-mode | -v ] * normal [ no-control-
Issue 02 (2013-12-31)

650

Equipment
2 System Management
word ] [ remote remote-ip-address peer-pw-id ] [ ttl ttl-value ] [ pipe |

uniform ]
Before using the ping vc command to check connectivity of a PWE3 network, you must
configure as follows:
l Configure the PWE3 network correctly.
For details about parameters in the ping vc command, refer to the Command Reference.
<HUAWEI> ping vc ethernet 100 control-word remote 2.2.2.2 100
Reply: bytes=100 Sequence=1 time = 11 ms
--- FEC: FEC 128 PSEUDOWIRE (NEW). Type = ethernet, ID = 100 ping statistics--5 packet(s) transmitted
0.00% packet loss
----End
Checking Connectivity of the VLL Network Through the Tracert Operation

This part describes how to check the connectivity of PWs and locate faults on the PWE3 network
by using tracert to obtain information about the SPE and P through which data passes from the
source to the destination.
Context
Do as follows on the PE of a PWE3 network:
Procedure
Step 1 To locate the faulty node on a PWE3 network, run either of the following commands as required:
l To check connectivity of the PWE3 network through the control word channel, run:
tracert vc pw-type pw-id [ -exp exp-value | -f first-ttl | -m max-ttl | -r replymode | -t timeout-value ] * control-word [ [ [ remote remote-pw-id ] draft6 ] |
remote remote-ip-address ] [ full-lsp-path ] [ pipe | uniform ]
l To check connectivity of the PWE3 network through the label alert channel, run:
tracert vc pw-type pw-id [ -exp exp-value | -f first-ttl | -m max-ttl | -r replymode | -t timeout-value ] * label-alert [ no-control-word ] [ remote remote-ipaddress ] [ full-lsp-path ] [ draft6 ] [ pipe | uniform ]
l To check connectivity of the PWE3 network through the normal channel, run:
Issue 02 (2013-12-31)

651

Equipment
2 System Management
tracert vc pw-type pw-id [ -exp exp-value | -f first-ttl | -m max-ttl | -r replymode | -t timeout-value ] * normal [ no-control-word ] [ remote remote-ipaddress ] [ full-lsp-path ] [ draft6 ] [ pipe | uniform ]
Before using the tracert vc command to check connectivity of a PWE3 network, you must
configure as follows:
l Configure the Kompella PWE3 network correctly.
The control word channel and the ordinary mode cannot be configured together.
For detailed information about each parameter and its description in the tracert vc command,
<HUAWEI> tracert vc ppp 100 control-word remote 200 draft6
TTL
Replier
Time
Type
Downstream
0
Ingress
10.1.1.2/[1025 ]
1
10.1.1.2
230 ms Transit
20.1.1.2/[3 ]
2
20.1.1.2
230 ms Transit
30.1.1.2/[3 ]
3
30.1.1.2
100 ms Transit
40.1.1.2/[3 ]
4
40.1.1.2
150 ms Egress
the PW and the response time of each hop.
----End
2.6.6 Detecting the VPLS Network Through the Ping or Tracert

Operation
This section describes how to check the VPLS network connectivity through ping and tracert
operations.
Before You Start

Before checking the VPLS network connectivity through ping and tracert operations, familiarize
You can run the ping or tracert command to check connectivity of a VPLS network. Either
command can be used to detect only the single-segment PW. On a Hierarchical Virtual Private
LAN Service (HVPLS) network, the ping or tracert operation terminates at the first hop. You
can detect a specified PW by setting a PW ID. If the PW ID is not set, the VSI ID is used.
You can use the ping operation but not the tracert operation to detect an inter-AS VPLS network.
Before detecting the VPLS network through the ping or tracert operation, complete the following
task:
l
Issue 02 (2013-12-31)
Configuring a VPLS network correctly

652

Equipment
2 System Management
Data Preparation
To detect the VPLS network through the ping or tracert operation, you need the following data.
No.
Data
In Martini mode: VSI name, IP address of the remote PW, and local PW ID
(Optional) Number of the sent Echo Request packets, interval for sending Echo
Request packets, number of bytes of the sent Echo Request packet, timeout period
of sending the Echo Request packet, reply mode, and EXP value of the sent Echo
Request packet
Checking Connectivity of the VPLS Network Through the Ping Operation

The ping operation supports the inter-AS VPLS network.
Context
Perform the following steps on the PE of a VPLS network:
Procedure
Step 1 To check connectivity of the VPLS network, run either of the following commands as required:
l In Martini mode, run:
ping vpls [ -c echo-number | -m time-value | -s data-bytes | -t timeout-value |
-r reply-mode | -exp exp-value | -v ] * vsi vsi-name peer peer-address
[ negotiate-vc-id vc-id ]
For detailed information about each parameter and its description in the ping vpls command,
The following information is displayed in the ping vpls command output:
Run the ping vpls command to check connectivity of the VPLS network.
<HUAWEI> ping vpls -c 10 -m 10 -s 65 -t 100 -v vsi test 10 10
Reply: bytes=65 Sequence=1 time = 31 ms Return Code 3, Subcode 1
Issue 02 (2013-12-31)

653

Equipment
2 System Management
--- FEC: FEC 128 PSEUDOWIRE (NEW). Type = ethernet, ID = 100 ping statistics
10 packet(s) transmitted
0.00% packet loss
----End
Checking Connectivity of the VPLS Network Through the Tracert Operation

The tracert operation does not support the inter-AS VPLS network.
Context
Perform the following steps on the PE of a VPLS network:
Procedure
Step 1 To locate the faulty node on the VPLS network, run either of the following commands as
required:
l In Martini mode, run:
tracert vpls [ -exp exp-value | -f first-ttl | -m max-ttl | -r reply-mode | -t
timeout-value ] * vsi vsi-name peer peer-address [ negotiate-vc-id vc-id ]
For detailed information about each parameter and its description in the tracert vpls command,
Run the tracert vpls command to locate VPLS network faults.
<HUAWEI> tracert vpls vsi test 10 10 full-lsp-path
TTL
Replier
Time
Type
Downstream
0
Ingress
20.1.1.2/[17409 3 ]
1
20.1.1.2
110 ms Transit
30.1.1.2/[17408 3 11264 ]
2
30.1.1.2
50 ms
Transit
40.1.1.1/[3 ]
3
4.4.4.4
50 ms
Egress
the PW and the response time of each hop.
----End
2.6.7 Detecting the BGP or MPLS IP VPN Through the Ping or

Tracert Operation
This section describes how to check the BGP or MPLS IP VPN network connectivity through
the ping operation.
Before You Start

Before checking the BGP or MPLS IP VPN network connectivity through the ping operation,
Issue 02 (2013-12-31)

654

Equipment
2 System Management
After a VPN is correctly configured, you can run the ping lsp command on the PE to ping the
peer PE to check connectivity of the LSP of the BGP/MPLS IP VPN.
The public network tunnel can be:
l
Equal-cost load balancing LDP LSPs
TE tunnels
Backup VPN FRR tunnels
The private network routes are generated through iteration of public network routes.
If the CE address is pinged and the link between the CE and PE is faulty, the ping operation can
be performed successfully because the end-to-end link between PEs is detected actually.
Before detecting the BGP/MPLS IP VPN through the ping operation, complete the following
task:
l
Configuring a BGP/MPLS IP VPN correctly
Data Preparation
To detect the BGP/MPLS IP VPN through the ping operation, you need the following data.
No.
Data
Name of a VPN instance and IP address of the remote PE
Reply packet
Checking Connectivity of the BGP or MPLS IP VPN Through the Ping Operation
Running the ping lsp command on the PE to ping the peer PE, you can check the connectivity
of the LSP on the MPLS IP VPN network.
Context
Perform the following steps on the PE of a BGP/MPLS IP VPN:
Procedure
Step 1 Run:
-r reply-mode | -s packet-size | -t time-out | -v ] * vpn-instance vpn-name remote
remote-address mask-length
Connectivity of the BGP/MPLS IP VPN is checked.

Issue 02 (2013-12-31)

655

Equipment
2 System Management
For detailed information about each parameter and its description in the ping lsp command, refer
The following information is displayed in the ping lsp command output:
<HUAWEI> ping lsp -v vpn-instance test remote 3.3.3.3 32
LSP PING FEC: IPV4 PREFIX 3.3.3.3/32 : 100 data bytes, press CTRL_C
--- FEC: IPV4 PREFIX 3.3.3.3/32 ping statistics --5 packet(s) transmitted
0.00% packet loss
to
3,
3,
3,
3,
3,
break
Subcode
Subcode
Subcode
Subcode
Subcode
1
1
1
1
1
----End
2.6.8 Checking Layer 2+Layer 3 Network Connectivity Using a Ping

Operation
This section describes how to check Layer 2+Layer 3 network connectivity using a ping
operation.

Before using a ping operation to check Layer 2+Layer 3 network connectivity, familiarize
yourself with the usage scenario, complete the pre-configuration tasks, and obtain the data
required for the configuration.
Issue 02 (2013-12-31)

656

Equipment
2 System Management
Usage Scenario
Figure 2-58 L2VPN+L3VPN networking
After you configure a Layer 2+Layer 3 network, run the ping command on the CSG to check
the Layer 2+Layer 3 network connectivity.
When the CSG is not connected to the eNodeB, the L2VPN and L3VPN between the CSG and
RSG work properly. When the CSG is connected to the eNodeB, a fault may occur between the
CSG and eNodeB or between the CSG and RSG.
Before using a ping operation to check Layer 2+Layer 3 network connectivity, complete the
following tasks:
l
Configure a tunnel and a VLL between the CSG and RSG.
Ensure that the VLL goes Up.
Data Preparation
To use a ping operation to check Layer 2+Layer 3 network connectivity, you need the following
data.
Issue 02 (2013-12-31)
No.
Data
IP address of the RSG
(Optional) Source IPv4 address, EXP value, and TTL value of the sent Echo
total number of sent Echo Request packets, and timeout period of the Echo Reply
packet

657

Equipment
2 System Management
Checking Layer 2+Layer 3 Network Connectivity Using Ping

This section describes how to use a CSG to ping an RSG to check Layer 2+Layer 3 network
connectivity.
Context
Perform the following steps on a CSG on a Layer 2+Layer 3 network:
Procedure
Step 1 Run:
system-view

Step 2 Run:
interface interface-type interface-number
A VE interface is created, and the VE interface view is displayed.

Step 3 Run:
ve-group ve-group-id l2-terminate
An L2VE interface is created.

Step 4 Run:
bind interface interface-type interface-number
The AC interface of a VLL is bound to the L2VE interface.

Step 5 Run:
quit

Step 6 Run:
The VE interface view is displayed.

Step 7 Run:
ve-group ve-group-id l3-access
An L3VE interface is created.

Step 8 Run:
ip address ip-address { mask | mask-length }
Step 9 Run:
ip route-static ip-address { mask | mask-length } { nexthop-address | interfacetype interface-number [ nexthop-address ] } [ preference preference | tag tag ] *
[ permanent ] [ description text ]
A static route destined for the RSG is configured on the L3VE interface.
Step 10 Run:
ping [ ip ] [ -a source-ip-address | -c count | -d | { -f | ignore-mtu } | -h ttlvalue | { [ -nexthop nexthop-address ] [ -i interface-type interface-number ] | -
Issue 02 (2013-12-31)

658

Equipment
2 System Management
si source-interface-type source-interface-number } | -m time | -n | -name | -p

pattern | -q | -r | { -s packetsize | -range [ min min-size | max max-size | step
step-size ] * } | -system-time | -t timeout | { -tos tos-value | dscp dscp-value }
| -v | -vpn-instance vpn-instance-name | -ri | -8021p 8021p-value ] * host [ ipforwarding ]
The connectivity of the Layer 2 and Layer 3 network (between the CSG and RSG) is checked.
The ping command lists only some parameters. For details about parameter description, see
Command Reference.
The ping command output includes the following information:
l Response to each ping packet: If an Echo Response packet is not received before the
corresponding timer expires, a message of "Request time out" is displayed; if an Echo
Response packet is received, the number of data bytes, packet sequence number, TTL, and
response time are displayed.
l Final statistics: include the number of sent packets and the number of received response
packets, percentage of failed response packets, and minimum, maximum, and average
response times.
NOTE
If the destination address in the ping command is a broadcast address, the source address carried in the
Response packet is the broadcast address.
<HUAWEI> ping 192.168.100.1
ms
ms
ms
ms
ms

0.00% packet loss
----End
2.6.9 Checking the VPLS Network Through VPLS MAC Ping

This section describes how to check the VPLS network through VPLS MAC ping operation.
Before You Start

Before checking the VPLS network through VPLS MAC ping and VPLS MAC trace operations,
VPLS MAC ping can be used to check whether a reachable VPLS path to the destination MAC
address exists on the VPLS. However, it cannot reflect the actual path along which packets are
forwarded. If the network has faults, VPLS MAC trace can be used to locate faults.
Issue 02 (2013-12-31)

659

Equipment
2 System Management
l
Data Preparation
To configure VPLS MAC ping and VPLS MAC trace to check the VPLS network, you need the
following data.
No.
Data
VSI name and MAC address
(Optional) VLAN ID
(Optional) For VPLS MAC ping: Number of sent Request packets, size of the
Request packet, interval for sending Request packets, timeout period for waiting
for a Reply packet, priority of the packet, and reply mode
(Optional) For VPLS MAC trace: Size of the Request packet, timeout period for
waiting for a Reply packet, priority of the packet, initial TTL, maximum TTL, and
reply mode
Checking the Connectivity of the VPLS Network Through MAC Ping

This part describes how to check the VPLS network through the VPLS MAC ping operation.
Context
Perform the following steps on the PE of the VPLS network whose connectivity is to be checked.
Procedure
Step 1 Run:
ping vpls mac mac-address vsi vsi-name [ vlan vlan-id ] [ -c count | -m time-value
| -s packsize | -t timeout | -exp exp | -r replymode | -h ttl ] *,
or ping vpls mac mac-address vsi vsi-name rapid [ vlan vlan-id ] [ -c count_rapid
| -s packsize | -t timeout | -exp exp | -r replymode | -h ttl ]
Connectivity of the VPLS network is checked.

For details about parameters in the ping command, refer to the Command Reference.
The ping command output includes:
l Response to each ping packet: If no Reply packet is received within a certain period, the
message saying "Request time out" is displayed. Otherwise, the bytes of the data, sequence
number of the packet, TTL value, and response time carried in the Reply packet are displayed.
l Final statistics, including the number of sent packets, number of received Reply packets,
percentage of non-response packets, and the minimum, maximum, and average values of the
response time.
Issue 02 (2013-12-31)

660

Equipment
2 System Management
l If rapid is configured in the ping command, only the following summary statistics are
displayed: numbers of sent packets and received packets, percentage of packets that are not
responded, and minimum, maximum and average response time.
<HUAWEI> ping vpls mac 00e0-5952-6f01 vsi v123
Ping mac 00e0-5952-6f01 vsi v123 : 100 data bytes , press CTRL_C to break
Reply from 10.1.1.1 : bytes=100 sequence=1 time = 1ms
The IP address of the PE is 5.5.5.9 and the interface on the PE is
GigabitEthernet5/0/0.100.
--- vsi : v123 00e0-5952-6f01 ping statistics --5 packet(s) transmitted
0.00% packet loss
<HUAWEI> ping vpls mac 00e0-5952-6f01 vsi v123 rapid
Ping mac 00e0-5952-6f01 vsi v123 : 130 data bytes , press CTRL_C to break !!!!!
--- vsi : v123 00e0-5952-6f01 ping statistics --5 packet(s) transmitted
0.00% packet loss
----End
Checking the Connectivity of the VPLS Network Through MAC Trace

This part describes how to check the VPLS network through the VPLS MAC trace operation.
Context
Perform the following steps on the PE of the VPLS network whose connectivity is to be checked.
Procedure
Step 1 Run:
trace vpls mac mac-address vsi vsi-name [ vlan vlan-id ] [-t timeout | -f firstttl | -m max-ttl | -exp exp | -r replymode ] *
The fault location on the VPLS network is checked.

For details about parameters in the trace command, refer to the Command Reference.
The trace command output includes:
<HUAWEI> trace vpls mac 00e0-5952-6f01 vsi v123
Traceroute to mac 00e0-5952-6f01 vsi v123, 30 hops max, press CTRL_C to break
TTL
Num
Replier
Time Type
Downstream
Hit
LSR-ID
Out Interface
-----------------------------------------------------------------------0
1
Ingress
10.1.1.2/[1026]
N
2
Ingress
10.3.3.2/[10]
N
1
1
10.1.1.2
6ms
Transit
10.2.2.2/[3]
-2.2.2.2
2
10.3.3.2
5ms
Egress
N
3.3.3.3
2
1
10.2.2.2
3ms
Egress
Y
Issue 02 (2013-12-31)

661

Equipment
2 System Management
4.4.4.4
Info: Succeeded in tracing the destination address 00e0-5952-6f01.
Based on the preceding result, you can view gateways through which the packet passes from the
source address to the MAC address of the specified VSI and the response time of each hop.
----End
2.6.10 Detecting Trunk Member Links Through a Ping Operation

You can detect trunk member links through a ping operation.
Before You Start

Before detecting trunk member links through a ping operation, familiarize yourself with the
usage scenario, complete the pre-configuration tasks, and obtain the required data. This can help
Each trunk member interface transmits services through a separate path. Therefore, the delay,
jitter, and packet loss percentage on each path is unique. When the quality of services on trunk
member links declines, you can run the trunk member-port-inspect command to enable the
detection of member interfaces and then run the ping command to detect whether the network
connectivity of each member interface is normal.
Before detecting trunk member links through a ping operation, complete the following tasks:
l
Configuring IP address and IGP routes for devices to communication with each other
Data Preparation
To detect trunk member links through a ping operation, you need the following data.
No.
Data
IP address of the peer end and the outbound interface of the local end
Detecting the Connectivity of Layer 3 Trunk Member Interfaces Through a Ping

Operation
You can use the ping operation to detect trunk member links.
Context
Before performing the ping operation to detect trunk member links, you must run the trunk
member-port-inspect command on the local and peer devices to enable the detection of trunk
member interfaces.
Issue 02 (2013-12-31)

662

Equipment
2 System Management
NOTE
The trunk member-port-inspect command makes sense for all Layer 3 trunk member interfaces. Therefore,
you must disable the command immediately after the detection to save system resources.
Procedure
Step 1 To detect the connectivity of Layer 3 trunk member interfaces on the MPLS network, run:
ping [ ip ] [ -a source-ip-address | -c count | -d | -f | -h ttl-value | -i interface-type interfacenumber [ ] | -m time | -n | | -p pattern | -q | -r | -s packetsize | -system-time | -t timeout | -tos tosvalue | -v | -vpn-instance vpn-instance-name ] * host [ ip-forwarding ]
NOTE
This command can detect only the connectivity of the link between directly-connected trunk member
interfaces.
The preceding command contains only a part of the parameters. For descriptions of the
parameters of this command, refer to the Command Reference.
Information displayed in the ping command output is as follows:
l Response to each ping message: If the time expires and no Echo Request message is received,
a message "Request time out" is displayed; if an Echo Request message is received, the
number of data bytes, the sequence number of the message, and the response time are
displayed.
l Final statistics: The number of sent packets, number of received response packets, percentage
of non-response packets, and minimum, maximum and average values of the response time
are displayed.
<HUAWEI> ping -i gigabitethernet 0/2/0 10.1.1.2
Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255
0.00% packet loss
time=170 ms
time=30 ms
time=30 ms
time=50 ms
time=50 ms
----End
2.6.11 Configuring Ping/Tracert to Locate a Connection Fault in a

Multicast Network
The multicast ping or tracert operations can be used to monitor connectivity of links on a
multicast network.
Before You Start

Before establishing the configuration task, familiarize yourself with the usage scenario, complete
the pre-configuration tasks, and obtain the data required for the configuration.
Issue 02 (2013-12-31)

663

Equipment
2 System Management
When the multicast services are interrupted, configure the ping multicast or mtrace command
to monitor the connectivity of links on a multicast network.
Before establishing the configuration task of monitoring a multicast network by the ping or
tracert operation, complete the following task:
l
Configuring a multicast network correctly
Data Preparation
To monitor the multicast network by the ping multicast or mtrace operation, you need the
following data.
No.
Data
Multicast group address
Multicast source address and destination host address
Configuring Multicast Ping to Locate a Connection Fault in a Multicast Network

The section describes how to detect whether a network can bear multicast services by the ping
multicast operation.
Context
When a link fault occurs in multicast data transmission, run the following commands to check
the members of a reserved multicast group on the network segment, or generate the common
group traffic and trigger the setup of the distribution tree.
Procedure
Step 1 Run the ping multicast [ -i interface-type interface-number | -c count | -h ttl-value | -m time | p pattern | -q | -s packet (s) ize | -t timeout | -tos tos-value | -v ] * host command to ping a reserved
group address.
The preceding ping multicast command contains only a part of the parameters. For descriptions
of the parameters of this command, refer to the Command Reference.
<HUAWEI> ping multicast -i gigabitethernet 1/0/0 224.0.0.5
MULTICAST PING 224.0.0.5 : 56 data bytes, press Ctrl+C to break
Reply from 110.1.1.5 : bytes=56 Sequence=1 TTL=255 time = 30ms
Reply from 110.1.1.5 : bytes=56 Sequence=1 TTL =255 time = 10ms
Request time out
Destination multicast address 224.0.0.5
--- Multicast ping statistics --5 Request packet(s) transmitted
4 Reply packet(s) received
20.00% packet loss
Issue 02 (2013-12-31)

664

Equipment
2 System Management
Round-trip min/avg/max = 10/14/30 ms
Step 2 Run the ping multicast [ -c count | -h ttl-value | -m time | -p pattern | -q | -s packet (s) ize | -t
timeout | -tos tos-value | -v ] * host command to ping a common group address. To check whether
a router interface can be pinged from a multicast group, the router interface must have been
connected to user hosts that are capable of parsing and responding to ICMP Echo Request
packets. These requirements do not facilitate fault locating. To avoid these user hosts
requirements, run the igmp static-group group-address [ source source-address ] mpingecho command on a router interface. This configuration enables the router interface to respond
to ICMP Echo Request packets, irrespective of whether this interface is connected to user hosts
that are capable of parsing and responding to ICMP Echo Request packets. This function
facilitates fault locating.
The preceding ping multicast command contains only a part of the parameters. For descriptions
of the parameters of this command, refer to the Command Reference.
The ping multicast command output includes the following information:
l Response to each ping multicast message: If an echo rely message is not received before
the corresponding time expires, a message of "Request time out" is displayed; if an echo
reply message is received, the data bytes, message sequence number, time to live (TTL), and
response time are displayed.
l Final statistics: include the number of packets sent and response packets received, percentage
of failure response packets, and minimum, maximum and average response time.
<HUAWEI> ping multicast 225.0.0.1
MULTICAST PING 225.0.0.1 : 56 data bytes, press Ctrl+C to break
Destination multicast address 225.0.0.1
--- Multicast ping statistics --10 Request packet(s) transmitted
10 Reply packet(s) received
0% packet loss
Round-trip min/avg/max = 10/22/40 ms
----End
Configuring Multicast Tracert to Locate a Connection Fault in a Multicast Network

This section describes how to monitor a multicast path or reverse path forwarding (RPF) path
from the multicast source to the querier or destination host on a specified multicast network, and
display hop-by-hop information.
Context
If a fault occurs in multicast data transmission, run the following commands to trace traffic paths,
collect traffic data, and locate faulty nodes. The following commands can trace four types of
traffic paths: the RPF path from the multicast source to the current router, the multicast path
from the multicast source to the current router, the RPF path from the multicast source to the
destination host, and the multicast path from the multicast source to the destination host.
Issue 02 (2013-12-31)

665

Equipment
2 System Management
Procedure
Step 1 Run the mtrace -r receiver [ -l [ stat-times ] [ -st stat-int ] | -m max-ttl | -mr | -q nqueries | -tr
ttl | -ts ttl | -ur resp-dest | -v | -w timeout ] * source source-address command to monitor the
RPF path from the multicast source to the querier.
Step 2 Run the mtrace -r receiver -g group [ -l [ stat-times ] [ -st stat-int ] | -m max-ttl | -mr | -q
nqueries | -tr ttl | -ts ttl | -ur resp-dest | -v | -w timeout ] * source source-address command to
monitor the multicast path from the multicast source to the querier.
Step 3 Run the mtrace { -gw last-hop-router | -d } -r receiver [ -a source-ip-address | -l [ stat-times ]
[ -st stat-int ] | -m max-ttl | -mr | -q nqueries | -tr ttl | -ts ttl | -ur resp-dest | -v | -w timeout ] *
source source-address command to monitor the RPF path from the multicast source to the
destination host.
Step 4 Run the mtrace { -gw last-hop-router | -b | -d } -r receiver -g group [ -a source-ip-address | l [ stat-times ] [ -st stat-int ] | -m max-ttl | -mr | -q nqueries | -tr ttl | -ts ttl | -ur resp-dest | -v | w timeout ] * source source-address command to monitor the multicast path from the multicast
source to the destination host.
The preceding mtrace command contains only a part of the parameters. For descriptions of the
parameters of this command, refer to the ATN - Command Reference.
----End
2.6.12 Configuring CE Ping to Detect the Connectivity Between the

PE and CE
This section describes how to configure CE ping to detect the connectivity between the PE and
CE, and obtain the MAC address of the CE.

Before configuring CE ping to detect the connectivity between the PE and CE, familiarize
yourself with the applicable environment, complete the pre-configuration tasks, and obtain the
data required for the configuration.
CE ping can be used to detect the connectivity between the PE and CE, and obtain the MAC
address of the CE.
l
On the VLL, the connectivity between the PE and local CE can be detected.
Prerequisites
Before configuring CE ping to detect the connectivity between the PE and CE, complete the
following task:
l
Issue 02 (2013-12-31)
Configuring a VLL network

666

Equipment
2 System Management
Data Preparation
To configure CE ping to detect the connectivity between the PE and CE, you need the following
data.
No.
Data
Source IP address
Interval at which CE ping requests are sent and the number of sent CE ping requests
Configuring CE Ping to Check the Connectivity Between the PE and CE on a VLL

Network
On the VLL network, the connectivity between the PE and local CE can be detected.
Prerequisites
The VLL network has been configured.
CE ping is available for the VLL network of the following types:
l
CCC
SVC
Martini
Context
NOTICE
Note the following items when specifying the source IP address:
l The source IP address must be on the same network with the IP address of the receiver.
Otherwise, the receiver determines that the ARP request message is illegal and does not
respond to it.
l The source IP address cannot be an existing IP address on the L2VPN. Otherwise, the packet
forwarding path becomes incorrect, causing users with IP addresses being the specified
source IP address to unable to get online. If the specified source IP address is the IP address
of the gateway, all host users on the network cannot get online.
To avoid such a problem, when running the ce-ping command, you are prompted to confirm
that the specified source IP address is not in use. The command execution continues after Y is
pressed.
Procedure
Step 1 Run
ce-ping ip-address interface interface-type interface-number source-ip source-ipaddress [ mac mac-address ] [ interval interval | count count ] *
Issue 02 (2013-12-31)

667

Equipment
2 System Management
The connectivity between the PE and CE is detected.

<HUAWEI> ce-ping 20.1.1.2 interface gigabitethernet0/2/1 source-ip 20.1.1.100
Info: If the designated source IP address is in use, it could cause the abnormal
data transmission in the network. Are you sure the source-ip is unused in this
network?[Y/N]y
ce-ping is in process...
20.1.1.2 is used by 0018-8257-ffde.
----End
2.7 Fault Management

2.7.1 Introduction
Introduction
Through detecting, diagnosing, isolating, and rectifying the existing or potential fault, and then
generating the relevant alarm or precaution alarm, fault management can rectify the fault or
minimize the impact of the fault on system running, enhance the fault tolerance capability of the
system, and improve the system reliability.
2.7.2 Configuring Alarm Management

The configurations of alarm management include the alarm severity level, delayed alarm
reporting, NMS-based correlated alarm suppression, and interface-based alarm filtering.
Before You Start

Before configuring alarm management, familiarize yourself with the usage scenario, complete
the pre-configuration tasks, and obtain the required data.
By using fault management, you can configure alarm management, including changing alarm
severities, enabling delayed alarm reporting, and suppressing alarms.
Before configuring alarm management, complete the following task:
l
Installing system software to the ATN and powering it on
Data Preparation
Before configuring alarm management, you need the following data.
Issue 02 (2013-12-31)

668

Equipment
No.
Data
Alarm name
Alarm severity level:
2 System Management
l 1: Critical
l 2: Major
l 3: Minor
l 4: Warning
l 5: Indeterminate
l 6: Cleared
3
Period after which a generated alarm is reported and period after which a generated
recovery alarm is reported
IP address of the NMS host to which non-root-cause alarms are not reported, and
security name, VPN instance name, and interface name on the NMS
Setting the Alarm Severity Level

You can change the default alarm severity level.
Procedure
Step 1 Run:
system-view

Step 2 Run:
alarm
The alarm view is displayed.

Step 3 Run:
alarm-name alarm-name severity severity
The alarm severity level is set.

If you focus on certain types of alarms, you can set the highest severity level for these types of
alarms and configure filtering conditions. In this manner, the system reports only these types of
alarms to the NMS.
----End
Configuring Delaying Alarm Reporting

To control the frequency at which alarms are reported, you can set a period after which a
generated alarm is reported.
Issue 02 (2013-12-31)

669

Equipment
2 System Management
Procedure
Step 1 Run:
system-view

Step 2 Run:
alarm

Step 3 Run:
delay-suppression enable
The delayed alarm reporting function is enabled.

By default, this function is enabled to prevent intermittent alarms and repeated alarms from being
reported during the delay period.
Step 4 Run:
suppression alarm-name alarm-name { cause-period cause-seconds | clear-period
clear-seconds }
The period after which a generated alarm is reported is set.

After such a period is set for an alarm, there are the following situations:
l If no recovery alarm is generated during the period, the alarm is not reported to the NMS
until the period expires.
l If a recovery alarm is generated during this period, the alarm and its recovery alarm are both
deleted from the alarm queue and will not be reported to the NMS.
You can use the parameter cause-period cause-seconds to set the period after which a generated
alarm is reported.
You can use the parameter clear-period clear-seconds to set the period after which a generated
recovery alarm is reported.
----End
Configuring Correlated Alarm Suppression

After correlated alarm suppression is configured, the system filters out non-root-cause alarms
and reports only root-cause alarms to the NMS.
Procedure
Step 1 Run:
system-view

Step 2 Run:
alarm

Issue 02 (2013-12-31)

670

Equipment
2 System Management
Step 3 Run:
correlation-analyze enable
Correlated alarm suppression is enabled.

By default, correlated alarm suppression is disabled. Therefore, before configuring correlated
alarm suppression, ensure that this function has been enabled.
Step 4 Perform the following steps to configure correlated alarm suppression or filtering.
l Configure interface-based alarm filtering.
Run the mask interface interface-type interface-number command to configure interfacebased alarm filtering.
By default, the system does not filter alarms generated on interfaces.
After alarm filtering is configured on an interface, the system will report only root-cause
alarms but not correlated alarms generated on this interface to the NMS.
----End

After alarm management is configured, you can check alarm information.
Prerequisites
The configurations of alarm management are complete.
Context
l
Run the display alarm active command to check active alarms.
Run the display alarm history command to check historical alarms.
Run the display alarm information [ name alarm-name ] command to check alarm
information.
Run the display this command to check information about delayed alarm reporting.
2.7.3 Configuring Event Management

The configurations of event management include the delayed event reporting.
Before You Start

Before configuring event management, familiarize yourself with the usage scenario, complete
You can configure event management to configure delayed event reporting.
Before configuring event management, complete the following task:
Issue 02 (2013-12-31)

671

Equipment
2 System Management
Installing system software to the ATN and powering it on
Data Preparation
Before configuring event management, you need the following data.
No.
Data
Event name
Period after which a generated event is reported
Configuring Delayed Event Reporting

To control the frequency at which an event is reported, you can set a period after which a
generated event is reported.
Procedure
Step 1 Run:
system-view

Step 2 Run:
event
The event view is displayed.

Step 3 Run:
delay-suppression enable
The delayed event reporting function is enabled.

By default, this function is enabled to prevent events from being reported during the delay period.
Step 4 Run:
suppression event-name event-name period seconds
The period after which a generated event is reported is set.

After the delay period is set for a certain event, if an event is generated multiple times during
the delay period, the system reports only the first one to the NMS when the delay period expires
and discards the following ones.
----End

After event management is configured, you can check event information.
Prerequisites
The configurations of event management are complete.
Issue 02 (2013-12-31)

672

Equipment
2 System Management
Context
l
Run the display event command to check the contents of events.
Run the display event information [ name event-name ] command to check information
about events.
Run the display this command to check information about delayed event reporting.
2.7.4 Maintenance
This section describes how to maintain fault management.
Clearing Alarm Messages

You can clear alarm messages in the alarm view as required.
Context
NOTICE
After alarm messages are cleared, there is no way for the NMS to obtain any information about
these cleared messages. Therefore, before deleting alarm messages, be sure that the NMS no
longer needs these alarm messages.
In routine maintenance, you can run the following commands in the alarm view to clear alarm
messages.
Procedure
Step 1 Run:
system-view

Step 2 Run:
alarm

Step 3 Run:
clear alarm active { all | sequence-number sequence-number
Active alarm messages are cleared.

----End
Clearing Event Messages

You can clear event messages in the event view as required.
Issue 02 (2013-12-31)

673

Equipment
2 System Management
Context
NOTICE
After event messages are cleared, there is no way for the NMS to obtain any information about
these cleared messages. Therefore, before deleting event messages, be sure that the NMS no
longer needs these event messages.
In routine maintenance, you can run the following commands in the event view to clear event
messages.
Procedure
Step 1 Run:
system-view

Step 2 Run:
event
The event view is displayed.

Step 3 Run:
clear event all
Event messages are cleared.

----End
Maintaining Probe Diagnose

The interruption of the neighbor relationship between service modules on the network is hard
to be replicated. Therefore, once occurring, the problem is recorded in logs on the Media Transfer
Protocol (MTP) module for fault location in the future.
Context
Operations that trigger the MTP module to generate a log are as follows:
l
When the neighbor relationship established between service modules (for example, LDP
modules) is interrupted because the Interior Gateway Protocol (IGP) route is unreachable,
a ping operation is started on the MTP module to detect the reachability of the IGP route.
LDP needs to deliver the ping operation to the MTP module before it times out.
Packet statistics in the IPC and VP channels: When packets are discarded by the InterProcess Communication (IPC) and Virtual Path (VP) channels, which causes the Label
Distribution Protocol (LDP) neighbor relationship to be interrupted and therefore the
protocol to time out, the number of discarded packets is counted.
Packet statistics on the Central Processor CAR (CPCAR): When packets are discarded on
the NP at the lower layer, causing the LDP neighbor relationship to be interrupted and
Issue 02 (2013-12-31)

674

Equipment
2 System Management
therefore the protocol to time out, the number of packets discarded and forwarded on the
CPCAR is counted.
Procedure
l
If the maintainable information has been collected and recorded in logs on the MTP module,
run the display mtp statistics command in the user view.
----End
2.8 Performance Management

Performance management (PM) can discover potential problems in the network and provide
references for system decisions by monitoring and collecting performance indicators in the
system (such as the CPU usage and number of received and sent packets at an interface). PM is
used for network condition analysis, capacity planning, fault location and other purposes.
2.8.1 Configuring the Performance Management function

The performance management function enables the system to collect the performance statistics
and generate a performance statistics file for the query from local and NMS users.

Before configuring the performance statistics function, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the data required for the
configuration.
The performance statistics function enables the system to periodically monitor and collect the
performance statistics about a service. The performance statistics are saved in files and sent to
the PM server or alarms are sent to the NMS when the data exceeds the maximum value.
Before configuring the performance statistics function, complete the following task:
l
Configuring reachable routes between the ATN and PM server
Data Preparation
To configure the performance statistics function, the following data is needed.
Issue 02 (2013-12-31)
No.
Data
Name of a performance statistics task, interval for collecting the performance

statistics, number of intervals for collecting the performance statistics, type of an
instance, name of an instance, name of a performance indicator, and (Optional)
threshold values for alarms when an alarm is generated or recovered.
675

Equipment
2 System Management
No.
Data
Name of a PM server, IP address of the PM server, monitoring port number, user

name and password for logging in to the PM server, destination path where a
performance statistics file is saved on the PM server, number of retransmissions of
a performance statistics file, name of the request for uploading a performance
statistics file, and name of a performance statistics file
Type of instances and rules for naming instances are shown in the following table.
Type of Instances
Rules for Naming Instances
nqa
A string of two words with an n dash in the

middle: %s-%s
For example: AAA-bbb; Aa&-123; Aa&-_*
()
interface
Interface type+interface number with no

space between the two.
For example, GigabitEthernet0/2/0.
tdm-pwe3
Interface type (including only two types:

serial and trunk-serial)+interface number
For example, serial0/2/4:1.
card
"master" is the master MPU; "slave" is the

slave MPU; "slot%d" is the LPU.
flow-queue
Interface name+pe (VLAN ID: 0-4096)+ce

(VLAN ID: 0-4096)+received or sent packets
(1 or 2)+TM (0 or 1)
For example, GigabitEthernet0/2/0 16 15 2 1
Configuring a Performance Statistics Task

After an interval for collecting the performance statistics is set and an instance is bound to a
performance statistics task, the system starts to collect the performance statistics.
Context
A performance statistics task can be configured to collect and analyze the performance statistics
on a service in the system. A performance statistics task includes collecting basic performance
statistics, saving a performance statistics file, and reporting information on exceeded data.
Procedure
Step 1 Run the system-view command. The system view is displayed.
Issue 02 (2013-12-31)

676

Equipment
2 System Management
Step 2 Run the pm command. The PM view is displayed.

Step 3 Run the statistics enable command to enable the performance statistics function.
By default, the performance statistics function is disabled.
Step 4 Run the statistics-task task-name command to create a performance statistics task and enter the
performance statistics task view.
Step 5 Configure the basic performance statistics functions:
1.
Run the statistics-cycle cycle command to configure an interval for collecting performance
statistics.
The default interval is 15 minutes.
2.
Run the binding instance-type instance-type-name instance instance-name command to

bind an instance to a performance statistics task.
After the binding operation, the system collects the performance statistics about the instance
and generates a statistics file.
3.
(Optional) Run the measure disable measure-name command to disable a performance

statistics task indicator.
By default, all statistics indicators of the instance bound to the performance statistics task
are enabled.
Run the display pm measure-info instance-type instance-type-name command to view
the information on statistics indicators of an instance bound to a performance statistics task.
Step 6 Whether to save the performance statistics file

l Run the record-file disable command to disable generating a performance statistics file.
By default, a performance statistics file is automatically generated on the device. The system
generates a maximum of four performance statistics files for each performance statistics task.
If the system generates a new performance statistics file when four performance statistics
files already exist, the oldest performance statistics file will be overwrited.
This command can be configured to avoid the problem that generated files occupy space
when users collect performance statistics.
l Enable saving a performance statistics file and run the record-interval interval command
to configure the number of intervals for collecting the performance statistics.
By default,
If a short interval (5, 10, 15, 30, or 60 minutes) for collecting the performance statistics
is set, the system generates a performance statistics file every four performance statistics
intervals.
If a long interval (1440 minutes) for collecting the performance statistics is set, the system
generates a performance statistics file at one performance statistics interval.
After the command is run, the system generates a performance statistics file every cycle x
interval minutes and automatically saves the performance statistics in the file. The system
generates a maximum of four statistics files for each performance statistics task.
Step 7 (Optional) Configure the function of reporting alarms when the performance statistics exceed
the threshold
1.
Run the threshold-alarm enable command to enable the threshold alarm.

By default, the threshold alarm is disabled.
Issue 02 (2013-12-31)

677

Equipment
2 System Management
The threshold alarm can be used to monitor running services and performance statistics
indicators and send alarms to the NMS.
2.
Run the threshold-alarm measure measure-name operation { ge | le } trigger-value

trigger-value-val clear-value clear-value-val command to configure the monitoring rules
for the threshold alarm.
After the monitoring rules for the threshold alarm are configured, the system starts to
monitor instances. The system checks whether the number of instances exceeds the
threshold based on the monitoring rules in a week. If the number of instances exceeds the
threshold, the system will send alarms to users.
If measure-name of the command is the same as measure-name of the measure disable
command which is disabled, the command configuration is invalid.
----End
(Optional) Uploading Performance Statistics Files

The system generates a performance statistics file based on the collected performance statistics
at a specified interval. To view the performance statistics on a PM server, configure the system
to upload the performance statistics file to the PM server.
Context
Before uploading performance statistics files to a PM server, configure the PM server as the FTP
or SFTP server and confirm that the device where the performance statistics are collected has
been connected to the PM server.
Procedure
Step 1 Run:
system-view

Step 2 Run:
pm-server server-name
A PM server is created, and the view of the PM server is displayed.

Step 3 Configure a device to upload a performance statistics file to the specified PM server.
l Run the protocol { ftp | sftp } ip-address ip-address [ port port-number | { net-managervpn | vpn-instance vpn-instance-name } ] * command to configure information to be
uploaded to the PM server through the performance statistics file.
By default, the port number of the PM server is 21 (using FTP) or 22 (using SFTP).
If the PM server uses a private IP address, you can use the net-manager-vpn parameter to
specify a network management VPN or use the vpn-instance vpn-instance-name parameter
to specify a VPN instance to upload a performance statistics file.
FTP is not a secure protocol, and it is recommended to use SFTP.
l Run the username user-name password password command to configure a user name and
password for logging in to the PM server.
Issue 02 (2013-12-31)

678

Equipment
2 System Management
l Run the path destination-path command to configure the destination path where a
performance statistics file is saved on the PM server.
l Run the retry retry-times command to configure the number of retransmissions of a
performance statistics file.
The default number of retransmissions is 3.
Step 4 Run:
quit
Return to the PM view.

Step 5 Run:
upload-config request-name server server-name
A request for uploading a performance statistics file to a specified PM server is created.

Step 6 Run:
upload request-name file filename &<1-16>
The device is enabled to upload a performance statistics file to the PM server.

Step 7 Run:
upload auto request-name
The device is enabled to automatically upload a performance statistics file to the PM server.
----End
Checking Configurations
The performance statistics information can be viewed after the performance statistics function
is configured.
Prerequisites
The performance statistics function has been configured.
Operation Procedure
l
Run the display pm brief command to check brief PM information.
Run the display pm statistics-task [ task-name ] command to check information about a

performance statistics task.
Run the display pm measure-info [ instance-type instance-type-name ] command to

check statistics indicators of an instance of a certain type.
Run the display pm statistics task-name data-index index [ instance-type instance-typename [ measure measure-name | instance instance-name ] * ] command to check the
performance statistics.
Run the display pm statistics-file [ task-name ] command to check the list of performance
statistics tasks.
Example
Run the display pm brief command to view brief PM information. For example:
Issue 02 (2013-12-31)

679

Equipment
2 System Management
<HUAWEI> display pm brief

Statistics Status
Statistics Start Time
Number of Statistics Tasks
Number of Active Statistics Objects
Number of Configured Pm Servers
Number of Statistics Files
Statistics Files Saved Directory
:
:
:
:
:
:
:
disable
1
0
2
0
/pmdata/
Run the display pm statistics-task [ task-name ] command to view information about a

performance statistics task. For example:
<HUAWEI> display pm statistics-task a
Task Name
: a
Task State
: running
Record-file Status
: enable
Threshold Alarm Status
: disable
Task Cycle
: 5 minutes
Instance Type
: interface
Record Interval(cycle)
: 1
File Format
: text
File Name Prefix
: a
File Transfer Mode
: passive
Current File Name
: a20111230025500.txt
Run the display pm measure-info [ instance-type instance-type-name ] command to view

statistics indicators of an instance of a certain type. For example:
<HUAWEI> display pm measure-info instance-type interface
Total instance types: 1, total measures: 16
-------------------------------------------------------------------------------Instance Type: interface, Measures Count: 16
Measure Name
: in-discards
Measure Type
: Increase
Measure Counter Size(bit)
: 32
Measure MaxValue
: 4294967295
Measure MinValue
: 0
Measure
Measure
Measure
Measure
Measure
Name
Type
Counter Size(bit)
MaxValue
MinValue
:
:
:
:
:
in-errors
Increase
32
4294967295
0
Measure
Measure
Measure
Measure
Measure
......
Name
Type
Counter Size(bit)
MaxValue
MinValue
:
:
:
:
:
out-discards
Increase
32
4294967295
0
Run the display pm statistics task-name data-index index [ instance-type instance-typename [ measure measure-name | instance instance-name ] * ] command to view the performance
statistics. For example:
<HUAWEI> display pm statistics a data-index 0
Total measures count: 16
-------------------------------------------------------------------------------Instance Type
: interface
Instance Name
: GigabitEthernet0/2/3
Measure Name
: in-discards
Measure Data
: 0
Valid Flag
: incredible value
Timestamp
: 2011-12-28 17:03:00-08:00
Instance Type
Issue 02 (2013-12-31)
: interface

680

Equipment
Instance Name
Measure Name
Measure Data
Valid Flag
Timestamp
:
:
:
:
:
2 System Management
in-errors
0
incredible value
2011-12-28 17:03:00-08:00
......
Run the display pm statistics-file [ task-name ] command to view the list of performance
statistics tasks. For example:
<HUAWEI> display pm statistics-file
Total files count: 4
-------------------------------------------------------------------------------Task Name: a
a20111230024500.txt
a20111230025000.txt
a20111230025500.txt
a20111230030000.txt

Examples for applying the PM include the usage scenario, configuration precautions, and
PM Configuration Examples
This section provides ways on how to record and monitor the system performance statistics,
such as creating a performance statistics task, binding an instance to the performance statistics
task, and configuring threshold monitoring values and performance management servers.
Usage Scenario
The performance statistics function is enabled to periodically collect the performance data and
operating status of an interface, save the performance statistics in a file, and upload a statistics
file to the PM server. The threshold monitoring function is configured to periodically monitor
performance indicators and operating status of an interface.
1.
Enable the performance statistics function.
2.
Configure a performance statistics task.
3.
Configure the PM server to obtain a performance statistics file.
4.
Configure the threshold monitoring function.
Data Preparation
l
Issue 02 (2013-12-31)
Parameters of basic performance statistics functions:

681

Equipment
2 System Management
performance statistics task name, interval for collecting the performance statistics,
performance statistics instance type, performance statistics instance name, indicator name,
and the number of intervals for collecting the performance statistics.
l
Parameters of the threshold alarm function:

threshold monitoring type, threshold values for triggering an alarm and recovering an alarm.
Parameters of the PM server:

name of the process serving the PM server, PM server IP address, number of the listening
port of the PM server, user name and password for logging in to the PM server, destination
path where a performance statistics file is saved on the PM server, number of
retransmissions of a performance statistics file, and name of the request for uploading a
performance statistics file.
Procedure
Step 1 Enable the performance statistics function.
[HUAWEI] pm
[HUAWEI-pm] statistics enable
Step 2 Configure basic performance statistics functions.

[HUAWEI-pm] statistics-task huawei
[HUAWEI-pm-statistics-huawei] statistics-cycle 5
[HUAWEI-pm-statistics-huawei] binding instance-type interface instance
gigabitethernet0/2/1
[HUAWEI-pm-statistics-huawei] measure disable in-all-pkts
[HUAWEI-pm-statistics-huawei] record-interval 3
Step 3 Configure the threshold alarm.

[HUAWEI-pm-statistics-huawei] threshold-alarm enable
[HUAWEI-pm-statistics-huawei] threshold-alarm measure in-errors operation ge
trigger-value 5 clear-value 3
[HUAWEI-pm-statistics-huawei] quit
Step 4 Configure the PM server to obtain a performance statistics file.

[HUAWEI-pm] pm-server abc
[HUAWEI-pm-server-abc] protocol ftp ip-address 192.168.2.1 port 22
[HUAWEI-pm-server-abc] username a password a
[HUAWEI-pm-server-abc] path /pmserver
[HUAWEI-pm-server-abc] retry 2
[HUAWEI-pm-server-abc] quit
[HUAWEI-pm] upload-config req1 server abc
[HUAWEI-pm] upload req1 file huawei20111230030500.txt

# After the configuration is complete, run the following commands to view the PM configuration
information including name of a performance statistics task, interval for collecting performance
statistics, instance type, and monitoring rules. On the /pmserver path of the PM server, you can
see that the performance statistics file huawei20111230030500.txt has been uploaded.
<HUAWEI> display pm statistics-task huawei
Task Name
: huawei
Task State
: running
Record-file Status
: enable
Threshold Alarm Status
: enable
Task Cycle
: 5 minutes
Instance Type
: interface
Record Interval(cycle)
: 3
File Format
: text
Issue 02 (2013-12-31)

682

Equipment
File Name Prefix
File Transfer Mode
Current File Name
2 System Management
: huawei
: passive
: huawei20111230031500.txt
----End
Configuration Files
#
pm
statistics enable
pm-server abc
protocol ftp ip-address 192.168.2.1 port 22
username a password 1CY~*~8~Q(ani^>"qh^;=d_#
retry 2
path /pmserver
upload-config req1 server abc
statistics-task huawei
threshold-alarm enable
statistics-cycle 5
record-interval 3
binding instance-type interface instance GigabitEthernet0/2/1
measure disable in-all-pkts
threshold-alarm measure in-errors operation ge trigger-value 5 clear-value 3
#
return
2.9 PoE Configurations

Context
NOTE
Only the ATN 910I-P supports the PoE function.
2.9.1 Configuring PoE

Power over Ethernet (PoE) refers to power supply through an Ethernet. It is also called power
over LAN (PoL) or active Ethernet. After PoE is deployed, power supplies are not required for
PoE-supporting devices, such as IP phones and APs. This function cuts the costs of power cables
and cable routing.In the current usage scenario,the ATN as a PSE device enables PoE functions
and starts to supply power to the PD.
Creating a Configuration Task

Based on information about the application scenarios, pre-configuration tasks, and data
preparations related to PoE configurations, users can plan and manage the power over Ethernet
(PoE) function in a unified manner.
Application Scenarios
If the default PoE configurations do not meet the customer's requirements, they need to be
modified to ensure that the PoE function can be implemented as required.
Before configuring the PoE function, complete the following tasks:
Issue 02 (2013-12-31)

683

Equipment
2 System Management
Power on the ATN equipment and ensure that the ATN equipment passes the self-check.
Connect the interfaces between the power sourcing equipment (PSE) and powered device
(PD) to ensure that the link-layer status of the interfaces is Up.
Usually, the ATN equipment can automatically detect whether its interconnected PD requires
power supply and the PoE function can be normally used without user configurations. If you
need to modify PoE settings, see the following topics.
Enabling the PoE Function
(Optional)Configuring the Function of Supplying Power to a Non-Standard PD
(Optional)Configuring the Function of Powering Off a PD Within a Certain Time Range
Verifying the Configurations
Data Preparations
Before configuring the interface description information, prepare the following data.
No.
Data
Types and numbers of ports with the PoE function
Enabling the PoE Function

Context
Before supplying power to a powered device (PD) connected to an interface, ensure that the
power over Ethernet (PoE) function is enabled for the interface.
By default, the PoE function is enabled for interfaces.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the interface interface-type interface-number command to enter the interface view.
Step 3 Run the poe enable command to enable the PoE function for the interface.
----End
(Optional)Configuring the Function of Supplying Power to a Non-Standard PD

Context
In actual applications, a non-standard powered device (PD) may be connected to the ATN
equipment and the ATN equipment needs to supply power to the PD. In this case, the function
of supplying power to a non-standard PD needs to be enabled for the ATN equipment.
By default, the function of supplying power to a non-standard PD is disabled for ATN equipment.
Issue 02 (2013-12-31)

684

Equipment
2 System Management
Procedure
Step 3 Run the poe legacy enable command to enable the function of supplying power to a non-standard
PD.
----End
(Optional)Configuring the Function of Powering Off a PD Within a Certain Time

Range
Context
After the ATN equipment normally supplies power to its interconnected powered device (PD),
you can configure a time range during which the ATN equipment powers off the PD to save
energy.
Procedure
Step 2 Run the time-range time-name { start-time to end-time days | from time1 date1 [ to time2
date2 ] } command to configure a time range during which the ATN equipment powers off the
PD.
Step 4 Run the poe power-off time-rangtime-range-name command to power off the interconnected
PD within the set time range.
To ensure around-the-clock power supply to the PD, run the undo poe power-off time-rang
command to disable the function of powering off a PD within a certain time range.
----End
Verifying the Configurations

After performing power over Ethernet (PoE) configurations, you need to verify that the
configurations.
Prerequisites
All PoE configurations are complete.
Procedure
Step 1 Run the display poe power-state command to query related port configurations.
----End
Issue 02 (2013-12-31)

685

Equipment
2 System Management
Example
# Queries related configurations of GE0/2/1.
<HUAWEI> display poe power-state interface GigabitEthernet 0/2/1
Power state of port GigabitEthernet0/2/1 is as follows:
Port power enabled
: Enable
Port force power
: NO
Port legacy detect
: Disable
Port power status
: Detecting
Port PD class
: Port reference power(mW)
: Port configration power(mW) : 0
Port power-off range name
: Port current(mA)
: 0
Port voltage(V)
: 0.0
Port current power(mW)
: 0
Port peak power(mW)
: 0
Port average power(mW)
: 0
2.10 Glossary
This chapter lists the frequently used terms in this document and corresponding English full
names.
Glossary
Description
3G terminal
Terminals used in the third generation network, such as WCDMA

handsets.
B
business code
Business contents defined by carriers. The code is composed of

characters (case sensitive) or numbers with the maximum size as 10
bits.
C
check box
Multiple boxes are selected at the same time.
clock offset
Time offset between the local clock and the reference clock..
E
enterprise code
Address and identification of an enterprise in the network. Address

translation and accounting are based on this code.
K
key word
Issue 02 (2013-12-31)
Characters that describe the features of a product. Key words are

separated by "|". The product name and the author can be key words.

686

Equipment
Glossary
2 System Management
Description
L
long number
A destination number of the messages sent by handset users.
R
roundtrip delay
A value that measures the ability of the local clock to send a message
to the reference clock during the specified time.
S
service code
Service provided to subscribers of on demand service in SM mode or

codes provides by carriers..

This chapter lists the frequently used acronyms in this document and corresponding English full
names.
Acronyms and
Abbreviations
Full Spelling
Numerics
3DES
Triple Data Encryption Standard
Issue 02 (2013-12-31)
AAA
ACL
Access Control List
ADSL
Asymmetric Digital Subscriber Line
AH
Authentication Header
APPN
Advanced Peer-to-Peer Networking
ARP
AS
Autonomous System; Access Server
ASCII
American Standard Code for Information Interchange
ASPF
Application Specific Packet Filter
ATM
Asynchronous Transfer Mode

687

Equipment
Acronyms and
Abbreviations
Full Spelling
AUX
Auxiliary (port)
2 System Management
B
BGP
BRI
Basic Rate Interface
C
CBQ
Class Based Queue
CD
Carrier Detect
CHAP
CON
Console (port)
cPOS
channelized-POS
CQ
Custom Queueing
CRC
Cyclic Redundancy Check
D
DCC
Data Communication Channel
DCE
Data Circuit-terminating Equipment
DD
Database Description
DES
Data Encryption Standard
DHCP
DNS
Domain Name System
DOD
Downstream-on-Demand
DOS
Denial of Service
DTE
Data Terminal Equipment
DU
Downstream Unsolicited
Issue 02 (2013-12-31)
EIA
Electronics Industry Association
ESP
Encapsulating Security Payload

688

Equipment
Acronyms and
Abbreviations
2 System Management
Full Spelling
F
FEC
Forward Error Correction
FIFO
First In First Out
FLASH
FLASH memory
FR
Frame Relay
FRR
Fast Reroute
FTP
File Transfer Protocol
G
GE
Gigabit Ethernet
GNS
Get Nearest Server
GRE
H
HDLC
High level Data Link Control
HTTP
Hyper Text Transport Protocol
Issue 02 (2013-12-31)
IBGP
Internal BGP
ICMP
Internet Control Message Protocol
ID
IDentification
IETF
IF
Information Frame
IGP
Interior Gateway Protocol
IKE
Internet Key Exchange
IP
Internet Protocol
IPHC
IP Header compression
IPoA
Internet Protocols over ATM
IPoEoA
IP over Ethernet over AAL5
IPSec
Internet Protocol SECurity extensions

689

Equipment
2 System Management
Acronyms and
Abbreviations
Full Spelling
ISDN
Integrated Services Digital Network
IS-IS
Intermediate System-Intermediate System
ISP
Internet Service Provider
ITU-T
International Telecommunication Union - Telecommunication

L
L2TP
Layer 2 Tunneling Protocol
L2VPN
Layer 2 VPN
L3VPN
Layer 3 VPN
LAN
Local Area Network
LAPB
Link Access Procedure, Balanced
LDP
LLC2
Logical Link Control,Type 2
LOG
Call Logging
LR
Limit Rate
LSP
Label Switch Path
LSPAGENT
Label Switch Path Agent
LSPM
Label Switch Path Management
Issue 02 (2013-12-31)
MAC
MD5
Message Digest 5
MFR
MIB
Management Information Base
MODEM
Modulator DEModulator
MP
Multilink PPP
MPLS
Multi-Protocol Label Switching
MSDP
Multicast Source Discovery Protocol
MTU

690

Equipment
Acronyms and
Abbreviations
2 System Management
Full Spelling
N
NAT
NDA
NetStream Data Analyzer
NetBIOS
Network Basic Input/Output System
NLRI
Network Layer Reachable Information
NMS
Network Management System
NQA
Network Quality Analysis
NRZ
Non Return to Zero
NRZI
Non Return to Zero Inverted
NSC
NetStream Collector
NTP
Network Time Protocol
O
OSI
Open System Interconnection
OSPF
Issue 02 (2013-12-31)
PAD
Packet Assembler/Disassembler
PAP
PC
Personal Computer
PDU
Protocol Data Unit
PHY
Physical Sublayer & Physical Layer
POS
Packet Over SDH/SONET
PPP
PPPoA
PPP over ATM
PPPoE
PPP over Ethernet
PQ
Priority Queue
PRI
Primary Rate Interface
PSTN
Public Switched Telephone Network

691

Equipment
Acronyms and
Abbreviations
Full Spelling
PU
Payload Unit
PVC
Permanent Virtual Circuit
2 System Management
Q
QoS
Quality of Service
R
RADIUS
Remote Authentication Dial in User Service
REJ
REJect(ion)
RFC
Request for Comments
RIP
RM
Resource Management
RMON
remote monitoring
RSA
Revest, Shamir and Adleman
RTT
Round Trip Time
S
SA
Security Association
SAP
Service Advertising Protocol
SDLC
Synchronous Data Link Control
SLIP
Serial Line Internet Protocol
SLA
Service Level Agreement
SNA
Systems Network Architecture
SNAP
Sub Network Access Point
SNMP
Simple Network Management Protocol
SSH
Secure Shell
SSP
Service Switching Point
STM-1
SDH Transport Module -1
Issue 02 (2013-12-31)

692

Equipment
Acronyms and
Abbreviations
Full Spelling
TCP
TE
Traffic Engineering
TFTP
ToS
Type of Service
TS
Traffic Shaping
TTL
Time To Live
2 System Management
U
UDP
User Datagram Protocol
UP
User Plane
URL
Universal Resource Locator;
USM
User Security Mode
UTC
Universal Coordinated Time
V
VACM
View-based Access Control Model
VIU
Versatile Interface Unit
VLAN
Virtual Local Area Network
VOS
Virtual Operating System
VPDN
Virtual Private Dial Network
VPN
VRP
VRRP
Issue 02 (2013-12-31)
WAN
Wide Area Network
WFQ
Weighted Fair Queuing
WRED
Weighted Random Early Detection
WWW
World Wide Web

693

Equipment
Acronyms and
Abbreviations
2 System Management
Full Spelling
X
XOT
Issue 02 (2013-12-31)
X.25 Over TCP

694

Equipment
3 Reliability
Reliability
About This Chapter

The document describes the configuration methods of reliability in terms of basic principles,
implementation of protocols, configuration procedures and configuration examples for the
reliability of the ATN equipment.
3.1 Reliability Overview
Reliability of a network can be improved mainly in two methods. One method is to use an
effective detection mechanism to implement FRR and the other is to provide a reliable
networking scheme.
3.2 VRRP Configuration
The Virtual Router Redundancy Protocol (VRRP) is a fault-tolerant protocol that allows logical
devices to operate separately from physical devices, improving reliability and simplifying host
configurations.
3.3 Bit-Error-Triggered Protection Switching Configuration
3.4 BFD Configuration
A BFD session rapidly detects a link fault on a network.
3.5 GR Configuration
Only devices with two main control boards (such as ATN 950Bs) support GR
configuration.Through the Graceful Restart (GR) configurations, you can improve HA of a
system.
3.6 Ethernet OAM Configuration
This chapter describes Ethernet OAM and its configurations, and how to implement link-level
Ethernet OAM detection and network-level Ethernet OAM detection to improve network
reliability. Ethernet OAM is applicable mainly to MANs.
3.7 EFM Configuration
Ethernet in the First Mile (EFM) can be enabled on the devices at both ends of a point-to-point
link to monitor the connectivity and quality of the link.
3.8 Y.1731 Configuration
Issue 02 (2013-12-31)

695

Equipment
3 Reliability
Y.1731 is an OAM protocol at the network layer. It provides fault detection defined in IEEE
802.1ag and performance monitoring, such as frame loss measurement, frame delay
measurement.
3.9 MPLS-TP OAM Configuration
This section introduces the basic principles of Multiprotocol Label Switching Transport Profile
Operation, Administration, and Maintenance (MPLS-TP OAM), describes how to configure the
continuity check (CC), loopback (LB), remote defect indication (RDI), loss measurement (LM),
and delay measurement (DM) functions, and provides configuration examples.
3.10 ISSU Configuration
This chapter describes the process of the ISSU and how to configure ISSU to shorten service
interruption during the upgrade and improve device reliability.
3.11 Glossary
This appendix collates frequently used glossaries in this document.
Issue 02 (2013-12-31)

696

Equipment
3 Reliability
3.1 Reliability Overview

Reliability of a network can be improved mainly in two methods. One method is to use an
effective detection mechanism to implement FRR and the other is to provide a reliable
networking scheme.
3.1.1 Introduction
Reliability is a technology that can shorten traffic interruption time and ensure the quality of
service on a network, improving user experience.
Overview of Reliability Technologies

Reliability technologies are used to ensure high reliability on a network. Reliability technologies
cover system and hardware reliability design, software reliability design, reliability testing, and
IP network reliability design.
The reliability of a ATN involves the following aspects:
l
System and hardware reliability design
Software reliability design
Test and authentication of reliability
IP network reliability design
With the popularity of networks and diversification of applications, various value-added services
are deployed on networks. The bandwidth increases in index number. Therefore, even a shorttime interruption may impact a huge number of services critically and make an incredible loss.
For a fundamental network that bears services, its reliability is highlighted much more than ever.
This chapter focuses on reliability technologies applicable to the IP network over the Versatile
Routing Platform (ATN).
Indices of Reliability
Indices of reliability include MTTR, MTBF, and availability.
Generally, the reliability of a product or a system is evaluated based on two indices, namely,
Mean Time to Repair (MTTR) and Mean Time Between Failures (MTBF).
MTTR
The MTTR indicates the fault recovery capability. It is an index of maintainability. The MTTR
is the average time that a component or a device will take to recover from any failure. The MTTR,
in fact, is the fault-tolerance capability. In a broader sense, the MTTR also includes spare part
management and customer service. The MTTR is usually part of a maintenance contract.
The formula used to calculate the MTTR is as follows:
MTTR = Fault detection time + Board replacement time + System initialization time + Link
recovery time + Route coverage time + Forwarding recovery time
Issue 02 (2013-12-31)

697

Equipment
3 Reliability
The smaller the addends are, the smaller the MTTR is and the higher the availability a device
offers.
MTBF
The MTBF indicates the probability of faults. It is an index of reliability. The MTBF is the
predicted elapsed time between inherent failures of a system during operation, usually in hours.
Availability
The availability identifies the utility of a system. You can improve the device availability by
increasing the MTBF and decreasing the MTTR.
In the telecommunication industry, 99.999% availability means that service interruption caused
by device failures must be less than 5 minutes each year.
In actual networking, network faults and service interruption are inevitable. Therefore, providing
technologies to enable device to recover from failures rapidly becomes very important. Such
technologies can improve device availability by reducing MTTR.
Levels of Reliability Requirements

The objective and implementation method of the reliability vary with the level of reliability
requirements.
Table 3-1 lists three requirement levels and describes their objectives and implementation
methods.
Table 3-1 Levels of reliability requirements
Level
Objective
Implementation Method
Less faults in the

software and hardware
of a system
l Hardware: simplified design, standardized circuits,

reliable application of components, reliability
control over purchased components, reliable
manufacture, environment adaptability, and
reliability testing (HALT/HASS)
l Software: checklist for the software reliability design
No impact on a system
when a default occurs
l Redundancy design
l Switchover policy
l High availability of switchover
Rapid recovery from a

fault that affects the
system
l Fault detection
l Fault diagnosis
l Fault isolation
l Fault recovery
Issue 02 (2013-12-31)

698

Equipment
3 Reliability
Principles for High-Reliablity IP Networking

Technologies for reliable networking cover the hierarchy networking, redundancy technology,
and load balancing technology.
The principles for high-reliablity IP networking are as follows:
l
Hierarchical networking: A network is divided into three layers, core layer, convergence
layer, and edge layer. According to the current service status and future service prediction,
redundancy backup is required on a device connected to access nodes on the edge layer.
The active and standby nodes connect to convergence nodes. Devices of convergence layer
are dual-homed to single node multi-device of the upper layer or to multi-node device of
convergence layer and core layer alternatively. Devices of core layer are enabled with full
interconnection or half interconnection. In this manner, two devices are reachable to each
other with one route at a fast traffic rate, avoiding multi-interconnection.
On the same layer, multi-interconnection is recommended; multi-device is applicable to a

single node.
The lower-layer devices are dual-homed or multi-homed to single nodes or multiple nodes
of devices on the upper layer.
Adjustment should be taken according to traffic.
3.1.2 Reliability Technologies for IP Networks

This section describes two typical reliability technologies, failure detection and switchover.
Failure Detection for IP Networks

Fault detection technologies are divided into special detection technologies and common
detection technologies.
l
Special fault detection technologies include:

Automatic Protection Switching (at the transport layer)
Eth-OAM (at the link layer)
MPLS (Multiprotocol Label Switching) OAM (for MPLS)
Common fault detection technologies include the Bidirectional Forwarding Detection

(BFD) that detects faults at all layers, such as the data link layer and the network layer.
The fault detection mechanism is available to each layer of the TCP/IP reference module,
including:
l
Transport/Physical layer: Automatic Protection Switching (APS)
Data link layer: MPLS OAM, Eth-OAM, STP, RSTP, MSTP, and RRPP
Network layer: Hello mechanism for protocols, VRRP (Virtual Router Redundancy
Protocol), and GR (Graceful Restart)
Application layer: Heartbeat mechanism and retransmission mechanism for protocols
Fault detection has the following modes:

l
Asynchronous mode: Detection packets are sent periodically.
Query mode: A series of packets for confirmation are sent.
Issue 02 (2013-12-31)

699

Equipment
3 Reliability
Echo mode: The received packet is sent back to the sender without any change.
Protection Switching for IP Networks

The standard time of protection switching on a data communication network is 50 ms. Link
redundancy is a basis of protection switching.
Link protection involves:
l
End-to-end protection: 1:1 and 1:N
Local protection: BFD trigger, FRR technology, and OAM technology
The trigger mode includes BFD trigger mode and Fast Reroute (FRR) trigger mode.
The protection switching has the following functions:
l
Local request protection
Local real-time protection
Processing switchover signal latency
Avoiding single-node switchover
Coexistence and preemption of switchover requests
Switchover recovery mode
3.1.3 Reliability Technologies Supported by the ATN

Reliability technologies for IP networks include failure detection technologies and protection
switching technologies.
FRR (Fast ReRoute)

FRR, classified into IP FRR, LDP FRR, MPLS TE FRR, and VPN FRR, is the most common
technology used to perform a fast switchover in case of a failure.
IP FRR
During packet forwarding, if the forwarding table contains load balancing entries, that is, several
next hops, the next hop is selected based on a certain rule and its outgoing interface is detected
in the interface status table. If the outgoing interface of one next hop is invalid, another next hop
is selected and its outgoing interface status is detected until the outgoing interface of a next hop
is valid.
When the last next hop is detected, the packet is forwarded directly without checking the
outgoing interface.
Because detecting and updating the interface status is much faster than route convergence, the
rerouting takes effect faster with the IP FRR technology. Moreover, the load balancing entries
in the forwarding table are checked that ensures highly-reliable forwarding.
The enhanced IP FRR technology supports the next hop of non-equivalence load balancer. An
active next hop is selected by the Interior Gateway Protocol (IGP) and a standby next hop is
configured manually. When a failure occurs, the fast switchover is performed.
Issue 02 (2013-12-31)

700

Equipment
3 Reliability
LDP FRR
Conventional IP FRR cannot effectively protect traffic on a Multiprotocol Label Switching
(MPLS) network. The ATN provides MPLS networks with the LDP FRR for protection at the
interface level.
Compared with fast convergence in IGP, the LDP FRR calculates a secondary interface in
advance. Route calculation and re-establishment of an LSP after a failure take less time. As a
result, the switchover speeds up.
When LDP works in a mode of Downstream Unsolicited (DU) label distribution, ordered label
control and liberal label retention, a Label Switching Router (LSR) saves all label mapping
messages. Only the label mapping messages sent by the next hop corresponding to the
Forwarding Equivalence Class (FEC) can generate a label forwarding table.
With the preceding features, when a forwarding table is generated for mapping of liberal
retention label, this means that a bypass LSP is established. Normally, a packet is forwarded
through the primary LSP. When the outgoing interface of the primary LSP is Down, the packet
is forwarded along the bypass LSP. This ensures traffic continuity in the short period before
network convergence.
MPLS TE FRR
The MPLS TE FRR is a commonly used switchover technology to deal with a failure. The
solution is to create an end-to-end TE tunnel between Provider Edge (PE) devices and a bypass
Label Switched Path (LSP) for protecting a primary LSP. When the ATN detects that the primary
LSP is unavailable because of an intermediate node failure or link failure, the traffic is switched
to the bypass LSP.
In terms of principle, MPLS TE FRR can enable fast switchover to respond to link failures and
node failures between two PEs that serve as the start node and end node of a TE tunnel
respectively.
Nevertheless, MPLS TE FRR cannot deal with the failure of PEs that serves as the start node
and end node on a TE tunnel. When a PE fails, the traffic can resume by end-to-end route
convergence and LSP convergence. The time of convergence relates closely to the number of
routes of the MPLS VPN and the number of hops of the bearer network. Generally, the
convergence takes about 5s in typical networking, longer than 200ms that is required for the
end-to-end traffic convergence when a node fails.
VPN FRR
Based on the VPN fast route switching technology, VPN FRR sets a switchover forwarding
entry that is destined for the primary PE and backup PE on a remote PE. With VPN FRR and
the technology of fast sense of PE failures, on an MPLS VPN where Costumer Edge (CE) devices
are dual-homed to PEs, the time of end-to-end service convergence is shortened and the time of
PE failure recovery cannot be affected by the number of private network routes. When a PE
node fails, the convergence of end-to-end service takes less than 200ms.
On a PE device configured with VPN FRR, proper VPNv4 routes are selected by the matching
policy. For these routes, in addition to the routing information sent by the preferential next hop
(including forwarding prefix, inner tag, and selected outer LSP tunnel), information about the
inferior priority next hop (including forwarding prefix, inner tag, and selected outer LSP tunnel)
are also contained in the forwarded entry.
Issue 02 (2013-12-31)

701

Equipment
3 Reliability
When preferential next hop node fails, through BFD and MPLS OAM, the PE detects that the
outer tunnel connecting the PE to the preferential node is unavailable. The PE sets a
corresponding flag in the LSP tunnel status table to indicates the outer LSP is unavailable and
delivers the flag to the forwarding engine. When the forwarding engine selects a forwarding
entry, it checks the LSP tunnel status corresponding to this forwarding entry. If the LSP tunnel
is unavailable, the engine uses the route of an inferior priority carried in this forwarding entry
to forward packets.
OAM (Operation Administration & Maintenance)

The OAM technology can simplify the network operation and test the network performance at
any time, which helps you to cut the network operation cost. This section describes only the
MPLS OAM technology.
MPLS is a key bearer technology applied to the extendable next generation network (NGN),
supporting multiple services guaranteed by QoS. A unique network layer is introduced to MPLS
and this layer may lead to faults. Therefore, MPLS must be competent with OAM.
MPLS supports different Layer 2 and Layer 3 protocols, such as IP, FR, ATM, and Ethernet.
MPLS offers an OAM mechanism entirely independent from upper and lower layers, enabling
the following features on the MPLS user plane:
l
Detecting the TE LSP connectivity
Performing switchover when a link fails to provide services according to Service Level
Agreements (SLAs)
With the MPLS OAM mechanism, the ATN can detect, identify, and locate a fault of MPLS
layer effectively. Then, the fault is reported and processed. In addition, when a failure occurs,
the protection switching mechanism can be triggered.
BFD
As a unified detection mechanism on an entire network, Bidirectional Forwarding Detection
(BFD) can fast detect network faults, minimize the impact of device faults on services, and
improve availability of a network.
BFD is a set of entire-network applicable detection mechanisms. It is used to detect and monitor
the connectivity of a link or an IP route during forwarding packets. To improve the network
performance, a communication failure between adjacent systems must be detected quickly and
the standby channel must be created faster for communication recovery.
The BFD features are as follows:
l
Detecting channel failures between adjacent forwarding engines with light load in a short
time
Detecting any media and any protocol layer with single mechanism in real time and
supporting different detection time and costs
CR-LSP Backup
On one tunnel, a CR-LSP that protects traffic on a primary CR-LSP is called a backup CR-LSP.
Issue 02 (2013-12-31)

702

Equipment
3 Reliability
NOTE
For configurations of an CR-LSP Backup, see the section "MPLS TE Configuration." in Configuration
Guide-MPLS
On one tunnel, a CR-LSP that protects traffic on a primary CR-LSP is called a backup CR-LSP.
A backup CR-LSP protects traffic on key CR-LSPs, playing an important role in traffic
protection. If the primary CR-LSP fails, traffic can switch to the backup CR-LSP.
When the ingress detects that the primary CR-LSP is unavailable, it switches traffic to the backup
CR-LSP. After the primary CR-LSP recovers from the fault, the traffic switches back. In this
manner, traffic on the primary CR-LSP is protected.
CR-LSP backup is performed in the one of the following modes:
l
Hot standby: A backup CR-LSP is set up at the same time a primary CR-LSP is set up. If
the primary CR-LSP fails, traffic immediately switches to the backup CR-LSP. When the
primary CR-LSP recovers, traffic switches back to the primary CR-LSP. The hot-standby
CR-LSP and the best-effort path can be set up together.
Ordinary backup: A backup CR-LSP is set up after a primary CR-LSP fails. When the
primary CR-LSP fails, traffic switches to the backup CR-LSP; when the primary CR-LSP
recovers, the traffic switches back to the primary CR-LSP.
PWE3 Reliability
The Pseudo-Wire Emulation Edge to Edge (PWE3) reliability technology is mainly used on a
mobile bearer network or a broadband access network to ensure network reliability by protecting
PWs, PEs, and ACs.
NOTE
For configurations of an CR-LSP Backup, see the section "PWE3 Reliability Configuration." in
Configuration Guide-VPN
The Pseudo-Wire Emulation Edge to Edge (PWE3) reliability technology is mainly used on a
mobile bearer network or a broadband access network to ensure network reliability by protecting
PWs, PEs, and ACs.
PWE3 is a bidirectional and point-to-point MPLS L2VPN technology widely used on
Metropolitan Area Networks (MANs). On a mobile bearer network, a PW is used to transmit
traditional mobile services such as Asynchronous Transfer Mode (ATM) or Time Division
Multiplex (TDM) services, meeting the requirements of the mobile bearer market and promoting
network convergence. The network deployment has high requirements for VPN services. There
are many fast fault detection and protection switching mechanisms such as bidirectional
forwarding detection (BFD), operation, administration and maintenance (OAM), and fast reroute
(FRR). These mechanisms, however, address only link or node failures within a packet switched
network (PSN), but not PE failures or attachment circuit (AC) failures between PEs and CEs.
To protect services against PW, AC, and PE failures, PW redundancy, PW APS, PWE3 FRR
are used.
3.1.4 Networking of Reliability over an IP Network

This section describes FRR applicable scenarios and FRR solutions.
Issue 02 (2013-12-31)

703

Equipment
3 Reliability
Failures on Intermediate Nodes or on the Link Between PEs - LDP FRR/TE FRR
In LDP or TE FRR, when transmission devices exist between P devices, BFD or OAM can be
used to detect links that transmit traffic.
Figure 3-1 Networking diagram of LDP FRR/TE FRR application
PE1
P1
P2
P3
PE2
PE3
PE4
As shown in Figure 3-1, LDP LSP serves as a public network tunnel and TE is enabled with
QoS between P devices. This network deployment enhances the QoS across the entire network
and simplifies the TE deployment in changing PE devices. Without transmission devices, if a
failure occurs on the link between P1 and P2, or P2 fails on a non-broadcast network, the LDP
FRR performs switching on P1.
The premise of preceding application is that no transmission device exists, since the switching
performed by the TE FRR/LDP FRR depends on the detection of the interface status through
signals or optical signals. If transmission devices exist and a link fails, the ATN cannot detect
the interrupt of optical signals, and the switching cannot be performed. Then, another mechanism
is required to detect the link between transmission devices, namely, BFD or OAM, and BFD
can ensure that the switching takes no more than 50 ms.
Link Failure During Transmission

BFD or OAM can detect the links between both ends of a session and VRRP can implement fast
link switching.
OAM
The OAM is a unidirectional detection mechanism. Bidirectional OAM can be configured for
bidirectional protection. The detection end of OAM sends a packet to detect the link. If the link
works normally, the other end can receive the detection packet timely.
If the receiver cannot receive the detection packet within a specified period, a link-interrupt
packet is sent through a reverse path to report the link failure to the detection end. Then, the
detection end responds to the failure with a series of actions, one of which is the switchover of
the OAM protection group.
Issue 02 (2013-12-31)

704

Equipment
3 Reliability
In an OAM protection group, a primary tunnel and a bypass tunnel are created to form a
protection group. When one tunnel of the protection group is available, the primary tunnel is
available logically. Normally, a packet is forwarded through the primary tunnel, that is, the
working tunnel. When the primary tunnel is Down and the bypass tunnel is available, the tunnel
is iterated to the primary tunnel logically. In fact, the bypass tunnel, also named protection tunnel,
works.
NOTE
When MPLS OAM is used to detect tunnels, the ATN products only support detection of bidirectional
static tunnel protection groups using MPLS OAM. Dynamic tunnel protection groups and unidirectional
static tunnel protection groups can only be detected using BFD.
With fast detection performed by the OAM, the protection group is listed in the forwarding table
with its primary tunnel entry and bypass tunnel entry. This enables fast switchover after a failure
is detected, providing high reliability for network connectivity.
Figure 3-2 Networking diagram of MPLS OAM protecting switchover
P1
PE1
PE2
M PLS TE
Tunnel
P2
As shown in Figure 3-2, one TE tunnel (carrying LSP primary and secondary paths) is created
between the ingress PE1 and egress PE2, forming a protection group. A TE tunnel is created
between PE2 and PE1 through P1 as a reverse channel, advertising a failure to ingress PE1.
BFD
BFD and OAM are similar because both of them define a set of mechanisms including detection,
failure report, and switchover. For BFD and OAM, the detection is carried out by sending fast
detection packets through a preset path to detect the link status. If the detection packets cannot
pass through the link, the packets are dropped. To avoid the jitters, the number of detection
packets is specified. When the number of the lost detection packets reaches the set value, the
link is considered as interrupted.
BFD is a bidirectional detection mechanism, and its detection packets are sent bidirectionally.
If one end does not receive the detection packets within a specified period, the end assumes that
the link is interrupted and reports to related modules to perform switchover.
Issue 02 (2013-12-31)

705

Equipment
3 Reliability
Figure 3-3 Networking diagram of BFD for VRRP
Switch1
BFD for VRRP
Switch2
PE1
Backbone
VRRP
PE2
As shown in Figure 3-3, PE1 and PE2 form a VRRP master and backup group, serving as the
backup for each other. The VRRP backup group monitors BFD session. For example, when PE1
serves as the primary PE and the link between Switch1 and PE1 fails, the failure is fast detected
through BFD and reported to VRRP. The VRRP master and backup group performs switchover
fast and then PE2 becomes the primary PE.
3.2 VRRP Configuration

The Virtual Router Redundancy Protocol (VRRP) is a fault-tolerant protocol that allows logical
devices to operate separately from physical devices, improving reliability and simplifying host
configurations.
3.2.1 VRRP Overview

A Virtual Router Redundancy Protocol (VRRP) backup group consists of a master device and
one or more backup devices. A backup device can take over traffic from the master device if the
master device fails, improving network reliability.
Introduction
VRRP is a fault-tolerant protocol running on ATNs. These ATNs provide a single default
gateway address for hosts. If a VRRP-enabled ATN fails, another VRRP-enabled ATN takes
over traffic, ensuring continuity and reliability for network communication.
VRRP Introduction
As networks rapidly develop and applications become diversified, various value-added services
such as IPTV and video conferencing are widely used. Any network service interruption will
result in immeasurable loss to users. Demands for network infrastructure reliability are
increasing, especially in non-stopping network transmission for users.
Hosts on a LAN are usually connected to an external network through a default gateway. When
the hosts send packets destined for addresses out of the local network segment, these packets
Issue 02 (2013-12-31)

706

Equipment
3 Reliability
will follow a default route to an egress gateway. The egress gateway is ATN A shown in Figure
3-4. ATN A forwards these packets to the external network so that the hosts can communicate
with the external network.
Figure 3-4 Default gateway on a LAN
G a te w a y :1 0 .0 .0 .1
IP A d d re ss:1 0 .0 .0 .2 /2 4
1 0 .0 .0 .1 /2 4
G a te w a y:1 0 .0 .0 .1
IP A d d re ss :1 0 .0 .0 .3 /2 4
N e tw o rk
A T N -A
G a te w a y:1 0 .0 .0 .1
IP A d d re ss :1 0 .0 .0 .4 /2 4
E th e rn e t
If ATN A fails, hosts connected to it cannot communicate with the external network. This
communication failure persists even if another ATN is added to the LAN. Only one default
gateway (ATN) can be configured for most hosts on a LAN and used to forward all data packets
destined for devices that are not on the local network segment. Hosts send packets only through
the default gateway even if multiple ATNs are connected to the hosts.
One method to prevent communication interruption is usually to configure multiple egress
gateways but this method is only available if one of routes to these egress gateways can be
selected. Another method is to use dynamic routing protocols, such as the Routing Information
Protocol (RIP), Open Shortest Path First (OSPF) protocol, or Internet Control Message Protocol
(ICMP). This method is only available if every host runs a dynamic routing protocol and there
is no problem in proper management, security, or operating systems' support for protocols.
VRRP prevents communication failures in a better way than the preceding two solutions. VRRP
is only configured on ATNs to implement gateway backup, without any networking changes or
burden on hosts.
VRRP Definition
VRRP is a fault-tolerant protocol defined in RFC 3768. VRRP allows logical devices to work
separately from physical devices, and implements route selection among multiple egress
gateways.
Figure 3-5 shows a VRRP-enabled network. VRRP is enabled on two ATNs. One is the master
and the other is the backup. The two ATNs form a virtual router and this virtual router obtains
a virtual IP address and a virtual MAC address. Hosts monitor the presence of the virtual router
but not the presence of the master and backup ATNs. Hosts communicate with devices on other
network segments through the virtual router.
A virtual router consists of a master ATN and one or more backup ATNs. Only the master
ATN forwards packets. If the master ATN fails, a backup ATN is elected as the master ATN
and takes over traffic.
Issue 02 (2013-12-31)

707

Equipment
3 Reliability
Figure 3-5 Schematic diagram for a VRRP backup group

1 0 .1 .1 .2 /2 4
M a s te r
V irtu a l IP A d d re s s
1 0 .1 .1 .1 0 /2 4
NodeB
G a te w a y:1 0 .1 .1 .1 0 /2 4
IP A d d re s s :1 0 .1 .1 .3 /2 4
Backup
1 0 .1 .1 .1 /2 4
1 0 .1 .1 .1 0 /2 4
V irtu re R o u te r
NodeB
G a te w a y:1 0 .1 .1 .1 0 /2 4
IP A d d re s s :1 0 .1 .1 .3 /2 4
On a multicast or broadcast LAN such as an Ethernet network, a logical VRRP gateway ensures
reliability for key links. VRRP is highly reliable and prevents service interruption if a physical
VRRP-enabled gateway fails. VRRP configuration is simple and takes effect without
modification in configurations such as routing protocols.
mVRRP Definition
The VRRP protocol defines VRRP Advertisement packets. VRRP Advertisement packets are
exchanged to negotiate the master and backup status or elect a master ATN.
If multiple VRRP backup groups are configured on a single ATN, each group uses VRRP
Advertisement packets to maintain master and backup status. A large number of VRRP
Advertisement packets use many network bandwidth resources and deteriorate CPU
performance.
Management VRRP (mVRRP) can be used to decrease the number of VRRP Advertisement
packets sent by multiple VRRP backup groups. A specified VRRP backup group functions as
an mVRRP backup group, and others are bound to it and function as service VRRP backup
groups. The status of service VRRP backup groups is determined by mVRRP, and mVRRP
sends VRRP Advertisement packets to negotiate the master and backup status. This reduces the
number of VRRP Advertisement packets, bandwidth consumption, and system burden. An
mVRRP backup group is still a VRRP backup group essentially and has all functions that a
VRRP backup group provides.
VRRP-related Terms and Principles

l
Issue 02 (2013-12-31)
IP address owner
708

Equipment
3 Reliability
An IP address owner is the ATN that uses the virtual IP address of a VRRP backup group
as its interface IP address. The IP address owner retains the Master state in the VRRP
backup group
l
VRRP in master/backup mode

A virtual router must be set up, consisting of a master ATN and one or more backup
ATNs. The master ATN and backup ATNs form a backup group. The master and backup
ATNs have different priorities. The master ATN has the highest priority among all ATNs
in the backup group. If the network is working properly, the master ATN transmits all
services. When the master ATN fails, a backup ATN with a higher priority than others takes
over traffic. Figure 3-6 shows a VRRP backup group working in master/backup mode.
Figure 3-6 Networking diagram for a VRRP backup group in master/backup mode
Backup group 1
Virtual IP Address:
10.1.1.111
RouterA
Master
192.168.1.1/24
10.1.1.1/24
192.168.1.2/24
RouterC
HostA
10.1.1.100/24
Ethernet
l
20.1.1.1/24
HostB
192.168.2.2/24 20.1.1.100/24
192.168.2.1/24
10.1.1.2/24
RouterB
Backup
VRRP in load balancing mode

Two or more VRRP backup groups are set up and their master ATNs forward traffic. These
master ATNs load-balance traffic for various users. As shown in Figure 3-7, ATN A is the
master in backup group 1 and the backup in backup group 2; ATN B is the master in backup
group 2 and the backup in backup group 1. Both ATN A and ATN B are the masters in
different backup groups and both of them transmit and load-balance traffic.
Issue 02 (2013-12-31)

709

Equipment
3 Reliability
Figure 3-7 Networking diagram for VRRP backup groups in load balancing mode
Backup group 2
Virtual IP Address:10.1.1.112
RouterA
group 1:Master
group 2:Backup
192.168.1.1/24
HostA
10.1.1.100/24
10.1.1.1/24
192.168.1.2/24
RouterC
20.1.1.1/24
192.168.2.2/24
HostB
20.1.1.100/24
HostC
10.1.1.101/24
192.168.2.1/24
10.1.1.2/24 RouterB
Ethernet
group 2:Master
group 1:Backup
Backup group 1
NOTE
In load balancing mode, an interface on a single ATN can have different priorities if they join multiple
VRRP backup groups.
Smooth VRRP switching

On a network with a VRRP backup group, during an AMB/SMB switchover, the master
ATN cannot send VRRP Advertisement packets to backup ATNs. The backup ATNs
consider the master ATN faulty because they do not receive VRRP Advertisement packets.
As a result, a backup ATN with a higher priority than others preempts the Master state. If
an AMB/SMB switchover is complete, and the preemption mode is enabled, the original
master ATN preempts the master state again because its priority is higher than the priorities
of other ATNs in the VRRP backup group. This causes the unstable VRRP status and
frequent link switching. As a result, user packets are dropped.
Smooth VRRP switching prevents the preceding problems. The master ATN will save the
current interval at which VRRP Advertisement packets are sent and set the smooth VRRP
switching time as a new interval. During smooth VRRP switching, the master ATN
broadcasts a VRRP Advertisement packet at the new interval. After receiving the packet,
the backup ATNs learn the new interval value and reset their timeout timer for receiving
packets. This ensures stable VRRP backup group operation and prevents user packet loss
during the AMB/SMB switchover and data smoothing.
Pinging the virtual IP address

Pinging the virtual IP address can be enabled or disabled on VRRP-enabled ATNs.The
ATN allows user devices to ping a virtual IP address to serve the following purposes:
Monitors the operating status of the master ATN in a VRRP IPv4 backup group.
Monitors communication between a user device and a network connected by a default
gateway using the virtual IP address.
Issue 02 (2013-12-31)

710

Equipment
3 Reliability
VRRP authentication
Authentication modes and keys can be set based on network security requirements and
these settings are carried in the headers of VRRP Advertisement packets.
On a secure network, default values are used. By default, the ATN does not authenticate
any VRRP Advertisement packets. Therefore, there is no need to set an authentication key.
On a vulnerable network, VRRP supports the following authentication modes:
Simple authentication: A key is a string of 1 to 8 characters.
Message Digest 5 (MD5) authentication: A simple key is a string of 1 to 8 characters.
A ciphertext key is 24 or 32 characters long.
VRRP Features That the ATN Supports

This section describes logical VRRP configurations that the ATN supports. The information will
help you complete configuration tasks quickly and efficiently.
VRRP Functions That the ATN Supports

l
Basic VRRP functions are configured. VRRP-enabled ATNs work either in master/backup
mode to back up data or in load balancing mode to equally distribute data.
An mVRRP backup group is configured, and VRRP backup groups are bound to the
mVRRP backup group. The mVRRP backup group sends VRRP Advertisement packets to
determine the master and backup status. This prevents the increasing number of VRRP
Advertisement packets from using too many bandwidth resources. On a Virtual Private
LAN Service (VPLS) network, pseudo wires (PWs) or VRRP-disabled interfaces can be
bound to the mVRRP backup group. The mVRRP backup group helps PWs or VRRPdisabled interfaces perform a traffic switchover, ensuring uninterrupted traffic
transmission.
VRRP association is configured. If a link fails or a network configuration is changed, a

master/backup VRRP switchover is performed. This process ensures that traffic is properly
transmitted.
mVRRP Bindings
mVRRP bindings are configured to prevent some application problems that cannot be resolved
by VRRP backup groups. Table 3-2 lists objects that can be bound to mVRRP and binding
scenarios.
Table 3-2 Objects that can be bound to mVRRP and binding scenarios
Issue 02 (2013-12-31)
Object
Scenario
VRRP backup groups
If multiple VRRP backup groups are configured on a device, they

can be bound to an mVRRP backup group. The mVRRP backup
group sends VRRP Advertisement packets to determine the master
and backup status for its service VRRP backup groups.
VRRP-disabled
interfaces
VRRP-disabled interfaces can be bound to an mVRRP backup

group. A master/slave mVRRP switchover can trigger the active/
standby switchover on these interfaces, preventing traffic loss.

711

Equipment
3 Reliability
Object
Scenario
PWs
mVRRP is bound to PWs. After a master/slave mVRRP switchover

is performed, the mVRRP status determines the primary and
secondary states for PWs, preventing traffic loss.
VRRP Association
A VRRP or mVRRP backup group can be associated with other functions, optimizing master/
backup VRRP switchovers and improving network reliability. Table 3-3 shows objects with
which VRRP is associated and association scenarios.
Table 3-3 Objects with which VRRP is associated and association scenarios
Issue 02 (2013-12-31)
Association
Type
Object
Usage Scenario
A VRRP backup
group tracks the
status of another
feature. If the
tracked object's
status changes,
the VRRP backup
group is notified
of the status
change and
performs a
master/backup
VRRP
switchover.
Specified
interface
VRRP detects status changes in interfaces only in a

VRRP backup group. VRRP can be associated with
a specified interface that is not in the VRRP backup
group. If the monitored interface's status changes,
the VRRP-enabled devices change the VRRP
priority values and elect a master device.
BFD
BFD can rapidly detect link faults. VRRP can be

associated with BFD. If a link fault occurs, a BFD
session detects the fault, changes the BFD session
status, and notifies the VRRP backup group of the
fault. This process triggers a rapid master/backup
VRRP switchover.
Route
A VRRP backup group can be associated with a

specified route. VRRP-enabled interfaces can
remove the network and host routes for the previous
active link after a master/backup VRRP switchover
is complete. This prevents network-to-user traffic
from following the unreachable route or traveling
through a failed link.
A VRRP backup
group tracks the
status of another
feature. When a
master/backup
VRRP
switchover is
performed, the
bound feature is
notified of the
switchover and
Route priority
If a device in a VRRP backup group is not in the

master state, manually set the cost of the direct route
on this device, allowing all traffic to travel through
the specified active link.

712

Equipment
3 Reliability
Association
Type
Object
Usage Scenario
also performs a
traffic
switchover.
Route
After a master/backup VRRP switchover is

performed, the interface connected to the original
active link retains the original network segment
route and host route. Association between the VRRP
backup group and the route allows a device to
withdraw the original network segment route and
host route, preventing network-to-user traffic from
traveling through the faulty link.
3.2.2 Configuring Basic Functions of a VRRP IPv4 Backup Group

This section describes how to create a VRRP IPv4 backup group, configure basic VRRP
functions, implement the master/backup VRRP mode, and optimize parameters of the VRRP
backup group.
Before You Start

Before configuring basic functions of a VRRP backup group, familiarize yourself with the usage
scenario, complete the pre-configuration tasks, and obtain the data required for the configuration.
On the network shown in Figure 3-8, all hosts on a network segment use default routes in which
the next-hop address is the same gateway address. The hosts use their default routes to send
packets to the gateway and the gateway forwards the packets to other network segments. If the
gateway fails, the hosts cannot communicate with external networks using their default routes.
Figure 3-8 Default gateway on a LAN
G a te w a y:1 0 .0 .0 .1
IP A d d re ss :1 0 .0 .0 .2 /2 4
1 0 .0 .0 .1 /2 4
G a te w a y :1 0 .0 .0 .1
IP A d d re s s:1 0 .0 .0 .3 /2 4
N e tw o rk
A T N -A
G a te w a y :1 0 .0 .0 .1
IP A d d re ss :1 0 .0 .0 .4 /2 4
E th e rn e t
Using default routes simplifies user configuration but requires highly reliable performance of
the default gateway. Adding gateways can improve reliability. This method is available only
when hosts are able to select a route to other egress gateways. Hosts on a LAN cannot run a
dynamic routing protocol and cannot select a route among multiple gateways.
Issue 02 (2013-12-31)

713

Equipment
3 Reliability
Figure 3-9 shows a network diagram for a VRRP backup group that is used to address the
preceding problem.
Figure 3-9 Schematic diagram for a VRRP backup group
1 0 .1 .1 .2 /2 4
M a s te r
V irtu a l IP A d d re s s
1 0 .1 .1 .1 0 /2 4
NodeB
G a te w a y:1 0 .1 .1 .1 0 /2 4
IP A d d re s s :1 0 .1 .1 .3 /2 4
Backup
1 0 .1 .1 .1 /2 4
1 0 .1 .1 .1 0 /2 4
V irtu re R o u te r
NodeB
G a te w a y:1 0 .1 .1 .1 0 /2 4
IP A d d re s s :1 0 .1 .1 .3 /2 4
A VRRP backup group works in master/backup mode. If the master ATN fails, a backup
ATN is used to forward data, improving network reliability.
After a VRRP backup group is configured, you can configure priorities for group members,
packet attributes, the interval at which packets are sent, and smooth VRRP switching, and enable
the function that pings the virtual IP address. These configurations can improve the performance
of the VRRP backup group.
Before configuring basic functions of a VRRP IPv4 backup group, complete the following task:
l
Configuring parameters of the link layer protocol and IP addresses for the interfaces and
ensuring that the status of the link layer protocol on the interfaces is Up.
Data Preparation
To configure basic functions of a VRRP IPv4 backup group, you need the following data.
Issue 02 (2013-12-31)
No.
Data
VRID and virtual IP address of the VRRP backup group
Priorities of routers in the VRRP backup group

714

Equipment
3 Reliability
No.
Data
(Optional) VRRP authentication key, VRRP version number, and interval at which
a VRRP Advertisement packet is broadcast
(Optional) Preemption delay and timeout period for sending gratuitous ARP packets
(Optional) Interval carried in VRRP Advertisement packets sent by the master

ATN during smooth VRRP switching
Creating a VRRP Backup Group

A VRRP backup group can be configured to work in either master/backup or load balancing
mode, improving network reliability.
Context
A VRRP backup group works in either master/backup or load balancing mode. For more
information, see Introduction. When only one VRRP backup group is configured on two
devices, these two VRRP devices work in master/backup mode to transmit data. When multiple
VRRP backup groups are configured on two devices, these two VRRP devices can work in load
balancing mode to transmit data.
A VRRP backup group can be used to implement gateway redundancy without causing
networking changes. The VRRP backup group uses the master device to forward traffic along
an active link. A VRRP backup group can be assigned a maximum of 16 virtual IP addresses.
One virtual IP address serves one separate user group, in which users have the same reliability
requirements. This setting helps prevent the default gateway addresses from varying according
to location changes of VRRP routers. If a master device in a VRRP backup group fails, a backup
device takes over network traffic, providing network device-level reliability.
NOTICE
If both VRRP and static ARP are configured on a termination sub-interface or a VLANIF
interface on a device, VRRP uses IP addresses mapped to static ARP entries as virtual IP
addresses. If a VRRP virtual IP address is an IP address mapped to a static ARP entry on a
device, the device generates incorrect host routes, affecting traffic forwarding.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Issue 02 (2013-12-31)

715

Equipment
3 Reliability
Step 3 Run:
vrrp vrid virtual-router-id virtual-ip virtual-address
A VRRP backup group is created and assigned a virtual IP address.

NOTE
l VRRP backup groups cannot share virtual IP addresses. The virtual IP addresses of a VRRP backup
group must be in the same network segment as the IP addresses of the interfaces where the VRRP
backup group is configured.
l Two devices in a single VRRP backup group must be configured with the same virtual router ID
(VRID).
If VRRP backup groups need to work in load balancing mode, repeat this step to configure two
or more VRRP backup groups on the interface and assign different VRIDs to them.
----End
Configuring VRRP Priorities on Interfaces in a VRRP Backup Group

Interfaces in a VRRP backup group can be configured with different VRRP priorities. These
VRRP priorities determine the VRRP status of these interfaces. The interface with a higher
VRRP priority than others is in the Master state and forwards traffic between users and networks.
Context
One VRRP backup group can work only in master/backup mode. ATNs in the VRRP backup
group have different priorities. The ATN with a higher VRRP priority than others is in the Master
state and others are in the Backup state.
Two or more VRRP backup groups work in load balancing mode. Each ATN has different
priorities in different VRRP backup groups. Repeatedly configure VRRP priorities to allow
different ATNs to function as master devices for different VRRP backup groups.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
vrrp vrid virtual-router-id priority priority-value
The VRRP priority value of the ATN is set.

The default VRRP priority value is 100.
Issue 02 (2013-12-31)

716

Equipment
3 Reliability
NOTE
l The priority value 0 is reserved for special use. The priority value 255 is reserved for the IP address
owner. The priority value of the IP address owner cannot be configured. Priority values 1 through 254
can be specified.
l If devices have the same VRRP priority, the device enters the Master state earlier than others is the
master device. Other devices are backup devices and stop preempting the master state.
----End
(Optional) Configuring VRRP Packet Attributes

VRRP Advertisement packet attributes include the packet sending mode, authentication type,
VRRP version number, TTL detection, and interval at which VRRP Advertisement packets are
sent. Configuring these attributes help improve the performance of a VRRP backup group.
Context
VRRP Advertisement packets are primarily used to determine the status of VRRP backup group
members and elect a master device in a VRRP backup group. After a master device is elected,
the master device sends VRRP Advertisement packets to advertise its VRRP priority and status
to backup devices in the VRRP backup group. A VRRP Advertisement packet contains the
following attributes:
l
VRRP packet sending mode: When a VRRP backup group is configured for a super VLAN
on a device enabled with VLAN aggregation, VRRP Advertisement packets can be sent to
a specified sub-VLAN or all sub-VLANs of the super VLAN. Sending VRRP
Advertisement packets to a specified sub-VLAN efficiently uses network bandwidth.
Authentication type: On a secure network, the ATN forwards all VRRP Advertisement
packets without authenticating them because it considers all VRRP Advertisement packets
valid. On a vulnerable network, the ATN must authenticate VRRP Advertisement packets
in either simple or Message Digest 5 (MD5) mode.
Version number: VRRP for IPv4 supports VRRPv2 and VRRPv3. Each version has a
specific packet format.
A VRRPv2 backup group can only send and receive VRRPv2 Advertisement packets.
If the VRRPv2 backup group receives VRRPv3 Advertisement packets, it discards these
packets.
A VRRPv3 backup group can send and receive both VRRPv2 and VRRPv3
Advertisement packets. The VRRPv3 backup group can communicate with both
VRRPv2 and VRRPv3 backup groups.
VRRP TTL detection: A VRRP-enabled ATN checks the TTL in every received VRRP
Advertisement packet and discards the packets if TTLs are not 255. This function needs to
be disabled on a network with Huawei and non-Huawei devices to prevent incorrect packet
loss.
Interval at which a VRRP Advertisement packet is broadcast: The master device sends a
VRRP Advertisement packet to backup devices at specified intervals to notify the backup
devices of its normal state. If backup devices do not receive any Advertisement VRRP
packets after the timer for receiving VRRP Advertisement packets expires, the backup
device with the highest priority becomes the new master device.
Gratuitous ARP packet sending mode: A QinQ termination sub-interface sends gratuitous
ARP packets with two tags and the inner tag is a range of VLAN IDs. To ensure that
Issue 02 (2013-12-31)

717

Equipment
3 Reliability
switches connected to users learn the correct MAC address of the VRRP backup group, the
VRRP backup group configured on the QinQ termination sub-interface sends gratuitous
ARP packets to all VLANs identified by inner VLAN IDs. This increases the burden on
the VRRP-enabled device. To reduce the burden, the VRRP-enabled device can be
configured to send gratuitous ARP packets carrying only the minimal inner VLAN ID.
Perform the following steps as needed to configure VRRP packet attributes:
Procedure
l
Configure the VRRP packet sending mode.

1.
Run:
system-view

2.
Run:
interface vlanif vlan-id
The VLANIF interface view is displayed.

3.
Run:
vrrp advertise send-mode { sub-vlan-id | all }
The mode for sending VRRP Advertisement packets is configured.

l
Configure the VRRP packet authentication type.

1.
Run:
system-view

2.
Run:

3.
Run:
vrrp vrid virtual-router-id authentication-mode { simple { [ plain ] key
| cipher cipher-key } | md5 md5-key }
The authentication mode for VRRP Advertisement packets is configured.

NOTE
ATNs in a VRRP backup group must be configured with the same authentication type and the
same authentication key. If different authentication types are configured, the negotiation on
the master and backup states fail.
Configure the VRRP version number.

1.
Run:
system-view

2.
Run:
vrrp version { v2 | v3 }
VRRP version number is specified.

3.
(Optional) Run:
vrrp version-3 send-packet-mode { v2-only | v3-only | v2v3-both }
Issue 02 (2013-12-31)

718

Equipment
3 Reliability
The mode for sending VRRPv3 Advertisement packets is configured.

l
Disable VRRP TTL check.

1.
Run:
system-view

2.
Run:

3.
Run:
vrrp un-check ttl
The function that checks TTLs in VRRP Advertisement packets is disabled.

By default, TTLs in VRRP Advertisement packets are checked.
l
Configure the interval at which a VRRP Advertisement packet is sent.

1.
Run:
system-view

2.
Run:

3.
Run:
vrrp vrid virtual-router-id timer advertise advertise-interval
The interval at which a VRRP Advertisement packet is sent is configured.

The default interval is 1 second. If multiple VRRP backup groups are configured,
increase the interval to prevent the VRRP status from flapping.
l
Configure the gratuitous ARP packet sending mode.

1.
Run:
system-view

2.
Run:
interface interface-type interface-number.subinterface-number
The view of an Ethernet sub-interface or Eth-Trunk sub-interface that is configured

with QinQ VLAN tag termination is displayed.
3.
Run:
vrrp arp send-mode simple
The QinQ termination sub-interface in the Master state is configured to send gratuitous
ARP packets carrying the outer VLAN ID and the minimal inner VLAN ID.
----End
Issue 02 (2013-12-31)

719

Equipment
3 Reliability
(Optional) Configuring VRRP Time Parameters

The preemption delay and the interval at which the master ATN sends a gratuitous ARP packet
can be set for a VRRP backup group. These parameters help VRRP links to work stably and
optimize the performance of a VRRP backup group.
Context
The following time parameters can be set to optimize the functions of a VRRP backup group:
l
Preemption delay: If a master ATN fails, a backup ATN can preempt the Master state only
after a specified delay. A master/backup VRRP switchover is frequently performed on an
unstable network where the BFD or EFM status tracked by a VRRP backup group is
flapping or backup ATNs are unable to receive VRRP Advertisement packets within a
specified period. This causes network flapping. To prevent this problem, set a preemption
delay. ATNs in a VRRP backup group will preempt the Master state after the specified
delay.
NOTICE
If the IP address owner recovers, it switches to the Master state immediately without waiting
a specified preemption delay. This process violates the preemption delay setting. Therefore,
in a VRRP backup group, the preemption delay and the IP address owner cannot be
configured together.
l
The interval at which a gratuitous ARP packet is sent can be set on the master ATN as
needed.
Set the preemption delay for a VRRP backup group.
Procedure
1.
Run:
system-view

2.
Run:

3.
Run:
vrrp vrid virtual-router-id preempt-mode timer delay delay-value
The preemption delay is set for ATNs in a VRRP backup group.

The default delay is 0s, meaning immediate preemption. In a VRRP backup group
working in immediate preemption mode, a backup ATN can immediately preempt the
Master state when its priority is higher than the master ATN. After preemption is
complete, the master ATN becomes a backup ATN.
The vrrp vrid virtual-router-id preempt-mode disable command is used to set the
non-preemption mode for ATNs in the VRRP backup group. In a VRRP backup group
Issue 02 (2013-12-31)

720

Equipment
3 Reliability
working in non-preemption mode, the master ATN that works properly can retain the
Master state. This state cannot be preempted even if the master ATN's priority
decreases.
The undo vrrp vrid virtual-router-id preempt-mode command is used to restore the
default preemption mode.
NOTE
Set the preemption delay value to 0 on the master ATN to allow it to become a backup ATN
immediately after its priority decreases; set the preemption delay to a non-0 value on backup
ATNs so that they can preempt the Master state after a specified delay. These settings allow a
period of time for status synchronization between the user-to-network link and network-to-user
link on devices on an unstable network. This prevents the situation where user devices learn
about an incorrect master ATN's IP address when two master ATNs coexist or a master/backup
VRRP switchover is performed frequently.
Set the interval at which a gratuitous ARP packet is sent by the master ATN.
1.
Run:
system-view

2.
Run:
vrrp gratuitous-arp timeout time
The interval at which gratuitous ARP packets are sent by the master ATN is set.
The gratuitous ARP packets sent by the master ATN carry the virtual MAC address.
By default, the master ATN sends a gratuitous ARP packet every 120s.
NOTE
The interval at which the master ATN sends a gratuitous ARP packet must be shorter than the
aging time of the ARP entry on each user device.
To restore the default interval at which a gratuitous ARP packet is sent, run the
undo vrrp gratuitous-arp timeout command in the system view.
To disable the master ATN from sending gratuitous ARP packets, run the vrrp
gratuitous-arp timeout disable command in the system view.
----End
(Optional) Configuring Smooth VRRP Switching

After smooth VRRP switching is enabled, the backup ATNs learn about the smooth switching
time, and retain their status within the smooth switching time, preventing service traffic loss
resulted from a master/backup VRRP switchover.
Context
If the master ATN in a VRRP backup group performs an AMB/SMB switchover, the master and
backup ATNs may fail to communicate with each other during the switchover. During this period
of time, the backup ATN with the highest priority becomes the new master ATN if backup
ATNs receive no VRRP Advertisement packet after the interval at which VRRP Advertisement
packets are sent expires. In this situation, two master ATNs coexist. After the original master
ATN completes the AMB/SMB switchover, it detects that it has a higher priority than the other
master ATN, and therefore retains the Master state. The other master v switches back to the
Issue 02 (2013-12-31)

721

Equipment
3 Reliability
Backup state. During this process, the links between the VRRP backup group and user device
are switched twice, causing unstable service transmission.
After the ATN is enabled with smooth switching, backup ATNs learn the smooth switching time
and prolongs the timeout period for receiving VRRP Advertisement packets based on the learned
time, ensuring the stability of the VRRP backup group status.
Enabling smooth VRRP switching on the ATN can optimize VRRP performance and minimize
the impact on user traffic.
Procedure
Step 1 Run:
system-view

Step 2 Run:
vrrp timer-advertise learning enable
The function of learning the interval at which a VRRP Advertisement packet is sent is enabled.
By default, this function is enabled.
Step 3 Run:
vrrp smooth-switching timer timer-value
Smooth VRRP switching is enabled, and the interval carried in VRRP Advertisement packets
during smooth VRRP switching is configured.
By default, smooth VRRP switching is enabled. The interval carried in VRRP Advertisement
packets ranges from 1s to 255s, and the default value is 100s. When the traffic is heavy, increase
the interval value.
The function of learning the interval at which a VRRP Advertisement packet is sent must be
enabled before this command is run. The undo vrrp timer-advertise learning enable command
is used to disable the function of learning the interval at which a VRRP Advertisement packet.
If this command is used, smooth VRRP switching is also disabled.
NOTE
The interval carried in VRRP Advertisement packets (for example, 120s) must be greater than the interval
at which a VRRP Advertisement packet is broadcast (for example, 1s). This ensures the stability of the
VRRP backup group status during a master/backup VRRP switchover.
----End
(Optional) Enabling the Ping to a Virtual IP Address

Enabling the ping to a virtual IP address helps monitor network connectivity.
Context
The ATN allows user devices to ping a virtual IP address to serve the following purposes:
l
Issue 02 (2013-12-31)
Monitors the operating status of the master ATN in a VRRP backup group.
722

Equipment
3 Reliability
Monitors communication between a user device and a network connected by a default

gateway using the virtual IP address.
NOTICE
If the ping to the virtual IP address is enabled, a device on an external network can ping a virtual
address. This exposes the ATN to ICMP-based attacks. The undo vrrp virtual-ip ping
enable command can be used to disable the ping function.
Procedure
Step 1 Run:
system-view

Step 2 Run:
vrrp virtual-ip ping enable
The ping to a virtual IP address is enabled.

By default, the ping function is enabled. The master ATN in a VRRP backup group replies to
ping packets sent to the virtual IP address.
----End

You can view the status of the VRRP backup group and verify the configuration.
Prerequisites
The configurations of the VRRP backup group are complete.
Procedure
l
Run the display vrrp [ interface interface-type interface-number [ virtual-router-id ] ]

[ brief ] command to check the status of a VRRP backup group.
Run the display vrrp state-change interface interface-type interface-number vrid virtualrouter-id command to check the status change of a specified VRRP backup group.
----End
3.2.3 Configuring an mVRRP IPv4 Backup Group

VRRP backup groups, VRRP-disabled interfaces, or PWs can be bound to an mVRRP backup
group. After the bindings, the mVRRP backup group determines the master and backup VRRP
status. mVRRP is used when multiple VRRP backup groups coexist, decreasing VRRP
Advertisement packets to be sent and minimizing network bandwidth consumption. mVRRP is
also used to determine the active and standby status of links along which a user is dual-homed
to a network.
Issue 02 (2013-12-31)

723

Equipment
3 Reliability
Before You Start

Before configuring an mVRRP backup group, familiarize yourself with the usage scenario,
Figure 3-10 Network diagram for mVRRP
NPE1
mVRRP
UPE
NPE2
Figure 3-10 shows mVRRP. At the aggregation layer on a MAN, a UPE is usually dual-homed
to two NPEs. Multiple VRRP backup groups can be configured on the two NPEs to transmit
various types of services. Each VRRP backup group maintains its own state machine, leading
to transmission of a lot of VRRP Advertisement packets between NPEs. To help simplify VRRP
operation and decrease bandwidth consumption, a VRRP backup group is configured as an
mVRRP backup group. Other VRRP backup groups are bound to the mVRRP backup group and
function as service VRRP backup groups. mVRRP determines the status of its service VRRP
backup groups.
An mVRRP backup group is still a VRRP backup group essentially and has all functions that a
VRRP backup group provides.
NOTE
Multiple service VRRP backup groups can be bound to an mVRRP backup group. An mVRRP backup
group cannot be bound to another mVRRP backup group.
The following table lists objects that can be bound to mVRRP and binding scenarios.
Table 3-4 Objects that can be bound to mVRRP and binding scenarios
Issue 02 (2013-12-31)
Object
Scenario
VRRP backup groups
If multiple VRRP backup groups are configured on a device, they

can be bound to an mVRRP backup group. The mVRRP backup
group sends VRRP Advertisement packets to determine the master
and backup status for its service VRRP backup groups.

724

Equipment
3 Reliability
Object
Scenario
VRRP-disabled
interfaces
VRRP-disabled interfaces can be bound to an mVRRP backup

group. A master/slave mVRRP switchover can trigger the active/
standby switchover on these interfaces, preventing traffic loss.
PWs
mVRRP is bound to PWs. After a master/slave mVRRP switchover

is performed, the mVRRP status determines the primary and
secondary states for PWs, preventing traffic loss.
Before configuring an mVRRP backup group, complete the following task:
l
Data Preparation
To configure an mVRRP backup group, you need the following data.
No.
Data
VRID, virtual IP address, and (optional) priorities of an mVRRP backup group
(Optional) Type and number of a VRRP-disabled interface and peer IP address of a

PW
Creating an mVRRP Backup Group

An mVRRP backup group can be created, and VRRP backup groups, VRRP-disabled interfaces,
or PWs can be bound to it. The mVRRP backup group determines the master and backup VRRP
status of the bound objects.
Context
An mVRRP backup group is still a VRRP backup group essentially and has all functions that a
VRRP backup group provides. For information about the basic configuration of a VRRP backup
group, see 3.2.2 Configuring Basic Functions of a VRRP IPv4 Backup Group. A VRRP
backup group must be created before an mVRRP backup group is specified.
Procedure
Step 1 Run:
system-view

Step 2 Run:
Issue 02 (2013-12-31)

725

Equipment
3 Reliability
The view of an interface on which a VRRP backup group is created is displayed.

Step 3 Run:
admin-vrrp vrid virtual-router-id [ ignore-if-down ]
The VRRP backup group is configured as an mVRRP backup group.

----End
Configuring an mVRRP Backup Group Binding

VRRP backup groups, VRRP-disabled interfaces, or PWs can be bound to an mVRRP backup
group. After a binding is configured, the mVRRP backup group determines the master and
backup VRRP status of the bound objects.
Context
After configuring basic functions of an mVRRP backup group, bind the mVRRP backup group
to a specified object, implementing consistent status management. For information about the
mVRRP backup group and its typical usage scenario, see Before You Start.
Procedure
l
Bind a VRRP backup group to an mVRRP backup group.

1.
Run:
system-view

2.
Run:
The view of the interface where the VRRP backup group is configured is displayed.
3.
Run:
vrrp vrid virtual-router-id1 track admin-vrrp interface interface-type
interface-number vrid virtual-router-id2 unflowdown
The VRRP backup group is bound to an mVRRP backup group.

After the binding is complete, the state machine of the service VRRP backup group
depends on the status of the mVRRP backup group. The service VRRP backup group
deletes its VRRP packet timeout timer and stops sending or receiving VRRP packets.
It operates its state machine by directly duplicating the status of the mVRRP back
group.
NOTE
A VRRP backup group can only be bound to a single mVRRP backup group.
Do not run the control-flap command on an interface that a VRRP backup group tracks. If this
command is run on the interface and the interface recovers from a fault, the interface goes Up
after a specified delay. During the delay, the network-side route is unreachable, and the VRRP
status changes from Backup to Master. User-side traffic directed to the interface will be
discarded.
Bind a VRRP-disabled interface to an mVRRP backup group.

1.
Run:
system-view
Issue 02 (2013-12-31)

726

Equipment
3 Reliability

2.
Run:

3.
Run:
track admin-vrrp interface interface-type interface-number vrid virtualrouter-id
The interface is bound to an mVRRP backup group.

----End
(Optional) Configuring the BFD Sampling Function to Implement a Rapid Master/

Backup VRRP Switchover
Usually, a VRRP backup group implements a master/backup VRRP switchover rapidly by
tracking the BFD session status. This method is inapplicable on some networks or on a device
that does not support BFD. BFD sampling helps mVRRP implement rapid master/backup VRRP
switchovers.
Issue 02 (2013-12-31)

727

Equipment
3 Reliability
Context
Figure 3-11 Network diagram for BFD sampling
VPLS convergence
network
Access
Core
IP:10.100.1.1/24
GW:10.100.1.200
Inner VLAN: 110
Outer VLAN: 10
CE1
NPE1
CE2
IP:10.101.1.1/24
GW:10.101.1.200
Inner VLAN: 210
Outer VLAN: 10
Link BFD
PE1
Peer
BFD
MPLS/IP Core
PE2
CE3
IP:10.102.1.1/24
GW:10.102.1.200
Inner VLAN: 310
Outer VLAN: 10
NPE2
CE4
IP:10.103.1.1/24
GW:10.103.1.200
Inner VLAN: 410
Outer VLAN: 10
On the network shown in Figure 3-11, CEs are connected to sub-interfaces for QinQ VLAN tag
termination on NPEs across a VPLS convergence network.
On the NPEs, an mVRRP backup group and service VRRP backup groups are configured. The
mVRRP backup group tracks BFD sessions to implement rapid master/backup VRRP
switchovers. A peer BFD session is established between two NPEs. A link BFD session is
established between each NPE and PE, or if PEs do not support link BFD, a link BFD session
is established between each NPE and CE.
BFD sampling is applicable to this network. After link BFD sessions are established, they are
bound to the mVRRP backup group. By default, the mVRRP backup group performs a master/
backup VRRP switchover only after all link BFD sessions go Down. To speed up the switchover,
the vrrp vrid virtual-router-id track link-bfd down-number command is run to set the
maximum number of link BFD sessions tracked by mVRRP. If the specified maximum number
of link BFD sessions go Down, a master/backup VRRP switchover is performed. This is BFD
sampling.
Issue 02 (2013-12-31)

728

Equipment
3 Reliability
VRRP backup groups configured on the NPEs can perform rapid master/backup VRRP
switchovers by tracking the status of link BFD sessions between NPEs and CEs, though link
BFD sessions between NPEs and PEs are unavailable.
In this scenario, in addition to peer BFD sessions between the NPEs, multiple link BFD sessions
are established between the NPEs and CEs, but not PEs. If a link or node fails, a link BFD session
goes Down. NPEs that track the link BFD session will be notified of the change and rapidly
perform a master/backup VRRP switchover.
NOTE
l During the configuration of a rapid master/backup VRRP switchover, before VRRP monitors a peer
BFD session, you must configure peer BFD sessions on both the master and backup devices. If a single
device is configured with a peer BFD session, a failure results in VRRP flapping.
l If a VRRP backup group is bound to an mVRRP backup group, the VRRP backup group maintains its
status consistent with the status of the mVRRP backup group, and does not track BFD.
l When configuring an mVRRP backup group to track a BFD session, use either of the following
parameters as needed:
l session-name bfd-configure-name: allows only dynamic BFD sessions to be bound to the mVRRP
backup group.
l session-id: allows only static BFD sessions to be bound to the mVRRP backup group.
Procedure
Step 1 Run:
system-view

Step 2 Run:
interface interface-type interface-number [.subinterface-number ]
The view of the interface where the mVRRP backup group is configured is displayed.
Step 3 Run:
vrrp vrid virtual-router-id track bfd-session { bfd-session-id | session-name bfdconfigure-name } [ peer | link ]
The mVRRP backup group is configured to track a link or peer BFD session.
The process-pst command must be used to allow a link BFD session to modify the port status
table (PST). If this command is not used, mVRRP tracks the link BFD session status incorrectly
and obtains incorrect tracking results. This command is applicable to the following types of link
BFD sessions:
l BFD for static LSP
l BFD for LDP LSP
l BFD for CR-LSP
l BFD for TE
Step 4 Run:
vrrp vrid virtual-router-id track link-bfd down-number down-number
The maximum number is set for link BFD sessions tracked by mVRRP.
Issue 02 (2013-12-31)

729

Equipment
3 Reliability
Among the link BFD sessions tracked by mVRRP, when the number of sessions in the Down
state reaches the specified maximum number, the mVRRP backup group performs a rapid
master/backup switchover.
----End

You can view the status of the mVRRP backup group and verify the configuration.
Prerequisites
The configurations of an mVRRP backup group are complete.
Procedure
l
Run the display vrrp binding admin-vrrp [ interface interface-type interface-number ]

[ vrid virtual-router-id ] command to check all bindings configured for an mVRRP backup
group.
Run the display vrrp binding admin-vrrp [ interface interface-type1 interfacenumber1 ] [ vrid virtual-router-id1 ] member-vrrp [ interface interface-type2 interfacenumber2 ] [ vrid virtual-router-id2 ] command to check bindings between an mVRRP
backup group and service VRRP backup groups.
Run the display vrrp binding admin-vrrp [ interface interface-type1 interfacenumber1 ] [ vrid virtual-router-id ] member-interface [ interface interface-type2
interface-number2 ] command to check the bindings between an mVRRP backup group
and VRRP-disabled interfaces.
Run the display vrrp admin-vrrp command to check the status of all mVRRP backup
groups.

command to check the status of a specified VRRP backup group.
----End
3.2.4 Configuring VRRP IPv4 Association

VRRP IPv4 association helps a VRRP IPv4 backup group rapidly perform a master/backup
VRRP switchover if a network link fails. This ensures proper service data forwarding.
Before You Start

Before configuring VRRP IPv4 association, familiarize yourself with the usage scenario,
If an interface or a link fails or the network topology is modified, devices in a VRRP backup
group detect the change after a period of time, which delays a master/backup VRRP switchover.
Although the master/backup VRRP switchover can be performed, route switching is unable to
be performed because no route is associated with the VRRP backup group. Either VRRP
switchover latency or the route switching failure causes traffic loss.
Issue 02 (2013-12-31)

730

Equipment
3 Reliability
VRRP IPv4 association can prevent traffic loss. If an object associated with a VRRP backup
group fails, the VRRP backup group is notified of the failure and performs a master/backup
VRRP switchover. Alternatively, if a master/backup VRRP switchover is performed, the VRRP
backup group instructs its associated object to perform a traffic switchover. The association
ensures proper traffic forwarding and improves link reliability.
For information about objects associated with a VRRP backup group and association scenarios,
see VRRP Features That the ATN Supports.
Before configuring VRRP IPv4 association, complete the following tasks:
l
Configure a common, link, or peer bidirectional forwarding detection (BFD) session.
Configure Ethernet in the First Mile Operation, Administration, and Maintenance (EFM
OAM).
Install Service Process Units (SPUs) on VRRP-enabled devices and configure an IPSec
instance.
Data Preparation
To configure VRRP IPv4 association, you need the following data.
No.
Data
VRID
Type and number of an interface to be tracked and value by which the VRRP priority
increases or reduces if the tracked interface goes Down
Local and remote discriminators of a BFD session to be tracked by a VRRP backup

group
ID of an IPSec instance to be tracked by a VRRP backup group.
Value by which the VRRP priority reduces if the tracked IPSec instance goes Down
NQA test instance to be tracked by a VRRP backup group and value by which the
VRRP priority reduces if the tracked NQA test instance goes Down
Associating a VRRP IPv4 Backup Group with a VRRP-Disabled Interface

A VRRP IPv4 backup group can be configured to track a VRRP-disabled interface on the master
device. If the master device detects that the status of the VRRP-disabled interface changes, it
rapidly performs a master/backup VRRP switchover.
Context
The master device cannot detect changes in the status of interfaces that are not in a VRRP IPv4
backup group. If a VRRP-disabled interface connected to a network fails, the master device is
Issue 02 (2013-12-31)

731

Equipment
3 Reliability
unable to detect the fault and still forwards user packets through the failed interface, resulting
in service interruptions.
To prevent this problem, the VRRP IPv4 backup group can be configured to track the VRRPdisabled interface connected to the network. If the interface goes Down, the VRRP IPv4 backup
group detects the fault, reduces the priority of the master device, and sends VRRP IPv4
Advertisement packets to elect a new master device. The new master device takes over traffic.
Perform the following steps on a device where an interface needs to be tracked by a VRRP IPv4
backup group:
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
vrrp vrid virtual-router-id track interface interface-type interface-number
[ increased value-increased | reduced value-reduced ]
The VRRP IPv4 backup group is configured to track a specified interface. During the
configuration, note the following settings:
l By default, the VRRP priority reduces by 10 if an interface tracked by a VRRP IPv4 backup
group goes Down.
l increased value-increased specifies the value by which the VRRP priority increases if the
tracked interface goes Down. The value is an integer ranging from 1 to 255. Only the IP
address owner has priority value 255. The greatest priority value that can be set is 254.
l reduced value-reduced specifies the value by which the VRRP priority reduces if the tracked
interface goes Down. The value is an integer ranging from 1 to 255. The smallest priority
value can be set to 1. Priority value 0 is reserved for special use. If a backup device receives
a VRRP IPv4 Advertisement packet carrying the priority value of 0, the backup device
immediately preempts the Master state.
----End
Associating a VRRP IPv4 Backup Group with a BFD Session

A VRRP IPv4 backup group can be configured to track BFD sessions. If one of the BFD sessions
changes its status, the BFD module notifies the VRRP IPv4 backup group of the change. After
receiving the notification, the VRRP IPv4 backup group rapidly performs a master/backup
VRRP switchover.
Context
If a link between devices in a VRRP IPv4 backup group fails, VRRP IPv4 Advertisement packets
cannot be sent to negotiate states. Backup devices will attempt to preempt the Master state after
Issue 02 (2013-12-31)

732

Equipment
3 Reliability
a period three times the interval at which VRRP IPv4 Advertisement packets are broadcast.
During this period of time, service data is lost. To prevent this problem, the VRRP IPv4 backup
group can be associated with BFD sessions. The BFD sessions are established between the master
and backup devices to rapidly detect faults. If a fault occurs, the BFD module rapidly notifies
the VRRP IPv4 backup group of the fault and triggers a master/backup VRRP switchover. VRRP
IPv4 association involves the following functions:
l
Association with a common BFD session: The association allows a master/backup VRRP
switchover to be performed after VRRP priorities change.
Association with a link or peer BFD session: The association allows a master/backup VRRP
switchover to be performed within milliseconds after the link or peer BFD session detects
a fault.
NOTE
When configuring a VRRP IPv4 backup group to track a BFD session, use either of the following parameters
as needed:
l session-name bfd-configure-name: allows only a static BFD session with automatically negotiated
discriminators to be bound to the VRRP IPv4 backup group.
l session-id: allows only a static BFD session to be bound to the VRRP IPv4 backup group.
A VRRP IPv4 backup group can track a maximum of eight BFD sessions and a maximum of
eight interfaces.
Perform the following steps on the device that needs to implement a rapid master/backup VRRP
switchover:
Procedure
Step 1 Run:
system-view

Step 2 Run:
interface interface-type interface-number [.subinterface-number ]
The view of the interface where the VRRP IPv4 backup group is configured is displayed.
l
vrrp vrid virtual-router-id track bfd-session { bfd-session-id | session-name

bfd-configure-name } [ increased value-increased | reduced value-reduced ]
The VRRP IPv4 backup group is configured to track a common BFD session. During the
configuration, use either of the following parameters as needed:
increased value-increased: specifies the value by which the VRRP priority increases if the
tracked BFD session becomes Failed. The value ranges from 1 to 255. Only the IP address
owner has priority value 255, and the largest priority value can be set to 254. This parameter
takes effect only on backup devices.
reduced value-reduced: specifies the value by which the VRRP priority reduces if the tracked
BFD session becomes Failed. The value ranges from 1 to 255. The smallest priority value
can be set to 1. Priority value 0 is reserved for special use. If a backup device receives a
VRRP IPv4 Advertisement packet carrying the priority value of 0, the backup device
immediately preempts the Master state. By default, the priority value reduces by 10 if a BFD
session tracked by a VRRP IPv4 backup group becomes Failed.
Issue 02 (2013-12-31)

733

Equipment
3 Reliability
Ensure that the changed VRRP priority of a backup device is higher than the master device,
allowing a rapid master/backup VRRP switchover.
l
vrrp vrid virtual-router-id track bfd-session { bfd-session-id | session-name

bfd-configure-name } [ peer | link ]
The VRRP IPv4 backup group is configured to track a link or peer BFD session.
Before configuring a VRRP IPv4 backup group to track a link BFD session, run the processpst command to allow the BFD session to modify the port status table (PST). If this command
is not used, the VRRP IPv4 backup group tracks the link BFD session status incorrectly and
obtains incorrect tracking results. This command applies to the following types of link BFD
sessions:
BFD for static LSP
BFD for LDP LSP
BFD for CR-LSP
BFD for TE
NOTE
l If a VRRP IPv4 backup group is bound to an mVRRP backup group, the mVRRP IPv4 backup
group determines the VRRP IPv4 backup group status, and the VRRP IPv4 backup group is unable
to track any BFD sessions.
l During the configuration of a rapid master/backup VRRP switchover, a peer BFD session must be
configured on the master and backup devices before a VRRP backup group is configured to track
the peer BFD session. If the peer BFD session is only configured on a single device and detects a
fault, VRRP flapping occurs.
l A VRRP backup group is associated with a link BFD session and a peer BFD session. In this
scenario, the backup device status becomes Master if the backup device detects the peer BFD
session status change before detecting the link BFD session status change. The backup device status
transitions from Master to Initialize after it detects the peer BFD session status change. To prevent
the preceding case, run the min-tx-interval command in the BFD session view to set the interval
at which link BFD control packets to be smaller than the interval at which peer BFD control packets
are sent.
----End

After configuring VRRP IPv4 association, you can view the status of a tracked BFD or EFM
session and verify the configuration.
Prerequisites
The configurations of VRRP IPv4 association are complete.
Procedure
l

command to check the status and configurations of a specified VRRP backup group.
----End
3.2.5 Maintaining VRRP

This section describes how to maintain VRRP by deleting VRRP statistics, and monitoring
VRRP operations.
Issue 02 (2013-12-31)

734

Equipment
3 Reliability
Clearing VRRP Statistics

Deleting previous VRRP statistics is recommended before you collect VRRP statistics within a
specified period of time.
Context
NOTICE
VRRP statistics cannot be restored after being deleted. Exercise caution when using the
command.
Procedure
l
Run the reset vrrp [ interface interface-type interface-number ] [ vrid virtual-router-id ]

statistics command in the user view to delete VRRP statistics.
Run the clear admin-vrrp binding interface interface-type interface-number vrid virtualrouter-id command in the system view to delete the binding between an mVRRP backup
group and a service VRRP module on a board that does not operate.
----End
Monitoring VRRP Status

Monitoring VRRP status by viewing information about VRRP during the operation.
Context
The following commands are run in any view during routine maintenance to show VRRP status.
Procedure
l
Run the display vrrp protocol-information command in any view to check VRRP
information on the device.
Run the display vrrp [ interface interface-type interface-number ] [ virtual-router-id ]

statistics command in any view to check the current VRRP status, configured parameters,
and statistics about sent and received packets.
----End

This section provides VRRP configuration examples. Each configuration example includes
networking requirements, configuration roadmap, data preparation, configuration procedure,
and configuration files.
Issue 02 (2013-12-31)

735

Equipment
3 Reliability
Example for Configuring a VRRP Backup Group

In this example, a VRRP backup group is configured to implement backup for gateways that are
the next hops of user devices.
Users access an upper-layer network through a gateway ATN. If the gateway ATN fails, user
services are interrupted. To improve network reliability, configure a VRRP backup group on
gateway ATNs.
Figure 3-12 shows a VRRP backup group. The master ATN is transmitting data. If the master
ATN fails, the backup ATN takes over traffic. After the master ATN recovers, traffic ATNCes
back to the master ATN.
Figure 3-12 Networking diagram for a VRRP backup group
Backup group 1
GE0/2/0
10.1.1.1/24
ATNA
Master
GE0/2/1
192.168.1.1/24
GE1/0/1
192.168.1.2/24
GE3/0/0
20.1.1.1/24
ATNC
GE0/2/1
Internet
GE0/2/2
GE2/0/0
192.168.2.2/24
GE0/2/1
192.168.2.1/24
GE0/2/0
10.1.1.2/24
ATNB
Backup
l
Assign an IP address to each interface to ensure IP connectivity.
Configure a VRRP backup group on ATNs and set different VRRP priorities for the devices
to determine the master or backup state for the ATNs. This configuration ensures devicelevel reliability for network links.
Data Preparation
Issue 02 (2013-12-31)

736

Equipment
3 Reliability
IP address of each interface (For detailed information, see "Data Preparation" in Figure
3-12.)
VLAN ID (10) and mode (untagged) for adding interfaces connecting the ATNC to ATN
A and ATN B to the VLAN
VRID (1) and virtual IP address (10.1.1.111) for a VRRP backup group configured on
ATN A and ATN B
VRRP priorities (120 for ATN A and 100 for ATN B)
Preemption delay (20s)
Procedure
Step 1 Configure the devices to ensure network connectivity. The configuration details are not provided
here.
# Assign 10.1.1.111 to the default gateway for host A.
# Configure OSPF on ATN A, ATN B, and ATN C to ensure their interconnections. For detailed
information, see the configuration files.
Step 2 Configure the ATNC.
# Create a VLAN named VLAN10 on the ATNC; add physical interfaces connecting the ATNC
to ATN A and ATN B to VLAN10 in untagged mode.
[HUAWEI] sysname ATNC
[ATNC] vlan 10
[ATNC-vlan10] quit
[ATNC] interface gigabitethernet 0/2/1
[ATNC-GigabitEthernet0/2/1] undo shutdown
[ATNC-GigabitEthernet0/2/1] portswitch
[ATNC-GigabitEthernet0/2/1] port default vlan 10
[ATNC-GigabitEthernet0/2/1] quit
Step 3 Configure a VRRP backup group.

# Create VRRP backup group 1 on ATN A and set the VRRP priority value to 120 so that
ATN A functions as the Master.
[ATNA-GigabitEthernet0/2/0] vrrp vrid 1 virtual-ip 10.1.1.111
[ATNA-GigabitEthernet0/2/0] vrrp vrid 1 priority 120
[ATNA-GigabitEthernet0/2/0] vrrp vrid 1 preempt-mode timer delay 20
[ATNA-GigabitEthernet0/2/0] quit
[ATNA] quit
# Create VRRP backup group 1 on ATN B.

[ATNB] interface gigabitethernet 0/2/0
Issue 02 (2013-12-31)

737

Equipment
3 Reliability

[ATNB-GigabitEthernet0/2/0] vrrp vrid 1 virtual-ip 10.1.1.111
[ATNB] quit

l Verify that the VRRP backup group properly provides gateway functions.
# After completing the preceding configurations, run the display vrrp command on ATN A and
ATN B. The VRRP status of ATN A is Master and the VRRP status of ATN B is Backup. The
command output on ATN A and ATN B is as follows:
<ATNA> display vrrp
GigabitEthernet0/2/0 | Virtual Router 1
state
: Master
Virtual IP
: 10.1.1.111
Master IP
: 10.1.1.1
PriorityRun
: 120
PriorityConfig : 120
MasterPriority : 120
Preempt
: YES
Delay Time : 20
TimerRun
: 1
TimerConfig
: 1
Auth Type
: NONE
Virtual Mac
: 0000-5e00-0101
Check TTL
: YES
Config type
: normal-vrrp
Backup-forward : disabled
Create time
: 2010-06-22
Last change time
: 2010-06-22
<ATNB> display vrrp
state
: Backup
Virtual IP
: 10.1.1.111
Master IP
: 10.1.1.1
PriorityRun
: 100
Preempt
: YES
Delay Time : 0
TimerRun
: 1
TimerConfig
: 1
Auth Type
: NONE
Virtual Mac
: 0000-5e00-0101
Check TTL
: YES
Config type
: normal-vrrp
Create time
: 2010-06-22
Last change time
: 2010-06-22
17:33:00
17:33:06
17:33:00
17:33:06
# Run the display ip routing-table command on ATN A and ATN B. A direct route to the virtual
IP address of the VRRP backup group exists in ATN A's routing table and an OSPF route to the
virtual IP address of the VRRP backup group exists in ATN B's routing table. The command
output on ATN A and ATN B is as follows:
<ATNA> display ip routing-table
Route Flags: R - relied, D - download to fib
-----------------------------------------------------------------------------Routing Tables: Public
Destinations : 10
Routes : 10
Destination/Mask
Proto
Pre Cost
Flags
NextHop
Interface
10.1.1.0/24
Direct
0
0
D
10.1.1.1
10.1.1.1/32
Direct
0
0
D
127.0.0.1
InLoopBack0
10.1.1.111/32
Direct 0
0
D
127.0.0.1
InLoopBack0
127.0.0.0/8
Direct
0
0
D
127.0.0.1
InLoopBack0
127.0.0.1/32
Direct
0
0
D
127.0.0.1
InLoopBack0
Issue 02 (2013-12-31)

738

Equipment
3 Reliability
192.168.1.1/32
Direct
0
0
D
127.0.0.1
InLoopBack0
192.168.2.0/24
OSPF
10
2
D
10.1.1.2
<ATNB> display ip routing-table
Destinations : 10
Routes : 10
Destination/Mask
Proto
Pre Cost
Flags
NextHop
Interface
10.1.1.0/24
Direct
0
0
D
10.1.1.2
10.1.1.2/32
Direct
0
0
D
127.0.0.1
InLoopBack0
10.1.1.111/32
OSPF
10
2
D
10.1.1.1
127.0.0.0/8
Direct
0
0
D
127.0.0.1
InLoopBack0
127.0.0.1/32
Direct
0
0
D
127.0.0.1
InLoopBack0
192.168.1.0/24
OSPF
10
2
D
10.1.1.1
192.168.2.1/32
Direct
0
0
D
127.0.0.1
InLoopBack0
l Verify that ATN B becomes the Master if ATN A fails.

# Run the shutdown command on GE 0/2/0 of ATN A.
Run the display vrrp command on ATN B to view the VRRP status. The command output
shows that ATN B is in the Master state. For example:
<ATNB> display vrrp
state
: Master
Virtual IP
: 10.1.1.111
Master IP
: 10.1.1.2
PriorityRun
: 100
Preempt
: YES
Delay Time : 0
TimerRun
: 1
TimerConfig
: 1
Auth Type
: NONE
Virtual Mac
: 0000-5e00-0101
Check TTL
: YES
Config type
: normal-vrrp
Create time
: 2010-06-22 17:33:00
Last change time
: 2010-06-22 17:33:06
l Verify that ATN A preempts the master device after recovering.

# Run the undo shutdown command on GE 0/2/0 of ATN A. Wait 20s and run the display
vrrp command on ATN A. The command output shows that ATN A is in the Master state.
----End
Configuration Files
l

#
sysname ATNA
#
undo shutdown
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255
Issue 02 (2013-12-31)

739

Equipment
3 Reliability
#
return

#
sysname ATNB
#
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 192.168.2.0 0.0.0.255
network 10.1.1.0 0.0.0.255
#
return
Configuration file of the ATNC

#
sysname ATNC
#
vlan batch 10
#
portswitch
undo shutdown
portswitch
undo shutdown
#
return
Example for Configuring VRRP Backup Groups Working in Load Balancing Mode
In this example, two VRRP backup groups are configured to work in load balancing mode.
Devices in the VRRP backup groups back up each other and load-balance traffic.
Users access an upper-layer network through a gateway ATN. A VRRP backup group configured
on a gateway ATN can improve network reliability. To load balance traffic, configure multiple
VRRP backup groups on a ATN.
Figure 3-13 shows two VRRP backup groups working in load balancing mode.
ATN A is the Master in backup group 1 and the Backup in backup group 2.
ATN B is the Master in backup group 2 and the Backup in backup group 1.
Hosts can use either of two backup groups as a gateway to communicate with an upper-layer
network. The two backup groups load balance traffic and back up each other.
Issue 02 (2013-12-31)

740

Equipment
3 Reliability
Figure 3-13 Networking diagram of two VRRP backup groups working in load balancing mode
ATNA
group 1:Master
Backup group 1
group 2:Backup
Virtual IP Address:
GE0/2/0
192.168.1.1/24
10.1.1.111
10.1.1.1/24
GE0/2/1
VLANIF10
ATNC
GE0/2/2
VLANIF10
192.168.1.2/24
Backup group 2
Virtual IP Address:
20.1.1.1/24
10.1.1.112
RouterC
HostB
192.168.2.2/24 20.1.1.100/24
GE0/2/0
10.1.1.2/24
192.168.2.1/24
ATNB
group 2:Master
group 1:Backup
l
Configure VRRP backup groups on ATNs and set different VRRP priorities for the devices
to determine the master or backup state for the ATNs in each backup group, implementing
load balancing.
Data Preparation
l
IP address of each interface on each device (For detailed information, see configuration
files or "Data Preparation" in Figure 3-13.)
VRID (1) and virtual IP address (10.1.1.111) for a VRRP backup group configured on
ATN A and ATN B
VRRP priorities (120 for ATN A and 100 for ATN B) in backup group 1
VRID (2) and virtual IP address (10.1.1.112) for another VRRP backup group configured
on ATN A and ATN B
VRRP priorities (120 for ATN B and 100 for ATN A) in backup group 2
Preemption delay (20s) for backup group 1 and backup group 2
Procedure
Step 1 Configure the devices to ensure network connectivity. The configuration details are not provided
here.
Issue 02 (2013-12-31)

741

Equipment
3 Reliability
# Assign 10.1.1.111 to backup group 1 functioning as a default gateway for host A and 10.1.1.112
to backup group 2 functioning as a default gateway for host C.
# Configure OSPF on ATN A, ATN B, and ATN C.
Step 2 Configure the ATNC.
# Create a VLAN named VLAN10 on the switch; add physical interfaces connecting the switch
to ATN A and ATN B to VLAN10 in untagged mode.
[ATNC] vlan 10
[ATNC-vlan10] quit
Step 3 Configure VRRP backup groups.

# Configure backup group 1 and backup group 2 on GE 2/0/0 of ATN A and set the VRRP
priority value to 120 for ATN A in backup group 1, which ensures that ATN A is the Master in
backup group 1 and the Backup in backup group 2.
[ATNA-GigabitEthernet0/2/0] vrrp vrid 1 preempt-mode timer delay 20
# Configure backup group 1 and backup group 2 on GE 0/2/0 of ATN B and set the VRRP
priority value to 120 for ATN B in backup group 2. This configuration ensures that ATN B is
the Master in backup group 2 and the Backup in backup group 1.
[ATNB-GigabitEthernet0/2/0] vrrp vrid 2 priority 120
[ATNB-GigabitEthernet0/2/0] vrrp vrid 2 preempt-mode timer delay 20

# After completing the preceding configurations, ping host B from host A and host C. The pings
are successful.
Run the tracert command on host A and host C to trace routes to host B. Tracert packets sent
by host A pass through ATN A and ATN C and reach host B. Tracert packets sent by host C
Issue 02 (2013-12-31)

742

Equipment
3 Reliability
pass through ATN B and ATN C and reach host B. This means that ATN A and ATN B are
properly load-balancing traffic.
<HostA> tracert 20.1.1.100
traceroute to 20.1.1.100(20.1.1.100) 30 hops max,40 bytes packet
1
10.1.1.1
120ms
50 ms
60 ms
2
192.168.1.2
100 ms 60 ms
60 ms
3
20.1.1.100
130 ms 90 ms
90 ms
<HostC> tracert 20.1.1.100
traceroute to 20.1.1.100(20.1.1.100) 30 hops max,40 bytes packet
1
10.1.1.2
30 ms 60 ms 40 ms
2
192.168.2.2 90 ms 60 ms 60 ms
3
20.1.1.100
70 ms 60 ms 90 ms
# Run the display vrrp command on ATN A. The command output shows that ATN A is in the
Master state in backup group 1 and in the Backup state in backup group 2.
<ATNA> display vrrp
state
: Master
Virtual IP
: 10.1.1.111
Master IP
: 10.1.1.1
PriorityRun
: 120
Preempt
: YES
Delay Time : 20
TimerRun
: 1
TimerConfig
: 1
Auth Type
: NONE
Virtual Mac
: 0000-5e00-0101
Check TTL
: YES
Config type
: normal-vrrp
Create time
: 2010-06-22 17:33:00
Last change time : 2010-06-22 17:33:06
state
: Backup
Virtual IP
: 10.1.1.112
Master IP
: 10.1.1.2
PriorityRun
: 100
Preempt
: YES
Delay Time : 20
TimerRun
: 1
TimerConfig
: 1
Auth Type
: NONE
Virtual Mac
: 0000-5e00-0102
Check TTL
: YES
Config type
: normal-vrrp
Create time
: 2010-06-22 17:33:00
Last change time : 2010-06-22 17:33:06
----End
Configuration Files
l

#
sysname ATNA
#
undo shutdown
ip address 10.1.1.1 255.255.255.0
Issue 02 (2013-12-31)

743

Equipment
3 Reliability

#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255
#
return

#
sysname ATNB
#
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 192.168.2.0 0.0.0.255
network 10.1.1.0 0.0.0.255
#
return
Configuration file of the switch

#
sysname ATNC
#
vlan batch 10
#
portswitch
undo shutdown
portswitch
undo shutdown
#
return
Example for Associating a VRRP Backup Group with a BFD Session

In this example, a VRRP backup group is associated with a BFD session. This association allows
the backup device to take over traffic if an interface or a link on the master device goes Down.
To improve link reliability, hosts are dual-homed to gateways to connect to an upper-layer
network and VRRP is configured to determine the active and standby states for dual-homing
links and perform active/standby link switchovers if a fault occurs on the active link.
If a link fails, an active/standby link switchover is performed after link states are negotiated by
sending VRRP packets. To speed up link switchovers, configure a BFD session to monitor links
and a VRRP backup group to track the BFD session. If an interface or a link fails on the master
device in the VRRP backup group, the BFD session rapidly detects the fault and notifies the
VRRP backup group of the fault. After receiving the notification, the VRRP backup group
Issue 02 (2013-12-31)

744

Equipment
3 Reliability
performs a master/backup VRRP switchover. The backup device becomes the Master and takes
over traffic.
On the network shown in Figure 3-14, a VRRP backup group needs to be associated with a BFD
session, rapidly implementing a master/backup VRRP switchover if a link fault occurs.
Figure 3-14 Example for associating a VRRP backup group with a BFD session
Backbone
Network
192.168.0.1/24
192.168.0.2/24
ATNA
GE0/2/0
10.1.1.1/24
Backup group 10
Virtual IP address:
GE0/2/1
10.1.1.3
ATNC
ATNB
GE0/2/0
10.1.1.2/24
VRRP
GE0/2/0
1.
2.
Configure a VRRP backup group on GE interfaces of ATN A and ATN B. Ensure that
ATN A is the Master and ATN B is the Backup so that a master/backup VRRP switchover
can be performed and ATN B can take over traffic if a link connected to ATN A fails.
3.
Configure a peer BFD session on ATN A and ATN B to monitor the link between ATN A
and ATN B.
4.
Configure a VRRP backup group on ATN B to track the BFD session and allow ATN B
to increase its VRRP priority by 40 to trigger a master/backup VRRP switchover if the BFD
session goes Down.
NOTE
l This example only provides configurations on ATN A and ATN B.

l To implement a rapid traffic switchover if ATN A fails, change item three in "Configuration Roadmap"
to configure a BFD session on POS interfaces directly connecting ATN A and ATN B. The
configuration is not provided in this example.
Data Preparation
l
Issue 02 (2013-12-31)
IP address of each interface on ATN A and ATN B (For details, see Configuration
Files.)
745

Equipment
3 Reliability
VRID (10), virtual IP address (10.1.1.3), VRRP priorities (160 for ATN A and 140 for
ATN B), and value (40) by which ATN B increases its VRRP priority and preempts the
Master if a link fails
Local and remote discriminators of a peer BFD session
Procedure
Step 1 Assign an IP address to each interface to ensure link connectivity on the network.
For details, see Configuration Files.
Step 2 Create a VRRP backup group and configure its basic functions.
# Create VRRP backup group 10 and set the VRRP priority to 160 on ATN A so that ATN A is
the Master.
# Create VRRP backup group 10 and set the VRRP priority to 140 on ATN B so that ATN B is
the Backup.
[ATNB-GigabitEthernet0/2/0] vrrp vrid 10 priority 140
Step 3 Configure basic BFD functions.

# Configure a peer BFD session on ATN A.
<ATNA> system-view
[ATNA] bfd
[ATNA-bfd] quit
[ATNA] bfd atob bind peer-ip 10.1.1.2 interface gigabitethernet 0/2/0
[ATNA-bfd-session-atob] discriminator local 1
[ATNA-bfd-session-atob] discriminator remote 2
[ATNA-bfd-session-atob] min-rx-interval 50
[ATNA-bfd-session-atob] min-tx-interval 50
[ATNA-bfd-session-atob] commit
[ATNA-bfd-session-atob] quit
# Configure a peer BFD session on ATN B.

<ATNB> system-view
[ATNB] bfd
[ATNB-bfd] quit
[ATNB] bfd btoa bind peer-ip 10.1.1.1 interface gigabitethernet 0/2/0
[ATNB-bfd-session-btoa] discriminator local 2
[ATNB-bfd-session-btoa] discriminator remote 1
[ATNB-bfd-session-btoa] min-rx-interval 50
[ATNB-bfd-session-btoa] min-tx-interval 50
[ATNB-bfd-session-btoa] commit
[ATNB-bfd-session-btoa] quit
Issue 02 (2013-12-31)

746

Equipment
3 Reliability
# After completing the preceding configurations, run the display bfd session command on
ATN A or ATN B. The peer BFD session is Up. In the following example, the display on
ATN A is used.
[ATNA] display bfd session all
-------------------------------------------------------------------------------Local Remote PeerIpAddr
State
Type
InterfaceName
-------------------------------------------------------------------------------1
2
10.1.1.2
Up
S_IP_IF
-------------------------------------------------------------------------------Total UP/DOWN Session Number : 1/0
Step 4 Associate the VRRP backup group with the peer BFD session.
# Configure the VRRP backup group to track the peer BFD session on ATN B and allow
ATN B to increase its VRRP priority by 40 if the peer BFD session goes Down.
[ATNB-GigabitEthernet0/2/0] vrrp vrid 10 track bfd-session 2 increased 40
After completing the preceding configurations, run the display vrrp command on ATN A or
ATN B. The VRRP status is Master on ATN A and Backup on ATN B. The command output
on ATN B also shows that the VRRP backup group is tracking the peer BFD session and the
peer BFD session goes Up.
[ATNA] display vrrp
state
: Master
Virtual IP
: 10.1.1.3
Master IP
: 10.1.1.1
PriorityRun
: 160
PriorityConfig
: 160
MasterPriority
: 160
Preempt
: YES
Delay Time : 0
TimerRun
: 1
TimerConfig
: 1
Auth Type
: NONE
Virtual Mac
: 0000-5e00-0110
Check TTL
: YES
Config type
: normal-vrrp
Backup-forward
: disabled
Create time
: 2010-06-22 17:32:56
Last change time : 2010-06-22 17:33:00
[ATNB] display vrrp
state
: Backup
Virtual IP
: 10.1.1.3
Master IP
: 10.1.1.1
PriorityRun
: 140
PriorityConfig
: 140
MasterPriority
: 160
Preempt
: YES
Delay Time : 0
TimerRun
: 1
TimerConfig
: 1
Auth Type
: NONE
Virtual Mac
: 0000-5e00-0110
Check TTL
: YES
Config type
: normal-vrrp
Backup-forward
: disabled
Track BFD
: 2 Priority increased : 40
BFD-Session State : UP
Create time
: 2010-06-22 17:33:00
Last change time : 2010-06-22 17:33:04

Issue 02 (2013-12-31)

747

Equipment
3 Reliability
# Run the shutdown command on GE 0/2/0 of ATN A to simulate that GE 0/2/0 of ATN A fails.
[ATNA-GigabitEthernet0/2/0] shutdown
Run the display vrrp command on ATN A. The VRRP status is Initialize on ATN A.
[ATNA] display vrrp
state
: Initialize
Virtual IP
: 10.1.1.3
Master IP
: 10.1.1.1
PriorityRun
: 160
PriorityConfig
: 160
MasterPriority
: 0
Preempt
: YES
Delay Time
: 0
TimerRun
: 1
TimerConfig
: 1
Auth Type
: NONE
Virtual Mac
: 0000-5e00-0110
Check TTL
: YES
Config type
: normal-vrrp
Backup-forward
: disabled
Create time
: 2010-06-22 17:32:56
Last change time : 2010-06-22 17:33:06
Run the display vrrp command on ATN B. The VRRP status is Master and the BFD session
status is DOWN on ATN B.
[ATNB] display vrrp
state
: Master
Virtual IP
: 10.1.1.3
Master IP
: 10.1.1.1
PriorityRun
: 180
PriorityConfig
: 140
MasterPriority
: 180
Preempt
: YES
Delay Time : 0
TimerRun
: 1
TimerConfig
: 1
Auth Type
: NONE
Virtual Mac
: 0000-5e00-0110
Check TTL
: YES
Config type
: normal-vrrp
Backup-forward
: disabled
Track BFD
: 2
Priority increased : 40
BFD-Session State : DOWN
Create time
: 2010-06-22 17:33:00
Last change time : 2010-06-22 17:33:06
----End
Configuration Files
l

#
sysname ATNA
#
bfd
#
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
Issue 02 (2013-12-31)

748

Equipment
3 Reliability
bfd atob bind peer-ip 10.1.1.2 interface gigabitethernet0/2/0

discriminator local 1
discriminator remote 2
min-tx-interval 50
min-rx-interval 50
commit
#
return

#
sysname ATNB
#
bfd
#
undo shutdown
ip address 10.1.1.2 255.255.255.0
vrrp vrid 10 track bfd-session 2 increased 40
#
bfd btoa bind peer-ip 10.1.1.1 interface gigabitethernet0/2/0
min-tx-interval 50
min-rx-interval 50
commit
#
return
3.3 Bit-Error-Triggered Protection Switching Configuration

3.3.1 Bit-Error-Triggered Protection Switching Overview
Bit-error-triggered protection switching minimizes the impact of line bit errors on broadband
services, improving the reliability of bearer networks.
Introduction
Bit-error-triggered protection switching triggers protection switching based on bit error events,
meeting high network reliability requirements.
The demand for network bandwidth is rapidly increasing as mobile services evolve from
narrowband voice services to integrated broadband services, including voice, streaming media,
and high speed downlink packet access (HSDPA) services. Meeting the bandwidth demand with
traditional bearer networks dramatically increases carriers' operational costs. To tackle the
challenges posed by this rapid broadband-oriented development, carriers urgently need mobile
bearer networks that feature flexibility, low costs, and high efficiency. IP-based mobile bearer
networks are an ideal choice. IP radio access networks (RANs), a type of IP-based mobile bearer
network, are increasingly widely used.
When IP RANs carry broadband services, they have higher reliability requirements than
traditional bearer networks. Traditional fault detection mechanisms cannot trigger protection
switching based on random bit errors. As a result, in extreme cases, bit errors may degrade or
even interrupt services on an IP RAN. To solve this problem, configure bit-error-triggered
protection switching.
Issue 02 (2013-12-31)

749

Equipment
3 Reliability
Bit-Error-Triggered Protection Switching Supported by the ATN

ATNThe following bit-error-triggered protection switching features are supported: Resource
Reservation Protocol-Traffic Engineering (RSVP-TE) tunnel switching, Pseudo Wire (PW)
switching, interface-based bit error detection, section switching, route switching, and VPN route
switching.
Interface-based Bit Error Detection

On each section of a TE label switched path (LSP), the system checks and compares the bit error
rate (BER) with the bit error threshold. Based on the comparison results, the system determines
whether to send the bit error information on the current interface to the tunnel sink node or to
the interconnected device. If the detected BER is greater than the alarm threshold, a bit error
alarm is generated.
Bit-Error-Triggered RSVP-TE Tunnel Switching

Bit-error-triggered RSVP-TE tunnel switching triggers traffic to switch between the primary
and backup label switched paths (LSPs) of an RSVP-TE tunnel based on the bit error status of
the LSPs, minimizing the impact of bit errors on services.
Bit-Error-Triggered PW switching
In a scenario in which an RSVP-TE tunnel with traffic engineering (TE) hot standby protection
carries a PW and PW redundancy is configured, if the primary and backup LSPs of the RSVPTE tunnel are both in the excessive bit error rate (BER) state or the TE hot standby tunnel fails,
bit-error-triggered RSVP-TE tunnel switching cannot protect services against bit errors.
However, bit-error-triggered PW switching can do so.
Bit-Error-Triggered Section Switching

A bit error event on an interface will trigger the bit error status on the interface to change and
result in route convergence. The event may also trigger LDP LSP switching or the update of the
availability status of Trunk member interfaces. Bit-error-triggered section switching minimizes
the impact of bit errors on services.
Bit-Error-Triggered Route Switching

Bit-error-triggered route switching enables an OSPF or IS-IS interface to adjust its link quality
based on the detected BER and change its link cost based on link quality. This feature can divert
traffic to a link with a lower BER and minimize the impact of bit errors on services.
Bit-Error-Triggered VPN Route Switching

In a hierarchy VPN (H-VPN) scenario in which an RSVP-TE tunnel with TE hot standby
protection carries L3VPN services, if the primary and backup CR-LSPs of the RSVP-TE tunnel
are both in the excessive BER state or the TE hot standby tunnel fails, bit-error-triggered RSVPTE tunnel switching cannot protect services against bit errors. However, bit-error-triggered VPN
route switching can do so.
Issue 02 (2013-12-31)

750

Equipment
3 Reliability
3.3.2 Configuring TE Bit-Error-Triggered Tunnel Switching

TE Bit-error-triggered tunnel switching triggers traffic to switch from a link in the excessive bit
error rate (BER) state to another link, improving the transmission quality of services.
Before You Start

Before configuring bit-error-triggered tunnel switching, familiarize yourself with the usage
Bit errors caused by optical fiber aging or optical signal jitter may exist on carrier networks.
These bit errors may result in the interruption of services that have high quality
requirements.After the bit error alarm threshold is set, an alarm will be generated if the BER
exceeds the threshold. In this way, proper troubleshooting measures can be taken to ensure
normal service transmission. Meanwhile, it can avoid system performance deterioration due to
processing of many alarms.
If a network uses a Resource Reservation Protocol-Traffic Engineering (RSVP-TE) tunnel with
traffic engineering (TE) hot standby protection to carry services, you can configure bit-errortriggered RSVP-TE tunnel switching to protect services against bit errors.
In a scenario in which an RSVP-TE tunnel with TE hot standby protection carries a pseudo wire
(PW) and PW redundancy is configured, you can configure bit-error-triggered PW switching in
addition to bit-error-triggered RSVP-TE tunnel switching. If the primary and backup label
switched paths (LSPs) of the RSVP-TE tunnel are both in the excessive bit error rate (BER) state
or the TE hot standby tunnel fails, bit-error-triggered PW switching can protect services against
bit errors.
In an H-VPN scenario in which an RSVP-TE tunnel with TE hot standby protection carries
L3VPN services, you can configure bit-error-triggered VPN route switching in addition to biterror-triggered RSVP-TE tunnel switching. If the primary and backup LSPs of the RSVP-TE
tunnel are both in the excessive BER state or the TE hot standby tunnel fails and bit-errortriggered RSVP-TE tunnel switching cannot protect services against bit errors, bit-errortriggered VPN route switching triggers VPN route convergence and diverts traffic from the route
with a bit error event.
Before you configure bit-error-triggered tunnel switching, complete the following tasks:
l
Configure two RSVP-TE tunnels to forward traffic in opposite directions.
NOTICE
The label advertise non-null command must be configured to enable each egress to
allocate a label to the penultimate hop.
l
Issue 02 (2013-12-31)
Configure a TE hot standby tunnel for each RSVP-TE tunnel (for details, see 10.3.17
Configuring CR-LSP Backup).
751

Equipment
3 Reliability
Enable Bidirectional Forwarding Detection (BFD) globally on the nodes along the primary
and backup LSPs of each RSVP-TE tunnel.
(Optional) Configure PW redundancy.
(Optional) Configure VPN fast reroute (FRR).
Data Preparation
To configure bit-error-triggered tunnel switching, you need the following data:
l
Type and number of an interface
Bit error alarm threshold, alarm clearing threshold, and associated bit-error-triggered
protection switching type
Label switching router (LSR) ID and tunnel ID of the ingress for the reverse RSVP-TE
tunnel
Thresholds for bit-error-triggered protection switching and revertive switching
Configuring the Bit Error Alarm Function on an Interface

You can configure the bit error alarm threshold and the associated service types on an interface.
When the bit error rate (BER) detected on an interface reaches the alarm threshold, a bit error
alarm is generated and protection switching is triggered.
Context
The BER is the basis for detecting bit-error-triggered protection switching. Therefore, the bit
error alarm function must be configured on the desired interface.
Bit errors or packet loss occurs at random. Therefore, a validity period is reserved for detecting
the BER.
NOTICE
When bit-error-triggered protection switching occurs, service traffic may not be generated on
the original link. As a result, the BER may not be detected and services fail to be switched back.
Therefore, ensure that the rate of the background traffic on the detection link is not less than 100
packets per second. It is recommended that the Bidirectional Forwarding Detection (BFD) be
configured.
Procedure
Step 2 Run the interface interface-type interface-number command. The interface view is displayed.
Step 3 Run trap-threshold crc-error packet-error-ratio alarm-threshold coefficient-value powervalue [ resume-threshold coefficient-value power-value ] [ trigger-lsp | trigger-section ] to
configure the bit error alarm threshold and alarm clearing threshold on an interface. The biterror-triggered protection switching type parameter can be set to trigger-lsp or triggersection.
Issue 02 (2013-12-31)

752

Equipment
3 Reliability
Trigger-lsp: If a bit error alarm occurs on an interface, the BER will be sent to the dynamic TELSP sink node, triggering tunnel protection switching or virtual private network (VPN) service
Trigger-section: If a bit error alarm occurs on an interface, the status of the bit error protocol
on the interface will be set to DOWN, triggering route convergence or update in the relationships
between Trunk forwarding members.
Step 4 (Optional) Run the crc-error packet-error-ratio algorithm-parameter algorithmparameter command to set BER algorithm parameters.
----End
Configuring Bit-Error-Triggered RSVP-TE Tunnel Switching

This section describes how to configure bit-error-triggered Resource Reservation ProtocolTraffic Engineering (RSVP-TE) tunnel switching.
Context
Configuring bit-error-triggered RSVP-TE tunnel switching primarily consists of the following
operations:
l
Enable bit-error-triggered protection switching.
(Optional) Configure the thresholds for bit-error-triggered protection switching and

revertive switching.
If you do not configure the threshold for bit-error-triggered protection switching or revertive
switching, a label switched path (LSP) enters the excessive bit error rate (BER) state so long as
a bit error is detected on the LSP. After the bit error is cleared, the LSP changes to the normalized
BER state.
To precisely control bit-error-triggered protection switching based on the sensitivity of services
to bit errors, configure the thresholds for bit-error-triggered protection switching and revertive
switching. Then, the ingress of an RSVP-TE tunnel determines the bit error status of the primary
and backup LSPs based on the following principles:
l
If the BER of an LSP reaches or exceeds the threshold for bit-error-triggered protection
switching, the LSP is in the excessive BER state.
After the BER of the LSP falls below the threshold for bit-error-triggered revertive
switching, the LSP is in the normalized BER state.
An RSVE-TE tunnel determines whether to perform a primary/backup LSP switchover based

on the following principles:
l
If the primary and backup LSPs are both in the excessive or normalized BER state, the
RSVE-TE tunnel transmits traffic over the primary LSP.
If one LSP is in the excessive BER state and the other LSP is in the normalized BER state,
the RSVE-TE tunnel transmits traffic over the latter one, regardless of whether the latter
LSP is the primary or backup LSP.
Perform the following steps on the ingress of an RSVP-TE tunnel:

Issue 02 (2013-12-31)

753

Equipment
3 Reliability
Procedure
Step 1 Run:
system-view

Step 2 Run:
interface tunnel interface-number
The tunnel interface view is displayed.

Step 3 Run:
mpls te bit-error-detection [ mode { unidirectional | bidirectional } ]
Bit-error-triggered protection switching is enabled for the current tunnel.

This function supports two switching modes:
l unidirectional: In this mode, a bit error event triggers only the current tunnel to perform a
protection or revertive switching.
l bidirectional: In this mode, a bit error event triggers both the current tunnel and its reverse
tunnel to perform a protection or revertive switching.
The default mode is bidirectional switching.
Step 4 Run:
mpls te reverse-lsp protocol rsvp-te ingress-lsr-id ingress-lsr-id tunnel-id
tunnel-id
The reverse tunnel for the current tunnel is specified.

mpls te bit-error-detection threshold switch switch-coe switch-pow resume resumecoe resume-pow
The thresholds for bit-error-triggered protection switching and revertive switching are
configured.
The switch-coe parameter specifies the protection switching coefficient, and the switch-pow
parameter specifies the protection switching power. The formula for calculating the threshold
for bit-error-triggered protection switching is as follows:
Protection switching threshold = switch-coe x 10-switch-pow
Similarly, the resume-coe parameter specifies the revertive switching coefficient, and the
resume-pow parameter specifies the revertive switching power. The formula for calculating the
threshold for bit-error-triggered revertive switching is similar to the formula for calculating the
threshold for bit-error-triggered protection switching.
NOTE
The threshold for bit-error-triggered revertive switching must be lower than or equal to the threshold for
bit-error-triggered protection switching.
Step 6 Run:
mpls te commit
Issue 02 (2013-12-31)

754

Equipment
3 Reliability
The configuration is committed.

----End
(Optional) Configuring Bit-Error-Triggered PW Switching

This section describes how to configure bit-error-triggered pseudo wire (PW) switching.
Context
The principles for bit-error-triggered PW switching are as follows:
l
When the tunnel carrying the primary PW enters the excessive bit error rate (BER) state
but the tunnel carrying the secondary PW is in the normalized bit error rate (BER) state,
traffic switches to the secondary PW.
When the tunnel carrying the primary PW enters the normalized BER state, traffic switches
back to the primary PW.
If the tunnels carrying the primary and secondary PWs are both in the excessive BER state,
traffic travels along the primary PW.
NOTE
The bit error status of the tunnel carrying the PW refers to the bit error status of the label switched path
(LSP) that transmits traffic in the tunnel.
A PW can be either a single-segment PW (SS-PW) or a multi-segment PW (MS-PW):

l
For an SS-PW, bit-error-triggered protection switching is enabled on end provider edges

(PEs).
For an MS-PW, bit-error-triggered protection switching is enabled on both end PEs and
intermediate superstratum provider edges (SPEs).
Enable bit-error-triggered protection switching for an SS-PW. The following steps must
be performed on both end PEs.
Procedure
1.
Run:
system-view

2.
Run:
The attachment circuit (AC) interface view is displayed.

3.
Run:
mpls l2vpn pw bit-error-detection
Bit-error-triggered protection switching is enabled on the end PE.

l
Enable bit-error-triggered protection switching for an MS-PW.

1.
Configure each end PE.

a.
Run:
system-view
Issue 02 (2013-12-31)

755

Equipment
3 Reliability

b.
Run:
The AC interface view is displayed.

c.
Run:
mpls l2vpn pw bit-error-detection
Bit-error-triggered protection switching is enabled on the end PE.

2.
Configure each SPE.

a.
Run:
system-view

b.
Run:
mpls switch-l2vc ip-address vc-id between ip-address vc-id
encapsulation encapsulation-type bit-error-detection
Bit-error-triggered protection switching is enabled on the SPE.

----End
(Optional) Configuring Bit-Error-Triggered VPN Route Switching

This section describes how to configure bit-error-triggered VPN route switching.
Context
Figure 3-15 shows a hierarchy VPN (H-VPN) scenario in which a Resource Reservation
Protocol-Traffic Engineering (RSVP-TE) tunnel carries L3VPN services. VPNv4 peer
relationships are established between the user-end provider edge (UPE) and superstratum
provider edges (SPEs) and between the network provider edge (NPE) and SPEs. VPN fast reroute
(FRR) is configured on the UPE and NPE. If the RSVP-TE tunnel does not have a traffic
engineering (TE) hot standby tunnel or the primary and backup LSPs of the RSVP-TE tunnel
are both in the excessive bit error rate (BER) state, bit-error-triggered RSVP-TE tunnel switching
cannot protect traffic against bit errors. To protect services against bit errors, configure bit-errortriggered VPN route switching on the UPE and SPE1.
In normal circumstances, VPN traffic from the UPE to the NPE travels along the primary path
UPE -> SPE1 -> NPE. If the RSVP-TE tunnel between the UPE and SPE1 encounters a bit error
event, the UPE selects the backup path UPE -> SPE2 -> NPE as the optimal route and switches
traffic to the backup path. After the bit error event is over, the UPE re-selects the primary path
as the optimal route and switches traffic back to the primary path.
In normal circumstances, VPN traffic from the NPE to the UPE travels along the primary path
NPE -> SPE1 -> UPE. If the RSVP-TE tunnel between the UPE and SPE1 encounters a bit error
event, SPE1 adjusts the local preference or Multi-Exit Discrimination (MED) values of the VPN
routes that it advertises to the NPE to allow the NPE to preferentially select the VPN routes
advertised by SPE2. As a result, the NPE switches traffic from the primary path to the backup
path NPE -> SPE2 -> UPE. After the bit error event is over, SPE1 restores the local preference
or MED values of the VPN routes that it advertises to the NPE. The NPE preferentially selects
the VPN routes advertised by SPE1 and switches traffic back to the primary path.
Issue 02 (2013-12-31)

756

Equipment
3 Reliability
Figure 3-15 Networking diagram for bit-error-triggered VPN route switching
SPE1
NPE
VPN Site
Backbone
CE
UPE
SPE2
RSVP-TE Tunnel
Procedure
l
Configure the UPE to reroute traffic when a bit error event occurs.
1.
Run:
system-view

2.
Run:
bgp { as-number-plain | as-number-dot }
The Border Gateway Protocol (BGP) view is displayed.

3.
Run:
ipv4-family vpn-instance vpn-instance-name
The BGP-VPN instance IPv4 address family view is displayed.

4.
Run:
bestroute bit-error-detection
The function is enabled to reroute traffic when a bit error event occurs.
l
Configure SPE1 to adjust the local preference or MED values of the VPN routes that it
advertises to the NPE when a bit error event occurs.
1.
Run:
system-view

2.
Run:
The BGP view is displayed.

3.
Run:
ipv4-family vpnv4
The BGP-VPNv4 address family view is displayed.

4.
Issue 02 (2013-12-31)
Run:
757

Equipment
3 Reliability
nexthop recursive-lookup bit-error-detection { med + med-adjust-value |

local-preference - localpref-adjust-value }* [ route-policy route-policyname ]
The function is configured to adjust local preference or MED values of the VPN routes
to be advertised when a bit error event occurs.
----End
3.3.3 Configuring Bit-Error-Triggered Route Switching

This section describes how to configure bit-error-triggered route switching.
Before You Start

Before configuring bit-error-triggered route switching, familiarize yourself with the usage
Usage Scenario
In a bit-error-triggered LDP LSP switching scenario, bit error detection is enabled on interfaces
along the primary and secondary links of the LDP LSP and the switching type of each interface
is set to trigger-section. If the bit error rate (BER) detected by an interface reaches or exceeds
the bit error alarm reporting threshold, the status of the interface changes to Down. If the primary
and secondary links of the LDP LSP both have Down interfaces, traffic transmitted over the
LDP LSP is interrupted. To prevent this problem, configure bit-error-triggered route switching.
Then, if the BER detected by an OSPF or IS-IS interface reaches or exceeds the upper threshold
for triggering link quality changes, the OSPF or IS-IS interface changes its link quality to low
and increases the link cost, so that this link, which has a higher BER, is not used by the optimal
route. As a result, the LDP LSP always uses the link with a lower BER to transmit traffic,
minimizing the impact of bit errors on services.
NOTE
Bit-error-triggered route switching and section switching are mutually exclusive. Before you configure biterror-triggered route switching for an LDP LSP, ensure that bit-error-triggered section switching is not
configured.
On two directly connected interfaces along an LDP LSP, configure the same type of bit-error-triggered
Before you configure bit-error-triggered route switching, complete either of the following tasks
as required:
l
Configure basic IS-IS functions.
Configure basic OSPF functions (IPv4).
Data Preparation
To configure bit-error-triggered route switching, you need the following data:
l
Issue 02 (2013-12-31)
Threshold for triggering link quality to change from good to low

758

Equipment
Threshold for triggering link quality to change from low to good
Link cost adjustment value
3 Reliability

Context
the BER.
NOTICE
configured.
Procedure
----End
Issue 02 (2013-12-31)

759

Equipment
3 Reliability
Configuring an IS-IS Interface to Automatically Adjust the Link Cost

Configuring an IS-IS interface to automatically adjust the link cost based on link quality
facilitates route selection control and improves network reliability.
Context
A bit error refers to the deviation between a bit that is sent and the bit that is received. The bit
error rate (BER) refers to the number of bit errors divided by the total number of bits transferred
during a studied time interval. During data transmission, a high BER will degrade or even
interrupt services in extreme cases.
To prevent this problem, configure IS-IS interfaces to automatically adjust link costs based on
link quality, so that unreliable links are not used by the optimal routes.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
isis enable [ process-id ]
IS-IS is enabled on the interface.

Step 4 Run:
link-quality low bit-error-threshold error-ratio trigger-coefficient trigger-power
resume-ratio recovery-coefficient recovery-power
The upper and lower thresholds for triggering link quality changes are set on the IS-IS interface.
After you run this command, if the BER of the IS-IS interface reaches or exceeds the upper
threshold, the link quality changes from good to low; if the BER of the IS-IS interface reaches
or falls below the lower threshold, the link quality changes from low to good.
Step 5 Run:
isis link-quality low incr-cost { cost | max-reachable }
The IS-IS interface is configured to automatically adjust the link cost based on link quality.
By default, an IS-IS interface does not have this function.
Issue 02 (2013-12-31)

760

Equipment
3 Reliability
NOTE
The cost parameter specifies the link cost adjustment value. After this parameter is specified:
l If the link quality changes from good to low, the link cost equals the original link cost plus the adjustment
value. If the new link cost exceeds the maximum link cost allowed, the maximum link cost allowed applies:
l The maximum link cost is 63, if the cost type is narrow, narrow-compatible, or compatible.
l The maximum link cost is 16777214, if the cost type is wide or wide-compatible.
l If the link quality changes from low to good, the orginal link cost applies.
----End
Configuring an OSPF Interface to Automatically Adjust the Link Cost (IPv4)

Configuring an OSPF interface to automatically adjust the link cost based on link quality
Context
A bit error refers to the deviation between a bit that is sent and the bit that is received. The bit
error rate (BER) refers to the number of bit errors divided by the total number of bits transferred
during a studied time interval. During data transmission, a high BER will degrade or even
interrupt services in extreme cases.
To prevent this problem, configure OSPF interfaces to automatically adjust link costs based on
link quality, so that unreliable links are not used by the optimal routes.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ospf enable [ process-id ] area area-id
OSPF is enabled on the interface.

Step 4 Run:
link-quality low bit-error-threshold error-ratio trigger-coefficient trigger-power
resume-ratio recovery-coefficient recovery-power
The upper and lower thresholds for triggering link quality changes are set on the OSPF interface.
After you run this command, if the BER of the OSPF interface reaches or exceeds the upper
threshold, the link quality changes from good to low; if the BER of the OSPF interface reaches
or falls below the lower threshold, the link quality changes from low to good.
Step 5 Run:
ospf link-quality low incr-cost { cost | max-reachable }
The OSPF interface is configured to automatically adjust the link cost based on link quality.
Issue 02 (2013-12-31)

761

Equipment
3 Reliability
By default, an OSPF interface does not have this function.

NOTE
The cost parameter specifies the link cost adjustment value. After this parameter is specified:
l If the link quality changes from good to low, the link cost equals the original link cost plus the adjustment
value. The maximum link cost allowed is 65535.
l If the link quality changes from low to good, the orginal link cost applies.
----End

After configuring bit-error-triggered route switching, check the link quality information of the
current interface, or check the link quality information of all IS-IS or OSPF interfaces and
whether the link costs have been adjusted based on link quality.
Prerequisites
Bit-error-triggered route switching has been configured.
Procedure
l
Run the display this interface command to check the link quality information of the current
interface.
Run the display isis interface verbose or display ospf interface verbose command to
check the link quality information of all IS-IS or OSPF interfaces and whether the link costs
have been adjusted based on link quality.
----End
3.3.4 Configuring Bit-Error-Triggered Section-Layer Protection

Switching
When the bit error protocol is in the DOWN state, the function of configuring bit-error-triggered
section-layer protection switching triggers route convergence, LDP-LSP route re-selection, or
update in the relationships between Trunk forwarding members. In this way, member links with
bit errors can be excluded, improving the quality of service (QoS) for IP bearer networks.
Creating a Configuration Task

Before configuring bit-error-triggered section-layer protection switching, familiarize yourself
with the applicable environment, complete the pre-configuration tasks, and obtain the data
required for the configuration. This will help you complete the configuration task quickly and
efficiently.
Usage Scenario
Bit errors caused by optical fiber aging or optical signal jitter may exist on carrier networks.
These bit errors may result in the interruption of services with high quality requirements. The
bit-error-triggered protection switching at the protection layer can be configured to ensure the
service transmission quality to the maximum extent. Based on the status of the bit error protocol
on an interface, this function can trigger convergence of upper-layer routes or trigger an update
Issue 02 (2013-12-31)

762

Equipment
3 Reliability
in the relationships between Trunk forwarding members to help improve the quality of service
(QoS) on IP bearer networks.
After this function is configured, upon detecting bit errors on an interface, the equipment sets
the status of the bit error protocol on the interface to DOWN. In addition, it sends a bit error
packet to the interconnected peer interface. After receiving the bit error packet, the peer
equipment also sets the bit error protocol on the interface to DOWN.
The DOWN state triggers route convergence, which then triggers LDP-LSP route re-selection.
In this way, routes with bit errors are excluded, achieving link protection in the LDP-LSP
scenario.
If the interface is a Trunk member interface, the DOWN bit error status of the interface will
trigger an update in the relationships between Trunk forwarding members and the member
interfaces with bit errors will be excluded.
Before configuring bit-error-triggered section-layer protection switching, complete the
following tasks:
l
Configure the bit error alarm function on the required interface.
Create a Trunk interface.
Enable Bidirectional Forwarding Detection (BFD) globally.
Data Preparations
The following table lists the data required for configuring bit-error-triggered section-layer
No.
Data
Bit error alarm threshold and alarm clearing threshold
Bit-error-triggered protection switching type

Context
the BER.
Issue 02 (2013-12-31)

763

Equipment
3 Reliability
NOTICE
configured.
Procedure
----End
Configuring the Bit-Error-Triggered Trunk Section-Layer Protection Switching

Type
This section describes how to configure the bit-error-triggered protection switching type for a
Trunk interface as bit-error-triggered section-layer protection switching.
Context
If the bit error alarm threshold is configured on a Trunk member interface and protection
switching can be triggered, trigger-lsp is used by default, regardless of whether trigger-lsp or
trigger-section is suffixed to a command line.
If bit-error-triggered protection switching type in the Trunk interface view is configured as biterror-triggered section-layer protection switching, trigger-section is used by default regardless
of whether trigger-lsp or trigger-section is configured on a member interface.
NOTE
On a Trunk member interface, if only the bit error alarm threshold and no trigger-lsp or trigger-section is
configured, an abnormal BER triggers only a bit error alarm but not protection switching in any scenario.
Issue 02 (2013-12-31)

764

Equipment
3 Reliability
Procedure
Step 2 Run the interface eth-Trunk eth-trunk-num command. The Trunk interface view is displayed.
Step 3 Run the bit-error-detection command to configure the bit-error-triggered protection switching
type for a Trunk interface as bit-error-triggered section-layer protection switching.
----End

After the bit-error-triggered section-layer protection switching is configured on an interface, you
can view the status of the bit error protocol on the interface.
Prerequisites
The configuration of bit-error-triggered section-layer protection switching is complete.
Procedure
l
In the interface view, run display interface [ interface-type [ interface-number | main ] |

slot slot-id [ main ] ] to view the bit error interface status on an interface where bit-errortriggered section-layer protection switching is configured.
----End

This section provides configuration examples for configuring bit-error-triggered protection
switching. Each configuration example consists of the networking requirements, configuration
roadmap, configuration procedures, and configuration files.
Example for Configuring Bit-Error-Triggered MPLS TE Protection Switching

This section describes how to configure bit-error-triggered MPLS TE protection switching.
The network shown in Figure 3-16 runs MPLS. Tunnel1 is established over the path LSRA ->
LSRB -> LSRC, and tunnel2 is established over the path LSRC -> LSRB-> LSRA. Tunnel1 and
tunnel2 forward traffic in opposite directions over the same path. A hot-standby CR-LSP is
configured for each tunnel. The bit-error-triggered MPLS TE protection switching function can
be configured to work in bidirectional mode.
Issue 02 (2013-12-31)

765

Equipment
3 Reliability
Figure 3-16 Bit-error-triggered MPLS TE protection switching
Loopback1
4.4.4.4/32
LSRD
GE1/0/1
10.1.4.1/24
GE1/0/0
10.1.2.2/24
GE0/2/1
10.1.2.1/24
Loopback1
1.1.1.1/32
Loopback1
2.2.2.2/32
GE1/0/1
GE1/0/0
10.1.3.1/24
10.1.1.2/24
GE0/2/0
LSRA 10.1.1.1/24
LSRB
GE0/2/1
10.1.4.2/24
GE0/2/0
10.1.3.2/24 LSRC
Loopback1
3.3.3.3/32
Tunnel1: Primary LSP
Tunnel2: Primary LSP
Tunnel1: Hot-Standby LSP
Tunnel2: Hot-Standby LSP
1.
Assign an IP address to each interface on every node shown in Figure 3-16 and set IS-IS
parameters to ensure network layer connectivity.
2.
Configure an RSVP-TE tunnel interface and an explicit path on each of LSRA and LSRC
so that the two CR-LSPs pass through the same path.
3.
Establish a hot-standby CR-LSP over an explicit path that passes through LSRD for each
of the RSVP-TE CR-LSPs.
4.
Enable the bit-error-triggered MPLS TE protection switching function on each tunnel

interface.
Data Preparation
l
IP address of each interface on every node shown in Figure 3-16
IGP protocol (IS-IS), process ID (1), system ID (loopback1 address), and IS-IS level
(level-2)
LSR ID (loopback interface address) of every MPLS node
Tunnel names (a-b-c and c-b-a) and explicit path names (a-d-c and c-d-a)
Switchback delay time (15s) for each CR-LSP
Tunnel interface name (Tunnel0/2/0), tunnel ID (100), and tunnel interface address
(loopback interface address)
Tunnel switching threshold
Issue 02 (2013-12-31)

766

Equipment
3 Reliability
Bit error alarm threshold and alarm clearing threshold configured on the interface where
bit error detection is enabled
Procedure
Step 1 Assign an IP address to each interface.
Assign an IP address to each interface shown in Figure 3-16 and create a loopback interface on
each node. For detailed configurations, see Configuration File in this example.
Step 2 Configure IS-IS to advertise the route to each network segment of each interface and to advertise
the host route to each loopback address (used as an LSR ID).
Configure IS-IS on each node to ensure device connectivity. For detailed configurations, see
Configuration File in this example.
Step 3 Configure basic MPLS functions and enable MPLS TE, RSVP-TE, and CSPF.
Enable MPLS, MPLS TE, and RSVP-TE on each node and on each interface of nodes, and
configure CSPF in the MPLS view on LSRA and LSRC. For detailed configurations, see
Configuration File in this example.
Step 4 Configure IS-IS TE.
Configure IS-IS TE on each node. For detailed configurations, see Configuration File in this
example.
Step 5 Configure explicit paths.
# Configure LSRA.
[LSRA] explicit-path a-b-c
[LSRA-explicit-path-a-b-c]
[LSRA] explicit-path a-d-c
[LSRA-explicit-path-a-d-c]
next hop 10.1.1.2

next hop 10.1.3.2
quit
next hop 10.1.2.2
next hop 10.1.4.2
quit
# Configure LSRC.
[LSRC] explicit-path c-b-a
[LSRC-explicit-path-c-b-a]
[LSRC] explicit-path c-d-a
[LSRC-explicit-path-c-d-a]
next hop 10.1.3.1

next hop 10.1.1.1
quit
next hop 10.1.4.1
next hop 10.1.2.1
quit
Step 6 Enable the egress to assign a label to the penultimate hop.

# Configure LSRA.
[LSRA] mpls
[LSRA-mpls] label advertise non-null
[LSRA-mpls] quit
# Configure LSRC.
[LSRC] mpls
[LSRC-mpls] label advertise non-null
Issue 02 (2013-12-31)

767

Equipment
3 Reliability
[LSRC-mpls] quit
Step 7 Create a CR-LSP and its reverse CR-LSP.

# Configure an RSVP-TE CR-LSP on LSRA.
[LSRA] interface tunnel 0/2/0
[LSRA-Tunnel0/2/0] ip address unnumbered interface loopback 1
[LSRA-Tunnel0/2/0] tunnel-protocol mpls te
[LSRA-Tunnel0/2/0] destination 3.3.3.3
[LSRA-Tunnel0/2/0] mpls te tunnel-id 100
[LSRA-Tunnel0/2/0] mpls te signal-protocol rsvp-te
[LSRA-Tunnel0/2/0] mpls te path explicit-path a-b-c
[LSRA-Tunnel0/2/0] mpls te commit
[LSRA-Tunnel0/2/0] quit
# Configure a reverse CR-LSP on LSRC.

[LSRC] interface tunnel 0/2/0
[LSRC-Tunnel0/2/0] ip address unnumbered interface loopback 1
[LSRC-Tunnel0/2/0] tunnel-protocol mpls te
[LSRC-Tunnel0/2/0] destination 1.1.1.1
[LSRC-Tunnel0/2/0] mpls te tunnel-id 100
[LSRC-Tunnel0/2/0] mpls te signal-protocol rsvp-te
[LSRC-Tunnel0/2/0] mpls te path explicit-path c-b-a
[LSRC-Tunnel0/2/0] mpls te commit
[LSRC-Tunnel0/2/0] quit
Step 8 Configure a hot-standby CR-LSP for each RSVP-TE CR-LSP.

# Configure hot standby on the tunnel interface on LSRA, set the switchback delay time to 15s,
and specify an explicit path for the hot-standby CR-LSP.
[LSRA] interface tunnel
[LSRA-Tunnel0/2/0] mpls
0/2/0
te backup hot-standby wtr 15
te path explicit-path a-d-c secondary
te commit
# Configure hot standby on the tunnel interface on LSRC, set the switchback delay time to 15s,
and specify an explicit path for the hot-standby CR-LSP.
[LSRC] interface tunnel
[LSRC-Tunnel0/2/0] mpls
0/2/0
te backup hot-standby wtr 15
te path explicit-path c-d-a secondary
te commit
Step 9 Configure the bit error alarm threshold on a bit error detection interface.
# On an LSP interface of LSRA, configure the bit error alarm threshold and set the protection
switching type to trigger-lsp.
[LSRA]interface GigabitEthernet0/2/0
[LSRA-GigabitEthernet0/2/0] trap-threshold crc-error packet-error-ratio alarmthreshold 1 3 trigger-lsp
[LSRA-GigabitEthernet0/2/0] quit
[LSRA]interface GigabitEthernet0/2/1
[LSRA-GigabitEthernet0/2/1] trap-threshold crc-error packet-error-ratio alarmthreshold 1 3 trigger-lsp
# On an LSP interface of LSRB, configure the bit error alarm threshold and set the protection
[LSRB]interface GigabitEthernet1/0/0
Issue 02 (2013-12-31)

768

Equipment
3 Reliability
[LSRB-GigabitEthernet1/0/0] trap-threshold crc-error packet-error-ratio alarmthreshold 1 3 trigger-lsp

[LSRB-GigabitEthernet1/0/0] quit
[LSRB]interface GigabitEthernet1/0/1
[LSRB-GigabitEthernet1/0/1] trap-threshold crc-error packet-error-ratio alarmthreshold 1 3 trigger-lsp
# On an LSP interface of LSRC, configure the bit error alarm threshold and set the protection
[LSRC]interface GigabitEthernet0/2/0
[LSRC-GigabitEthernet0/2/0] trap-threshold crc-error packet-error-ratio alarmthreshold 1 3 trigger-lsp
[LSRC-GigabitEthernet0/2/0] quit
[LSRC]interface GigabitEthernet0/2/1
[LSRC-GigabitEthernet0/2/1] trap-threshold crc-error packet-error-ratio alarmthreshold 1 3 trigger-lsp
[LSRC-GigabitEthernet0/2/1] quit
# On an LSP interface of LSRD, configure the bit error alarm threshold and set the protection
[LSRD]interface GigabitEthernet0/2/0
[LSRD-GigabitEthernet0/2/0] trap-threshold crc-error packet-error-ratio alarmthreshold 1 3 trigger-lsp
[LSRD-GigabitEthernet0/2/0] quit
[LSRD]interface GigabitEthernet0/2/1
[LSRD-GigabitEthernet0/2/1] trap-threshold crc-error packet-error-ratio alarmthreshold 1 3 trigger-lsp
[LSRD-GigabitEthernet0/2/1] quit
Step 10 Configure the bit-error-triggered MPLS TE protection switching function.

# Enable that function on the tunnel interface on LSRA and bind a dynamic reverse CR-LSP to
the tunnel interface.
[LSRA] interface tunnel
tunnel-id 100
0/2/0
te bit-error-detection
te reverse-lsp protocol rsvp-te ingress-lsr-id 3.3.3.3
te commit
# Enable that function on the tunnel interface on LSRC and bind a dynamic reverse CR-LSP to
the tunnel interface.
[LSRC] mpls
[LSRC] interface tunnel
tunnel-id 100
0/2/0
te commit

# Run the display bfd bit-error-detection session all command to view error code detection
information on LSRA.
[LSRA] display bfd bit-error-detection session all
-------------------------------------------------------------------------------BFD Bit Error Information:
-------------------------------------------------------------------------------Session MIndex
: 512
Issue 02 (2013-12-31)

769

Equipment
3 Reliability
Session Type
: PE
FSM Board Id
: 1
Fault Type
: Min Tx Interval (ms)
: 1000
Max Tx Interval (ms)
: 30000
Actual Tx Interval (ms) : 30000
Detect Multi
: 3
Source IP Address
: 1.1.1.1
Destination IP Address
: 127.0.0.1
Destination Port
: 3784
TOS-EXP
: 7
PDT Index
: FSM-0 | RCV-0 | IF-0 | TOKEN-0
-------------------------------------------------------------------------------LSP Information:
-------------------------------------------------------------------------------Ingress LSR ID
: 1.1.1.1
Tunnel ID
: 100
LSP ID
: 3
Tunnel-Interface
: Tunnel0/2/0
In-Interface
:
Out-Interface
:
LSP token
: 0x800805
LSP Type
: Primary
--------------------------------------------------------------------------------------------------------------------------------------------------------------BFD Bit Error Information:
-------------------------------------------------------------------------------Session MIndex
: 513
Session Type
: PE
FSM Board Id
: 1
Fault Type
: 1000
: 30000
Detect Multi
: 3
Source IP Address
: 1.1.1.1
: 127.0.0.1
Destination Port
: 3784
TOS-EXP
: 7
PDT Index
-------------------------------------------------------------------------------LSP Information:
-------------------------------------------------------------------------------Ingress LSR ID
: 1.1.1.1
Tunnel ID
: 100
LSP ID
: 32773
Tunnel-Interface
: Tunnel0/2/0
In-Interface
Out-Interface
LSP token
: 0x800806
LSP Type
: Backup
-------------------------------------------------------------------------------Total PE/P Session Number : 2/0
# Run the display bfd bit-error-detection session all command to view error code detection
information on LSRC.
[LSRC] display bfd bit-error-detection session all
-------------------------------------------------------------------------------BFD Bit Error Information:
-------------------------------------------------------------------------------Session MIndex
: 514
Session Type
: PE
Issue 02 (2013-12-31)

770

Equipment
3 Reliability
FSM Board Id
: 2
Fault Type
: 1000
: 30000
Detect Multi
: 3
Source IP Address
: 3.3.3.3
: 127.0.0.1
Destination Port
: 3784
TOS-EXP
: 7
PDT Index
-------------------------------------------------------------------------------LSP Information:
-------------------------------------------------------------------------------Ingress LSR ID
: 3.3.3.3
Tunnel ID
: 100
LSP ID
: 3
Tunnel-Interface
: Tunnel0/2/0
In-Interface
:
Out-Interface
:
LSP token
: 0x1000805
LSP Type
: Primary
--------------------------------------------------------------------------------------------------------------------------------------------------------------BFD Bit Error Information:
-------------------------------------------------------------------------------Session MIndex
: 515
Session Type
: PE
FSM Board Id
: 1
Fault Type
: 1000
: 30000
Detect Multi
: 3
Source IP Address
: 3.3.3.3
: 127.0.0.1
Destination Port
: 3784
TOS-EXP
: 7
PDT Index
-------------------------------------------------------------------------------LSP Information:
-------------------------------------------------------------------------------Ingress LSR ID
: 3.3.3.3
Tunnel ID
: 100
LSP ID
: 32773
Tunnel-Interface
: Tunnel0/2/0
In-Interface
:
Out-Interface
:
LSP token
: 0x800806
LSP Type
: Backup
-------------------------------------------------------------------------------Total PE/P Session Number : 2/0
----End
Configuration File
l
Configuration file of LSRA

#
sysname LSRA
Issue 02 (2013-12-31)

771

Equipment
3 Reliability
#
bfd
#
mpls lsr-id 1.1.1.1
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
explicit-path a-b-c
next hop 10.1.1.2
next hop 10.1.3.2
#
explicit-path a-d-c
next hop 10.1.2.2
next hop 10.1.4.2
#
isis 1
is-level level-2
cost-style wide
network-entity 00.0005.0000.0000.0001.00
traffic-eng level-2
#
undo shutdown
ip address 10.1.1.1 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
trap-threshold crc-error packet-error-ratio alarm-threshold 1 3 trigger-lsp
#
undo shutdown
ip address 10.1.2.1 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
isis enable 1
#
destination 3.3.3.3
mpls te bit-error-detection switch-threshold
mpls te bit-error-detection switch-threshold threshold switch 3 3 resume 3 4
mpls te reverse-lsp protocol rsvp-te ingress-lsr-id 3.3.3.3 tunnel-id 100
mpls te path explicit-path a-b-c
mpls te path explicit-path a-d-c secondary
mpls te backup hot-standby mode revertive wtr 15
mpls te commit
#
return
Configuration file of LSRB

#
sysname LSRB
#
mpls lsr-id 2.2.2.2
Issue 02 (2013-12-31)

772

Equipment
3 Reliability
mpls
mpls te
mpls rsvp-te
#
isis 1
is-level level-2
cost-style wide
network-entity 00.0005.0000.0000.0002.00
traffic-eng level-2
#
undo shutdown
ip address 10.1.1.2 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
undo shutdown
ip address 10.1.3.1 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
isis enable 1
#
return
Configuration file of LSRC

#
sysname LSRC
#
bfd
#
mpls lsr-id 3.3.3.3
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
explicit-path c-b-a
next hop 10.1.3.1
next hop 10.1.1.1
#
explicit-path c-d-a
next hop 10.1.4.1
next hop 10.1.2.1
#
isis 1
cost-style wide
is-level level-2
network-entity 00.0005.0000.0000.0003.00
traffic-eng level-2
#
undo shutdown
ip address 10.1.3.2 255.255.255.0
isis enable 1
mpls
mpls te
Issue 02 (2013-12-31)

773

Equipment
3 Reliability
mpls rsvp-te
#
undo shutdown
ip address 10.1.4.2 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
isis enable 1
#
destination 1.1.1.1
mpls te bit-error-detection switch-threshold
mpls te bit-error-detection switch-threshold threshold switch 3 3 resume 3 4
mpls te path explicit-path c-b-a
mpls te path explicit-path c-d-a secondary
mpls te backup hot-standby mode revertive wtr 15
mpls te commit
#
return
Configuration file of LSRD

#
sysname LSRD
#
mpls lsr-id 4.4.4.4
mpls
mpls te
mpls rsvp-te
#
isis 1
is-level level-2
cost-style wide
network-entity 00.0005.0000.0000.0004.00
traffic-eng level-2
#
undo shutdown
ip address 10.1.2.2 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
undo shutdown
ip address 10.1.4.1 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255
Issue 02 (2013-12-31)

774

Equipment
3 Reliability
isis enable 1
#
return
Example for Configuring Bit-Error-Triggered VPN Route Switching

This section provides an example of configuring bit-error-triggered VPN route switching.
On an IP radio access network (RAN), if a bidirectional Resource Reservation Protocol-Traffic
Engineering (RSVP-TE) tunnel (consisting of two unidirectional tunnels) carries L3VPN
services, you can configure traffic engineering (TE) hot standby to provide tunnel-level
protection and configure VPN fast reroute (FRR) to provide service-level protection. However,
these protection mechanisms cannot trigger protection switching based on random bit errors
caused by optical fiber aging or optical signal jitter. Random bit errors may degrade on an IP
RAN or even interrupt services in extreme cases.
To resolve this problem, configure bit-error-triggered VPN route switching. On the network
shown in Figure 3-17, the VPN traffic sent from the NodeB to the radio network controller
(RNC) needs to be transmitted over a bidirectional RSVP-TE tunnel between the user-end
provider edge (UPE) and a superstratum provider edge (SPE). VPN FRR needs to be configured
on the UPE and network provider edge (NPE). After you configure bit-error-triggered VPN route
switching, the UPE and NPE can reroute traffic if a bit error event occurs on the working
bidirectional RSVP-TE tunnel between the UPE and an SPE.
Figure 3-17 Networking diagram for bit-error-triggered VPN route switching
Loopback1
0 /2
GE
GE0/2/3
Loopback1
0
GE
SPE1
1
/ 2/
/1
NodeB
UPE
GE0/2/3
GE0/2/0
GE
0/2
/2
GE
0/2
/2
GE
0/2
/2
Loopback1
GE
RNC
0/2
/2
GE0/2/3
/1
0/2 NPE
E
G
/1
0/2
GE
SPE2
Loopback1
Issue 02 (2013-12-31)
Device
Interface
Peer Device
IP Address
UPE
Loopback1
1.1.1.1/32
GE0/2/0
NodeB
100.1.1.1/24
GE0/2/1
SPE1
172.1.1.1/24

775

Equipment
Device
SPE1
SPE2
NPE
3 Reliability
Interface
Peer Device
IP Address
GE0/2/2
SPE2
172.1.2.1/24
Loopback1
2.2.2.2/32
GE0/2/1
UPE
172.1.1.2/24
GE0/2/2
NPE
172.1.4.1/24
GE0/2/3
SPE2
172.1.3.1/24
Loopback1
3.3.3.3/32
GE0/2/1
NPE
172.1.5.1/24
GE0/2/2
UPE
172.1.2.2/24
GE0/2/3
SPE1
172.1.3.2/24
Loopback1
4.4.4.4/32
GE0/2/1
SPE2
172.1.5.2/24
GE0/2/2
SEP1
172.1.4.2/24
GE0/2/3
NPE
100.2.1.1/24
1.
Configure an IP address and a routing protocol for each interface so that all nodes can
communicate at the network layer. This example uses Open Shortest Path First (OSPF) as
the routing protocol.
2.
and SPEs.
3.
4.
and SPEs.
5.
6.
7.
Configure bit-error-triggered VPN route switching.
Data Preparation
l
Issue 02 (2013-12-31)
Interface IP addresses, as listed in table 1

776

Equipment
3 Reliability
NPE
1.
Configure interface IP addresses.

Assign an IP address to each interface according to table 1 and create a loopback interface
2.
Configure OSPF.
configuration details, see Configuration Files in this section.
3.
Configure basic MPLS functions and public network tunnels.

l Configure basic MPLS functions and enable MPLS TE, RSVP-TE, and Constraint
Shortest Path First (CSPF).
[UPE] mpls
[UPE-mpls] mpls te
[UPE-mpls] quit
[UPE] ospf 1
[UPE-ospf-1] area 0
[UPE-ospf-1] quit
# Configure SPE1.
[SPE1] mpls
[SPE1-mpls] mpls te
[SPE1-mpls] quit
[SPE1] mpls ldp
Issue 02 (2013-12-31)

777

Equipment
3 Reliability
[SPE1] ospf 1
[SPE1-ospf-1] quit
# Configure SPE2.
[SPE2] mpls
[SPE2-mpls] mpls te
[SPE2-mpls] quit
[SPE2] mpls ldp
[SPE2] ospf 1
[SPE2-ospf-1] quit
l Enable the egress of each unidirectional tunnel to be created to assign a non-null label
to the penultimate hop.
NOTE
If you do not enable the egress to assign a non-null label to the penultimate hop before establishing
a unidirectional RSVP-TE tunnel, bit-error-triggered VPN route switching cannot take effect.

[UPE] mpls
[UPE-mpls] quit
# Configure SPE1.
[SPE1] mpls
[SPE1-mpls] quit
# Configure SPE2.
[SPE2] mpls
[SPE2-mpls] quit

Issue 02 (2013-12-31)

778

Equipment
3 Reliability

# Configure SPE1.
# Configure SPE2.

[UPE-tunnel-policy-policy1] tunnel binding destination 2.2.2.2 te tunnel
0/2/1
[UPE-tunnel-policy-policy1] tunnel binding destination 3.3.3.3 te tunnel
0/2/2
# Configure SPE1.
[SPE1-tunnel-policy-policy1] tunnel binding destination 1.1.1.1 te tunnel
0/2/1
# Configure SPE2.
[SPE2-tunnel-policy-policy1] tunnel binding destination 1.1.1.1 te tunnel
0/2/2
4.
Issue 02 (2013-12-31)

779

Equipment
3 Reliability

[UPE] bgp 100
[UPE-bgp-vpna] quit
[UPE-bgp] quit

<NPE> system-view
[NPE] bgp 100
[NPE-bgp-vpna] quit
[NPE-bgp] quit
5.
and SPEs.
[UPE] bgp 100
[UPE-bgp] quit
# Configure SPE1.
[SPE1] bgp 100
[SPE1-bgp] quit
The configuration of SPE2 is similar to the configuration of SPE1. For configuration details,
see Configuration Files in this section.
[NPE] bgp 100
Issue 02 (2013-12-31)

780

Equipment
3 Reliability

[NPE-bgp] quit
6.
Configure the SPEs as RRs and specify the UPE and NPE as RR clients.
# Configure SPE1.
[SPE1] bgp 100
[SPE1-bgp] quit
reflect-client
next-hop-local
reflect-client
next-hop-local
7.
Apply the tunnel policy on the UPE and configure a tunnel selector on each SPE because
SPEs do not have VPN instances, so that the UPE and SPEs use RSVP-TE tunnels to
transmit traffic.

[SPE1] bgp 100
8.

[UPE] bgp 100
[UPE-bgp-vpna] quit
[UPE-bgp] quit
The configuration of the NPE is similar to the configuration of UPE. For configuration
9.
Enable bit error detection for each unidirectional RSVP-TE tunnel and specify the reverse
tunnel for each unidirectional RSVP-TE tunnel.
[UPE]bfd
[UPE-bfd] quit
Issue 02 (2013-12-31)

781

Equipment
[UPE] interface tunnel
[UPE-Tunnel0/2/1] mpls
tunnel-id 100
[UPE] interface tunnel
tunnel-id 200
3 Reliability
0/2/1
te commit
0/2/2
te commit
# Configure SPE1.
[SPE1]bfd
[SPE1-bfd] quit
[SPE1] interface tunnel
[SPE1-Tunnel0/2/1] mpls
tunnel-id 100
0/2/1
te commit
# Configure SPE2.
[SPE2]bfd
[SPE2-bfd] quit
[SPE2] interface tunnel
tunnel-id 200
0/2/2
te commit
10. Configure bit-error-triggered VPN route switching.

# Configure the UPE to reroute traffic when a bit error event occurs.
[UPE] bgp 100
[UPE-bgp-vpna] bestroute bit-error-detection
[UPE-bgp-vpna] quit
[UPE-bgp] quit
# Configure SPE1 to adjust the local preference or Multi-Exit Discrimination (MED) values
of the VPN routes that it advertises to the NPE when a bit error event occurs.
[SPE1] bgp 100
[SPE1-bgp-af-vpnv4] nexthop recursive-lookup bit-error-detection localpreference - 50
[SPE1-bgp] quit
11. Verify the configuration.

# After completing the configurations, run the display bgp vpnv4 vpn-instancevpna
routing-table command on the UPE and NPE to view detailed information about received
routes. The command output shows that the UPE and NPE both preferentially select the
routes advertised by SPE1 and use UPE <-> SPE1 <-> NPE as the primary path. After a
bit error event occurs on the RSVP-TE tunnel between the UPE and SPE1, route selection
results on the UPE and NPE change.
Issue 02 (2013-12-31)

782

Equipment
3 Reliability

Network
NextHop
*>
*>
*>i
* i
[NPE]
MED
LocPrf
100.1.1.0/24
100.1.1.1/32
100.2.1.0/24
0.0.0.0
0
0.0.0.0
0
2.2.2.2
0
100
3.3.3.3
0
100
PrefVal Path/Ogn
0
0
0
0
?
?
?
?


Network
NextHop
MED
LocPrf
*>i
* i
*>
*>
0
0
0
0
100
100
100.1.1.0/24
100.2.1.0/24
100.2.1.1/32
2.2.2.2
3.3.3.3
0.0.0.0
0.0.0.0
PrefVal Path/Ogn
0
0
0
0
?
?
?
?
# Run the display bgp vpnv4 vpn-instance vpna routing-table ipv4-address command
on the UPE. The command output shows that the UPE preferentially selects the routes
advertised by SPE2.
[UPE] display bgp vpnv4 vpn-instance vpna routing-table 100.2.1.0
BGP local router ID : 1.1.1.1
Local AS number : 100
Paths:
2 available, 1 best, 1 select
BGP routing table entry information of 100.2.1.0/24:
Label information (Received/Applied): 1029/NULL
From: 3.3.3.3 (3.3.3.3)
Route Duration: 04h59m22s
Relay Tunnel Out-Interface: Tunnel0/2/2
Relay token: 0x3
Original nexthop: 3.3.3.3
Qos information : 0x0
Ext-Community:RT <1 : 1>
AS-path Nil, origin incomplete, MED 0, localpref 100, pref-val 0, valid,
internal, best, select, active, pre 255
Originator: 4.4.4.4
Cluster list: 3.3.3.3
Not advertised to any peer yet
From: 2.2.2.2 (2.2.2.2)
Relay token: 0x1
internal, backup, pre 255, not preferred for nexthop bit error
Originator: 4.4.4.4
Issue 02 (2013-12-31)

783

Equipment
3 Reliability
# Run the display bgp vpnv4 all routing-table ipv4-address command on SPE1. The
command output shows that the local preference of routes advertised by SPE1 to the NPE
has changed.
[SPE1] display bgp vpnv4 all routing-table 100.1.1.0
Total routes of Route Distinguisher(100:1): 2
RR-client route.
Label information (Received/Applied): 1026/1029
From: 1.1.1.1 (1.1.1.1)
Relay IP Nexthop: 172.1.1.1
Relay IP Out-Interface: GigabitEthernet0/2/1
Relay token: 0x17
internal, best, select, pre 255(original localpref 100)
Advertised to such 3 peers:
3.3.3.3
1.1.1.1
4.4.4.4
From: 3.3.3.3 (3.3.3.3)
Relay IP Out-Interface: GigabitEthernet0/2/1
Relay token: 0x17
internal, pre 255, not preferred for Cluster List(original localpref 100)
Originator: 1.1.1.1
# After the local preference of routes advertised by SPE1 to the NPE is reduced, the NPE
preferentially selects the routes advertised by SPE2.
[NPE] display bgp vpnv4 vpn-instance vpna routing-table 100.1.1.0
Paths:
From: 3.3.3.3 (3.3.3.3)
Relay Tunnel Out-Interface: GigabitEthernet0/2/1
Relay token: 0x13
internal, best, select, active, pre 255, IGP cost 1
Originator: 1.1.1.1
Issue 02 (2013-12-31)

784

Equipment
3 Reliability

From: 2.2.2.2 (2.2.2.2)
Relay Tunnel Out-Interface: GigabitEthernet0/2/2
Relay token: 0xf
internal, pre 255, IGP cost 1, not preferred for Local_Pref
Originator: 1.1.1.1
Configuration Files
l
Configuration file of the UPE

#
sysname UPE
#
ipv4-family
tnl-policy policy1
#
bfd
#
mpls lsr-id 1.1.1.1
mpls
mpls te
mpls rsvp-te
#
undo shutdown
ip address 100.1.1.1 255.255.255.0
#
undo shutdown
ip address 172.1.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
undo shutdown
ip address 172.1.2.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
destination 2.2.2.2
mpls te bit-error-detection
Issue 02 (2013-12-31)

785

Equipment
3 Reliability

mpls te commit
#
destination 3.3.3.3
mpls te commit
#
bgp 100
router-id 1.1.1.1
#
ipv4-family unicast
peer 2.2.2.2 enable
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.2 enable
peer 3.3.3.3 enable
#
bestroute bit-error-detection
import-route direct
auto-frr
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.1.2.0 0.0.0.255
mpls-te enable
#
#
return
Configuration file of SPE1

#
sysname SPE1
#
#
bfd
#
mpls lsr-id 2.2.2.2
mpls
mpls te
mpls rsvp-te
#
mpls ldp
#
Issue 02 (2013-12-31)

786

Equipment
3 Reliability
undo shutdown
ip address 172.1.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
undo shutdown
ip address 172.1.4.1 255.255.255.0
mpls
mpls ldp
#
undo shutdown
ip address 172.1.3.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
destination 1.1.1.1
mpls te commit
#
bgp 100
router-id 2.2.2.2
#
ipv4-family unicast
peer 1.1.1.1 enable
peer 3.3.3.3 enable
peer 4.4.4.4 enable
#
ipv4-family vpnv4
nexthop recursive-lookup bit-error-detection local-preference - 50
peer 1.1.1.1 enable
peer 3.3.3.3 enable
peer 4.4.4.4 enable
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.1.3.0 0.0.0.255
network 172.1.4.0 0.0.0.255
mpls-te enable
Issue 02 (2013-12-31)

787

Equipment
3 Reliability
#
#
return
Configuration file of SPE2

#
sysname SPE2
#
#
bfd
#
mpls lsr-id 3.3.3.3
mpls
mpls te
mpls rsvp-te
#
mpls ldp
#
undo shutdown
ip address 172.1.5.1 255.255.255.0
mpls
mpls ldp
#
undo shutdown
ip address 172.1.2.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
undo shutdown
ip address 172.1.3.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
destination 1.1.1.1
mpls te commit
#
bgp 100
router-id 3.3.3.3
#
ipv4-family unicast
peer 1.1.1.1 enable
Issue 02 (2013-12-31)

788

Equipment
3 Reliability
peer 2.2.2.2 enable

peer 4.4.4.4 enable
#
ipv4-family vpnv4
peer 1.1.1.1 enable
peer 2.2.2.2 enable
peer 4.4.4.4 enable
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 172.1.2.0 0.0.0.255
network 172.1.3.0 0.0.0.255
network 172.1.5.0 0.0.0.255
mpls-te enable
#
#
return
Configuration file of the NPE

#
sysname NPE
#
ipv4-family
#
mpls lsr-id 4.4.4.4
mpls
#
mpls ldp
#
undo shutdown
ip address 172.1.5.2 255.255.255.0
mpls
mpls ldp
#
undo shutdown
ip address 172.1.4.2 255.255.255.0
mpls
mpls ldp
#
undo shutdown
ip address 100.2.1.1 255.255.255.0
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255
#
bgp 100
router-id 4.4.4.4
Issue 02 (2013-12-31)

789

Equipment
3 Reliability

#
ipv4-family unicast
peer 2.2.2.2 enable
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.2 enable
peer 3.3.3.3 enable
#
import-route direct
auto-frr
#
ospf 1
area 0.0.0.0
network 4.4.4.4 0.0.0.0
network 172.1.4.0 0.0.0.255
network 172.1.5.0 0.0.0.255
#
return
Example for Configuring Bit-Error-Triggered LDP-LSP Section-Layer Protection

Switching
This section provides an example for configuring bit-error-triggered Label Distribution Protocol
(LDP) label switched path (LSP) section-layer protection switching.
As shown in Figure 3-18, LSRA and LSRB are two P devices on a multiprotocol label switching
(MPLS) LDP network, and bit-error-triggered LDP-LSP section-layer protection switching
needs to be configured on the interfaces to which LSRA and LSRB are connected.
Figure 3-18 Networking diagram for configuring bit-error-triggered LDP-LSP section-layer
protection switching
10.1.1.1/24
10.1.1.2/24
Loopback0
1.1.1.1/32
Loopback1
2.2.2.2/32
LSRA
LSRB
Table 3-5 IP addresses of device interfaces

Device
Interface
IPv6 Address
Remote Device
LSRA
GE0/2/0
10.1.1.1/24
LSRB
Loopback0
1.1.1.1/32
GE0/2/0
10.1.1.2/24
LSRA
LSRB
Issue 02 (2013-12-31)

790

Equipment
Device
3 Reliability
Interface
IPv6 Address
Remote Device
Loopback1
2.2.2.2/32
Configuration Principle
Configure the bit-error-triggered LDP-LSP section-layer protection switching as follows:
Configure the bit error alarm threshold on an interface, which triggers the corresponding sectionlayer protection switching type.
Data Preparations
To complete the configuration, obtain the following data:
l
IP address of each interface on the devices of the network, as listed in Table 1
1.
Configure an IP address for each interface.
Procedure
Assign an IP address to each interface according to Table 1 and create a loopback interface
at each node.
2.
Configure the bit error alarm threshold on each interface, which triggers the corresponding
section-layer protection switching type.
l # Configure LSRA.
[LSRA] interface GigabitEthernet0/2/0
[LSRA-GigabitEthernet0/2/0] trap-threshold crc-error packet-error-ratio
alarm-threshold 1 3 trigger-section
l # Configure LSRB.
[LSRB] interface GigabitEthernet0/2/0
[LSRB-GigabitEthernet0/2/0] trap-threshold crc-error packet-error-ratio
3.

# Run the display interface GigabitEthernet 0/2/0 command on LSRA to view the status
of the bit error protocol on an interface.
[LSRA]display interface GigabitEthernet 0/2/0
GigabitEthernet0/2/0 current state : DOWN
Line protocol current state : UP(Bit-error-detection down)
Description:HUAWEI, GigabitEthernet0/2/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet protocol processing : disabled
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0819a6d0-1a7d
Loopback:none, full-duplex mode, negotiation: disable, Pause
Flowcontrol:Receive Enable and Send Enable
Last physical up time
: Last physical down time : 2012-09-26 16:27:26
Current system time: 2012-09-29 10:33:55
Statistics last cleared:never
Issue 02 (2013-12-31)

791

Equipment
3 Reliability
Last 10 seconds input rate: 0 bits/sec, 0 packets/sec

Last 10 seconds output rate: 0 bits/sec, 0 packets/sec
Input: 0 bytes, 0 packets
Output: 0 bytes, 0 packets
Input:
Unicast: 0 packets, Multicast: 0 packets
Broadcast: 0 packets, JumboOctets: 0 packets
CRC: 0 packets, Symbol: 0 packets
Overrun: 0 packets, InRangeLength: 0 packets
LongPacket: 0 packets, Jabber: 0 packets, Alignment: 0 packets
Fragment: 0 packets, Undersized Frame: 0 packets
RxPause: 0 packets
Output:
Lost: 0 packets, Overflow: 0 packets, Underrun: 0 packets
System: 0 packets, Overruns: 0 packets
TxPause: 0 packets
Input bandwidth utilization :
0%
Output bandwidth utilization :
0%
# Run the display interface GigabitEthernet 0/2/0 command on LSRB to view the status
[LSRB]display interface GigabitEthernet 0/2/0
Input:
RxPause: 0 packets
Output:
TxPause: 0 packets
0%
0%
Configuration File
l

#
sysname LSRA
#
bfd
#
Issue 02 (2013-12-31)

792

Equipment
3 Reliability
mpls lsr-id 1.1.1.1

mpls
#
mpls ldp
#
undo shutdown
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
trap-threshold crc-error packet-error-ratio alarm-threshold 1 3 triggersection
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return

#
sysname LSRB
#
bfd
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
undo shutdown
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
Example for Configuring Bit-Error-Triggered Trunk Section-Layer Protection

Switching
This section provides an example for configuring bit-error-triggered Trunk section-layer
As shown in Figure 3-19, there are two direct links between LSRA and LSRB, which are bound
to an Eth-Trunk interface where bit-error-triggered section protection switching needs to be
configured.
Issue 02 (2013-12-31)

793

Equipment
3 Reliability
Figure 3-19 Networking diagram for configuring bit-error-triggered Trunk section-layer

protection switching
Eth-Trunk1
Eth-Trunk1
LSRA
LSRB
Table 3-6 IP addresses of device interfaces

Device
Interface
Remote Device
LSRA
GE0/2/0
LSRB
GE0/2/1
LSRB
Eth-Trunk1
LSRB
GE0/2/0
LSRA
GE0/2/1
LSRA
Eth-Trunk1
LSRA
LSRB
Configure the bit-error-triggered Trunk section-layer protection switching as follows:
l
Configure the bit error alarm threshold on an interface, which triggers the corresponding
section-layer protection switching type.
Configure bit-error-triggered protection switching on a Trunk interface.
Data Preparations
l
IP address of each interface on the devices of the network, as listed in Table 1
NOTE
Upon detecting that the bit error rate (BER) is greater than the alarm threshold, an interface sets the status
of the bit error protocol to DOWN.
Procedure
1.
Configure the bit error alarm threshold on the interfaces and associate protection switching.
l # Configure LSRA.
Issue 02 (2013-12-31)

794

Equipment
3 Reliability

l # Configure LSRB.
2.
Configure bit-error-triggered protection switching on a Trunk interface.

l # Configure LSRA.
[LSRA] interface eth-trunk 1
[LSRA-Eth-Trunk1] quit
[LSRA-GigabitEthernet0/2/0] interface eth-trunk 1
[LSRA-GigabitEthernet0/2/0] quite
[LSRA-GigabitEthernet0/2/1] interface eth-trunk 1
[LSRA-GigabitEthernet0/2/1] quite
[LSRA] interface eth-trunk 1
[LSRA-Eth-Trunk1] bit-error-detection
[LSRA-Eth-Trunk1] quit
l # Configure LSRB.
[LSRB] interface eth-trunk 1
[LSRB-Eth-Trunk1] quit
[LSRB-GigabitEthernet0/2/0] interface eth-trunk 1
[LSRB-GigabitEthernet0/2/0] quite
[LSRB-GigabitEthernet0/2/1] interface eth-trunk 1
[LSRB-GigabitEthernet0/2/1] quite
[LSRB] interface eth-trunk 1
[LSRB-Eth-Trunk1] bit-error-detection
[LSRB-Eth-Trunk1] quit
3.

# Run the display interface GigabitEthernet 0/2/0 command on LSRA to view the status
[LSRA] display interface GigabitEthernet 0/2/0
Issue 02 (2013-12-31)

795

Equipment
3 Reliability

Input:
RxPause: 0 packets
Output:
TxPause: 0 packets
0%
0%
# Run the display interface GigabitEthernet 0/2/0 command on LSRB to view the status
[LSRA] display interface GigabitEthernet 0/2/0
Input:
RxPause: 0 packets
Output:
TxPause: 0 packets
0%
0%
Configuration File
l

#
#
sysname LSRA
#
bfd
#
interface Eth-Trunk1
Issue 02 (2013-12-31)

796

Equipment
3 Reliability
bit-error-detection
#
undo shutdown
eth-trunk1
#
undo shutdown
eth-trunk1
#
return

#
sysname LSRB
#
bfd
#
bit-error-detection
#
undo shutdown
eth-trunk1
#
undo shutdown
eth-trunk1
#
return
3.4 BFD Configuration

A BFD session rapidly detects a link fault on a network.
3.4.1 Introduction
BFD rapidly detects communication faults between a local device and its neighbors. This
minimizes the impact of the faults on services.
BFD Overview
BFD is a uniform detection mechanism for an entire network. It detects faults quickly and
monitors the forwarding and connectivity of links or IP routes of the network.
On a network, a link fault is detected in either of the following methods:
l
Issue 02 (2013-12-31)
Hardware detection signals, such as those provided by the Synchronous Digital Hierarchy
(SDH) alarm function, are used to detect a link fault rapidly.

797

Equipment
3 Reliability
If the hardware detection method is unavailable, the Hello mechanism of a routing protocol
is used to detect faults.
The following problems exist in the preceding methods:

l
Hardware is used by only part of mediums to detect faults.
The routing protocol-specific Hello mechanism takes more than 1 second to detect a fault.
If data is forwarded at gigabit rates, a large amount of data is dropped.
On a small-scale Layer 3 network, if no routing protocol is deployed, the routing protocolspecific Hello mechanism does not detect faults. This means that a fault between
interconnected systems is difficult to locate.
BFD is developed to resolve these problems.

BFD provides the following functions:
l
Detects faults rapidly along paths between neighboring forwarding engines, with light loads
and high speeds.
Uses a single mechanism to monitor any kind of medium and protocol layer in real time.
Detection time and costs vary.
BFD Features Supported by the ATN

BFD features are creation modes for BFD sessions, two detection modes (single-hop BFD and
multi-hop BFD), association between the BFD session status and the interface status, resource
reservation for single-hop BFD sessions, dynamic modification of parameters, binding a BFD
session to a VPN instance, BFD for static route, BFD for routing protocols, BFD for FRR, BFD
for IS-IS, BFD for LSP, BFD for PW, BFD for VSI PW and BFD for TE tunnel.
BFD,a unified detection mechanism, is used by multiple protocols.
This section briefly describes applications provided by BFD.
BFD Session Establishment Supported by the ATN

BFD uses local and remote discriminators to differentiate multiple BFD sessions between a pair
of systems. The local and remote discriminators are set in various modes. Based on these modes,
the following types of BFD sessions are supported by the ATN:
l
Static BFD sessions with manually specified discriminators
Static BFD sessions with automatically negotiated discriminators
Dynamic BFD sessions triggered by a protocol
Discriminators of a dynamic BFD session triggered by a protocol are created as follows:

l
Dynamically allocating the local discriminator
Self-learning the remote discriminator

NOTE
On the ATN, OSPF, BGP, IS-IS, RSVP-TE, PWE3 dynamically trigger the establishment of BFD sessions.
The following conditions must be satisfied to allow two ends of a BFD session to create
discriminators in different modes:
Issue 02 (2013-12-31)

798

Equipment
3 Reliability
If a static BFD session is established by manually specifying the discriminators on one end,
the static BFD session on the other end must also be established by manually specifying
discriminators.
If a static BFD session is established by automatically negotiating the discriminators on

one end, the static BFD session on the other end is established by automatically negotiating
discriminators or a dynamic BFD session is established.
If both a static BFD session with automatically negotiated discriminators and a dynamic
BFD session are established on one end, the following principles are applicable:
If these two sessions share the same configurations (the source address, destination
address, outgoing interface, and VPN index), one BFD session works as both the
dynamic BFD session and the static BFD session with automatically negotiated
discriminators.
If the dynamic BFD session named DYN_local-discriminator is configured prior to the
static BFD session, the dynamic BFD session's name is replaced with the static BFD
session's name.
Minimum values between these two sessions are used by the shared session.
At present, one BFD session working as both a dynamic BFD session and a static BFD session
with automatically negotiated discriminators is supported by BFD for OSPF, BFD for IS-IS,
BFD for BGP, and BFD for RSVP-TE.
BFD Modes
The ATN supports the asynchronous mode.
Asynchronous mode:
Each system sends BFD Detect packets at a negotiated interval. If a system does not receive
BFD Control packets from the peer within the detection time, it sets the session to Down.
Single-hop BFD and Multi-hop BFD

The ATN supports single-hop BFD and multi-hop BFD which check the reachability of IP routes.
This section describes single-hop BFD.
The ATN supports single-hop BFD for the following types of links:
l
Layer 3 physical interfaces
Ethernet sub-interfaces including Eth-Trunk sub-interfaces

If a physical Ethernet interface has multiple sub-interfaces, BFD sessions are separately
set up on the physical Ethernet interface and every sub-interface.
Eth-Trunk
Layer 2 Eth-Trunk link
Layer 3 Eth-Trunk link
NOTE
Issue 02 (2013-12-31)
Eth-Trunk links are composed of member links, providing high bandwidth and reliability.
When the number of trunk member links that are Up reaches a certain value, the trunk link keeps Up.
For information about the Eth-Trunk configuration, refer to the ATN Multi-service Access
Equipment Configuration Guide - LAN Access and MAN Access.

799

Equipment
3 Reliability
VLANIF
Ethernet member links in a VLAN
VLANIF interface
BFD sessions are separately created on a VLANIF interface and its VLANIF member
interfaces to detect faults in the VLANIF and VLANIF member interfaces simultaneously.
Association Between the BFD Status and the Interface Status

If a transmission device exists on a direct link, BFD detects a link fault faster than a fault detection
mechanism provided by a link protocol on an interface. The link protocol status of the trunk
interface or the VLAN interface depends on the link protocol status of member interfaces.
To help BFD more rapidly notify an application of detection results, a BFD status attribute is
added to the interface management module on every interface. This attribute indicates the status
of the BFD session that is bound to the interface (on a sub-interface, this attribute indicates the
status of the BFD session that is bound to the main interface). The system obtains the interface
status based on the link status, protocol status, and BFD status on the interface, and then notifies
the application of the result.
Association between the BFD status and the interface status means that if the BFD session status
changes, the BFD status on the interface in the IFNET module is modified. This function is
applicable only to a single-hop BFD session that is bound to the outgoing interface and uses the
default multicast address. Association is classified into the following modes:
l
Association between the BFD status and the status of an interface to which BFD is bound
If a BFD session goes Down, the BFD status on the interface to which the BFD session
is bound goes Down, and this status change is reported to an application on the interface.
If the BFD session on a VLAN member interface goes Down, the link protocol status
on the VLAN member interface also changes. This accelerates the change in the link
protocol status and the route convergence.
NOTE
On a trunk interface whose trunk member interfaces reside on different LPUs, when a BFD
session is created to detect faults in links between trunk member interfaces, the process-pst
command is used to associate the BFD session with the status of the interface. Otherwise, traffic
may be dropped in some situations. For example, an LPU where the trunk member interface
resides is restarted.
When the BFD session is Up, the BFD status on the interface bound to the BFD session
also goes Up.
This function helps the BFD detection results be reported more rapidly to an application.
l
Association between the BFD status and the status of a sub-interface of a main interface
bound to which the BFD session is bound
The BFD session must be bound to the main interface.
If the BFD session goes Down, the BFD statuses on the bound interface and all subinterfaces go Down. The status change is reported to the application on the sub-interface.
The services such as L2VPN configured on the sub-interface use detection results of
the BFD session.
If the BFD session goes Up, the BFD statuses on the interface to which the BFD session
is bound to and all the sub-interfaces also go Up.
Issue 02 (2013-12-31)

800

Equipment
3 Reliability
This function saves the session resources in the system and provides reliability for more
applications. This function is typically used on the network where high reliability is required
and a great number of services are configured on the sub-interface, such as a large-scale
MAN Ethernet.
Changing Detection Parameters Dynamically

After a BFD session is set up, detection parameters can be changed, such as the minimum sending
interval, minimum receiving interval, without affecting the current session status.
Binding a VPN Instance

On the ATN, a BFD session is bound to a VPN instance, allowing BFD Control packets to be
forwarded in a specified VPN.
BFD for Static Route

Static routes do not have a detection mechanism. If a network fails, an administrator needs to
troubleshoot the fault.
BFD for static route allows a BFD session to detect the status of an IPv4 static route on the public
network. The routing management system determines whether or not the static route is available
based on the BFD session status.
NOTE
For the detailed configuration of BFD for static routes, refer to chapter "IP Static Route Configuration" in
the ATN Multi-service Access Equipment Configuration Guide - IP Routing.
BFD for Routing Protocols

BFD uses a local discriminator and a remote discriminator to identify multiple BFD sessions
between one pair of systems. BDF sessions for IS-IS are dynamically or statically created; BDF
sessions for BGP and OSPF are dynamically created.
A BFD session dynamically triggered by a routing protocol is implemented as follows:
l
Dynamically allocating the local discriminator
Self-learning the remote discriminator
After a routing protocol-specific neighbor relationship is established successfully, a routing

protocol triggers the establishment of a BFD session by using a routing management module
and the BFD session rapidly checks the protocol-specific neighbor relationship. Detection
parameters of BFD sessions are configured by a routing protocol.
If a BFD session detects a failure, the session goes Down, and BFD triggers route convergence
through a routing management module.
NOTE
A routing protocol implements second-level detection by using Hello messages based on the keepalive
mechanism, and BFD implements millisecond-level detection at intervals of 10 milliseconds with the
detection multiplier being 3. BFD advertises a protocol failure within 50 milliseconds, which speeds up
route convergence.
If a neighbor is unreachable, a routing protocol instructs BFD to delete the session by through
a routing management module.
Issue 02 (2013-12-31)

801

Equipment
3 Reliability
BFD for Fast Reroute

l
BFD for LDP FRR

MPLS uses software for forwarding. BFD detects faults in the protected interfaces. LDP
FRR switchover is triggered if a BFD session is Down.
BFD for IP FRR and BFD for VPN FRR

On ATNs, IP FRR and VPN FRR switchovers are triggered only after detected faults are
reported to the control plane.
BFD provides reliability for MPLS-based applications, such as VPN FRR, TE FRR, to
protect services.
BFD for IS-IS

On the ATN, a static BFD session is used to check the IS-IS neighbor relationship.
BFD detects a link fault between IS-IS neighbors, and rapidly reports it to IS-IS to trigger ISIS convergence rapidly.
NOTE
As IS-IS sets up only single-hop IS-IS adjacencies, BFD is applicable only to single-hop IS-IS
adjacencies.
For the detailed configuration of BFD for IS-IS, refer to the chapter "IS-IS Configuration" in the
Configuration Guide - IP Routing.
BFD for LSP

BFD detects failures in an MPLS LSP forwarding path on the data plane. As the format of BFD
packets is unchanged, the BFD packets are easily transmitted through hardware and traverse
through firewalls. The advantages of BFD for LDP LSP on the data plane are as follows:
l
Only reachable IP routes are required for a backward link.
Support rapid detection.
Supports large scale failure detection on LSPs.
Negotiation of a BFD session to detect LDP LSP connectivity is performed in either of two
modes:
l
Static establishment of the BFD session: After the local and remote BFD discriminators
are set manually, the BFD session is established by using the negotiation mechanism.
Dynamic establishment of the BFD session: The Discriminator session is established after
negotiation on the BFD Discriminator Type-Length-Value (TLV) carried in LSP Ping
messages.
On ATN, static BFD sessions detect the following types of LSPs:

l
Static LSP
LDP LSP
TE: includes the tunnel, static CR-LSP bound to the tunnel, and dynamic RSVP CR-LSP.
BFD detects faults in TE tunnels using signaling protocols (such as CE-static and RSVPTE) and a primary LSP bound to a TE tunnel.
Dynamic BFD sessions detect faults in the following forwarding paths:

Issue 02 (2013-12-31)

802

Equipment
LDP LSP
RSVP LSP
3 Reliability
At present, a dynamic BFD session only detects faults in RSVP TE LSPs, not TE LSPs using
other signaling protocol nor TE tunnels.
If BFD works on unidirectional links like LSPs and TE tunnels, only a reachable IP route is
required for backward links which are IP links, LSPs, or TE tunnels.
NOTE
l For the configuration of BFD for static LSP and BFD for LDP LSP, refer to the chapter "Basic MPLS
Configuration" in the ATN Multi-service Access Equipment Configuration Guide - MPLS.
l For the configuration of BFD for MPLS TE, refer to the chapter "MPLS TE Configuration" in the
ATN Multi-service Access Equipment Configuration Guide - MPLS.
BFD for PW
BFD detects PW links between PEs. BFD supports PW Redundancy, minimizing the impact of
link failures on services. The ATN supports BFD sessions for PW in either static (discriminators
are manually configured) or dynamic mode.
The ATN combines VCCV ping and BFD for checking PW connectivity dynamically, which
leads to rapid traffic switchovers for protecting upper-layer services.
NOTE
For the configuration of BFD for PW, refer to the chapter "PWE3 Configuration" in the ATN Multi-service
Access Equipment Configuration Guide - VPN.
3.4.2 Configuring Single-hop BFD

A single-hop BFD session rapidly detects faults on direct links over a network.
Before You Start

Before configuring a single-hop BFD session, familiarize yourself with the usage scenario,
complete the pre-configuration tasks, and obtain the required data.
To fast check directly connected links, configure single-hop BFD.
Before configuring single-hop BFD, complete the following tasks:
l
Connect each interface correctly.
Configure IP addresses for Layer 3 interfaces.
Data Preparation
To configure single-hop BFD, you need the following data.
Issue 02 (2013-12-31)

803

Equipment
3 Reliability
No.
Data
BFD configuration name
Peer IP address, local interface type and number for the directly-connected link
detected by BFD, and default multicast address used by BFD if it checks the physical
layer status of the link
BFD session parameters: local and remote discriminators
Enabling BFD Globally

Enabling BFD globally is the prerequisite for BFD configurations.
Context
If single-hop BFD detection is performed on Layer 2 interfaces or Layer 3 physical interfaces
without IP addresses, a default multicast IP address is used.
Perform the following steps on both ends of a link to be checked:
Procedure
Step 1 Run:
system-view

Step 2 Run:
bfd
BFD is enabled globally and the BFD view is displayed.

default-ip-address ip-address
The default multicast IP address of BFD is configured.

The default multicast IP address used by BFD is 224.0.0.184.
NOTE
l If more than one BFD session is created for the same link, for example, a Layer 3 interface is connected
by BFD-enabled Layer 2 switches, various default multicast addresses need to be configured for the
switches, distinguishing one BFD session from others and ensuring that BFD packets are forwarded
correctly.
----End
Setting Up a BFD Session

Creating a BFD session on both ends of a direct link enables BFD to rapidly detect a fault in the
direct link.
Issue 02 (2013-12-31)

804

Equipment
3 Reliability
Context
Perform the following procedure on both ends of a link to be checked:
Procedure
Step 1 Run:
system-view

Step 2 Select one of the following steps depending on the type of link to be checked by BFD:
l To use BFD to detect faults in an IPv4 link, run the following commands as required to
configure a BFD session:
On a Layer 3 interface with an IP address, run:
bfd bfd-name bind peer-ip peer-ip [ vpn-instance vpn-instance-name ]
interface interface-type interface-number [ source-ip source-ip ] [ trackinterface { { interface { interface-name | interface-type interfacenumber } } | { controller { interface-name | interface-type interfacenumber } } } ]
If a single-hop BFD session is to be set up on an interface for the first time, the interface
and its peer address must be bound to the BFD session. The bindings cannot be
modified after the BFD session is created.
When BFD configuration items are being created, the system checks only the format
of an IP address regardless of whether the IP address is correct. Either an incorrect
peer or source IP address leads to a failure in creating a BFD session.
If BFD and Unicast Reverse Path Forwarding (URPF) are used together, configure
source-ip to specify a correct source IP address for BFD packets during the creation
of a BFD binding (as URPF checks the source IP address of received packets); If this
is not done correctly, BFD packets are discarded mistakenly.
If BFD and Unicast Reverse Path Forwarding (URPF) are used together, configure
source-ip to specify a correct source IP address for BFD packets during the creation
of a BFD binding (as URPF checks the source IP address of received packets); If this
is not done correctly, BFD packets are discarded mistakenly.
On a Layer 2 interface or a Layer 3 physical member interface without an IP address, run:
bfd bfd-name bind peer-ip default-ip interface interface-type interfacenumber [ source-ip source-ip ]
Step 3 Configure discriminators by running the following commands:

l To configure a local discriminator, run:
discriminator local discr-value
l To configure a remote discriminator, run:

discriminator remote discr-value
NOTE
l The local discriminator set on a device is equal to the remote discriminator set on a remote device, and
the remote discriminator set on the local device is equal to the local discriminator set on the remote
device. If the local and remote discriminators do not match, the session cannot be created. After the
local and remote discriminators are set, they cannot be changed.
l If a default multicast address is bound to a BFD session, the local and remote discriminators of the
session must be different.
Issue 02 (2013-12-31)

805

Equipment
3 Reliability
Step 4 Run:
commit

NOTE
After necessary parameters, such as local and remote discriminators, are configured for a single-hop BFD
session, the commit command must be run to make the configuration take effect.
----End

By viewing the status and type of a BFD session, you can check whether the configurations are
successful.
Prerequisites
The configurations of a single-hop BFD session are complete.
Context
NOTE
Statistics about BFD sessions and detailed information about sessions can be queried only after BFD session
parameters have been set and BFD sessions have been set up.
Procedure
l
Run the display bfd configuration { all | static [ name cfg-name ] | discriminator localdiscr-value | dynamic | peer-ip peer-ip [ vpn-instance vpn-instance-name ] } [ verbose ]
command to check BFD configurations.
Run the display bfd interface [ interface-type interface-number ] command to check BFD
interfaces.
Run the display bfd session { all | discriminator discr-value | dynamic | peer-ip peerip [ vpn-instance vpn-instance-name ] | static } [ verbose ] command to check information
about a BFD session.
Run the display bfd statistics command to check the global statistics of the BFD sessions.
Run the display bfd statistics session { all | static | dynamic | discriminator discrvalue | peer-ip peer-ip [ vpn-instance vpn-instance-name ] }command to check statistics
----End
3.4.3 Configuring the Association Between the BFD Status and the
Interface Status
By associating the BFD session status with the interface status, you can trigger fast route
convergence. This function is applicable to only the BFD session that uses the default multicast
IP address to detect the single-hop link.
Issue 02 (2013-12-31)

806

Equipment
3 Reliability
Before You Start

Before associating the BFD session status with the interface status, familiarize yourself with the
usage scenario, complete the pre-configuration tasks, and obtain the required data.
When a transport device exists on the link and a fault occurs on a link, the ATNs on both ends
of the link need a long time to detect the fault. This is because although the two ATNs are directly
connected, the actual physical path is segmented by the transport device.
Figure 3-20 Networking diagram of devices between both ATNs
ATN A
CX-B
To solve the problem, the ATN implements the association between BFD status and interface
status. The change of the BFD session status affects the protocol status of the interface. Fast
convergence of routes is triggered.
After the association between BFD status and interface status is configured, the BFD session
becomes Down when it detects a fault, and the corresponding interface status becomes
BFD_Down. When the interface is BFD_Down, the direct route of this interface is deleted from
the routing table; however, the forwarding of BFD packets is not affected.
Before configuring the association between BFD status and interface status, you need to
complete the task of 3.4.2 Configuring Single-hop BFD.
NOTE
Only the one-hop BFD session to which the default multicast IP address is bound can implement the
association between BFD status and interface status. You can run the bfd bfd-name bind peer-ip defaultip interface interface-type interface-number [ source-ip source-ip ] command to set up a BFD session.
Data Preparation
To configure the association between BFD status and interface status, you need the following
data.
No.
Data
Enabling the Global BFD

Issue 02 (2013-12-31)

807

Equipment
3 Reliability
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
bfd


NOTE
correctly.
----End
Configuring the Association Between BFD Status and Interface Status

By being associated with the interface status, a BFD session can affect the interface protocol
status after the BFD session status changes, which triggers fast route convergence.
Context
Perform the following procedure on the ATN that needs to be configured with the association
between BFD status and interface status:
Procedure
Step 1 Run:
system-view

Step 2 Run:
bfd bfd-name bind peer-ip default-ip interface interface-type interface-number
[ source-ip source-ip ]
A BFD binding for monitoring physical link status is configured.

Issue 02 (2013-12-31)

808

Equipment
3 Reliability
Step 3 Run:
bfd bfd-name
The BFD session view is displayed.

Step 4 Run:
process-interface-status
The status association between the current BFD session and the interface bound to the BFD
session is configured.
By default, the status of the current BFD session is not associated with the status of the interface.
That is, the change of the BFD session status does not affect the interface status.
Step 5 Run:
commit
NOTE
l When the process-interface-status command and the commit command are run in succession, the
BFD session may not be set up or the BFD session does not go Up through negotiation. Therefore, the
BFD session does not notify the interface of the BFD status immediately, avoiding that the BFD session
notifies the interface of incorrect status information that results in incorrect interface status change.
After the configuration is committed, the BFD sessions can notify the interface of the BFD status
change. In this manner, the BFD session status is associated with the interface status.
l If the process-interface-status command is saved in the configuration file, the BFD session that is
bound to the interface notifies the interface that the BFD session is Down when the ATN is restarted,
in view of the initial status of an interface being Down.
l Before the BFD status is associated with the interface status, the BFD configurations on the two
ATNs must be correct and symmetrical. If the BFD status on the local interface is Down, check whether
the BFD configuration on the peer is correct or whether the BFD session is shut down.
l If the networking requires that the BFD status must be synchronized with the interface status, you can
run the shutdown and undo shutdown commands to change the status of the BFD session. When the
undo shutdown command is run, a timer to test the BFD session status is started. If the BFD session
goes Up through negotiation before the timer expires, the BFD session notifies the interface of the Up
state. Otherwise, the BFD session regards the link as failed and notifies the interface of the Down state
after the timer expires. In this manner, the BFD session status and the interface status are in real-time
synchronization.
l If the shutdown command is run,the BFD status will not be send to the interface.
l If association between BFD and an interface needs to be configured, the BFD must be bound to a
primary interface. If the BFD is bound to a sub-interface, BFD cannot be associated with the subinterface. You can configure the association between BFD and the primary interface, but the
configuration does not take effect.
----End

By viewing the association between a BFD session status and the interface status, you can check
whether the configurations are successful.
Prerequisites
The configurations of the association between the BFD status and the interface status function
are complete.
Issue 02 (2013-12-31)

809

Equipment
3 Reliability
Procedure
l
Run the display bfd session { all | discriminator discr-value | dynamic | peer-ip peerip [ vpn-instance vpn-instance-name ] | static } [ verbose ] command to check the BFD
session.
----End
3.4.4 Configuring the Association Between the BFD Status and the
Sub-Interface Status
By associating the BFD session status with the sub-interface status, you can trigger fast route
convergence. This function is applicable to the single-hop BFD session that detects default
multicast IP addresses.
Before You Start

Before associating the BFD session status with the sub-interface status, familiarize yourself with
the usage scenario and complete pre-configuration task of configuring a single-hop BFD session
and data preparation.
If high reliability is required and sub-interfaces are configured with a large number of services,
only a BFD session needs to be configured on an interface not on each sub-interface. The BFD
session can be associated with the sub-interface status to allow the sub-interface's protocol status
to be synchronized with the interface's protocol status. This association improves service
reliability and saves BFD session resources.
Before associating BFD status and sub-interface status, complete the following tasks:
l
Enable BFD globally.
Set up the one-hop BFD session, which is bound to the main interface and uses the default
multicast address for detection.
Set up the BFD session and ensure that the BFD session is Up.
Data Preparation
To configure the association between the BFD status and the sub-interface status, you need the
following data.
No.
Data
Name of the BFD session

Issue 02 (2013-12-31)

810

Equipment
3 Reliability
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
bfd


NOTE
correctly.
----End
Configuring the Association Between BFD Status and Sub-Interface Status

After being associated with sub-interface status, the BFD session can affect the interface protocol
status after the BFD session status changes, which triggers fast route convergence.
Context
Perform the following procedure on the ATN that needs to rapidly detect the link fault:
Procedure
Step 1 Run:
system-view

Step 2 Run:
bfd bfd-name bind peer-ip default-ip interface interface-type interface-number
[ source-ip source-ip ]
A BFD binding for monitoring physical link status is configured.

Issue 02 (2013-12-31)

811

Equipment
3 Reliability
Step 3 Run:
bfd bfd-name

Step 4 Run:
process-interface-status sub-if
The association between the BFD status and the sub-interface status is configured.
Step 5 Run:
commit

When the BFD session goes Down, the BFD statuses of the main interface bound to the BFD
session and its sub-interface also go Down.
NOTE
l When the process-interface-status command and the commit command are run in succession, the
BFD session may not be set up or the BFD session does not go Up through negotiation. Therefore, the
BFD session does not notify the interface of the BFD status immediately, avoiding that the BFD session
notifies the interface of incorrect status information that results in incorrect interface status change.
After the configuration is committed, the BFD sessions can notify the interface of the BFD status
change. In this manner, the BFD session status is associated with the interface status.
l If the networking requires that the BFD status must be synchronized with the interface status, you can
run the shutdown and undo shutdown commands to change the status of the BFD session. When the
undo shutdown command is run, a timer to test the BFD session status is started. If the BFD session
goes Up through negotiation before the timer expires, the BFD session notifies the interface of the Up
state. Otherwise, the BFD session regards the link as failed and notifies the interface of the Down state
after the timer expires. In this manner, the BFD session status and the interface status are in real-time
synchronization.
l If the shutdown command is run,the BFD status will not be send to the interface.
l If the process-interface-status command is saved in the configuration file, the BFD session that is
bound to the interface notifies the interface that the BFD session is Down when the ATN is restarted,
in view of the initial status of an interface being Down.
l Before BFD status is associated with interface status, the BFD configurations on the two ATNs must
be correct and symmetrical. If the BFD status on the local interface goes Down, check whether the
BFD configuration on the peer is correct or whether the BFD session has been shut down.
l If association between BFD and an interface needs to be configured, the BFD must be bound to a
primary interface. If the BFD is bound to a sub-interface, BFD cannot be associated with the subinterface. You can configure the association between BFD and the primary interface, but the
configuration does not take effect.
----End

By viewing the identifier of the association between the BFD session status and the sub-interface
status, you can check whether the configurations are successful.
Prerequisites
The configurations of the association between the BFD status and the sub-interface status
Issue 02 (2013-12-31)

812

Equipment
3 Reliability
Procedure
l
Run the display bfd session { all | static | dynamic | discriminator discr-value | peer-ip
peer-ip [ vpn-instance vpn-instance-name ] } verbose command to check information
about the BFD session.
----End
3.4.5 Configuring the BFD to Modify the PST

By configuring a BFD session to modify the PST, you can speed up link fault detection by the
BFD session. This function is applicable to only single-hop BFD sessions.
Before You Start

Before configuring the modification of the PST through a BFD session, familiarize yourself with
the usage scenario and complete pre-configuration task of configuring the single-hop BFD
session and data preparation.
If the BFD can modify the Port State Table (PST), it modifies the corresponding entry in the
PST when it detects that an interface is Down. Through the PST, other upper application
protocols can acknowledge whether the interface has a fault.
Currently, for the ATN, TE FRR, LDP FRR and IP FRR based on BFD detection need to know
the BFD detection result through the PST.
You do not need to run the process-pst command on the applications that do not learn the BFD
results through the PST.
NOTE
l For the LDP FRR, refer to chapter "MPLS Basic Configuration"in the Configuration Guide - MPLS.
l IP FRR works for the public network and for the private network. For information about the IP FRR
for the public network, refer to Chapter 10 "Routing Policy Configuration" in the Configuration Guide
- IP Routing.
l For information about the IP FRR for the private network, refer to Chapter 4 "BGP MPLS IP VPN
Configuration" in the Configuration Guide - VPN.
Before configuring the BFD to modify the PST, complete the task of 3.4.2 Configuring Singlehop BFD.
Data Preparation
To configure the BFD to modify the PST, you need the following data.
Issue 02 (2013-12-31)
No.
Data
Configuration name of the BFD session

813

Equipment
3 Reliability

Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
bfd


NOTE
correctly.
----End
Permitting the BFD to Modify the PST

By permitting a BFD session to modify the PST, you can sense the fault detected by the BFD
session through the PST.
Context
Perform the following steps on the ATN that learns the BFD results through the PST:
Procedure
Step 1 Run:
system-view

Step 2 Run:
bfd bfd-name
Issue 02 (2013-12-31)

814

Equipment
3 Reliability

Step 3 Run:
process-pst
The BFD is permitted to modify the PST.

By default, the BFD does not modify the PST.
NOTE
l The process-pst command cannot be configured on logical interfaces, such as Eth-Trunk and VLANIF
interfaces.
l After creating a BFD session, if you need to modify session parameters such as process-pst, processinterface-status, min-tx-interval, min-rx-interval, detect-multiplier, tos-exp (BFD session view),
wtr, and description, you can directly run the corresponding commands without running the
commit command, and the modification takes effect immediately.
For the configuration of the WTR for the BFD session, see "Configuring the BFD WTR."
Step 4 Run:
commit
The configurations are committed.

----End

By viewing the enabling status of a PST, you can check whether the configurations are
successful.
Prerequisites
The configurations of the BFD to modify the PST function are complete.
Procedure
l
Run the display bfd session { all | discriminator discr-value | dynamic | peer-ip peerip [ vpn-instance vpn-instance-name ] | static } [ verbose ] command to check the BFD
session.
----End
3.4.6 Configuring the Multi-Hop BFD

By configuring a multi-hop BFD session, you can fast detect and monitor multi-hop links on a
network.
Before You Start

Before configuring a multi-hop BFD session, familiarize yourself with the usage scenario and
data preparation.
Issue 02 (2013-12-31)

815

Equipment
3 Reliability
To rapidly detect the faults occur during IP ATN forwarding, configure the multi-hop BFD.
Before configuring multi-hop BFD, complete the following tasks:
l
Correctly connect each interface and configuring IP addresses for them.
Configure a routing protocol to ensure that the network layer is reachable.
Data Preparation
To configure the multi-hop BFD, you need the following data.
No.
Data
Remote IP address
BFD session parameters: local discriminator and remote discriminator
BFD mode: asynchronous mode

You can perform related BFD configurations only after enabling BFD globally.
Context
Perform the following procedure on the ATN:
Procedure
Step 1 Run:
system-view

Step 2 Run:
bfd

----End
Setting Up a BFD Session

By creating a BFD session on both ends of a multi-hop link, you can fast detect faults on the
multi-hop link.
Issue 02 (2013-12-31)

816

Equipment
3 Reliability
Context
Perform the following steps on the ATN:
Procedure
Step 1 Run:
system-view

Step 2 l For an IPv4 link:
Run the bfd bfd-name bind peer-ip peer-ip [ vpn-instance vpn-instance-name ] [ sourceip source-ip ] [ track-interface { { interface { interface-name | interface-type interfacenumber } } | { controller { interface-name | interface-type interface-number } } } ] command
to configure a BFD session.
When a BFD session is first set up, you must bind the peer IP address to it. After the BFD
session is set up, you cannot modify it.
When the BFD configuration items are created, the system checks only the format of the
IP address rather than the correctness. The BFD session cannot be established if incorrect
peer IP address or source IP address is bound.
When BFD and URPF are used together, URPF checks the source IP address of received
packets. When creating a BFD binding, you need to specify the source IP address of the
BFD packet in case the BFD packet is incorrectly discarded.
Step 3 Configure the discriminators.
l Run:
The local discriminator is configured.

l Run:
The remote discriminator is configured.

NOTE
The local discriminator of the local device corresponds to the remote discriminator of the remote device,
and the remote discriminator of the local device corresponds to the local discriminator of the remote device.
The local discriminator of the local device must be the same as the remote discriminator of the remote
device. Otherwise, the session cannot be correctly set up. After the local and remote discriminators are
configured, they cannot be modified.
Step 4 Run:
commit

NOTE
When setting up a BFD session, you must run the commit command after configuring necessary
parameters, such as local and remote discriminators; otherwise, the session cannot be set up.
----End
Issue 02 (2013-12-31)

817

Equipment
3 Reliability

By viewing the status and type of a BFD session, you can check whether the configurations are
successful.
Prerequisites
The configurations of the multi-hop BFD function are complete.
Context
NOTE
Only after the parameters of the session are set and the session is set up, you can view the information on
the session.
Procedure
l
command to check BFD configurations.
Run the display bfd interface [ interface-type interface-number ] command to check BFD
interfaces.
Run the display bfd session { all | discriminator discr-value | dynamic | peer-ip peerip [ vpn-instance vpn-instance-name ] | static } [ verbose ] command to check information
Run the display bfd statistics command to check the global statistics of the BFD sessions.
Run the display bfd statistics session { all | static | dynamic | discriminator discrvalue | peer-ip peer-ip [ vpn-instance vpn-instance-name ] }command to check statistics
----End
3.4.7 Configuring a BFD Session with Automatically Negotiated

Discriminators
A static BFD session with automatically negotiated discriminators is configured to check the
interworking between a device and another device on which a BFD session has been dynamically
established. The static BFD session with automatically negotiated discriminators is applicable
to static routes.
Before You Start

Before configuring a static BFD session with automatically negotiated discriminators,
data required for the configuration.
If a dynamic BFD session is used by a remote device, a static BFD session with automatically
negotiated discriminators must be created on a local device to interwork with the remote device
and support a static route tracking BFD.
Issue 02 (2013-12-31)

818

Equipment
3 Reliability
Before configuring a BFD session with automatically negotiated discriminators, complete the
following tasks:
l
Correctly connect interfaces.
Correctly configure an IP address for a Layer 3 interface.
Data Preparation
No.
Data
Name of a BFD session
IP addresses of local and remote ends of a link checked by BFD, and name and
number of the local interface

You can perform related BFD configurations only after enabling BFD globally.
Context
Perform the following procedure on the ATN that uses a static BFD session with automatically
negotiated discriminators to detect link faults:
Procedure
Step 1 Run:
system-view

Step 2 Run:
bfd

----End
Configuring a BFD Session

A static BFD session with automatically negotiated discriminators is configured to rapidly detect
link faults.
Context
Perform the following steps on the ATN on which a static BFD session with automatically
negotiated discriminators is used to detect link faults:
Issue 02 (2013-12-31)

819

Equipment
3 Reliability
Procedure
l
To configured BFD for IPv4,

1.
Run:
system-view

2.
Run:
bfd bfd-name bind peer-ip ip-address [ vpn-instance-name vpn-name ]
[ interface interface-type interface-number ] source-ip ip-address auto
A static BFD session with automatically negotiated discriminators is set up.

The source IP address must be specified.
The peer IP address must be specified and is not a multicast IP address.
----End

By viewing the type of a BFD session, you can check whether the configurations are successful.
Prerequisites
The configurations of a BFD session with automatically negotiated discriminators are complete.
Procedure
l
peer-ip [ vpn-instance vpn-instance-name ] } verbose command to check information
----End
3.4.8 Configuring the Delay of a BFD Session to Go Up

In certain scenarios a BFD session is configured to go Up after a delay. Setting a delay for a
BFD session status change to Up can prevent traffic loss that occurs if an interface goes Up
before the routing protocol.
Before You Start

Before configuring a delay for a BFD session status change to Up, familiarize yourself with the
usage scenario, complete the pre-configuration tasks, and obtain the data required for the
configuration.
If BFD is Up on a network, the interface bound to BFD goes Up and traffic can be switched
back to the interface. If the interface goes Up before the status of the routing protocol changes,
no route is available for forwarding and switching back traffic. As a result, traffic is dropped.
The time when the routing protocol goes Up and the time when the interface goes Up must be
synchronous.
Issue 02 (2013-12-31)

820

Equipment
3 Reliability
Before configuring the delay of BFD session status change to Up, ensure that the ATN runs
properly.
Data Preparation
No.
Data
Delay time
Configuring the Delay for BFD Session Status Change to Up

The delay for BFD session status change to Up is configured to prevent traffic loss in special
scenarios.
Context
Perform the following procedure on the ATNs on which the setup of the BFD session needs to
be delayed:
Procedure
Step 1 Run:
system-view

Step 2 Run:
bfd

Step 3 Run:
delay-up seconds
The length of the delay before a BFD session goes Up is set.

By default, the delay time is 0 seconds.
----End

By viewing the delay of a BFD session to go Up, you can check whether the configurations are
successful.
Prerequisites
The configurations of the delay of a BFD session to go Up are complete.
Issue 02 (2013-12-31)

821

Equipment
3 Reliability
Procedure
Step 1 Run the display bfd statistics command to check statistics about global BFD.
----End
3.4.9 Adjusting BFD Parameters

Adjusting BFD parameters allows a BFD session to check network links effectively and quickly.
Before You Start

Before adjusting BFD parameters, familiarize yourself with the usage scenario and complete
pre-configuration task for a BFD session, and obtain data required for configuring the BFD
session.
After a BFD session is set up, the sending interval, receiving interval, and local detection
multiplier are adjusted on the basis of network status and performance requirements.
The Wait to Recovery (WTR) time for a BFD session is set to prevent frequent master/slave
switchovers caused by BFD session flapping.
The description of a BFD session is added to describe a link monitored by a BFD session.
If none of the preceding parameters is set, the default configurations are used.
Before adjusting BFD parameters, you need to set up a BFD session.
Data Preparation
To adjust BFD parameters, you need the following data.
No
Data
Local intervals at which BFD packets are sent and received
Local BFD detection multiplier
Modifying the Detection Time

Modifying the BFD detection time allows a BFD session to effectively detect faults on network
links.
Context
Issue 02 (2013-12-31)

822

Equipment
3 Reliability
Procedure
Step 1 Run:
system-view

Step 2 Run:
bfd bfd-name

Step 3 Run:
min-tx-interval interval
The sending interval is set.

By default, the interval at which BFD packets are sent is 10 milliseconds.
Step 4 Run:
min-rx-interval interval
The receiving interval is set.

By default, the interval at which BFD packets are sent is 10 milliseconds.
Step 5 Run:
detect-multiplier multiplier
The local detection multiplier is set.

By default, the local detection multiplier is 3.
NOTE
l Effective local sending interval = MAX { Configured local interval at which BFD packets are sent,
Remotely configured interval at which BFD packets are received }; Effective local interval at which
BFD packets are received = MAX { Configured remote interval at which BFD packets are sent,
Configured local interval at which BFD packets are received }; Effective local detection interval =
Effective local interval at which BFD packets are received x Configured remote detection multiplier
l To modify a parameter after a BFD session has been created, run a corresponding command (such as
process-pst, process-interface-status,min-tx-interval, min-rx-interval, detect-multiplier, tos-exp
(BFD session view), wtr, or description). The modification takes effect immediately without the
commit command configured.
----End
Follow-up Procedure
To efficiently use system resources, when detecting that a BFD session goes Down, the system
automatically adjusts the intervals at which BFD control packets are sent and received to a
random value larger than 1000 milliseconds. After the BFD session goes Up, the configured
intervals recover.
NOTE
To meet the requirement for fast detection, BFD draft defines that the sending interval and the receiving
interval are at microsecond level. On most devices, BFD detection is performed only at millisecond level,
and the processing inside the devices is at microsecond level.
Issue 02 (2013-12-31)

823

Equipment
3 Reliability
Configuring the BFD WTR

The wait to restore (WTR) time for a BFD session is used to prevent frequent master/slave
switchovers triggered by BFD session flapping.
Context
The WTR time for a BFD session is used to prevent frequent master/slave switchovers caused
by BFD session flapping. If a BFD session changes from Down to Up, BFD reports the change
to an upper-layer application after the WTR time expires.
Procedure
Step 1 Run:
system-view

Step 2 Run:
bfd bfd-name

Step 3 Run:
wtr wtr-value
The WTR is configured.

By default, the WTR is 0.
NOTE
l As a BFD session takes effect on a unidirectional path, the WTR time at both ends of the path must be
the same. If the WRT time on one end is different from that on the other end, applications on the two
ends detect different BFD status after the BFD status on one end changes.
l To modify a parameter after a BFD session has been created, run a corresponding command (such as
l The modification of WTR takes effect after the old WTR end. The modification takes effect
immediately if the BFD configured anew.
----End
Adding the Description of a BFD Session

Descriptions of BFD sessions help you distinguish between different BFD sessions.
Context
NOTE
The description command takes effect only on statically configured BFD sessions not on BFD sessions
that are dynamically configured or BFD sessions that are created by using automatically negotiated
discriminators.
Issue 02 (2013-12-31)

824

Equipment
3 Reliability
Procedure
Step 1 Run:
system-view

Step 2 Run:
bfd bfd-name

Step 3 Run:
description description
The description of a BFD session is added.

description is a string of 1 to 51 characters.
The default description of a BFD session is Null.
You can run the undo description command to delete the description of a BFD session.
NOTE
To modify a parameter after a BFD session has been created, run a corresponding command (such as
----End
Setting the Priority of a BFD Session

A priority can be set for a BFD session. Packets of a BFD session with high priority can be
preferentially transmitted.
Procedure
l
Setting the Priority for a static BFD Session

1.
Run:
system-view

2.
Run:
bfd bfd-name

3.
Run:
tos-exp tos-value
The priority of the static BFD session is set.

tos-value is an integer ranging from 0 to 7.
Issue 02 (2013-12-31)

825

Equipment
3 Reliability
NOTE
To modify a parameter after a BFD session has been created, run a corresponding command
(such as process-pst, process-interface-status,min-tx-interval, min-rx-interval, detectmultiplier, wtr, or description). The modification takes effect immediately without the
Setting the Priority for all the dynamic BFD Sessions

1.
Run:
system-view

2.
Run:
bfd
BFD is enabled globally and the BFD global view is displayed.

3.
Run:
tos-exp
tos-value dynamic
The priority of all the dynamic BFD sessions and static BFD sessions with
automatically negotiated discriminators is set.
tos-value is an integer ranging from 0 to 7.
----End

By viewing the adjusted BFD parameters, you can check whether the configurations are
successful.
Prerequisites
The configurations for BFD parameter adjustment are complete.
Context
NOTE
Information about a BFD session is viewed only after parameters of the BFD session have been set and
the session has been created.
Procedure
l
to check BFD configurations.
Run the display bfd session { all | discriminator discr-value | dynamic | peer-ip peerip [ vpn-instance vpn-instance-name ] | static } [ verbose ] to check information about a
BFD session.
----End
Issue 02 (2013-12-31)

826

Equipment
3 Reliability
3.4.10 Globally Configuring the Destination Port Number for the

Multi-Hop BFD Control Packet
By configuring a global destination port number for multi-hop BFD control packets, you can
implement the interworking between the local device and a device running an earlier version,
and between a Huawei device and a non-Huawei device.
Before You Start

Before configuring a global destination port number for multi-hop BFD control packets,
the required data.
The BFD control packet is encapsulated in the UDP packet for transmission, using the source
port in the range of 49152 to 65535 and destination port 3784 or 4784. According to the
RFC5883, the destination port 4784 is used for the multi-hop BFD control packet. On the
ATN of the earlier version, however, destination port 3784 is used for the multi-hop BFD control
packet.
The destination port number of the multi-hop BFD control packet can be configured globally
according to the requirements:
l
To interwork with the device running the version earlier than the ATN, the device running
the ATN can be configured with destination port 3784 for the multi-hop BFD control
packet.
To interwork with the non-Huawei device, the device running the ATN can be configured
with destination port 4784 for the multi-hop BFD control packet.
Before globally configuring the destination port number for the multi-hop BFD control packet,
complete the following tasks:
l
Install the device and turning it on properly.
Connect interfaces correctly.
Data Preparation
To globally configure the destination port number for the multi-hop BFD control packet, you
Issue 02 (2013-12-31)
No.
Data
Name of the device

827

Equipment
3 Reliability
Globally Configuring the Destination Port Number

You can configure a global destination port number for multi-hop BFD control packets according
to the specified devices running a distinct version or the specified vendor's devices.
Context
Perform the following steps on each device:
Procedure
Step 1 Run:
system-view

Step 2 Run:
bfd
BFD is enabled globally on the local node and the BFD view is displayed.
Step 3 Run:
multi-hop destination-port { 3784 | 4784 }
The destination port number is configured globally for the multi-hop BFD control packet.
NOTE
If destination port 3784 is used by the multi-hop BFD control packets on a ATN, the ATN can successfully
negotiate with the ATN on which destination port 4784 is used by the multi-hop BFD control packets. At
the same time, on the ATN that is configured with destination port 3784, destination port 3784 is
automatically updated to destination port 4784. To change the destination port number, run the
shutdown command to terminate the BFD session on destination port, then, run the multi-hop destinationport command on destination ports 4784 and 3784, and finally run the undo shutdown command to restore
the BFD session.
----End

By viewing the destination port number and TTL in multi-hop BFD control packets, you can
check whether the configurations are successful.
Prerequisites
All global configurations of the destination port number of the multi-hop BFD control packet
are completed.
Context
NOTE
You can view information about the BFD session and its statistics only after only after BFD session
parameters are configured and the BFD session is set up successfully.
Issue 02 (2013-12-31)

828

Equipment
3 Reliability
Procedure
l
Run the display bfd session { all | discriminator discr-value | dynamic | peer-ip peerip [ vpn-instance vpn-instance-name ] | static } [ verbose ] [ slot slot-id ] command to
view information about the BFD session.
Run the display bfd statistics command to view information about statistics of global BFD.
----End
3.4.11 Configuring the TTL Function Globally

Configuring the TTL globally helps you connect the current device and a device running an early
version.
Before You Start

Before configuring the TTL globally, familiarize yourself with the usage scenario, complete the
pre-configuration tasks, and obtain the required data. This helps you complete the configuration
If devices running different versions interwork with each other, the TTL values and detection
modes on both ends of a BFD session are different, resulting in BFD packet loss. The TTL is
set globally to enable Huawei devices to interwork with Huawei devices running different
ATN versions and non-Huawei devices.
Before configuring the TTL globally, complete the following tasks:
l
Connect interfaces correctly.
Configure the IP address of each Layer 3 interface correctly.
Data Preparation
To configure the TTL globally, you need the following data.
No.
Data
Name and number of each interface
Configuring the TTL Globally

Context
Issue 02 (2013-12-31)

829

Equipment
3 Reliability
Procedure
Step 1 Run:
system-view

Step 2 Run:
bfd
BFD is enabled globally on the local device and the BFD view is displayed.
Step 3 Run:
peer-ip peer-ip mask-length ttl { single-hop | multi-hop } ttl-value
The TTL in BFD control packets is set.

NOTE
l By default, in a static BFD session, the TTL for single-hop BFD packets is 255, and the TTL for multihop BFD packets is 254; in a dynamic BFD session, the TTL for single-hop BFD packets is 255 and
the TTL for multi-hop BFD packets is 253.
l If a TTL is set for packets in a multi-hop BFD session that is in the same segment as a single-hop BFD
session, the single BFD session must be configured with the same IP address, a longer mask than that
for the multi-hop BFD session, and a TTL.
----End

By viewing the global TTL in BFD control packets, you can check whether the configurations
are successful.
Prerequisites
The configurations of the global TTL are completed.
Procedure
l
Run the display bfd session { all | discriminator discr-value | dynamic | peer-ip peerip [ vpn-instance vpn-instance-name ] | static } [ verbose ] command to view information
about the BFD session.
Run the display bfd ttl command to view information about the globally configured TTL.
----End
3.4.12 Configuring the Interval for Trap Messages Are Sent

The interval at which trap messages are sent is set, helping a device to suppress BFD trap
messages.
Before You Start

Before configuring the interval at which trap messages are sent, familiarize yourself with the
configuration.
Issue 02 (2013-12-31)

830

Equipment
3 Reliability
If BFD is enabled with the SNMP trap function, the NMS receives messages indicating that the
BFD session is Up or Down. If the BFD session flaps, the NMS will receive a large number of
trap messages. In this case, BFD trap messages need to be suppressed. Setting the interval at
which trap messages are sent prevents overflow of trap messages.
Before configuring the interval at which trap messages are sent, enable BFD globally.
Data Preparation
To configure the interval at which trap messages are sent, you need the following data.
No.
Data
Interval at which trap messages are sent
Configuring the Interval at Which Trap Messages Are Sent

When BFD sessions flap, the NMS receives a great number of trap messages. The interval at
which trap messages are sent is set, helping a device suppress trap messages.
Context
Perform the following steps on the ATN that needs to be configured with the interval at which
trap messages are sent:
Procedure
Step 1 Run:
system-view

Step 2 Run:
bfd
BFD is enabled globally, and the global BFD view is displayed.

Step 3 Run:
snmp-agent bfd trap-interval interval
The interval at which trap messages are sent is set.

By default, the interval at which trap messages are sent is 120 seconds.
----End
Issue 02 (2013-12-31)

831

Equipment
3 Reliability

By viewing the interval at which trap messages are sent, you can check whether the
configurations are successful.
Prerequisites
The configurations of the interval at which trap messages are sent are complete.
Procedure
l
Run the display current-configuration configuration bfd command to view the

configuration of the BFD trap function.
----End
3.4.13 Maintaining BFD

This section describes how to maintain BFD by deleting BFD statistics, and monitoring BFD
operations.
Clearing BFD Statistics

Deleting previous BFD statistics is recommended before BFD statistics within a specified period
of time are collected.
Context
NOTICE
BFD statistics cannot be restored after being deleted. Exercise caution when using the command.
Procedure
Step 1 Run the reset bfd statistics { all | discriminator discr-value } command in the user view to
delete BFD statistics.
----End
Monitoring BFD Status

Monitoring BFD status is to view information about BFD during the operation.
Context
The following commands are run in any view during routine maintenance to show the BFD
status.
Issue 02 (2013-12-31)

832

Equipment
3 Reliability
Procedure
l
command in any view to check BFD configurations.
Run the display bfd interface [ interface-type interface-number ] command in any view
to check information about an interface enabled with BFD.
peer-ip [ vpn-instance vpn-instance-name ] } [ verbose ] command in any view to check
information about a BFD session.
Run the display bfd statistics command in any view to check statistics about global BFD.
Run the display bfd statistics session { all | static | dynamic | discriminator discrvalue | peer-ip peer-ip [ vpn-instance vpn-instance-name ] } command in any view to
check statistics about a BFD session.
----End

The following sections provide several examples for configuring fast BFD link detection. Each
configuration example consists of the networking requirements, configuration roadmap,
configuration procedures, and configuration files.
Example for Configuring One-Hop BFD for Layer 3 Physical Link

In this example, by configuring a single-hop BFD session to detect a Layer 3 physical link, you
can fast detect and monitor a direct link of a network.
As shown in Figure 3-21, the asynchronous mode of the BFD is used to detect the directly
connected link between ATN And CX600.
Figure 3-21 Networking diagram of configuring the one-hop BFD
GE1/0/0
10.1.1.2/24
GE0/2/0
10.1.1.1/24
W
CX600
ATN
1.
Issue 02 (2013-12-31)
Configure a BFD session on ATN to detect the directly-connected link between ATN and
CX600.
833

Equipment
2.
3 Reliability
Configure a BFD session on CX600 to detect the directly-connected link between CX600
and ATN.
Data Preparation
l
Peer IP address of the BFD
The local interface of sending and receiving the BFD control packets
The local discriminator and remote discriminator of the BFD session

NOTE
The minimum sending interval, the minimum receiving interval, and the local detection multiplier of the
BFD Control packet adopt the default values.
Procedure
Step 1 Configure IP addresses of the directly-connected interfaces on ATN and CX600.
# Configure the IP address of the interface on ATN.
[HUAWEI] sysname ATN
[ATN] interface GigabitEthernet 0/2/0
[ATN-GigabitEthernet0/2/0] undo shutdown
[ATN-GigabitEthernet0/2/0] ip address 10.1.1.1 24
[ATN-GigabitEthernet0/2/0] quit
# Configure the IP address of the interface on CX600.

[HUAWEI] sysname CX600
[CX600] interface GigabitEthernet 1/0/0
[CX600-GigabitEthernet1/0/0] undo shutdown
[CX600-GigabitEthernet1/0/0] ip address 10.1.1.2 24
[CX600-GigabitEthernet1/0/0] quit
Step 2 Configure the one-hop BFD.

# Enable the BFD on ATN, set up the BFD session with CX600 and bind the interface to BFD
session.
[ATN] bfd
[ATN-bfd] quit
[ATN] bfd atob bind peer-ip 10.1.1.2 interface GigabitEthernet0/2/0
[ATN-bfd-session-atob] discriminator local 1
[ATN-bfd-session-atob] discriminator remote 2
[ATN-bfd-session-atob] wtr 5
[ATN-bfd-session-atob] commit
[ATN-bfd-session-atob] quit
# Enable the BFD on CX600, set up the BFD session with ATN, and bind the interface to the
BFD session.
[CX600] bfd
[CX600-bfd] quit
[CX600] bfd atob bind peer-ip 10.1.1.1 interface GigabitEthernet 1/0/0
[CX600-bfd-session-atob] discriminator local 2
[CX600-bfd-session-atob] discriminator remote 1
[CX600-bfd-session-btoa] min-tx-interval 10
[CX600-bfd-session-btoa] min-rx-interval 10
[CX600-bfd-session-btoa] wtr 5
Issue 02 (2013-12-31)

834

Equipment
3 Reliability
[CX600-bfd-session-atob] commit
[CX600-bfd-session-atob] quit

After the configurations, run the display bfd session all verbose command on ATN and CX600,
and you can view that a one-hop BFD session is set up and its status is Up.
Take the display on ATN as an example.
<ATN> display bfd session all verbose
-------------------------------------------------------------------------------Session MIndex : 256
(One Hop) State : Up
Name : atob
-------------------------------------------------------------------------------Local Discriminator
: 1
Remote Discriminator
: 2
Session Detect Mode
: Asynchronous Mode Without Echo Function
BFD Bind Type
: Interface(GigabitEthernet0/2/0)
Bind Session Type
: Static
Bind Peer Ip Address
: 10.1.1.2
NextHop Ip Address
: 10.1.1.2
Bind Interface
FSM Board Id
: 1
TOS-EXP
: 7
Min Tx Interval (ms)
: 10
Min Rx Interval (ms)
: 10
Actual Tx Interval (ms): 10
Actual Rx Interval (ms): 10
Local Detect Multi
: 3
Detect Interval (ms)
: 30
Echo Passive
: Disable
Acl Number
: -Destination Port
: 3784
TTL
: 255
Proc interface status : Disable
Process PST
: Disable
WTR Interval (ms)
: 300000
Active Multi
: 3
Last Local Diagnostic : No Diagnostic
Bind Application
: No Application Bind
Session TX TmrID
: -Session Detect TmrID
: -Session Init TmrID
: -Session WTR TmrID
: 5
Session Echo Tx TmrID : -PDT Index
: FSM-0|RCV-0|IF-0|TOKEN-0
Session Description
: --------------------------------------------------------------------------------Total UP/DOWN Session Number : 1/0
----End
Configuration Files
l
Configuration file of ATN

#
sysname ATN
#
bfd
#
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
bfd atob bind peer-ip 10.1.1.2 interface GigabitEthernet0/2/0
wtr 5
commit
#
return
Configuration file of CX600

#
sysname CX600
#
Issue 02 (2013-12-31)

835

Equipment
3 Reliability
bfd
#
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
bfd btoa bind peer-ip 10.1.1.1 interface GigabitEthernet1/0/0
wtr 5
commit
#
return
Example for Configuring One-Hop BFD for Layer 3 Eth-Trunk

In this example, by configuring single-hop BFD sessions on Eth-Trunk interfaces, you can fast
detect and monitor direct links between Eth-Trunk interfaces.
Networking requirements
As shown in Figure 3-22, an Eth-Trunk that consists of two GE links exists between ATN and
CX600.
Perform the BFD on the Eth-Trunk link.
Figure 3-22 Networking diagram of configuring one-hop BFD for Layer 3 Eth-Trunk
GE0/2/0
ATN
GE0/2/4
GE1/0/0
Eth-Trunk1
100.1.1.1/24
Eth-Trunk1
100.1.1.2/24
GE2/0/0
CX600
1.
Create an Eth-Trunk interface.
2.
Configure the one-hop BFD for the Eth-Trunk link.
Data Preparation
To configure the one-hop BFD for a Layer 3 Eth-Trunk interface, you need the following data:
l
IP address of the BFD peer, that is, the IP address of the peer Eth-Trunk interface
Local Eth-Trunk interface that sends and receives BFD Control packets
Local discriminator and remote discriminator of the BFD session

NOTE
Issue 02 (2013-12-31)

836

Equipment
3 Reliability
Procedure
Step 1 Configure an Eth-Trunk interface.
# Create an Eth-Trunk interface on ATN and set the lower threshold of the Up links of the EthTrunk to 1.
NOTE
By default, the lower threshold of the Up links of the Eth-Trunk is 1. In other networking environments,
you can configure as required.
[ATN] interface eth-trunk 1
[ATN-Eth-Trunk1] undo shutdown
[ATN-Eth-Trunk1] ip address 100.1.1.1 24
[ATN-Eth-Trunk1] least active-linknumber 1
[ATN-Eth-Trunk1] quit
[ATN] interface gigabitethernet 0/2/0
[ATN-GigabitEthernet0/2/0] eth-trunk 1
[ATN-GigabitEthernet0/2/4] eth-trunk 1
# Create an Eth-Trunk interface on CX600 and set the lower threshold of the Up links of the
Eth-Trunk to 1.
[CX600] interface eth-trunk 1
[CX600-Eth-Trunk1] undo shutdown
[CX600-Eth-Trunk1] ip address 100.1.1.2 24
[CX600-Eth-Trunk1] least active-linknumber 1
[CX600-Eth-Trunk1] quit
[CX600] interface gigabitethernet 1/0/0
[CX600-GigabitEthernet1/0/0] eth-trunk 1
[CX600-GigabitEthernet2/0/0] eth-trunk 1
After these configurations are complete, running the display interface eth-trunk command on
ATN or CX600, you can find that the status of the interface is Up.
[ATN] display interface eth-trunk 1
Eth-Trunk1 current state : UP
Line protocol current state : UP
Last line protocol up time: 2007-11-19, 12:17:09
Description: Eth-Trunk1 Interface
Route Port,Hash arithmetic : According to flow,Maximal BW: 4G, Current BW: 4G, The
Maximum Transmit Unit is 1500
Internet Address is 100.1.1.1/24
IP Sending Frames" Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc90-5851
Physical is ETH_TRUNK
Last 300 seconds input rate 0 bits/sec, 0 packets/sec
Last 300 seconds output rate 0 bits/sec, 0 packets/sec
Realtime 0 seconds input rate 0 bits/sec, 0 packets/sec
Realtime 0 seconds output rate 0 bits/sec, 0 packets/sec
Issue 02 (2013-12-31)

837

Equipment
3 Reliability
Input: 0 packets,0 bytes

0 unicast,0 broadcast,0 multicast
0 errors,0 drops
Output:0 packets,0 bytes
0 errors,0 drops
Input bandwidth utilization : 0.00%
Output bandwidth utilization : 0.01%
----------------------------------------------------PortName
Status
Weight
----------------------------------------------------GigabitEthernet0/2/0
UP
1
UP
1
----------------------------------------------------The Number of Ports in Trunk : 2
The Number of UP Ports in Trunk : 2
The Eth-Trunks of ATN and CX600 can ping though each other.
[ATN] ping -a 100.1.1.1 100.1.1.2
0.00% packet loss
ms
ms
ms
ms
ms
Step 2 Configure the one-hop BFD for Layer 3 Eth-Trunk link.

# Enable the BFD on ATN, configure the BFD session with CX600 and bind the Eth-Trunk to
the BFD session.
[ATN] bfd
[ATN-bfd] quit
[ATN] bfd atob bind peer-ip 100.1.1.2 interface eth-trunk 1
# Enable the BFD on CX600, configure the BFD session with ATN and bind the Eth-Trunk to
the BFD session.
[CX600] bfd
[CX600-bfd] quit
[CX600] bfd btoa bind peer-ip 100.1.1.1 interface eth-trunk 1
[CX600-bfd-session-btoa] discriminator local 20
[CX600-bfd-session-btoa] discriminator remote 10
[CX600-bfd-session-btoa] commit
[CX600-bfd-session-btoa] quit

After the configurations are complete, running the display bfd session all verbose command
on ATN and CX600, you can find a one-hop BFD session is set up and its status is Up.
[ATN] display bfd session all verbose
--------------------------------------------------------------------------------
Issue 02 (2013-12-31)

838

Equipment
3 Reliability
Session MIndex : 256

Name : atob
: 10
: 20
Session Detect Mode
BFD Bind Type
: Interface(Eth-Trunk1)
Bind Session Type
: Static
: 100.1.1.2
NextHop Ip Address
: 100.1.1.2
Bind Interface
: Eth-Trunk1
FSM Board Id
: 1
TOS-EXP
: 7
: 10
: 10
Local Detect Multi
: 3
: 30
Echo Passive
: Disable
Acl Number
: -Destination Port
: 3784
TTL
: 255
Process PST
: Disable
WTR Interval (ms)
: 300000
Active Multi
: 3
Bind Application
Session TX TmrID
: 5
PDT Index
Session Description
Run the shutdown command on the GE 0/2/0 of ATN to simulate the link fault.
[ATN-GigabitEthernet1/0/0] shutdown
Running the display bfd session all verbose command and the display interface eth-trunk
command on ATN and CX600, you can find that the status of the BFD session and the EthTrunk is still Up.
-------------------------------------------------------------------------------Session MIndex : 256
Name : atob
: 10
: 20
Session Detect Mode
BFD Bind Type
Bind Session Type
: Static
: 100.1.1.2
NextHop Ip Address
: 100.1.1.2
Bind Interface
: Eth-Trunk1
FSM Board Id
: 1
TOS-EXP
: 7
: 10
: 10
Local Detect Multi
: 3
: 30
Echo Passive
: Disable
Acl Number
: -Destination Port
: 3784
TTL
: 255
Process PST
: Disable
WTR Interval (ms)
: 300000
Active Multi
: 3
Bind Application
Session TX TmrID
: 5
PDT Index
Session Description
Issue 02 (2013-12-31)

839

Equipment
3 Reliability

0 errors,0 drops
0 errors,0 drops
----------------------------------------------------PortName
Status
Weight
DOWN
1
UP
1
Run the shutdown command on the 0/2/4 of ATN to simulate the link fault.
Running the display bfd session all verbose command and the display interface eth-trunk
command on ATN and CX600, you can find that status of the BFD session and that of the EthTrunk interface become Down.
-------------------------------------------------------------------------------Session MIndex : 256
(One Hop) State : Down
Name : atob
: 10
: 20
Session Detect Mode
BFD Bind Type
Bind Session Type
: Static
: 100.1.1.2
NextHop Ip Address
: 100.1.1.2
Bind Interface
: Eth-Trunk1
FSM Board Id
: 1
TOS-EXP
: 7
: 10
: 10
Local Detect Multi
: 3
: 30
Echo Passive
: Disable
Acl Number
: -Destination Port
: 3784
TTL
: 255
Process PST
: Disable
WTR Interval (ms)
: 300000
Active Multi
: 3
Last Local Diagnostic : Control Detection Time Expired
Bind Application
Session TX TmrID
: 5
PDT Index
Session Description
Eth-Trunk1 current state : Down
Line protocol current state : Down
Issue 02 (2013-12-31)

840

Equipment
3 Reliability

0 errors,0 drops
0 errors,0 drops
----------------------------------------------------PortName
Status
Weight
DOWN
1
DOWN
1
----End
Configuration Files
l

#
sysname ATN
#
bfd
#
undo shutdown
ip address 100.1.1.1 255.255.255.0
#
undo shutdown
eth-trunk 1
#
undo shutdown
eth-trunk 1
#
bfd atob bind peer-ip 100.1.1.2 interface Eth-Trunk 1
wtr 5
commit
#
return

#
sysname CX600
#
bfd
#
undo shutdown
ip address 100.1.1.2 255.255.255.0
Issue 02 (2013-12-31)

841

Equipment
3 Reliability
#
undo shutdown
eth-trunk 1
#
undo shutdown
eth-trunk 1
#
bfd btoa bind peer-ip 100.1.1.1 interface Eth-Trunk 1
wtr 5
commit
#
return
Example for Configuring the Association Between the BFD Status and the Interface
Status
In this example, by associating the BFD session status with the interface status, you can trigger
fast route convergence.
As shown in Figure 3-23, a transmission devices exist on a link. When a link between
transmission devices fails, ATN and CX600 take a long time to detect the link failure. This
causes routes to take a long time to age and traffic interruption is long. In this case, you can
configure the association between the BFD sessions status and the interface status. The status
of the BFD session between GE 0/2/0 on ATN and GE 1/0/0 on CX600 can thus affect the
protocol status of these interfaces, which triggers fast route convergence.
Figure 3-23 Configuring the association between the BFD status and the interface status
GE0/2/0
GE1/0/0
ATN
CX600
1.
Configure a BFD session on ATN.
2.
Configure a BFD session on CX600.
3.
Configure the association between the BFD status and the interface status on ATN when
the BFD session is Up.
4.
Configure the association between the BFD status and the interface status on CX600 when
the BFD session is Up.
Data Preparation
Issue 02 (2013-12-31)

842

Equipment
Peer IP address detected by BFD
Local interface that sends and receives BFD Control packets
3 Reliability
NOTE
Procedure
Step 1 Configure the IP address of the interface that directly connects ATN to CX600.
# Configure the IP address of the interface on ATN.
# Configure the IP address of the interface on CX600.

Step 2 Configure the one-hop BFD detection.

# On ATN, enable BFD and configure the BFD session between ATN and CX600.
[ATN] bfd
[ATN-bfd] quit
[ATN] bfd atob bind peer-ip default-ip interface gigabitethernet 0/2/0
# On CX600, enable BFD and configure the BFD session between CX600 and ATN.
[CX600] bfd
[CX600-bfd] quit
[CX600] bfd btoa bind peer-ip default-ip interface gigabitethernet 1/0/0
# After the configuration, run the display bfd session all verbose command on ATN and CX600,
and you can view that a one-hop BFD session is established. The session is in the Up state. Take
ATN as an example:
-------------------------------------------------------------------------------Session MIndex : 16384
Name : atob
: 10
: 20
Session Detect Mode
Issue 02 (2013-12-31)

843

Equipment
3 Reliability
BFD Bind Type

Bind Session Type
: Static
: 224.0.0.184
NextHop Ip Address
: 224.0.0.184
Bind Interface
FSM Board Id
: 3
TOS-EXP
: 7
: 10
: 10
Local Detect Multi
: 3
: 30
Echo Passive
: Disable
Acl Number
: -Destination Port
: 3784
TTL
: 255
Process PST
: Disable
WTR Interval (ms)
: 300000
Active Multi
: 3
Bind Application
Session TX TmrID
: 5
PDT Index
Session Description
Step 3 Configure the association between the BFD status and the interface status.
# Configure the association between the BFD status and the interface status on ATN.
[ATN] bfd atob
[ATN-bfd-session-atob] process-interface-status
# Configure the association between the BFD status and the interface status on CX600.
[CX600] bfd btoa
[CX600-bfd-session-btoa] process-interface-status

After the configuration is complete, run the display bfd session all verbose command on ATN
and CX600, and you can view that the field Proc interface status displays Enable.
Take ATN as an example.
-------------------------------------------------------------------------------Session MIndex : 16384
Name : atob
: 10
: 20
Session Detect Mode
BFD Bind Type
Bind Session Type
: Static
: 224.0.0.184
NextHop Ip Address
: 224.0.0.184
Bind Interface
FSM Board Id
: 3
TOS-EXP
: 7
: 10
: 10
Local Detect Multi
: 3
: 30
Echo Passive
: Disable
Acl Number
: -Destination Port
: 3784
TTL
: 255
Proc interface status : Enable
Process PST
: Disable
WTR Interval (ms)
: 300000
Active Multi
: 3
Issue 02 (2013-12-31)

844

Equipment
3 Reliability
Bind Application
:IFNET
Session TX TmrID
: 5
PDT Index
Session Description
Run the shutdown command on GE 1/0/0 of CX600. You can view that the BFD session goes
Down.
[CX600-GigabitEthernet1/0/0] shutdown
Run the display bfd session all verbose and display interface gigabitethernet 1/0/0 commands
on ATN, and you can view that the status of the BFD session is Down, and the status of GE
1/0/0 is UP (BFD status down).
-------------------------------------------------------------------------------Session MIndex : 16384
Name : atob
: 10
: 20
Session Detect Mode
BFD Bind Type
Bind Session Type
: Static
: 224.0.0.184
NextHop Ip Address
: 224.0.0.184
Bind Interface
FSM Board Id
: 3
TOS-EXP
: 7
: 10
: 10
Local Detect Multi
: 3
: 30
Echo Passive
: Disable
Acl Number
: -Destination Port
: 3784
TTL
: 255
Proc interface status : Enable
Process PST
: Disable
WTR Interval (ms)
: 300000
Active Multi
: 3
Last Local Diagnostic : Neighbor Signaled Session Down
Bind Application
: IFNET
Session TX TmrID
: 5
PDT Index
Session Description
[ATN] display interface gigabitethernet 0/2/0
GigabitEthernet0/2/0 current state : UP
Line protocol current state : UP(BFD status down)
Last line protocol up time: 2008-10-16 09:25:17
Description : GigabitEthernet0/2/0 Interface, Route Port
The Maximum Transmit Unit is 1500 bytes
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fcc7-565a
The Vendor PN is HFBR-5710L
Port BW: 1G, Transceiver max BW: 1G, Transceiver Mode: MultiMode
WaveLength: 850nm, Transmission Distance: 550m
Loopback:none, full-duplex mode, negotiation: disable, Pause Flowcontrol:Send and
Receive Enable
: 2008-10-16 09:18:48
Last physical down time : 2008-10-16 09:18:42
Issue 02 (2013-12-31)

845

Equipment
3 Reliability
Input:
Broadcast: 10 packets, Jumbo: 0 packets
RxPause: 0 packets
Output:
Broadcast: 11 packets, Jumbo: 0 packets
TxPause: 0 packets
Unknown Vlan: 0 packets
----End
Configuration Files
l

#
sysname ATN
#
bfd
#
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
bfd atob bind peer-ip default-ip interface GigabitEthernet0/2/0
wtr 5
commit
#
return

#
sysname CX600
#
bfd
#
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
bfd btoa bind peer-ip default-ip interface GigabitEthernet1/0/0
commit
#
return
Example for Configuring the Association Between the BFD Status and the SubInterface Status
In this example, by associating the BFD session status with the sub-interface status, you can
improve reliability of service transmission on sub-interfaces.
Issue 02 (2013-12-31)

846

Equipment
3 Reliability
As shown in Figure 3-24, in the large-scale MAN Ethernet network that has high requirements
for reliability, a large number of services need to be configured on the sub-interface. You can
set up BFD sessions to detect the connectivity of the main interface link and configure the
association between the BFD status and the sub-interface status. This can improve the reliability
of the service on the sub-interface and save the session resources.
Figure 3-24 Association between the BFD status and the sub-interface status
GE0/2/0
ATN
GE0/2/0.1
GE1/0/0
GE1/0/0.1
CX600
1.
Configure a BFD session on ATN.
2.
Configure a BFD session on CX600.
3.
Configure the association between the BFD status and the sub-interface status when the
BFD session on ATN is Up.
4.
Configure the association between the BFD status and the sub-interface status when the
BFD session on CX600 is Up.
Data Preparation
To configure the association between the BFD status and the sub-interface status, you need the
following data:
l
IP address of the main interface on the remote end detected by BFD
Local interface that sends and receives BFD Control packets

NOTE
Procedure
Step 1 Configure the IP addresses of the main interfaces on ATN and CX600 and create the subinterface.
# Configure the IP address of the interface on ATN and create the sub-interface.
Issue 02 (2013-12-31)

847

Equipment
3 Reliability
[ATN] interface gigabitethernet 0/2/0.1
[ATN-GigabitEthernet0/2/0.1] undo shutdown
[ATN-GigabitEthernet0/2/0.1] ip address 11.1.1.1 24
[ATN-GigabitEthernet0/2/0.1] vlan-type dot1q 10
[ATN-GigabitEthernet0/2/0.1] quit
# Configure the IP address of the interface on CX600 and create the sub-interface.
[CX600] interface gigabitethernet 1/0/0.1
[CX600-GigabitEthernet1/0/0.1] undo shutdown
[CX600-GigabitEthernet1/0/0.1] ip address 11.1.1.2 24
[CX600-GigabitEthernet1/0/0.1] vlan-type dot1q 10
[CX600-GigabitEthernet1/0/0.1] quit
Step 2 Configure the one-hop BFD detection.

# On ATN, enable BFD and configure the BFD session between ATN and CX600 and bind the
session with the main interface.
[ATN] bfd
[ATN-bfd] quit
[ATN] bfd atob bind peer-ip default-ip interface gigabitethernet 0/2/0.1
# On CX600, enable BFD and configure the BFD session between CX600 and ATN and bind
the session with the main interface.
[CX600] bfd
[CX600-bfd] quit
[CX600] bfd btoa bind peer-ip default-ip interface gigabitethernet 1/0/0.1
# After the configuration is complete, run the display bfd session all verbose command on ATN
and CX600, and you can view that a one-hop BFD session is set up, and the session status is
Up.
-------------------------------------------------------------------------------Session MIndex : 16384
Name : atob
: 10
: 20
Session Detect Mode
BFD Bind Type
Bind Session Type
: Static
: 224.0.0.184
NextHop Ip Address
: 224.0.0.184
Bind Interface
FSM Board Id
: 3
TOS-EXP
: 7
: 10
: 10
Issue 02 (2013-12-31)

848

Equipment
3 Reliability

Local Detect Multi
: 3
: 30
Echo Passive
: Disable
Acl Number
: -Destination Port
: 3784
TTL
: 255
Process PST
: Disable
WTR Interval (ms)
: -Active Multi
: 3
Bind Application
Session TX TmrID
: 5
Session Description
Step 3 Configure the association between the BFD status and the sub-interface status.
# Configure the association between the BFD status and the sub-interface status on ATN.
[ATN] bfd atob
[ATN-bfd-session-atob] process-interface-status sub-if
# Configure the association between the BFD status and the sub-interface status on CX600.
[CX600] bfd btoa
[CX600-bfd-session-btoa] process-interface-status sub-if

# After the configuration is complete, run the display bfd session all verbose command on ATN
and CX600, and you can view that the field Proc interface status displays Enable (Sub-If).
-------------------------------------------------------------------------------Session MIndex : 16384
Name : atob
: 10
: 20
Session Detect Mode
BFD Bind Type
Bind Session Type
: Static
: 224.0.0.184
NextHop Ip Address
: 224.0.0.184
Bind Interface
FSM Board Id
: 3
TOS-EXP
: 7
: 10
: 10
Local Detect Multi
: 3
: 30
Echo Passive
: Disable
Acl Number
: -Destination Port
: 3784
TTL
: 255
Proc interface status : Enable (Sub-If)
Process PST
: Disable
WTR Interval (ms)
: -Active Multi
: 3
Bind Application
: IFNET
Session TX TmrID
: 5
Session Description
: --
Issue 02 (2013-12-31)

849

Equipment
3 Reliability
# Run the shutdown command on GE 1/0/0 of CX600. You can view that the BFD session goes
Down.
[CX600-GigabitEthernet1/0/0] shutdown
# Run the display bfd session all verbose and display interface gigabitethernet0/2/0.1
commands on ATN, and you can view that the status of the BFD session is Down, and the status
of GE0/2/0.1 is UP (Main BFD status down).
-------------------------------------------------------------------------------Session MIndex : 16384
Name : atob
: 10
: 20
Session Detect Mode
BFD Bind Type
Bind Session Type
: Static
: 224.0.0.184
Bind Interface
FSM Board Id
: 3
TOS-EXP
: 7
: 10
: 10
Local Detect Multi
: 3
: 30
Echo Passive
: Disable
Acl Number
: -Destination Port
: 3784
TTL
: 255
Process PST
: Disable
WTR Interval (ms)
: -Active Multi
: 3
Last Local Diagnostic : Neighbor Signaled Session Down
Bind Application
: IFNET
Session TX TmrID
: 5
Session Description
[ATN] display interface gigabitethernet 0/2/0.1
GigabitEthernet0/2/0.1 current state : UP
Line protocol current state : UP(Main BFD status down)
Route Port,The Maximum Transmit Unit is 1500 bytes
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fcc7-565a
Encapsulation dot1q Virtual LAN, Vlan number 1
Last 300 seconds input rate 0 bytes/sec, 0 packets/sec
Last 300 seconds output rate 0 bytes/sec, 0 packets/sec
Input: 0 packets,0 bytes,
0 errors,0 drops
Output:0 packets,0 bytes,
0 errors,0 drops
----End
Configuration Files
l

#
Issue 02 (2013-12-31)

850

Equipment
3 Reliability
sysname ATN
#
bfd
#
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
undo shutdown
vlan-type dot1q 10
ip address 11.1.1.1 255.255.255.0
#
bfd atob bind peer-ip 10.1.1.2 interface GigabitEthernet0/2/0.1
commit
#
return

#
sysname CX600
#
bfd
#
undo shutdown
ip address 11.1.1.2 255.255.255.0
#
undo shutdown
vlan-type dot1q 10
ip address 10.1.1.2 255.255.255.0
#
bfd btoa bind peer-ip 10.1.1.1 interface GigabitEthernet1/0/0.1
commit
#
return
Example for Configuring Multi-Hop BFD

In this example, by creating a BFD session on both ends of a multi-hop path, you can use the
BFD session to fast detect the multi-hop path.
As shown in Figure 3-25, the asynchronous mode of the BFD is used to detect the multi-hop
routes between ATN and CX-C.
Figure 3-25 Networking diagram of the multi-hop BFD
GE0/2/0
10.1.1.1/24
ATN
Issue 02 (2013-12-31)
GE1/0/0
10.1.1.2/24
POS2/0/0
10.2.1.1/24
CX-B

POS1/0/0
10.2.1.2/24
CX-C
851

Equipment
3 Reliability
1.
Configure a BFD session on ATN to detect the multi-hop routes between ATN and CX-C.
2.
Configure a BFD session on CX-C to detect the multi-hop routes between CX-C and ATN.
Data Preparation
l

NOTE
Procedure
Step 1 Configure the reachable routes between ATN, CX-B, and CX-C.
In this example, the static route is used. The detailed configuration is not mentioned here.
Step 2 Configure the multi-hop detection between ATN and CX-C.
# Configure a BFD session with CX-C on ATN.
You do not need to bind the interface.
<ATN> system-view
[ATN] bfd
[ATN-bfd] quit
[ATN] bfd atoc bind peer-ip 10.2.1.2
[ATN-bfd-session-atoc] discriminator local 10
[ATN-bfd-session-atoc] discriminator remote 20
[ATN-bfd-session-atoc] wtr 10
[ATN-bfd-session-atoc] commit
[ATN-bfd-session-atoc] quit
# Configure a BFD session with ATN on CX-C.

You do not need to bind the interface.
<CX-C> system-view
[CX-C] bfd
[CX-C-bfd] quit
[CX-C] bfd ctoa bind peer-ip 10.1.1.1
[CX-C-bfd-session-ctoa] discriminator local 20
[CX-C-bfd-session-ctoa] discriminator remote 10
[CX-C-bfd-session-ctoa] commit
[CX-C-bfd-session-ctoa] quit

After the configurations are complete, running the display bfd session all verbose command
on ATN and CX-C, you can view that a multi-hop BFD session is set up and its status is Up.
<ATN> display bfd session all
Issue 02 (2013-12-31)

852

Equipment
3 Reliability
-------------------------------------------------------------------------------Session MIndex : 256

(Multi Hop) State : Up
Name : atoc
: 10
: 20
Session Detect Mode
BFD Bind Type
: Peer Ip Address
Bind Session Type
: Static
: 10.2.1.2
Bind Interface
: -FSM Board Id
: 1
TOS-EXP
: 7
: 10
: 10
Local Detect Multi
: 3
: 30
Echo Passive
: Disable
Acl Number
: -Destination Port
: 3784
TTL
: 254
Process PST
: Disable
WTR Interval (ms)
: 600000
Active Multi
: 3
Bind Application
Session TX TmrID
: 5
PDT Index
Session Description
----End
Configuration Files
l

#
sysname ATN
#
bfd
#
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
bfd atoc bind peer-ip 10.2.1.2
wtr 10
commit
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2
#
return

#
sysname CX-B
#
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
interface Pos2/0/0
link-protocol ppp
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
return
Issue 02 (2013-12-31)

853

Equipment
3 Reliability

#
sysname CX-C
#
bfd
#
interface Pos1/0/0
link-protocol ppp
undo shutdown
ip address 10.2.1.2 255.255.255.0
#
bfd ctoa bind peer-ip 10.1.1.1
wtr 10
commit
#
ip route-static 10.1.1.0 255.255.255.0 10.2.1.1
#
return
Example for Configuring the BFD for VPN Routes

In this example, by configuring a BFD session on interfaces of a VPN, you can use the BFD
session to detect VPN routes.
Figure 3-26 shows a networking diagram of configuring the BFD for VPN routes.
l
Node B and RNC belong to VPN-A. They access the MPLS backbone network through
PE1 and PE2 respectively.
GE 1/0/0 of PE1 and GE 1/0/0 of PE2 are bound to VPN-A.
BFD in asynchronous mode is used to detect the VPN route between PE1 and PE2.
Figure 3-26 Networking diagram of configuring the BFD for VPN routes
Loopback1
2.2.2.2/32
Loopback1
1.1.1.1/32
PE1
GE0/2/0
10.1.1.2/24
GE1/0/0
172.1.1.2/24
GE0/2/4
172.1.1.1/24
GE1/0/0
10.1.1.1/24
Loopback1
3.3.3.3/32
POS2/0/0
172.2.1.1/24
POS2/0/0
172.2.1.2/24
P
MPLS Backbone
AS:100
GE1/0/0
10.2.1.2/24
GE1/0/0
10.2.1.1/24
NodeB
VPN-A
AS:65410
Issue 02 (2013-12-31)
PE2

RNC
VPN-A
AS:65420
854

Equipment
3 Reliability
1.
Configure a BFD session on PE1 to detect the multi-hop path from PE1 to PE2.
2.
Configure a BFD session on PE2 to detect the multi-hop path from PE2 to PE1.
Data Preparation
To configure the BFD for VPN routes, you need the following data:
l

NOTE
Procedure
Step 1 Configure the MPLS backbone network to interconnect PE1 and PE2. The configuration details
are not mentioned here.
Step 2 Configure the VPN instance. The configuration details are not mentioned here.
Step 3 Configure the VPN route between PE1 and PE2 to be reachable. The configuration details are
not mentioned here.
After the configuration is complete, PE1 can ping through the IP address of GE 1/0/0 on PE2.
<PE1> ping -vpn-instance vpna 10.2.1.2
0.00% packet loss
ms
ms
ms
ms
ms
Step 4 Configure the detection on the VPN route between PE1 and PE2.
# On PE1, configure the BFD session between PE1 and PE2 and bind the session with the VPN
instance.
<PE1> system-view
[PE1] bfd
[PE1-bfd] quit
[PE1] bfd 1to2_vpn bind peer-ip 10.2.1.2 vpn-instance vpna
[PE1-bfd-session-1to2_vpn] discriminator local 12
[PE1-bfd-session-1to2_vpn] discriminator remote 21
[PE1-bfd-session-1to2_vpn] wtr 5
[PE1-bfd-session-1to2_vpn] commit
# On PE2, configure the BFD session between PE2 and PE1 and bind the session and the VPN
instance.
<PE2> system-view
Issue 02 (2013-12-31)

855

Equipment
3 Reliability
[PE2] bfd
[PE2-bfd] quit
[PE2] bfd 2to1_vpn bind peer-ip 10.1.1.2 vpn-instance vpna
[PE2-bfd-session-2to1_vpn] discriminator local 21
[PE2-bfd-session-2to1_vpn] discriminator remote 12
[PE2-bfd-session-2to1_vpn] wtr 5
[PE2-bfd-session-2to1_vpn] commit

After the configuration is complete, run the display bfd session peer-ip command on PE1 and
PE2, and you can view that a multi-hop BFD session is set up, and the session is Up.
Take PE1 as an example:
<PE1> display bfd session peer-ip 10.2.1.2 vpn-instance vpna verbose
-------------------------------------------------------------------------------Session MIndex : 256
(Multi Hop) State : Up
Name : 1to2_vpn
: 12
: 21
Session Detect Mode
BFD Bind Type
: Peer Ip Address
Bind Session Type
: Static
: 10.2.1.2
NextHop Ip Address
: 10.2.1.2
Bind Interface
: -Vpn Instance Name
: vpna
FSM Board Id
: 6
TOS-EXP
: 7
: 10
: 10
Local Detect Multi
: 3
: 30
Echo Passive
: Disable
Acl Number
: -Destination Port
: 3784
TTL
: 254
Process PST
: Disable
WTR Interval (ms)
: 300000
Active Multi
: 3
Bind Application
Session TX TmrID
: 5
PDT Index
Session Description
----End
Configuration Files
l

#
sysname PE1
#
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
bfd
#
Issue 02 (2013-12-31)

856

Equipment
3 Reliability
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
undo shutdown
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
bfd 1to2_vpn bind peer-ip 10.2.1.2 vpn-instance vpna
wtr 5
commit
#
bgp 100
#
ipv4-family unicast
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.3 enable
#
import-route direct
#
ospf 100
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return

#
sysname PE2
#
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
bfd
#
interface Pos2/0/0
link-protocol ppp
undo shutdown
ip address 172.2.1.2 255.255.255.0
mpls
mpls ldp
#
undo shutdown
Issue 02 (2013-12-31)

857

Equipment
3 Reliability

ip address 10.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bfd 2to1_vpn bind peer-ip 10.1.1.2 vpn-instance vpna
wtr 5
commit
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpn1
import-route direct
#
ospf 100
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 172.2.1.0 0.0.0.255
#
return
Configuration file of the P

#
sysname P
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
undo shutdown
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
link-protocol ppp
undo shutdown
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 100
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
network 2.2.2.2 0.0.0.0
#
Return
Issue 02 (2013-12-31)

858

Equipment
3 Reliability
Configuration file of Node B

#
sysname Node B
#
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
bgp 65410
#
ipv4-family unicast
import-route direct
peer 10.1.1.2 enable
#
return

#
sysname RNC
#
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
bgp 65420
#
ipv4-family unicast
import-route direct
#
return
3.5 GR Configuration
Only devices with two main control boards (such as ATN 950Bs) support GR
configuration.Through the Graceful Restart (GR) configurations, you can improve HA of a
system.
3.5.1 GR Introduction
Defined as an extension of IP/MPLS by the IETF, GR ensures the uninterrupted forwarding
during the protocol restart, which limits the flapping of the control-plane protocols during the
AMB/SMB switchover.
HA Overview
The technologies that implement HA include redundancy backup, HSB, and GR.
In practical network, the network may fail and the service may be interrupted because of
inevitable non-technical factors. To improve the system availability, it is feasible to improve the
fault-tolerance capability of the system, speed up recovery from faults, and reduce the impact
of faults on the service.
High availability (HA) indicates that a device has high reliability.
Issue 02 (2013-12-31)

859

Equipment
3 Reliability
Generally, Mean Time to Repair (MTTR) and Mean Time Between Failures (MTBF) are used
to assess the reliability of a device.
l
MTTR: indicates the average time that a component or a device takes to recover from a
failure.
In broader sense, MTTR refers to spare part management, customer service, and is an
important index to evaluate equipment maintenance.
The formula of MTTR is as follows:
MTTR = Fault detection time + Board replacement time + System initialization time + Link
recovery time + Route coverage time + Forwarding recovery time
The less the time is, the greater the MTTR is and the higher the device reliability is.
In the telecommunication industry, 99.999% availability means that service interruption caused
by device failures must be less than 5 minutes each year.
l
MTBF: indicates the average time (usually in hours) when a component or a device works
without any failure.
AMB/SMB switchover is an important method to ensure the system availability when the system
fails.
Data may be lost during AMB/SMB switchover. Most lost data can be restored smoothly through
hot standby (HSB). The lost data that cannot be restored through HSB can be restored through
Graceful Restart (GR).
Redundancy Backup
Redundancy backup for the key components in the system is an important method to improve
the fault-tolerance capability of the system.
Redundancy backup is performed in the following modes:
l
1+1 backup: Two components must mirror each other. If the master component is Down,
the slave component takes over the previous component to ensure that the system service
is not interrupted.
n+1 backup: If you need n similar components to provide services, another component is
necessary to act as the backup for all the n components. If one of the n components fails,
the backup component takes over the faulty component to ensure the smooth service.
At present, the ATN provides the following hardware backup functions:

l
Main Control Unit (also named main board): 1+1 backup
Service Process Unit (also named service board): 1+1 or n+1 backup
Power Module: 1+1 backup
Cool Fan: n+1 backup
The system performs the AMB/SMB switchover on the premise of 1+1 backup of the main
board, that is, two main boards.
HSB
HSB is a key technology providing hot backup.
Issue 02 (2013-12-31)

860

Equipment
3 Reliability
The components and terms related to HSB are described as follows:

l
Active Main Board (AMB): indicates the current active main board of the two main boards
on a ATN.
Standby Main Board (SMB): indicates the backup main board of the two main boards on
a ATN.
HA channel: indicates the communication channel between the AMB and SMB.
Switchover: indicates the AMB is switched to the SMB. It is triggered by the commands
or by a serious fault. In the switchover, the original AMB is reset and becomes an SMB.
Smooth: After the switchover is performed on a ATN, the SMB is switched to be the AMB,
but the data in different modules on the new AMB may be inconsistent. Thus, the data
needs to be synchronized on the new AMB.
The HSB can back up the static and dynamic configurations of the system from the AMB to the
SMB.
The AMB and SMB communicate as shown in Figure 3-27.
Figure 3-27 Basic mechanism of HSB
GR Capabiliby
Negotiation to support
Passive GR
AMB
SMB
State Sync
RPA MPLS
RIB
Download
FIB
Routing / MPLS Protocol
IFnet
FIB
IPC
Socket /TCP Link

Synchronize
configuration
and change
Heart Beat Check
RPA MPLS
RIB
IFnet
FIB
IPC
Switch Fabric
IPC
IO board
FIB
FIB
IPC
FIB
FIB
Interface
Incoming Packet
Outcoming Packet
When the system is restarted, the AMB backs up its static configurations on the SMB and the
SMB re-execute the static configurations.
When the system runs normally, any data changes in the AMB, including static and dynamic
data changes, are backed up to the SMB. Note that the AMB can download the routing
information from the data plane to the interface board but the SMB cannot download the routing
information. In addition, the SMB cannot receive any information from the interface board.
Issue 02 (2013-12-31)

861

Equipment
3 Reliability
After the switchover, the SMB switches itself to the AMB and runs smoothly. All data on the
AMB is backed up; therefore, the sessions with other ATNs are not affected and other ATNs
are not aware of the switchover. That is, the HSB switchover is "self-contained".
The requirements for the hardware and software to implement the HSB are as follows:
l
Supporting two main boards that serve as the backup for each other
Providing a physical communication channel between the AMB and the SMB
Supporting AMB heart beat detection on hardware or software
The HSB performs the following functions:

l
Supporting backup of static configuration data from the AMB to the SMB
Supporting dynamic backup and update of protocol status data from the AMB to the SMB
Supporting the protocol-level GR capability
Supporting data smoothing between modules
GR
In IETF, protocols related to Internet Protocol/Multiprotocol Label Switching (IP/MPLS) such
as Open Shortest Path First (OSPF), Intermediate System-Intermediate System (IS-IS), Border
Gateway Protocol (BGP), Label Distribution Protocol (LDP), and Resource Reservation
Protocol (RSVP) are extended to ensure that the forwarding is not interrupted when the system
is restarted. This reduces the flapping of the protocols at the control plane when the system
performs the AMB/SMB switchover. This series of standards is called GR extension to each
protocol. Currently, GR has been widely applied to the AMB/SMB switchover and system
upgrade.
The system can perform GR on the condition that the forwarding plane is separated from control
plane. That is, the ATN has a main board and an Interface board, and the Interface board forwards
packets. When the system restarts the protocol or performs AMB/SMB switchover, the interface
board is not reset. The interface board continues forwarding packets; thus, packets can be
forwarded in the entire system without interruption. The prerequisite to uninterrupted forwarding
in the system is that the network topology and interface status do not change in the GR period;
otherwise, the system exits from the GR and the forwarding is interrupted.
The concepts related to the GR are as follows:
l
Roles
GR Restarter: indicates a ATN on which the routing protocol is enabled with the GR
capability. The ATN has dual main boards, and is capable of notifying the neighbor to
maintain the adjacency during AMB/SMB switchover.
GR Helper: indicates the neighbor of the GR Restarter. The GR Helper should be able
to identify the GR signaling, maintain the adjacency with the GR Restarter during the
AMB/SMB switchover, and help the GR Restarter to restore the network topology.
NOTE
The GR Restarter and the GR Helper interact with each other. When the GR Helper is enabled with
the GR capability, the GR Restarter and the GR Helper can interchange.
At present, the ATN only can be used as a GR Helper to support the GR process.
l
Issue 02 (2013-12-31)
Session and timer

862

Equipment
3 Reliability
GR session: indicates the session that has the GR capability. Through the session, the
GR Restarter and the GR Helper negotiate the GR capability.
GR time: indicates the time of maintaining the undeleted routing information after the
GR Helper finds that the GR Restarter becomes Down. The GR time can be regarded
as the period between the start and end of the GR session.
NOTE
The mechanisms of implementing GR in each protocol are different. For the detailed value of the
GR time, refer to the Configuration Guide - IP Routing and Configuration Guide - MPLS.
The administrator and the fault can trigger the restart and AMB/SMB switchover of the GR
Restarter.
The following describes the GR process during the AMB/SMB switchover.
NOTE
If the network topology or the interface status changes, the system exits from GR. In the following
description, it is assumed that the network topology and interface status do not change.
1.
The GR Restarter and the GR Helper negotiate the GR capability and establish a session.
Figure 3-28 Setting up sessions between the GR Helper and the GR Restarter
ATN
CX-A
CX-B
GR Helper
GR Restarter
CX-C
GR Helper
GR Helper
Session with GR capability
ATN serves as the GR Restarter. CX-A, CX-B and CX-C are GR Helpers responding to
ATN. A session with the GR capability is established between the GR Restarter and each
GR Helper.
2.
Issue 02 (2013-12-31)
The GR Restarter performs the AMB/SMB switchover.

863

Equipment
3 Reliability
Figure 3-29 AMB/SMB switchover of the GR Restarter
GR Helper
ATN
CX-A
GR Restarter
CX-B
CX-C
GR
Helper
GR
Helper
Session with GR capability
The administrator restarts the GR
restarter,or the GR restarter itself fails
When the GR Helpers find that the GR Restarter fails, they maintain the adjacency with
the GR Restarter and retain the routing information related to the GR Restarter before the
GR time times out.
3.
After the SMB is started, the GR Restarter sends signals to the neighbors.
Figure 3-30 GR Restarter sending signals to the neighbors after the AMB/SMB switchover
ATN
CX-A
CX-B
GR
Restarter
CX-C
GR Helper
Issue 02 (2013-12-31)
GR
Helper
GR Helper
Signals sent to estabilish a GR
Session

864

Equipment
3 Reliability
The SMB of the GR Restarter is restarted to sends signals to the GR Helpers, and reestablish sessions.
4.
The GR Restarter obtains topology information from neighbors.

Figure 3-31 GR Restarter obtaining topology information from neighbors
ATN
GR Restarter
GR Helper
CX-A
CX-C
CX-B
GR Helper
GR Helper
GR restarter gets topology information
or routes from neighbors
After the GR Restarter obtains the topology information from its neighbors, it recalculates
the routing table and triggers the aging of the old routes.
Thus, the GR Restarter completes the AMB/SMB switchover during which packet
forwarding is not interrupted.
Issue 02 (2013-12-31)

865

Equipment
3 Reliability
Comparison Between the GR and the HSB

Table 3-7 Comparison between the GR and the HSB
Name
Advantage
Drawback
GR
l It is easy to implement and does not

need great modifications to the
existing software.
l Interoperability: Some of the GR

specifications are still drafts and the
implementation varies with
vendors.
l It does not need to back up the

protocol status information.
l Few data needs to be backed up
from the AMB to the SMB. The
data includes configuration
modification, updated messages
and events, interface status change,
and topology information and
routing information from
neighbors after restart.
l During the switchover, there is
little probability of service
interruption.
l Normally, the network converges
rapidly.
l Concurrent collapse: If a GR ATN

and its neighbor(s) collapse
concurrently, GR cannot work
normally.
l Long convergence time: When a GR
ATN in the Down state cannot
recover again, its neighbors assume
that the GR Restarter will restart, so
the neighbors do not delete the
related routing and topology
information before the Recovery
timer times out. Compared with the
common network in which the
ATNs do not have the GR
capability, this network takes a
longer period to converge.
l Dependence of the recovery process
on neighbor ATNs: Neighboring
ATNs must support the GR
capability, because GR is not "selfcontained".
Issue 02 (2013-12-31)

866

Equipment
3 Reliability
Name
Advantage
Drawback
HSB
l The AMB/SMB switchover on the

HSB ATN does not affect the
service forwarding and routing
process.
l More difficult to implement than

GR: More information, including
the protocol status, the session, the
route, the policy, and the update,
needs to be backed up.
l The routing information and

topology information are not lost
and the protocol session is not
interrupted during the switchover.
l The switchover between the AMB
and SMB is self-contained.
l The neighbour ATNs do not need
to have the GR capability.
l There is no problem of
compatibility.
l The switchover does not affect the
neighbors.
l Usage of more communication

channel bandwidth: The HSB needs
to support the TCP backup between
the AMB and the SMB.
l Dependence on the hot backup of
the BGP/LDP session on the TCP
connection. If you do not expect the
neighbors to be aware of the
switchover, you must back up the
continuously changing TCP link
status from the AMB to the SMB.
l The network convergence is faster

than the network with GR ATNs.
GR Features Supported in the ATN

The GR features include system-level GR. System-level GR is a technology that combines
redundancy backup, GR, and HSB to implement the uninterrupted forwarding during the AMB/
SMB switchover, which minimizes the impact on services and ensures HA for devices.
Currently, the ATN supports the following GR features:
l
MPLS LDP (DU)
OSPF (IPv4)
IS-IS (IPv4)
BGP (IPv4), VPNv4 BGP, and BGP with labelled routes
RSVP
L3VPN
Martini VLL, PWE3 VPLS, and Martini VPLS
The ATN integrates the advantages of the GR and the HSB to implement the HA as follows:
l
Provides the 1+1 backup through redundancy backup
Backs up static configuration from the AMB to the SMB through HSB, and backs up the
status of the protocols that do not have the GR capability.
Restores the session status of the protocol extended with the GR capability, with the help
of the neighbouring ATNs.
The HA feature that integrates dual main control boards, GR, and HSB is called system-level
GR. The function of the system-level GR is to decrease the impact of the AMB/SMB switchover
on the packet forwarding.
Issue 02 (2013-12-31)

867

Equipment
3 Reliability
A ATN can perform the system-level GR on the following conditions:

l
The ATN has dual main control boards.
BGP, OSPF, IS-IS, and LDP support the GR function.
The ATN supports HSB.

NOTE
When a ATN supports only GR rather than HSB, this ATN can be used as a GR Helper to support the GR
process of other ATNs.
3.5.2 Configuring the System-Level GR

System-level GR is a technology that combines redundancy backup, GR, and HSB together to
improve HA of devices.
Before You Start

Before configuring the system-level GR function, familiarize yourself with the usage scenario,
The system-level GR function is used in the following situations:
l
A system fault triggers the AMB/SMB switchover.
When upgrading the software or maintaining the system, the administrator manually
triggers the AMB/SMB switchover.
To ensure that services are not affected during the switchover, configure information
synchronization between AMB and SMB.
Before configuring system level GR, complete the following tasks:
l
Configure basic protocol functions.
Configure a protocol level GR capability.

NOTE
For the detailed configurations of OSPF GR, IS-IS GR, and BGP GR, refer to the Configuration Guide IP Routing; for the detailed configurations of LDP GR, refer to the Configuration Guide - MPLS.
Data Preparation
To configure the system-level GR, you need the following data.
Issue 02 (2013-12-31)
No.
Data
Default slot number of the SMB

868

Equipment
3 Reliability
(Optional) Configuring the Default Slot Number for the SMB

You can set the slot ID of the default SMB for the system restart.
Context
If both main boards are available, the system determines which one is to be the SMB when the
ATN restarts. Set the default slot number of the SMB using the command mentioned in this
section.
Perform the following steps on the GR Restarter:
Procedure
Step 1 Run:
system-view

Step 2 Run:
slave default slot-id
The default slot number for the SMB is configured.

----End
Enabling the Force AMB/SMB Switchover

The AMB and SMB can be switched to each other after the AMB/SMB switchover is enabled.
Context
Perform the following steps on the GR Restarter:
Procedure
Step 1 Run:
system-view

Step 2 Run:
slave switchover enable
The force AMB/SMB switchover is enabled.

After the configuration, you can run the slave switchover command to perform the force AMB/
SMB switchover manually.
By default, the force AMB/SMB switchover is enabled.
To disable the force AMB/SMB switchover, run the slave switchover disable command.
----End
Issue 02 (2013-12-31)

869

Equipment
3 Reliability

By viewing the status of the AMB and SMB, you can check whether the configurations are
successful.
Prerequisites
The configurations of the system-level GR function are complete.
Procedure
Step 1 Run the display switchover state command to check the status of AMB and SMB.
----End
3.5.3 Maintaining HA
This section describes how to maintain HA. The detailed operation includes monitoring the
operations status of HA.
Monitoring the Running of HA

By monitoring the operating status of HA, you can view information about HA during the
operation.
Context
In routine maintenance, you can run the following command in any view to display the running
of HA.
Procedure
Step 1 Run the display switchover state command in any view to display the backup status of the AMB
and the SMB according to the specified slot ID.
----End
3.6 Ethernet OAM Configuration

This chapter describes Ethernet OAM and its configurations, and how to implement link-level
Ethernet OAM detection and network-level Ethernet OAM detection to improve network
reliability. Ethernet OAM is applicable mainly to MANs.
3.6.1 CFM Configuration

IEEE 802.1ag, also known as Connectivity fault management (CFM), defines OAM functions
for Ethernet bearer networks. CFM applies to large-scale E2E Ethernet networks and monitor
network-wide connectivity and locate connectivity faults.
Issue 02 (2013-12-31)

870

Equipment
3 Reliability
Introduction
Ethernet OAM can effectively improve management and maintenance capabilities on Ethernet
networks, which ensures the stable network operation. Ethernet OAM is applicable mainly to
Ethernet networks.
Background
The Ethernet has developed as the major Local Area Network (LAN) technology because it
features easy implementation and low cost. Recently, along with the applications of Gigabit
Ethernet and the later 10-Gigabit Ethernet, Ethernet has been extended to the Metropolitan Area
Network (MAN) and Wide Area Network (WAN).
Compared with MANs and WANs, reliability and stability are not highly required for LANs.
Therefore, a mechanism for network Operations, Administration and Maintenance (OAM) is
always required for the Ethernet. The lack of the OAM mechanism prevents Ethernet from
effectively functioning as the Internet Service Provider (ISP) network. In this manner, Ethernet
OAM is becoming a trend.
Functions
Ethernet OAM has the following functions:
l
Fault management
Ethernet OAM can detect the network connectivity by sending detection messages
regularly or through manual triggering.
Ethernet OAM can locate faults on the Ethernet by using means similar to the Packet
Internet Groper (ping) and traceroute tools on IP networks.
Ethernet OAM can work with the Automatic Protection Switching (APS) to trigger
protection switching when detecting connectivity faults. This ensures service
interruption in no more than 50 ms to achieve carrier-class reliability.
Performance management
Performance management is used to measure the packet loss ratio, delay, and jitter during
the transmission of packets. It also collects statistics on various kinds of traffic.
Performance management is implemented at the access point of users. By using the
performance management tools, the ISP can monitor the network status and locate faults
through the Network Management System (NMS). The ISP checks whether the forwarding
capacity of the network complies with the Service Level Agreement (SLA) signed with
users.
Ethernet OAM improves network management and maintenance capabilities on the Ethernet
and guarantees a steady network.
Ethernet OAM Supported by the ATN

Ethernet OAM includes EFM OAM, Ethernet CFM, fault association, and EFM OAM extension.
Ethernet CFM
Connectivity Fault Management (CFM) defined in IEEE 802.1ag specifies the OAM functions
of connectivity check for Ethernet bearer networks. It includes the Continuity Check (CC),
Issue 02 (2013-12-31)

871

Equipment
3 Reliability
Loopback (LB), and Linktrace (LT). Ethernet CFM applies to end-to-end scenarios on largescale networks. Ethernet CFM is OAM at the network level.
Currently, IEEE 802.1ag has two versions, that is, IEEE 802.1ag Draft 7 and IEEE Standard
802.1ag-2007. Table 3-8 shows the differences between these two versions.
Table 3-8 Differences between IEEE 802.1ag Draft 7 and IEEE Standard 802.1ag-2007
Issue 02 (2013-12-31)
Feature
IEEE 802.1ag Draft

7
IEEE Standard
802.1ag-2007
Remarks
Maintenance Domain
Supported
Supported
The features
and
configurations
supported by
802.1ag Draft 7
and Standard
802.1ag-2007
are the same.
Default MD
Not supported
Supported
Maintenance
Association
Supported
Supported
The features
and
configurations
supported by
802.1ag Draft 7
and Standard
802.1ag-2007
are the same.
Maintenance
association End Point
Supported
Supported
The features
and
configurations
supported by
802.1ag Draft 7
and Standard
802.1ag-2007
are the same.
Remote Maintenance
association End Point
Supported
Supported
The features
and
configurations
supported by
802.1ag Draft 7
and Standard
802.1ag-2007
are the same.

872

Equipment
3 Reliability
Feature
IEEE 802.1ag Draft

7
IEEE Standard
802.1ag-2007
Remarks
Maintenance
association
Intermediate Point
Supported
Supported
The MIP
generation
rules in both
802.1ag Draft 7
and Standard
802.1ag-2007
are classified
into the same
types, that is,
default,
explicit, and
none. The
difference
between the
MIP
generation
rules in
802.1ag Draft 7
and Standard
802.1ag-2007,
however, is as
follows:
l According
to 802.1ag
Draft 7, the
MIP is
created on
the basis of
the
interface.
l According
to Standard
802.1ag-20
07, the MIP
is created
on the basis
of the MD
or default
MD.
Issue 02 (2013-12-31)

873

Equipment
3 Reliability
Feature
IEEE 802.1ag Draft

7
IEEE Standard
802.1ag-2007
Remarks
Maintenance Point
Supported
Supported
The features
and
configurations
supported by
802.1ag Draft 7
and Standard
802.1ag-2007
are the same.
Basic concepts
MD
A Maintenance Domain (MD) refers to the network or a part of the network where CFM
is performed. Devices in an MD are managed by a single ISP.
Default MD
According to IEEE Standard 802.1ag-2007, each device can be configured with one
default MD. The default MD must be of a higher level than all MDs to which MEPs
configured on the local device belong. In addition, the default MD must be of the same
level as the high-level MD. The default MD transmits high-level CCMs and creates
MIPs to reply LTR packets.
MA
A Maintenance Association (MA) is part of an MD. An MD can be divided into one or
multiple MAs. On the ATN, each MA is associated with a VLAN or a VSI. Ethernet
CFM maintains the connectivity of each MA separately.
MEP
A Maintenance association End Point (MEP) is an edge point within an MA.
For the devices on the network enabled with Ethernet CFM, their MEPs are called local
MEPs. For the other devices in the same MA, their MEPs are called the Remote
Maintenance association End Points (RMEPs).
MIP
A Maintenance association Intermediate Point (MIP) is an intermediate point within an
MA.
According to IEEE 802.1ag Draft 7, MIPs reside on the interfaces of the device and are
automatically generated on the basis of the interface.
According to IEEE Standard 802.1ag-2007, MIPs are automatically generated on the
basis of the MD or default MD.
The MIP is automatically generated.
Connectivity check
Ethernet CFM divides the network into one MD or multiple MDs. Each MD is further
divided into one MA or multiple MAs. Ethernet CFM can detect the connectivity between
MEPs within an MA by exchanging Continuity Check Messages (CCMs) periodically
between MEPs.
Issue 02 (2013-12-31)

874

Equipment
3 Reliability
Fault verification
802.1ag MAC ping
Similar to ping, 802.1ag MAC ping works by sending test packets and waiting for a
reply to test whether the destination device is reachable. 802.1ag MAC ping is initiated
by a MEP and destined for a MEP or MIP within an MA.
Fault location
802.1ag MAC trace
Similar to traceroute or tracert, 802.1ag MAC trace works by sending test packets and
waiting for a reply to test the path between the local device and the destination device
and to locate faults. 802.1ag MAC trace is initiated by a MEP and destined for a MEP
or MIP within an MA.
Fault Association
l
Association between Ethernet CFM and an interface

When a MEP detects a connectivity fault between the MEP and a specified RMEP within
the same MA, the OAM management module performs the restart function, that is, shuts
down the interface on which the MEP resides for seven seconds and then starts it.
Association between Ethernet CFM and EFM OAM

When the Ethernet CFM module detects a fault in an MA, the OAM management module
sends fault messages to the peer device enabled with EFM OAM through the interface.
When the EFM OAM module detects a fault, the OAM management module sends fault
messages to the MA through the interface.
Ethernet CFM sends fault messages to EFM OAM.
EFM OAM sends fault messages to Ethernet CFM.
Ethernet CFM and EFM OAM perform bidirectional transmission of fault messages.
Association between Ethernet CFM and Ethernet CFM

sends fault messages to the MA at the other side through the binding relationship.
Ethernet CFM at one side sends fault messages to Ethernet CFM at the other side.
Ethernet CFMs at both sides perform bidirectional transmission of fault messages.
Association between Ethernet CFM and Bidirectional Forwarding Detection (BFD)

sends fault messages to BFD at the other side through the binding relationship. When BFD
detects a fault, BFD sends fault messages to the MA through the binding relationship.
Ethernet CFM sends fault messages to BFD.
BFD sends fault messages to Ethernet CFM.
Ethernet CFM and BFD perform bidirectional transmission of fault messages.
3.6.2 Configuring Basic Ethernet CFM

By configuring basic Ethernet CFM functions, you can implement end-to-end detection,
advertisement, verification, and location of connectivity faults.
Issue 02 (2013-12-31)

875

Equipment
3 Reliability
Before You Start

Before configuring basic Ethernet CFM functions, familiarize yourself with the usage scenario,
CFM is mainly used to monitor the connectivity of end-to-end links or direct links.
As shown in Figure 3-32, the Layer 2 network is connected to the Layer 3 network through PE3.
l
CFM can be deployed to monitor the link connectivity between Layer 2 network devices,
for example, between the CE and PE1 and between PE1 and PE2.
CFM can be deployed to monitor the link connectivity between a Layer 2 network device
and a device connecting the Layer 2 network to the Layer 3 network, such as the link
connectivity between the CE and PE3 and between PE2 and PE3.
Figure 3-32 Schematic diagram of the CFM function

CE
PE1
PE2
PE3
IP Core
CFM
CFM
CFM
CFM
MEP
MIP
You need to ensure that the following conditions be met before implementing automatic endto-end connectivity detection on the Ethernet:
l
MDs are classified based on the ISP that manages the devices. All the devices that are
managed by a single ISP and enabled with CFM can be configured in an MD.
One default MD can be configured on each device, that it transmits high-level CCMs and
generates MIPs to reply LTR packets.
MAs are classified based on different SIs. An MA is associated with a VLAN. A VLAN
generally maps to an SI. When the MA is classified, fault detection in connectivity can be
carried out on the network where an SI is transmitted.
You need to determine the interfaces on which devices are located at the edge of the MA,
that is, to determine that MEPs must be configured on the interfaces on which devices.
When implementing automatic connectivity detection on directly connected links, you also need
to ensure that:
l
The devices at both ends must be configured in the same MA within an MD.
An MA can be either associated with a VLAN or not.
MEPs must be configured on the interfaces at both ends of the directly connected link.
Issue 02 (2013-12-31)

876

Equipment
3 Reliability
None.
Data Preparation
To configure Ethernet CFM, you need the following data.
No.
Data
Name and level of an MD
(Optional) Name and level of a default MD
Name of an MA, ID of the VLAN associated with the MA
ID of a MEP, name of the interface on which the MEP resides, type of the MEP
(Optional) ID of an RMEP and MAC address of the interface where the RMEP resides
Rule for creating a MIP
Interval for a MEP sending or detecting CCMs in an MA
(Optional) ID of the specified VLAN
Enabling Ethernet CFM Globally

You must enable Ethernet CFM globally before configuring and applying all CFM functions.
Context
Perform the following steps on the ATN that requires Ethernet CFM:
Procedure
Step 1 Run:
system-view

Step 2 Run:
cfm enable
Ethernet CFM is enabled globally.

By default, Ethernet CFM on the ATN is disabled globally.
----End
Creating an MD
An MD refers to a network or a part of a network under the management of Ethernet CFM. One
MD is managed by a single ISP.
Issue 02 (2013-12-31)

877

Equipment
3 Reliability
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
cfm md md-name [ format { no-md-name | dns dns-md-format-name | mac-address mac-mdformat-name | string string-md-format-name } ] [ level level ]
An MD is created and the MD view is displayed.

Parameters format, no-md-name, dns dns-md-format-name,mac-address mac-md-formatname and string string-md-format-name can be used only on the device running IEEE Standard
802.1ag-2007.
By default, an MD is at level 0. Level 0 is the lowest level.
Repeat Step 2 to create more MDs. Up to 16 MDs can be created on the ATN.
NOTE
The 802.1ag packets from a lower-level MD are discarded when being transmitted through the same level
MD or a higher-level MD. The 802.1ag packets from a higher-level MD can be transmitted through a lowerlevel MD.
----End
(Optional) Creating the Default MD

The default MD must be of a higher level than all MDs to which MEPs on the local device
belong. In addition, the default MD must be of the same level as the high-level MD. The highlevel CCMs are transmitted through the default MD.
Context
Perform the following steps on each ATN device that requires Ethernet CFM:
Procedure
Step 1 Run:
system-view

Step 2 Run:
cfm default md [ level level ]
The default MD is created and the default MD view is displayed.

By default, the default MD is at Level 7, the highest level.
Each device can create only one default MD.
Issue 02 (2013-12-31)

878

Equipment
3 Reliability
NOTE
The default MD must be of a higher level than all MDs to which MEPs configured on the local device
belong. In addition, the default MD must be of the same level as the high-level MD. The default MD
transmits high-level CCMs and generates MIPs to reply LTR packets.
----End
Creating an MA
An MD can be divided into one or multiple MAs. Ethernet CFM detects connectivity of each
MA separately.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
cfm md md-name
The MD view is displayed.

Step 3 Run:
ma ma-name
[ format { icc-based iccbased-ma-format-name | string ma-format-name }]
An MA is created and the MA view is displayed.

On the ATN, up to 512 MAs can be created in an MD. On the ATN, up to MAs can be created.
One or multiple MA can map to one VLAN.
Step 4 Perform the following step as needed.
l (Optional) If an MA is created on a Layer 2 device, run: map vlan vlan-id. The MA is
associated with a VLAN.
NOTE
l An AM is not associated with any VLAN by default.

l Ethernet CFM monitors the connectivity of links in each MA. Associating an MA with a VLAN
allows Ethernet CFM to monitor the connectivity of the VLAN.
l An MA used to monitor the connectivity between two directly connected devices does not need to
be associated with a VLAN. An MA used to monitor the connectivity of two indirectly connected
devices must be associated with a VLAN.
l When creating a MEP on a device connecting the Layer 2 network to the Layer 3 network,
specify a VLAN. The VLAN is automatically associated with the MA. For details, see the
section "Creating a MEP."
----End
Issue 02 (2013-12-31)

879

Equipment
3 Reliability
Follow-up Procedure
An MA is associated with a VLAN only.
l
If you need to create multiple MAs in an MD, repeat Step 3 and Step 4.
If you need to create multiple MAs in multiple MDs, repeat Step 2 to Step 4.
Creating a MEP
A MEP is an edge node of an MA. It is configured on an interface manually.
Context
When creating a MEP in an MA, also note that:
l
When an inward-facing MEP is created, the MA must be associated with a VLAN and the
interface on which the MEP resides must be added to the VLAN. The inward-facing MEP
then broadcasts the OAMPDUs in the VLAN associated with the MA. That is, the
inwarding-facing MEP sends the OAMPDUs out through all the interfaces excluding the
interface on which the MEP resides in the VLAN associated with the MAC.
When the outward-facing MEP is created, the MA is not required to be associated with a
VLAN. However, if the MA is associated with a VLAN, the interface on which the MEP
resides must be added to the VLAN. The outward-facing MEP sends out the OAMPDUs
through the interface on which the MEP resides.
The following lists the requirements for the number and types of MEPs created in an MA:
l
Only one outward-facing interface-based MEP can be created. Multiple inward-facing

interface-based MEPs can be created. However, only one inward-facing interface-based
MEP can be created on an interface.
Perform the following steps on the edge devices of an MA:
Procedure
Step 1 Run:
system-view

Step 2 Run:
cfm md md-name

Step 3 Run:
ma ma-name
The MA view is displayed.

Step 4 Run the following command as required.
l To create an interface-based MEP, run:
mep mep-id mep-id interface {interface-type interface-number | interface-type
interface-number. subnumber } [ vlan vlan-id ] { inward | outward }
Issue 02 (2013-12-31)

880

Equipment
3 Reliability
The device connecting the Layer 2 network to the Layer 3 network can be configured as
only an Outward MEP.
vlan vlan-id must be configured when a MEP is created. vlan vlan-id specifies the VLAN
to which interface interface-type interface-number.subnumber belongs.
----End
Follow-up Procedure
l
If you need to create multiple MEPs in an MA, repeat Step 4.
If you need to create multiple MEPs in multiple MAs, repeat Step 3 and Step 4.
If you need to create multiple MEPs in multiple MDs, repeat Step 2 to Step 4.
Creating an RMEP
For other devices in the same MA, their MEPs are RMEPs for the local device. By configuring
an RMEP, you can perform connectivity fault detection between the local MEP and the RMEP
in one MA.
Context
If you need to detect the connectivity between a device and an RMEP, you need to create the
RMEP first.
Perform the following steps on the edge devices of an MA:
Procedure
Step 1 Run:
system-view

Step 2 Run:
cfm md md-name

Step 3 Run:
ma ma-name

Step 4 Run:
remote-mep mep-id mep-id
An RMEP in the current MA is created.

----End
Follow-up Procedure
l
If you need to create multiple RMEPs in an MA, repeat Step 4.
If you need to create multiple RMEPs in multiple MAs, repeat Step 3 and Step 4.
Issue 02 (2013-12-31)

881

Equipment
3 Reliability
If you need to create multiple RMEPs in multiple MDs, repeat Step 2 to Step 4.
(Optional) Setting the Rule for Creating a MIP

A MIP is a node inside an MA. MEPs periodically send multicast CCMs. A MIP needs to be
used to locate faults.
Context
According to IEEE Standard 802.1ag-2007, MIPs are automatically generated on the basis of
the MD or default MD.
Procedure
Step 1 Run:
system-view

Step 2 Choose the following commands to configure the MIP generation rule.
l To configure the MIP generation rule in accordance with IEEE Standard 802.1ag-2007,
choose one of the following commands to enter the proper view.
1.
Run:
cfm md md-name

Or, run:
The default MD view is displayed.

2.
Run:
mip create-type { default | explicit | none }
The MIP generation rule in accordance with IEEE Standard 802.1ag-2007 is configured.
By default, the rule for creating a MIP is set to none.
l default: MIPs can be generated on the interface, to which the MD or default MD belongs,
without a MEP of a higher level and a MIP of a lower level.
l explicit: MIPs can be generated on the interface, to which the MD or default MD belongs,
with a MEP of a lower level but without a MEP of a higher level or a MIP of a lower level.
l none: MIPs cannot be generated on the interface, to which the MD or default MD belongs.
If the rule for creating the MIP is default or explicit, the device generates the MIP automatically
according to the rule.
The level of a MIP depends on the level of the MD generating the MIP and the level generation
rule.
----End
Issue 02 (2013-12-31)

882

Equipment
3 Reliability
Enabling CC Detection
Through the CC detection, Ethernet CFM can periodically send CCMs between MEPs to detect
connectivity between MEPs.
Context
Perform the following steps on the edge devices on which MEPs reside within MAs:
Procedure
Step 1 Run:
system-view

Step 2 Run:
cfm md md-name

Step 3 Run:
ma ma-name

Step 4 Run:
ccm-interval interval
The interval for the MEP sending or detecting CCMs within the local MA is set.
By default, the interval for the MEP sending or detecting CCMs within an MA is 1 second.
l The sending of CCMs is enabled by using the mep ccm-send enable command.
l The receiving of CCMs is enabled by using the remote-mep ccm-receive enable command.
If any of the preceding conditions is met in an MA, the interval for sending or detecting CCMs
in the MA cannot be modified. If you want to modify the interval for sending or detecting CCMs
in an MA, you must run the related undo commands to disable the sending or receiving of CCMs.
ccm tlv interface-status
Encapsulates the Interface Status TLV field in continuity check messages (CCMs) to be sent.
By default, the CCMs to be sent do not carry the Interface Status TLV field.
l The sending of CCMs is enabled by using the mep ccm-send enable command.
l The receiving of CCMs is enabled by using the remote-mep ccm-receive enable command.
If any of the preceding conditions is met in an MA, the interval for sending or detecting CCMs
in the MA cannot be modified. If you want to modify the Interface Status TLV field in continuity
check messages (CCMs) to be sent, you must run the related undo commands to disable the
sending or receiving of CCMs.
Step 6 Run:
mep ccm-send [ mep-id mep-id ] enable
Issue 02 (2013-12-31)

883

Equipment
3 Reliability
The sending of CCMs is enabled on the MEP.

By default, a MEP is disabled to send CCMs.
If mep-id mep-id is not specified, all the MEPs in the MA are enabled to send CCMs.
Step 7 Run:
remote-mep ccm-receive [ mep-id mep-id ] enable
The receiving of CCMs from the RMEP within the same MA is enabled on the local MEP.
By default, the local MEP cannot receive CCMs from the RMEP.
When the local device is enabled to receive CCMs from an RMEP, and if connectivity faults are
detected between the local device and the RMEP through CC detection, the local device prompts
alarms of RMEP connectivity.
If mep-id mep-id is not specified, all the MEPs in the MA are enabled to receive CCMs from
all the RMEPs.
----End
Follow-up Procedure
l
If you need to enable the CC detection in multiple MAs, repeat Step 3 to Step 6.
If you need to enable the CC detection in multiple MDs, repeat Step 2 to Step 6.
(Optional) Creating a VLAN

Through the association between a VLAN and default MDs, all interfaces of the specified VLAN
can generate MIPs based on default MDs.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
The default MD is created and the default MD view is displayed.

Step 3 Run:
vlan { vlan-id1 [ to vlan-id2 ] }&<1-10>
The specified VLAN is created.

----End
Issue 02 (2013-12-31)

884

Equipment
3 Reliability

By viewing MDs, MAs, MEPs, and MIPs, you can check whether the configurations are
successful.
Prerequisites
The configurations of the Ethernet CFM function are complete.
Procedure
l
Run the display cfm md [ md-name ] command to check the configuration information
about an MD.
Run the display cfm ma [ md md-name [ ma ma-name ] ] command to check detailed

information about an MA.
Run the display cfm mep [ md md-name [ ma ma-name [ mep-id mep-id ] ] ] command
to check detailed information about a MEP.
Run the display cfm remote-mep [ md md-name [ ma ma-name [ mep-id mep-id ] ] ]

command to check detailed information about an RMEP.
Run the display cfm mip [ interface interface-type interface-number | level level ]
command to check information about a MIP.
Run the display cfm default md command to check the configuration of the default MD.
Run the display cfm mp-info [ interface interface-type interface-number [ level mdlevel ] [ inward | outward ] [ vlan vlanid | vsi vsi-name | no-associated-vlan ] ]command
to check information about the CFM objects on the specified interface and VLAN or VSI.
Run the display oam global configuration command to check the MP address model.
----End
3.6.3 Configuring Related Parameters of Ethernet CFM

By adjusting parameters of Ethernet CFM, you can detect connectivity of an Ethernet network
from end to end.
Before You Start

Before configuring parameters of Ethernet CFM, familiarize yourself with the usage scenario,
Usage Scenario
If Ethernet CFM is enabled, you can adjust related parameters according to your requirement.
In different application environments, you can adjust the following parameters:
l
RMEP activation time

After the local device is enabled with the function of receiving CCMs from a certain RMEP,
the local device can display RMEP connectivity alarm in one of the following situations:
If the CC detects a connectivity fault between the local MEP and the RMEP, then, the
local device displays the alarm of the RMEP connectivity fault..
Issue 02 (2013-12-31)

885

Equipment
3 Reliability
The physical link works normally between the local MEP and the RMEP. The peer
device is not configured with a MEP when the CC is performed; or, the MEP
configuration is performed after the CC is performed. In this case, if the local MEP does
not receive any CCMs from the RMEP in three consecutive sending intervals, the local
device considers that a connectivity fault occurs between the local MEP and the RMEP.
According to the preceding description, the RMEP connectivity fault alarm is incorrect.
To solve the problem, you can set the RMEP activation time.
If the local device is configured with the RMEP activation time and enabled with the
function of receiving CCMs from a certain RMEP, the local device can receive CCMs at
the set RMEP activation time. That is, the activation time for receiving CCMs from the
RMEP is the time reserved for configuring the RMEP.
At the set RMEP activation time, if the local MEP does not receive any CCMs in three
consecutive sending intervals, this means that a connectivity fault occurs between the local
MEP and the RMEP. In addition, the local device displays the alarm of the RMEP
connectivity fault.
l
Anti-jitter time during alarm restoration

All the RMEPs of each MA use the following timers:
Alarm generation timer: Its interval is set to the anti-jitter time during alarm generation.
Alarm restoration timer: Its interval is set to the anti-jitter time during alarm restoration.
When the RMEP detects an alarm, the alarm generation timer is activated. After the timer
expires, the alarm is notified to the device. When the RMEP detects that the alarm is
restored, the alarm restoration timer is activated. After the timer expires, the alarm
restoration event is notified to the device.
If the RMEP frequently detects the alarm and alarm restoration signals, this means that
alarm flapping occurs.
To suppress alarm flapping, you can set the anti-jitter time during alarm generation.
VLAN or VLAN chain

All interfaces of the specified VLAN generate MIPs according to the configured MIP
generation rule in the MD.
None.
Data Preparation
To adjust parameters of Ethernet CFM, you need the following data.
Issue 02 (2013-12-31)
No.
Data
(Optional) RMEP activation time
(Optional) Anti-jitter time during alarm restoration
(Optional) Anti-jitter time during alarm generation

886

Equipment
3 Reliability
(Optional) Configuring the RMEP Activation Time

The RMEP activation time is reserved for you to configure an RMEP. After the configuration
of the RMEP activation time, the local device can receive CCMs after the configured RMEP
activation time expires.
Context
Perform the following steps on each edge device in an MA:
Procedure
Step 1 Run:
system-view

Step 2 Run:
cfm md md-name

Step 3 Run:
ma ma-name

Step 4 Run:
active time time
The RMEP activation time is configured.

----End
(Optional) Configuring the Anti-Jitter Time During Alarm Restoration

By configuring the anti-jitter time during alarm restoration, you can suppress alarm flapping.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
cfm md md-name

Step 3 Run:
ma ma-name
Issue 02 (2013-12-31)

887

Equipment
3 Reliability

Step 4 Run:
alarm finish time time
The anti-jitter time during alarm restoration is configured.

----End
(Optional) Configuring the Anti-Jitter Time During Alarm Generation

By configuring the anti-jitter time during alarm restoration, you can suppress the alarm flapping.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
cfm md md-name

Step 3 Run:
ma ma-name

Step 4 Run:
alarm occur time time
The anti-jitter time during alarm generation is configured.

----End
(Optional) Disabling an RDI Alarm from Triggering a CFM Association

This section describes how to disable a remote defect indication (RDI) alarm from triggering
connectivity fault management (CFM). If CFM is associated with another feature in the
operation, administration and maintenance (OAM) manager (MGR) view on a device, you can
decide whether to enable an RDI alarm to trigger CFM.
Procedure
Step 1 Run:
system-view

Step 2 Run:
Issue 02 (2013-12-31)

888

Equipment
3 Reliability
cfm md md-name
The maintenance domain (MD) view is displayed.

Step 3 Run:
ma ma-name
The maintenance association (MA) view is displayed.

Step 4 Run:
alarm rdi track-action oam-mgr disable
CFM is not triggered by an RDI alarm.

----End
3.6.4 Fault Verification on the Ethernet

By sending detection packets and waiting for replies, you can test connectivity of the path
between devices.

Before configuring the Ethernet fault verification function, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain the required data. This
can help you complete the configuration task quickly and accurately.
To manually detect the connectivity between two devices, you can send test packets and wait
for a reply to test whether the destination device is reachable.
l
For the network where the MD, MA, and MEP are configured, you can implement 802.1ag
MAC ping to test the connectivity between MEPs at the same maintenance level or between
MEPs and MIPs at the same maintenance level.
Before implementing 802.1ag MAC ping, complete the following tasks:
l
Configuring Ethernet CFM
No pre-configuration tasks are needed to implement Gmac ping and PBB-TE MAC ping.
Data Preparation
To detect the connectivity on the Ethernet, you need the following data.
Issue 02 (2013-12-31)
No.
Data
(Optional) Bridge MAC address of the device on which the destination MEP resides
or ID of the destination MEP
(Optional) Bridge MAC address of the device on which the destination MIP resides
889

Equipment
3 Reliability
No.
Data
(Optional) Number, PRI, size, timeout period, and outbound interface of LBMs
(Optional) Implementing 802.1ag MAC Ping

By performing the 802.1ag MAC ping, you can detect connectivity between MEPs or between
MEPs and MIPs within an MA.
Context
Similar to the ping operation, 802.1ag MAC ping checks whether the destination device is
reachable by sending test packets and receiving response packets. In addition, the ping operation
time can be calculated at the transmitting end for network performance analysis.
Procedure
Step 1 Do as follows on the ATN with a MEP at one end of the link to be tested.
1.
Run:
system-view

2.
Run:
cfm md md-name

3.
Run:
ma ma-name

4.
Run:
ping mac-8021ag mep mep-id mep-id { md md-name ma ma-name [ mac mac-address |
remote-mep mep-id mep-id ] | mac mac-address | remote-mep mep-id mep-id } [ c count | interface interface-type interface-number | -s packetsize | -t
timeout | -p priority-value ] *
The connectivity between a MEP and a MEP or a MIP on other devices is tested.
When implementing 802.1ag MAC ping, ensure that:
l The MA is associated with a VLAN.
l The MEP is configured in the MA.
l If the outbound interface is specified, it cannot be configured with an inward-facing
MEP. The interface must be added to the VLAN associated with the MA.
l If the destination node is a MEP, either mac mac-address or remote-mep mep-id mepid can be selected.
l If the destination node is a MIP, select mac mac-address.
The intermediate device on the link to be tested only forwards LBMs and LBRs. In this
manner, the MD, MA, or MEP are not required to be configured on the intermediate device.
----End
Issue 02 (2013-12-31)

890

Equipment
3 Reliability
3.6.5 Locating the Fault on the Ethernet

By sending test packets and waiting for a reply, you can test connectivity of the path between
devices and locate faults.

Before configuring the Ethernet fault verification function, familiarize yourself with the
To locate the connectivity fault between two devices, you can send test packets and wait for
reply packets to test the path between the local device and the destination device and to locate
faults.
l
For the network where the MD, MA, and MEP are configured, you can implement 802.1ag
MAC trace to locate the connectivity fault between MEPs at the same maintenance level
or between MEPs and MIPs at the same maintenance level.
Before implementing 802.1ag MAC trace, complete the following tasks:
l
Configuring Ethernet CFM
Data Preparation
To locate the connectivity fault on the Ethernet, you need the following data.
No.
Data
(Optional) Bridge MAC address of the device on which the destination MEP resides
or ID of the destination MEP
(Optional) Bridge MAC address of the device on which the destination MIP resides
(Optional) Outbound interface of Linktrace Messages (LTMs)
(Optional) Timeout period for waiting for an LTR
(Optional) Time to Live (TTL) of LTMs
(Optional) Implementing 802.1ag MAC Trace

By performing the 802.1ag MAC trace, you can detect connectivity between MEPs or between
MEPs and MIPs within an MA and locate faults.
Issue 02 (2013-12-31)

891

Equipment
3 Reliability
Context
Similar to tracerout or tracert, 802.1ag MAC trace tests the path between the local device and a
destination device or locates failure points by sending test packets and receiving reply packets.
Procedure
Step 1 A device is usually configured with multiple MDs and MAs. To determine the forwarding path
for sending packets from a MEP to another MEP or a MIP in an MA or failure points, perform
either of the following operations on the ATN with a MEP at one end of the link to be tested.
l MA view
1.
Run:
system-view

2.
Run:
cfm portid-tlv type
The portid-tlv type for trace packets is set.

3.
Run:
cfm md md-name

4.
Run:
ma ma-name

5.
Run:
trace mac-8021ag mep mep-id mep-id { md md-name ma ma-name { mac macaddress | remote-mep mep-id mep-id } | mac mac-address | remote-mep mep-id
mep-id } [ interface interface-type interface-number | -t timeout | ttl
ttl ] *
The connectivity fault between the local ATN and the remote ATN is located.
Run the trace mac-8021ag command without md md-name ma ma-name in the MA view
to determine a forwarding path or failure point in a specified MA.
Run the trace mac-8021ag md md-name ma ma-name command in the MA view to
determine a forwarding path or failure point in a specified MA.
l All views except the MA view:
1.
Run:
cfm portid-tlv type
The portid-tlv type for trace packets is set.

2.
Run:
trace mac-8021ag mep mep-id mep-id md md-name ma ma-name { mac mac-address
| remote-mep mep-id mep-id } [ interface interface-type interface-number |
-t timeout | ttl ttl ] *
The connectivity fault between the ATN and the remote ATN is located.
When implementing 802.1ag MAC trace, ensure that:
l The MA is associated with a VLAN.
Issue 02 (2013-12-31)

892

Equipment
3 Reliability
l The MEP is configured in the MA.

l If the outbound interface is specified, it cannot be configured with an inward-facing MEP.
The interface must be added to the VLAN associated with the MA.
l If the destination node is a MEP, either mac mac-address or remote-mep mep-id mep-id
can be selected. And mac address must be created and learned.
l If the destination node is a MIP, select mac mac-address.
l If the forwarding entry of the destination node does not exist in the MAC address table,
interface interface-type interface-number must be specified.
The intermediate device on the link to be tested only forwards LTMs and LTRs. In this manner,
the MD, MA, or MEP are not required to be configured on the intermediate device.
----End
3.6.6 Configuring Association Between Ethernet CFM and an

Interface
Only the ATN 910ATN 910I/ATN 910B/ATN 950B (with the AND2CXPB/AND2CXPE
configured) supports the association between Ethernet CFM and an interface.The association
between Ethernet CFM and an interface is used to detect faults of an active link in the LACP
static link aggregation group or in the manually-configured 1:1 active/standby link aggregation
group and then trigger the protection switchover.
Before You Start

Before configuring the association between Ethernet CFM and an interface, familiarize yourself
with the usage scenario, complete the pre-configuration tasks, and obtain the required data.
After Ethernet CFM is associated with an interface, when a MEP detects a connectivity fault
between the MEP and a specified RMEP within the same MA, the OAM management module
shuts down and then turns on the interface on which the MEP resides so that the other modules
can sense the fault.
Figure 3-33 Diagram of associating Ethernet CFM with an interface (1)
E th e rn e t C F M
ATN A
G E 0 /2 /0
G E 2 /0 /1
C X -B
T h e in te rfa ce a sso cia te d w ith E th e rn e t C F M
Issue 02 (2013-12-31)

893

Equipment
3 Reliability
Ethernet CFM
ATN A
GE0/2/0 GE2/0/1
GE1/0/1 GE2/0/1
CX-B
CX-C
The interface associated with Ethernet CFM
Ethernet CFM is used to detect a directly connected link shown in Figure 3-33, or a multi-hop
link shown in Figure 3-34. Configure Ethernet CFM on ATN A and CX-B; associate Ethernet
CFM with GE 0/2/0 on ATN A. When the CFM OAM module on ATN A detects a connectivity
fault between ATN A and CX-B, the OAM management module shuts down GE 0/2/0 and then
starts it so that the other interfaces on ATN A can sense the fault.
GE0/2/4
GE0/2/0
ATN A
Ethernet CFM
Link1
Link2
Link3
GE1/0/1
GE1/0/2
GE0/2/0
Active link
Inactive link
Aggregation group in
static LACP mode
CX-B
GE1/0/3
MEPs in MA1
MEPs in MA2
MEPs in MA3
Configure the link aggregation group in static LACP mode on ATN A and CX-B. Enable
Ethernet CFM on ATN A and CX-B. ATN A and CX-B belong to the same MD. Configure the
MEP on all the member interfaces of the aggregation group. MEPs on the interfaces of the same
link are configured within the same MA. MEPs on the interfaces along the same link belong to
the same MA. MEPs on the interfaces on different links belong to different MAs. Ethernet CFM
detects the link connectivity by exchanging CCMs between MEPs of the same link. You can
then associate Ethernet CFM with the interfaces.
When a connectivity fault occurs on Link 1, the OAM management modules on ATN A and
CX-B shut down and then turn on their GE 7/3/0 interfaces respectively. In this manner, the
LACP module senses the connectivity fault on Link 1 and switches the service data forwarded
on Link 1 to the inactive Link 3. This implements protection switching in no more than 50 ms
to achieve carrier-class reliability.
Before associating Ethernet CFM with an interface, complete the following tasks:
l
Issue 02 (2013-12-31)
Configure the link aggregation group.

894

Equipment
3 Reliability
Configure Ethernet CFM.
Data Preparation
To associate Ethernet CFM with an interface, you need the following data.
No.
Data
Name of an MD, MA, and ID of an RMEP
Associating Ethernet CFM with an Interface

Through the configured association between Ethernet CFM and an interface, a MEP in a
specified MA can detect a connectivity fault between the MEP and a specified RMEP within
the same MA. Then, the OAM module blocks and then unblocks the interface on which the MEP
resides so that other modules can sense the fault.
Context
Perform the following steps on the ATN configured with the link aggregation group in static
LACP mode:
Procedure
Step 1 Run:
system-view

Step 2 Run:
The view of a member interface of the link aggregation group is displayed.

Step 3 Run:
cfm md md-name ma ma-name remote-mep mep-id mep-id trigger if-down
Ethernet CFM is associated with an interface.

By default, an interface is not associated with Ethernet CFM.
It is required that outward-facing MEPs be created in the specified MA and the current interface
is configured with outward-facing MEPs before you use the cfm md md-name ma ma-name
remote-mep mep-id mep-id trigger if-down command.
An interface can be associated with an RMEP only. You need to delete the current configurations
to modify the mapping between the interface and the RMEP.
If multiple member interfaces exist in the link aggregation group, you should repeat Step 2 and
Step 3 to associate Ethernet CFM with all the member interfaces.
----End
Issue 02 (2013-12-31)

895

Equipment
3 Reliability

By viewing the Trigger-If-down field, you can check whether the configurations are successful.
Prerequisites
The configurations of Associating Ethernet CFM with an Interface function are complete.
Procedure
Step 1 Run the display cfm remote-mep [ md md-name [ ma ma-name [ mep-id mep-id ] ] ] command
to check detailed information about an RMEP.
----End
3.6.7 Associating EFM OAM with Ethernet CFM

By configuring the association between EFM OAM and Ethernet CFM, you can implement the
bidirectional fault notification.
Before You Start

Before configuring the association between EFM OAM and Ethernet CFM, familiarize yourself
IEEE 802.3ah is designed for the last mile of the Ethernet to detect the direct link between a
NodeB and a PE. IEEE 802.1ag is designed for a group of services or some specific network
devices to detect faults on the network. It functions between the following devices:
l
NodeB and RNC
PE and PE
RNC and PE
As shown in Figure 3-36, EFM OAM or Ethernet CFM runs between NodeB and PE1, and
between RNC and PE2; Ethernet CFM runs between PE1 and PE2. Configure the association
between Ethernet OAMs. When a fault occurs on the link between NodeB and PE1, Ethernet
CFM sends alarms of the fault to RNC.
Figure 3-36 Diagram of associating Ethernet OAM with Ethernet OAM
PE1
PE2
RNC
Before associating Ethernet OAM with Ethernet OAM, complete the following tasks:
Issue 02 (2013-12-31)

896

Equipment
3 Reliability
Configure Basic Ethernet CFM.
Data Preparation
To associate Ethernet OAM with Ethernet OAM, you need the following data.
No.
Data
Number of the interfaces to be associated
Name of an MD and an MA
Associating Ethernet OAM with Ethernet OAM

You can configure the fault notification mode as required.
Context
Perform the following steps on the CEs:
Procedure
Step 1 Run:
system-view

Step 2 Run:
oam-mgr
The OAM management view is displayed.

l Run:
oam-bind cfm md md-name ma ma-name efm interface interface-type interface-number
The bidirectional transmission of fault messages between EFM OAM and Ethernet CFM is
configured.
l Run:
oam-bind ingress efm interface interface-type interface-number egress cfm md mdname ma ma-name
EFM OAM is configured to send fault messages to Ethernet CFM.

l Run:
oam-bind ingress cfm md md-name ma ma-name egress efm interface interface-type
interface-number
Ethernet CFM is configured to send fault messages to EFM OAM.

l Run:
oam-bind ingress cfm md md-name1 ma ma-name1 egress cfm md md-name2 ma ma-name2
Ethernet CFM at one side is configured to send fault messages to Ethernet CFM at the other
side.
Issue 02 (2013-12-31)

897

Equipment
3 Reliability
l Run:
oam-bind cfm md md-name1 ma ma-name1 cfm md md-name2 ma ma-name2
The bidirectional transmission of fault messages between Ethernet CFMs at both sides is
configured.
NOTE
After Ethernet OAM is associated with other functional modules, note the following:
l If EFM OAM is disabled on an interface, the association between EFM OAM and other functional
modules is deleted.
l If an MA or MD is deleted, the association between Ethernet CFM and other functional modules is
deleted.
----End

By viewing whether Ethernet CFM sends trap messages to advertise fault information to the
peer, you can check whether the configurations are successful.
Procedure
l
After the preceding configuration, when Ethernet OAM running between CE1 and PE1
detects faults, Ethernet CFM notifies Ethernet OAM running between CE2 and PE2 of the
fault.
You can also query the current interface status using the value of the Line protocol current
state field in the display interface [ interface-type [ interface-number ] ] command.
----End
3.6.8 Configuring Association Between Ethernet CFM and an

Interface (Triggering the Physical Status of the Interface Associated
with Ethernet CFM to Become Down)
Only the ATN 910/ATN 910I/ATN 910B/ATN 950B (with the AND2CXPB/AND2CXPE
configured) supports the association between Ethernet CFM and an interface.After the
association between Ethernet CFM and an interface is configured in the OAM management
view, local Ethernet CFM can detect a fault and then notify the OAM management module of
the fault. This triggers the physical status of the interface associated with Ethernet CFM to
become Down.
Before You Start

Before configuring the association between Ethernet CFM and an interface, you must enable
Ethernet CFM globally on each device.
As shown in Figure 3-37, Ethernet CFM is enabled on PE1 and PE2. When a fault occurs on a
link between PEs, a CE needs to detect the fault to ensure reliable service transmission. In this
case, the associations between Ethernet CFM and interfaces need to be configured. Take PE2
as an example. When detecting a link fault, Ethernet CFM notifies the OAM management
Issue 02 (2013-12-31)

898

Equipment
3 Reliability
module of the fault on PE2. This triggers the physical status of GE 1/0/2 associated with Ethernet
CFM to become Down. CE2 can then detect the fault and switch traffic to a backup path, which
ensures reliable service transmission.
Figure 3-37 Networking diagram of the association between Ethernet CFM and an interface
PE1
PE2
Ethernet CFM
GE1/0/1
GE1/0/2
GE1/0/1
GE1/0/2
CE1
CE2
Interface associated with Ethernet CFM
Interface enabled with Ethernet CFM
Before configuring the association between Ethernet CFM and an interface (in the OAM
management view), complete the following task:
l
Configuring Basic Ethernet CFM Functions
Data Preparation
To configure the association between Ethernet CFM and an interface (in the OAM management
view), you need the following data.
No.
Data
Type and number of each interface associated with Ethernet CFM
Type and number of each interface enabled with Ethernet CFM
Name of an MD and MA
Configuring Association Between Ethernet CFM and an Interface

Ethernet CFM can be associated with only one interface. When Ethernet CFM is associated with
an interface, it cannot be associated with another interface. In addition, the interface cannot be
associated with Ethernet CFM on another device.
Issue 02 (2013-12-31)

899

Equipment
3 Reliability
Context
Perform the following steps on the device that needs the association.
Procedure
Step 1 Run:
system-view

Step 2 Run:
oam-mgr

Step 3 Configure unidirectional transmission of fault information between Ethernet CFM and an
interface according to Table 3-9.
Table 3-9 Configuration schemes for Ethernet CFM and interface association
Scenario
Configuration Scheme 1
Configuration Scheme 2
Fault
information
needs to be
transmitted
unidirection
ally between
Ethernet
CFM and an
interface.
If fault information needs to be

transmitted from Ethernet CFM to the
interface, use the following
command:
None
oam-bind ingress cfm md ma trigger

if-down egress interface
----End

After the association between Ethernet CFM and an interface is successfully configured, you
can view the related association configuration in the OAM management view.
Prerequisites
All configurations of the association between Ethernet CFM and an interface are complete.
Procedure
Step 1 Run the display this command in the OAM management view to check whether Ethernet CFM
and an interface are successfully associated.
----End
Issue 02 (2013-12-31)

900

Equipment
3 Reliability
3.6.9 Associating Ethernet CFM with VLL

In the VLL network, you can configure CFM to monitor and manage the connectivity faults of
the link.
Before You Start

Before configuring EFM and VLL combination, familiarize yourself with the usage scenario,
Figure 3-38 Networking diagram for associating Ethernet CFM with VLL
CE1
PE1
PE2
CE2
VLL
User
Network
User
Network
On the VLL network shown in Figure 3-38, CFM can be configured to monitor link connectivity
and implement MAC ping and trace to locate and diagnose faults.
PE1 and PE2 are connected by a VLL network. CFM is configured between CE1 and PE1, CE1
and PE2, and PE1 and PE2. PE1 accesses the VLL network through one of the following
interfaces:
Before associating Ethernet CFM with VLL by using sub-interfaces for QinQ VLAN tag
termination, complete the following tasks:
l
Configure a Martini VLL.

For details, refer to the chapter "VLL Configuration" in the Configuration Guide - VPN.
Configure a sub-interface to access the VLL network.

For the procedure of connecting a sub-interface or VLANIF interface to the VLL
network, see the chapter "VLL Configuration" in the Configuration Guide - VPN.
Data Preparation
To associate Ethernet CFM with VLL, you need the following data.
Issue 02 (2013-12-31)

901

Equipment
3 Reliability
No.
Data
Destination address and VC ID of an L2VC
Name of an interface to which an L2VC is bound
Names of MDs and MAs
ID of a MEP, name of the interface on which the MEP resides, and type of the MEP
Interval for MEPs sending CCMs in an MA
Configuring Ethernet CFM on PEs on a VLL

Ethernet CFM provides end-to-end connectivity detection, fault notification, fault verification,
and fault location. Providing the preceding functions, Ethernet CFM can be used to detect the
connectivity of the entire network and locate faults. This helps improve the reliability of the
network.
Context
NOTE
l When performing 802.1ag MAC trace between PEs, you cannot specify the outbound interface for
sending trace packets.
l The current MA must be associated with an L2VC, and the type of the MEP must be inward-facing.
After an MEP is bound to a PW interface, the MEP is outward-facing.
Perform the following steps on the PEs:
Procedure
Step 1 Run:
system-view

Step 2 Run:
cfm md md-name [ level level ]

Step 3 Run:
ma ma-name

Step 4 Run:
map mpls l2vc vc-id { raw | tagged }
The L2VC is associated with a MA.

NOTE
MA cannot be associated with backup VC in 802.1ag.
Issue 02 (2013-12-31)

902

Equipment
3 Reliability
The interface of the raw type and the interface of the tagged type process packets in different
manners, as shown in Table 3-10 and Table 3-11.
Table 3-10 Packet processing on the inbound interface
Type of the
Inbound Interface
raw Encapsulation (Ethernet

Encapsulation)
tagged Encapsulation
(VLAN Encapsulation)
Dot1q sub-interface
Strips one tag.
Reserves the tag, and no action is

required.
Table 3-11 Packet processing on the outbound interface

Type of the
Outbound
Interface
raw Encapsulation (Ethernet

Encapsulation)
Dot1q sub-interface
Adds one tag.
Replaces the tag with the tag that

is encapsulated on the outbound
interface.
Step 5 Configure a MEP based on the interface type.

Table 3-12 MEP configurations on different interfaces
Interface Type
Configuration Note
Common interface
Run the mep mep-id mep-id interface interface-type interfacenumber.subnumber inward command to create a MEP.
PW
Run themep mep-id mep-id peer-ip peer-ip [ vc-id vc-id ]

[ mac mac-address ] { ouward | inward } command to create a
MEP.
Step 6 Run:
An RMEP is created in the MA.

Step 7 Run:
A MEP is enabled to send CCMs.

Step 8 Run:
The MEP is enabled to receive CCMs from the RMEP in the same MA.
Issue 02 (2013-12-31)

903

Equipment
3 Reliability
NOTE
If a PW interface-based MEP has been configured, the MEP cannot be enabled to sent CCMs.
----End
Configuring Ethernet CFM Between the CE and Local PE

By configuring Ethernet CFM between a CE and the local PE, you can implement end-to-end
detection, advertisement, verification, and location of connectivity faults between the CE and
the local PE.
Procedure
l
Perform the following steps on the PE:

NOTE
The MA configured on the PE must be associated with an L2VC, and the type of the MEP must be
outward-facing.
1.
Run:
system-view

2.
Run:

3.
Run:
ma ma-name

4.
Run:
The L2VC is associated with a MA.

NOTE
The interface of the raw type and the interface of the tagged type process packets in
different manners, as shown in Table 3-13 and Table 3-14.
Table 3-13 Packet processing on the inbound interface
Issue 02 (2013-12-31)
Type of the
Inbound
Interface
raw Encapsulation
(Ethernet Encapsulation)
Dot1q subinterface
Strips one tag.
Reserves the tag, and no

action is required.
Dot1q termination
sub-interface
Strips one tag.
Reserves the tag, and no

action is required.

904

Equipment
3 Reliability
Table 3-14 Packet processing on the outbound interface
5.
Type of the
Outbound
Interface
raw Encapsulation
Dot1q subinterface
Adds one tag.
Replaces the tag with the tag

that is encapsulated on the
outbound interface.
Dot1q termination
sub-interface
Adds one tag.
Replaces the tag with the tag

that is encapsulated on the
outbound interface.
Configure a MEP based on the interface type.

6.
Interface Type
Configuration Note
Common interface
Run the mep mep-id mep-id interface interface-type

interface-number.subnumber outward command to
create a MEP.
Run:

7.
Run:

8.
Run:
remote-mep ccm-receive [ mep-idmep-id ] enable
l
Perform the following steps on the CE:

1.
Run:
system-view

2.
Run:

3.
Run:
ma ma-name

4.
Run:
map vlan vlan-id
Issue 02 (2013-12-31)

905

Equipment
3 Reliability
The MA is bound to a VLAN.

5.
Run:
mep mep-id mep-id interface-type interface-number outward
A MEP is created.
6.
Run:

7.
Run:
The MEP is enabled to send CCMs.

8.
Run:
The MEP in the MA is enabled to receive CCMs sent by the RMEP in the same MA.
----End
Configuring Ethernet CFM on the CE and Remote PE

Run Ethernet CFM between the CE and remote PE to check connectivity by exchanging CCMs.
In addition, MAC ping and MAC trace can be performed.
Context
The detailed configuration is similar to that in Configuring Ethernet CFM Between the CE
and Local PE, and is not mentioned here.
NOTE
l The MA configured on the remote PE must be associated with an L2VC, and the type of the MEP must
be inward-facing.
l The rule for creating the MIP needs to be configured on transit nodes.
For the rule for creating the MIP, see (Optional) Setting the Rule for Creating a MIP.

After Ethernet CFM is associated with VLL by using sub-interfaces, you can view information
about the MEPs and REMPs in the specified MD and MA, and the CFM status of different MAs.
Prerequisites
The configurations of associating Ethernet CFM and VLL by using sub-interfaces for QinQ
VLAN tag termination are complete.
Procedure
l
Run the display cfm md [ md-name ] command to view detailed information about the
MD.
Run the display cfm ma [ md md-name [ ma ma-name ] ] command to view detailed

information about the MA.
Issue 02 (2013-12-31)

906

Equipment
3 Reliability
to view detailed information about the MEP.

command to view detailed information about the RMEP.
command to view information about the MIP.
NOTE
You can run the display cfm mip commands to view detailed information about a MIP only after
the MIP is created.
----End
3.6.10 Associating Ethernet CFM with VPLS

In the VPLS network, you can configure CFM to monitor and manage the connectivity faults of
the link.
Before You Start

Before configuring CFM and VPLS combination, familiarize yourself with the usage scenario,
On the VPLS network shown in Figure 3-39, CFM can be configured to monitor link
connectivity and implement MAC ping and trace to locate and diagnose faults.
Figure 3-39 Networking diagram for associating Ethernet CFM with VPLS I
CE1
PE1
PE2
CE2
VPLS
User
Network
User
Network
PE1 and PE2 are connected by a VPLS network. CFM is configured between CE1 and PE1,
CE1 and PE2, and PE1 and PE2. PE1 accesses the VPLS network through one of the following
interfaces:
l
Common interface
Before associating Ethernet CFM with VPLS by using sub-interfaces, complete the following
tasks:
l

Issue 02 (2013-12-31)

907

Equipment
3 Reliability
Configure a sub-interface to access the VPLS network.

For the procedure of connecting a sub-interface or VLAN to the VPLS network, see the
chapter "VPLS Configuration" in the Configuration Guide - VPN.
Data Preparation
To associate Ethernet CFM with VPLS by using sub-interfaces for QinQ VLAN tag termination,
you need the following data.
No.
Data
Name and ID of a VSI
Name of an interface to which a VSI is bound
Names of MDs and MAs
ID of an MEP, name of the interface on which the MEP resides, and type of the MEP
Interval for MEPs sending CCMs in an MA
Configuring Ethernet CFM on PEs on a VPLS

Context
NOTE
l If 802.1ag MAC trace needs to be implemented to locate the connectivity fault between the PEs, you
cannot specify the outbound interface for sending trace packets.
l The current MA must be associated with a VSI and the type of the MEP must be inward-facing.After
an MEP is bound to a PW interface, the MEP is outward-facing.
Perform the following steps on the PEs:
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ma ma-name

Issue 02 (2013-12-31)

908

Equipment
3 Reliability
Step 4 Run:
map vsi vsi-name
The MA is associated with a VSI.

Step 5 Configure a MEP based on the interface type.
Interface Type
Configuration Note
Common interface
Run the mep mep-id mep-id interface interface-type interfacenumber.subnumber inward command to create a MEP.
PW
Run themep mep-id mep-id peer-ip peer-ip [ vc-id vc-id ]

[ mac mac-address ] { ouward | inward } command to create a
MEP.
Step 6 Run:
An RMEP in the MA is created.

Step 7 Run:
The MEPs are enabled to send CCMs.

Step 8 Run:
The local MEP is enabled to receive CCMs from the RMEP within the same MA.
NOTE
If a PW interface-based MEP has been configured, the MEP cannot be enabled to sent CCMs.
----End
Configuring Ethernet CFM on the CE and Local PE

Run Ethernet CFM between the switch and local PE to check connectivity by exchanging CCMs.
Procedure
l
Perform the following steps on the PE:

NOTE
The MA configured on the PE must be associated with a VSI, and the type of the MEP must be
outward-facing.
1.
Run:
system-view

2.
Run:
Issue 02 (2013-12-31)

909

Equipment
3 Reliability

3.
Run:
ma ma-name

4.
Run:
map vsi vsi-name
The MA is associated with a VSI.

5.
Configure a MEP based on the interface type.

6.
Interface Type
Configuration Note
Common subinterfaces
Run the mep mep-id mep-id interface interface-type

interface-number.subnumber outward command to
create a MEP.
Run:

7.
Run:

8.
Run:
l
Perform the following steps on the CE:

1.
Run:
system-view

2.
Run:

3.
Run:
ma ma-name

4.
Run:
map vlan vlan-id

5.
Run:
mep mep-id mep-id interface-type interface-number outward
Issue 02 (2013-12-31)

910

Equipment
3 Reliability
A MEP is created.
6.
Run:

7.
Run:

8.
Run:
The MEP in the MA is enabled to receive CCMs sent by the RMEP in the same MA.
----End
Configuring Ethernet CFM on the Switch and Remote PE

Run Ethernet CFM between the switch and remote PE to check connectivity by exchanging
CCMs. In addition, MAC ping and MAC trace can be performed.
Context
The detailed configuration is similar to that in Configuring Ethernet CFM on the CE and
Local PE, and is not mentioned here.
NOTE
l The MA configured on the remote PE must be associated with a VSI, and the type of the MEP must
be inward-facing.
l The rule for creating the MIP needs to be configured on transit nodes.
For the rule for creating the MIP, see (Optional) Setting the Rule for Creating a MIP.

After Ethernet CFM is associated with VPLS by using sub-interfaces, you can view information
about the MEPs and REMPs in the specified MD and MA, and the CFM status of different MAs.
Prerequisites
The configurations of associating Ethernet CFM and VPLS by using sub-interfaces for QinQ
VLAN tag termination are complete.
Procedure
l
Run the display cfm md [ md-name ] command to view detailed information about the
MD.
Run the display cfm ma [ md md-name [ ma ma-name ] ] command to view detailed

information about the MA.
to view detailed information about the MEP.
Issue 02 (2013-12-31)

911

Equipment
3 Reliability

command to view detailed information about the RMEP.
command to view information about the MIP.
NOTE
You can run the display cfm mip commands to view detailed information about a MIP only after
the MIP is created.
----End
3.6.11 Maintaining Ethernet OAM

This section describes how to maintain Ethernet OAM. Detailed operations include monitoring
Ethernet OAM.
Monitoring the Running Status of Ethernet OAM

By monitoring the operating status of Ethernet OAM, you can view information about Ethernet
OAM.
Context
In routine maintenance, you can select to run the following commands in any view To check the
running status of Ethernet OAM.
Procedure
l
Run the display oam global configuration command in any view to check the global
configurations of Ethernet OAM on the device.
in any view to check information about a MEP.
command in any view to check information about a MIP.
Run the display cfm remote-mep [ md md-name ma ma-name mep-id mep-id | [ md mdname [ ma ma-name [ mep-id mep-id ] ] ] ] command in any view to check information
about an RMEP.
Run the display efm session { all | interface interface-type interface-number } command
in any view to check information about the EFM OAM session between the specified
interface and the peer.
----End

The following sections provide several examples for configuring CFM. Each configuration
example consists of the networking requirements, configuration precautions, and configuration
roadmap.
Issue 02 (2013-12-31)

912

Equipment
3 Reliability
Example for Configuring Ethernet CFM

In this example, by configuring basic Ethernet CFM, you can implement end-to-end connectivity
fault detection.
The Ethernet shown in Figure 3-40 is managed by two ISPs. ISP 1 manages CX-A, CX-B, and
CX-D. ISP 2 manages CX-C, ATN E, CX-F, ATN G, ATN H, and ATN I. It is required that
connectivity detection be implemented on the network.
Figure 3-40 Diagram of configuring Ethernet CFM
VLAN2
GE0/2/1
VLAN2
CX-A
ATNI
GE1/0/0
ATNE
GE1/0/1
GE1/0/0
GE1/0/2
GE0/2/1
MD2
CX-D
GE0/2/0
VLAN2
CX-F
GE1/0/1
GE1/0/0
GE1/0/2
CX-C
ATNH
GE0/2/2
CX-B
MD1
ATNG
GE0/2/0
GE0/2/1
VLAN3
VLAN3
MD1
MEP of MA1
MEP of MA2
MD2
MEP of MA3
1.
Create VLANs and add interfaces to the corresponding VLAN.
2.
Create MD 1 at level 6 on all the equipment.
Issue 02 (2013-12-31)

913

Equipment
3 Reliability
3.
Create MA 1 within MD 1 on all the equipment except ATN G. Associate MA 1 with VLAN
2.
4.
Create MA 2 within MD 1 on all the equipment except ATN E and ATN I. Associate MA
2 with VLAN 3.
5.
Create MD 2 at level 4 on CX-A, CX-B, CX-C, and CX-D. Create MA 3 within MD 2.

Associate MA 3 with VLAN 4.
6.
Create MEPs and RMEPs on ATN I, ATN H, and ATN E in MA 1 within MD 1.
7.
Create MEPs and RMEPs on ATN H and ATN G in MA 2 within MD 1.
8.
Create MEPs and RMEPs on CX-A, CX-C, and CX-D in MA 3 within MD 2.
9.
Enable the sending and receiving of CCMs.
Data Preparation
l
MD 1 at level 6
MD 2 at level 4
Procedure
Step 1 Create VLANs and add interfaces to the corresponding VLAN. The detailed configuration is
not mentioned here.
Step 2 Create MD 1.
# Create MD 1 on CX-A.
<CX-A> system-view
[CX-A] cfm enable
Info: Operation succeeded.
[CX-A] cfm md md1 level 6
# Create MD 1 on CX-B, CX-C, CX-D, ATN E, CX-F, ATN G, ATN H, and ATN I.
The detailed configuration is not mentioned here. The configuration is similar to that on CX-A.
Step 3 Create and configure MA 1 within MD 1 on all the device except ATN G.
# Create and configure MA 1 on CX-A within MD 1.
[CX-A-md-md1] ma ma1
[CX-A-md-md1-ma-ma1] map vlan 2
[CX-A-md-md1-ma-ma1] quit
# Create and configure MA 1 on CX-B, CX-C, CX-D, ATN E, CX-F, ATN H, and ATN I within
MD 1.
Step 4 Create and configure MA 2 within MD 1 on all the device except ATN E and ATN I.
# Create and configure MA 2 on CX-A within MD 1.
[CX-A-md-md1] quit
Issue 02 (2013-12-31)

914

Equipment
3 Reliability
# Create and configure MA 2 on CX-B, CX-C, CX-D, CX-F, ATN G, and ATN H within MD
1.
Step 5 Create MD 2 on CX-A, CX-B, CX-C, and CX-D. Create and configure MA 3 within MD 2.
# Create MD 2 on CX-A. Create and configure MA 3 within MD 2.
[CX-A] cfm md md2 level 4
[CX-A-md-md2] quit
# Create MD 2 on CX-B, CX-C, and CX-D. Create and configure MA 3 within MD 2.

Step 6 Configure MEPs and RMEPs on ATN E, ATN H, and ATN I in MA 1 within MD 1.
# Configure a MEP on ATN E in MA 1 within MD 1.
[ATNE] cfm md md1
[ATNE-md-md1] ma ma1
[ATNE-md-md1-ma-ma1] mep mep-id 3 interface gigabitethernet 0/2/1 inward
# Configure a MEP on ATNH in MA 1 within MD 1.

[ATNH] cfm md md1
[ATNH-md-md1] ma ma1
[ATNH-md-md1-ma-ma1] mep mep-id 2 interface gigabitethernet 0/2/2 inward
# Configure a MEP on ATNI in MA 1 within MD 1.

[ATNI] cfm md md1
[ATNI-md-md1] ma ma1
[ATNI-md-md1-ma-ma1] mep mep-id 1 interface gigabitethernet 0/2/1 inward
# Configure an RMEP on ATNE in MA 1 within MD 1.

[ATNE-md-md1-ma-ma1] remote-mep mep-id 1
[ATNE-md-md1-ma-ma1] remote-mep mep-id 2
# Configure an RMEP on ATNH in MA 1 within MD 1.

[ATNH-md-md1-ma-ma1] remote-mep mep-id 1
# Configure an RMEP on ATNI in MA 1 within MD 1.

[ATNI-md-md1-ma-ma1] remote-mep mep-id 2
[ATNI-md-md1-ma-ma1] remote-mep mep-id 3
Step 7 Configure MEPs and RMEPs on ATN H and ATN G in MA 2 within MD 1.

# Configure a MEP on ATN H in MA 2 within MD 1.
[ATNH] cfm md md1
[ATNH-md-md1] ma ma2
[ATNH-md-md1-ma-ma2] mep mep-id 1 interface gigabitethernet 0/2/1 inward
# Configure a MEP on ATN G in MA 2 within MD 1.

[ATNG] cfm md md1
[ATNG-md-md1] ma ma2
[ATNG-md-md1-ma-ma2] mep mep-id 2 interface gigabitethernet 0/2/0 inward
Issue 02 (2013-12-31)

915

Equipment
3 Reliability
# Configure an RMEP on ATN H in MA 2 within MD 1.

# Configure an RMEP on ATN G in MA 2 within MD 1.

[ATNG-md-md1-ma-ma2] remote-mep mep-id 1
Step 8 Configure MEPs and RMEPs on CX-A, CX-C, and CX-D in MA 3 within MD 2.
# Configure a MEP on CX-A in MA 3 within MD 2.
[CX-A] cfm md md2
[CX-A-md-md2-ma-ma3] mep mep-id 1 interface gigabitethernet 1/0/0 inward
# Configure a MEP on CX-C in MA 3 within MD 2.

[CX-C] cfm md md2
[CX-C-md-md2] ma ma3
[CX-C-md-md2-ma-ma3] mep mep-id 2 interface gigabitethernet 1/0/1 outward
# Configure a MEP on CX-D in MA 3 within MD 2.

[CX-D] cfm md md2
[CX-D-md-md2] ma ma3
[CX-D-md-md2-ma-ma3] mep mep-id 3 interface gigabitethernet 1/0/0 inward
# Configure an RMEP on CX-A in MA 3 within MD 2.

[CX-A-md-md2-ma-ma3] remote-mep mep-id 2
[CX-A-md-md2-ma-ma3] remote-mep mep-id 3
# Configure an RMEP on CX-C in MA 3 within MD 2.

[CX-C-md-md2-ma-ma3] remote-mep mep-id 1
[CX-C-md-md2-ma-ma3] remote-mep mep-id 3
# Configure an RMEP on CX-D in MA 3 within MD 2.

[CX-D-md-md2-ma-ma3] remote-mep mep-id 1
[CX-D-md-md2-ma-ma3] remote-mep mep-id 2
Step 9 Enable the sending and receiving of CCMs.

# Enable the sending of CCMs on the MEP on CX-A.
[CX-A-md-md2-ma-ma3] mep ccm-send enable
# Enable the receiving of CCMs from the RMEP on CX-A.

[CX-A-md-md2-ma-ma3] remote-mep ccm-receive enable
# Enable the sending of CCMs on MEPs and the receiving of CCMs from RMEPs on CX-B,
CX-C, CX-D, ATN E, CX-F, ATN G, ATN H, and ATN I.
----End
Configuration Files
l
Configuration file of CX-A

#
sysname CX-A
#
Issue 02 (2013-12-31)

916

Equipment
3 Reliability
vlan batch 2 to 4
#
cfm enable
#
portswitch
port trunk allow-pass vlan 2 to 4
#
portswitch
#
portswitch
#
cfm md md1 level 6
ma ma1
map vlan 2
ma ma2
map vlan 3
#
cfm md md2 level 4
ma ma3
map vlan 4
mep mep-id 1 interface gigabitethernet 1/0/0 inward
remote-mep mep-id 2
remote-mep mep-id 3
#
return

#
sysname CX-B
#
vlan batch 2 to 4
#
cfm enable
#
portswitch
#
portswitch
#
cfm md md1 level 6
ma ma1
map vlan 2
ma ma2
map vlan 3
#
cfm md md2 level 4
ma ma3
map vlan 4
#
return

#
sysname CX-C
#
vlan batch 2 to 4
Issue 02 (2013-12-31)

917

Equipment
3 Reliability
#
cfm enable
#
portswitch
#
portswitch
#
cfm md md1 level 6
ma ma1
map vlan 2
ma ma2
map vlan 3
#
cfm md md2 level 4
ma ma3
map vlan 4
mep mep-id 2 interface gigabitethernet 1/0/0 outward
remote-mep mep-id 1
remote-mep mep-id 3
#
return

#
sysname CX-D
#
vlan batch 2 to 4
#
cfm enable
#
portswitch
#
portswitch
#
cfm md md1 level 6
ma ma1
map vlan 2
ma ma2
map vlan 3
#
cfm md md2 level 4
ma ma3
map vlan 4
remote-mep mep-id 1
remote-mep mep-id 2
#
return
Configuration file of ATN E

#
sysname ATNE
#
Issue 02 (2013-12-31)

918

Equipment
3 Reliability
vlan batch 2
#
cfm enable
#
portswitch
port trunk allow-pass vlan 2
#
portswitch
#
cfm md md1 level 6
ma ma1
map vlan 2
remote-mep mep-id 1
remote-mep mep-id 2
#
return
Configuration file of CX-F

#
sysname CX-F
#
vlan batch 2 to 3
#
cfm enable
#
portswitch
#
portswitch
#
portswitch
#
cfm md md1 level 6
ma ma1
map vlan 2
ma ma2
map vlan 3
#
return
Configuration file of ATN G

#
sysname ATNG
#
vlan batch 3
#
cfm enable
#
portswitch
#
portswitch
Issue 02 (2013-12-31)

919

Equipment
3 Reliability
#
cfm md md1 level 6
ma ma2
map vlan 3
remote-mep mep-id 1
#
return
Configuration file of ATN H

#
sysname ATNH
#
vlan batch 2 to 3
#
cfm enable
#
portswitch
#
portswitch
#
portswitch
#
cfm md md1 level 6
ma ma1
map vlan 2
remote-mep mep-id 1
remote-mep mep-id 3
ma ma2
map vlan 3
remote-mep mep-id 2
#
return
Configuration file of ATN I

#
sysname ATNI
#
vlan batch 2
#
cfm enable
#
portswitch
#
portswitch
#
cfm md md1 level 6
ma ma1
Issue 02 (2013-12-31)

920

Equipment
3 Reliability
map vlan 2
remote-mep mep-id 2
remote-mep mep-id 3
#
return
Example for Configuring the Ethernet CFM Function (Layer 2 Network Accessing
Layer 3 Network)
This section describes the example for configuring the Ethernet CFM function to monitor the
end-to-end connectivity in a scenario where the Layer 2 network accesses the Layer 3 network.
As shown in Figure 3-41, VPLS is deployed between PE1 and PE2. PE3 and PE4 working in
master/slave mode are used to connect the Layer 2 network to the Layer 3 network. The
connectivity of links between the following devices needs to be monitored in real time:
l
Link between the CE and PE3
Link between the CE and PE4
Link between the PE3 and PE4
Figure 3-41 Networking diagram for configuring the Ethernet CFM function (Layer 2 network
accessing Layer 3 network)
PE1
PE3
GE1/0/2
GE1/0/2
GE1/0/1
IP Core
CE
GE1/0/3
GE0/2/1
GE1/0/2
GE1/0/1
GE1/0/2
PE2
PE4
1.
Configure a PW between PE2 and PE1 to transmit packets between PE2 and PE1.
2.
Configure CFM to monitor the connectivity of the link between the CE and PE3.
3.
Configure CFM to monitor the connectivity of the link between the CE and PE4.
4.
Configure CFM to monitor the connectivity of the link between PE3 and PE4.
Issue 02 (2013-12-31)

921

Equipment
3 Reliability
Data Preparation
l
MD name and MA name
Procedure
Step 1 Configure a VPLS connection.
Configure a VPLS connection between PE1 and PE2. For details, see the section "VPLS
Configuration" in the Configuration Guide - VPN or the configuration files of the configuration
example.
After the preceding configuration completes, run the display vsi name vsi-name verbose
command on PE1 to view VSI and PW information.
<PE1>display vsi name ldp1
***VSI Name
Administrator VSI
Isolate Spoken
VSI Index
PW Signaling
Member Discovery Style
PW MAC Learn Style
Encapsulation Type
MTU
Diffserv Mode
Service Class
Color
DomainId
Domain Name
Ignore AcState
P2P VSI
Create Time
VSI State
Resource Status
VSI ID
*Peer Router ID
primary or secondary
ignore-standby-state
VC Label
Peer Type
Session
Tunnel ID
Broadcast Tunnel ID
Broad BackupTunnel ID
CKey
NKey
StpEnable
PwIndex
Interface Name
State
Access Port
Last Up Time
Total Up Time
verbose
: ldp1
: no
: disable
: 0
: ldp
: static
: unqualify
: vlan
: 1500
: uniform
: -: -: 255
:
: disable
: disable
: 3 days, 22 hours, 58 minutes, 0 seconds
: up
: Valid
:
:
:
:
:
:
:
:
:
:
:
:
:
:
1
2.2.2.224
primary
no
4096
dynamic
up
0x82004004
0x82004004
0x0
6
5
0
0
:
:
:
:
:
GigabitEthernet1/0/2.1
up
false
2000/01/28 23:56:24
3 days, 22 hours, 56 minutes, 10 seconds
**PW Information:
*Peer Ip Address
PW State
Local VC Label
Issue 02 (2013-12-31)
: 2.2.2.224
: up
: 4096

922

Equipment
Remote VC Label
PW Type
Tunnel ID
Broadcast Tunnel ID
Ckey
Nkey
Main PW Token
Slave PW Token
Tnl Type
OutInterface
Backup OutInterface
Stp Enable
Mac Flapping
PW Last Up Time
PW Total Up Time
3 Reliability
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
4096
label
0x82004004
0x82004004
0x0
0x6
0x5
0x82004004
0x0
LSP
0
0
2000/01/29 01:37:08
After the preceding configuration completes, run the display vsi name vsi-name verbose
command on PE2 to view VSI and PW information.
<PE2>display vsi name ldp1
***VSI Name
Administrator VSI
Isolate Spoken
VSI Index
PW Signaling
PW MAC Learn Style
Encapsulation Type
MTU
Diffserv Mode
Service Class
Color
DomainId
Domain Name
Ignore AcState
P2P VSI
Create Time
VSI State
Resource Status
VSI ID
*Peer Router ID
VC Label
Peer Type
Session
Tunnel ID
Broadcast Tunnel ID
CKey
NKey
StpEnable
PwIndex
Interface Name
State
Access Port
Last Up Time
Total Up Time
Interface Name
State
Access Port
Last Up Time
Total Up Time
Issue 02 (2013-12-31)
verbose
: ldp1
: no
: disable
: 0
: ldp
: static
: unqualify
: vlan
: 1500
: uniform
: -: -: 255
:
: disable
: disable
: up
: Valid
:
:
:
:
:
:
:
:
:
:
:
:
:
:
1
1.1.1.223
primary
no
4096
dynamic
up
0x81004001
0x81004001
0x0
2
1
0
0
:
:
:
:
:
:
:
:
:
:
up
false
2000/01/01 01:01:21
up
false
2000/01/01 01:42:11

923

Equipment
3 Reliability
**PW Information:
*Peer Ip Address
PW State
Local VC Label
Remote VC Label
PW Type
Tunnel ID
Broadcast Tunnel ID
Ckey
Nkey
Main PW Token
Slave PW Token
Tnl Type
OutInterface
Backup OutInterface
Stp Enable
Mac Flapping
PW Last Up Time
PW Total Up Time
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
1.1.1.223
up
4096
4096
label
0x81004001
0x81004001
0x0
0x2
0x1
0x81004001
0x0
LSP
0
0
2000/01/01 02:11:03
Step 2 # Configure the CFM function to monitor the link between the CE and PE3.
# Configure the CFM function on the CE.
<ATN> system-view
[ATN] sysname CE
[CE] cfm enable
[CE] vlan 2
[CE-vlan2] quit
[CE] interface GigabitEthernet0/2/1
[CE-GigabitEthernet1/0/1] portswitch
[CE-GigabitEthernet1/0/1] port trunk allow-pass vlan 2
[CE-GigabitEthernet1/0/1] quit
[CE] cfm md md
[CE-md-md] ma ma
[CE-md-md-ma-ma] map vlan 2
[CE-md-md-ma-ma] mep mep-id 1 interface GigabitEthernet0/2/1 outward
[CE-md-md-ma-ma] mep ccm-send mep-id 1 enable
[CE-md-md-ma-ma] remote-mep mep-id 2
[CE-md-md-ma-ma] remote-mep ccm-receive mep-id 2 enable
[CE-md-md-ma-ma] remote-mep mep-id 3
[CE-md-md-ma-ma] remote-mep ccm-receive mep-id 3 enable
# Configure the CFM function on PE3.

<PE3> system-view
[PE3] cfm enable
[PE3] interface GigabitEthernet 1/0/2.1
[PE3--GigabitEthernet1/0/2.1] vlan-type dot1q 2
[PE3--GigabitEthernet1/0/2.1] quit
[PE3] cfm md md
[PE3-md-md] ma ma
[PE3-md-md-ma-ma] mep mep-id 2 interface GigabitEthernet1/0/2.1 vlan 2 outward
[PE3-md-md-ma-ma] mep ccm-send mep-id 2 enable
[PE3-md-md-ma-ma] remote-mep mep-id 1
[PE3-md-md-ma-ma] remote-mep ccm-receive mep-id 1 enable
# Configure the CFM function on PE4.

<PE4> system-view
[PE4] cfm enable
Issue 02 (2013-12-31)

924

Equipment
3 Reliability
[PE4] interface GigabitEthernet 1/0/2.1

[PE4--GigabitEthernet1/0/2.1] vlan-type dot1q 2
[PE4--GigabitEthernet1/0/2.1] quit
[PE4] cfm md md
[PE4-md-md] ma ma
[PE4-md-md-ma-ma] mep mep-id 3 interface GigabitEthernet1/0/2.1 vlan 2 outward
[PE4-md-md-ma-ma] mep ccm-send mep-id 3 enable

Run the display cfm remote-mep command on the CE. The command output shows that the
remote MEP is Up.
[CE]display cfm remote-mep
-------------------------------------------------MD Name
: md
Level
: 0
MA Name
: ma
RMEP ID
: 2
VLAN ID
: 2
VSI Name
: -L2VC ID
: -MAC
: 0018-82d4-04c3
CCM Receive
: enabled
Trigger-If-Down
: disabled
CFM Status
: up
Alarm Status
: none
MD Name
Level
MA Name
RMEP ID
VLAN ID
VSI Name
L2VC ID
MAC
CCM Receive
Trigger-If-Down
CFM Status
Alarm Status
:
:
:
:
:
:
:
:
:
:
:
:
md
0
ma
3
2
--0018-8267-7f7d
enabled
disabled
up
none
Run the display cfm remote-mep command on PE3. The command output shows that the remote
MEP is Up.
[PE3]display cfm remote-mep
-------------------------------------------------MD Name
: md
Level
: 0
MA Name
: ma
RMEP ID
: 1
VLAN ID
: -VSI Name
: -L2VC ID
: -MAC
: -CCM Receive
: enabled
Trigger-If-Down
: disabled
CFM Status
: up
Alarm Status
: none
Issue 02 (2013-12-31)

925

Equipment
MD Name
Level
MA Name
RMEP ID
VLAN ID
VSI Name
L2VC ID
MAC
CCM Receive
Trigger-If-Down
CFM Status
Alarm Status
:
:
:
:
:
:
:
:
:
:
:
:
3 Reliability
md
0
ma
3
----enabled
disabled
up
none
----End
Configuration Files
l
Configuration file of the CE

#
sysname CE
#
vlan 2
#
cfm
enable
#
interface
portswitch
undo
shutdown
#
cfm md
md
ma
ma
map vlan
2
mep mep-id 1 interface GigabitEthernet0/2/1
outward
mep ccm-send mep-id 1
enable
remote-mep mep-id
2
remote-mep ccm-receive mep-id 2
enable
remote-mep mep-id
3
enable
#
return

#
sysname PE1
#
cfm
enable
#
mpls lsr-id
1.1.1.223
mpls
Issue 02 (2013-12-31)

926

Equipment
3 Reliability
#
mpls
l2vpn
#
vsi ldp1
static
pwsignal
ldp
vsi-id
1
peer
2.2.2.224
#
mpls
ldp
#
interface
undo
shutdown
255.255.255.0
mpls
mpls
ldp
#
interface
vlan-type dot1q
2
l2 binding vsi ldp1
#
interface
LoopBack0
255.255.255.0
#
ospf
1
area
0.0.0.0
network 2.2.2.223
0.0.0.0
network 192.168.1.0
0.0.0.255
network 1.1.1.223
0.0.0.0
#
return

#
sysname PE3
#
cfm
enable
#
interface
vlan-type dot1q
2
#
cfm md
md
ma
Issue 02 (2013-12-31)

927

Equipment
3 Reliability
ma
mep mep-id 2 interface GigabitEthernet1/0/2.1 vlan 2
outward
enable
remote-mep mep-id
1
remote-mep mep-id 3
enable
#
return

#
sysname PE4
#
cfm
enable
#
interface
vlan-type dot1q 2
#
cfm md
md
ma
ma
mep mep-id 3 interface GigabitEthernet1/0/6.1 vlan 2
outward
enable
remote-mep mep-id
1
remote-mep mep-id 2
enable
#
return
Example for Configuring the Default MD for Ethernet CFM

In this example, you can configure the default MD on a device on which a lower-level MD
resides so that the higher-level MD can detect the topology change of the lower-level MD.
As shown in Figure 3-42, CX-B and CX-C are managed by ISP1, and ATNA, CX-D, CX-E,
and CX-F are managed by ISP2. To enable the CFM function, you can configure the default MD
on the device configured with an MD of a low level.
Issue 02 (2013-12-31)

928

Equipment
3 Reliability
Figure 3-42 Networking diagram of configuring the default MD for Ethernet CFM
VLAN3
CX-C
CX-B
GE0/2/0
/0/1
GE 1
CX-E
G
E1
/0
/2
G
E1
/0
/1
VLAN2
GE1/0/2
CX-F
GE0/2/1
GE0/2/2
ATNA
CX-D
GE1
/0/3
VLAN3
GE1/0/1
VLAN2
MEP of MA1
MEP of MA2
MIP
1.
Create a VLAN and add related interfaces to the VLAN.
2.
Create MD1 at Level 6 on all the devices except for CX-B and CX-C.
Create MD2 at Level 4 on CX-B and CX-C.
3.
Create the default MD at Level 6 on CX-B and CX-C, associate the default MD with VLAN
2 and VLAN 3, and set the MIP generation rule to default.
4.
Create and configure MA1 within MD1 on all the devices except for CX-B and CX-C.
(MA1 is associated with VLAN 2.)
Create and configure MA2 within MD1 on all the devices except for CX-B and CX-C..
(MA2 is associated with VLAN 3.)
5.
Create and configure MEPs and RMEPs on MA1 in MD1 of ATNA and CX-F.
Create and configure MEPs and RMEPs in MA2 within MD1 of ATNA and CX-E.
6.
Enable the CCM transmission function.
Data Preparation
l
Issue 02 (2013-12-31)
Range of VLAN IDs to which interfaces belong

929

Equipment
MD1 at Level 6
MD2 at Level 4
Default MD at Level 6
3 Reliability
Procedure
Step 1 Create a VLAN and add related interfaces to the VLAN. The configuration is not mentioned
here.
Step 2 Create MD1.
# Create MD1 on ATNA.
<ATNA> system-view
[ATNA] cfm enable
Info: Enable the CFM successfully!
[ATNA] cfm md md1 level 6
[ATNA] quit
# Create MD1 on CX-D, CX-E, and CX-F.

The configurations on CX-D, CX-E, and CX-F are the same as the configurations on ATNA,
and are not mentioned here.
Step 3 Create MD2.
# Create MD2 on CX-B.
<CX-B> system-view
[CX-B] cfm enable
Info: Enable the CFM successfully!
[CX-B] cfm md md2 level 4
[CX-B] quit
# Create MD2 on CX-C.

The configurations on CX-C are the same as the configurations on CX-B, and are not mentioned
here.
Step 4 Create the default MD and associate the default MD with VLAN 2 and VLAN 3 on CX-B and
CX-C.
# Create the default MD and associate the default MD to VLAN 2 and VLAN 3 on CX-C.
<CX-B> system-view
[CX-B] cfm default md level 6
[CX-B-default-md] vlan 2 to 3
[CX-B-default-md] quit
Create the default MD and associate the default MD to VLAN 2 and VLAN 3 on CX-C.
here.
Step 5 Set the MIP generation rule in the default MD on CX-B and CX-C.
# Set the MIP generation rule in the default MD on CX-B.
<CX-B> system-view
[CX-B] cfm default md
[CX-B-default-md] mip create-type default
[CX-B-default-md] quit
Issue 02 (2013-12-31)

930

Equipment
3 Reliability
# Set the MIP generation rule in the default MD on CX-C.

here.
Step 6 Create and configure MA1 within MD1 on all the devices except for CX-B and CX-C.
# Create MA1 within MD1 on ATNA.
[ATNA] cfm md md1
# Create MA1 within MD1 on CX-D and CX-F.

The configurations on CX-D and CX-F are the same as the configurations on ATNA, and are
not mentioned here.
Step 7 Create and configure MA2 within MD1 on all the devices except for CX-B and CX-C.
# Create MA2 within MD1 on ATNA.
[ATNA-md-md1] quit
# Create MA2 within MD1 on CX-D and CX-E.

The configurations on CX-D and CX-E are the same as the configurations on ATNA, and are
not mentioned here.
Step 8 Create and configure MEPs and RMEPs in MA1 within MD1 on ATNA and CX-F.
# Create and configure a MEP in MA1 within MD1 on ATN A.
[ATNA] cfm md md1
[ATNA-md-md1-ma-ma1] mep mep-id 2 interface gigabitethernet 0/2/1 inward
# Create and configure a MEP in MA1 within MD1 on CX-F.

[CX-F] cfm md md1
[CX-F-md-md1] ma ma1
[CX-F-md-md1-ma-ma1] mep mep-id 1 interface gigabitethernet 1/0/1 inward
# Create and configure an RMEP in MA1 within MD1 on ATN A.

# Create and configure an RMEP in MA1 within MD1 on ATNF.

[ATNF-md-md1-ma-ma1] remote-mep mep-id 2
Step 9 Create and configure MEPs and RMEPs in MA2 within MD1 on ATNA and CX-E.
# Create and configure a MEP in MA2 within MD1 on ATNA.
[ATNA] cfm md md1
[ATNA-md-md1-ma-ma2] mep mep-id 1 interface gigabitethernet 0/2/2 inward
# Create and configure a MEP in MA2 within MD1 on CX-E.

[CX-E] cfm md md1
Issue 02 (2013-12-31)

931

Equipment
3 Reliability
[CX-E-md-md1] ma ma2
[CX-E-md-md1-ma-ma2] mep mep-id 2 interface gigabitethernet 1/0/2 inward
# Create and configure an RMEP in MA2 within MD1 on ATN A.

# Create and configure an RMEP in MA2 within MD1 on CX-E.

[CX-E-md-md1-ma-ma2] remote-mep mep-id 1
Step 10 Enable the CCM transmission function.

# Enable the function of sending CCMs on all MEPs of ATNA.
# Enable ATN A with the function of receiving CCMs from the RMEP.
# Enable the function of sending CCMs on all MEPs of CX-E and CX-F, and enable the function
of receiving CCMs from all RMEPs on CX-E and CX-F.
The configurations on CX-E and CX-F are the same as the configurations on ATNA, and are
not mentioned here.
After the preceding configurations are successful and the network converges, run the following
commands to verify the configuration. Take the display on CX-B and ATNA as an example:
l Run the display cfm default md command on CX-B. You can view that the default MD at
Level 6 is configured and associated with VLAN 2 and VLAN 3. You can also view that the
MIP generation rule is set to default.
[CX-B] display cfm default md
Level
MIP Create-type
SenderID TLV-type
VLAN List
--------------------------------------------------------------------------------------6
default
Defer
2 to 3
l Perform the 802.1ag MAC trace operation on ATN A. You can view that the 802.1ag MAC
trace operation is successful and no connectivity fault occurs between ATN A and CX-E
<ATNA> system
[ATNA] cfm md md1
[ATNA--md-md1-ma-ma1] trace mac-8021ag mac aa99-6600-5600
Tracing the route to aa99-6600-5600 over a maximum of 255 hops:
Hops Mac
Ingress
Ingress Action
Relay Action
Forwarded
Egress
Egress Action
Ismep
1
2155-2201-3302
IngOK
RlyFDB
Forwarded
EgrOK
2
5522-1101-5503
IngOK
RlyFDB
Forwarded
EgrOk
3
2234-6432-3344
IngOK
RlyFDB
Forwarded
EgrOk
4
4323-5332-5522
IngOK
RlyFDB
Forwarded
EgrOk
5
aa99-6600-5600
IngOK
Issue 02 (2013-12-31)

No
No
No
No
932

Equipment
3 Reliability
RlyHit
Not Forwarded
Yes
Info: Succeed in tracing the destination address aa99-6600-5600.
----End
Configuration Files
l

#
sysname ATNA
#
vlan batch 2 to 3
#
cfm enable
#
undo shutdown
portswitch
#
undo shutdown
portswitch
#
undo shutdown
portswitch
#
cfm md md1 level 6
ma ma1
map vlan 2
remote-mep mep-id 1
ma ma2
map vlan 3
remote-mep mep-id 2
#
return

#
sysname CX-B
#
vlan batch 2 to 3
#
cfm enable
#
undo shutdown
portswitch
#
undo shutdown
portswitch
#
Issue 02 (2013-12-31)

933

Equipment
3 Reliability
cfm md md2 level 4

#
cfm default md level 6
mip create-type defaul
vlan 2 to 3
#
return

#
sysname CX-C
#
vlan batch 2 to 3
#
cfm enable
#
undo shutdown
portswitch
#
undo shutdown
portswitch
#
cfm md md2 level 4
#
cfm default md level 6
mip create-type defaul
vlan 2 to 3
#
return

#
sysname CX-D
#
vlan batch 2 to 3
#
cfm enable
#
undo shutdown
portswitch
#
undo shutdown
portswitch
#
undo shutdown
portswitch
#
cfm md md1 level 6
ma ma1
map vlan 2
ma ma2
map vlan 3
#
return
Configuration file of CX-E

#
Issue 02 (2013-12-31)

934

Equipment
3 Reliability
sysname CX-E
#
vlan batch 3
#
cfm enable
#
undo shutdown
portswitch
#
undo shutdown
portswitch
#
cfm md md1 level 6
ma ma2
map vlan 3
remote-mep mep-id 1
#
return

#
sysname CX-F
#
vlan batch 2
#
cfm enable
#
undo shutdown
portswitch
#
undo shutdown
portswitch
#
cfm md md1 level 6
ma ma1
map vlan 2
remote-mep mep-id 2
#
return
Example for Associating Ethernet CFM with an Interface

In this example, by associating Ethernet CFM with an interface, you can detect a fault on the
link between a CE and a UPE through LACP.
As shown in Figure 3-43, a user network is connected to an ISP network through ATN A and
CX-B. ATN A acts as the CE device. CX-B acts as the UPE device. It is required that the
following be achieved:
Issue 02 (2013-12-31)

935

Equipment
3 Reliability
The bandwidth for the user network to access the ISP network is 2000 Mbit/s and an inactive
link that serves as a backup is provided.
When the active link between the user network and the ISP network fails, the LACP module
on the interface can sense the fault within 50 ms and stop forwarding data on the active
link.
Figure 3-43 Diagram of associating Ethernet CFM with an interface
ISP network
CX-B
GE1/0/3
GE1/0/1
GE1/0/2
GE0/2/2
GE0/2/3
GE0/2/1
ATNA
User
network 1
Active link
Inactive link
Link aggregation group in
static LACP mode
1.
Configure the link aggregation group with three member interfaces on ATN A and CX-B
respectively. The three member interfaces are all GE interfaces.
2.
Configure Ethernet CFM on ATN A and CX-B. To allow the LACP module to sense the
connectivity fault within 50 ms, set the interval for sending and detecting CCMs to 10 ms
within each MA.
3.
Associate Ethernet CFM with all the member interfaces of the aggregation groups in static
LACP mode on ATN A and CX-B.
Data Preparation
l
Issue 02 (2013-12-31)
The number of the aggregation groups in static LACP mode on ATN A and CX-B is 2.
936

Equipment
3 Reliability
The three member interfaces of the aggregation group in static LACP mode on ATN A are
GE 0/2/1, GE 0/2/2, and GE 0/2/3.
The three member interfaces of the aggregation group in static LACP mode on CX-B are
GE 1/0/1, GE 1/0/2, and GE 1/0/3.
Procedure
Step 1 Configure the aggregation group in static LACP mode.
The detailed configuration is not mentioned here. For details, refer to the Configuration Guide
- LAN Access and MAN Access.
Step 2 Configure Ethernet CFM.
# Enable Ethernet CFM globally on ATN A.
[ATNA] cfm enable
# Create the MD, MA, MEP, and RMEP on ATN A.

[ATNA] cfm md md1
[ATNA-md-md1-ma-ma1]
[ATNA-md-md1] quit
ccm-interval 10
remote-mep mep-id 1
mep ccm-send enable
remote-mep ccm-receive enable
quit
ccm-interval 10
remote-mep mep-id 3
mep ccm-send enable
quit
ccm-interval 10
remote-mep mep-id 5
mep ccm-send enable
quit
# Enable Ethernet CFM globally on ATN B.

[CX-B] cfm enable
# Create the MD, MA, MEP, and RMEP on ATN B.

[CX-B] cfm md md1
[CX-B-md-md1] ma ma1
[CX-B-md-md1-ma-ma1]
Issue 02 (2013-12-31)
ccm-interval 10
remote-mep mep-id 2
mep ccm-send enable
quit
ccm-interval 10
remote-mep mep-id 4
mep ccm-send enable

937

Equipment
[CX-B-md-md1] quit
[CX-B] quit
3 Reliability
quit
ccm-interval 10
remote-mep mep-id 6
mep ccm-send enable
quit
# Verify the configuration.

Run the display cfm mep command and the display cfm remote-mep command. If information
about the MEP and RMEP is displayed, it means that the configuration succeeds. For example,
the detailed information on CX-B is displayed as follows:
[CX-B] display cfm mep md md1
The total number of MEPs is 3
MD Name
: md1
MD Name Format
: string
Level
: 0
MA Name
: ma1
MA Name Format
: string
MEP ID
: 1
VLAN ID
: -VSI Name
: -Interface Name
CCM Send
: enabled
Direction
: outward
MD Name
: md1
MD Name Format
: string
Level
: 0
MA Name
: ma2
MA Name Format
: string
MEP ID
: 3
VLAN ID
: -VSI Name
: -Interface Name
CCM Send
: enabled
Direction
: outward
MD Name
: md1
MD Name Format
: string
Level
: 0
MA Name
: ma3
MA Name Format
: string
MEP ID
: 5
VLAN ID
: -VSI Name
: -Interface Name
CCM Send
: enabled
Direction
: outward
[CX-B] display cfm remote-mep md md1
The total number of RMEPs is 3
The status of RMEPs : 3 up, 0 down
-------------------------------------------------MD Name
: md1
Level
: 0
MA Name
: ma1
RMEP ID
: 2
VLAN ID
: -VSI Name
: -L2VC ID
: -MAC
: -CCM Receive
: enabled
Trigger-If-Down
: disabled
CFM Status
: up
Issue 02 (2013-12-31)

938

Equipment
Alarm Status
MD Name
Level
MA Name
RMEP ID
VLAN ID
VSI Name
L2VC ID
MAC
CCM Receive
Trigger-If-Down
CFM Status
Alarm Status
MD Name
Level
MA Name
RMEP ID
VLAN ID
VSI Name
L2VC ID
MAC
CCM Receive
Trigger-If-Down
CFM Status
Alarm Status
3 Reliability
: None
: md1
: 0
: ma2
: 4
: -: -: -: -: enabled
: disabled
: up
: None
: md1
: 0
: ma3
: 6
: -: -: -: -: enabled
: disabled
: up
: None
Step 3 Associate Ethernet CFM with the member interfaces of the aggregation group in static LACP
mode.
# Associate Ethernet CFM with the member interfaces of Eth-Trunk 2 on ATN A.
[ATNA-GigabitEthernet0/2/1] cfm md md1 ma ma1 remote-mep mep-id 1 trigger if-down
# Associate Ethernet CFM with the member interfaces of Eth-Trunk 2 on CX-B.

[CX-B] interface gigabitethernet1/0/1
[CX-B-GigabitEthernet1/0/1] cfm md md1 ma ma1 remote-mep mep-id 2 trigger if-down
[CX-B-GigabitEthernet1/0/1] quit

Run the display cfm remote-mep command. If the item of "Trigger-If-down" is displayed as
"enable", it means that the configuration succeeds. For example, the detailed information on
CX-B is displayed as follows:
[CX-B] display cfm remote-mep md md1
-------------------------------------------------MD Name
: md1
Level
: 0
MA Name
: ma1
RMEP ID
: 2
Issue 02 (2013-12-31)

939

Equipment
VLAN ID
VSI Name
L2VC ID
MAC
CCM Receive
Trigger-If-Down
CFM Status
Alarm Status
MD Name
Level
MA Name
RMEP ID
VLAN ID
VSI Name
L2VC ID
MAC
CCM Receive
Trigger-If-Down
CFM Status
Alarm Status
MD Name
Level
MA Name
RMEP ID
VLAN ID
VSI Name
L2VC ID
MAC
CCM Receive
Trigger-If-Down
CFM Status
Alarm Status
3 Reliability
: -: -: -: -: enabled
: enabled
: up
: None
: md1
: 0
: ma2
: 4
: -: -: -: -: enabled
: enabled
: up
: None
: md1
: 0
: ma3
: 6
: -: -: -: -: enabled
: enabled
: up
: None
----End
Configuration Files
l

#
sysname ATNA
#
cfm enable
#
portswitch
mode lacp-static
#
eth-trunk 2
cfm md md1 ma ma1 remote-mep mep-id 1 trigger
#
eth-trunk 2
#
eth-trunk 2
#
cfm md md1
ma ma1
ccm-interval 10
remote-mep mep-id 1
Issue 02 (2013-12-31)

if-down
if-down
if-down
outward
940

Equipment
3 Reliability
ma ma2
ccm-interval 10
remote-mep mep-id 3
ma ma3
ccm-interval 10
remote-mep mep-id 5
#
return

#
sysname CX-B
#
lacp priority 100
#
cfm enable
#
portswitch
mode lacp-static
max bandwidth-affected-linknumber 2
#
eth-trunk 2
lacp priority 2000
#
eth-trunk 2
lacp priority 2000
#
eth-trunk 2
#
cfm md md1
ma ma1
ccm-interval 10
remote-mep mep-id 2
ma ma2
ccm-interval 10
remote-mep mep-id 4
ma ma3
ccm-interval 10
remote-mep mep-id 6
#
return
Issue 02 (2013-12-31)

if-down
if-down
if-down
outward
outward
outward
941

Equipment
3 Reliability
Example for Associating EFM OAM with Ethernet CFM

In this example, by configuring EFM OAM and Ethernet CFM, you can implement the fault
notification.
As shown in Figure 3-44, configure EFM OAM to run between ATN A and CX-B, and between
CX-C and CX-D; configure Ethernet CFM to run between CX-B and CX-C. This implements
end-to-end link detection. When a fault occurs on the link between ATN A and CX-B, Ethernet
CFM is triggered to send alarms of the fault to CX-D.When a fault occurs on the link between
CX-C and CX-D, Ethernet CFM is triggered to send alarms of the fault to ATN A.
Figure 3-44 Diagram of associating EFM OAM with Ethernet CFM
ATNA
CX-B
CX-C
CX-D
GE0/2/1
GE1/0/0
GE2/0/0
GE1/0/0
GE2/0/0
GE1/0/0
GE0/2/0
GE2/0/0
VLAN10
VLAN10
1.
Create a VLAN and add interfaces to the VLAN.
2.
Configure EFM OAM to run between ATN A and CX-B.
3.
Configure Ethernet CFM to run between CX-B and CX-C.
4.
Configure EFM OAM to run between CX-C and CX-D.
5.
Associate EFM OAM with Ethernet CFM on CX-B and CX-C.
Procedure
Step 1 Create VLAN 10 and add interfaces to VLAN 10.
Step 2 Configure EFM OAM to run between ATN A and CX-B.
# Configure ATN A.
[ATNA] efm enable
Issue 02 (2013-12-31)

942

Equipment
3 Reliability
[ATNA-GigabitEthernet0/2/0] efm mode passive

[ATNA-GigabitEthernet0/2/0] efm enable
# Configure CX-B.
[CX-B] efm enable
[CX-B] interface gigabitethernet 1/0/0
[CX-B-GigabitEthernet1/0/0] efm enable
Step 3 Configure Ethernet CFM to run between CX-B and CX-C.

# Configure CX-B.
[CX-B] cfm enable
[CX-B] cfm md md1
map vlan 10
remote-mep mep-id 2
mep ccm-send enable
return
# Configure CX-C.
[CX-C] cfm enable
[CX-C] cfm md md1
[CX-C-md-md1] ma ma1
[CX-C-md-md1-ma-ma1]
map vlan 10
remote-mep mep-id 1
mep ccm-send enable
return
Step 4 Configure EFM OAM to run between CX-C and CX-D.

# Configure CX-C.
[CX-C] efm enable
[CX-C] interface gigabitethernet 1/0/0
[CX-C-GigabitEthernet1/0/0] efm enable
[CX-C-GigabitEthernet1/0/0] quit
# Configure CX-D.
[CX-D] efm enable
[CX-D] interface gigabitethernet 1/0/0
[CX-D-GigabitEthernet1/0/0] efm mode passive
[CX-D-GigabitEthernet1/0/0] efm enable
[CX-D-GigabitEthernet1/0/0] quit
Step 5 Associate EFM OAM with Ethernet CFM.

# Associate EFM OAM running between ATN A and CX-B with Ethernet CFM running between
CX-B and CX-C.
[CX-B] oam-mgr
[CX-B-oam-mgr] oam-bind cfm md md1 ma ma1 efm interface gigabitethernet 1/0/0
# Associate Ethernet CFM running between CX-B and CX-C with EFM OAM running between
CX-C and CX-D.
[CX-C] oam-mgr
[CX-C-oam-mgr] oam-bind cfm md md1 ma ma1 efm interface gigabitethernet 1/0/0
Issue 02 (2013-12-31)

943

Equipment
3 Reliability

After the preceding configuration, when EFM OAM running between ATN A and CX-B detects
faults, Ethernet CFM notifies EFM OAM running between CX-C and CX-D of the faults.
----End
Configuration Files
l

#
sysname ATNA
#
vlan batch 10
#
efm enable
#
portswitch
efm mode passive
efm enable
#
portswitch
#
return

#
sysname CX-B
#
vlan batch 10
#
efm enable
#
cfm enable
#
portswitch
efm enable
#
portswitch
#
cfm md md1
ma ma1
map vlan 10
mep ccm-send enable
remote-mep mep-id 2
#
oam-mgr
oam-bind cfm md md1 ma ma1 efm interface gigabitethernet 1/0/0
#
return

#
sysname CX-C
#
Issue 02 (2013-12-31)

944

Equipment
3 Reliability
vlan batch 10
#
efm enable
#
cfm enable
#
portswitch
efm enable
#
portswitch
#
cfm md md1
ma ma1
map vlan 10
mep ccm-send enable
remote-mep mep-id 1
#
oam-mgr
oam-bind cfm md md1 ma ma1 efm interface gigabitethernet 1/0/0
#
return

#
sysname CX-D
#
vlan batch 10
#
efm enable
#
portswitch
efm mode passive
efm enable
#
portswitch
#
return
Example for Configuring VPLS Ethernet CFM

In this example, by configuring VPLS Ethernet CFM, you can detect connectivity faults between
PEs.
As shown in Figure 3-45, Martini VPLS runs on the backbone network and LDP is used as
signaling to create Pseudo Wires (PWs). Configure VPLS Ethernet CFM on PEs to fast detect
VPLS connectivity between PEs.
Issue 02 (2013-12-31)

945

Equipment
3 Reliability
Figure 3-45 Diagram of configuring VPLS Ethernet CFM
CE3
GE0/2/0.1
10.1.1.3/24
PE3 GE1/0/0.1
GE2/0/0
100.2.1.2/30
GE3/0/0
100.2.1.1/30
Loopback1
1.1.1.1/32
GE1/0/0.1
GE3/0/0
100.3.1.2/30
Loopback1
3.3.3.3/32
PE1
GE2/0/0
100.1.1.1/30
GE3/0/0
100.3.1.1/30
PE2
GE2/0/0
100.1.1.2/30
GE0/2/0.1
10.1.1.1/24
CE1
Loopback1
2.2.2.2/32
GE1/0/0.1
GE0/2/0.1
10.1.1.2/24
CE2
1.
Run the Interior Gateway Protocol (IGP) on the backbone network. ATNs across the
backbone network then can communicate.
2.
Configure the routing protocols on the backbone network to enable communication

between ATNs and basic functions of MPLS.
3.
Set up LSP tunnels between PEs.
4.
Enable MPLS L2VPN on PEs.
5.
Create Virtual Switch Instances (VSIs) on PEs and bind VSIs to Attachment Circuit (AC)
interfaces.
6.
Configure VPLS Ethernet CFM on PEs.
Data Preparation
l
MPLS LSR ID of each PE
Issue 02 (2013-12-31)

946

Equipment
3 Reliability
VSI name and VSI ID of each PE
Interfaces bound to the VSI
Name and level of the MD, name of the MA, MEP ID, name of the interface on which the
MEP resides, and type of the MEP
Procedure
# Configure PE1.
[HUAWEI] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] ip address 100.1.1.1 30
[PE1-GigabitEthernet2/0/0] undo shutdown
[PE1-GigabitEthernet2/0/0] quit
# Configure PE2.
[PE2] interface LoopBack 1
# Configure PE3.
Step 2 Configure the IGP on the MPLS backbone network. The Open Shortest Path First (OSPF) is
used as the IGP protocol in this example.
NOTE
When configuring OSPF, advertise the 32-bit addresses of loopback interfaces on PEs.
# Configure PE1.
Issue 02 (2013-12-31)

947

Equipment
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0]
[PE1-ospf-1] quit
3 Reliability
network 1.1.1.1 0.0.0.0

network 100.1.1.0 0.0.0.3
network 100.2.1.0 0.0.0.3
quit
# Configure PE2.
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1] quit
network 2.2.2.2 0.0.0.0

network 100.1.1.0 0.0.0.3
network 100.3.1.0 0.0.0.3
quit
# Configure PE3.
[PE3] ospf 1
[PE3-ospf-1] area 0
[PE3-ospf-1] quit
network 3.3.3.3 0.0.0.0

network 100.2.1.0 0.0.0.3
network 100.3.1.0 0.0.0.3
quit
After the preceding configuration, PE1 and PE2, PE1 and PE3 can learn IP addresses of
loopback1 interfaces from each other through OSPF.
Take the display on PE1 as an example.
[PE1] display ip routing-table
Destinations : 12
Routes : 13
Destination/Mask
Proto Pre Cost
Flags NextHop
Interface
1.1.1.1/32 Direct 0
0
D 127.0.0.1
InLoopBack0
2.2.2.2/32 OSPF
10
2
D 100.1.1.2
3.3.3.3/32 OSPF
10
2
D 100.2.1.2
100.1.1.0/30 Direct 0
0
D 100.1.1.1
100.1.1.1/32 Direct 0
0
D 127.0.0.1
Gigabitethernet2/0/0
100.1.1.2/32 Direct 0
0
D 100.1.1.2
100.3.1.0/30 OSPF
10
2
D 100.1.1.2
OSPF
10
2
D 100.2.1.2
100.2.1.0/30 Direct 0
0
D 100.2.1.1
100.2.1.1/32 Direct 0
0
D 127.0.0.1
Gigabitethernet3/0/0
100.2.1.2/32 Direct 0
0
D 100.2.1.2
127.0.0.0/8
Direct 0
0
D 127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
0
D 127.0.0.1
InLoopBack0
Step 3 Enable basic MPLS functions and LDP on the MPLS backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-GigabitEthernet2/0/0] mpls
[PE1-GigabitEthernet2/0/0] mpls ldp
Issue 02 (2013-12-31)

948

Equipment
3 Reliability
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface gigabitethernet2/0/0
[PE2] interface gigabitethernet3/0/0
# Configure PE3.
[PE3] mpls
[PE3-mpls] quit
[PE3] mpls ldp
[PE3-mpls-ldp] quit
[PE3] interface gigabitethernet
[PE3] interface gigabitethernet
2/0/0
ldp
3/0/0
ldp
After the preceding configuration, LDP sessions are set up between PEs. Run the display mpls
ldp session command. You can view that the Status field displays Operational.
[PE1] display mpls ldp session
LDP Session(s) in Public Network
-----------------------------------------------------------------------------Peer-ID
Status
LAM SsnRole SsnAge
KA-Sent/Rcv
-----------------------------------------------------------------------------2.2.2.2:0
Operational DU
Passive 000:00:02
10/10
3.3.3.3:0
Operational DU
Passive 000:00:02
9/9
-----------------------------------------------------------------------------TOTAL: 2 session(s) Found.
LAM : Label Advertisement Mode
SsnAge Unit : DDD:HH:MM
NOTE
If PEs are indirectly connected, you need to run the mpls ldp remote-peer command and the remote-ip
command to create remote LDP sessions between PEs.
Step 4 Enable MPLS L2VPN on PEs.

# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
Issue 02 (2013-12-31)

949

Equipment
3 Reliability
# Configure PE3.
[PE3] mpls l2vpn
[PE3-l2vpn] quit
Step 5 Create VSIs and specify LDP as the signaling protocol of VSIs.
# Configure PE1.
[PE1] vsi ldp1 static
[PE1-vsi-ldp1] pwsignal ldp
[PE1-vsi-ldp1-ldp] vsi-id 2
[PE1-vsi-ldp1-ldp] peer 2.2.2.2
# Configure PE2.
# Configure PE3.
Step 6 Bind VSIs to AC interfaces and connect CEs to PEs.

# Configure PE1.
[PE1] interface gigabitethernet 1/0/0.1
[PE1-GigabitEthernet1/0/0.1] vlan-type dot1q 10
[PE1-GigabitEthernet1/0/0.1] l2 binding vsi ldp1
[PE1-GigabitEthernet1/0/0.1] undo shutdown
[PE1-GigabitEthernet1/0/0.1] quit
# Configure PE2.
# Configure PE3.
# Configure CE1.
[HUAWEI] sysname CE1
[CE1] interface gigabitethernet 0/2/0.1
[CE1-GigabitEthernet0/2/0.1] vlan-type dot1q 10
[CE1-GigabitEthernet0/2/0.1] ip address 10.1.1.1 24
[CE1-GigabitEthernet0/2/0.1] undo shutdown
[CE1-GigabitEthernet0/2/0.1] quit
# Configure CE2.
Issue 02 (2013-12-31)

950

Equipment
3 Reliability
# Configure CE3.
After the preceding configuration, run the display vsi name ldp1 verbose command on PE1.
You can view that PWs are set up between PE1 and PE2, PE1 and PE3 by the VSI named ldp1.
The VSI is in the Up state.
[PE1] display vsi name bgp1 verbose
***VSI Name
: ldp1
VSI Index
: 0
PW Signaling
: ldp
Member Discovery Style : static
PW MAC Learn Style
: unqualify
Encapsulation Type
: vlan
MTU
: 1500
VSI State
: up
Resource Status
: Valid
VSI ID
: 2
*Peer ATN ID
: 3.3.3.3
VC Label
: 23552
Peer Type
: dynamic
Session
: up
Tunnel ID
: 0x6002003,
*Peer ATN ID
: 2.2.2.2
VC Label
: 23553
Peer Type
: dynamic
Session
: up
Tunnel ID
: 0x6002000,
Interface Name
: GigabitEthernet1/0/0.1
State
: up
**PW Information:
*Peer Ip Address
: 2.2.2.2
PW State
: up
Local VC Label
: 23553
Remote VC Label
: 23552
PW Type
: label
Tunnel ID
: 0x6002000,
*Peer Ip Address
: 3.3.3.3
PW State
: up
Local VC Label
: 23552
Remote VC Label
: 23552
PW Type
: label
Tunnel ID
: 0x6002003,
Hosts attached to CE1, CE2, and CE3 can ping through each other.
Take CE1 as an example.
[CE1] ping 10.1.1.2
PING 10.1.1.2: 56
Issue 02 (2013-12-31)
data bytes, press CTRL_C to break

951

Equipment
3 Reliability
Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=50 ms

0.00% packet loss
[CE1] ping 10.1.1.3
0.00% packet loss
Step 7 Configure Ethernet CFM on PEs.

# Configure PE1.
[PE1] cfm enable
[PE1] cfm md md1
[PE1-md-md1] ma ma1
[PE1-md-md1-ma-ma1]
[PE1-md-md1-ma-ma1]
[PE1-md-md1-ma-ma1]
[PE1-md-md1-ma-ma1]
[PE1-md-md1-ma-ma1]
[PE1-md-md1-ma-ma1]
[PE1-md-md1-ma-ma1]
[PE1-md-md1-ma-ma1]
ccm-interval 100
map vsi ldp1
remote-mep mep-id 2
remote-mep mep-id 3
mep ccm-send enable
quit
# Configure PE2.
[PE2] cfm enable
[PE2] cfm md md1
[PE2-md-md1] ma ma1
[PE2-md-md1-ma-ma1]
[PE2-md-md1-ma-ma1]
[PE2-md-md1-ma-ma1]
[PE2-md-md1-ma-ma1]
[PE2-md-md1-ma-ma1]
[PE2-md-md1-ma-ma1]
[PE2-md-md1-ma-ma1]
[PE2-md-md1-ma-ma1]
ccm-interval 100
map vsi ldp1
remote-mep mep-id 1
remote-mep mep-id 3
mep ccm-send enable
quit
# Configure PE3.
[PE3] cfm enable
[PE3] cfm md md1
[PE3-md-md1] ma ma1
[PE3-md-md1-ma-ma1]
[PE3-md-md1-ma-ma1]
[PE3-md-md1-ma-ma1]
[PE3-md-md1-ma-ma1]
[PE3-md-md1-ma-ma1]
[PE3-md-md1-ma-ma1]
[PE3-md-md1-ma-ma1]
[PE3-md-md1-ma-ma1]
Issue 02 (2013-12-31)
ccm-interval 100
map vsi ldp1
remote-mep mep-id 1
remote-mep mep-id 2
mep ccm-send enable
quit

952

Equipment
3 Reliability

After the preceding configuration, run the display cfm mep command and the display cfm
remote-mep command on PE1, PE2, and PE3. You can view that the configuration of Ethernet
CFM succeeds. Ethernet CFM can fast detect faults between PEs of VSIs and notify the NMS.
Take PE1 as an example.
[PE1] display cfm mep md md1
The total number of MEPs is 2
MD Name
: md1
MD Name Format
: string
Level
: 0
MA Name
: ma1
MA Name Format
: string
MEP ID
: 2
VLAN ID
: -VSI Name
: -Interface Name
CCM Send
: enabled
Direction
: inward
MD Name
: md1
MD Name Format
: string
Level
: 0
MA Name
: ma1
MA Name Format
: string
MEP ID
: 3
VLAN ID
: -VSI Name
: -Interface Name
CCM Send
: enabled
Direction
: inward
[PE1] display cfm remote-mep md md1
-------------------------------------------------MD Name
: md1
Level
: 0
MA Name
: ma1
RMEP ID
: 2
VLAN ID
: -VSI Name
: -L2VC ID
: -MAC
: -CCM Receive
: enabled
Trigger-If-Down
: disabled
CFM Status
: up
Alarm Status
: None
MD Name
: md1
Level
: 0
MA Name
: ma1
RMEP ID
: 3
VLAN ID
: -VSI Name
: -L2VC ID
: -MAC
: -CCM Receive
: enabled
Trigger-If-Down
: disabled
CFM Status
: up
Alarm Status
: None
----End
Issue 02 (2013-12-31)

953

Equipment
3 Reliability
Configuration Files
l

#
sysname PE1
#
cfm enable
#
mpls lsr-id 1.1.1.1
mpls
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 2
peer 2.2.2.2
peer 3.3.3.3
#
mpls ldp
#
undo shutdown
#
undo shutdown
vlan-type dot1q 10
l2 binding vsi ldp1
#
undo shutdown
ip address 100.1.1.1 255.255.255.252
mpls
mpls ldp
#
undo shutdown
ip address 100.2.1.1 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
cfm md md1
ma ma1
ccm-interval 100
map vsi ldp1
remote-mep mep-id 2
remote-mep mep-id 3
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 100.1.1.0 0.0.0.3
network 100.2.1.0 0.0.0.3
#
return

#
sysname PE2
#
cfm enable
Issue 02 (2013-12-31)

954

Equipment
3 Reliability
#
mpls lsr-id 2.2.2.2
mpls
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 2
peer 1.1.1.1
peer 3.3.3.3
#
mpls ldp
#
undo shutdown
#
undo shutdown
vlan-type dot1q 10
l2 binding vsi ldp1
#
undo shutdown
ip address 100.1.1.2 255.255.255.252
mpls
mpls ldp
#
undo shutdown
ip address 100.3.1.1 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
cfm md md1
ma ma1
ccm-interval 100
map vsi ldp1
remote-mep mep-id 1
remote-mep mep-id 3
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 100.1.1.0 0.0.0.3
network 100.3.1.0 0.0.0.3
#
return

#
sysname PE3
#
cfm enable
#
mpls lsr-id 3.3.3.3
mpls
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
Issue 02 (2013-12-31)

955

Equipment
3 Reliability
vsi-id 2
peer 1.1.1.1
peer 2.2.2.2
#
mpls ldp
#
undo shutdown
#
undo shutdown
vlan-type dot1q 10
l2 binding vsi ldp1
#
undo shutdown
ip address 100.2.1.2 255.255.255.252
mpls
mpls ldp
#
undo shutdown
ip address 100.3.1.2 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
cfm md md1
ma ma1
ccm-interval 100
map vsi ldp1
remote-mep mep-id 1
remote-mep mep-id 2
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 100.2.1.0 0.0.0.3
network 100.3.1.0 0.0.0.3
#
return

#
sysname CE1
#
undo shutdown
#
undo shutdown
vlan-type dot1q 10
ip address 10.1.1.1 255.255.255.0
#
return

#
sysname CE2
#
Issue 02 (2013-12-31)

956

Equipment
3 Reliability
undo shutdown
#
undo shutdown
vlan-type dot1q 10
ip address 10.1.1.2 255.255.255.0
#
return

#
sysname CE3
#
undo shutdown
#
undo shutdown
vlan-type dot1q 10
ip address 10.1.1.3 255.255.255.0
#
return
Example for Configuring Association Between Ethernet CFM and an Interface

(Triggering the Physical Status of the Interface Associated with Ethernet CFM to
Become Down)
After the association between Ethernet CFM and an interface is configured in the OAM
management view, the local Ethernet CFM notifies the OAM management module of a fault
detected by Ethernet CFM. This triggers the physical status of the interface associated with
Ethernet CFM to become Down. In addition, when the physical status of an interface becomes
Down, the OAM management module notifies Ethernet CFM of the fault. Ethernet CFM can
then send fault information to the remote device.
As shown in Figure 3-46, Ethernet CFM is enabled on PE2 and PE3 and is associated with GE
1/0/1 of PE2. When GE 1/0/1 of PE2 goes Down, Ethernet CFM messages carrying fault
information are sent to PE3 through OAM management modules.
When detecting a fault on the link between PE2 and PE3, Ethernet CFM notifies the OAM
management module of the fault. This triggers the physical status of GE 1/0/1 on PE2 to become
Down. PE1 can then detect the fault and switch traffic to a backup path, which ensures reliable
service transmission.
Figure 3-46 Networking diagram of the association between Ethernet CFM and an interface
PE1
PE2
PE3
GE0/2/2
GE0/2/1
GE1/0/1
GE1/0/2
CFM
Interface associated with CFM
Issue 02 (2013-12-31)

957

Equipment
3 Reliability
1.
Enable Ethernet CFM on PE2 and PE3.
2.
Associate Ethernet CFM with GE 1/0/1 on PE2.
Data Preparation
l
Type and number of each interface enabled with Ethernet CFM
Type and number of each interface associated with Ethernet CFM
Procedure
Step 1 Enable Ethernet CFM on PE2 and PE3.
# Configure PE2.
[PE2] cfm enable
[PE2] cfm md md1
[PE2-md-md1] ma ma1
[PE2-md-md1-ma-ma1] mep mep-id 1 interface gigabitethernet 1/0/2 outward
[PE2-md-md1-ma-ma1] mep ccm-send enable
[PE2-md-md1-ma-ma1] remote-mep ccm-receive enable
[PE2-md-md1] quit
# Configure PE3.
[PE3] cfm enable
[PE3] cfm md md1
[PE3-md-md1] ma ma1
[PE3-md-md1-ma-ma1] mep mep-id 2 interface gigabitethernet 0/2/2 outward
[PE3-md-md1] quit
NOTE
The MEP must be configured on a Layer 2 interface, and one interface can be configured with only one
MEP.
Run the display cfm remote-mep command on PE2. You can view that the Ethernet CFM status
is Up.
[PE2] display cfm remote-mep
The status of RMEPs : 1 up, 0 down, 0 disable
-------------------------------------------------MD Name
: md1
Level
: 0
MA Name
: ma1
RMEP ID
: 2
VLAN ID
: --
Issue 02 (2013-12-31)

958

Equipment
VSI Name
L2VC ID
MAC
CCM Receive
Trigger-If-Down
CFM Status
Alarm Status
:
:
:
:
:
:
:
3 Reliability
---enabled
disabled
up
None
Step 2 Associate Ethernet CFM with an interface.

# Bidirectionally associate GE 1/0/1 with Ethernet CFM on PE2.
[PE2] oam-mgr
[PE2-oam-mgr] oam-bind cfm md 1 ma 1 efm interface gigabitethernet 1/0/1

Run the shutdown command on GE 1/0/1 of PE2 to simulate a link fault. Ethernet CFM
messages carrying fault information can then be sent to PE3 through OAM management
modules.
----End
Configuration Files
l

#
sysname PE2
#
cfm enable
#
undo shutdown
portswitch
#
cfm md md1
ma ma1
remote-mep mep-id 2
#
oam-mgr
oam-bind ingress interface GigabitEthernet1/0/1 egress cfm md md1 ma ma1 efm
oam-bind ingress cfm md 1 ma 1 efm interface gigabitethernet 1/0/1
#
return

#
sysname PE2
#
cfm enable
#
undo shutdown
portswitch
#
cfm md md1
ma ma1
remote-mep mep-id 1
#
Issue 02 (2013-12-31)

959

Equipment
3 Reliability
oam-mgr
#
return
3.7 EFM Configuration

Ethernet in the First Mile (EFM) can be enabled on the devices at both ends of a point-to-point
link to monitor the connectivity and quality of the link.
3.7.1 EFM Overview

EFM is a feature for detecting network faults in the first-mile direct Ethernet link.
Introduction
EFM effectively improves Ethernet management and maintenance capabilities and ensures the
stable operation of networks.
High-bandwidth Ethernet technology is inexpensive and easy to use. It is widely used on
enterprise networks, MANs, and WANs. Traditional Ethernet networks, however, have
relatively weak operating capabilities and are difficult to maintain. As the use of Ethernet
technology has grown, Ethernet OAM has become increasingly important.
Hierarchical Ethernet OAM needs to be provided based on the network architecture, as shown
in Figure 3-47.
Figure 3-47 Networking diagram for Ethernet OAM
Services
Access
CE
PE1
Metro
P
PE2
PE3
Core
Access
Link OAM
EFM
EFM
Connectivity
Layer OAM
CFM/Y.1731
Service
Layer OAM
CFM/Y.1731
Issue 02 (2013-12-31)
802.3ah, also known as Ethernet in the First Mile (EFM), is used to monitor the first-mile
link connectivity. It is a type of link-level OAM technology. EFM provides link
connectivity detection, link fault monitoring, remote fault notification, and remote
loopback for two directly connected devices.
960

Equipment
3 Reliability
802.1ag, also known as Connectivity Fault Management (CFM), defines OAM functions,
such as continuity check (CC), link trace (LT) and loopback (LB), for Ethernet networks.
CFM is network-level OAM and applies to large-scale networks.
Y.1731 is an OAM protocol defined by the ITU-T. It covers the contents defined by IEEE
802.1ag and other OAM functions, including the Alarm Indication Signal (AIS), Remote
Defect Indication (RDI), Locked Signal (LCK), test signal, Automatic Protection Switching
(APS), Maintenance Communication Channel (MCC), Experimental OAM (EXP), and
Vendor Specific OAM (VSP) for fault management and frame loss measurement (LM) and
delay measurement (DM) for performance monitoring.
EFM OAMPDU
EFM works on the data link layer. EFM uses EFM OAM Protocol Data Units (OAMPDUs) to
report link status so that administrators can effectively manage Ethernet networks. Table 3-18
lists OAMPDU types and functions.
Table 3-18 EFM OAMPDU types and functions
OAMPDU Type
Function
Information OAMPDU
Used to detect link connectivity. EFM entities in the

handshake stage send information OAMPDUs at a
specific interval to detect link connectivity.
Event notification OAMPDU
Used to monitor links. When detecting an errored

symbol event, errored frame event, or errored frame
second event, an interface sends an event notification
OAMPDU to notify the remote device of the event.
Loopback control OAMPDU
Used to control the remote device's OAM remote

loopback state. The OAM remote loopback command
value contained in the Loopback Control OAMPDU
Data field of a loopback control OAMPUD determines
whether to enable or disable remote loopback.
EFM Functions
Basic EFM functions are described as follows:
l
Remote device discovery

The remote device discovery process is used to establish and maintain EFM connections.
During the remote device discovery process, an EFM entity discovers remote EFM
entities and establishes sessions with them. Interconnected EFM entities determine
whether to set up EFM connections by exchanging information OAMPDUs that carry
EFM configuration information and supported EFM capabilities.
After an EFM connection is established, the EFM entities at both sides exchange
information OAMPDUs at a specified interval (called a handshake message
transmission interval) to check whether the EFM connection is working properly. If an
Issue 02 (2013-12-31)

961

Equipment
3 Reliability
EFM entity receives no information OAMPDU within the EFM connection timeout
period, the EFM entity considers that the EFM connection is closed.
l
Link monitoring
When the physical connection in the network is not closed but network performance is
deteriorating gradually, fault detection on an Ethernet link is difficult. Link monitoring is
used to detect link layer faults in various environments. EFM entities exchange event
notification OAMPDUs to monitor links.
When detecting one of the link events listed in Table 3-19, the local EFM entity sends an
event notification OAMPDU to notify the remote EFM entity. This mechanism helps
network administrators to keep track of network status.
Table 3-19 Minor link events
Minor Link Event
Description
Errored symbol event
An errored symbol event occurs when the number of

symbol errors detected during a specified interval
exceeds a predefined threshold.
Errored frame event
An errored frame event occurs when the number of

errored frames detected during a specified interval
exceeds a predefined threshold.
Errored frame second event
An errored frame second event occurs when the

number of errored frame seconds detected during a
specified interval exceeds a predefined threshold.
Remote loopback
When an interface sends non-EFM PDUs to the peer, the peer loops back the PDUs to the
transmitting interface, instead of forwarding the PDUs to their destination addresses. This
function is called remote loopback.
Remote loopback can be used for fault location and link performance testing. Performing
remote loopback periodically provides a way to detect network faults rapidly. Furthermore,
performing remote loopback by network segment helps engineers locate the network
segment where faults occur.
Remote fault indication

When traffic is interrupted because a remote EFM entity fails or becomes unavailable, the
remote EFM entity will send an OAMPDU carrying one of the critical link events listed in
Table 3-20 to the local EFM entity. This helps administrators to understand link status in
real time and troubleshoot link faults promptly.
Table 3-20 Critical link events
Issue 02 (2013-12-31)
Critical Link Event
Description
Link Fault
A loss of signal (LoS) error occurs because a physical link

fails.

962

Equipment
3 Reliability
Critical Link Event
Description
Dying Gasp
An unexpected status change or event occurs because a

remote device or board is reset.
Critical Event
An unidentified critical event occurs because a fault is

detected using association between the remote EFM entity
and a specific feature.
EFM Features Supported by the ATN

This section describes EFM features supported by the ATN. Familiarizing yourself with these
features helps you complete the configuration tasks quickly and efficiently.
EFM is link-level OAM, and provides the following functions:
l
Link connectivity detection: detects link connectivity.
Minor link event detection: monitors links.
Remote loopback: tests link performance.
Remote fault indication: monitors remote devices and links.
EFM Association
As networks develop quickly, more and more IP networks are used to bear multiple services
such as voice and video services. These services pose high requirements on network reliability
and rapid fault detection.
Link detection protocols are usually deployed on a network to detect link connectivity and faults.
As network environments become increasingly complex, it is impossible to detect all link faults
using a single detection technique. Network environments and user requirements, therefore, need
to be properly analyzed, and various detection techniques are required to implement rapid link
fault detection. EFM can be associated with interfaces and detection protocols to implement
rapid fault detection.
EFM monitors link status and network performance, and sends monitoring results to an
associated interface or detection protocol. When the associated interface or detection protocol
senses a network status change, it makes a rapid response to prevent communication interruption
or service quality deterioration. This improves network reliability.
Association between EFM and interfaces
On the network shown in Figure 3-48, when EFM detects that a fault occurs in the link between
CE1 and CE4 or the quality of the link deteriorates, traffic can be switched to the backup link
between CE1 and CE2 based on association between EFM and Port1 or Port2.
Issue 02 (2013-12-31)

963

Equipment
3 Reliability
Figure 3-48 Association between EFM and interfaces
CE2
CE1
CE3
Port1
EFM
Port2
CE4
Association between EFM and detection protocols

Figure 3-49 Association between EFM and detection protocols
VRRP
CE3
CE5
PE3
PE1
CE1
IP/MPLS
CE4
User
Network
EFM
PE2
EFM
EFM
PE4
CFM
MPLS OAM
BFD
On the network shown in Figure 3-49, multiple detection protocols such as EFM, BFD, CFM,
and MPLS OAM are deployed to detect link connectivity. The link CE5-CE4-CE1-PE2-PE4 is
used as an example. Before association between EFM and detection protocols is configured, the
following situations occur:
Issue 02 (2013-12-31)

964

Equipment
3 Reliability
If the link between CE5 and CE4 goes faulty, CE1 cannot detect the fault. As a result, return
traffic continues to be forwarded to CE4.
If the link between PE2 and PE4 goes faulty, CE1 cannot detect the fault. As a result,
services are interrupted.
If the link between CE1 and PE2 goes faulty, PE4 cannot detect the fault. As a result, a
large volume of unnecessary traffic continues to be forwarded to PE4.
To address the preceding problems, association between EFM and detection protocols can be
configured so that faults can be reported to remote devices. This association enables network
administrators to dynamically understand link status based on alarm information and rectify
faults in time.
Table 3-21 lists associations between EFM and protocols and their usage scenarios.
Table 3-21 Association between EFM and detection protocols
Issue 02 (2013-12-31)
Asso
ciatio
n
Type
Usage Scenario
Assoc
iation
betwe
en
EFM
and
EFM
On the network shown in Figure 3-49, after EFM is deployed for the links between
CE5 and CE4 and between CE4 and CE1, association between EFM and EFM can
be deployed on CE4 so that a fault in the link between CE5 and CE4 can be sent to
CE1 and a fault in the link between CE4 and CE1 can be sent to CE5.
Assoc
iation
betwe
en
EFM
and
CFM
On the network shown in Figure 3-49, when EFM is deployed for the link between
CE1 and PE2 and CFM is deployed for the link between PE2 and PE4, association
between EFM and CFM can be deployed on PE2. The following results will be
achieved:
Assoc
iation
betwe
en
EFM
and
BFD
CE1 and PE2 and BFD is deployed for the link between PE2 and PE4, association
between EFM and BFD can be deployed on PE2. The following results will be
achieved:
l After detecting a link fault, EFM will notify CFM of the fault.
l After detecting a link fault, CFM will notify EFM of the fault.
l After detecting a link fault, EFM will notify BFD of the fault.
l After detecting a link fault, BFD will notify EFM of the fault.

965

Equipment
3 Reliability
Asso
ciatio
n
Type
Usage Scenario
Assoc
iation
betwe
en
EFM
and
MPLS
OAM
CE1 and PE2 and MPLS OAM is deployed for the link between PE2 and PE4,
association between EFM and MPLS OAM can be deployed on PE2. The following
results will be achieved:
Assoc
iation
betwe
en
EFM
and
VRRP
On the network shown in Figure 3-49, EFM is deployed for the links between CE1
and PE1 and between CE1 and PE2, and VRRP is configured on PE1 and PE2. After
association between EFM and VRRP is configured, EFM will notify VRRP of
detected faults, triggering a master/backup VRRP switchover.
l After detecting a link fault, EFM will notify MPLS OAM of the fault.
l After detecting a link fault, MPLS OAM will notify EFM of the fault.
3.7.2 Configuring Basic EFM Functions

After basic EFM functions are configured, the connectivity of physical links can be monitored.

Before configuring basic EFM functions, familiarize yourself with the usage scenario, complete
Ethernet was originally used in LANs that have low reliability and stability requirements. There
is no effective management and maintenance mechanisms for Ethernet, hindering the usage of
Ethernet in MANs and WANs. To solve this problem, Ethernet OAM is introduced.
Hierarchical Ethernet OAM is provided based on the network architecture. EFM is link-level
OAM and addresses common first-mile link issues. On the network shown in Figure 3-50, EFM
is enabled on the devices at both ends of a point-to-point link to monitor link connectivity,
ensuring reliability and stability of network connections.
Figure 3-50 Networking diagram for configuring basic EFM functions
CE
Issue 02 (2013-12-31)
EFM OAM

PE
966

Equipment
3 Reliability
Before configuring basic EFM functions, complete the following task:
l
Connecting interfaces and setting their physical parameters to ensure that the interfaces are
physically Up
Data Preparation
To configure basic EFM functions, you need the following data.
No.
Data
EFM modes of interfaces
(Optional) EFM packet parameters such as the maximum OAMPDU size and
interval at which OAMPDUs are received
Enabling EFM Globally

Enabling EFM globally is the prerequisite for configuring basic EFM functions.
Procedure
Step 1 Run:
system-view

Step 2 Run:
efm enable
EFM is enabled globally.

By default, EFM is disabled globally.
----End
(Optional)Configuring EFM Modes for Interfaces

Configuring EFM modes for interfaces enables administrators to control devices' behaviors.
Context
There are two EFM modes: active mode and passive mode. Table 3-22 lists behaviors of devices
in different EFM modes.
Table 3-22 Behaviors of devices in active/passive mode
Issue 02 (2013-12-31)
Behavior
Active Mode
Passive Mode
Initiates the discovery process.
Yes
No

967

Equipment
3 Reliability
Behavior
Active Mode
Passive Mode
Responds to OAM discovery process

initiation.
Yes
Yes
Sends information OAMPDUs.
Yes
Yes
Sends event notification OAMPDUs.
Yes
Yes
Sends loopback control OAMPDUs.
Yes
No
Reacts to loopback control

OAMPDUs.
Yes (if both sides operate

in active EFM mode)
Yes
Procedure
Step 1 Run:
system-view

Step 2 Run:
The view of an interface at one end of a link is displayed.

Step 3 Run:
efm mode { active | passive }
An EFM mode is configured for the interface.

By default, an interface works in active EFM mode.
NOTE
An EFM mode can be configured for an interface after EFM is enabled globally and before EFM is enabled
on the interface. After EFM is enabled on an interface, the EFM mode of the interface cannot be changed.
When using EFM to monitor a link, ensure that either of the interfaces at both ends of the link operates in
active mode.
l An EFM connection can be initiated only by an active EFM entity, and a passive EFM entity waits for
a connection request from its remote EFM entity.
l If two ends of a link are configured to work in active EFM mode, link detection can be implemented.
l If two ends of a link are configured to work in passive EFM mode, link detection cannot be
implemented.
----End
(Optional) Configuring EFM OAMPDU Parameters

Configuring the maximum OAMPDU size, and interval at which OAMPDUs are received of
EFM OAMPDU enables network administrators to effectively control OAMPDU transmission.
Issue 02 (2013-12-31)

968

Equipment
3 Reliability
Context
EFM devices exchange OAMPDUs periodically to report the link status. Administrators can set
EFM OAMPDU parameters to effectively manage networks.
EFM OAMPDU parameters include the maximum OAMPDU size, interval at which OAMPDUs
are sent, and interval at which OAMPDUs are received.
l
After setting up an EFM connection, two EFM entities exchange OAMPDUs at a specific
interval to check whether the connection is working properly. If an EFM entity does not
receive any OAMPDU from its remote EFM entity within the interval at which OAMPDUs
are received, it considers that the link is not working properly. Network administrators can
configure different intervals at which OAMPDUs are received based on user requirements.
A short interval can be set for high-priority users or services sensitive to link quality. A
long interval can be set for low-priority users or services insensitive to link quality.
After the maximum OAMPDU size is set on an interface, the interface will discard packets
of which the size is greater than the maximum OAMPDU size. By adjusting the maximum
OAMPDU size, you can enable Huawei devices to communicate with non-Huawei devices.
Perform the following steps on the interfaces at both ends of a link:
Procedure
l
Set the maximum EFM OAMPDU size.

1.
Run:
system-view

2.
Run:

3.
Run:
efm packet max-size size
The maximum EFM OAMPDU size is set.

By default, the maximum EFM OAMPDU size is 128 bytes on the interface.
If the maximum EFM OAMPDU sizes configured on the interfaces at both ends of a link
are different, the interfaces negotiate the maximum EFM OAMPDU size at the discovery
stage. The smaller one between the maximum EFM OAMPDU sizes on the two ends is
used.
l
Set the interval at which EFM OAMPDUs are received.

1.
Run:
system-view

2.
Run:

3.
Run:
efm timeout period-value
Issue 02 (2013-12-31)

969

Equipment
3 Reliability
The interval at which EFM OAMPDUs are received is set.

By default, the interval at which EFM OAMPDUs are received is 5000 ms on the
interface.
The same interval at which EFM OAMPDUs are received must be configured for the
interfaces at both ends of a link. Otherwise, the session negotiation between the two
interfaces fails or the session flaps.
NOTE
The interval at which EFM OAMPDUs are received is configured on an interface after EFM
is enabled globally but before EFM is enabled on the interface.
----End
Enabling EFM on Interfaces

After EFM is enabled on interfaces connecting the local and remote EFM entities, the two entities
start to set up an EFM connection to monitor the connectivity of the link between them.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
efm enable
EFM is enabled on the interface.

By default, EFM is disabled on the interface.
NOTE
Before enabling EFM on an interface, run the efm enable command to enable EFM globally.
----End

After configuring EFM, you can check whether the EFM configuration succeeds.
Prerequisites
All basic EFM function configurations are complete.
Procedure
l
Issue 02 (2013-12-31)
Run the display efm { all | interface interface-type interface-number } command to check
the EFM configuration on interfaces.
970

Equipment
3 Reliability
to check the EFM status on interfaces.
----End
3.7.3 Configuring Link Monitoring

After link monitoring is configured, network administrators can detect link-layer faults in various
environments and dynamically monitor link quality.
Before You Start

Before configuring link monitoring, familiarize yourself with the usage scenario, complete the
pre-configuration tasks, and obtain the required data.
Fault detection on an Ethernet network is difficult, especially when the physical connection on
the network is not closed but network performance is degrading gradually. Link monitoring is
used to detect link layer faults in various environments. EFM entities exchange event notification
OAMPDUs to monitor links. When detecting a minor link event (such as an errored symbol
event, errored frame event, or errored frame second event), an EFM entity sends an event
notification OAMPDU to notify its remote entity of the event.
Before configuring link monitoring, complete the following task:
Configuring Basic EFM Functions
Data Preparation
To configure link monitoring, you need the following data.
No.
Data
Period of detecting symbol errors and threshold for the number of symbol errors
detected in the period, period of detecting errored frames and threshold for the
number of errored frames detected in the period and period of detecting errored
frame seconds and threshold for the number of errored frame seconds detected in
the period.
The interface name that associated with EFM.
Detecting Minor Link Events

Minor link events include errored symbol events, errored frame events, and errored frame second
events. Configuring minor link events enables network administrators to dynamically monitor
quality and performance of links.
Issue 02 (2013-12-31)

971

Equipment
3 Reliability
Context
Table 3-23 lists information about minor link event detection.
Table 3-23 Minor link event detection
Minor
Link
Event
Detection Method
Usage Scenario
Errored
symbol
event
An errored symbol event occurs if the

number of symbol errors detected by
a device during a specified period is
greater than or equal to a configured
threshold. The device then notifies its
remote device of the event.
This method is used to detect error

symbols during data transmission at
the physical layer.
Errored
frame event
An errored frame event occurs if the

number of errored frames detected by
a device during a specified period is
greater than or equal to a configured
This method is used to detect errored

frames during data transmission at the
media access control sublayer.
Errored
frame
second
event
If errored frames occur in a second,

the second is called an errored frame
second. An errored frame second
event occurs if the number of errored
frame seconds detected by a device
during a specified period is greater
than or equal to a configured
This method is used to detect errored

frame seconds during data
transmission at the media access
control sublayer.
Select one or more detection methods to monitor links based on actual scenarios.
Procedure
l
Detect errored frame events.

1.
Run:
system-view

2.
Run:

3.
Run:
efm error-frame period period
The period of detecting errored frame is set on the interface.

Issue 02 (2013-12-31)

972

Equipment
3 Reliability
By default, the period of detecting errored frames is 1 second on the interface.

4.
Run:
efm error-frame threshold threshold
The threshold for the number of errored frames that are detected in the specified period
is set on the interface.
By default, the threshold for the number of errored frames that are detected in the
specified period is 1 on the interface.
5.
Run:
efm error-frame notification enable
The interface is enabled to report errored frames.

By default, an interface is disabled from reporting errored frames.
----End

After configuring link monitoring, you can check whether the link monitoring configuration
succeeds.
Prerequisites
The link monitoring configurations are complete.
Procedure
l
Run the display efm { all | interface interface-type interface-number } command to check
link monitoring configurations on interfaces.
----End
3.7.4 Configuring Remote Loopback

Remote loopback is used to test link connectivity and performance.
Context
On the network shown in Figure 3-51, remote loopback is configured on the interface connecting
the CE to the PE. The interface sends test packets to its remote interface. The packet loss ratio
and delay can be calculated based on returned test packets to evaluate link connectivity and
performance.
Figure 3-51 Remote loopback
Test packets
CE
GE0/2/0
(Active)
EFM OAM
PE
GE2/0/1
Test packets data flow
Issue 02 (2013-12-31)

973

Equipment
3 Reliability
NOTICE
Remote loopback is initiated by an interface in active EFM mode.
Remote loopback can be configured only on interfaces that do not need to forward service data.
Before configuring remote loopback, complete the following tasks:
l
Configure basic EFM functions.
Set the interface EFM mode to active for the interface that needs to be configured with
remote loopback.
Procedure
Step 1 Enable a device that initiates a request with the remote loopback function.
1.
Run:
system-view

2.
Run:
The view of an interface in active EFM mode is displayed.

3.
Run:
efm loopback start [ timeout timeout ]
The interface is configured to initiate remote loopback.

The default timeout period of remote loopback is 20 minutes. After the timeout period expires,
remote loopback is disabled automatically. To keep a link in the remote loopback state, set the
timeout period to 0.
Remote loopback can be performed successfully over a link only when EFM is in the detect
state and the local end works in active EFM mode. The display efm session { all | interface
interface-type interface-number } command can be used to display the EFM status on the devices
at both ends of an EFM session. The display efm { all | interface interface-type interfacenumber } command can be used to display the EFM modes of the interfaces at both ends of a
link.
Step 2 (Optional) Configure a receiving device to ignore the remote loopback request.
1.
Run:
system-view

2.
Run:

Issue 02 (2013-12-31)

974

Equipment
3.
3 Reliability
Run:
efm loopback ignore-request
The interface is configured to ignore the remote loopback request.

By default, the interface accepts and processes the remote loopback request.
Step 3 Disable remote loopback.
1.
Run:
system-view

2.
Run:

3.
Run:
efm loopback stop
Remote loopback is disabled on the interface.

If remote loopback for a link is not disabled for a long period of time, the link cannot forward
service data properly in this period. To avoid this problem, a timeout period can be set. After
the timeout period expires, remote loopback is automatically disabled. The default timeout
period of remote loopback is 20 minutes. After remote loopback expires, the local end
automatically sends a message to the remote end to disable remote loopback.
----End

After configuring remote loopback, check whether the configuration succeeds.
l
to check the EFM status on interfaces.
After remote loopback is configured, run the display efm session command on the device where
the remote loopback interface resides. The command output shows that the EFM status on the
interface is Loopback (control), indicating that the interface initiates the remote loopback
process.
<HUAWEI> display efm session interface gigabitethernet 1/0/1
Interface
EFM State
Loopback Timeout
---------------------------------------------------------------------GigabitEthernet1/0/1
Loopback(control)
20minute(s)
After remote loopback is configured, run the display efm session command on the device where
the interface in passive EFM mode resides. The command output shows that the EFM status on
the interface is Loopback (be controlled), indicating that the interface is the peer interface of
the remote loopback interface.
Interface
EFM State
Loopback Timeout
Loopback(be controlled)
--
After remote loopback is disabled, run the display efm session command on either of the devices
on the link. The command output shows that the EFM status on the interfaces connecting the
two devices is Detect or Discovery.
Issue 02 (2013-12-31)

975

Equipment
3 Reliability

Interface
EFM State
Loopback Timeout
Detect
--
3.7.5 Configuring Remote Fault Indication

Remote fault indication is used to detect remote device faults and monitor Ethernet link
performance.
Context
After setting up an EFM connection, two EFM entities exchange information OAMPDUs
periodically. When traffic is interrupted because an EFM entity fails or becomes unavailable,
the faulty EFM entity will send an information OAMPDU carrying a critical link event flag to
its remote EFM entity, record a log, and send an alarm. This mechanism helps administrators to
understand the link status in real time and troubleshoot link faults promptly.
On the network shown in Figure 3-52, if a fault occurs on PE2, PE2 sends an information
OAMPDU carrying a critical link event flag to the CE. Association between EFM and Port1 is
triggered and services are switched to the backup path. This association ensures reliable traffic
transmission.
Figure 3-52 Remote fault indication and association between EFM and an interface
PE1
DSLAM
CE
User
Network
IP/MPLS
Port1
EFM
PE2
Before configuring remote fault indication, complete the following task:
l
Procedure
Step 1 Run:
system-view

Step 2 Run:
Issue 02 (2013-12-31)

976

Equipment
3 Reliability

Step 3 Run:
efm trigger if-down
Association between EFM and the interface is configured. The association will be triggered if
a remote fault occurs.
----End

After configuring remote default indication, check whether the configuration succeeds.
l
Run the display interface interface-type interface-number command to check the physical
status of a specified interface.
After association between EFM and an interface is configured on a device and EFM detects a
link fault, run the display interface interface-type interface-number command on the device.
The command output shows that the physical status of the interface associated with EFM
becomes ETHOAM Down.
<HUAWEI> display interface gigabitethernet 0/2/0
current state : DOWN
Line protocol current state : DOWN(ETHOAM Down)
Description:HUAWEI, Quidway Series, GigabitEthernet0/2/0 Interface
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-3c23-8100
: 2011-04-21 12:08:46 UTC-08:00
Last physical down time : 2011-04-21 14:44:33 UTC-08:00
Current system time: 2011-04-21 14:44:45-08:00
Hardware address is 00e0-3c23-8100
Input:
Broadcast: 0 packets
Output:
3.7.6 Configuring EFM Association Functions

EFM can be associated with interfaces and detection protocols to quickly report link faults,
ensuring service reliability.
Before You Start

Before configuring EFM association functions, familiarize yourself with the usage scenario,
Issue 02 (2013-12-31)

977

Equipment
3 Reliability
fault detection. EFM can be associated with interfaces and detection protocols to implement
rapid fault detection.
EFM monitors link status and network performance, and sends monitoring results to an
associated interface or detection protocol. When the associated interface or detection protocol
senses a network status change, it makes a rapid response to prevent communication interruption
or service quality deterioration. This improves network reliability.
For details on association between EFM and interfaces and between EFM and detection
protocols, see EFM Association.
Before configuring EFM association functions, complete the following tasks:
l
Complete one of the following tasks based on detection protocols to be associated with
EFM:
Configure basic CFM functions If EFM is associated with CFM.
Configure basic BFD functions if EFM is associated with BFD.
Configure basic MPLS OAM functions if EFM is associated with MPLS OAM.
Data Preparation
To configure EFM association functions, you need the following data.
Issue 02 (2013-12-31)
No.
Data
Names of interfaces enabled with EFM and interfaces associated with EFM (used
for configuring basic EFM functions)
Names of interfaces enabled with EFM (used for configuring association

between EFM and EFM)
Names of interfaces enabled with EFM, MD names, MA names, and MEP IDs
(used for configuring association between EFM and CFM)
Names of interfaces enabled with EFM, and local and remote discriminators of
BFD sessions (used for configuring association between EFM and BFD)
Names of interfaces enabled with EFM and tunnel IDs (used for configuring
association between EFM and MPLS OAM)

978

Equipment
3 Reliability
Configuring Association Between EFM and Interfaces

Association between EFM and interfaces can be triggered by link faults, threshold crossing
events, or remote faults, ensuring reliable service transmission.
Context
A device carrying IP services is usually dual-homed to an IP network to improve network
robustness and service reliability. On the network shown in Figure 3-53, CE1 is dual-homed to
CE2 and CE4. EFM is deployed for the link between CE1 and CE4. When EFM detects that link
quality deteriorates or a link fails, association between EFM and interfaces is triggered and
services are rapidly switched to a backup link.
Figure 3-53 Association between EFM and interfaces
CE2
CE1
CE3
Port1
EFM
Port2
CE4
Table 3-24 lists association between EFM and interfaces and its usage scenarios.
Issue 02 (2013-12-31)

979

Equipment
3 Reliability
Table 3-24 Association between EFM and interfaces

Triggering
Mode
Usage Scenario
Link fault
Description
The association function is
configured in the interface view
and is unidirectional.
On the network shown in Figure 3-53,

when EFM detects that the link between
CE1 and CE4 becomes faulty (the EFM
status changes from Detect to
Discovery), association between EFM
and EFM-capable Port1 is triggered and
traffic is switched from the master path
CE1-CE4 to the backup path CE1-CE2.
If EFM detects a link fault, the

protocol status of the interface
associated with EFM is set to
ETHOAM Down. Only EFM
OAMPDUs can be transmitted,
speeding up the traffic
switchover from the master path
to the backup path.

when EFM detects that the link between
CE1 and CE4 becomes faulty,
association between EFM and EFMincapable Port2 is triggered and traffic
is switched from the path CE3-CE4 to
the path CE3-CE2. The association
between EFM and Port2 is described as
follows:
The association function is

configured in the MGR view and
is bidirectional.
l If only association between EFM and

Port1 is configured, CE3 cannot
detect a link fault between CE1 and
CE4 and will continue to send return
traffic along the link.
l If CE3 does not support OAM,
association between EFM and EFMincapable Port2 can be configured to
report link faults.
l When EFM detects a fault,

the physical status of the
interface associated with
EFM becomes TRIGGER
DOWN (3AH).
l When the interface
associated with EFM goes
Down, the OAM
management module notifies
associated EFM of the fault.
EFM then notifies the remote
device of the fault.
l Association between EFM and Port2

is simple to deploy. Network
administrators do not need to know
the protocol running over the link
between CE3 and CE4.
Threshold
crossing
Issue 02 (2013-12-31)

EFM is used to monitor links. If an
errored symbol event, errored frame
event, or errored frame second event
occurs on a link, the link quality is
considered poor. Association between
EFM and interfaces is triggered to
implement a rapid master/backup link
switchover, ensuring reliable traffic
transmission.

After the association function is

enabled, the status of the
interface associated with EFM
will be set to administratively
Down and all services on the
interface will be blocked.
980

Equipment
3 Reliability
Triggering
Mode
Usage Scenario
Description
Remote fault

if EFM detects a link fault, a dying gasp,
or a critical event on CE4, association
between EFM and interfaces is triggered
to implement a rapid master/backup link
switchover, ensuring reliable traffic
transmission.
After the association function is

enabled, the protocol status of
the interface associated with
EFM will be set to Down and all
services on the interface will be
blocked. The EFM status on the
interface remains Down even if
EFM detects link recovery. Test
link quality manually and
determine whether to switch
traffic back.
Before configuring association between EFM and interfaces, complete the following task:
l
Configure association between EFM and interfaces to be triggered by a link fault.
Procedure
Configure association between EFM and EFM-capable interfaces.
1.
Run:
system-view

2.
Run:

3.
Run:
efm trigger if-down
The interface is associated with EFM.

By default, the interface is not associated with EFM.
EFM must be enabled on the interface using the efm enable command.
Before configuring association between EFM and the interfaces at both ends of a
link, ensure that the EFM status on the interfaces is Detect.
If Layer 2 and Layer 3 services are blocked due to a misoperation, run the undo
efm trigger if-down command in the interface view to restore services.
l
Configure association between EFM and interfaces to be triggered by a minor link event.
For details, see 3.7.3 Configuring Link Monitoring.
Configure association between EFM and interfaces to be triggered by a remote fault.

For details, see 3.7.5 Configuring Remote Fault Indication.
----End
Issue 02 (2013-12-31)

981

Equipment
3 Reliability
Configuring Association Between EFM and CFM

If EFM is deployed at the user side and CFM is deployed at the network side of a device,
association between EFM and CFM can be configured. This allows EFM and CFM to notify
each other of faults and ensures reliable service transmission.
Context
For details on the principles and usage scenarios of association between EFM and CFM, see
Association Between EFM and Detection Protocols.
Association between EFM and CFM is bidirectional. The details are as follows:
l
When EFM detects a link fault, it will notify CFM of the fault.
When CFM detects a link fault, it will notify EFM of the fault.
Before configuring association between EFM and CFM, complete the following tasks:
l
Configure basic CFM functions.
Procedure
Step 1 Run:
system-view

Step 2 Run:
oam-mgr

Step 3 Perform either of the following configurations as required.
l Unidirectional association
Run the oam-bind ingress efm interface interface-type interface-number egress cfm md
md-name ma ma-name command to configure EFM to notify CFM of faults.
Run the oam-bind ingress cfm md md-name ma ma-name egress efm interface interfacetype interface-number command to configure CFM to notify EFM of faults.
l Bidirectional association
Run the oam-bind cfm md md-name ma ma-name efm interface interface-type interfacenumber command to configure CFM and EFM to notify each other of faults.
Issue 02 (2013-12-31)

982

Equipment
3 Reliability
NOTE
The functions of two commands used to configure association functions in opposite directions are the same
as those of one command used to configure the bidirectional association function.
If the oam-bind cfm md md-name ma ma-name efm interface interface-type interface-number command
is run, the oam-bind ingress efm interface interface-type interface-number egress cfm md md-name
ma ma-name and oam-bind ingress cfm md md-name ma ma-name egress efm interface interfacetype interface-number commands will be displayed in the configuration file.
After association between EFM and CFM is configured, the following situations occur:
l If EFM is disabled on an interface, the association configuration will be deleted.
l If an MA or MD is deleted, the association configuration will be deleted.
----End
Configuring Association Between EFM and BFD

If EFM is deployed at the user side and BFD is deployed at the network side of a device,
association between EFM and CFM can be configured. This allows EFM and CFM to notify
each other of faults and ensures reliable service transmission.
Context
For details on the principles and usage scenarios of association between EFM and BFD, see
Association Between EFM and Detection Protocols.
Association between EFM and BFD is bidirectional. The details are as follows:
l
When EFM detects a link fault, it will notify BFD of the fault.
When BFD detects a link fault, it will notify EFM of the fault.
The following BFD sessions support association between EFM and BFD:
l
Static BFD for LSP (LDP, TE, TE-LSP, static-LSP, and VLL PW) sessions (a PST is
required)
BFD for IP sessions (no PST is required)
Before configuring association between EFM and BFD, complete the following tasks:
l
Configure basic BFD functions.
Procedure
Step 1 Run:
system-view

Step 2 Run:
oam-mgr

Issue 02 (2013-12-31)

983

Equipment
3 Reliability
Step 3 Perform either of the following configurations as required.

l Unidirectional association
Run the oam-bind ingress efm interface interface-type interface-number egress bfdsession bfd-session-id command to configure EFM to notify BFD of faults.
Run the oam-bind ingress bfd-session bfd-session-id egress efm interface interface-type
interface-number command to configure BFD to notify EFM of faults.
l Bidirectional association
Run the oam-bind efm interface interface-type interface-number bfd-session bfd-sessionid command to configure EFM and BFD to notify each other of faults.
NOTE
The functions of two commands used to configure association functions in opposite directions are the same
as those of one command used to configure the bidirectional association function.
If the oam-bind efm interface interface-type interface-number bfd-session bfd-session-id command is
run, the oam-bind ingress efm interface interface-type interface-number egress bfd-session bfd-sessionid and oam-bind ingress bfd-session bfd-session-id egress efm interface interface-type interfacenumber commands will be displayed in the configuration file.
----End
3.7.7 Maintaining EFM

This section describes how to maintain EFM, involving EFM debugging.
Debugging EFM
In routine maintenance, run debugging commands in any view to view the operating status of
EFM.
Context
NOTICE
Debugging affects system performance. After debugging is complete, run the undo
debugging command to disable it immediately.
When an EFM fault occurs, run the debugging command in the user view to debug EFM, and
locate and analyze the fault.
Procedure
Step 1 Run the debugging efm { message | interface interface-type interface-num { all | error |
message | packet { all | receive | send } | event | process } } command to enable EFM debugging
on a specified interface.
----End
Issue 02 (2013-12-31)

984

Equipment
3 Reliability

This section provides several examples showing how to configure EFM functions in different
scenarios. In each configuration example, the networking requirements, configuration roadmap,
data preparation, and configuration files are provided.
Example for Configuring Basic EFM Functions

This section provides an example showing how to configure basic EFM functions.
In the networking shown in Figure 3-54, the network between CE1 and CE3 is newly deployed.
The requirements on the network are as follows:
l
Link connectivity and quality on the network are tested before the network is started.
Link quality is dynamically monitored after links are properly started.
Traffic is switched to a backup link if the primary link fails.
Figure 3-54 Networking diagram for configuring basic EFM functions
CE2
GE2/0/1
User
Network
CE1 GE0/2/0
CE3
GE0/2/1
Metro
Core
CE4
GE2/0/1
EFM
1.
Configure basic EFM functions on CE1 and CE4 to monitor link connectivity.
2.
Configure remote loopback on CE1 to test the connectivity and performance of the link
between CE1 and CE4 before the link is used to transmit services.
3.
Configure link monitoring on CE1 to monitor the performance and quality of the link
between CE1 and CE4.
4.
Configure association between EFM and interfaces on CE1 so that when the link between
CE1 and CE4 goes faulty, traffic sent from CE3 will not be sent along the link.
Issue 02 (2013-12-31)

985

Equipment
3 Reliability
Data Preparation
l
Period of detecting symbol errors and threshold for the number of symbol errors detected
in the period on GE 0/2/1 of CE1
Period of detecting errored frames and threshold for the number of errored frames detected
in the period on GE 0/2/1 of CE1
Period of detecting errored frame seconds and threshold for the number of errored frame
seconds detected in the period on GE 0/2/1 of CE1
Procedure
Step 1 Configure basic EFM functions.
# Enable EFM on CE1.
[CE1] efm enable

[CE4] efm enable
# Configure the EFM mode to passive on GE 2/0/1 of CE4.

[CE4] interface gigabitethernet 2/0/1
[CE4-GigabitEthernet2/0/1] efm mode passive
# Enable EFM on GE 2/0/1 of CE4.

[CE4-GigabitEthernet2/0/1] efm enable
[CE4-GigabitEthernet2/0/1] quit


If EFM is correctly configured on CE1 and CE4, GE 0/2/1 and GE 2/0/1 will enter the handshake
phase. Run the display efm session { all | interface interface-type interface-num } command
on CE1 or CE4. The command output shows that the EFM state is detect on GE 0/2/1 or GE
2/0/1.
[CE1] display efm session all
Interface
EFM State
Loopback Timeout
detect
--
Step 2 Configure remote loopback.

# Configure remote loopback on CE1.
[CE1-GigabitEthernet0/2/1] efm loopback start
Issue 02 (2013-12-31)

986

Equipment
3 Reliability

After configuring remote loopback, run the display efm session { all | interface interfacetype interface-num } command on CE1. The command output shows that the EFM status is
Loopback (control) on GE 2/0/1.
[CE1] display efm session interface gigabitethernet 0/2/1
Interface
EFM State
Loopback Timeout
loopback (control)
20
Run the display efm session { all | interface interface-type interface-num } command on CE4.
The command output shows that the EFM status is Loopback (be controlled) on GE 2/0/1.
Interface
EFM State
Loopback Timeout
---------------------------------------------------------------------Interface
EFM State
Loopback Timeout
loopback (be controlled)
--
Step 3 Disable remote loopback.

[CE1-GigabitEthernet0/2/1] efm loopback stop
NOTE
The default timeout period of remote loopback is 20 minutes. After the timeout period expires, remote
loopback is automatically disabled. To disable remote loopback, perform the preceding step.

After disabling remote loopback, run the display efm session { all | interface interface-type
interface-num } command on CE1 or CE4. The command output shows that the EFM status is
Detect or Discovery on the interfaces at both ends of the link. For example:
Interface
EFM State
Loopback Timeout
detect
--
If the link is working properly, perform the following operations to monitor the link in real time.
Step 5 Configure errored symbol detection, errored frame detection, and errored frame second
detection.
# Configure errored symbol detection on GE 0/2/1 of CE1.
[CE1-GigabitEthernet0/2/1] efm error-frame period 5
[CE1-GigabitEthernet0/2/1] efm error-frame threshold 5
[CE1-GigabitEthernet0/2/1] efm error-frame notification enable
# Configure errored frame detection on GE 0/2/1 of CE1.

[CE1-GigabitEthernet0/2/1] efm error-code period 5
[CE1-GigabitEthernet0/2/1] efm error-code threshold 5
[CE1-GigabitEthernet0/2/1] efm error-code notification enable
# Configure errored frame second detection on GE 1/0/1 of CE1.

[CE1-GigabitEthernet0/2/1] efm error-frame-second period 120
[CE1-GigabitEthernet0/2/1] efm error-frame-second threshold 5
Issue 02 (2013-12-31)

987

Equipment
3 Reliability
[CE1-GigabitEthernet0/2/1] efm error-frame-second notification enable


If the preceding configurations are complete, GE 0/2/1 of CE1 and GE 2/0/1 of CE4 will enter
the handshake phase. Run the display efm session { all | interface interface-type interfacenum } command on CE1 or CE4. The command output shows that the EFM state is detect on
GE 0/2/1 or GE 2/0/1.
Interface
EFM State
Loopback Timeout
detect
--
After the preceding configuration is complete, run the display efm { all | interface interfacetype interface-number } command to display EFM configurations.
[CE1] display efm interface gigabitethernet 0/2/1
Item
Value
---------------------------------------------------Interface:
EFM Enable Flag:
enable
Mode:
active
Loopback IgnoreRequest:
no
OAMPDU MaxSize:
128
OAMPDU Timeout:
5000
ErrCodeNotification:
enable
ErrCodePeriod:
5
ErrCodeThreshold:
5
ErrFrameNotification:
enable
ErrFramePeriod:
5
ErrFrameThreshold:
5
ErrFrameSecondNotification:
enable
ErrFrameSecondPeriod:
120
ErrFrameSecondThreshold:
5
Hold Up Time:
0
ThresholdEvtTriggerErrDown:
disable
TriggerIfDown:
disable
Remote MAC:
0010-0010-0010
Remote EFM Enable Flag:
enable
Remote Mode:
passive
Remote MaxSize:
128
Remote Loopback IgnoreRequest: no
Remote State:
--
Step 7 Configure association between EFM and GE 0/2/1 on CE4.

[CE4] oam-mgr
[CE4-oam-mgr] oam-bind efm
interface GigabitEthernet
[CE4-oam-mgr] quit
interface
0/2/1
GigabitEthernet
2/0/1 trigger if-down

After the preceding configurations are complete, run the undo efm enable command on GE
0/2/1 of CE1. Then, run the display interface GigabitEthernet 0/2/1 command on CE4. The
command output shows that the current state field value is TRIGGER DOWN (3AH).
[CE4] display interface GigabitEthernet 0/2/1
GigabitEthernet0/2/1 current state : TRIGGER DOWN (3AH)
Line protocol current state : DOWN
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-304b-8200
Issue 02 (2013-12-31)

988

Equipment
3 Reliability

: 2011-05-05 13:58:45 UTC-08:00
Hardware address is 00e0-304b-8200
Input:
Output:
----End
Configuration Files
l

#
sysname CE1
#
efm
enable
#
interface
undo
shutdown
efm
enable
efm error-frame period
5
efm error-frame threshold
5
efm error-frame notification
enable
efm error-frame-second period
120
efm error-frame-second threshold
5
efm error-frame-second notification
enable
efm error-code period
5
efm error-code threshold
5
efm error-code notification enable
#
interface
NULL0
#
return

#
sysname CE4
#
efm enable
#
interface
Issue 02 (2013-12-31)

989

Equipment
3 Reliability
undo
shutdown
efm mode
passive
efm enable
#
oammgr
oam-bind ingress interface GigabitEthernet0/2/1 egress efm interface
GigabitEthernet2/0/1 trigger ifdown
oam-bind ingress efm interface GigabitEthernet2/0/1 trigger if-down egress
interface
#
return
Example for Configuring Association Between EFM and CFM

This section provides an example showing how to configure association between EFM and CFM.
fault detection.
On the network shown in Figure 3-55, CE1 is dual-homed to PE1 and PE3. The requirements
on the network are as follows:
l
The connectivity of links between CE1 and PE3, between PE3 and PE4, and PE4 and CE2
can be monitored.
If the link between CE1 and PE3 goes faulty, CE2 can detect the fault, preventing return
traffic from being forwarded to PE4.
When the link between PE3 and PE4 goes faulty, CE1 or CE2 can detect the fault.
If the link between CE1 and PE3 goes faulty, a master/backup link switchover can be
implemented.
Issue 02 (2013-12-31)

990

Equipment
3 Reliability
Figure 3-55 Networking diagram for configuring association between EFM and CFM
PE2
PE1
GE1/0/2 GE1/0/2
GE1/0/1
GE1/0/1
CE2
CE1
GE0/2/0
GE0/2/0
User
Network
GE0/2/1
GE1/0/1
GE0/2/1
User
Network
PE4
PE3
GE1/0/2 GE1/0/2
GE1/0/1
EFM
CFM
EFM
1.
Configure EFM for links between CE1 and PE3 and between CE2 and PE4 to monitor link
connectivity.
2.
Configure EFM for the link between PE3 and PE4 to monitor link connectivity.
3.
Configure association between EFM and interfaces on CE2 so that if EFM detects a link
fault between CE1 and PE3, traffic can be switched to the backup link and return traffic is
not forwarded to PE4.
4.
Configure association between CFM and EFM on PE3 and PE4 so that CFM and EFM can
notify each other of faults.
Data Preparation
l
MD names, MA names, MEP IDs, and REMP IDs
Names of interfaces associated with EFM
Procedure
[CE1] efm enable

Issue 02 (2013-12-31)

991

Equipment
3 Reliability
[CE2] efm enable
# Enable EFM on PE3.

[PE3] efm enable

[PE4] efm enable


# Enable EFM on GE 1/0/1 of PE3.

[PE3-GigabitEthernet1/0/1] efm enable


If EFM is correctly configured on PE3, CE1, PE4, and CE2, GE 1/0/1 or GE 0/2/1 of these
devices will enter the handshake stage. Run the display efm session { all | interface interfacetype interface-num } command on one of these devices. The command output shows that the
EFM status on GE 1/0/1 or GE 0/2/1 is Detect.
Interface
EFM State
Loopback Timeout
detect
--
Step 2 Configure basic CFM functions.

MEPs of outward type are used as an example for configuring basic CFM functions.
# Configure basic CFM functions on PE3.
[PE3] vlan 2
[PE3--vlan2] quit
[PE3] interface GigabitEthernet1/0/2
[PE3-GigabitEthernet1/0/2] portswitch
[PE3-GigabitEthernet1/0/2] port trunk allow-pass vlan 2
[PE3] cfm md md1
[PE3-md-md1] ma ma1
[PE3-md-md1-ma-ma1] map vlan 2
[PE3-md-md1-ma-ma1] mep mep-id 1 interface GigabitEthernet
Issue 02 (2013-12-31)

1/0/2 outward
992

Equipment
[PE3-md-md1-ma-ma1]
[PE3-md-md1-ma-ma1]
[PE3-md-md1-ma-ma1]
[PE3-md-md1-ma-ma1]
[PE4-md-md1] quit
3 Reliability
remote-mep mep-id 2
mep ccm-send enable
quit
# Configure basic CFM functions on PE4.

[PE4] vlan 2
[PE4--vlan2] quit
[PE4] cfm md md1
[PE4-md-md1] ma ma1
[PE4-md-md1-ma-ma1] mep mep-id 2 interface GigabitEthernet
[PE4-md-md1] quit
1/0/2 outward

Run the display cfm remote-mep command on PE3 or PE4. If CFM is correctly configured on
PE3 and PE4, the command output shows that the CFM Status field value is Up.
[PE3] display cfm remote-mep
The status of RMEPs : 1 up, 0 down, 0 disable
-------------------------------------------------MD Name
: md1
Level
: 0
MA Name
: ma1
RMEP ID
: 2
VLAN ID
: 2
VSI Name
: -L2VC ID
: -MAC
: -CCM Receive
: enabled
Trigger-If-Down
: disabled
CFM Status
: up
Step 3 Configure association between EFM and CFM.

# Configure association between EFM and CFM on PE3.
[PE3] oam-mgr
[PE3-oam-mgr] oam-bind cfm
[PE3-oam-mgr] quit
md md1 ma ma1 efm
interface
GigabitEthernet
1/0/1
GigabitEthernet
1/0/1
# Configure association between EFM and CFM on PE4.

[PE4] oam-mgr
[PE4-oam-mgr] oam-bind cfm
[PE4-oam-mgr] quit
md md1 ma ma1 efm
interface
Step 4 Configure association between EFM and interfaces on CE2.

[CE2] interface GigabitEthernet0/2/1
[CE2-GigabitEthernet0/2/1] efm trigger if-down

After association functions are configured, run the undo efm enable command on GE 0/2/1 of
CE1 to simulate a fault in the link between CE1 and PE3. Run the display interface interfaceIssue 02 (2013-12-31)

993

Equipment
3 Reliability
type interface-num command on GE 0/2/1 of CE2. The command output shows that the Line
protocol current state field value is DOWN (EFM down).
[CE2] display interface gigabitethernet0/2/1
Line protocol current state : DOWN (EFM down)
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-0845-8100
: 2011-05-13 10:36:05 UTC-08:00
Hardware address is 00e0-0845-8100
Input:
Output:
----End
Configuration Files
l

#
sysname CE1
#
efm enable
#
interface
undo
shutdown
efm enable
#
return

#
sysname PE3
#
vlan batch
2
#
cfm
enable
#
efm
enable
#
interface
undo
shutdown
efm
enable
#
Issue 02 (2013-12-31)

994

Equipment
3 Reliability
interface
portswitch
undo
shutdown
port trunk allow-pass vlan
2
#
interface
NULL0
#
cfm md
md1
ma
ma1
map vlan
2
outward
enable
remote-mep mep-id
2
enable
#
oammgr
oam-bind ingress efm interface GigabitEthernet1/0/1 egress cfm md md1 ma
ma1
oam-bind ingress cfm md md1 ma ma1 egress efm interface
#
return

#
sysname PE4
#
vlan batch
2
#
cfm
enable
#
efm
enable
#
interface
undo
shutdown
efm
enable
#
interface
portswitch
undo
shutdown
port trunk allow-pass vlan
2
#
interface
NULL0
Issue 02 (2013-12-31)

995

Equipment
3 Reliability
#
cfm md
md1
ma
ma1
map vlan
2
outward
enable
remote-mep mep-id
1
enable
#
oammgr
oam-bind ingress efm interface GigabitEthernet1/0/1 egress cfm md md1 ma
ma1
oam-bind ingress cfm md md1 ma ma1 egress efm interface
#
return

#
sysname CE2
#
efm enable
#
interface
undo
shutdown
efm enable
efm trigger if-down
#
return
Example for Configuring Association Between EFM and BFD

This section provides an example showing how to configure association between EFM and BFD.
fault detection.
On the network shown in Figure 3-56, CE1 is dual-homed to PE1 and PE3. The requirements
on the network are as follows:
l
Issue 02 (2013-12-31)
The connectivity of links between CE1 and PE3, between PE3 and PE4, and PE4 and CE2.

996

Equipment
3 Reliability
If the link between CE1 and PE3 goes faulty, CE2 can detect the fault, preventing return
traffic from being forwarded to PE4.
When the link between PE3 and PE4 goes faulty, CE1 or CE2 can detect the fault.
If the link between CE1 and PE3 goes faulty, a master/backup link switchover can be
implemented.
Figure 3-56 Networking diagram for configuring association between EFM and BFD
PE2
PE1
CE1
User
Network1
CE2
GE0/2/1
GE0/2/1
GE1/0/1
PE3
User
Network2
GE1/0/1
GE1/0/2 GE1/0/2
PE4
802.3ah
BFD
802.3ah
1.
Configure EFM for links between CE1 and PE3 and between CE2 and PE4 to monitor link
connectivity.
2.
Configure BFD for the link between PE3 and PE4 to monitor link connectivity.
3.
Configure association between EFM and interfaces on CE2 so that if EFM detects a link
fault between CE1 and PE3, traffic can be switched to the backup link and return traffic is
not forwarded to PE4.
4.
Configure association between BFD and EFM on PE3 and PE4 so that CFM and BFD can
notify each other of faults.
Data Preparation
l
Local and remote discriminators of a BFD session
VLAN IDs
Procedure
Issue 02 (2013-12-31)

997

Equipment
3 Reliability
[CE1] efm enable

[CE2] efm enable

[PE3] efm enable

[PE4] efm enable





If EFM is correctly configured on PE3, CE1, PE4, and CE2, GE 0/2/1 of these devices will enter
the handshake stage. Run the display efm session { all | interface interface-type interfacenum } command on one of these devices. The command output shows that the EFM status on
GE 1/0/1 or GE 0/2/1 is Detect.
Interface
EFM State
Loopback Timeout
detect
--
Step 2 Configure basic BFD functions.

BFD for IP is used as an example for configuring basic BFD functions.
# Configure basic BFD functions on PE3.
[PE3] bfd
Issue 02 (2013-12-31)

998

Equipment
3 Reliability
[PE3-bfd] quit
[PE3] bfd pedetect bind peer-ip 1.1.1.2 interface
[PE3-bfd-session-pedetect] discriminator local 1
[PE3-bfd-session-pedetect] discriminator remote 2
[PE3-bfd-session-pedetect] commit
[PE3-bfd-session-pedetect] quit
GigabitEthernet
1/0/2
GigabitEthernet
1/0/2
# Configure basic BFD functions on PE4.

[PE4] bfd
[PE4-bfd] quit
[PE4] bfd pedetect bind peer-ip 1.1.1.1 interface
[PE4-bfd-session-pedetect] discriminator local 2
[PE4-bfd-session-pedetect] discriminator remote 1
[PE3-bfd-session-pedetect] commit
[PE4-bfd-session-pedetect] quit

Run the display bfd session all command on PE3 or PE4. If BFD is correctly configured on
PE3 and PE4, The command output shows that the BFD status is Up.
[PE3] display bfd session all
-------------------------------------------------------------------------------Local Remote PeerIpAddr
State
Type
InterfaceName
-------------------------------------------------------------------------------1
2
1.1.1.2
Up
S_IP_IF
Step 3 Configure association between EFM and BFD.

# Configure association between EFM and BFD on PE3.
[PE3] oam-mgr
[PE3-oam-mgr] oam-bind efm interface GigabitEthernet 1/0/1 bfd-session 1
[PE3-oam-mgr] quit
# Configure association between EFM and BFD on PE4.

[PE4] oam-mgr
[PE4-oam-mgr] oam-bind efm
[PE4-oam-mgr] quit
interface GigabitEthernet
1/0/1 bfd-session 2
Step 4 Configure association between EFM and interfaces on CE2.

[CE2] interface GigabitEthernet0/2/1
[CE2-GigabitEthernet0/2/1] efm trigger if-down

After association functions are configured, run the undo efm enable command on GE 0/2/1 of
CE1 to simulate a fault in the link between CE1 and PE3. Run the display interface interfacetype interface-num command on GE 0/2/1 of CE2. The command output shows that the Line
protocol current state field value is DOWN (EFM down).
[CE2] display interface gigabitethernet0/2/1
Line protocol current state : DOWN (EFM down)
Description:HUAWEI, Quidway Series, 0/2/1 Interface
Issue 02 (2013-12-31)

999

Equipment
3 Reliability

IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-453f-8100
: 2011-05-10 16:50:52 UTC-08:00
Hardware address is 00e0-453f-8100
Input:
Output:
----End
Configuration Files
l

#
sysname CE1
#
efm enable
#
interface
undo
shutdown
efm enable
#
return

#
sysname PE3
#
efm
enable
#
bfd
#
interface
undo
shutdown
efm
enable
#
interface
undo
shutdown
ip address 1.1.1.1
255.255.255.0
#
interface
NULL0
#
bfd pedetect bind peer-ip 1.1.1.2 interface
Issue 02 (2013-12-31)

1000

Equipment
3 Reliability
discriminator local
1
discriminator remote
2
commit
#
oammgr
oam-bind ingress efm interface GigabitEthernet1/0/1 egress bfd-session
1
oam-bind ingress bfd-session 1 egress efm interface GigabitEthernet1/0/1
#
return

#
sysname PE4
#
efm
enable
#
bfd
#
interface
undo
shutdown
efm
enable
#
interface
undo
shutdown
ip address 1.1.1.2
255.255.255.0
#
interface
NULL0
#
bfd pedetect bind peer-ip 1.1.1.1 interface
discriminator local
2
discriminator remote
1
commit
#
oammgr
oam-bind ingress efm interface GigabitEthernet1/0/1 egress bfd-session
2
oam-bind ingress bfd-session 2 egress efm interface
#
return

#
sysname CE2
#
efm enable
#
interface
Issue 02 (2013-12-31)

1001

Equipment
3 Reliability
undo
shutdown
efm enable
efm trigger if-down
#
return
3.8 Y.1731 Configuration

Y.1731 is an OAM protocol at the network layer. It provides fault detection defined in IEEE
802.1ag and performance monitoring, such as frame loss measurement, frame delay
measurement.
3.8.1 Y.1731 Overview

Y.1731 is used to implement performance monitoring and fault management for end-to-end links
on Ethernet networks.
Y.1731 Introduction
Y.1731 is an Operation, Administration and Maintenance (OAM) protocol defined by the ITUT. It is used to implement end-to-end connectivity detection, loopback detection, and link trace
on Metro Ethernets (MEs). It also provides the test diagnosis and performance monitoring
functions such as frame loss measurement, frame delay measurement, frame jitter measurement,
and throughput measurement.
Background
Originally, Ethernet was mainly used in Local Area Networks (LANs), and had a poor OAM
capability. In addition, Ethernet supports only the network element-level management system
that cannot meet network management requirements of most network operators. After Ethernet
is widely used in MANs, the requirement on OAM becomes increasingly high.
Hierarchical Ethernet OAM needs to be provided based on the network architecture, as shown
in Figure 3-57.
Issue 02 (2013-12-31)

1002

Equipment
3 Reliability
Figure 3-57 Networking diagram for Ethernet OAM
Services
Access
CE
PE1
Metro
P
PE2
PE3
Core
Access
Link OAM
EFM
EFM
Connectivity
Layer OAM
CFM/Y.1731
Service
Layer OAM
CFM/Y.1731
802.3ah, also known as Ethernet in the First Mile (EFM), is used to monitor the first-mile
link connectivity. It is a type of link-level OAM technology. EFM provides link
connectivity detection, link fault monitoring, remote fault notification, and remote
loopback for two directly connected devices.
IEEE 802.1ag, also known as Connectivity Fault Management (CFM), defines OAM
functions, such as continuity check (CC), link trace (LT) and loopback (LB), for Ethernet
networks. CFM is network-level OAM and is applicable to large-scale end-to-end
networking.
Y.1731 is an OAM protocol defined by the ITU-T. It covers the contents defined by IEEE
802.1ag and other OAM functions, including the Alarm Indication Signal (AIS), Remote
Defect Indication (RDI), Locked Signal (LCK), Test Signal, Automatic Protection
Switching (APS), Maintenance Communication Channel (MCC), Experimental OAM
(EXP), and Vendor Specific OAM (VSP) for fault management and frame loss
measurement (LM) and delay measurement (DM) for performance monitoring.
As shown in Figure 3-57, Y.1731 is used to implement fast fault detection and performance
monitoring for end-to-end services. When a user considers that the quality of purchased Ethernet
tunnel services deteriorates or when an operator needs to conduct regular Service level agreement
(SLA) monitoring.
Basic Concepts and Principles

l
Single-ended frame loss measurement

Frame loss measurement is performed by sending frames with ETH-LM information to a
remote Maintenance association End Point (MEP) and receiving frames with ETH-LM
information from the remote MEP. As shown in Figure 3-58, the process of single-ended
frame loss measurement is as follows:
1.
Issue 02 (2013-12-31)
The local MEP(Maintenance association End Point) sends an ETH-LMM (a frame

containing ETH-LM request information) to the remote MEP. The ETH-LMM carries
a transmit counter indicating the time at which the message is sent by the local end.
1003

Equipment
3 Reliability
2.
After receiving the ETH-LMM, the remote MEP replies with an ETH-LMR (a frame
containing ETH-LM response information).
3.
After receiving the ETH-LMR, the local MEP obtains corresponding measurement
information based on message contents and calculates the frame loss ratio.
Figure 3-58 Networking diagram for single-ended frame loss measurement

ETH-LMM
ETH-LMR
CE
CE
PE
VLL
CE
CE
PE
P
Y.1731
CE
CE
ETH-LMM
ETH-LMR
Dual-ended frame loss measurement

Frame loss measurement is performed by sending frames with ETH-LM information to a
remote MEP and receiving frames with ETH-LM information from the remote MEP. As
shown in Figure 3-59, the process of dual-ended frame loss measurement is as follows:
1.
Each MEP sends a frame containing ETH-LM request information to remote MEPs.
Here, the frame containing ETH-LM request information is called a Continuity Check
Message (CCM).
2.
Each MEP processes the received CCMs and measures the number of frames lost on
both the local and remote ends.
3.
Each MEP obtains corresponding measurement information based on contents in the

CCMs and calculates frame loss ratios.
Figure 3-59 Networking diagram for dual-ended frame loss measurement

ETH-CCM
ETH-CCM
CE
CE
PE
Y.1731
CE
PE
P
CE
Issue 02 (2013-12-31)
CE

CE
1004

Equipment
3 Reliability
Single-ended synthetic loss measurement (SLM)

SLM measures frame loss using synthetic frames instead of data traffic. When
implementing SLM, the local MEP exchanges frames containing ETH-SLM information
with one or more RMEPs.
Figure 3-60 demonstrates the process of single-ended SLM:
1.
The local MEP sends frames with the ETH-SLM request information to the RMEPs.
2.
After receiving the frames with the ETH-SLM request information, the RMEPs send
frames with the ETH-SLM reply information to the local MEP.
A frame with the single-ended ETH-SLM request information is called an SLM, and a
frame with the single-ended ETH-SLM reply information is called an SLR. SLM frames
carry SLM protocol data units (PDUs), and SLR frames carry SLR PDUs.
Figure 3-60 Networking diagram for single-ended SLM
CE2
PE2
PE1
CE1
User
Network
Network
CE3
SLM
SLR
User
Network
User
Network
PE3
One-way frame delay measurement

One-way frame delay measurement is performed between end-to-end MEPs by sending
and receiving 1DM frames. As shown in Figure 3-61, the process of one-way frame delay
measurement is as follows:
1.
A MEP periodically sends 1DM frames carrying TxTimeStampf.
2.
After receiving a 1DM frame, the remote MEP compares the TxTimeStampf with the
RxTimef that is the time at the reception of the frame, and then calculates the oneway frame delay by using the following formula:
Frame delay = RxTimef - TxTimeStampf
Figure 3-61 Networking diagram for one-way frame delay measurement

1DM PDU
CE
CE
PE
CE
Issue 02 (2013-12-31)
VLL
CE
CE
PE
P
Y.1731

CE
1005

Equipment
3 Reliability
Two-way frame delay measurement

Two-way frame delay measurement is performed between end-to-end MEPs by sending
and receiving Delay Measurement Messages (DMMs) and Delay Measurement Replies
(DMRs). As shown in Figure 3-62, the process of two-way frame delay measurement is
as follows:
1.
A MEP periodically sends DMMs carrying TxTimeStampf.
2.
After receiving a DMM, the remote MEP adds the RxTimeStampf value (the time of
receiving the DMM) to the DMM, generates a DMR with the TxTimeStampb value
(the time of sending the DMR), and sends the frame to the requesting MEP. Every
field in the DMM is copied to the DMR, except that the source and destination MAC
addresses are swapped and the message type is changed from DMM to DMR.
3.
Upon receiving the DMR frame, the requesting MEP calculates the two-way frame
delay based on the following formula: The formula is as follows:
Frame delay = (RxTimeb - TxTimeStampf) - (TxTimeStampb - RxTimeStampf)
Figure 3-62 Networking diagram for two-way frame delay measurement
DMM
CE
CE
PE2
PE1
CE
CE
VLL
CE
Y. 1731
CE
DMR
AIS
AIS(Alarm Indication Signal) is a protocol used to transmit fault information.
As shown in Figure 3-63, the MEPs configured on the access interfaces of CE1 and CE2
reside in level-6 MD1. MD1 is a user domain, and does not have a high requirement for
fault detection time. The MEPs configured on PE1 and PE2 reside in level-3 MD2. MD2
is a carrier domain, and has a high requirement for fault detection time.
If the PEs are enabled with the AIS function, the PEs will send AIS packets to associated
CEs when CFM detects a fault on the link between PEs. After receiving the AIS packets,
the CEs can suppress all alarms to reduce the impact of the alarms on the NMS.
After the link between the PEs recovers, the PEs stop sending AIS packets. The CEs
will not receive any AIS packet. After a period (3.5 times the period for sending AIS
packets) expires, the alarm suppression function on the CEs is disabled automatically.
Issue 02 (2013-12-31)

1006

Equipment
3 Reliability
Figure 3-63 Networking diagram of AIS
CE1
AIS packets
PE1
PE 2
VLL/ VPLS/ VLAN
VLAN/ QinQ
AIS packets
CE2
VLAN/ QinQ
MD 2 Level 3
MD 1 Level 6
Y.1731 Features Supported by the ATN

This section describes the functions and deployment scenarios of Y.1731 features that the
ATN supports.
The Y.1731 features that the ATN supports include single-ended frame loss measurement, dualended frame loss measurement, one-way frame delay measurement, two-way frame delay
measurement applied to Virtual Private LAN Service (VPLS), Virtual Leased Line (VLL), and
Virtual Local Area Network (VLAN) networking. Table 3-25 lists the functions and deployment
scenarios of these features.
NOTE
Before configuring a unidirectional delay, synchronize the clock frequency between the two ends. For
details about frequency synchronization configuration, see the chapter "1588v2 Configuration" in
Configuration Guide-Clock.
Table 3-25 Functions that Y.1731 supports
Issue 02 (2013-12-31)
Funct
ion
Singleended
Frame Loss
Measureme
nt
Dual-ended
Frame Loss
Measureme
nt
One-way
Frame Delay
Measureme
nt
Two-way
Frame Delay
Measureme
nt
AIS
Descr
iption
Checks the
quality of a
link by
measuring
packet loss on
the MEP at
either end of
the link.
Checks the
quality of a
link by
measuring
packet loss on
the MEPs at
both ends of
the link.
Checks the
quality of a
link by
measuring the
delay in
unidirectional
frame
transmission
over the link
between MEP
peers.
Checks the
quality of a
link by
measuring the
delay in
bidirectional
frame
transmission
over the link
between MEP
peers.
Suppresses
alarms to
minimize the
impact of a
large number
of alarms on
the NMS.

1007

Equipment
Funct
ion
Singleended
Frame Loss
Measureme
nt
Dual-ended
Frame Loss
Measureme
nt
Deplo
yment
Scena
rio
Single-ended frame loss

measurement or dual-ended
frame loss measurement can be
used to measure frame loss on a
link as needed.
l If the connectivity of a link
and packet loss need to be
detected and the MEPs at
both ends of a link support
the CC function, dual-ended
frame loss measurement can
be implemented.
l If at least one of the MEPs at
both ends of a link does not
support the CC function,
single-ended frame loss
measurement can be
implemented.
3 Reliability
One-way
Frame Delay
Measureme
nt
Two-way
Frame Delay
Measureme
nt
One-way frame delay

measurement or two-way frame
delay measurement can be used
to measure the delay in frame
transmission on a link or
monitor the performance of a
link as needed.
l One-way frame delay
measurement can be used if
the following conditions are
met:
AIS
If the
requirement
for fault
detection time
is high, AIS
can be used to
suppress
alarms when
CFM detects
faults in
connectivity.
The clocks of the MEPs

at both ends of a link are
synchronized.
The requirement for the
delay in frame
transmission is high or
the delay in frame
transmission over the
return link is not
concerned.
l Two-way frame delay
measurement can be used if
the following conditions are
met:
If the clocks of the MEPs
at both ends of a link are
not synchronized.
The requirement for the
delay in frame
transmission is low or the
delay in frame
transmission over the
return link is concerned.
3.8.2 Configuring Y.1731 Functions in VLL Networking

This section describes how to configure Y.1731 functions including single-ended frame loss
measurement, dual-ended frame loss measurement, one-way frame delay measurement, twoway frame delay measurement in VLL networking.
Issue 02 (2013-12-31)

1008

Equipment
3 Reliability
Before You Start

Before configuring Y.1731 functions on in VLL networking, familiarize yourself with the usage
The VLL technology implements point-to-point VPN networking. As shown in Figure 3-64,
the PEs are connected through a PW. To take accurate statistics about frame loss on one end of
a PW between PE1 and PE2 in VLL networking, the following performance monitoring
functions defined by Y.1731 can be used to monitor links:
l
Single-ended synthetic frame loss measurement
Y.1731 functions implemented on the PW side include Y.1731 functions implemented by an

interface-based MEP and a PW-based MEP. Y.1731 functions implemented by a PW-based
MEP supports only one-way frame DM, two-way frame DM, single-ended SLM.
Figure 3-64 Networking diagram for configuring Y.1731 functions in VLL networking
User
Network
User
Network
PW
CE1
PE1
VLL
PE2
Y.1731
CE2
Y.1731
Y.1731
MEP
The type of PE1's interface that accesses a VLL is as follows:

l
Common sub-interface
Sub-interface for QinQ VLAN tag termination
L2VE sub-interface
Before configuring Y.1731 functions in VLL networking, complete the tasks listed in Table
3-26.
Issue 02 (2013-12-31)

1009

Equipment
3 Reliability
Table 3-26 Pre-configuration tasks for configuring Y.1731 functions in VLL networking
Function
Configuring Y.1731 functions (single-ended

frame loss measurement, dual-ended frame
loss measurement, one-way frame delay
measurement, and two-way frame delay
measurement, and single-ended synthetic
loss measurement) for a PW in VLL
networking
l Completing VLL-related configurations

on PEs
For details, see the chapter "VLL
Configuration" in the Configuration
Guide - VPN.
l Completing CFM-related configurations
Data Preparation
To configure Y.1731 functions in VLL networking, you need the following data.
No.
Data
VC ID of the VLL bound to an MA
Interval at which frames are sent and number of sent frames during single-ended
frame loss measurement
Interval at which frames are sent and number of sent frames during dual-ended frame
loss measurement
Interval at which frames are sent and number of sent frames during one-way frame
delay measurement
Interval at which frames are sent and number of sent frames during two-way frame
delay measurement
(Optional) the interval for sending AIS packets
Interval and number at which multicast MAC Ping frames are sent
Interval at which SLM frames are sent and maximum number of SLM frames to be
sent
Binding an MA to a VLL
Binding an MA to a VLL is a prerequisite for configuring single-ended frame loss measurement,
dual-ended frame loss measurement, one-way frame delay measurement, two-way frame delay
measurement.
Context
VLL-based performance monitoring is L2VC-specific. Therefore, when deploying performance
monitoring defined in Y.1731 on a VLL, bind an MA to an L2VC, and then collect performance
statistics about the MA. Then, performance statistics about a specified PW will be available.
Issue 02 (2013-12-31)

1010

Equipment
3 Reliability
To collect performance statistics about a PW, do as follows on the PEs at both ends of a
VLL.
Procedure
Step 1 Run:
system-view

Step 2 Run:
cfm md md-name

Step 3 Run:
ma ma-name

Step 4 Run:
The MA is bound to a specified L2VC.

NOTE
The interface of the raw type and the interface of the tagged type process packets in different
manners, as shown in Table 3-27 and Table 3-28.
Table 3-27 Packet processing on an inbound interface
Inbound Interface
Type
Raw Encapsulation
Tagged Encapsulation
VLANIF interface
l default mode: No action is

performed.
No action is performed.
l trunk mode: The outer tags

are stripped.
l default mode: Adds a tag

(default VLAN ID of the
interface).
l trunk mode: No action is
required.
Issue 02 (2013-12-31)
Ethernet main
interface
Tags are stripped.
No action is performed.
Dot1q sub-interface
Removes one tag.
Keeps the tag unchanged.
Dot1q termination
sub-interface
Removes one tag.
Keeps the tag unchanged.

1011

Equipment
3 Reliability
Table 3-28 Packet processing on an outbound interface

Outbound
Interface Type
Raw Encapsulation
Tagged Encapsulation
VLANIF interface
l No action is performed by
default.
l The tag is stripped by default.
l A specific tag is added in

trunk mode.
l The tag is replaced in trunk

mode.
Ethernet main
interface
A specific tag is added.
The tag is replaced.
Dot1q sub-interface
Adds one tag.
Replaces the VLAN ID in the tag

contained in a packet with the
local VLAN ID.
Dot1q termination
sub-interface
Adds one tag.
Replaces the VLAN ID in the tag

contained in a packet with the
local VLAN ID.
----End
Configuring Single-ended Frame Loss Measurement in VLL Networking

In VLL networking, CFM is enabled. CCMs are not used to monitor link connectivity, preventing
them from using a lot of network bandwidth resources. if frame loss measurement needs to be
performed for a link, single-ended frame loss measurement can be configured to monitor the
quality of the link.
Context
Single-ended frame loss measurement in VLL networking can be either on-demand or proactive.
On-demand single-ended frame loss measurement is manually initiated for diagnosis of frame
loss in a limited time. It can be singular or periodic measurement. Proactive single-ended frame
loss measurement is carried out continuously to permit proactive reporting of frame loss or
performance results.
l
To implement singular or periodic single-ended frame loss measurement for a PW or an

AC, configure on-demand single-end frame loss measurement in VLL networking.
To implement continual single-ended frame loss measurement for a PW, configure

proactive single-ended frame loss measurement in VLL networking.
802.1p priorities carried by packets on a network are used to differentiate services, and
therefore different policies can be deployed for services. As shown in Figure 3-65, the
802.1p priority values contained in traffic passing through the P on the VLL are 1 and 2.
Frame loss measurement is performed for the link between PE1 and PE2. Assume that
traffic (with the priority value of 2) that is not involved in frame loss measurement is sent
out after frame loss measurement is enabled. The traffic is forwarded preferentially because
its priority is high. As a result, the traffic (with the priority value of 1) that is involved in
frame loss measurement fails to reach PE2 in time, causing incorrect frame loss statistics.
Issue 02 (2013-12-31)

1012

Equipment
3 Reliability
802.1p-priority-based single-ended frame loss measurement can be configured for the VLL
for accurate proactive frame loss tests.
Figure 3-65 Networking diagram for priority-based frame loss measurement on a VLL
CE2
CE1
PE1
User
Network
PE2
Y.1731
User
Network
MEP
Priority 1
Priority 2
Procedure
l
Configure on-demand single-ended frame loss measurement.

Configure on-demand single-ended frame loss measurement for an AC.
1.
Perform the following steps on the devices at both ends of an AC where singleended frame loss measurement will be implemented:
a.
Run:
system-view

b.
Run:
cfm md md-name

c.
Run:
ma ma-name

d.
Perform the following steps on the devices where the MEPs reside:
On the CE, run:
map vlan vlan-id

On the PE, run:
Issue 02 (2013-12-31)

1013

Equipment
3 Reliability

e.
Run:
mep mep-id
The MEP is configured.

f.
Run:
The remote MEP ID is configured.

g.
Run:
mep ccm-send enable
The CCM transmission function is enabled.

h.
Run:
The CCM reception function is enabled.

2.
On the receiving device of an AC where single-ended frame loss measurement will

be implemented, run:
loss-measure single-ended receive mep mep-id
The LMM reception function is configured on the device.

3.
On the transmitting device of an AC where single-ended frame loss measurement

will be implemented, run:
loss-measure single-ended send mep mep-id [ mac mac-address | remotemep mep-id ] interval interval count count-value
On-demand single-ended frame loss measurement is configured for an AC.

l
Configure proactive single-ended frame loss measurement.

1.
Perform the following steps on the devices at both ends of a AC where proactive
single-ended frame loss measurement will be implemented:
a.
Run:
system-view

b.
(Optional) Run:
y1731 trust inner-priority mode
The queue priority-based Y.1731 performance statistics function is enabled.

c.
(Optional) Run:
y1731 pm-mode enable
Performance management (PM) to manage Y.1731 proactive performance

statistics is enabled. PM saves the statistics to generated statistics files and then
sends the files to the NMS.
By default, PM is disabled from managing Y.1731 proactive performance
statistics.
d.
(Optional) Run:
y1731_record-upload
A device is enabled to send Y.1731 proactive performance statistics files to a

server.
Issue 02 (2013-12-31)

1014

Equipment
3 Reliability
The y1731 pm-mode enable and y1731_record-upload commands are

mutually exclusive.
e.
Run:
cfm md md-name

f.
Run:
ma ma-name

g.
Run:

h.
Run:
mep mep-id

i.
Run:

j.
Run:
mep ccm-send enable

k.
Run:

l.
On the transmitting device of a AC where proactive single-ended frame loss

measurement will be implemented, run:
loss-measure single-ended continual send mep mep-id [ mac macaddress | remote-mep mep-id ] interval interval [ 8021p { 8021pvalue } &<1-3> ]
Proactive single-ended frame loss measurement is configured for a AC.

If 8021p 8021p-value is specified, frame loss measurement based on a specified
802.1p priority is performed for the AC. If 8021p 8021p-value is not specified,
frame loss measurement based on all priorities is performed for the AC.
2.
On the receiving device on a PW where proactive single-ended frame loss

loss-measure
single-ended receive mep mep-id [ 8021p { 8021p-value } &<13> ]
The receive end is enabled to receive LMMs.

If the 8021p 8021p-value parameter is specified, the device that is to receive LMMs
computes the frame loss ratio based on the specified 802.1p priority. If this parameter
is not specified, the device that is to receive LMMs computes the frame loss ratio for
all packets.
3.
On the transmitting device of a PW where proactive single-ended frame loss

loss-measure single-ended
continual send mep mep-id [ remote-mep mep-id ] interval interval
[ 8021p { 8021p-value } &<13> ]
Issue 02 (2013-12-31)

1015

Equipment
3 Reliability
Proactive single-ended frame loss measurement is enabled on the device on the PW

side.
If the 8021p 8021p-value parameter is specified, LMMs with a specified 802.1p
priority are used for single-ended frame loss measurement on a PW. If the parameter
is not specified, LMMs with all 802.1p priorities are used for single-ended frame loss
measurement on a PW.
----End

Run the display y1731 statistic-type single-loss md md-name ma ma-name [ count countvalue ] [ 8021p { 8021p-value } &<1-3> ] [ count count-value ] command on the device that
initiates single-ended frame loss measurement to check statistics about single-ended frame loss
of an AC.
NOTE
Currently, you can check the configuration of single-ended frame loss measurement in VLL networking
by using the NMS that matches the current device version.
Run the display y1731 statistic-type command to view the statistics about single-ended frame
loss.
<HUAWEI> display y1731 statistic-type single-loss md md1 ma ma1
Latest single-ended loss statistics of 802.1p 1:
-------------------------------------------------------------------------------Index
Local-loss
Local-loss ratio
Remote-loss
Remote-loss ratio
-------------------------------------------------------------------------------1
20
50.0000%
30
75.0000%
2
20
50.0000%
30
75.0000%
3
20
50.0000%
30
75.0000%
4
20
50.0000%
30
75.0000%
5
20
50.0000%
30
75.0000%
6
20
50.0000%
30
75.0000%
-------------------------------------------------------------------------------Average Local-loss :
20
Average Local-loss Ratio : 50.0000%
Maximum Local-loss :
20
Maximum Local-loss Ratio : 50.0000%
Minimum Local-loss :
20
Minimum Local-loss Ratio : 50.0000%
Average Remote-loss :
30
Average Remote-loss Ratio : 75.0000%
Maximum Remote-loss :
30
Maximum Remote-loss Ratio : 75.0000%
Minimum Remote-loss :
30
Minimum Remote-loss Ratio : 75.0000%
Latest single-ended loss statistics of 802.1p 2:
-------------------------------------------------------------------------------Index
Local-loss
Local-loss ratio
Remote-loss
Remote-loss ratio
-------------------------------------------------------------------------------1
20
50.0000%
30
75.0000%
2
20
50.0000%
30
75.0000%
3
20
50.0000%
30
75.0000%
4
20
50.0000%
30
75.0000%
5
20
50.0000%
30
75.0000%
20
20
20
30
30
30
Issue 02 (2013-12-31)

1016

Equipment
3 Reliability
Configuring Dual-ended Frame Loss Measurement in VLL Networking

In VLL networking, CFM is enabled to monitor link connectivity. if accurate frame loss
measurement needs to be performed for a link, dual-ended frame loss measurement can be
configured to monitor the quality of the link.
Context
Dual-ended frame loss measurement is carried out continuously to permit proactive reporting
of frame loss or performance results.
Dual-ended frame loss measurement in VLL networking is usually deployed on end-to-end
MEPs. Frame loss statistics are collected based on the transmit and receive counters carried by
CCMs. Dual-ended frame loss measurement can be successfully performed only when the
remote MEP is in the Up state.
Procedure
l
Configure dual-ended frame loss measurement for a PW.

NOTE
Perform the following steps on the devices initiates dual-ended frame loss measurement.
1.
Run:
system-view

2.
(Optional) Run:

3.
(Optional) Run:
y1731 record-mode detailed
The detailed mode for recording Y.1731 proactive statistics is enabled.

4.
(Optional) Run:
Performance management (PM) to manage Y.1731 proactive performance statistics

is enabled. PM saves the statistics to generated statistics files and then sends the files
to the NMS.
By default, PM is disabled from managing Y.1731 proactive performance statistics.
5.
Run:
cfm md md-name

6.
Run:
ma ma-name

7.
Run:

8.
Issue 02 (2013-12-31)
Run:
1017

Equipment
3 Reliability
mep mep-id

9.
Run:

10. Run:
mep ccm-send enable

11. Run:

12. (Optional) Run:
loss-measure dual-ended local-ratio-threshold mep mep-id upper-limit
upper-limit lower-limit lower-limit
Lower and upper thresholds are set for the near-end frame loss rate in dual-ended
frame loss measurement.
13. (Optional) Run:
loss-measure dual-ended remote-ratio-threshold mep mep-id upper-limit
Lower and upper thresholds are set for the far-end frame loss rate in dual-ended frame
loss measurement.
14. Run:
loss-measure dual-ended continual mep mep-id remote-mep mep-id
Dual-ended frame loss measurement is enabled for a PW.

----End

Run the display y1731 statistic-type dual-loss md md-name ma ma-name [ count countvalue ] command on the devices that initiates dual-ended frame loss measurement to check
statistics about dual-ended frame loss.
NOTE
Currently, you can check the configuration of dual-ended frame loss measurement in VLL networking by
using the NMS that matches the current device version.
Run the display y1731 statistic-type command to view statistics about dual-ended frame loss.
<HUAWEI> display y1731 statistic-type dual-loss md md1 ma ma1
Latest dual-ended loss statistics:
-------------------------------------------------------------------------------Index
Local-loss
Local-loss ratio
Remote-loss
Remote-loss ratio
-------------------------------------------------------------------------------1
0
0.0000%
0
0.0000%
2
0
0.0000%
0
0.0000%
3
5
50.0000%
10
50.0000%
4
0
0.0000%
0
0.0000%
5
5
50.0000%
10
50.0000%
6
10
50.0000%
5
50.0000%
7
5
50.0000%
10
50.0000%
8
10
50.0000%
5
50.0000%
9
10
50.0000%
5
50.0000%
Issue 02 (2013-12-31)

1018

Equipment
3 Reliability
10
5
50.0000%
10
50.0000%
11
5
50.0000%
10
50.0000%
12
10
50.0000%
5
50.0000%
13
5
50.0000%
10
50.0000%
14
10
50.0000%
5
50.0000%
15
5
50.0000%
10
50.0000%
16
10
50.0000%
5
50.0000%
5
10
0
Minimum Local-loss Ratio :
0.0000%
6
10
0
Minimum Remote-loss Ratio :
0.0000%
Configuring One-way Frame Delay Measurement in VLL Networking

In VLL networking, the clock frequency between the two ends are synchronized and CFM is
enabled to monitor link connectivity. if the unidirectional delay measurement needs to be
performed for a link, one-way frame delay measurement can be configured to monitor the quality
of the link.
Context
NOTE
One-way frame delay measurement in VLL networking can be either on-demand or proactive.
On-demand one-way frame delay measurement is manually initiated for diagnosis of frame
transmission delays in a limited time. It can be singular or periodic measurement. Proactive oneway frame delay measurement is carried out continuously to permit proactive reporting of frame
transmission delays or performance results.
l
To implement singular or periodic one-way frame delay measurement for a PW or an

AC, configure on-demand one-way frame delay measurement in VLL networking.
To implement continual one-way frame delay measurement for a PW, configure proactive
one-way frame delay measurement in VLL networking.
802.1p priority values contained in traffic passing through the P on the VLL are 1 and 2.
One-way frame delay measurement is performed for the link between PE1 and PE2.
Assume that traffic (with the priority value of 2) that is not involved in frame delay
measurement is sent out after one-way frame delay measurement is enabled. The traffic is
forwarded preferentially, because its priority is high. As a result, the traffic (with the priority
value of 1) that is involved in frame delay measurement fails to reach PE2 in time, causing
incorrect frame delay statistics.
802.1p-priority-based one-way frame delay measurement can be configured for the VLL
for accurate proactive frame delay tests.
Issue 02 (2013-12-31)

1019

Equipment
3 Reliability
CE2
CE1
PE1
User
Network
PE2
Y.1731
User
Network
MEP
Priority 1
Priority 2
Procedure
l
Configure on-demand one-way frame delay measurement.

Configure on-demand one-way frame delay measurement for a PW.
1.
Perform the following steps on the devices at both ends of a PW where one-way
frame delay measurement will be implemented:
a.
Run:
system-view

b.
Run:
cfm md md-name

c.
Run:
ma ma-name

d.
Run:

2.
Configure a MEP according to Table 3-29.

Table 3-29 MEP configuration
Operation
Issue 02 (2013-12-31)
Command

1020

Equipment
Configure a
PW-based
MEP.
3 Reliability
mep mep-id mep-id peer-ip peer-ip [ vc-id vc-id ] [ mac macaddress ] { outward | inward }
NOTE
For the same VLL, PW-based MEPs with the same service ID and
direction but different levels are configured. In this case, there are
restrictions on statistics functions:
Only the ATN 950B (with the AND1CXPA/AND1CXPB configured)
supports following notes.
1. The priority-based statistics function and the non-priority-based
statistics function are mutually exclusive.
2. The priority-based statistics function can only be configured for a
single MA.
3.
Run:

4.
Perform the following steps on the device that is to receive 1DMs on the PW side.
delay-measure one-way receivemepmep-id
a.
Run:
test-id test-id mep mep-id [ remote-mep mep-id | mac mac-address ]
[ description description ]
A specific test instance is configured on a peer device.

b.
Run:
delay-measure one-way receive test-id test-id
The peer device is enabled to receive 1DMs.

5.
On the transmitting device on a PW where one-way frame delay measurement will

a.
Run:

b.
Run:
delay-measure one-way send test-id test-id interval interval
count count-value
On-demand one-way frame delay measurement is enabled on the device that

is to send 1DMs on the PW side.
Configure on-demand one-way frame delay measurement for an AC.
1.
Perform the following steps on the devices at both ends of an AC where on-demand
one-way frame delay measurement will be implemented:
a.
Run:
system-view

b.
Run:
cfm md md-name

Issue 02 (2013-12-31)

1021

Equipment
c.
3 Reliability
Run:
ma ma-name

d.
On the CE, run:
map vlan vlan-id

On the PE, run:

e.
Run:
mep mep-id

f.
Run:

g.
Run:
mep ccm-send enable

h.
Run:

2.
On the receiving device on an AC where on-demand one-way frame delay

delay-measure one-way receive mep mep-id
The 1DM reception function is configured on the device.

3.
On the transmitting device on an AC where on-demand one-way frame delay

delay-measure one-way send mep mep-id { mac mac-address | remote-mep
mep-id } interval interval count count-value
On-demand one-way frame delay measurement is configured for an AC.

l
Configure proactive one-way frame delay measurement.

1.
Perform the following steps on the devices at both ends of a PW where proactive oneway frame delay measurement will be implemented:
a.
Run:
system-view

b.
(Optional) Run:

c.
(Optional) Run:
Issue 02 (2013-12-31)

1022

Equipment
3 Reliability

d.
(Optional) Run:

statistics.
e.
(Optional) Run:
y1731_record-upload

server.
mutually exclusive.
f.
Run:
cfm md md-name

g.
Run:
ma ma-name

h.
Run:

i.

Operation
Command
Configure a
PW-based
MEP.
mep mep-idmep-id peer-ip peer-ip [ vc-id vc-id ] [ mac macaddress ] { outward | inward }
NOTE
single MA.
j.
Run:

2.
Issue 02 (2013-12-31)
On the receiving device on a PW where proactive one-way frame delay measurement

1023

Equipment
a.
3 Reliability
Run:
[ 8021p 8021p-value ] [ description description ]

b.
Run:
delay-measure one-way continual receive test-id test-id

3.
On the transmitting device on a PW where proactive one-way frame delay

a.
Run:

b.
Run:

----End

Run the display y1731 statistic-type oneway-delay md test-id test-id [ count count-value ]
command on the device that initiates one-way frame delay measurement to check statistics about
the delay in unidirectional frame transmission on a PW.
Run the display y1731 statistic-type oneway-delay md md-name ma ma-name [ 8021p
{ 8021p-value } &<1-3> ] [ count count-value ] command on the device that initiates one-way
frame delay measurement to check statistics about the delay in unidirectional frame transmission
on an AC.
NOTE
Currently, you can check the configuration of one-way frame delay measurement on in VLL networking
Run the display y1731 statistic-type command to view statistics about the delay in
unidirectional frame transmission on an AC.
<HUAWEI> display y1731 statistic-type oneway-delay md md1 ma ma1
Latest one-way delay statistics of 802.1p 1:
-------------------------------------------------------------------------------Index
Delay(usec)
Delay variation(usec)
-------------------------------------------------------------------------------1
10000
2
10000
0
3
10000
0
4
10000
0
5
10000
0
6
10000
0
7
10000
0
8
10000
0
9
10000
0
10
10000
0
11
10000
0
-------------------------------------------------------------------------------Average delay(usec) :
10000
Average delay variation(usec) :
0
Maximum delay(usec) :
10000
Maximum delay variation(usec) :
0
Issue 02 (2013-12-31)

1024

Equipment
Minimum delay(usec) :
3 Reliability
10000
Minimum delay variation(usec) :
Latest one-way delay statistics of 802.1p 2:

-------------------------------------------------------------------------------Index
Delay(usec)
-------------------------------------------------------------------------------1
10000
2
10000
0
3
10000
0
4
10000
0
5
10000
0
6
10000
0
7
10000
0
8
10000
0
9
10000
0
10
10000
0
11
10000
0
10000
0
10000
0
10000
0
Configuring Two-way Frame Delay Measurement in VLL Networking

In VLL networking, the clock frequency between the two ends are not synchronized and CFM
is enabled to monitor link connectivity. if the bidirectional delay measurement needs to be
performed for a link, two-way frame delay measurement can be configured to monitor the quality
of the link.
Context
Two-way frame delay measurement in VLL networking can be either on-demand or proactive.
On-demand two-way frame delay measurement is manually initiated for diagnosis of the frame
transmission delay in a limited time. It can be singular or periodic measurement. Proactive twoway frame delay measurement is carried out continuously to permit proactive reporting of frame
l
To implement singular or periodic two-way frame delay measurement for a PW or an

AC, configure on-demand two-way frame delay measurement in VLL networking.
To implement continual two-way frame delay measurement for a PW, configure proactive
two-way frame delay measurement in VLL networking.
802.1p priority values contained in traffic passing through the P are 1 and 2.
Two-way frame delay measurement is performed for the link between PE1 and PE2.
Assume that traffic (with the priority value of 2) that is not involved in frame delay
measurement is sent out after two-way frame delay measurement is enabled. The traffic is
forwarded preferentially, because its priority is high. As a result, the traffic (with the priority
value of 1) that is involved in frame delay measurement fails to reach PE2 in time, causing
incorrect frame delay statistics.
802.1p-priority-based two-way frame delay measurement can be configured for the VLL
for accurate proactive frame delay tests.
Issue 02 (2013-12-31)

1025

Equipment
3 Reliability
CE2
CE1
PE1
User
Network
PE2
Y.1731
User
Network
MEP
Priority 1
Priority 2
Procedure
l
Configure on-demand two-way frame delay measurement.

Configure on-demand two-way frame delay measurement for a PW.
1.
Perform the following steps on the devices at both ends of a PW where two-way
frame delay measurement will be implemented:
a.
Run:
system-view

b.
Run:
cfm md md-name

c.
Run:
ma ma-name

d.
Run:

e.
Run:
Operation
Issue 02 (2013-12-31)
Command

1026

Equipment
Configure a
PW-based
MEP.
3 Reliability
mep mep-id mep-id peer-ip peer-ip [ vc-id vc-id ] [ mac

mac-address ] { outward | inward }
NOTE
restrictions on statistics functions:For the same VLL, PW-based
MEPs with the same service ID and direction but different levels
are configured. In this case, there are restrictions on statistics
functions:
Only the ATN 950B (with the AND1CXPA/AND1CXPB
configured) supports following notes.
1. The priority-based statistics function and the non-prioritybased statistics function are mutually exclusive.
2. The priority-based statistics function can only be configured
for a single MA.
f.
Run:

2.
On the receiving device on a PW where two-way frame delay measurement will

a.
Run:
A test instance is configured.

b.
Run:
The peer device is enabled to receive DMMs.

3.
On the transmitting device on a PW where two-way frame delay measurement will

a.
Run:

b.
Run:
delay-measure two-way send test-id test-id interval interval
count count
On-demand two-way frame delay measurement is enabled on the device that

is to send DMMs on the PW side.
Configure on-demand two-way frame delay measurement for an AC.
1.
two-way frame delay measurement will be implemented:
a.
Run:
system-view

Issue 02 (2013-12-31)

1027

Equipment
b.
3 Reliability
Run:
cfm md md-name

c.
Run:
ma ma-name

d.
On the CE, run:
map vlan vlan-id

On the PE, run:

e.
Run:
mep mep-id

f.
Run:

g.
Run:
mep ccm-send enable

h.
Run:

2.
On the receiving device on an AC where on-demand two-way frame delay

delay-measure two-way receive mep mep-id
The DMM reception function is configured on the device.

3.
On the transmitting device on an AC where on-demand two-way frame delay

delay-measure two-way send mep mep-id {
interval count count-value
remote-mep mep-id } interval
On-demand two-way frame delay measurement is configured for an AC.

l
Configure proactive two-way frame delay measurement.

1.
Perform the following steps on the devices at both ends of a PW where proactive twoway frame delay measurement will be implemented:
a.
Run:
system-view

b.
(Optional) Run:
Issue 02 (2013-12-31)

1028

Equipment
3 Reliability

c.
(Optional) Run:

d.
(Optional) Run:

statistics.
e.
(Optional) Run:
y1731_record-upload

server.
mutually exclusive.
f.
Run:
cfm md md-name

g.
Run:
ma ma-name

h.
Run:

i.

Operation
Command
Configure a
PW-based
MEP.
NOTE
single MA.
j.
Issue 02 (2013-12-31)
Run:
1029

Equipment
3 Reliability

2.
On the receiving device on a PW where proactive two-way frame delay measurement

a.
Run:

b.
Run:
delay-measure two-way receive test-id test-id
The peer device is enabled to receive DMMs.

3.
On the transmitting device on a PW where proactive two-way frame delay

a.
Run:

b.
Run:
delay-measure two-way continual send test-id test-id interval interval
Proactive two-way frame delay measurement is enabled on the device that is to

send DMMs on the PW side.
----End

Run the display y1731 statistic-type twoway-delay md test- id test-id [ count count-value ]
command on the device that initiates two-way frame delay measurement to check statistics about
the delay in bidirectional frame transmission on a PW.
Run the display y1731 statistic-type twoway-delay md md-name ma ma-name [ 8021p
{ 8021p-value } &<1-3> ] [ count count-value ] command on the device that initiates two-way
frame delay measurement to check statistics about the delay in bidirectional frame transmission
on an AC.
NOTE
Currently, you can check the configuration of two-way frame delay measurement on in VLL networking
Run the display y1731 statistic-type command to view statistics about the delay in bidirectional
frame transmission on an AC.
<HUAWEI> display y1731 statistic-type twoway-delay md md1 ma ma1
Latest two-way delay statistics of 802.1p 2:
-------------------------------------------------------------------------------Index
Delay(usec)
-------------------------------------------------------------------------------1
0
2
0
0
3
0
0
0
0
0
0
Issue 02 (2013-12-31)

1030

Equipment
3 Reliability
0
Latest two-way delay statistics of 802.1p 3:

-------------------------------------------------------------------------------Index
Delay(usec)
-------------------------------------------------------------------------------1
0
2
0
0
3
0
0
0
0
0
0
0
0
Configuring Single-ended SLM in VLL Networking

This section describes how to configure single-ended synthetic loss measurement (SLM) in
virtual leased line (VLL) networking. To collect performance statistics for frame loss on pointto-multipoint or multipoint-to-multipoint links, deploy single-ended SLM, which helps monitor
link quality.
Context
In VLL networking, single-ended SLM includes on-demand and proactive SLM functions.
On-demand SLM collects single-ended frame loss statistics at one or more specific times for
diagnosis. It is used on the pseudo wire (PW) or attachment circuit (AC) side.
Proactive SLM collects single-ended frame loss statistics periodically. It is used on the PW side
only.
On a network, each packet carries the IEEE 802.1p field, indicating its priority. According to
packet priority, different QoS policies will be applied. On the network, the PE1-to-PE3 traffic
has two priorities: 1 and 2, as indicated by the IEEE 802.1p field.
When implementing single-ended SLM for traffic over the PE1-PE3 link, PE1 sends SLM
frames with varied priorities and checks the frame loss. Based on the check result, the network
administrator can adjust the QoS policy for the link.
To collect accurate performance statistics, configure 802.1p priority-based single-ended SLM.
Procedure
l
Configure single-ended on-demand SLM.

Configure single-ended on-demand SLM on the PW side.
1.
Perform the following steps on the devices at both ends of a PW where singleended on-demand SLM will be implemented:
a.
Run:
system-view

b.
Run:
cfm md md-name

c.
Issue 02 (2013-12-31)
Run:
1031

Equipment
3 Reliability
ma ma-name

d.
Run:

e.

Operation
Command
Configure a
PW-based
MEP.

NOTE
Only the ATN 950B (with the AND1CXPA/AND1CXPB
configured) supports following notes.
1. The priority-based statistics function and the non-prioritybased statistics function are mutually exclusive.
2. The priority-based statistics function can only be configured
for a single MA.
f.
Run:
A remote MEP (RMEP) is specified.

g.
Run:
mep ccm-send enable
The MEP is enabled to send continuity check messages (CCMs).

h.
Run:
The RMEP is enabled to receive CCMs.

i.
Run:
test-id test-id-value mep mep-id remote-mep mep-id [ description
description ]
A test instance is created.

2.
Perform the following configuration on the RMEP that receives SLM frames on
the PW side:
Run:
loss-measure single-ended-synthetic receive test-id test-id [ time-out
timeout-value ]
The RMEP is enabled to receive SLM frames.

3.
Perform the following configuration on the MEP that sends SLM frames to initiate
on-demand SLM on the PW side:
Run:
Issue 02 (2013-12-31)

1032

Equipment
3 Reliability
loss-measure single-ended-synthetic send test-id test-id interval

interval [ sending-count count-value ] [ timeout timeout ]
The MEP is enabled to send SLM frames.

Configure single-ended on-demand SLM on the AC side.
1.
Perform the following steps on the devices at both ends of an AC where singleended on-demand SLM will be implemented:
a.
Run:
system-view

b.
Run:
cfm md md-name

c.
Run:
ma ma-name

d.
Perform the following steps on the devices at both ends of the AC:
On the CE, run:
map vlan vlan-id

On the PE, run:

e.
Run:
mep mep-id
A MEP is configured.
f.
Run:
An RMEP is specified.
g.
Run:
mep ccm-send enable

h.
Run:

i.
Run:
description ]

2.
the AC side:
Run:
timeout-value ]
Issue 02 (2013-12-31)

1033

Equipment
3 Reliability

3.
on-demand SLM on the AC side:
Run:

l
Configure single-ended proactive SLM.

1.
Perform the following steps on the devices at both ends of a PW where single-ended
proactive SLM will be implemented:
a.
Run:
system-view

b.
(Optional) Run:

c.
(Optional) Run:
Performance management (PM) is enabled to manage Y.1731 proactive

By default, Y.1731 collects proactive performance statistics, generates statistics
files, and allows the files to be sent to the network management system (NMS).
d.
(Optional) Run:
y1731 record-upload

server.
The y1731 pm-mode enable and y1731 record-upload commands are mutually
exclusive.
e.
Run:
cfm md md-name

f.
Run:
ma ma-name

g.
Run:

h.

Operation
Issue 02 (2013-12-31)
Command

1034

Equipment
Configure a
PW-based
MEP.
3 Reliability
NOTE
single MA.
i.
Run:
j.
Run:
mep ccm-send enable

k.
Run:

l.
Run:
test-id test-id-value mep mep-id remote-mep mep-id [ 8021p 8021pvalue ] [ description description ]

2.
Perform the following configuration on the RMEP that receives SLM frames on the
PW side:
Run:
timeout-value ]

3.
proactive SLM on the PW side:
Run:
interval [ sending-count count ] [ time-out timeout ]

----End

After configuring single-ended SLM, run the display y1731 statistic-type single-syntheticloss test-id test-id [ count count ] command on the MEP that has been enabled to send SLM
frames.
Issue 02 (2013-12-31)

1035

Equipment
3 Reliability
Run the display y1731 statistic-type command. The command output shows statistics for singleended SLM.
<HUAWEI> display y1731 statistic-type single-synthetic-loss test-id 2
-------------------------------------------------------------------------------Index
L-send R-send L-recv Unack L-loss R-loss L-loss-ratio R-loss-ratio
-------------------------------------------------------------------------------667
1000
1000
1000
0
0
0
0.0000%
0.0000%
668
1000
1000
1000
0
0
0
0.0000%
0.0000%
669
1000
1000
1000
0
0
0
0.0000%
0.0000%
670
1000
1000
1000
0
0
0
0.0000%
0.0000%
671
1000
1000
1000
0
0
0
0.0000%
0.0000%
672
1000
1000
1000
0
0
0
0.0000%
0.0000%
673
1000
1000
1000
0
0
0
0.0000%
0.0000%
674
1000
1000
1000
0
0
0
0.0000%
0.0000%
675
1000
1000
1000
0
0
0
0.0000%
0.0000%
676
1000
1000
1000
0
0
0
0.0000%
0.0000%
677
1000
1000
1000
0
0
0
0.0000%
0.0000%
678
1000
1000
1000
0
0
0
0.0000%
0.0000%
679
1000
1000
1000
0
0
0
0.0000%
0.0000%
680
1000
1000
1000
0
0
0
0.0000%
0.0000%
681
1000
1000
1000
0
0
0
0.0000%
0.0000%
682
1000
1000
1000
0
0
0
0.0000%
0.0000%
683
1000
1000
1000
0
0
0
0.0000%
0.0000%
684
1000
1000
1000
0
0
0
0.0000%
0.0000%
685
1000
1000
1000
0
0
0
0.0000%
0.0000%
686
1000
1000
1000
0
0
0
0.0000%
0.0000%
687
1000
1000
1000
0
0
0
0.0000%
0.0000%
688
1000
1000
1000
0
0
0
0.0000%
0.0000%
689
1000
1000
1000
0
0
0
0.0000%
0.0000%
690
1000
1000
1000
0
0
0
0.0000%
0.0000%
691
1000
1000
1000
0
0
0
0.0000%
0.0000%
692
1000
1000
1000
0
0
0
0.0000%
0.0000%
693
1000
1000
1000
0
0
0
0.0000%
0.0000%
694
1000
1000
1000
0
0
0
0.0000%
0.0000%
695
1000
1000
1000
0
0
0
0.0000%
0.0000%
696
1000
1000
1000
0
0
0
0.0000%
0.0000%
697
1000
1000
1000
0
0
0
0.0000%
0.0000%
698
1000
1000
1000
0
0
0
0.0000%
0.0000%
699
1000
1000
1000
0
0
0
0.0000%
0.0000%
700
1000
1000
1000
0
0
0
0.0000%
0.0000%
701
1000
1000
1000
0
0
0
0.0000%
0.0000%
702
1000
1000
1000
0
0
0
0.0000%
0.0000%
703
1000
1000
1000
0
0
0
0.0000%
0.0000%
704
1000
1000
1000
0
0
0
0.0000%
0.0000%
705
1000
1000
1000
0
0
0
0.0000%
0.0000%
706
1000
1000
1000
0
0
0
0.0000%
0.0000%
707
1000
1000
1000
0
0
0
0.0000%
0.0000%
708
1000
1000
1000
0
0
0
0.0000%
0.0000%
709
1000
1000
1000
0
0
0
0.0000%
0.0000%
710
1000
1000
1000
0
0
0
0.0000%
0.0000%
711
1000
1000
1000
0
0
0
0.0000%
0.0000%
712
1000
1000
1000
0
0
0
0.0000%
0.0000%
713
1000
1000
1000
0
0
0
0.0000%
0.0000%
714
1000
1000
1000
0
0
0
0.0000%
0.0000%
715
1000
1000
1000
0
0
0
0.0000%
0.0000%
716
1000
1000
1000
0
0
0
0.0000%
0.0000%
717
1000
1000
1000
0
0
0
0.0000%
0.0000%
718
1000
1000
1000
0
0
0
0.0000%
0.0000%
719
1000
1000
1000
0
0
0
0.0000%
0.0000%
720
1000
1000
1000
0
0
0
0.0000%
0.0000%
721
1000
1000
1000
0
0
0
0.0000%
0.0000%
722
1000
1000
1000
0
0
0
0.0000%
0.0000%
723
1000
1000
1000
0
0
0
0.0000%
0.0000%
724
1000
1000
1000
0
0
0
0.0000%
0.0000%
725
1000
1000
1000
0
0
0
0.0000%
0.0000%
726
1000
1000
1000
0
0
0
0.0000%
0.0000%
Issue 02 (2013-12-31)

1036

Equipment
3 Reliability
0
Average Local-loss Ratio :
0.0000%
0
Maximum Local-loss Ratio :
0.0000%
0
0.0000%
0
Average Remote-loss Ratio :
0.0000%
0
Maximum Remote-loss Ratio :
0.0000%
0
0.0000%
Configuring AIS
Configuring AIS prohibits a MEP in an MD of a higher level from sending the same alarm as
that sent by a MEP in an MD of a lower level to the NMS.
Context
As shown in Figure 3-68, the MEPs configured on the access interfaces of CE1 and CE2 reside
in level-6 MD1. The MEPs configured on PE1 and PE2 reside in level-3 MD2. When a fault
occurs, a MEP in level-3 MD2 first detects the fault and sends an alarm to the NMS. After a
certain period, a MEP in level-6 MD1 also detects the fault and sends the same alarm to the
NMS. Therefore, the AIS function needs to be configured on the PEs to prohibit the MEP in the
MD of a higher level from sending alarms to the NMS.
NOTE
Millisecond-level CC cannot be performed for the link between the CEs configured with alarm suppression.
Figure 3-68 Networking diagram of configuring AIS in VLL networking
CE1
AIS packets PE1

VLAN/QinQ
PE2 AIS packets CE2

VLL
VLAN/QinQ
MD2 Level 3
MD1 Level 6
Procedure
Step 1 Perform the following steps on a PE:
1.
Run:
system-view

2.
Run:
cfm md md-name
Issue 02 (2013-12-31)

1037

Equipment
3 Reliability

3.
Run:
ma ma-name

4.
Run:

5.
Run:
ais enable
AIS is enabled for the current MA.

By default, AIS is disabled from an MA.
6.
(Optional) Run:
ais link-status
AIS is configured to monitor interfaces in the current MA.

By default, AIS does not monitor any interface.
7.
(Optional) Run:
ais interval interval-value
The interval at which AIS packets are sent is set.

By default, AIS packets are sent at an interval of 1s.
NOTE
If the range of VLANs to which AIS packets are to be sent is set, setting the interval at which AIS
packets are sent to 60s is recommended.
8.
Run:
ais level level-value
The level of AIS packets to be sent is set.

9.
Run:
ais vlan { pe-vid pe-vid ce-vid { low-ce-vid [ to hig-ce-vid ] } &<1-10> |
vid { low-vid [ to high-vid ] } &<1-10>} mep mep-id
The range of VLANs to which AIS packets are to be sent is set.

Step 2 Perform the following steps on a CE:
1.
Run:
system-view

2.
Run:
cfm md md-name

3.
Run:
ma ma-name

4.
Run:
map vlan vlan-id
The MA is bound to the current VLAN.

Issue 02 (2013-12-31)

1038

Equipment
5.
3 Reliability
Run:
ais enable

6.
Run:
ais suppress-alarm
Alarm suppression is enabled for the current MA.

By default, alarm suppression is disabled from a MEP.
In an MD nesting scenario, if alarm suppression is enabled for the MD of a high level, a
MEP in this MD does not send alarms that a MEP in an MD of a low level has sent to the
NMS after receiving an AIS packet.
7.
Run:
mep alarm disable
Disables the alarm reporting function of a specific alarm indication signal (AIS).
By default, the alarm reporting function is enabled.
----End

l
Run the display cfm ma command on a PE to check information about MAs.

The command output shows that the Sending Ais Packet field is displayed as Yes.
<PE>display cfm ma md md1 ma ma1
The total number of MAs is 1
MD Name
: md1
MD Name Format
: string
Level
: 3
MIP Create-type
: none
SenderID TLV-type : Defer
MA Name
: ma1
MA Name Format
: string
Interval
: 1000
Priority
: 4
Vlan ID
: -VSI Name
: -L2VC ID
: 100 tagged
MEP Number
: 1
RMEP Number
: 2
Suppressing Alarms : No
Sending Ais Packet : Yes
Interface TLV
: disabled
RDI Track-action
: --
Run the display cfm ma command on a CE to check information about MAs.

The command output shows that the Suppressing Alarms field is displayed as Yes.
<CE>display cfm ma md md1 ma ma1The total number of MAs is 1
MD Name
: md2
MD Name Format
: string
Level
: 6
MIP Create-type
: none
MA Name
: ma2
MA Name Format
: string
Interval
: 10000
Piority
: 4
Issue 02 (2013-12-31)

1039

Equipment
Vlan ID
VSI Name
L2VC ID
MEP Number
RMEP Number
Suppressing Alarms
Sending Ais Packet
Interface TLV
RDI Track-action
:
3 Reliability
: 7
: -: 100 tagged
: 21
: 22
: Yes
: No
: disabled
--
3.8.3 Configuring Y.1731 Functions in VPLS Networking

This section describes how to config Y.1731 functions including single-ended frame loss
measurement, dual-ended frame loss measurement, one-way frame delay measurement, twoway frame delay measurement, AIS, and multicast MAC ping in VPLS networking.
Before You Start

Before configuring Y.1731 functions in VPLS networking, familiarize yourself with the usage
The VPLS technology implements MP2MP VPN networking, and therefore there may be
multiple PWs between devices in the same VSI. As shown in Figure 3-69, the PEs are connected
through a VPLS network. To take accurate statistics about frame loss on one end of a PW in
VPLS networking, the following performance monitoring functions defined by Y.1731 can be
used to monitor links:
l
Figure 3-69 Networking diagram for configuring Y.1731 functions in VPLS networking
User
Network
User
Network
VPLS
CE1
PE1
PE2
Y.1731
CE2
Y.1731
MEP
PWs are connected through a VPLS network as shows in Figure 3-70. The VPLS technology
implements MP2MP VPN networking, and therefore there may be multiple PWs between
devices in the same VSI. To collect accurate statistics about frame loss on one end of a PW or
Issue 02 (2013-12-31)

1040

Equipment
3 Reliability
an AC in VPLS networking, the following performance monitoring functions defined by Y.1731

can be used to monitor links:
l
Alarm indication signal (AIS)
Multicast MAC ping
Multicast MAC ping
Y.1731 functions implemented on the PW side include Y.1731 functions implemented by an

interface-based MEP and a PW-based MEP. Y.1731 functions implemented by a PW-based
MEP supports only one-way frame DM, two-way frame DM, single-ended SLM, and multicast
MAC ping.
Figure 3-70 Networking diagram for configuring Y.1731 functions in VPLS networking
Y.1731
CE2
PE2
User
Network
VPLS
CE1
CE3
PE3
PE1
User
Network
User
Network
Y.1731
All Y.1731 functions can collect performance statistics for a point-to-point link in VPLS
networking. In addition, SLM, one-way frame delay measurement, and two-way frame delay
measurement can collect performance statistics for MP2MP links, such as the links between PE1
and PE2 and between PE1 and PE3.
The type of PE1's interface that accesses a VPLS network is as follows:
l
Common sub-interface
Sub-interface for QinQ VLAN tag termination
QinQ stacking sub-interface
VLANIF sub-interface that connects a VLAN to a VPLS network
Before configuring Y.1731 functions in VPLS networking, complete the tasks listed in Table
3-35.
Issue 02 (2013-12-31)

1041

Equipment
3 Reliability
Table 3-35 Pre-configuration tasks for configuring Y.1731 functions in VPLS networking
Function
Configuring Y.1731 functions (single-ended

frame loss measurement, dual-ended frame
loss measurement, one-way frame delay
measurement, and two-way frame delay
measurement, and single-ended SLM) for a
PW in VPLS networking
l Completing VPLS-related configurations

on PEs
For details, see the chapter "VPLS
Configuration" in the Configuration
Guide - VPN.
l Completing CFM-related configurations
and configuring the MEP type as Outward
Data Preparation
To configure Y.1731 functions in VPLS networking, you need the following data.
No.
Data
Name of the VSI bound to an MA
Interval at which frames are sent and number of sent frames during single-ended
frame loss measurement
Interval at which frames are sent and number of sent frames during dual-ended frame
loss measurement
Interval at which frames are sent and number of sent frames during one-way frame
delay measurement
Interval at which frames are sent and number of sent frames during two-way frame
delay measurement
(Optional) the interval for sending AIS packets
Interval and number at which multicast MAC Ping frames are sent
Interval at which SLM frames are sent and maximum number of SLM frames to be
sent
Binding an MA to a VPLS Network

Binding an MA to a VPLS network is a prerequisite for configuring single-ended frame loss
measurement, dual-ended frame loss measurement, one-way frame delay measurement, or twoway frame delay measurement in VPLS networking.
Context
VPLS-based performance monitoring function is VSI-specific. Therefore, when deploying Y.
1731, bind an MA to a specified VSI, and then collect performance statistics about the MA.
Then, performance statistics about a specified PW will be available.
Issue 02 (2013-12-31)

1042

Equipment
3 Reliability
Procedure
Step 1 Run:
system-view

Step 2 Run:
cfm md md-name

Step 3 Run:
ma ma-name

Step 4 Run:
map vsi vsi-name
The MA is bound to a VSI.

----End
Configuring Single-ended Frame Loss Measurement in VPLS Networking

In VPLS networking, the clock frequency between the two ends are synchronized and CFM is
of the link.
Context
Single-ended frame loss measurement in VPLS networking can be either on-demand or
proactive. On-demand single-ended frame loss measurement is manually initiated for diagnosis
of frame loss in a limited time. It can be singular or periodic measurement. Proactive singleended frame loss measurement is carried out continuously to permit proactive reporting of frame
loss or performance results.
l
To implement singular or periodic single-ended frame loss measurement for a PW,

configure on-demand single-end frame loss measurement in VLL networking.
To implement continual single-ended frame loss measurement for a PW, configure

proactive single-ended frame loss measurement in VLL networking.
Configure on-demand single-ended frame loss measurement for an AC.
Procedure
1.
Perform the following steps on the devices at both ends of an AC where single-ended
frame loss measurement will be implemented:
a.
Run:
system-view

b.
Run:
cfm md md-name
Issue 02 (2013-12-31)

1043

Equipment
3 Reliability

c.
Run:
ma ma-name

d.
On the PE, run:

map vsivsi-name

e.
Run:
mep mep-id

f.
Run:

g.
Run:
mep ccm-send enable

h.
Run:

2.
On the receiving device of an AC where single-ended frame loss measurement will

The LMM reception function is configured on the device.

3.
On the transmitting device of an AC where single-ended frame loss measurement will

loss-measure single-ended send mep mep-id [ mac mac-address | remote-mep
mep-id ] interval interval count count-value
On-demand single-ended frame loss measurement is configured for an AC.

Single-ended frame loss measurement is implemented for the link between the local
MEP and a remote MPE identified by an ID or a MAC address.
If the local MEP has not learned the MAC address of the remote MEP, the MAC
address of the remote MEP must be specified to implement single-ended frame
loss measurement.
If the local MEP has learned the MAC address of the remote MEP, the ID of the
remote MEP can be used to implement single-ended frame loss measurement.
l

1.
Perform the following steps on the devices at both ends of a PW where proactive
a.
Run:
system-view

b.
(Optional) Run:
Issue 02 (2013-12-31)

1044

Equipment
3 Reliability

statistics.
c.
(Optional) Run:
y1731_record-upload

server.
mutually exclusive.
d.
Run:
cfm md md-name

e.
Run:
ma ma-name

f.
Run:
map vsi vsi-name

g.
Run:
mep mep-id

h.
Run:

i.
Run:
mep ccm-send enable

j.
Run:

----End

Run the display y1731 statistic-type single-loss md md-name ma ma-name [ count countvalue ] command on the device that initiates single-ended frame loss measurement to check
statistics about single-ended frame loss.
NOTE
Currently, you can check the configuration of single-ended frame loss measurement in VPLS networking
Run the display y1731 statistic-type command to view the statistics about single-ended frame
loss.
Issue 02 (2013-12-31)

1045

Equipment
3 Reliability
<HUAWEI> display y1731 statistic-type single-loss md md1 ma ma1 peer-ip 2.2.2.2

Latest single-ended loss statistics:
-------------------------------------------------------------------------------Index
Local-loss
Local-loss ratio
Remote-loss
Remote-loss ratio
-------------------------------------------------------------------------------1
20
50.0000%
30
75.0000%
2
20
50.0000%
30
75.0000%
3
20
50.0000%
30
75.0000%
4
20
50.0000%
30
75.0000%
5
20
50.0000%
30
75.0000%
6
20
50.0000%
30
75.0000%
7
20
50.0000%
30
75.0000%
8
20
50.0000%
30
75.0000%
9
20
50.0000%
30
75.0000%
10
20
50.0000%
30
75.0000%
11
20
50.0000%
30
75.0000%
12
20
50.0000%
30
75.0000%
13
20
50.0000%
30
75.0000%
14
20
50.0000%
30
75.0000%
20
20
20
30
30
30
Configuring Dual-ended Frame Loss Measurement in VPLS Networking

In VPLS networking, CFM is enabled to monitor link connectivity. if accurate frame loss
Context
Dual-ended frame loss measurement in VPLS networking is carried out continuously to permit
proactive reporting of frame loss or performance results. Dual-ended frame loss measurement
in VPLS networking is usually deployed on end-to-end MEPs. Frame loss statistics are collected
based on the transmit and receive counters carried by CCMs. Dual-ended frame loss
measurement can be successfully performed only when the remote MEP is in the Up state.
Procedure
l
Configure dual-ended frame loss measurement for an AC.

NOTE
Perform the following steps on the devices initiates dual-ended frame loss measurement.
1.
Run:
system-view

2.
(Optional) Run:

3.
(Optional) Run:
Issue 02 (2013-12-31)

1046

Equipment
3 Reliability

to the NMS.
4.
(Optional) Run:
y1731 record-upload
A device is enabled to send Y.1731 proactive performance statistics files to a server.

exclusive.
5.
Run:
cfm md md-name

6.
Run:
ma ma-name

7.
On the CE, run:
map vlan vlan-id

Run:
map vsi vsi-name

8.
Run:
mep mep-id

9.
Run:

10. Run:
mep ccm-send enable

11. Run:

12. (Optional) Run:
13. (Optional) Run:
Issue 02 (2013-12-31)

1047

Equipment
3 Reliability
loss measurement.
14. Run:
Dual-ended frame loss measurement is configured for an AC.

----End

NOTE
Currently, you can check the configuration of dual-ended frame loss measurement in VPLS networking
-------------------------------------------------------------------------------Index
Local-loss
Local-loss ratio
Remote-loss
Remote-loss ratio
-------------------------------------------------------------------------------1
0
0.0000%
0
0.0000%
2
0
0.0000%
0
0.0000%
3
5
50.0000%
10
50.0000%
4
0
0.0000%
0
0.0000%
5
5
50.0000%
10
50.0000%
6
10
50.0000%
5
50.0000%
7
5
50.0000%
10
50.0000%
8
10
50.0000%
5
50.0000%
9
10
50.0000%
5
50.0000%
10
5
50.0000%
10
50.0000%
11
5
50.0000%
10
50.0000%
12
10
50.0000%
5
50.0000%
13
5
50.0000%
10
50.0000%
14
10
50.0000%
5
50.0000%
15
5
50.0000%
10
50.0000%
16
10
50.0000%
5
50.0000%
5
10
0
0.0000%
6
10
0
0.0000%
Configuring One-way Frame Delay Measurement in VPLS Networking

In VPLS networking, the clock frequency between the two ends are synchronized and CFM is
of the link.
Issue 02 (2013-12-31)

1048

Equipment
3 Reliability
Context
NOTE
One-way frame delay measurement in VPLS networking can be either on-demand or proactive.
On-demand one-way frame delay measurement is manually initiated for diagnosis of frame
transmission delays in a limited time. It can be singular or periodic measurement. Proactive oneway frame delay measurement is carried out continuously to permit proactive reporting of frame
l
To implement singular or periodic one-way frame delay measurement for a PW, configure
on-demand one-way frame delay measurement in VLL networking.
To implement continual one-way frame delay measurement for a PW, configure proactive
one-way frame delay measurement in VLL networking.
Configure on-demand one-way frame delay measurement for a PW.
Procedure
1.
Perform the following steps on the devices at both ends of a PW where one-way frame
delay measurement will be implemented:
a.
Run:
system-view

b.
Run:
cfm md md-name

c.
Run:
ma ma-name

d.
Run:
map vsi vsi-name

NOTE
Only I-VSI can bound to a VSI on a PBB VPLS network.
e.

f.
Issue 02 (2013-12-31)
Operation
Command
Configure a
PW-based
MEP.
Run:
1049

Equipment
3 Reliability

g.
Run:
mep ccm-send enable

This command can be configured only on an interface-based MEP.
h.
Run:

2.
Table 3-37 Enabling the 1DM frame reception function

Scenario
Procedure
Point-topoint
Performance statistics collection based on a specified test instance:

1. Run:
test-id test-id

2. Run:
The 1DM frame reception function is enabled.

Point-tomultipoint
1. Run:
test-id test-id
A test instance is configured on a specific peer device.

2. Run:
3.
Table 3-38 Enabling the 1DM frame send function

Scenario
Procedure
Point-topoint

1. Run:
test-id test-id

2. Run:
delay-measure one-way send test-id test-id
On-demand one-way frame delay measurement is configured for

a PW.
Issue 02 (2013-12-31)

1050

Equipment
Scenario
Procedure
Point-tomultipoint
1. Run:
3 Reliability
test-id test-id

2. Run:

a PW.
The peer-ip peer-ip parameter or the vc-id vc-id parameter does not need to be
configured and CFM must be disabled in I-VSI view. if on-demand two-way frame
delay measurement is performed on PWs on a PBB VPLS network.
Perform the following steps to verify that CFM is disabled on a PBB VPLS network:
Run the vsi vsi-name command to enter the I-VSI view.
Run the display this command to check whether the cfm enable command exists
in the I-VSI view.
One-way frame delay measurement is implemented for the link between the local MEP
and a remote MEP identified by an ID or a MAC address.
address of the remote MEP must be specified to implement one-way frame delay
measurement.
remote MEP can be used to implement one-way frame delay measurement.
l
Configure on-demand one-way frame delay measurement for an AC.

1.
one-way frame delay measurement will be implemented:
a.
Run:
system-view

b.
(Optional) Run:

c.
Run:
cfm md md-name

d.
Run:
ma ma-name

e.
On the CE, run:
map vlan vlan-id
Issue 02 (2013-12-31)

1051

Equipment
3 Reliability

On the PE, run:
map vsivsi-name

f.
Run:
mep mep-id

g.
Run:

h.
Run:
mep ccm-send enable

i.
Run:

2.

Scenario
Procedure
Point-topoint
Non-test instance-based statistics collection by an interface-based

MEP
Run:

1. Run:
test-id test-id

2. Run:
Point-tomultipoint
1. Run:
test-id test-id

2. Run:
Issue 02 (2013-12-31)

1052

Equipment
3.
3 Reliability

Scenario
Procedure
Point-topoint
Non-test instance-based statistics collection by an interface-based

MEP
Run:
delay-measure one-way send mep mep-id { mac mac-address |
remote-mep mep-id } interval interval count count-value
On-demand one-way frame delay measurement is configured for an

AC.
1. Run:
test-id test-id

2. Run:
an AC.
Point-tomultipoint
1. Run:
test-id test-id

2. Run:
an AC.
measurement.
l
Configure proactive one-way frame delay measurement.

1.
Perform the following steps on the devices at both ends of a PW where proactive oneway frame delay measurement will be implemented:
a.
Run:
system-view

b.
(Optional) Run:

Issue 02 (2013-12-31)

1053

Equipment
3 Reliability

statistics.
c.
(Optional) Run:
y1731_record-upload

server.
mutually exclusive.
d.
Run:
cfm md md-name

e.
Run:
ma ma-name

f.
Run:
map vsi vsi-name

g.

h.
Operation
Command
Configure a
PW-based
MEP.
Run:

i.
Run:
j.
Run:
2.

Scenario
Procedure
Point-topoint

1. Run:
test-id test-id

2. Run:
Issue 02 (2013-12-31)

1054

Equipment
Scenario
Procedure
Point-tomultipoint
1. Run:
3 Reliability
test-id test-id

2. Run:
3.

Scenario
Procedure
Point-topoint
scenario

1. Run:
test-id test-id

2. Run:
delay-measure one-way continual send test-id test-id
Proactive one-way frame delay measurement is configured for a
PW.
Point-tomultipoint
scenario
1. Run:
test-id test-id

2. Run:
delay-measure one-way continual send test-id test-id
Proactive one-way frame delay measurement is configured for a
PW.
measurement.
----End

Run the display y1731 statistic-type oneway-delay md test- id test-id [ count count-value ]
command on the device that initiates one-way frame delay measurement to check statistics about
the delay in unidirectional frame transmission on a PW.
Issue 02 (2013-12-31)

1055

Equipment
3 Reliability
Run the display y1731 statistic-type oneway-delay md md-name ma ma-name [ count countvalue ] command on the device that initiates one-way frame delay measurement to check
statistics about the delay in unidirectional frame transmission on an AC.
NOTE
Currently, you can check the configuration of one-way frame delay measurement on in VPLS networking
unidirectional frame transmission on an AC.
Latest one-way delay statistics:
-------------------------------------------------------------------------------Index
Delay(usec)
-------------------------------------------------------------------------------1
10000
2
10000
0
3
10000
0
4
10000
0
5
10000
0
6
10000
0
7
10000
0
8
10000
0
9
10000
0
10
10000
0
11
10000
0
12
40000
30000
13
10000
30000
14
10000
0
15
10000
0
16
10000
0
17
10000
0
11764
3750
40000
30000
10000
0
Configuring Two-way Frame Delay Measurement in VPLS Networking

In VPLS networking, if the clocks of the MEPs at both ends of a link are not synchronized and
the requirement for delay measurement is not high, two-way frame delay measurement can be
configured for the link.
Context
Two-way frame delay measurement in VPLS networking can be either on-demand or proactive.
On-demand two-way frame delay measurement is manually initiated for diagnosis of the frame
transmission delay in a limited time. It can be singular or periodic measurement. Proactive twoway frame delay measurement is carried out continuously to permit proactive reporting of frame
l
To implement singular or periodic two-way frame delay measurement for a PW, configure
on-demand two-way frame delay measurement in VPLS networking.
To implement continual two-way frame delay measurement for a PW, configure proactive
two-way frame delay measurement in VPLS networking.
Issue 02 (2013-12-31)

1056

Equipment
3 Reliability
Procedure
l
Configure on-demand two-way frame delay measurement for a PW.

1.
Perform the following steps on the devices at both ends of a PW where on-demand
a.
Run:
system-view

b.
Run:
cfm md md-name

c.
Run:
ma ma-name

d.
Run:
map vsi vsi-name

e.
Table 3-44 lists MEP settings in various networking environments.

Table 3-44 MEP configurations
f.
MEP Type
Command
creates a PW
based MEP
Run:
mep mep-id mep-id peer-ip peer-ip [ vc-id vc-id ]
[ mac mac-address ] { ouward | inward }
Run:

2.
On the receiving device on a PW where on-demand two-way frame delay

Table 3-45 Enabling the DMM frame reception function
Scenario
Procedure
Point-topoint
scenario

1. Run:
test-id test-id

2. Run:
Issue 02 (2013-12-31)

1057

Equipment
Scenario
Procedure
Point-tomultipoint
scenario
1. Run:
3 Reliability
test-id test-id

2. Run:
3.
On the transmitting device on a PW where two-way frame delay measurement will

Table 3-46 Enabling the DMM frame send function
Scenario
Procedure
Point-topoint
scenario

1. Run:
test-id test-id

2. Run:
delay-measure two-way send test-id test-id
On-demand two-way frame delay measurement is configured for

a PW.
Point-tomultipoint
scenario
1. Run:
test-id test-id

2. Run:

a PW.
Two-way frame delay measurement is implemented for the link between the local
MEP and a remote MEP identified by an ID or a MAC address.
address of the remote MEP must be specified to implement two-way frame delay
measurement.
remote MEP can be used to implement two-way frame delay measurement.
l
Configure on-demand two-way frame delay measurement for an AC.

1.
a.
Run:
system-view
Issue 02 (2013-12-31)

1058

Equipment
3 Reliability

b.
Run:
cfm md md-name

c.
Run:
ma ma-name

d.
On the CE, run:
map vlan vlan-id

On the PE, run:
map vsivsi-name

e.
Run:
mep mep-id

f.
Run:

g.
Run:
mep ccm-send enable

h.
Run:

2.
On the receiving device on an AC where on-demand two-way frame delay

Scenario
Procedure
Point-topoint
scenario
Performance statistics collection not based on a test instance:

Run:

1. Run:
test-id test-id

2. Run:

Issue 02 (2013-12-31)

1059

Equipment
Scenario
Procedure
Point-tomultipoint
scenario
1. Run:
3 Reliability
test-id test-id

2. Run:
3.
On the transmitting device on an AC where on-demand two-way frame delay

Scenario
Procedure
Point-topoint
scenario

Run:
delay-measure two-way send mep mep-id { mac mac-address |
remote-mep mep-id } interval interval count count-value
On-demand two-way frame delay measurement is configured for an

AC.
1. Run:
test-id test-id

2. Run:

an AC.
Point-tomultipoint
scenario
1. Run:
test-id test-id

2. Run:

an AC.
Two-way frame delay measurement is implemented for the link between the local
MEP and a remote MEP identified by an ID or a MAC address.
address of the remote MEP must be specified to implement two-way frame delay
measurement.
remote MEP can be used to implement two-way frame delay measurement.
Issue 02 (2013-12-31)

1060

Equipment
3 Reliability
Configure proactive two-way frame delay measurement.

1.
Perform the following steps on the devices at both ends of a PW where proactive twoway frame delay measurement will be implemented:
a.
Run:
system-view

b.
(Optional) Run:

statistics.
c.
Run:
cfm md md-name

d.
Run:
ma ma-name

e.
Run:
map vsi vsi-name

f.
Table 3-44 lists MEP settings in various networking environments.

Table 3-49 MEP configurations
g.
MEP Type
Command
creates a PW
based MEP
Run:
mep mep-id mep-id peer-ip peer-ip [ vc-id vc-id ]
[ mac mac-address ] { ouward | inward }
Run:
The RMEP is configured.

2.
Issue 02 (2013-12-31)
On the receiving device on a PW where proactive two-way frame delay measurement


1061

Equipment
3 Reliability

Scenario
Procedure
Point-topoint
scenario
1. Run:
test-id test-id

2. Run:

Point-tomultipoint
scenario
1. Run:
test-id test-id

2. Run:
3.
On the transmitting device on a PW where proactive two-way frame delay

Scenario
Procedure
Point-topoint
scenario

1. Run:
test-id test-id

2. Run:
delay-measure two-way continual send test-id test-id
Proactive two-way frame delay measurement is configured for a

PW.
Point-tomultipoint
scenario
1. Run:
test-id test-id

2. Run:
delay-measure two-way continual send test-id test-id
Proactive two-way frame delay measurement is configured for a

PW.
----End

Run the display y1731 statistic-type twoway-delay md test-id test-id [ count count-value ]
command on the device that initiates two-way frame delay measurement to check statistics about
the delay in bidirectional frame transmission on a PW.
Issue 02 (2013-12-31)

1062

Equipment
3 Reliability
Run the display y1731 statistic-type twoway-delay md md-name ma ma-name [ count countvalue ] command on the device that initiates two-way frame delay measurement to check
statistics about the delay in bidirectional frame transmission on an AC.
NOTE
Currently, you can check the configuration of two-way frame delay measurement on in VPLS networking
frame transmission on an AC.
<HUAWEI>display y1731 statistic-type twoway-delay md md1 ma ma1
-------------------------------------------------------------------------------Index
Delay(usec)
-------------------------------------------------------------------------------1
0
2
0
0
3
0
0
4
0
0
5
0
0
6
0
0
7
0
0
8
0
0
9
0
0
10
0
0
0
0
0
0
0
0
Configuring Single-ended SLM in VPLS Networking

virtual private LAN service (VPLS) networking. To collect performance statistics for frame loss
on point-to-multipoint or multipoint-to-multipoint links, deploy single-ended SLM, which helps
monitor link quality.
Context
In VPLS networking, single-ended SLM includes on-demand and proactive SLM functions. Ondemand SLM collects single-ended frame loss statistics at one or more specific times for
diagnosis. It is used on the pseudo wire (PW) or attachment circuit (AC) side. Proactive SLM
collects single-ended frame loss statistics periodically. It is used on the PW side only.
Procedure
l

Configure single-ended on-demand SLM on the PW side.
1.
Perform the following steps on the devices at both ends of a PW where singleended on-demand SLM will be implemented:
a.
Run:
system-view

b.
Run:
cfm md md-name
Issue 02 (2013-12-31)

1063

Equipment
3 Reliability

c.
Run:
ma ma-name

d.
Run:
map vsi vsi-name

e.

f.
Operation
Command
Configure a
PW-based
MEP.

Run:

g.
Run:
description ]

2.
the PW side:
Run:
timeout-value ]

3.
on-demand SLM on the PW side:
Run:

Configure single-ended on-demand SLM on the AC side.
1.
Perform the following steps on the devices at both ends of an AC where singleended on-demand SLM will be implemented:
a.
Run:
system-view

b.
Run:
cfm md md-name

Issue 02 (2013-12-31)

1064

Equipment
c.
3 Reliability
Run:
ma ma-name

d.
Perform the following steps on the devices at both ends of the AC:
On the CE, run:
map vlan vlan-id

Run:
map vsi vsi-name

e.
Run:
mep mep-id
f.
Run:
g.
Run:
mep ccm-send enable

h.
Run:

i.
Run:
description ]

2.
the AC side:
Run:
timeout-value ]

3.
on-demand SLM on the AC side:
Run:

l

1.
Perform the following steps on the devices at both ends of a PW where single-ended
proactive SLM will be implemented:
a.
Run:
system-view
Issue 02 (2013-12-31)

1065

Equipment
3 Reliability

b.
(Optional) Run:

c.
(Optional) Run:
y1731 record-upload

server.
exclusive.
d.
Run:
cfm md md-name

e.
Run:
ma ma-name

f.
Run:
map vsi vsi-name

g.

h.
Operation
Command
Configure a
PW-based
MEP.
Run:
i.
Run:
test-id test-id-value mep mep-id remote-mep mep-id [ 8021p 8021pvalue ] [ description description ]

2.
Perform the following configuration on the RMEP that receives SLM frames on the
PW side:
Run:
timeout-value ]

Issue 02 (2013-12-31)

1066

Equipment
3.
3 Reliability
proactive SLM on the PW side:
Run:
loss-measure single-ended-synthetic continual send test-id test-id
interval interval [ sending-count count ] [ time-out timeout ]

----End

frames.
-------------------------------------------------------------------------------Index
-------------------------------------------------------------------------------667
1000
1000
1000
0
0
0
0.0000%
0.0000%
668
1000
1000
1000
0
0
0
0.0000%
0.0000%
669
1000
1000
1000
0
0
0
0.0000%
0.0000%
670
1000
1000
1000
0
0
0
0.0000%
0.0000%
671
1000
1000
1000
0
0
0
0.0000%
0.0000%
672
1000
1000
1000
0
0
0
0.0000%
0.0000%
673
1000
1000
1000
0
0
0
0.0000%
0.0000%
674
1000
1000
1000
0
0
0
0.0000%
0.0000%
675
1000
1000
1000
0
0
0
0.0000%
0.0000%
676
1000
1000
1000
0
0
0
0.0000%
0.0000%
677
1000
1000
1000
0
0
0
0.0000%
0.0000%
678
1000
1000
1000
0
0
0
0.0000%
0.0000%
679
1000
1000
1000
0
0
0
0.0000%
0.0000%
680
1000
1000
1000
0
0
0
0.0000%
0.0000%
681
1000
1000
1000
0
0
0
0.0000%
0.0000%
682
1000
1000
1000
0
0
0
0.0000%
0.0000%
683
1000
1000
1000
0
0
0
0.0000%
0.0000%
684
1000
1000
1000
0
0
0
0.0000%
0.0000%
685
1000
1000
1000
0
0
0
0.0000%
0.0000%
686
1000
1000
1000
0
0
0
0.0000%
0.0000%
687
1000
1000
1000
0
0
0
0.0000%
0.0000%
688
1000
1000
1000
0
0
0
0.0000%
0.0000%
689
1000
1000
1000
0
0
0
0.0000%
0.0000%
690
1000
1000
1000
0
0
0
0.0000%
0.0000%
691
1000
1000
1000
0
0
0
0.0000%
0.0000%
692
1000
1000
1000
0
0
0
0.0000%
0.0000%
693
1000
1000
1000
0
0
0
0.0000%
0.0000%
694
1000
1000
1000
0
0
0
0.0000%
0.0000%
695
1000
1000
1000
0
0
0
0.0000%
0.0000%
696
1000
1000
1000
0
0
0
0.0000%
0.0000%
697
1000
1000
1000
0
0
0
0.0000%
0.0000%
698
1000
1000
1000
0
0
0
0.0000%
0.0000%
699
1000
1000
1000
0
0
0
0.0000%
0.0000%
700
1000
1000
1000
0
0
0
0.0000%
0.0000%
701
1000
1000
1000
0
0
0
0.0000%
0.0000%
702
1000
1000
1000
0
0
0
0.0000%
0.0000%
703
1000
1000
1000
0
0
0
0.0000%
0.0000%
704
1000
1000
1000
0
0
0
0.0000%
0.0000%
705
1000
1000
1000
0
0
0
0.0000%
0.0000%
706
1000
1000
1000
0
0
0
0.0000%
0.0000%
707
1000
1000
1000
0
0
0
0.0000%
0.0000%
708
1000
1000
1000
0
0
0
0.0000%
0.0000%
Issue 02 (2013-12-31)

1067

Equipment
3 Reliability
709
1000
1000
1000
0
0
0
0.0000%
0.0000%
710
1000
1000
1000
0
0
0
0.0000%
0.0000%
711
1000
1000
1000
0
0
0
0.0000%
0.0000%
712
1000
1000
1000
0
0
0
0.0000%
0.0000%
713
1000
1000
1000
0
0
0
0.0000%
0.0000%
714
1000
1000
1000
0
0
0
0.0000%
0.0000%
715
1000
1000
1000
0
0
0
0.0000%
0.0000%
716
1000
1000
1000
0
0
0
0.0000%
0.0000%
717
1000
1000
1000
0
0
0
0.0000%
0.0000%
718
1000
1000
1000
0
0
0
0.0000%
0.0000%
719
1000
1000
1000
0
0
0
0.0000%
0.0000%
720
1000
1000
1000
0
0
0
0.0000%
0.0000%
721
1000
1000
1000
0
0
0
0.0000%
0.0000%
722
1000
1000
1000
0
0
0
0.0000%
0.0000%
723
1000
1000
1000
0
0
0
0.0000%
0.0000%
724
1000
1000
1000
0
0
0
0.0000%
0.0000%
725
1000
1000
1000
0
0
0
0.0000%
0.0000%
726
1000
1000
1000
0
0
0
0.0000%
0.0000%
0
0.0000%
0
0.0000%
0
0.0000%
0
0.0000%
0
0.0000%
0
0.0000%
Configuring AIS
Context
NOTE
Issue 02 (2013-12-31)

1068

Equipment
3 Reliability
Figure 3-71 Networking diagram of configuring AIS in VPLS networking
CE1
AIS packets
PE1
VLAN/QinQ
PE2 AIS packets CE2

VPLS
VLAN/QinQ
MD2 Level 3
MD1 Level 6
Procedure
1.
Run:
system-view

2.
Run:
cfm md md-name

3.
Run:
ma ma-name

4.
Run:
map vsi vsi-name

5.
Run:
ais enable

6.
(Optional) Run:
ais link-status

7.
(Optional) Run:

Issue 02 (2013-12-31)

1069

Equipment
3 Reliability

NOTE
8.
Run:

9.
Run:
vid { low-vid [ to high-vid ] } &<1-10> } mep mep-id

1.
Run:
system-view

2.
Run:
cfm md md-name

3.
Run:
ma ma-name

4.
Run:
map vlan vlan-id
The MA is bound to the current VLAN.

5.
Run:
ais enable

6.
Run:
ais suppress-alarm

7.
Run:
mep alarm disable
----End
Issue 02 (2013-12-31)

1070

Equipment
3 Reliability

l

The command output shows that the Sending Ais Packet field is displayed as Yes.
<PE> display cfm ma md md1 ma ma1The total number of MAs is 1
MD Name
: md1
MD Name Format
: string
Level
: 3
MIP Create-type
: none
MA Name
: ma1
MA Name Format
: string
Interval
: 1000
Priority
: 4
Vlan ID
: -VSI Name
: -L2VC ID
: 100 tagged
MEP Number
: 1
RMEP Number
: 2
Interface TLV
: disabled
RDI Track-action
: --

<CE> display cfm ma md md1 ma ma1The total number of MAs is 1
MD Name
: md2
MD Name Format
: string
Level
: 6
MIP Create-type
: none
MA Name
: ma2
MA Name Format
: string
Interval
: 10000
Piority
: 4
Vlan ID
: 7
VSI Name
: -L2VC ID
: 100 tagged
MEP Number
: 21
RMEP Number
: 22
Suppressing Alarms : Yes
Sending Ais Packet : No
Interface TLV
: disabled
RDI Track-action
: --
3.8.4 Configuring Y.1731 Functions in VLAN Networking

This section describes how to config Y.1731 functions including single-ended frame loss
measurement, dual-ended frame loss measurement, one-way frame delay measurement, twoway frame delay measurement, AIS, and multicast MAC ping in VLAN networking.
Before You Start

Before configuring Y.1731 functions in VLAN networking, familiarize yourself with the usage
Issue 02 (2013-12-31)

1071

Equipment
3 Reliability
As shown in Figure 3-72, Y.1731 is used to implement fast fault detection and performance
monitoring for end-to-end services. When a user considers that the quality of purchased Ethernet
tunnel services deteriorates or when an operator needs to conduct regular Service level agreement
(SLA) monitoring, the following performance monitoring functions defined by Y.1731 can be
used to monitor links:
Figure 3-72 Typical Y.1731 deployment scenario
Services
Access
CE
Metro
PE1
PE2
PE3
Core
Infrastructure
Maintenance
EFM
Service
Maintenance
EFM
Y.1731
Subscriber
Maintenance
BFD for PW/LSP

CFM/Y.1731
CFM/Y.1731
CFM
MEP
MIP
BFD
This section describes how to configure Y.1731 functions for the link between CEs in VLAN
networking.
On the VLAN shown in Figure 3-73, to collect performance statistics for a link, use the following
monitoring functions defined by Y.1731:
l
Multicast MAC ping
Multicast MAC ping
Issue 02 (2013-12-31)

1072

Equipment
3 Reliability
Figure 3-73 Networking diagram for configuring Y.1731 functions in VLAN networking
CE2
User
Network
VLL/VPLS
/VLAN
User
Network
CE1
PE1
CE3
PE2
User
Network
All Y.1731 functions can collect performance statistics for a point-to-point link in VLAN
networking. In addition, SLM, one-way frame delay measurement, and two-way frame delay
measurement can collect performance statistics for point-to-multipoint links, such as the links
between CE1 and CE2 and between CE1 and CE3.
The type of an interface supported in VLAN networking is as follows:
l
Common interface
QinQ stacking sub-interface
Before configuring Y.1731 functions in VLAN networking, complete the following tasks:
l
Complete VLAN-related configurations on the peer MEPs.
Data Preparation
To configure Y.1731 functions in VLAN networking, you need the following data.
Binding an MA to a VLAN
Binding an MA to a VLAN is a prerequisite for configuring single-ended frame loss
measurement, dual-ended frame loss measurement, one-way frame delay measurement, or twoway frame delay measurement in VLAN networking.
Context
Perform the following steps on the devices configured with MEPs at two ends of a link:
Procedure
Step 1 Run:
system-view

Step 2 Run:
cfm md md-name
Issue 02 (2013-12-31)

1073

Equipment
3 Reliability

Step 3 Run:
ma ma-name

Step 4 Run:
map vlan vlan-id

----End
Configuring Single-ended Frame Loss Measurement in VLAN Networking

In VLAN networking, CFM is enabled. CCMs are not used to monitor link connectivity,
preventing them from using a lot of network bandwidth resources. If frame loss measurement
needs to be performed for a link, single-ended frame loss measurement can be configured to
monitor the quality of the link.
Context
Single-ended frame loss measurement in VLAN networking can be either on-demand or
proactive. On-demand single-ended frame loss measurement is manually initiated for diagnosis
of frame loss in a limited time. It can be singular or periodic measurement. Proactive singleended frame loss measurement is performed continuously to permit proactive reporting of frame
loss or performance results.
To implement singular or periodic single-ended frame loss measurement, configure on-demand
single-end frame loss measurement in VLAN networking.
To implement continual single-ended frame loss measurement, configure proactive single-ended
frame loss measurement in VLAN networking.
Procedure
l
Configure on-demand single-ended frame loss measurement.

1.
Perform the following steps on the devices configured with MEPs at both ends of a
link:
a.
Run:
system-view

b.
Run:
cfm md md-name

c.
Run:
ma ma-name

d.
Run:
map vlan vlan-id
Issue 02 (2013-12-31)

1074

Equipment
3 Reliability

e.
Run:
mep mep-id

f.
Run:

g.
Run:
mep ccm-send enable

h.
Run:

2.

3.
On the device that initiates single-ended frame loss measurement, run:

loss-measure single-ended send mep mep-id [
interval interval count count-value
remote-mep mep-id ]
Single-ended frame loss measurement on a VLAN is enabled.

l

1.
Perform the following steps on the devices at both ends of a link where proactive
a.
Run:
system-view

b.
(Optional) Run:

c.
(Optional) Run:

statistics.
d.
(Optional) Run:
y1731_record-upload

server.
mutually exclusive.
e.
Run:
cfm md md-name
Issue 02 (2013-12-31)

1075

Equipment
3 Reliability

f.
Run:
ma ma-name

g.
Run:
mapvlanvlan-id

h.
Run:
mep mep-id

i.
Run:

j.
Run:
mep ccm-send enable

k.
Run:

l.
(Optional) Run:
loss-measure single-ended local-ratio-threshold mep mep-id upperlimit upper-limit lower-limit lower-limit
Lower and upper thresholds are set for the near-end frame loss rate in proactive
single-ended frame loss measurement.
m. (Optional) Run:
loss-measure single-ended remote-ratio-threshold mep mep-id upperlimit upper-limit lower-limit lower-limit
Lower and upper thresholds are set for the far-end frame loss rate in proactive
single-ended frame loss measurement.
2.
On the receiving device on a link where proactive single-ended frame loss

loss-measure single-ended receive mep mep-id [ 8021p { 8021p-value } &<1
3> ]

If the 8021p 8021p-value parameter is specified, the device that is to receive LMMs
computes the frame loss ratio based on the specified 802.1p priority. If this parameter
is not specified, the device that is to receive LMMs computes the frame loss ratio for
all packets.
3.
On the transmitting device on a link where proactive single-ended frame loss

loss-measure single-ended continual send mep mep-id [
interval interval [ 8021p { 8021p-value } &<13> ]
remote-mep mep-id ]
Proactive single-ended frame loss measurement is enabled.

If the 8021p 8021p-value parameter is specified, LMMs with a specified 802.1p
priority are used for single-ended frame loss measurement. If the parameter is not
Issue 02 (2013-12-31)

1076

Equipment
3 Reliability
specified, LMMs with all 802.1p priorities are used for single-ended frame loss
measurement.
----End

After completing the configuration, run the display y1731 statistic-type single-loss md mdname ma ma-name [ count count-value ] command on the MEP that initiates single-ended frame
loss measurement and verify the configuration.
NOTE
Currently, you can check the configuration of single-ended frame loss measurement in VLAN networking
Run the display y1731 statistic-type command to view statistics about single-ended frame loss.
<HUAWEI> display y1731 statistic-type single-loss md md1 ma ma1
-------------------------------------------------------------------------------Index
Local-loss
Local-loss ratio
Remote-loss
Remote-loss ratio
-------------------------------------------------------------------------------1
20
50.0000%
30
75.0000%
2
20
50.0000%
30
75.0000%
3
20
50.0000%
30
75.0000%
4
20
50.0000%
30
75.0000%
5
20
50.0000%
30
75.0000%
6
20
50.0000%
30
75.0000%
7
20
50.0000%
30
75.0000%
8
20
50.0000%
30
75.0000%
9
20
50.0000%
30
75.0000%
10
20
50.0000%
30
75.0000%
11
20
50.0000%
30
75.0000%
12
20
50.0000%
30
75.0000%
13
20
50.0000%
30
75.0000%
14
20
50.0000%
30
75.0000%
20
20
20
30
30
30
Configuring Dual-ended Frame Loss Measurement in VLAN Networking

In VLAN networking, CFM is enabled to monitor link connectivity. if accurate frame loss
Context
Dual-ended frame loss measurement in VLAN networking is carried out continuously to permit
proactive reporting of frame loss or performance results.
Dual-ended frame loss measurement in VLAN networking is usually deployed on end-to-end
MEPs. Frame loss statistics are collected based on the transmit and receive counters carried by
CCMs. Dual-ended frame loss measurement can be successfully performed only when the
remote MEP is in the Up state.
Issue 02 (2013-12-31)

1077

Equipment
3 Reliability
Procedure
l
Perform the following steps on the devices initiates dual-ended frame loss measurement:
1.
Run:
system-view

2.
(Optional) Run:

3.
(Optional) Run:

to the NMS.
4.
(Optional) Run:
y1731_record-upload
A device is enabled to send Y.1731 proactive performance statistics files to a server.

The y1731 pm-mode enable and y1731_record-upload commands are mutually
exclusive.
5.
Run:
cfm md md-name

6.
Run:
ma ma-name

7.
Run:
map vlan vlan-id

8.
Run:
mep mep-id

9.
Run:

10. Run:
mep ccm-send enable

11. Run:

12. (Optional) Run:
Issue 02 (2013-12-31)

1078

Equipment
3 Reliability
13. (Optional) Run:
loss measurement.
14. Run:
Dual-ended frame loss measurement is configured for a VLAN.

----End

NOTE
Currently, you can check the configuration of dual-ended frame loss measurement in VLAN networking
-------------------------------------------------------------------------------Index
Local-loss
Local-loss ratio
Remote-loss
Remote-loss ratio
-------------------------------------------------------------------------------1
0
0.0000%
0
0.0000%
2
0
0.0000%
0
0.0000%
3
5
50.0000%
10
50.0000%
4
0
0.0000%
0
0.0000%
5
5
50.0000%
10
50.0000%
6
10
50.0000%
5
50.0000%
7
5
50.0000%
10
50.0000%
8
10
50.0000%
5
50.0000%
9
10
50.0000%
5
50.0000%
10
5
50.0000%
10
50.0000%
11
5
50.0000%
10
50.0000%
12
10
50.0000%
5
50.0000%
13
5
50.0000%
10
50.0000%
14
10
50.0000%
5
50.0000%
15
5
50.0000%
10
50.0000%
16
10
50.0000%
5
50.0000%
5
10
0
0.0000%
6
10
0
0.0000%
Configuring One-way Frame Delay Measurement in VLAN Networking

In VLAN networking, the clock frequency between the two ends are synchronized and CFM is
Issue 02 (2013-12-31)

1079

Equipment
3 Reliability
of the link.
Context
One-way frame delay measurement in a VLAN can be implemented in either of the following
modes:
l
On-demand mode: manually collects delay statistics once or a specified number of times
during diagnosis.
Proactive mode: periodically collects delay statistics.
Configure on-demand one-way frame delay measurement.
Procedure
1.
Perform the following steps on the MEP and RMEP:

a.
Run:
system-view

b.
Run:
cfm md md-name

c.
Run:
ma ma-name

d.
Run:
map vlan vlan-id

e.
Run:
mep mep-id

f.
Run:

g.
Run:
mep ccm-send enable

h.
Run:

i.
(Optional) Run:
delay-measure one-way threshold threshold-value
An alarm threshold is set for on-demand one-way frame delay measurement.

2.
Issue 02 (2013-12-31)
On the receiver RMEP, run:

1080

Equipment
3 Reliability

Scenario
Procedure
Point-topoint
scenario

Run:
The RMEP is enabled to receive 1DM messages.

1. Run:
test-id test-id

2. Run:

Point-tomultipoint
scenario
1. Run:
test-id test-id

2. Run:
3.
On the initiator MEP, run:

Scenario
Procedure
Point-topoint
scenario

Run:
delay-measure one-way send mep mep-id {
remote-mep mep-id }
On-demand one-way frame delay measurement is configured in a

VLAN.
1. Run:
test-id test-id

2. Run:

VLAN.
Issue 02 (2013-12-31)

1081

Equipment
Scenario
Procedure
Point-tomultipoint
scenario
1. Run:
3 Reliability
test-id test-id

2. Run:

VLAN.
VLAN-specific on-demand one-way frame delay measurement is implemented based

on an RMEP ID or destination MAC address.
If an MEP has not learned the MAC address of the RMEP, specify the RMEP ID
before implementing one-way frame delay measurement.
If an MEP has learned the MAC address of the RMEP, specify the RMEP MAC
address or ID before implementing one-way frame delay measurement.
----End

Run the display y1731 statistic-type oneway-delay md md-name ma ma-name [ count countvalue ] command on the device that initiates one-way frame delay measurement to check
statistics about the delay in unidirectional frame transmission.
NOTE
Currently, you can check the configuration of one-way frame delay measurement on in VLAN networking
unidirectional frame transmission.
-------------------------------------------------------------------------------Index
Delay(usec)
-------------------------------------------------------------------------------1
10000
2
10000
0
3
10000
0
4
10000
0
5
10000
0
6
10000
0
7
10000
0
8
10000
0
9
10000
0
10
10000
0
11
10000
0
12
40000
30000
13
10000
30000
14
10000
0
15
10000
0
16
10000
0
17
10000
0
11764
3750
Issue 02 (2013-12-31)

1082

Equipment
3 Reliability
40000
10000

30000
0
Configuring Two-way Frame Delay Measurement in VLAN Networking

In VLAN networking, the clock frequency between the two ends are not synchronized and CFM
is enabled to monitor link connectivity. if the bidirectional delay measurement needs to be
performed for a link, two-way frame delay measurement can be configured to monitor the quality
of the link.
Context
Two-way frame delay measurement in a VLAN can be implemented in either of the following
modes:
l
On-demand mode: manually collects delay statistics once or a specified number of times
during diagnosis.
Proactive mode: periodically collects delay statistics.
Configure on-demand two-way frame delay measurement.
Procedure
1.

a.
Run:
system-view

b.
Run:
cfm md md-name

c.
Run:
ma ma-name

d.
Run:
map vlan vlan-id

e.
Run:
mep mep-id

f.
Run:

g.
Run:
mep ccm-send enable

h.
Run:
Issue 02 (2013-12-31)

1083

Equipment
3 Reliability

i.
(Optional) Run:
delay-measure two-way threshold threshold-value
An alarm threshold is set for two-way frame delay measurement.

2.
On the receiver RMEP, run:

Scenario
Procedure
Point-topoint
scenario

Run:
The receiver is enabled to receive DMMs.

1. Run:
test-id test-id

2. Run:

Point-tomultipoint
scenario
1. Run:
test-id test-id

2. Run:
3.
On the initiator MEP, run:

Scenario
Procedure
Point-topoint
scenario

Run:
delay-measure two-way send mep mep-id {
remote-mep mep-id }
Two-way frame delay measurement is configured in a VLAN.

1. Run:
test-id test-id

2. Run:

Issue 02 (2013-12-31)

1084

Equipment
Scenario
Procedure
Point-tomultipoint
scenario
1. Run:
3 Reliability
test-id test-id

2. Run:
VLAN-specific on-demand two-way frame delay measurement is implemented based

on an RMEP ID or destination MAC address.
If an MEP has not learned the MAC address of the RMEP, specify the RMEP ID
before implementing two-way frame delay measurement.
If an MEP has learned the MAC address of the RMEP, specify the RMEP MAC
address or ID before implementing two-way frame delay measurement.
----End

Run the display y1731 statistic-type twoway-delay md md-name ma ma-name [ count countvalue ] command on the device that initiates two-way frame delay measurement to check
statistics about the delay in bidirectional frame transmission.
NOTE
Currently, you can check the configuration of two-way frame delay measurement on in VLAN networking
frame transmission.
<HUAWEI> display y1731 statistic-type twoway-delay md md1 ma ma1
-------------------------------------------------------------------------------Index
Delay(usec)
-------------------------------------------------------------------------------1
0
2
0
0
3
0
0
4
0
0
5
0
0
6
0
0
7
0
0
8
0
0
9
0
0
10
0
0
0
0
0
0
0
0
Configuring Single-ended SLM in VLAN Networking

virtual local area network (VLAN) networking. To collect performance statistics for frame loss
Issue 02 (2013-12-31)

1085

Equipment
3 Reliability
on point-to-multipoint or multipoint-to-multipoint links, deploy single-ended SLM, which helps

monitor link quality.
Context
In VLAN networking, single-ended SLM includes on-demand and proactive SLM functions.
On-demand SLM collects single-ended frame loss statistics at one or more specific times for
diagnosis. It is used on the pseudo wire (PW) or attachment circuit (AC) side. Proactive SLM
collects single-ended frame loss statistics periodically. It is used on the PW side only.
Procedure
l

1.
Perform the following steps on the devices at both ends of a link on a VLAN where
single-ended on-demand SLM will be implemented:
a.
Run:
system-view

b.
Run:
cfm md md-name

c.
Run:
ma ma-name

d.
Run:
map vlan vlan-id
The maintenance association (MA) is bound to a VLAN.

e.
Run:
mep mep-id
A maintenance association end point (MEP) is configured.

f.
Run:

g.
Run:
mep ccm-send enable
The MEP is enabled to send continuity check messages (CCMs).

h.
Run:

i.
Run:
description ]

2.
Perform the following configuration on the RMEP that receives SLM frames:
Run:
Issue 02 (2013-12-31)

1086

Equipment
3 Reliability

timeout-value ]

3.
on-demand SLM:
Run:

l

1.
Perform the following steps on the devices at both ends of a link on a VLAN where
single-ended proactive SLM will be implemented:
a.
Run:
system-view

b.
(Optional) Run:

c.
(Optional) Run:
y1731 record-upload

server.
exclusive.
d.
Run:
cfm md md-name

e.
Run:
ma ma-name

f.
Run:
map vlan vlan-id

g.
Run:
mep mep-id
h.
Run:
i.
Run:
mep ccm-send enable
Issue 02 (2013-12-31)

1087

Equipment
3 Reliability

j.
Run:

k.
(Optional) Run:
loss-measure single-ended local-ratio-threshold mep-id mep-id upperlimit upper-limit lower-limit lower-limit
The frame loss measurement range is configured for near-end single-ended

proactive SLM.
l.
(Optional) Run:
loss-measure single-ended remote-ratio-threshold mep-id mep-id upperlimit upper-limit lower-limit lower-limit
The frame loss measurement range is configured for far-end single-ended

proactive SLM.
m. Run:
description ]

2.
Perform the following configuration on the RMEP that receives SLM frames:
Run:
timeout-value ]

3.
Perform the following configuration on the MEP that send SLM frames to initiate
proactive SLM:
Run:

----End

frames.
-------------------------------------------------------------------------------Index
-------------------------------------------------------------------------------667
1000
1000
1000
0
0
0
0.0000%
0.0000%
668
1000
1000
1000
0
0
0
0.0000%
0.0000%
669
1000
1000
1000
0
0
0
0.0000%
0.0000%
670
1000
1000
1000
0
0
0
0.0000%
0.0000%
671
1000
1000
1000
0
0
0
0.0000%
0.0000%
672
1000
1000
1000
0
0
0
0.0000%
0.0000%
673
1000
1000
1000
0
0
0
0.0000%
0.0000%
674
1000
1000
1000
0
0
0
0.0000%
0.0000%
Issue 02 (2013-12-31)

1088

Equipment
3 Reliability
675
1000
1000
1000
0
0
0
0.0000%
0.0000%
676
1000
1000
1000
0
0
0
0.0000%
0.0000%
677
1000
1000
1000
0
0
0
0.0000%
0.0000%
678
1000
1000
1000
0
0
0
0.0000%
0.0000%
679
1000
1000
1000
0
0
0
0.0000%
0.0000%
680
1000
1000
1000
0
0
0
0.0000%
0.0000%
681
1000
1000
1000
0
0
0
0.0000%
0.0000%
682
1000
1000
1000
0
0
0
0.0000%
0.0000%
683
1000
1000
1000
0
0
0
0.0000%
0.0000%
684
1000
1000
1000
0
0
0
0.0000%
0.0000%
685
1000
1000
1000
0
0
0
0.0000%
0.0000%
686
1000
1000
1000
0
0
0
0.0000%
0.0000%
687
1000
1000
1000
0
0
0
0.0000%
0.0000%
688
1000
1000
1000
0
0
0
0.0000%
0.0000%
689
1000
1000
1000
0
0
0
0.0000%
0.0000%
690
1000
1000
1000
0
0
0
0.0000%
0.0000%
691
1000
1000
1000
0
0
0
0.0000%
0.0000%
692
1000
1000
1000
0
0
0
0.0000%
0.0000%
693
1000
1000
1000
0
0
0
0.0000%
0.0000%
694
1000
1000
1000
0
0
0
0.0000%
0.0000%
695
1000
1000
1000
0
0
0
0.0000%
0.0000%
696
1000
1000
1000
0
0
0
0.0000%
0.0000%
697
1000
1000
1000
0
0
0
0.0000%
0.0000%
698
1000
1000
1000
0
0
0
0.0000%
0.0000%
699
1000
1000
1000
0
0
0
0.0000%
0.0000%
700
1000
1000
1000
0
0
0
0.0000%
0.0000%
701
1000
1000
1000
0
0
0
0.0000%
0.0000%
702
1000
1000
1000
0
0
0
0.0000%
0.0000%
703
1000
1000
1000
0
0
0
0.0000%
0.0000%
704
1000
1000
1000
0
0
0
0.0000%
0.0000%
705
1000
1000
1000
0
0
0
0.0000%
0.0000%
706
1000
1000
1000
0
0
0
0.0000%
0.0000%
707
1000
1000
1000
0
0
0
0.0000%
0.0000%
708
1000
1000
1000
0
0
0
0.0000%
0.0000%
709
1000
1000
1000
0
0
0
0.0000%
0.0000%
710
1000
1000
1000
0
0
0
0.0000%
0.0000%
711
1000
1000
1000
0
0
0
0.0000%
0.0000%
712
1000
1000
1000
0
0
0
0.0000%
0.0000%
713
1000
1000
1000
0
0
0
0.0000%
0.0000%
714
1000
1000
1000
0
0
0
0.0000%
0.0000%
715
1000
1000
1000
0
0
0
0.0000%
0.0000%
716
1000
1000
1000
0
0
0
0.0000%
0.0000%
717
1000
1000
1000
0
0
0
0.0000%
0.0000%
718
1000
1000
1000
0
0
0
0.0000%
0.0000%
719
1000
1000
1000
0
0
0
0.0000%
0.0000%
720
1000
1000
1000
0
0
0
0.0000%
0.0000%
721
1000
1000
1000
0
0
0
0.0000%
0.0000%
722
1000
1000
1000
0
0
0
0.0000%
0.0000%
723
1000
1000
1000
0
0
0
0.0000%
0.0000%
724
1000
1000
1000
0
0
0
0.0000%
0.0000%
725
1000
1000
1000
0
0
0
0.0000%
0.0000%
726
1000
1000
1000
0
0
0
0.0000%
0.0000%
0
0.0000%
0
0.0000%
0
0.0000%
0
0.0000%
0
0.0000%
0
0.0000%
Configuring AIS
Issue 02 (2013-12-31)

1089

Equipment
3 Reliability
Context
NOTE
Figure 3-74 Networking diagram of configuring AIS in VLAN networking
CE1
AIS packets PE1

VLAN/QinQ
PE2 AIS packets CE2

VLAN
VLAN/QinQ
MD2 Level 3
MD1 Level 6
Procedure
1.
Run:
system-view

2.
Run:
cfm md md-name

3.
Run:
ma ma-name

4.
Run:
map vlan vlan-id

5.
Run:
ais enable

Issue 02 (2013-12-31)

1090

Equipment
3 Reliability

6.
(Optional) Run:
ais link-status

7.
(Optional) Run:

NOTE
8.
Run:

9.
Run:
vid { low-vid [ to high-vid ] } &<1-10>} mep mep-id

1.
Run:
system-view

2.
Run:
cfm md md-name

3.
Run:
ma ma-name

4.
Run:
map vlan vlan-id

5.
Run:
ais enable

6.
Run:
ais suppress-alarm

Issue 02 (2013-12-31)

1091

Equipment
3 Reliability

7.
Run:
mep alarm disable
----End

l

The command output shows when the device receives the right AIS packets then the
Sending Ais Packet field is displayed as Yes.
<PE>display cfm ma md md1 ma ma1
MD Name
: md1
MD Name Format
: string
Level
: 3
MIP Create-type
: none
MA Name
: ma1
MA Name Format
: string
Interval
: 1000
Priority
: 4
Vlan ID
: -VSI Name
: -L2VC ID
: 100 tagged
MEP Number
: 1
RMEP Number
: 2
Interface TLV
: disabled
RDI Track-action
: --

<CE>display cfm ma md md1 ma ma1The total number of MAs is 1
MD Name
: md2
MD Name Format
: string
Level
: 6
MIP Create-type
: none
MA Name
: ma2
MA Name Format
: string
Interval
: 10000
Piority
: 4
Vlan ID
: 7
VSI Name
: -L2VC ID
: 100 tagged
MEP Number
: 21
RMEP Number
: 22
Sending Ais Packet : No
Interface TLV
: disabled
RDI Track-action
: --
Issue 02 (2013-12-31)

1092

Equipment
3 Reliability

This section provides several examples showing how to configure Y.1731 functions in different
scenarios. In each configuration example, the networking requirements, configuration roadmap,
and data preparation are provided.
Example for Configuring Single-ended Frame Loss Measurement in VLL

Networking
This section provides an example showing how to configure single-ended frame loss
measurement in VLL networking.
With the increasing popularization and wide application of the Internet, various value-added
services such as IPTV, video conferencing, and VoIP services are widely deployed. Link
connectivity and network performance determine the Quality of Services (QoS) on bearer
networks. Therefore, performance monitoring is especially important for service transmission
channels.
As shown in Figure 3-75, CFM is configured between each CE and PE and between PEs. CCMs
are not used to monitor link connectivity, preventing them from using a lot of network banwdith
resources. To provide high-quality video services, providers hope to monitor the unidirectional
delay over mobile bearer links in real time, while monitoring link connectivity. Monitoring the
unidirectional delay over mobile bearer links allows the providers to respond quickly to video
service quality deterioration.
Figure 3-75 Networking diagram for configuring Y.1731 function on a VLL+VLAN networking
PE1
GE1/0/2
PE2
VLL
GE1/0/1
GE1/0/1
GE0/2/1
GE0/2/1
CE2
CE1
User
Network
Issue 02 (2013-12-31)
GE1/0/2

User
Network
1093

Equipment
3 Reliability
1.
Configure on-demand single-ended frame loss measurement for the AC between the PEs
to periodically collect frame loss statistics.
2.
Configure proactive single-ended frame loss measurement for the AC between the PEs to
periodically collect frame loss statistics.
Data Preparation
l
Configure the ID of an L2VC of a VLL between PE1 and PE2.
Configure the names of the MD and MA between PE1 and PE2 and between CE1 and PE1.
Configure a VLAN ID on CE interfaces for collecting AC-side packet statistics.
Configure the interval at which LM messages are sent and the number of times when ondemand LM messages are sent.
Procedure
Step 1 Configure on-demand single-ended frame loss measurement for the AC between the PEs.
1.
Configure a VLL connection.

Configure a VLL connection between PE1 and PE2. The configuration details are not
provided here. For details, see the chapter "VLL Configuration" in the Configuration Guide
- VPN or configuration files in this configuration example.
After completing the configuration, run the display mpls l2vc command on each PE to
view information about the VC and AC.
<PE1> display mpls l2vc
total LDP VC : 1
1 up
0 down
*client interface
Administrator PW
: no
session state
: up
AC status
: up
VC state
: up
Label state
: 0
Token state
: 0
VC ID
: 2
VC type
: VLAN
destination
: 2.2.2.2
local VC label
: 1027
remote VC label
control word
: disable
forwarding entry
: exist
local group ID
: 0
manual fault
: not set
active state
: active
link state
: up
local VC MTU
: 1500
remote VC MTU
tunnel policy name
: -traffic behavior name: -PW template name
: -primary or secondary : primary
create time
: 0 days, 0 hours, 1 minutes, 12
up time
last change time
VC last up time
: 2010/10/13 15:02:23
VC total up time
Issue 02 (2013-12-31)

: 1025
: 1500
seconds
seconds
seconds
seconds
1094

Equipment
CKey
NKey
AdminPw interface
AdminPw link state
2.
3 Reliability
:
:
:
:
4
3
---
Configure basic Ethernet CFM functions and specify the MEP type as inward.
Configure basic Ethernet CFM functions on each PE. Create an MD named md1 and an
MA named ma1, and bind the MA to the VLL.
# Configure PE1.
[PE1] cfm enable
[PE1] cfm md md1
[PE1-md-md1] ma ma1
[PE1-md-md1-ma-ma1] map mpls l2vc 2 tagged
[PE1-md-md1-ma-ma1] mep mep-id 1 interface gigabitethernet1/0/1.1 inward
[PE1-md-md1-ma-ma1] mep ccm-send mep-id 1 enable
[PE1-md-md1-ma-ma1] remote-mep ccm-receive mep-id 2 enable
# Configure PE2.
[PE2] cfm enable
[PE2] cfm md md1
[PE2-md-md1] ma ma1
3.
Configure the LMM reception function on PE2.

# Configure PE2.
[PE2-md-md1-ma-ma1] loss-measure single-ended receive mep 2
[PE2-md-md1] quit
4.
Enable on-demand single-ended frame loss measurement for the AC.

# Configure PE1.
[PE1-md-md1-ma-ma1] loss-measure single-ended send mep 1 remote-mep 2 interval
1000 count 20
[PE1-md-md1] quit
5.

Run the display y1731 statistic-type command on PE1 to view single-ended frame loss
statistics.
<PE1> display y1731 statistic-type single-loss md md1 ma ma1
------------------------------------------------------------------------------Index
Local-loss
Local-loss ratio
Remote-loss
Remote-loss ratio
------------------------------------------------------------------------------1
20
50.0000%
30
75.0000%
2
20
50.0000%
30
75.0000%
3
20
50.0000%
30
75.0000%
4
20
50.0000%
30
75.0000%
5
20
50.0000%
30
75.0000%
6
20
50.0000%
30
75.0000%
7
20
50.0000%
30
75.0000%
8
20
50.0000%
30
75.0000%
Issue 02 (2013-12-31)

1095

Equipment
3 Reliability
9
20
50.0000%
30
75.0000%
10
20
50.0000%
30
75.0000%
11
20
50.0000%
30
75.0000%
12
20
50.0000%
30
75.0000%
13
20
50.0000%
30
75.0000%
14
20
50.0000%
30
75.0000%
------------------------------------------------------------------------------Average Local-loss :
20
20
20
30
30
30
Step 2 Configure proactive single-ended frame loss measurement for an AC.

NOTE
Proactive single-ended frame loss measurement can be configured to continuously monitor the performance
of an AC.
1.
Cancel the configuration of the LMM reception function on PE2.

[PE2] cfm md md1
[PE2-md-md1] ma ma1
[PE2-md-md1-ma-ma1] undo loss-measure single-ended receive mep 2
[PE2-md-md1] quit
2.
Configure the LMM reception function on PE2.

# Configure PE2.
[PE2] cfm md md1
[PE2-md-md1] ma ma1
[PE2-md-md-ma-ma1] loss-measure single-ended receive mep 2
[PE2-md-md1] quit
3.
Enable proactive single-ended frame loss measurement.

# Configure PE1.
[PE1] cfm md md1
[PE1-md-md1] ma ma1
[PE1-md-md1-ma-ma1] loss-measure single-ended continual send mep 1 remote-mep
2 interval 30000
[PE1-md-md1] quit
4.

Run the display y1731 statistic-type command on PE1 to view single-ended frame loss
statistics.
<PE1> display y1731 statistic-type single-loss md md1 ma ma1
Latest single-ended loss statistics
------------------------------------------------------------------------------Index
Local-loss
Local-loss ratio
Remote-loss
Remote-loss ratio
------------------------------------------------------------------------------1
20
50.0000%
30
75.0000%
2
20
50.0000%
30
75.0000%
3
20
50.0000%
30
75.0000%
4
20
50.0000%
30
75.0000%
5
20
50.0000%
30
75.0000%
6
20
50.0000%
30
75.0000%
20
Issue 02 (2013-12-31)

1096

Equipment
Maximum
Minimum
Average
Maximum
Minimum
Local-loss
Local-loss
Remote-loss
Remote-loss
Remote-loss
:
:
:
:
:
3 Reliability
20
20
30
30
30
Maximum
Minimum
Average
Maximum
Minimum
Local-loss Ratio
Local-loss Ratio
Remote-loss Ratio
Remote-loss Ratio
Remote-loss Ratio
:
:
:
:
:
50.0000%
50.0000%
75.0000%
75.0000%
75.0000%
----End
Configuration Files
l

#
sysname CE1
#
vlan batch 2
#
cfm enable
#
cfm md md1
ma ma2
map vlan 2
remote-mep mep-id 4
#
return

#
sysname PE1
#
cfm enable
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
mpls ldp
#
vlan-type dot1q 2
mpls l2vc 2.2.2.2 2
#
undo shutdown
ip address 100.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 100.1.1.0 0.0.0.255
#
cfm md md1
ma ma1
map mpls l2vc 2 tagged
Issue 02 (2013-12-31)

1097

Equipment
3 Reliability
mep mep-id 1 interface GigabitEthernet1/0/1.1 inward

remote-mep mep-id 2
loss-measure single-ended continual send mep 1 remote-mep 2 interval 30000
ma ma2
mep mep-id 4 interface GigabitEthernet1/0/1.1 outward
remote-mep mep-id 3
loss-measure single-ended receive mep 4
#
return

#
sysname PE2
#
cfm enable
#
mpls lsr-id 2.2.2.2
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 1
peer 1.1.1.1
#
mpls ldp
#
#
vlan-type dot1q 2
mpls l2vc 1.1.1.1 2
#
undo shutdown
ip address 100.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 100.1.1.0 0.0.0.255
#
cfm md md1
ma ma1
remote-mep mep-id 1
loss-measure single-ended receive mep 2 8021p 1 2
#
return
Issue 02 (2013-12-31)

1098

Equipment
3 Reliability
Example for Configuring Dual-ended Frame Loss Measurement in VLL

Networking
This section provides an example showing how to configure dual-ended frame loss measurement
in VLL networking.
channels.
As shown in Figure 3-76, CFM is configured between each CE and PE and between PEs. To
provide high-quality audio services, providers hope to monitor the frame loss over mobile bearer
links in real time, while monitoring link connectivity. Monitoring the frame loss over mobile
bearer links allows the providers to respond quickly to video service quality deterioration.
PE1
GE1/0/2
PE2
VLL
GE1/0/2
GE1/0/1
GE1/0/1
GE0/2/1
GE0/2/1
CE2
CE1
User
Network
User
Network
1.
Configure on-demand dual-ended frame loss measurement for the AC between each PE
and its attached CE to periodically collect frame loss statistics.
Data Preparation
Issue 02 (2013-12-31)

1099

Equipment
3 Reliability
Configure the interval at which LM messages are sent.
Procedure
Step 1 Configure dual-ended frame loss measurement for the AC between the PEs.
1.

total LDP VC : 1
1 up
0 down
*client interface
Administrator PW
: no
session state
: up
AC status
: up
VC state
: up
Label state
: 0
Token state
: 0
VC ID
: 2
VC type
: VLAN
destination
: 2.2.2.2
local VC label
: 1027
remote VC label
control word
: disable
forwarding entry
: exist
local group ID
: 0
manual fault
: not set
active state
: active
link state
: up
local VC MTU
: 1500
remote VC MTU
tunnel policy name
create time
up time
last change time
VC last up time
: 2010/10/13 15:02:23
VC total up time
CKey
: 4
NKey
: 3
AdminPw interface
: -AdminPw link state
: --
2.
: 1025
: 1500
seconds
seconds
seconds
seconds
# Configure PE1.
[PE1] cfm enable
[PE1] cfm md md1
[PE1-md-md1] ma ma1
Issue 02 (2013-12-31)

1100

Equipment
[PE1-md-md1-ma-ma1]
[PE1-md-md1-ma-ma1]
[PE1-md-md1-ma-ma1]
[PE1-md-md1-ma-ma1]
3 Reliability
mep mep-id 1 interface gigabitethernet1/0/1.1 inward

remote-mep mep-id 2
# Configure PE2.
[PE2] cfm enable
[PE2] cfm md md1
[PE2-md-md1] ma ma1
3.
Enable dual-ended frame loss measurement on the VLL network.

# Configure PE1.
[PE1-md-md1-ma-ma1] loss-measure dual-ended continual mep 1 remote-mep 2
[PE1-md-md1] quit
# Configure PE2.
[PE2-md-md1-ma-ma1] loss-measure dual-ended continual mep 2 remote-mep 1
[PE2-md-md1] quit
4.

Run the display y1731 statistic-type command on PE1 to view dual-ended frame loss
statistics.
<PE1> display y1731 statistic-type dual-loss md md1 ma ma1
------------------------------------------------------------------------------Index
Local-loss
Local-loss ratio
Remote-loss
Remote-loss ratio
------------------------------------------------------------------------------1
0
0.0000%
0
0.0000%
2
0
0.0000%
0
0.0000%
3
5
50.0000%
10
50.0000%
4
0
0.0000%
0
0.0000%
5
5
50.0000%
10
50.0000%
6
10
50.0000%
5
50.0000%
7
5
50.0000%
10
50.0000%
8
10
50.0000%
5
50.0000%
9
10
50.0000%
5
50.0000%
10
5
50.0000%
10
50.0000%
11
5
50.0000%
10
50.0000%
12
10
50.0000%
5
50.0000%
13
5
50.0000%
10
50.0000%
14
10
50.0000%
5
50.0000%
15
5
50.0000%
10
50.0000%
16
10
50.0000%
5
50.0000%
5
10
0
0.0000%
6
10
0
0.0000%
----End
Issue 02 (2013-12-31)

1101

Equipment
3 Reliability
Configuration Files
l

#
sysname CE1
#
vlan batch 2
#
cfm enable
#
portswitch
undo shutdown
port default vlan 2
#
shutdown
#
cfm md md1
ma ma2
map vlan 2
remote-mep mep-id 4
loss-measure dual-ended continual mep 3 remote-mep 4
#
return

#
sysname PE1
#
cfm enable
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
mpls ldp
#
vlan-type dot1q 2
mpls l2vc 2.2.2.2 2
#
undo shutdown
ip address 100.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 100.1.1.0 0.0.0.255
#
cfm md md1
ma ma1
remote-mep mep-id 2
Issue 02 (2013-12-31)

1102

Equipment
3 Reliability

ma ma2
remote-mep mep-id 3
#
return

#
sysname PE2
#
cfm
enable
#
mpls lsr-id
2.2.2.2
mpls
#
mpls
l2vpn
#
mpls
ldp
#
interface
vlan-type dot1q 2
mpls l2vc 1.1.1.1 2
#
interface
undo
shutdown
255.255.255.0
mpls
mpls
ldp
#
interface
LoopBack0
ip address 2.2.2.2
255.255.255.0
#
ospf
1
area
0.0.0.0
network 2.2.2.2
0.0.0.0
network 100.1.1.0
0.0.0.255
#
cfm md md1
ma ma1
Issue 02 (2013-12-31)

1103

Equipment
3 Reliability
remote-mep mep-id 1
#
return
Example for Configuring One-way Frame Delay Measurement in VLL Networking

This section provides an example showing how to configure one-way frame delay measurement
in VLL networking.
channels.
provide high-quality video services, providers hope to monitor the unidirectional delay over
mobile bearer links in real time, while monitoring link connectivity. Monitoring the
unidirectional delay over mobile bearer links allows the providers to respond quickly to video
service quality deterioration.
NOTE
PE1
GE1/0/2
PE2
VLL
GE1/0/1
GE1/0/1
GE0/2/1
GE0/2/1
CE2
CE1
User
Network
Issue 02 (2013-12-31)
GE1/0/2

User
Network
1104

Equipment
3 Reliability
1.
Configure on-demand one-way frame delay measurement for the AC between the PEs to
periodically collect statistics about the delay in frame transmission.
2.
Configure proactive one-way frame delay measurement for the AC between the PEs to
Data Preparation
l
Configure the interval at which 1DM messages are sent and the number of times when ondemand 1DM messages are sent.
Procedure
Step 1 Configure on-demand one-way frame delay measurement for an AC between PEs.
1.

total LDP VC : 1
1 up
0 down
*client interface
Administrator PW
: no
session state
: up
AC status
: up
VC state
: up
Label state
: 0
Token state
: 0
VC ID
: 2
VC type
: VLAN
destination
: 2.2.2.2
local VC label
: 1027
remote VC label
control word
: disable
forwarding entry
: exist
local group ID
: 0
manual fault
: not set
active state
: active
link state
: up
local VC MTU
: 1500
remote VC MTU
tunnel policy name
create time
up time
last change time
VC last up time
: 2010/10/13 15:02:23
VC total up time
Issue 02 (2013-12-31)

: 1025
: 1500
seconds
seconds
seconds
seconds
1105

Equipment
CKey
NKey
AdminPw interface
AdminPw link state
2.
3 Reliability
:
:
:
:
4
3
---
# Configure PE1.
[PE1] cfm enable
[PE1] cfm md md1
[PE1-md-md1] ma ma1
# Configure PE2.
[PE2] cfm enable
[PE2] cfm md md1
[PE2-md-md1] ma ma1
3.
Configure the 1DM reception function on PE2.

# Configure PE2.
[PE2-md-md1-ma-ma1] delay-measure one-way receive mep 2
4.
Enable on-demand one-way frame delay measurement on the AC on a VLL network.

# Configure PE1.
[PE1-md-md1-ma-ma1] delay-measure one-way send mep 1 remote-mep 2 interval
1000 count 20
[PE1-md-md1] quit
5.

Run the display y1731 statistic-type command on PE2 to view the statistics about the
delay in unidirectional frame transmission.
<PE2> display y1731 statistic-type oneway-delay md md1 ma ma1
------------------------------------------------------------------------------Index
Delay(usec)
------------------------------------------------------------------------------1
10000
2
10000
0
3
10000
0
4
10000
0
5
10000
0
6
10000
0
7
10000
0
8
10000
0
9
10000
0
10
10000
0
Issue 02 (2013-12-31)

1106

Equipment
3 Reliability
11
10000
0
12
40000
30000
13
10000
30000
14
10000
0
15
10000
0
16
10000
0
17
10000
0
------------------------------------------------------------------------------Average delay(usec) :
11764
3750
40000
30000
10000
0
Step 2 Configure proactive one-way frame delay measurement for an AC.

NOTE
Proactive one-way frame delay measurement can be configured to continuously monitor the performance
of an AC.
1.
Configure the 1DM reception function on PE2.

# Configure PE2.
[PE2] cfm md md1
[PE2-md-md1] ma ma1
[PE2-md-md1-ma-ma1] delay-measure one-way continual receive mep 2
2.
Enable proactive one-way frame delay measurement.

# Configure PE1.
[PE1] cfm md md1
[PE1-md-md1] ma ma1
[PE1-md-md1-ma-ma1] delay-measure one-way continual send mep 1 remote-mep 2
interval 1000
[PE1-md-md1] quit
3.

delay in unidirectional frame transmission.
<PE2> display y1731 statistic-type oneway-delay md md1 ma ma1
Latest one-way delay statistics
------------------------------------------------------------------------------Index
Delay(usec)
------------------------------------------------------------------------------1
10000
2
10000
0
3
10000
0
4
10000
0
5
10000
0
6
10000
0
7
10000
0
8
10000
0
9
10000
0
10
10000
0
11
10000
0
10000
0
10000
0
10000
0
----End
Issue 02 (2013-12-31)

1107

Equipment
3 Reliability
Configuration Files
l

#
sysname CE1
#
vlan batch 2
#
cfm enable
#
cfm md md1
ma ma2
map vlan 2
remote-mep mep-id 4
#
return

#
sysname PE1
#
cfm enable
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
mpls ldp
#
vlan-type dot1q 2
mpls l2vc 2.2.2.2 2
#
undo shutdown
ip address 100.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 100.1.1.0 0.0.0.255
#
cfm md md1
ma ma1
remote-mep mep-id 2
delay-measure one-way continual send mep 1 remote-mep 2 interval 1000
ma ma2
remote-mep mep-id 3
Issue 02 (2013-12-31)

1108

Equipment
3 Reliability
delay-measure one-way receive mep 4

#
return

#
sysname PE2
#
cfm enable
#
mpls lsr-id 2.2.2.2
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 1
peer 1.1.1.1
#
mpls ldp
#
vlan-type dot1q 2
mpls l2vc 1.1.1.1 2
#
undo shutdown
ip address 100.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 100.1.1.0 0.0.0.255
#
cfm md md1
ma ma1
remote-mep mep-id 1
delay-measure one-way receive mep 2
#
return
Example for Configuring Two-way Frame Delay Measurement in VLL Networking

This section provides an example showing how to configure two-way frame delay measurement
in VLL networking.
channels.
Issue 02 (2013-12-31)

1109

Equipment
3 Reliability
provide high-quality video services, providers hope to monitor the bidirectional delay over
mobile bearer links in real time, while monitoring link connectivity. Monitoring the bidirectional
delay over mobile bearer links allows the providers to respond quickly to video service quality
deterioration.
PE1
GE1/0/2
PE2
VLL
GE1/0/2
GE1/0/1
GE1/0/1
GE0/2/1
GE0/2/1
CE2
CE1
User
Network
User
Network
1.
Configure on-demand two-way frame delay measurement for the AC between the PEs to
2.
Configure proactive two-way frame delay measurement for the AC between the PEs to
Data Preparation
l
Configure the interval at which DMM messages are sent and the number of times when
on-demand DMM messages are sent.
Issue 02 (2013-12-31)

1110

Equipment
3 Reliability
Procedure
Step 1 Configure on-demand two-way frame delay measurement for an AC between PEs.
1.

total LDP VC : 1
1 up
0 down
*client interface
Administrator PW
: no
session state
: up
AC status
: up
VC state
: up
Label state
: 0
Token state
: 0
VC ID
: 2
VC type
: VLAN
destination
: 2.2.2.2
local VC label
: 1027
remote VC label
control word
: disable
forwarding entry
: exist
local group ID
: 0
manual fault
: not set
active state
: active
link state
: up
local VC MTU
: 1500
remote VC MTU
tunnel policy name
create time
up time
last change time
VC last up time
: 2010/10/13 15:02:23
VC total up time
CKey
: 4
NKey
: 3
AdminPw interface
: --
2.
: 1025
: 1500
seconds
seconds
seconds
seconds
# Configure PE1.
[PE1] cfm enable
[PE1] cfm md md1
[PE1-md-md1] ma ma1
# Configure PE2.
Issue 02 (2013-12-31)

1111

Equipment
[PE2] cfm enable
[PE2] cfm md md1
[PE2-md-md1] ma ma1
[PE2-md-md1-ma-ma1]
[PE2-md-md1-ma-ma1]
[PE2-md-md1-ma-ma1]
[PE2-md-md1-ma-ma1]
[PE2-md-md1-ma-ma1]
3.
3 Reliability

mep mep-id 2 interface gigabitethernet1/0/1.1 inward
remote-mep mep-id 1
Configure the DMM reception function on PE2.

# Configure PE2.
[PE2-md-md1-ma-ma1] delay-measure two-way receive mep 2
[PE2-md-md1] quit
4.
Enable on-demand two-way frame delay measurement for the AC on the VLL network.
# Configure PE1.
[PE1-md-md1-ma-ma1] delay-measure two-way send mep 1 remote-mep 2 interval
1000 count 60
[PE1-md-md1] quit
5.

delay in bidirectional frame transmission.
<PE1> display y1731 statistic-type twoway-delay md md1 ma ma1
------------------------------------------------------------------------------Index
Delay(usec)
------------------------------------------------------------------------------1
0
2
0
0
3
0
0
4
0
0
5
0
0
6
0
0
7
0
0
8
0
0
9
0
0
10
0
0
0
0
0
0
0
0
Step 2 Configure proactive two-way frame delay measurement for the AC.
NOTE
Proactive two-way frame delay measurement can be configured to continuously monitor the performance
of an AC.
1.
Configure the DMM reception function on PE2.

# Configure PE2.
[PE2-md-md1-ma-ma1] delay-measure two-way receive mep 2
2.
Enable proactive two-way frame delay measurement.

# Configure PE1.
[PE1-md-md1-ma-ma1] delay-measure two-way continual send mep 1 remote-mep 2
interval 30000
Issue 02 (2013-12-31)

1112

Equipment
3 Reliability
[PE1-md-md1] quit
3.

delay in bidirectional frame transmission.
<PE1> display y1731 statistic-type twoway-delay md md1 ma ma1
Latest two-way delay statistics
------------------------------------------------------------------------------Index
Delay(usec)
------------------------------------------------------------------------------1
0
2
0
0
3
0
0
0
0
0
0
0
0
----End
Configuration Files
l

#
sysname CE1
#
vlan batch 2
#
cfm enable
#
cfm md md1
ma ma2
map vlan 2
remote-mep mep-id 4
#
return

#
sysname PE1
#
cfm enable
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
mpls ldp
#
vlan-type dot1q 2
mpls l2vc 2.2.2.2 2
#
Issue 02 (2013-12-31)

1113

Equipment
3 Reliability
undo shutdown
ip address 100.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 100.1.1.0 0.0.0.255
#
cfm md md1
ma ma1
remote-mep mep-id 2
delay-measure two-way continual send mep 1 remote-mep 2 interval 30000
ma ma2
remote-mep mep-id 3
delay-measure two-way receive mep 4
#
return

#
sysname PE2
#
cfm enable
#
mpls lsr-id 2.2.2.2
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 1
peer 1.1.1.1
#
mpls ldp
#
vlan-type dot1q 2
mpls l2vc 1.1.1.1 2
#
undo shutdown
ip address 100.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 100.1.1.0 0.0.0.255
#
Issue 02 (2013-12-31)

1114

Equipment
3 Reliability
cfm md md1
ma ma1
remote-mep mep-id 1
delay-measure two-way receive mep 2
#
return
Example for Configuring Single-ended SLM in VLL Networking

This section provides an example for configuring single-ended synthetic loss measurement
(SLM) in virtual leased line (VLL) networking.
As networks rapidly develop and applications diversify, various value-added services, such as
Internet Protocol television (IPTV), video conferencing, and voice over Internet Protocol (VoIP),
are more widely used than ever before. Any link connectivity fault or network performance
deterioration directly affects service quality on a live network, making performance monitoring
on the pipes that transmit these services absolutely essential.
On the point-to-multipoint network shown in Figure 3-79, a carrier wants to collect accurate
performance statistics about LM on the link between PE1 and PE3. To monitor network
performance in real time, the carrier can configure single-ended SLM on the VLL network. This
configuration allows the carrier to immediately adjust the network in case of voice quality
deterioration.
Figure 3-79 Single-ended SLM in VLL networking
PE2
PE1
CE1
User
Network
GE0/2/1
VLL
GE0/2/2
CE2
CE3
User
Network
User
Network
GE0/2/2 PE3
1.
Configure single-ended on-demand SLM on an AC between provider edges (PEs).
2.
Configure single-ended proactive SLM on an AC between PEs.
Data Preparation
l
Issue 02 (2013-12-31)
Layer 2 virtual circuit (L2VC) ID

1115

Equipment
3 Reliability
Names of the maintenance domain (MD) and maintenance association (MA) in which CE1,
PE1, and PE2 reside
Procedure
Step 1 Configure single-ended on-demand SLM on an AC between PEs.
1.
Establish a VLL.
Establish a VLL between PE1 and PE2. For configuration details, see "VLL Configuration"
in Configuration Guide - VPN or Configuration Files in this section.
After the preceding configuration is complete, run the display mpls l2vc command on each
PE to view VC and attachment circuit (AC) information. The following example uses the
command output on PE1.
Total LDP VC : 1
1 up
0 down
*client interface
: Eth-Trunk2.1 is
up
Administrator PW
:
no
session state
:
up
AC status
:
up
VC state
:
up
Label state
:
0
Token state
:
0
VC ID
:
10001
VC type
:
VLAN
destination
:
1.1.1.25
local VC label
: 16
remote VC label
16
control word
:
disable
remote control word
:
disable
forwarding entry
:
exist
local group ID
:
0
remote group ID
:
0
local AC OAM State
:
up
local PSN OAM State
:
up
local forwarding state :
forwarding
local status code
:
0x0
remote AC OAM state
:
up
remote PSN OAM state
:
up
remote forwarding state:
forwarding
remote status code
:
Issue 02 (2013-12-31)

1116

Equipment
0x0
ignore standby state
no
BFD for PW
unavailable
VCCV State
up
manual fault
set
active state
active
OAM Protocol
-OAM Status
-OAM Fault Type
-PW APS ID
0
PW APS Status
-TTL Value
1
link state
up
local VC MTU
1500
local VCCV
bfd
remote VCCV
bfd
tunnel policy name
-PW template name
-primary or secondary
primary
load balance type
flow
Access-port
false
Switchover Flag
false
VC tunnel/token info
tokens
NO.0 TNL type
0x203
Backup TNL type
0x0
create time
seconds
up time
seconds
last change time
seconds
VC last up time
10:04:26
VC total up time
seconds
CKey
6
NKey
3
PW redundancy mode
frr
AdminPw interface
--
Issue 02 (2013-12-31)
3 Reliability
:
:
:
: not
:
:
:
:
:
:
:
:
: 1500
remote VC MTU
: alert ttl lsp-ping

: alert ttl lsp-ping
:
:
:
:
:
:
: 1 tunnels/
: lsp
, TNL ID :
: lsp
, TNL ID :

: 2013/04/15
:
:
:
:

1117

Equipment
AdminPw link state
3 Reliability
:
-Diffserv Mode
uniform
Service Class
-Color
-DomainId
-Domain Name
--
2.
:
:
:
:
:
Configure basic Ethernet connectivity fault management (CFM) functions and set the
maintenance association end point (MEP) type to inward.
Configure basic Ethernet CFM functions on each PE. Specify the Ethernet CFM protocol
as IEEE Standard 802.1ag-2007. Create an MD named md1 and an MA named ma1, and
bind the MA to the VLL.
# Configure PE1.
[PE1] cfm enable
[PE1] cfm md md1
[PE1-md-md1] ma ma1
[PE1-md-md1-ma-ma1] mep mep-id 1 interface Eth-Trunk2.1 inward
[PE1-md-md1-ma-ma1] test-id 1 mep 1 remote-mep 2
# Configure PE2.
[PE2] cfm enable
[PE2] cfm md md1
[PE2-md-md1] ma ma1
[PE2-md-md1-ma-ma1] mep mep-id 2 interface Eth-Trunk2.1 inward
3.
Enable PE2 to receive SLM frames.

# Configure PE2.
[PE2-md-md1-ma-ma1] loss-measure single-ended-synthetic receive test-id 1 timeout 300
[PE2-md-md1] quit
4.
Enable PE1 to send SLM frames.

# Configure PE1.
[PE1-md-md1-ma-ma1] loss-measure single-ended-synthetic send test-id 1
interval 1000 sending-count 10 time-out 2
[PE1-md-md1] quit
5.
Issue 02 (2013-12-31)

1118

Equipment
3 Reliability
Run the display y1731 statistic-type command on PE1 to view statistics about singleended on-demand SLM.
<PE1>display y1731 statistic-type single-synthetic-loss test-id 1
------------------------------------------------------------------------------Index
L-send R-send L-recv Unack L-loss R-loss L-loss-ratio R-lossratio
------------------------------------------------------------------------------1016
10
10
10
0
0
0
0.0000%
0.0000%
1017
10
10
10
0
0
0
0.0000%
0.0000%
1018
10
10
10
0
0
0
0.0000%
0.0000%
1019
10
10
10
0
0
0
0.0000%
0.0000%
1020
10
10
10
0
0
0
0.0000%
0.0000%
1021
10
10
10
0
0
0
0.0000%
0.0000%
0
0.0000%
0
0.0000%
0
0.0000%
0
0.0000%
0
0.0000%
0
0.0000%
Step 2 Configure single-ended proactive SLM on an AC between PEs.

1.

# Configure PE2.
[PE2] cfm md md1
[PE2-md-md1] ma ma1
[PE2-md-md-ma-ma1] loss-measure single-ended-synthetic receive test-id 1 timeout 300
[PE2-md-md1] quit
2.

# Configure PE1.
[PE1] cfm md md1
[PE1-md-md1] ma ma1
[PE1-md-md1-ma-ma1] loss-measure single-ended-synthetic continual send test-id
1 interval 1000
[PE1-md-md1] quit
3.

Run the display y1731 statistic-type command on PE1 to view statistics about singleended proactive SLM.
<PE1> display y1731 statistic-type single-synthetic-loss test-id 1
------------------------------------------------------------------------------Index
L-send R-send L-recv Unack L-loss R-loss L-loss-ratio R-loss-
Issue 02 (2013-12-31)

1119

Equipment
3 Reliability
ratio
------------------------------------------------------------------------------1016
10
10
10
0
0
0
0.0000%
0.0000%
1017
10
10
10
0
0
0
0.0000%
0.0000%
1018
10
10
10
0
0
0
0.0000%
0.0000%
1019
10
10
10
0
0
0
0.0000%
0.0000%
1020
10
10
10
0
0
0
0.0000%
0.0000%
1021
10
10
10
0
0
0
0.0000%
0.0000%
0
0.0000%
0
0.0000%
0
0.0000%
0
0.0000%
0
0.0000%
0
0.0000%
----End
Configuration Files
l
PE1 configuration file

#
sysname PE1
#
FTP server
enable
#
y1731 pm-mode
enable
cfm
enable
#
mpls lsr-id
1.1.1.24
mpls
#
mpls
l2vpn
#
mpls
ldp
#
interface EthTrunk2
#
interface EthTrunk2.1
vlan-type dot1q
1
mpls l2vc 1.1.1.25
10001
#
interface
Issue 02 (2013-12-31)

1120

Equipment
3 Reliability
Ethernet0/0/0
undo
shutdown
ip address 10.137.131.24
255.255.254.0
#
interface
undo
shutdown
eth-trunk
2
dcn
#
interface
undo
shutdown
255.255.255.0
mpls
mpls
ldp
dcn
#
interface
LoopBack0
ip address 1.1.1.24
255.255.255.255
#
ospf
1
opaque-capability
enable
area
0.0.0.1
network 1.1.1.1
0.0.0.0
network 1.1.1.24
0.0.0.0
network 2.2.2.24
0.0.0.0
network 10.1.1.0
0.0.0.255
network 192.136.1.0
0.0.0.255
network 192.168.1.0
0.0.0.255
network 192.168.2.0
0.0.0.255
#
cfm md md1
ma ma1
mep mep-id 1 interface Eth-Trunk2.1
inward
enable
remote-mep mep-id 2
test-id 1 mep 1 remote-mep 2
loss-measure single-ended-synthetic continual send test-id 1 interval
1000
Issue 02 (2013-12-31)

1121

Equipment
3 Reliability
#
return

#
sysname PE2
#
cfm
enable
#
mpls lsr-id
1.1.1.25
mpls
#
mpls
l2vpn
#
mpls
ldp
#
interface EthTrunk2
#
vlan-type dot1q
1
mpls l2vc 1.1.1.24
10001
#
interface
Ethernet0/0/0
undo
shutdown
ip address 10.137.131.25
255.255.254.0
#
interface
undo
shutdown
eth-trunk
2
undo
dcn
#
interface
undo
shutdown
255.255.255.0
mpls
mpls
ldp
dcn
#
interface
NULL0
#
interface
LoopBack0
ip address 1.1.1.25
255.255.255.255
Issue 02 (2013-12-31)

1122

Equipment
3 Reliability
#
ospf
1
opaque-capability
enable
area
0.0.0.1
network 1.1.1.25
0.0.0.0
network 2.2.2.2
0.0.0.0
network 2.2.2.25
0.0.0.0
network 10.1.1.0
0.0.0.255
network 11.1.1.0
0.0.0.255
network 192.137.1.0
0.0.0.255
network 192.168.1.0
0.0.0.255
network 192.168.2.0
0.0.0.255
#
cfm md md1
ma ma1
mep mep-id 2 interface Eth-Trunk2.1 inward
remote-mep mep-id
1
enable
loss-measure single-ended-synthetic receive test-id 1 time-out 300
#
return
Example for Configuring Single-ended SLM in VPLS Networking

This section provides an example for configuring single-ended synthetic frame loss
measurement (LM) in virtual private LAN service (VPLS) networking.
On the point-to-multipoint network shown in Figure 3-80, a carrier wants to collect accurate
performance statistics about LM on the link between PE1 and PE2. To monitor network
performance in real time, the carrier can configure single-ended SLM on the VPLS network.
This configuration allows the carrier to immediately adjust the network in case of voice quality
deterioration.
Issue 02 (2013-12-31)

1123

Equipment
3 Reliability
Figure 3-80 Single-ended synthetic frame LM in VPLS networking
PE2
PE1
CE1
User
Network
VPLS
GE0/2/2
GE0/2/1
CE2
CE3
User
Network
User
Network
GE0/2/2 PE3
1.
Configure single-ended on-demand SLM on an AC between provider edges (PEs).
2.
Configure single-ended proactive SLM on an AC between PEs.
Data Preparation
l
Layer 2 virtual circuit (L2VC) ID
Names of the maintenance domain (MD) and maintenance association (MA) in which CE1,
PE1, and PE2 reside
Procedure
Step 1 Configure single-ended on-demand SLM on an AC between PEs.
1.
Configure a VPLS.
Configure a VPLS between PE1 and PE2. For configuration details, see "VPLS
Configuration" in Configuration Guide - VPN or Configuration Files in this section.
After the preceding configuration is complete, run the display vsi command on each PE to
view VC and attachment circuit (AC) information. The following example uses the
command output on PE1.
<PE1> display vsi name ethoam
verbose
***VSI Name
ethoam
Administrator VSI
no
Isolate Spoken
disable
VSI Index
0
PW Signaling
ldp
static
PW MAC Learn Style
unqualify
Encapsulation Type
vlan
Issue 02 (2013-12-31)
:
:
:
:
:
:
:
:

1124

Equipment
MTU
3 Reliability
:
1500
Diffserv Mode
uniform
Service Class
-Color
-DomainId
255
Domain
Name
:
Ignore AcState
disable
P2P VSI
disable
Create Time
seconds
VSI State
up
VSI ID
80000
*Peer Router ID
1.1.1.24
primary
no
VC Label
527
Peer Type
dynamic
Session
up
Tunnel ID
0x25f
Broadcast Tunnel ID
0x25f
0x0
CKey
2
NKey
1
Stp Enable
0
PwIndex
0
Interface Name
Trunk2.1
State
up
Access Port
false
Last Up Time
17:37:09
Total Up Time
seconds
: Eth-
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
: 2013/04/15
**PW
Information:
*Peer Ip Address
1.1.1.24
PW State
Issue 02 (2013-12-31)
:
:

1125

Equipment
3 Reliability
up
Local VC Label
Remote VC Label
527
527
PW Type
label
Tunnel ID
0x25f
Broadcast Tunnel ID
0x25f
0x0
Ckey
0x2
Nkey
0x1
Main PW Token
0x25f
Slave PW Token
0x0
Tnl Type
LSP
OutInterface
Backup
OutInterface
:
Stp Enable
0
PW Last Up Time
17:37:28
PW Total Up Time
2.
:
:
:
:
:
:
:
:
:
:
:
: 2013/04/15
maintenance association end point (MEP) type to outward.
Configure basic Ethernet CFM functions on each PE. Specify the Ethernet CFM protocol
bind the MA to the VPLS.
# Configure PE1.
[PE1] cfm enable
[PE1] cfm md md1
[PE1-md-md1] ma ma1
[PE1-md-md1-ma-ma1] map vsi ethoam
[PE1-md-md1-ma-ma1] mep mep-id 1 peer-ip 2.2.2.2 mac 0001-0001-0001 outward
[PE1-md-md1-ma-ma1] remote-mep mep-id 2 mac 0002-0002-0002
# Configure PE2.
[PE2] cfm enable
[PE2] cfm md md1
[PE2-md-md1] ma ma1
[PE2-md-md1-ma-ma1] mep mep-id 2 peer-ip 1.1.1.1 mac 0002-0002-0002 outward
[PE2-md-md1-ma-ma1] remote-mep mep-id 1 mac 0001-0001-0001
3.

# Configure PE2.
Issue 02 (2013-12-31)

1126

Equipment
3 Reliability
[PE2-md-md1-ma-ma1] loss-measure single-ended-synthetic receive test-id 1 timeout 300

[PE2-md-md1] quit
4.

# Configure PE1.
[PE1-md-md1-ma-ma1] loss-measure single-ended-synthetic send test-id 1
[PE1-md-md1] quit
5.

Run the display y1731 statistic-type command on PE1 to view statistics about singleended on-demand SLM.
<PE1>display y1731 statistic-type single-synthetic-loss test-id 1
------------------------------------------------------------------------------Index
------------------------------------------------------------------------------1016
10
10
10
0
0
0
0.0000%
0.0000%
1017
10
10
10
0
0
0
0.0000%
0.0000%
1018
10
10
10
0
0
0
0.0000%
0.0000%
1019
10
10
10
0
0
0
0.0000%
0.0000%
1020
10
10
10
0
0
0
0.0000%
0.0000%
1021
10
10
10
0
0
0
0.0000%
0.0000%
0
0.0000%
0
0.0000%
0
0.0000%
0
0.0000%
0
0.0000%
0
0.0000%
Step 2 Configure single-ended proactive SLM on an AC between PEs.

1.

# Configure PE2.
[PE2] cfm md md1
[PE2-md-md1] ma ma1
[PE2-md-md-ma-ma1] loss-measure single-ended-synthetic receive test-id 1 timeout 300
[PE2-md-md1] quit
2.

# Configure PE1.
[PE1] cfm md md1
[PE1-md-md1] ma ma1
Issue 02 (2013-12-31)

1127

Equipment
3 Reliability
[PE1-md-md1-ma-ma1] loss-measure single-ended-synthetic continual send test-id

1 interval 1000
[PE1-md-md1] quit
3.

Run the display y1731 statistic-type command on PE1 to view statistics about singleended proactive SLM.
<PE1> display y1731 statistic-type single-synthetic-loss test-id 1
------------------------------------------------------------------------------Index
------------------------------------------------------------------------------1016
10
10
10
0
0
0
0.0000%
0.0000%
1017
10
10
10
0
0
0
0.0000%
0.0000%
1018
10
10
10
0
0
0
0.0000%
0.0000%
1019
10
10
10
0
0
0
0.0000%
0.0000%
1020
10
10
10
0
0
0
0.0000%
0.0000%
1021
10
10
10
0
0
0
0.0000%
0.0000%
0
0.0000%
0
0.0000%
0
0.0000%
0
0.0000%
0
0.0000%
0
0.0000%
----End
Configuration Files
l

#
sysname PE1
#
FTP server
enable
#
y1731 pm-mode
enable
cfm
enable
#
mpls lsr-id
1.1.1.24
mpls
#
mpls
l2vpn
#
mpls
Issue 02 (2013-12-31)

1128

Equipment
3 Reliability
ldp
#
interface EthTrunk2
#
vlan-type dot1q
1
l2 binding vsi ethoam
#
interface
Ethernet0/0/0
undo
shutdown
ip address 10.137.131.24
255.255.254.0
#
interface
undo
shutdown
eth-trunk
2
dcn
#
interface
undo
shutdown
255.255.255.0
mpls
mpls
ldp
dcn
#
interface
LoopBack0
ip address 1.1.1.24
255.255.255.255
#
ospf
1
opaque-capability
enable
area
0.0.0.1
network 1.1.1.1
0.0.0.0
network 1.1.1.24
0.0.0.0
network 2.2.2.24
0.0.0.0
network 10.1.1.0
0.0.0.255
network 192.136.1.0
0.0.0.255
network 192.168.1.0
0.0.0.255
network 192.168.2.0
0.0.0.255
#
cfm md md1
Issue 02 (2013-12-31)

1129

Equipment
3 Reliability
ma ma1
map vsi ethoam
mep mep-id 1 peer-ip 2.2.2.2 mac 0001-0001-0001 outward
remote-mep mep-id 2 mac 0002-0002-0002
loss-measure single-ended-synthetic continual send test-id 1 interval
1000
#
return

#
sysname PE2
#
cfm
enable
#
mpls lsr-id
1.1.1.25
mpls
#
mpls
l2vpn
#
mpls
ldp
#
interface EthTrunk2
#
vlan-type dot1q
1
l2 binding vsi ethoam
#
interface
Ethernet0/0/0
undo
shutdown
ip address 10.137.131.25
255.255.254.0
#
interface
undo
shutdown
eth-trunk
2
undo
dcn
#
interface
undo
shutdown
255.255.255.0
mpls
mpls
ldp
dcn
#
interface
Issue 02 (2013-12-31)

1130

Equipment
3 Reliability
NULL0
#
interface
LoopBack0
ip address 1.1.1.25
255.255.255.255
#
ospf
1
opaque-capability
enable
area
0.0.0.1
network 1.1.1.25
0.0.0.0
network 2.2.2.2
0.0.0.0
network 2.2.2.25
0.0.0.0
network 10.1.1.0
0.0.0.255
network 11.1.1.0
0.0.0.255
network 192.137.1.0
0.0.0.255
network 192.168.1.0
0.0.0.255
network 192.168.2.0
0.0.0.255
#
cfm md md1
ma ma1
map vsi ethoam
mep mep-id 2 peer-ip 1.1.1.1 mac 0002-0002-0002 outward
remote-mep mep-id 1 mac
0001-0001-0001
#
return
Example for Configuring Single-ended SLM in VLAN Networking

This section provides an example for configuring single-ended synthetic loss measurement
(SLM) in virtual local area network (VLAN) networking.
On the point-to-multipoint network shown in Figure 3-81, PE1 and PE2 are connected through
a VLAN. A carrier wants to collect accurate performance statistics about LM on the link between
CE1 and CE2. To monitor network performance in real time, the carrier can configure singleended SLM on the VLAN. This configuration allows the carrier to immediately adjust the
network in case of voice quality deterioration.
Issue 02 (2013-12-31)

1131

Equipment
3 Reliability
Figure 3-81 Single-ended SLM in VLAN networking
CE2
GE0/2/1
CE1
User
Network
GE0/2/1
PE1
PE2
VLL/VPLS
/VLAN
CE3
User
Network
User
Network
1.
Configure single-ended on-demand SLM on a link between customer edges (CEs).
2.
Configure single-ended proactive SLM on a link between CEs.
Data Preparation
l
ID of the VLAN to which the CEs belong
Names of the maintenance domain (MD) and maintenance association (MA) in which CE1
and CE2 reside
Procedure
Step 1 Configure single-ended on-demand SLM.
1.
maintenance association end point (MEP) type to outward.
Configure basic Ethernet CFM functions on each CE. Specify the Ethernet CFM protocol
bind the MA to the VLAN.
# Configure CE1.
[CE1] vlan 2
[CE1] interface gigabitethernet0/2/1
[CE1-GigabitEthernet0/2/1] portswitch
[CE1-GigabitEthernet0/2/1] port link-type trunk
[CE1-GigabitEthernet0/2/1] port trunk allow-pass vlan 2
[CE1] cfm md md3
[CE1-md-md3] ma ma3
[CE1-md-md3-ma-ma3] map vlan 2
[CE1-md-md3-ma-ma3] mep mep-id 3 interface gigabitethernet0/2/1 outward
[CE1-md-md3-ma-ma3] mep ccm-send mep-id 3 enable
[CE1-md-md3-ma-ma3] remote-mep mep-id 4
[CE1-md-md3-ma-ma3] remote-mep ccm-receive mep-id 4 enable
[CE2-md-md3-ma-ma3] test-id 1 mep 3 remote-mep 4
# Configure CE2.
[CE2] vlan 2
Issue 02 (2013-12-31)

1132

Equipment
3 Reliability
[CE2] interface gigabitethernet0/2/1

[CE2-GigabitEthernet0/2/1]portswitch
[CE2-GigabitEthernet0/2/1]port link-type trunk
[CE2-GigabitEthernet0/2/1]port trunk allow-pass 2
[CE2-GigabitEthernet0/2/1]quit
[CE2] cfm enable
[CE2] cfm version standard
[CE2] cfm md md3
[CE2-md-md3] ma ma3
[CE2-md-md3-ma-ma3] mep mep-id 4 interface gigabitethernet0/2/1 outward
[CE2-md-md3-ma-ma3] mep ccm-send mep-id 4 enable
[CE2-md-md3-ma-ma3] remote-mep mep-id 3
[CE2-md-md3-ma-ma3] remote-mep ccm-receive mep-id 3 enable
[CE2-md-md3-ma-ma3] test-id 1 mep 4 remote-mep 3
2.
Enable CE2 to receive SLM frames.

# Configure CE2.
[CE2-md-md3-ma-ma3] loss-measure single-ended-synthetic receive test-id 1 timeout 300
[CE2-md-md3-ma-ma3] quit
[CE2-md-md3] quit
3.
Enable CE1 to send SLM frames.

# Configure CE1.
[CE1-md-md3-ma-ma3] loss-measure single-ended-synthetic send test-id 1
[PE1-md-md3] quit
4.

Run the display y1731 statistic-type command on CE1 to view statistics about singleended on-demand SLM.
<CE1>display y1731 statistic-type single-synthetic-loss test-id 1
------------------------------------------------------------------------------Index
------------------------------------------------------------------------------1016
10
10
10
0
0
0
0.0000%
0.0000%
1017
10
10
10
0
0
0
0.0000%
0.0000%
1018
10
10
10
0
0
0
0.0000%
0.0000%
1019
10
10
10
0
0
0
0.0000%
0.0000%
1020
10
10
10
0
0
0
0.0000%
0.0000%
1021
10
10
10
0
0
0
0.0000%
0.0000%
0
0.0000%
0
0.0000%
0
0.0000%
0
0.0000%
0
0.0000%
Issue 02 (2013-12-31)

1133

Equipment
0.0000%
3 Reliability
0
Step 2 Configure single-ended proactive SLM.

1.
Enable CE2 to receive SLM frames.

# Configure CE2.
[CE2-md-md3-ma-ma3] loss-measure single-ended-synthetic receive test-id 1 timeout 300
[CE2-md-md3] quit
2.
Enable CE1 to send SLM frames.

# Configure CE1.
[CE1] cfm md md1
[CE1-md-md3] ma ma1
[CE1-md-md3-ma-ma1] loss-measure single-ended-synthetic continual send test-id
1 interval 1000
[CE1-md-md3] quit
3.

Run the display y1731 statistic-type command on CE1 to view statistics about singleended proactive SLM.
<CE1> display y1731 statistic-type single-synthetic-loss test-id 1
------------------------------------------------------------------------------Index
------------------------------------------------------------------------------1016
10
10
10
0
0
0
0.0000%
0.0000%
1017
10
10
10
0
0
0
0.0000%
0.0000%
1018
10
10
10
0
0
0
0.0000%
0.0000%
1019
10
10
10
0
0
0
0.0000%
0.0000%
1020
10
10
10
0
0
0
0.0000%
0.0000%
1021
10
10
10
0
0
0
0.0000%
0.0000%
0
0.0000%
0
0.0000%
0
0.0000%
0
0.0000%
0
0.0000%
0
0.0000%
----End
Configuration Files
l
CE1 configuration file

#
Issue 02 (2013-12-31)

1134

Equipment
3 Reliability
sysname CE1
#
vlan batch 2
#
cfm enable
#
portswitch
undo shutdown
#
cfm md md3
ma ma3
map vlan 2
remote-mep mep-id 4
loss-measure single-ended-synthetic continual send test-id 1 interval 1000
#
return
CE2 configuration file

#
sysname CE2
#
vlan 2
#
cfm enable
#
portswitch
undo shutdown
#
cfm md md3
ma ma3
map vlan 2
remote-mep mep-id 3
#
return
Example for Configuring the AIS Function

The AIS function defined in Y.1731 supports VLL, VPLS, and VLAN scenarios. This section
provides an example showing how to configure the AIS function on a VLL network, and briefly
describes the AIS application on a VLAN and VPLS network.
AIS is used to prohibit a MEP in an MD of a higher level from sending the same alarm as that
sent by a MEP in an MD of a lower level to the NMS.
Issue 02 (2013-12-31)

1135

Equipment
3 Reliability
As shown in Figure 3-82, CE1 is connected to PE1 through sub-interfaces, and CE2 is connected
to PE2 through sub-interfaces. A VLL is set up between the PEs, using LDP as the signaling
protocol.
VLL AIS is configured on the PEs and alarm suppression is enabled on the CEs. In the scenarios
of MD nesting, if a MEP in a low-level MD detects a fault, the MEP sends an alarm to the NMS.
After a certain period, a MEP in the MD of a higher level also detects the fault and sends the
same alarm to the NMS. In this case, the MEP in the MD of a higher level must be prohibited
from sending the same alarm to the NMS.
NOTE
The VLL between the PEs is used as an example.
Figure 3-82 Networking diagram of configuring AIS
CE1
AIS packets PE1

VLAN
PE2 AIS packets CE2

VLL/VPLS
/VLAN
VLAN
MD2 Level 3
MD1 Level 6
1.
Add the PEs to an MD, add each PE and its attached CE to an MD, and ensure that the level
of the MD to which the PEs belong is lower than that to which each PE and its attached CE
belong.
2.
Configure alarm suppression to suppress MEPs in MDs of different levels from sending
the same alarm to the NMS.
Data Preparation
l
VC ID
NOTE
l VLAN ID (in VLAN networking)

l VSI name (in VPLS networking)
Issue 02 (2013-12-31)

1136

Equipment
3 Reliability
MD names and MA names on CE1, CE2, PE1, and PE2
Procedure
Step 1 Configure a VLL connection.
Configure a VLL connection between PE1 and PE2. The configuration details are not provided
here. For details, see the chapter "VLL Configuration" in the Configuration Guide - VPN or
configuration files in this configuration example.
By default, the interface type is tagged. The parameter raw can be set in the map mpls l2vc
command used to bind the MA to the L2VC only when the parameter raw has been set in the
mpls l2vc command used to create a dynamic VLL connection.
NOTE
l In the case of VLAN networking, configure the VLAN between PE1 and PE2. The configuration details
are not provided. For details, see the chapter "VLAN Configuration" in the Configuration Guide - LAN
Access and MAN Access or configuration files in this configuration example.
l In the case of VPLS networking, configure a VPLS connection between PE1 and PE2. The
configuration details are not provided here. For details, see the chapter "VPLS Configuration" in the
Configuration Guide - VPN or configuration files in this example.
Step 2 Configure basic Ethernet CFM functions.

Configure basic Ethernet CFM functions on each PE. Create an MD named md1 and an MA
named ma1, and bind the MA to the VLL.
# Configure PE1.
[PE1] cfm enable
[PE1] cfm md md1 level 3
[PE1-md-md1] ma ma1
NOTE
l In VLAN networking, run the following command:

l In VPLS networking, run the following command:

[PE1-md-md1] quit
# Configure PE2.
[PE2] cfm enable
[PE2] cfm md md1 level 3
[PE2-md-md1] ma ma1
NOTE
l In VLAN networking, run the following command:

l In VPLS networking, run the following command:

Issue 02 (2013-12-31)

1137

Equipment
3 Reliability
[PE2-md-md1] quit
Configure basic Ethernet CFM functions on each CE. Specify the Ethernet CFM protocol in the
version of IEEE Standard 802.1ag-2007. Create an MD named md2 and an MA named ma2.
# Configure CE1.
[CE1] interface GigabitEthernet 0/2/1
[CE1-GigabitEthernet0/2/1] undo shutdown
[CE1] cfm enable
[CE1] cfm md md2 level 6
[CE1-md-md1] ma ma2
[CE1-md-md1] quit
# Configure CE2.
[CE2] cfm enable
[CE2] cfm md md2 level 6
[CE2-md-md2] ma ma2
[CE2-md-md2] quit
Step 3 Set the MEP type as inward on the AC-side interface of each PE (in VLAN networking, set the
MEP type on the AC-side interface as outward).
# Configure PE1.
[PE1] cfm md md1
[PE1-md-md1] ma ma1
[PE1-md-md1-ma-ma1] mep mep-id 31 interface gigabitEthernet1/0/1.1 inward
NOTE
In VLAN networking, run the following commands to set the MEP type as outward:
[PE1-md-md1-ma-ma1] mep mep-id 31 interface gigabitEthernet1/0/1 outward
[PE1-md-md1-ma-ma1]
[PE1-md-md1-ma-ma1]
[PE1-md-md1-ma-ma1]
[PE1-md-md1-ma-ma1]
[PE1-md-md1] quit
mep ccm-send enable

remote-mep mep-id 32
quit
# Configure PE2.
[PE2] cfm md md1
[PE2-md-md1] ma ma1
[PE2-md-md1-ma-ma1] mep mep-id 32 interface gigabitEthernet1/0/1.1 inward
NOTE
In VLAN networking, run the following commands to set the MEP type as outward:
[PE2-md-md1-ma-ma1] mep mep-id 31 interface gigabitEthernet1/0/1 outward
Issue 02 (2013-12-31)

1138

Equipment
3 Reliability

[PE2-md-md1] quit
Step 4 Set the MEP type as outward on each CE.

# Configure CE1.
[CE1] cfm md md2
[CE1-md-md2] ma ma2
[CE1-md-md2-ma-ma2]
[CE1-md-md2-ma-ma2]
[CE1-md-md2-ma-ma2]
[CE1-md-md2-ma-ma2]
[CE1-md-md2-ma-ma2]
[CE1-md-md2-ma-ma2]
[CE1-md-md2] quit
mep mep-id 61 interface gigabitEthernet0/2/1 outward

ccm-interval 10000
mep ccm-send enable
quit
# Configure CE2.
[CE2] cfm md md2
[CE2-md-md2] ma ma2
[CE2-md-md2-ma-ma2]
[CE2-md-md2-ma-ma2]
[CE2-md-md2-ma-ma2]
[CE2-md-md2-ma-ma2]
[CE2-md-md2-ma-ma2]
[CE2-md-md2-ma-ma2]
[CE2-md-md2] quit

ccm-interval 10000
mep ccm-send enable
quit
Step 5 Configure the AIS function.

# Configure PE1.
[PE1] cfm md md1
[PE1-md-md1] ma ma1
[PE1-md-md1-ma-ma1]
[PE1-md-md1-ma-ma1]
[PE1-md-md1-ma-ma1]
[PE1-md-md1-ma-ma1]
[PE1-md-md1-ma-ma1]
[PE1-md-md1] quit
ais
ais
ais
ais
ais
enable
link-status interface gigabitEthernet1/0/2
level 6
interval 1
vlan vid 10 mep 31
# Configure PE2.
[PE2] cfm md md1
[PE2-md-md1] ma ma1
[PE2-md-md1-ma-ma1]
[PE2-md-md1-ma-ma1]
[PE2-md-md1-ma-ma1]
[PE2-md-md1-ma-ma1]
[PE2-md-md1-ma-ma1]
[PE2-md-md1-ma-ma1]
[PE2-md-md1] quit
ais enable
ais link-status interface gigabitEthernet1/0/2
ais level 6
ais interval 1
ais vlan vid 10 mep 32
quit
Step 6 Enable alarm suppression.

# Configure CE1.
[CE1] cfm md md2
[CE1-md-md1] ma ma2
[CE1-md-md1-ma-ma1] ais enable
[CE1-md-md1-ma-ma1] ais suppress-alarm
[CE1-md-md1] quit
# Configure CE2.
Issue 02 (2013-12-31)

1139

Equipment
3 Reliability
[CE2] cfm md md2

[CE2-md-md2] ma ma2
[CE2-md-md1-ma-ma1] ais enable
[CE2-md-md2-ma-ma2] ais suppress-alarm
[CE2-md-md2] quit

If a fault occurs in the VLL between PE1 and PE2 after the preceding configuration is complete,
run the display cfm ma md md1 ma ma1 command on PE1. The value of the Sending Ais
Packet field is displayed as Yes in the command output. Run the display cfm ma md md2 ma
ma2 command on CE1. The value of the Suppressing Alarms field is displayed as Yes in the
command output.
[PE1] display cfm ma md md1 ma ma1
MD Name
: md1
MD Name Format
: string
Level
: 3
MIP Create-type
: none
MA Name
: ma1
MA Name Format
: string
Interval
: 1000
Priority
: 4
Vlan ID
: -VSI Name
: -L2VC ID
: 100 tagged
MEP Number
: 31
RMEP Number
: 32
[CE1] display cfm ma md md2 ma ma2
MD Name
: md2
MD Name Format
: string
Level
: 6
MIP Create-type
: none
MA Name
: ma2
MA Name Format
: string
Interval
: 10000
Priority
: 4
Vlan ID
: 10
VSI Name
: -L2VC ID
: -MEP Number
: 61
RMEP Number
: 62
Sending Ais Packet : NO
----End
Configuration Files
l

#
sysname PE1
#
cfm enable
#
mpls lsr-id 1.1.1.1
mpls
#
Issue 02 (2013-12-31)

1140

Equipment
3 Reliability
mpls l2vpn
mpls l2vpn default martini
#
mpls ldp
#
remote-ip 3.3.3.3
#
undo shutdown
#
vlan-type dot1q 10
mpls l2vc 3.3.3.3 100
#
undo shutdown
ip address 100.1.1.1 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 100.1.1.0 0.0.0.3
#
cfm md md1 level 3
ma ma1
mep ccm-send enable
ais enable
ais level 6
ais interval 1
#
return
#
sysname P
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
undo shutdown
ip address 100.2.1.1 255.255.255.252
mpls
mpls ldp
#
undo shutdown
ip address 100.1.1.2 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
Issue 02 (2013-12-31)

1141

Equipment
3 Reliability
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 100.1.1.0 0.0.0.3
network 100.2.1.0 0.0.0.3
#
return

#
sysname PE2
#
cfm enable
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 1.1.1.1
#
undo shutdown
#
vlan-type dot1q 10
mpls l2vc 1.1.1.1 100
#
undo shutdown
ip address 100.2.1.2 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 5.5.5.5 0.0.0.0
network 100.2.1.0 0.0.0.3
#
cfm md md1 level 3
ma ma1
mep ccm-send enable
ais enable
ais level 6
ais interval 1
#
return

#
sysname CE1
#
Issue 02 (2013-12-31)

1142

Equipment
3 Reliability
cfm enable
#
undo shutdown
portswitch
#
cfm md md2 level 6
ma ma2
map mpls vlan 10
ccm-interval 10000
mep ccm-send enable
ais enable
ais suppress-alarm
#
return

#
sysname CE2
#
cfm enable
#
undo shutdown
portswitch
#
cfm md md2 level 6
ma ma2
map mpls vlan 10
ccm-interval 10000
mep ccm-send enable
ais enable
ais suppress-alarm
#
return
3.9 MPLS-TP OAM Configuration

This section introduces the basic principles of Multiprotocol Label Switching Transport Profile
Operation, Administration, and Maintenance (MPLS-TP OAM), describes how to configure the
continuity check (CC), loopback (LB), remote defect indication (RDI), loss measurement (LM),
and delay measurement (DM) functions, and provides configuration examples.
3.9.1 Introduction
Multiprotocol label switching transport profile (MPLS-TP) operation, administration and
maintenance (OAM)is used for MPLS-TP operation and maintenance.
MPLS-TP OAM Introduction

Working at the MPLS-TP client layer and server layer, MPLS-TP OAM can effectively detect,
identify, and locate faults at the client layer and quickly switch traffic when links or nodes
become defective. OAM is an important means to reduce network maintenance expenditure.
Issue 02 (2013-12-31)

1143

Equipment
3 Reliability
MPLS-TP OAM Background

Along with network and service transformation and integration, various new services emerge,
such as triple play services, Next Generation Network (NGN) services, carrier Ethernet services,
and Fiber-to-the-x (FTTx) services. These services require more investment and OAM costs,
and high capabilities of QoS, full service access, and the expansibility, reliability, and
manageability of transport networks. Traditional transport network technologies such as MultiService Transmission Platform (MSTP), Synchronous Digital Hierarchy (SDH), and
Wavelength Division Multiplexing (WDM) cannot meet these requirements because they lack
the control plane. MPLS-TP, however, can meet these requirements because its functions can
be used on both traditional transport networks and next-generation transport networks that are
capable to process packets.
Since traditional transport networks (for example, SDH or OTN networks) set high benchmarks
for reliability and maintenance, MPLS-TP needs to provide powerful OAM capabilities. MPLSTP OAM is used to provide the following functions:
l
Fault management
Performance monitoring
Protection switching
MPLS-TP OAM Functional Components

MPLS-TP OAM functions are performed on maintenance entities (MEs). An ME consists of a
pair of maintenance entity group end points (MEPs) (namely, the two ends of a link).
The details of MPLS-TP OAM functional components are as follows:
l
ME
An ME indicates a relationship between two maintenance ends. On a bidirectional label
switched path (LSP) that has more than one ME, MPLS-TP OAM detection can be
performed on the MEs without affecting one another. One ME can be nested within another
ME but cannot overlap with another ME.
Figure 3-83 Schematic diagram of ME deployment on a bidirectional LSP
In g re ss L S R
T ra n sit L S R
T ra n sit L S R
E g re ss L S R
ME1
ME2
LSP
ME
MEG
A MEG is a maintenance entity group that is formed by one or more MEs that are created
for a transport link. If the transport link is a point-to-point bidirectional path such as a
bidirectional LSP or a PW, a MEG is formed by only one ME.
MEP
A MEP is the source or sink node in a MEG, as shown in Figure 3-84.
Issue 02 (2013-12-31)

1144

Equipment
3 Reliability
Figure 3-84 Schematic diagram of node deployment of an ME

Ingress LER
Transit LER
LSP
Transit LER
Egress LER
Maintenance End Point

Maintenance Intermediate Point
On a bidirectional LSP, only LERs can serve as MEPs. In Figure 3-83, the ingress LER
and egress LER are MEPs.
On a PW, only underlayer PEs (UPEs) can serve as MEPs.
MEPs trigger and control MPLS-TP OAM operations. OAM packets can be generated or
terminated on MEPs.
MPLS-TP OAM Features Supported by the ATN

MPLS-TP OAM provides the performance monitoring and fault detection functions.
Fault Management
As shown in Table 3-58, MPLS-TP OAM supports the link fault detection and alarm suppression
functions.
Table 3-58 MPLS-TP OAM fault management functions
Function
Description
Continuity Check
(CC)
Checks link connectivity periodically.
Connectivity
Verification (CV)
Detects forwarding faults continuously.
Loopback Function
(LB)
Performs loopback.
Performance Monitoring
As shown in Table 3-59, MPLS-TP OAM supports the packet loss measurement and delay
measurement functions.
Issue 02 (2013-12-31)

1145

Equipment
3 Reliability
Table 3-59 MPLS-TP OAM performance monitoring functions

Function
Description
Loss Measurement
(LM)
Packet loss measurement

l Single-ended packet loss measurement
l Dual-ended packet loss measurement
Delay Measurement
(DM)
Delay and delay jitter measurement

l One-way delay and delay jitter measurement
l Two-way delay and delay jitter measurement
3.9.2 Configuring MPLS-TP OAM for an LSP

MPLS-TP OAM configured on the ATN can monitor bidirectional LSPs.
Before You Start

MPLS-TP OAM can be configured to monitor LSPs. Before you configure MPLS-TP OAM, an
LSP to be monitored must be created. Before configuring the MPLS-TP OAM monitoring
functions, familiarize yourself with the usage scenario, complete the pre-configuration tasks,
and obtain the data required for the configuration.
MPLS-TP has been widely used on transport networks. Since traditional transport networks,
such as SDH and OTN networks, set high benchmarks for reliability and maintenance, MPLSTP needs to provide powerful OAM capabilities.
MPLS-TP OAM can detect faults on bidirectional LSPs and collect performance statistics. On
the LSP shown in Figure 3-85, the ingress LER is the local MEP, the egress LER is the remote
MEP (RMEP), and the transit LERs are MIPs. MPLS-TP OAM runs on the MEPs and MIPs
and provide the functions listed in Table 3-60.
Figure 3-85 Networking diagram for a bidirectional LSP
Ingress LER
Transit LER
LSP
Transit LER
Egress LER

Issue 02 (2013-12-31)

1146

Equipment
3 Reliability
Table 3-60 MPLS-TP OAM functions supported by the ATN

Function
Application
Scenario
Fault management
Connectivity check
CC: checks the continuous connectivity

between the ingress LER and the egress
LER of a bidirectional LSP. If a link fault
is detected, an alarm will be generated and
the link status will change to Down.
LB: checks the continuous connectivity
between the ingress LER and the egress
LER of a bidirectional LSP based on
requirements. Check results will be directly
displayed on a terminal.
CV: checks whether MEG configurations
on the ingress LER and egress LER of a
bidirectional LSP are consistent and will
report alarms if any inconsistency is
detected.
Performance statistics
Packet loss statistics
LM: checks statistics about packets

dropped between the ingress LER and
egress LER of a bidirectional LSP.
Delay and delay

jitter measurement
DM: checks statistics about the delay and

delay jitter between the ingress LER and
egress LER of a bidirectional LSP.
Before configuring MPLS-TP OAM for an LSP, complete the following task:
l
Configuring a bidirectional LSP
Enabling the packet statistics function on the LSP interfaces
Data Preparation
To configure MPLS-TP OAM for an LSP, you need the following data.
Issue 02 (2013-12-31)
No.
Data
MEG name
Name of the tunnel interface bound to the ME
(Optional) Interval of Continuity Check Message (CCM) transmissions and priority

of CCMs

1147

Equipment
3 Reliability
No.
Data
(Optional) Interval and number of loss measurement message (LMM) transmissions

and priority of LMMs
(Optional) Interval and number of transmissions of delay measurement packets and

priority of the packets
Creating an ME and Binding It to a Tunnel Interface

This section describes how to create an ME and bind it to a bidirectional LSP.
Context
RSVP tunnels for transmitting TE services are unidirectional, and TE services are transmitted
from the ingress node to the egress node of a tunnel. To transmit TE services from the egress
node to the ingress node of the tunnel, you can only use a route to forward services. This may
cause network congestion. If the path from the egress node to the ingress node is configured as
an RSVP tunnel, two tunnels are established between the ingress node and the egress node. When
a tunnel becomes faulty, but the other one does not receive the fault notification, services will
be interrupted. To solve the preceding problem, you can configure a static bidirectional LSP.
The following static bidirectional LSPs are supported.
l
Static bidirectional co-routed LSP: similar to two LSPs in opposite directions. A

bidirectional co-routed LSP, however, is an integer. It maps two forwarding entries, and
goes Up only when the LSP is Up in the two directions. If the LSP is Down in one direction,
the LSP is in the Down state. The two forwarding entries are associated with each other.
With the IP forwarding capability, any intermediate node can send back a response packet
along the source path.
Static bidirectional co-routed LSPs supported by MPLS-TP can be monitored by TP OAM.
A MEG maps a static bidirectional co-routed LSP, which maps only one ME. The LSP
includes two MEPs at the ingress and egress nodes of the LSP.
Two P2P LSPs in opposite directions are set up over a bidirectional co-routed transport path in
a MEG. This means that there is a single LSP in both directions between a MEP and its RMEP.
A single ME operates along this P2P LSP.
Procedure
Step 1 Run:
system-view

Step 2 Run:
mpls-tp meg meg-name
A MEG is created, and the MEG view is displayed.

----End
Issue 02 (2013-12-31)

1148

Equipment
3 Reliability
(Optional) Configuring CC and CV for an LSP

The CC and CV functions provided by MPLS-TP OAM can be configured for an LSP to check
its continuous connectivity and forwarding correctness.
Context
CC and CV are two different MPLS-TP OAM functions. CC checks loss of continuity (LOC)
defects between two MEPs in a MEG. CV is used to detect consistency of configurations on two
MEPs in a MEG or in different MEGs. The purpose of CC greatly differs from that of CV. The
details are as follows:
l
CC is a pro-active OAM operation. It detects connectivity between any two MEPs in a

MEG. A MEP sends CCMs to its RMEP at intervals. If the RMEP does not receive CCMs
within a period 3.5 times the specified interval, it considers that the connectivity between
the two MEPs is faulty and will report an alarm and enter the Down state. Then, automatic
protection switching (APS) will be triggered on both MEPs. After receiving a CCM from
the MEP, the RMEP will clear the alarm and exit from the Down state.
CV is also a pro-active OAM operation. It enables a MEP to report alarms when the EMP
receives unexpected packets. For example, if a CV-enabled device receives a packet from
an LSP and finds that this packet is mistakenly transmitted by the LSP, the device will
report an alarm indicating a forwarding error.
Transport networks have strict requirements on data forwarding correctness. In addition,
MPLS-TP requires that the data plane be able to work without IP support, which means
that packet forwarding is based on label switching only. Therefore, the correctness of labelbased forwarding must be guaranteed.
In real world situations, CC and CV are usually used together. Therefore, these two functions
are integrated on the ATN. Perform the following steps on the MEP and RMEP:
Procedure
Step 1 Run:
system-view

Step 2 Run:
A MEG is created and the MEG view is displayed.

Step 3 (Optional) Run either of the following commands:
NOTE
Ensure that the same CCM transmission interval is set on the MEP and RMEP; otherwise, an alarm will be
generated.
l To configure the interval between CCM transmissions, run:

cc interval interval-value
CCM transmission intervals and their application scenarios are as follows:

3.3 ms: 300 frames are sent per second. This interval is recommended in protection
switching.
10 ms: 100 frames are sent per second.
Issue 02 (2013-12-31)

1149

Equipment
3 Reliability
100 ms: 10 frames are sent per second. This interval is recommended in performance
monitoring.
1000 ms: 1 frame is sent per second. This interval is recommended in fault management.
10000 ms: 6 frames are sent per minute.
60000 ms: 1 frame is sent per minute.
600000 ms: 6 frames are sent per hour.
Select a proper CCM transmission interval to suit the CC application requirement.
l To configure the priority of CCMs, run:
cc exp exp-value
If the MPLS-TP network is severely congested and the priority of CCMs is low, CCMs cannot
be sent. Therefore, a proper priority needs to be configured for CCMs based on network
conditions.
Step 4 Perform the following steps to enable CC and CV on the MEP and RMEP. This can prevent
MEPs from generating alarms mistakenly during enabling process.
1.
On the MEP, run:

cc send enable
Sending CC/CV packets is enabled on the MEP.

2.
On the RMEP, run:

cc send enable
Sending CC/CV packets is enabled on the RMEP.

3.
On the MEP, run:

cc receive enable
Receiving CC/CV packets is enabled on the MEP.

4.
On the RMEP, run:

cc receive enable
Receiving CC/CV packets is enabled on the RMEP.

----End
(Optional) Using LB for an LSP

LB is the most common tool used to detect connectivity of MPLS-TP links.
Context
LB is used to monitor the connectivity between a MEP and its RMEP or a MIP. Unlike CC or
CV that is performed periodically, LB is performed at a specified time.
Commands can be run to trigger LB, and LB packets are used to check the following items:
l
Availability of the remote device
Round-trip delay in communication between two MEPs
Loss of ping packets
Issue 02 (2013-12-31)

1150

Equipment
3 Reliability
Procedure
l
Run:
ping meg meg-name [ -c count-value | -t timeout-value | { mip ttl ttl-number
{ node-id node-id-value | mip-id mip-id } [ if-num if-number-value ] } ] *
[ request-tlv ]
LB is enabled to monitor the connectivity of an MPLS-TP link.

NOTE
If the network speed is rather slow, timeout-value (a parameter specifies the period for waiting for a
response packet) can be set to a larger value when the ping meg command is configured.
----End
(Optional) Configuring LM for an LSP

This section describes how to configure single-ended or dual-ended packet loss measurement
(LM) to collect the reliability statistics of a bidirectional LSP.
Context
LM is an MPLS-TP performance monitoring (PM) function. Dual-ended LM is implemented
on two MEPs of an LSP. The measurement results are as follows:
l
Near-end packet loss: indicates the number and percentage of dropped packets that are sent
from an RMEP to a MEP.
Far-end packet loss: indicates the number and percentage of dropped packets that are sent
from a MEP to an RMEP.
The ATN supports two LM functions, namely, single-ended LM dual-ended LM. The differences
between them are listed in
Table 3-61 Differences between single-ended LM and dual-ended LM
Item
Single-Ended LM
Dual-Ended LM
Statistic
s display
Statistics can be displayed by running either of

the following commands on the local MEP:
Running the display mpls-tp

oam meg meg-name statistictype lost-measure dualended command on the MEP
can display dual-ended packet
loss statistics.
l Running the lost-measure single-ended

command can display on-demand
monitoring single-ended packet loss statistics
on the device.
l Running the display mpls-tp oam meg megname statistic-type lost-measure singleended command can query single-ended
packet loss statistics.
Applicat
ion
scenario
On-demand monitoring
Proactive monitoring
The procedure for configuring single-ended or dual-ended LM is as follows:

Issue 02 (2013-12-31)

1151

Equipment
3 Reliability
NOTE
All the steps must be performed on the MEP and RMEP unless otherwise specified.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The maintenance entity group (MEG) view is displayed.

Step 3 Select one of the following sub-procedures as needed.
l Configure single-ended frame LM.
1.
Run the lost-measure single-ended receive enable command to enable the RMEP to
receive LMMs from the MEP.
2.
Run any of the following commands:

Run the loss-measure single-ended [ interval interval-value | count count-value |
exp exp-value ] * command to enable single-ended on-demand frame LM on the
MEP.
Run the lost-measure single-ended proactive [ interval interval-value | exp expvalue ] * command to enable single-ended proactive frame LM on the MEP.
(Optional) Run the lost-measure single-ended loss-ratio { threshold1 threshold1value | sd1-continuous-period period-length | sd1-period period-value sd1count sd1-count-value | threshold2 threshold2-value | sd2-continuous-period
period-length | sd2-period period-value sd2-count sd2-count-value } * command
to set an alarm threshold for single-ended frame LM. When the number of dropped
frames reaches or exceeds the alarm threshold, an alarm is generated and an
automatic protection switching (APS) switchover is triggered.
(Optional) Run the lost-measure single-ended loss-ratio revertive-period
revertive-period-value command to set a threshold for an APS switchback. When
the number of times that the number of dropped frames falls below a specified alarm
threshold reaches or exceeds the configured threshold, an APS switchback is
triggered.
l Configure dual-ended frame LM.

1.
(Optional) Run the cc interval interval-value command to configure the interval

between CCM transmissions.
Typical CCM transmission intervals and their application scenarios are as follows:
monitoring.
1000 ms: One frame is sent per second. This interval is recommended in fault
management.
10000 ms: Six frames are sent per minute.
2.
Issue 02 (2013-12-31)
(Optional) Run the cc exp exp-value command to configure the priority of CCMs.
1152

Equipment
3 Reliability
NOTE
If the MPLS-TP network is severely congested and the priority of CCMs is low, CCMs cannot be sent.
Therefore, a proper priority must be configured for CCMs based on network conditions.
3.
Run the cc send enable command on the MEP to enable it to send continuity check
(CC) or connectivity verification (CV) packets.
4.
Run the cc send enable command on the RMEP to enable it to send CC/CV packets.
5.
Run the cc receive enable command on the MEP to enable it to receive CC/CV packets.
6.
Run the cc receive enable command on the RMEP to enable it to receive CC/CV
packets.
7.
(Optional) Run the lost-measure dual-ended loss-ratio { threshold1 threshold1value | threshold2 threshold2-value } command to set an alarm threshold for dual-ended
frame LM.
8.
Run the lost-measure dual-ended enable command to enable dual-ended frame LM.
----End
(Optional) Configuring DM for an LSP

This section describes how to configure one-way and two way delay and delay jitter
measurement (DM) to collect reliability statistics of a bidirectional LSP.
Context
DM is another performance monitoring function provided by MPLS-TP. Based on delay
information, delay variation (jitter) can be known. At present, two DM modes are supported.
l
One-way DM: In a point-to-point ME, a MEP sends DM packets to its RMEP to carry out
one-way DM.
NOTE
If the clocks of the two MEPs are synchronous, one-way DM can be conducted. If the clocks of the two
MEPs are asynchronous, only two-way DM can be conducted.
Two-way DM: In a point-to-point ME, a MEP sends Delay Measurement Messages

(DMMs) to its RMEP and receives Delay Measurement Replies (DMRs) from the RMEP
to carry out two-way DM.
The differences between one-way DM and two-way DM are listed in
Issue 02 (2013-12-31)

1153

Equipment
3 Reliability
Table 3-62 Differences between one-way DM and two-way DM

Item
One-Way DM
Two-Way DM
Statistic
s display
Running the display mpls-tp oam

meg meg-name statistic-type delaymeasure one-way command on the
RMEP can display one-way DM
statistics on the local MEP.
Statistics can be displayed by running

either of the following commands on the
local MEP:
l Running the delay-measure two-way
[ interval interval-value | count countvalue | exp exp-value ]* command can
display two-way DM statistics.
l Running the display mpls-tp oam
meg meg-name statistic-type delaymeasure two-way command can
display two-way DM statistics.
Applicat
ion
scenario
The procedure for configuring one-way and two-way DM is as follows:

NOTE
All the steps must be performed on the MEP and RMEP unless otherwise specified.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The MEG view is displayed.

l Configure one-way frame DM. Run any of the following commands:
Run the delay-measure one-way [ interval interval-value | count count-value | exp expvalue ] * command to enable one-way on-demand frame DM.
Run either of the following commands to view statistics about one-way on-demand frame
DM as needed:
If the delay-measure one-way command has been run on the MEP, run the display
mpls-tp oam meg meg-name statistic-type delay-measure one-way command on
the RMEP to view statistics about one-way on-demand frame DM in the direction
from the MEP to its RMEP.
If the delay-measure one-way command has been run on the RMEP, run the display
Issue 02 (2013-12-31)

1154

Equipment
3 Reliability
the MEP to view statistics about one-way on-demand frame DM in the direction from
the RMEP to the MEP.
Run the delay-measure one-way proactive [ interval interval-value | exp exp-value ]
* command on the MEP to enable one-way proactive frame DM.
Run the delay-measure one-way proactive receive enable command on the RMEP to
enable the RMEP to receive DM packets from the MEP.
Run either of the following commands to view statistics about one-way proactive frame
DM as needed:
If the delay-measure one-way proactive command has been run on the MEP, run
the display mpls-tp oam meg meg-name statistic-type delay-measure one-way
command on the RMEP to view statistics about one-way proactive frame DM in the
direction from the MEP to its RMEP.
If the delay-measure one-way proactive command has been run on the RMEP, run
command on the MEP to view statistics about one-way proactive frame DM in the
direction from the RMEP to the MEP.
l Configure two-way frame DM. Configure either two-way on-demand or proactive frame DM
as follows:
Run the delay-measure two-way [ interval interval-value | count count-value | exp expvalue | two-time-stamp ] * command to enable two-way on-demand frame DM.
Run the delay-measure two-way proactive [ interval interval-value | exp exp-value |
two-time-stamp ] * command to enable two-way proactive frame DM.
----End

After MPLS-TP OAM functions are configured for an LSP, performance statistics and fault
detection information can be queried.
Prerequisites
All configurations of MPLS-TP OAM functions for an LSP are complete.
Procedure
l
Run the display mpls-tp oam current-alarm command to check alarms associated with
a MEG.
Run the display mpls-tp oam me brief command to check information about MEs in a
MEG.
Run the display mpls-tp oam meg command to check MEG information on the MEP.
Run the display mpls-tp oam meg meg-name statistic-type command to check MPLSTP OAM performance statistics.
----End
3.9.3 Configuring MPLS-TP OAM for a PW

MPLS-TP OAM configured on the ATN can check a PW built over a LSP.
Issue 02 (2013-12-31)

1155

Equipment
3 Reliability
Before You Start

MPLS-TP OAM can be configured to monitor PWs. Before you configure MPLS-TP OAM,
PWs to be monitored must be set up. Before configuring the MPLS-TP OAM monitoring
function, familiarize yourself with the usage scenario, complete the pre-configuration tasks, and
obtain the data required for the configuration.
MPLS-TP has been widely used on transport networks. Since traditional transport networks,
such as SDH and OTN networks, set high benchmarks for reliability and maintenance, MPLSTP needs to provide powerful OAM capabilities.
MPLS-TP OAM can detect faults on PWs that are built over bidirectional LSPs and collect
performance statistics. On the PW shown in Figure 3-86, the T-PEs are MEPs, and the S-PEs
are MIPs. MPLS-TP OAM runs on the MEPs and MIPs and provide the functions listed in Table
3-63.
Figure 3-86 Networking diagram for a PW built over a bidirectional LSP
T-PE
S-PE
LSP
S-PE
T-PE

Table 3-63 MPLS-TP OAM functions supported by the ATN

Function
Application
Scenario
Fault management
Connectivity check
Continuity check (CC): checks the

continuous connectivity between the T-PEs
of a PW built over a bidirectional LSP. If a
link fault is detected, an alarm will be
generated and the link status will change to
Down.
Loopback (LB): checks the continuous
connectivity between the T-PEs of a PW
built over a bidirectional LSP based on
requirements. Check results will be
displayed on a terminal.
Issue 02 (2013-12-31)

1156

Equipment
Function
Application
Scenario
3 Reliability
Connectivity Verification (CV): checks
whether CC configurations on the ingress
LER and egress LER of a PW are consistent
and will report alarms if any inconsistency
is detected.
Performance statistics
Packet loss statistics
Loss Measurement (LM): checks

statistics about packets dropped between
the ingress LER and egress LER of a PW
built over a bidirectional LSP.
Delay and delay

jitter measurement
Delay measurement (DM): collects

statistics about delay and delay jitters
between the T-PEs of a PW built over a
bidirectional LSP.
Before configuring MPLS-TP OAM for a PW, complete the following tasks:
l
Set up a PW based on a bidirectional LSP.
Enable the packet measurement function on the access circuit (AC) interface of the LSP.
Data Preparation
To configure MPLS-TP OAM for a PW, you need the following data.
No.
Data
MEG name
ID of the VC bound to the ME
(Optional) Interval of Continuity Check Message (CCM) transmissions and priority

of CCMs
(Optional) Interval and number of loss measurement message (LMM) transmissions

and priority of LMMs
(Optional) Interval and number of transmissions of delay measurement packets and

priority of the packets
Creating an ME and Binding It to a PW

This section describes how to create an ME and bind it to a single-segment or multi-segment
PWE3 PW.
Issue 02 (2013-12-31)

1157

Equipment
3 Reliability
Context
If a transport path is a PW built over a LSP, an ME created for the path must be bound to the
PW before MPLS-TP OAM is configured.
Procedure
Step 1 Run:
system-view

Step 2 Run:
mpls-tp mode { standard | private }
Specifies an MPLS-TP OAM detection mode.

The default mode is standard OAM detection.
Step 3 Run:
A MEG is created, and the MEG view is displayed.

Step 4 Create an ME and bind the ME to a single-segment or multi-segment PWE3 PW:
l If the PW is a single-segment PW, the configuration steps are as follows:
Run the me l2vc peer-ip peer-ip vc-id vc-id vc-type vc-type mep-id mep-id remotemep-id remote-mep-id command on the MEP to create an ME and bind the ME to an SSPW using PWE3.
Run the me l2vc peer-ip peer-ip vc-id vc-id vc-type vc-type mep-id mep-id remotemep-id remote-mep-id command on the RMEP to create an ME and bind the ME to the
same SS-PW using PWE3.
----End
(Optional) Configuring CC and CV for a PW

To continuously check PW connectivity and forwarding, configure the CC/CV function on an
ME instance.
Context
Continuity check (CV) and connectivity verification (CV) are two different MPLS-TP OAM
functions. CC checks loss of continuity (LOC) defects between two MEPs in a MEG. CV is used
to detect consistency of configurations on two MEPs in a MEG or in different MEGs. In real
world situations, CC and CV are usually used together. Therefore, these two functions are
integrated on the ATN. The purpose of CC greatly differs from that of CV. The details are as
follows:
l
Issue 02 (2013-12-31)
CC is a pro-active OAM operation. It detects CCMs between the two MEPs (in a MEG) of
a PW built over a bidirectional LSP. A MEP sends CCMs to its RMEP at intervals. If the
RMEP does not receive CCMs within a period 3.5 times the specified interval, it considers
that the connectivity between the two MEPs is faulty and will report an alarm and enter the
1158

Equipment
3 Reliability
Down state. Then, automatic protection switching (APS) will be triggered on both MEPs.
After receiving a CCM from the MEP, the RMEP will clear the alarm and exit from the
Down state.
l
CV is also a pro-active OAM operation. It enables a MEP to report alarms when receiving
unexpected packets. For example, if a CV-enabled device receives a packet from a PW and
finds that this packet is mistakenly transmitted by the PW, the device will report an alarm
indicating a forwarding error.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The MEG view is displayed.

Step 3 (Optional) Configure an interval at which CCMs are sent and specify a priority for CCMs.
NOTE
Ensure that the same CCM transmission interval is set on the MEP and RMEP; otherwise, CC and CV operations
will fail.
l To configure the interval between CCM transmissions, run the cc interval interval-value
command.
CCM transmission intervals and their application scenarios are as follows:
3.3 ms: 300 frames are sent per second. This interval is recommended in protection
switching.
10 ms: 100 frames are sent per second.
monitoring.
1000 ms: 1 frame is sent per second. This interval is recommended in fault management.
10000 ms: 6 frames are sent per minute.
60000 ms: 1 frame is sent per minute.
600000 ms: 6 frames are sent per hour.
Select a proper CCM transmission interval to suit the CC application requirement.
l To configure the priority of CCMs, run the cc exp exp-value command.
Issue 02 (2013-12-31)

1159

Equipment
3 Reliability
If the MPLS-TP network is severely congested and the priority of CCMs is low, CCMs cannot
be sent. Therefore, a proper priority needs to be configured for CCMs based on network
conditions.
Step 4 Perform the following steps to enable CC and CV on the MEP and RMEP. This can prevent
MEPs from generating alarms mistakenly during enabling process.
1.
On the MEP, run:

cc send enable
Sending CC/CV packets is enabled on the MEP.

2.
On the RMEP, run:

cc send enable
Sending CC/CV packets is enabled on the RMEP.

3.
On the MEP, run:

cc receive enable
Receiving CC/CV packets is enabled on the MEP.

4.
On the RMEP, run: cc receive enable

Receiving CC/CV packets is enabled on the RMEP.
----End
(Optional) Using LB (to Be Performed at a Specified Time) for a PW

LB is the most common tool used to detect connectivity of MPLS-TP links.
Context
LB can monitor the connectivity between two MEPs or between a MEP and a MIP. Unlike CC
or CV that is performed periodically, LB is performed at a specified time.
The ping meg command can be run to trigger LB, and LB packets are used to check the following
items:
l
Availability of the remote device
Round-trip delay in communication between two MEPs
Loss of ping packets
Run:
Procedure
ping meg meg-name [ -c count-value | -t timeout-value | { mip ttl ttl-number
{ node-id node-id-value | mip-id mip-id } [ if-num if-number-value ] } ] *
[ request-tlv ]
LB is enabled to monitor the connectivity of an MPLS-TP link.

NOTE
If the network speed is rather slow, timeout-value (a parameter that specifies the period for waiting for a
response packet) can be set to a larger value when the ping meg command is configured.
----End
Issue 02 (2013-12-31)

1160

Equipment
3 Reliability
(Optional) Configuring Frame LM for a PW

This section describes how to configure single-ended or dual-ended frame loss measurement
(LM) to collect the reliability statistics of a pseudo wire (PW) built over a label switched path
(LSP).
Context
Frame LM is a performance monitoring (PM) function provided by multiprotocol label switching
transport profile (MPLS-TP). Dual-ended frame LM is performed on the two maintenance entity
group end points (MEPs) of a PW. The measurement results are divided into near-end and farend frame loss:
l
Near-end frame loss: indicates the number and percentage of dropped frames that are sent
from a remote MEP (RMEP) to a MEP.
Far-end frame loss: indicates the number and percentage of dropped frames that are sent
from a MEP to an RMEP.
The ATN supports both single-ended and dual-ended frame LM functions. The differences
between them are listed in
Table 3-64 Differences between single-ended and dual-ended frame LM functions
Item
Single-ended Frame LM
Dual-ended Frame LM
Statistic
s display
Statistics can be displayed by

running either of the following
commands on a MEP:
Running the display mpls-tp oam meg

meg-name statistic-type lost-measure
dual-ended command on a MEP displays
dual-ended frame loss statistics.
l Running the lost-measure

single-ended command displays
on-demand monitoring singleended frame loss statistics on the
device.
l Running the display mpls-tp
oam meg meg-name statistictype lost-measure single-ended
command displays single-ended
frame loss statistics.
Applicat
ion
scenario
The procedure for configuring single-ended or dual-ended frame LM is as follows:

NOTE
All the steps must be performed on both the MEP and RMEP unless otherwise specified.
Issue 02 (2013-12-31)

1161

Equipment
3 Reliability
Procedure
Step 1 Run:
system-view

Step 2 Run:

l Configure single-ended frame LM.
1.
Run the lost-measure single-ended receive enable command to enable the RMEP to
receive LMMs from the MEP.
2.
Run any of the following commands:

Run the loss-measure single-ended [ interval interval-value | count count-value |
exp exp-value ] * command to enable single-ended on-demand frame LM on the
MEP.
Run the lost-measure single-ended proactive [ interval interval-value | exp expvalue ] * command to enable single-ended proactive frame LM on the MEP.
3.
(Optional) Run the lost-measure single-ended loss-ratio { threshold1 threshold1value | sd1-continuous-period period-length | sd1-period period-value sd1-count sd1count-value | threshold2 threshold2-value | sd2-continuous-period period-length |
sd2-period period-value sd2-count sd2-count-value } * command to set an alarm
threshold for single-ended frame LM. When the number of dropped frames reaches or
exceeds the alarm threshold, an alarm is generated and an automatic protection
switching (APS) switchover is triggered.
4.
(Optional) Run the lost-measure single-ended loss-ratio revertive-period revertiveperiod-value command to set a threshold for an APS switchback. When the number of
times that the number of dropped frames falls below a specified alarm threshold reaches
or exceeds the configured threshold, an APS switchback is triggered.
l Configure dual-ended frame LM.

1.
(Optional) Run the cc interval interval-value command to configure the interval

between CCM transmissions.
Typical CCM transmission intervals and their application scenarios are as follows:
1000 ms: One frame is sent per second. This interval is recommended in fault
management.
10000 ms: Six frames are sent per minute.
2.
(Optional) Run the cc exp exp-value command to configure the priority of CCMs.
NOTE
If the MPLS-TP network is severely congested and the priority of CCMs is low, CCMs cannot be sent.
Therefore, a proper priority must be configured for CCMs based on network conditions.
Issue 02 (2013-12-31)
3.
Run the cc send enable command on the MEP to enable it to send continuity check
(CC) or connectivity verification (CV) packets.
4.
Run the cc send enable command on the RMEP to enable it to send CC/CV packets.
1162

Equipment
3 Reliability
5.
Run the cc receive enable command on the MEP to enable it to receive CC/CV packets.
6.
Run the cc receive enable command on the RMEP to enable it to receive CC/CV
packets.
7.
(Optional) Run the lost-measure dual-ended loss-ratio { threshold1 threshold1value | threshold2 threshold2-value } command to set an alarm threshold for dual-ended
frame LM.
8.
Run the lost-measure dual-ended enable command to enable dual-ended frame LM.
----End
(Optional) Configuring Frame DM for a PW

This section describes how to configure one-way or two-way delay measurement (DM) to collect
reliability statistics of a pseudo wire (PW) built over a label switched path (LSP).
Context
Frame DM is a performance monitoring function provided by multiprotocol label switching
transport profile (MPLS-TP). Delay variation (jitter) can be calculated based on delay
information. Two DM modes are supported:
l
One-way frame DM: In a point-to-point maintenance entity (ME), a maintenance entity

group end point (MEP) sends DM packets to its remote MEP (RMEP) to perform one-way
frame DM.
NOTE
If the clocks of the two MEPs are synchronous, both one-way and two-way frame DM can be performed.
If the clocks of the two MEPs are asynchronous, only two-way frame DM can be performed.
Two-way frame DM: In a point-to-point ME, a MEP sends Delay Measurement Messages
(DMMs) to its RMEP and receives Delay Measurement Replies (DMRs) from the RMEP
to perform two-way frame DM.
The differences between one-way and two-way frame DM functions are listed in
Table 3-65 Differences between one-way and two-way frame DM functions
Item
One-way Frame DM
Two-way Frame DM
Statistic
s display
Running the display mpls-tp oam

meg meg-name statistic-type delaymeasure one-way command on the
RMEP displays statistics about oneway delay and delay jitters on a MEP.
Statistics can be displayed by running

either of the following commands on a
MEP:
l Running the delay-measure two-way
[ interval interval-value | count countvalue | exp exp-value ] * command
displays statistics about two-way delay
on-demand and delay jitters.
l Running the display mpls-tp oam
meg meg-name statistic-type delaymeasure two-way command displays
statistics about two-way delay and
delay jitters.
Issue 02 (2013-12-31)

1163

Equipment
3 Reliability
Item
One-way Frame DM
Two-way Frame DM
Applicat
ion
scenario
The procedure for configuring one-way and two-way frame DM is as follows.

NOTE
All the steps must be performed on both the MEP and RMEP unless otherwise specified.
Procedure
Step 1 Run:
system-view

Step 2 Run:

l Configure one-way frame DM. Configure either one-way on-demand or proactive frame DM
as follows:
Run the delay-measure one-way [ interval interval-value | count count-value | exp expvalue ] * command to enable one-way on-demand frame DM.
Run either of the following commands to view statistics about one-way on-demand frame
DM as needed:
If the delay-measure one-way command has been run on the MEP, run the display
the RMEP to view statistics about one-way on-demand frame DM in the direction
from the MEP to its RMEP.
If the delay-measure one-way command has been run on the RMEP, run the display
the MEP to view statistics about one-way on-demand frame DM in the direction from
the RMEP to the MEP.
Run the delay-measure one-way proactive [ interval interval-value | exp exp-value ]
* command on the MEP to enable one-way proactive frame DM.
Run the delay-measure one-way proactive receive enable command on the RMEP to
enable the RMEP to receive DM packets from the MEP.
Run either of the following commands to view statistics about one-way proactive frame
DM as needed:
If the delay-measure one-way proactive command has been run on the MEP, run
command on the RMEP to view statistics about one-way proactive frame DM in the
direction from the MEP to its RMEP.
Issue 02 (2013-12-31)

1164

Equipment
3 Reliability
If the delay-measure one-way proactive command has been run on the RMEP, run
command on the MEP to view statistics about one-way proactive frame DM in the
direction from the RMEP to the MEP.
l Configure two-way frame DM. Configure either two-way on-demand or proactive frame DM
as follows:
Run the delay-measure two-way [ interval interval-value | count count-value | exp expvalue | two-time-stamp ] * command to enable two-way on-demand frame DM.
Run the delay-measure two-way proactive [ interval interval-value | exp exp-value |
two-time-stamp ] * command to enable two-way proactive frame DM.
----End

After MPLS-TP OAM functions are configured for a PW, performance statistics and fault
detection information can be queried.
Prerequisites
All configurations of MPLS-TP OAM functions for a PW are complete.
Procedure
l
Run the display mpls-tp oam current-alarm command to check alarms associated with
a MEG.
Run the display mpls-tp oam me meg meg-name [ mep-id mep-id | remote-mep-id
remote-mep-id ] command to check information about MEs in a MEG.
Run the display mpls-tp oam meg command to check MEG information on the MEP.
Run the display mpls-tp oam meg meg-name statistic-type command to check MPLSTP OAM performance statistics.
----End

This section describes the typical application scenarios of MPLS-TP OAM, networking
requirements, configuration roadmap, and data preparation, and provides related configuration
files.
Example for Configuring CC and CV for an LSP

LSRs are connected using a bidirectional LSP. CC and CV need to be configured to monitor the
continuous connectivity between LSRs and detect faults on the MPLS-TP network.
As shown in Figure 3-87, ATNA, CX-B, and CX-C are connected using a bidirectional LSP.
The following deployment is performed to guarantee the connectivity and correct packet
forwarding between ATNA and CX-C:
Issue 02 (2013-12-31)

1165

Equipment
3 Reliability
ATNA and CX-C serve as MEPs.
CX-B serves as a MIP.
Configure CC and CV on the MEPs.

l
CC is a pro-active OAM operation. It detects connectivity between any two MEPs of a

bidirectional LSP in a MEG. A MEP sends CCMs to its RMEP at intervals. If the RMEP
does not receive CCMs within a period 3.5 times the specified interval, it considers that
the connectivity between the two MEPs is faulty and will report an alarm and enter the
Down state.
CV is also a pro-active OAM operation. It enables a MEP to report alarms when the MEP
receives unexpected packets transmitted over bidirectional LSPs. For example, if a CVenabled device receives a packet from an LSP and finds that this packet is mistakenly
transmitted by the LSP, the device will report an alarm indicating a forwarding error.

Loopback1
1.1.1.1/32
Loopback1
2.2.2.2/32
GE0/2/0
2.1.1.1/24
ATNA
GE1/0/0
2.1.1.2/24
Loopback1
3.3.3.3/32
GE2/0/0
GE1/0/0
3.2.1.1/24 3.2.1.2/24
CX-B
CX-C
1.
Create an ME and bind it to a bidirectional LSP.
2.
Configure the interval between CCM transmissions and priority of CCMs.
3.
Enable CC and CV.
Data Preparation
l
MEG name
Name of the TE tunnel bound to the ME
Interval between CCM transmissions and priority of CCMs
Issue 02 (2013-12-31)

1166

Equipment
3 Reliability
Procedure
Step 1 Configure a bidirectional LSP.
For details about the bidirectional LSP that is built based on LSRs, see "Configuring a Static
Bidirectional LSP" in the Configuration Guide-MPLS or information in the configuration files
of this configuration example.
Step 2 Create an ME and bind it to a bidirectional LSP.
# Create an ME named test on ATNA and bind the ME to Tunnel 1/0/0.
[ATNA] mpls-tp meg test
[ATNA-mpls-tp-meg-test] me te interface tunnel 1/0/0 mep-id 1 remote-mep-id 2
# Create an ME named test on CX-C and bind the ME to Tunnel 2/0/0.

[HUAWEI] sysname CX-C
[CX-C] mpls-tp meg test
[CX-C-mpls-tp-meg-test] me te interface tunnel 2/0/0 mep-id 2 remote-mep-id 1
Step 3 Configure the interval between CCM transmissions and priority of CCMs.
NOTE
The same CCM transmission interval and priority of CCMs must be configured on the MEP and RMEP;
otherwise, alarms will be mistakenly reported.
# Set the CCM transmission interval to 100 ms and the priority of CCMs to 6 on ATNA.
[ATNA-mpls-tp-meg-test] cc interval 100
[ATNA-mpls-tp-meg-test] cc exp 6
# Set the CCM transmission interval to 100 ms and the priority of CCMs to 6 on CX-C.
[CX-C-mpls-tp-meg-test] cc interval 100
[CX-C-mpls-tp-meg-test] cc exp 6
Step 4 Enable CC and CV.

# Enable CC and CV on ATNA.
[ATNA-mpls-tp-meg-test] cc send enable
[ATNA-mpls-tp-meg-test] cc receive enable
[ATNA-mpls-tp-meg-test] return
# Enable CC and CV on CX-C.

[CX-C-mpls-tp-meg-test] cc send enable
[CX-C-mpls-tp-meg-test] cc receive enable
[CX-C-mpls-tp-meg-test] return

Run the display mpls-tp oam meg command on ATNA to view MEG information.
<ATNA> display mpls-tp oam meg test
-------------------------------------------------MEG test
-------------------------------------------------meg name
: test
me count
: 1
cc send
: enable
cc receive
: enable
cc interval
: 100
cc exp
: 6
ais
: disable
ais interval
: 1000
Issue 02 (2013-12-31)

1167

Equipment
3 Reliability
ais exp
: 7
lock
: disable
lock interval
: 1000
lock exp
: 7
csf
: disable
csf interval
: 1000
csf exp
: 7
lm single-end receive
: disable
lm dual-end
: enable
lm dual-end SD1 threshold: 1
lm dual-end SD2 threshold: 10
-------------------------------------------------[ME 1]
index
direction
mep id
remote mep id
status board
service type
tunnel-name
:
:
:
:
:
:
:
0
dual
1
2
1
te (cr-static-lsp)
Tunnel1/0/0
lsp name
:
state
: UP
alarm indicate
: no alarm
--------------------------------------------------
----End
Configuration Files
l

#
sysname ATNA
#
mpls lsr-id 1.1.1.1
mpls
mpls te
#
bidirectional static-cr-lsp ingress Tunnel1/0/0
forward nexthop 2.1.1.2 out-label 20 bandwidth ct0 10000
backward in-label 20
#
interface GE0/2/0
undo shutdown
ip address 2.1.1.1 255.255.255.0
mpls
mpls te
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
destination 3.3.3.3
mpls te signal-protocol cr-static
mpls te bidirectional
mpls te commit
#
ip route-static 2.2.2.2 255.255.255.255 2.1.1.2
ip route-static 3.3.3.3 255.255.255.255 2.1.1.2
#
Issue 02 (2013-12-31)

1168

Equipment
3 Reliability
mpls-tp meg test

me te interface Tunnel1/0/0 mep-id 1 remote-mep-id 2
cc interval 100
cc exp 6
cc send enable
cc receive enable
#
return

#
sysname CX-B
#
mpls lsr-id 2.2.2.2
mpls
mpls te
#
bidirectional static-cr-lsp transit lsp1
forward in-label 20 nexthop 3.2.1.2 out-label 40 bandwidth ct0 10000
backward in-label 16 nexthop 2.1.1.1 out-label 20 bandwidth ct0 10000
#
interface GE1/0/0
undo shutdown
ip address 2.1.1.2 255.255.255.0
mpls
mpls te
#
interface GE2/0/0
undo shutdown
ip address 3.2.1.1 255.255.255.0
mpls
mpls te
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ip route-static 1.1.1.1 255.255.255.255 2.1.1.1
ip route-static 3.3.3.3 255.255.255.255 3.2.1.2
#
return

#
sysname CX-C
#
mpls lsr-id 3.3.3.3
mpls
mpls te
#
bidirectional static-cr-lsp egress lsp1
forward in-label 40 lsrid 1.1.1.1 tunnel-id 100
backward nexthop 3.2.1.1 out-label 16 bandwidth ct0 10000
#
interface GE1/0/0
undo shutdown
ip address 3.2.1.2 255.255.255.0
mpls
mpls te
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
Issue 02 (2013-12-31)

1169

Equipment
3 Reliability
#
destination 1.1.1.1
mpls te passive-tunnel
mpls te binding bidirectional static-cr-lsp egress lsp1
mpls te commit
#
ip route-static 1.1.1.1 255.255.255.255 3.2.1.1
ip route-static 2.2.2.2 255.255.255.255 3.2.1.1
#
mpls-tp meg test
cc interval 100
cc exp 6
cc send enable
cc receive enable
#
return
Example for Configuring LB for an LSP

LSRs are connected using a bidirectional LSP. LB needs to be configured to monitor the
connectivity between LSRs and detect faults on the MPLS-TP network.
The following deployment is performed to guarantee the connectivity between ATNA and CXC:
l
LB can be used to check the following items:

l
Reachability of the REMP
Round-trip delay in communication between the MEP and RMEP
Loss of ping packets between the MEP and RMEP

NOTE
LB counts only the ping packets that are lost after being sent out, providing a rough packet loss ratio of
the link between MEPs. The LM function can be used to obtain the accurate packet loss ratio of the link
between MEPs.

Loopback1
1.1.1.1/32
Loopback1
2.2.2.2/32
GE0/2/0
2.1.1.1/24
ATNA
Issue 02 (2013-12-31)
GE1/0/0
2.1.1.2/24
Loopback1
3.3.3.3/32
GE2/0/0
GE1/0/0
3.2.1.1/24 3.2.1.2/24
CX-B

CX-C
1170

Equipment
3 Reliability
1.
2.
Enable LB.
Data Preparation
l
MEG name
Procedure
For details about the bidirectional LSP built based on LSRs, see "Configuring a Static
Bidirectional LSP" in the <Configuration Guide-MPLS or information in the configuration files
# Create an ME named test on ATNA and bind the ME to Tunnel 0/1/1.
[ATNA-mpls-tp-meg-test] me te interface Tunnel 0/1/1 mep-id 1 rmep-id 2

[CX-C-mpls-tp-meg-test] me te interface tunnel 2/0/0 mep-id 2 rmep-id 1
Step 3 Enable LB.

NOTE
LB can be used to detect the connectivity between a MEP and its RMEP or a MIP. In this example, LB is used
to detect the connectivity between ATNA and CX-C.
Enable LB on ATNA.
<ATNA> ping meg test
PING test: 9 data bytes, press CTRL_C
Reply from vsi: bytes=9, Sequence=1
--- ping statistics --3 packet(s) transmitted
0.00% packet loss
round-trip min/avg/max 90/96/100 ms
to break
time=100 ms
time=90 ms
time=100 ms
----End
Issue 02 (2013-12-31)

1171

Equipment
3 Reliability
Configuration Files
l

#
sysname ATNA
#
mpls lsr-id 1.1.1.1
mpls
mpls te
#
bidirectional static-cr-lsp ingress Tunnel 0/1/1
#
interface GE0/2/0
undo shutdown
ip address 2.1.1.1 255.255.255.0
mpls
mpls te
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
interface Tunnel 0/1/1
destination 3.3.3.3
mpls te commit
#
ip route-static 2.2.2.2 255.255.255.255 2.1.1.2
ip route-static 3.3.3.3 255.255.255.255 2.1.1.2
#
mpls-tp meg test
me te interface Tunnel 0/1/1 mep-id 1 remote-mep-id 2
#
return

#
sysname Quidway
#
mpls lsr-id 2.2.2.2
mpls
mpls te
#
#
interface GE1/0/0
undo shutdown
ip address 2.1.1.2 255.255.255.0
mpls
mpls te
#
interface GE2/0/0
undo shutdown
ip address 3.2.1.1 255.255.255.0
mpls
mpls te
Issue 02 (2013-12-31)

1172

Equipment
3 Reliability

#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ip route-static 1.1.1.1 255.255.255.255 2.1.1.1
ip route-static 3.3.3.3 255.255.255.255 3.2.1.2
#
return

#
sysname CX-C
#
mpls lsr-id 3.3.3.3
mpls
mpls te
#
#
interface GE1/0/0
undo shutdown
ip address 3.2.1.2 255.255.255.0
mpls
mpls te
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
destination 1.1.1.1
mpls te commit
#
ip route-static 1.1.1.1 255.255.255.255 3.2.1.1
ip route-static 2.2.2.2 255.255.255.255 3.2.1.1
#
mpls-tp meg test
#
return
Example for Configuring LM for an LSP

LSRs are connected using a bidirectional LSP. LM needs to be configured to monitor packet
loss ratios between LSRs and provide performance statistics about the MPLS-TP network.
As a connection-oriented packet switching technology, MPLS-TP is designed to convert a
transport network from circuit switching to packet switching. The conversion aims to increase
the transmission rate on the transport network.
Link reliability must be guaranteed when MPLS-TP is used to increase bandwidth usage. For
example, users will not sense change in voice quality if the packet loss ratio on voice links is
Issue 02 (2013-12-31)

1173

Equipment
3 Reliability
lower than 10%. If the packet loss ratio is higher than 20%, voice quality will deteriorate
obviously.
NOTE
Percentage of dropped packets = Number of dropped packets/Number of packets sent during the specified
interval The number of dropped packets is the difference between the number of packets sent by the ingress
node and the number of packets received by the egress node on a P2P LSP.
LM can be used to collect packet loss statistics and evaluate link performance. LM is one of the
performance monitoring functions provided by MPLS-TP. It includes single-ended LM and
dual-ended LM.
NOTE
The section uses the configuration of dual-ended LM as an example. The configuration of single-ended LM is
the same as that of dual-ended LM except the configuration for querying packet loss statistics.
The following deployment is performed to ensure the connectivity between ATNA and CX-C:
l

Loopback1
1.1.1.1/32
Loopback1
2.2.2.2/32
GE0/2/0
2.1.1.1/24
GE1/0/0
2.1.1.2/24
ATNA
Loopback1
3.3.3.3/32
GE2/0/0
GE1/0/0
3.2.1.1/24 3.2.1.2/24
CX-B
CX-C
1.
2.
Enable CC on the MEP and RMEP.
3.
Configure an alarm threshold for packet loss measurement.
4.
Enable dual-ended LM.
Data Preparation
l
MEG name
Alarm threshold for packet loss measurement
Issue 02 (2013-12-31)

1174

Equipment
3 Reliability
Procedure
For details about how to configure a bidirectional LSP between T-PEs, see "Configuring a Static
# Create an ME named test on ATNA and bind the ME to Tunnel0/1/1.
[ATNA-mpls-tp-meg-test] me te interface Tunnel0/1/1 mep-id 1 remote-mep-id 2

Step 3 Enable CC on the MEP and RMEP.

# Enable CC on ATNA.
# Enable CC on CX-C.
Step 4 Configure an alarm threshold for packet loss measurement.

# Configure an alarm threshold for packet loss measurement on ATNA.
[ATNA-mpls-tp-meg-test] lost-measure dual-ended loss-ratio threshold1 50
# Configure an alarm threshold for packet loss measurement on CX-C.

[CX-C-mpls-tp-meg-test] lost-measure dual-ended loss-ratio threshold1 50
Step 5 Enable dual-ended LM.

# Enable dual-ended LM on ATNA.
[ATNA-mpls-tp-meg-test] lost-measure dual-ended enable
# Enable dual-ended LM on CX-C.

[CX-C-mpls-tp-meg-test] lost-measure dual-ended enable

Run the display mpls-tp oam command on ATNA to view statistics about packet loss ratios.
<ATNA> display mpls-tp oam meg test statistic-type lost-measure dual-ended
Dual-end loss measurement statistics:
Index Near-end lost frames Loss ratio Far-end lost frames Loss ratio
1
10
12.50%
10
12.50%
Max near-end lost frames:10,frame loss ratio:12.50%
Min near-end lost frames:10,frame loss ratio:12.50%
Average near-end lost frames:10,frame loss ratio:12.50%
Max far-end lost frames:10,frame loss ratio:12.50%
Issue 02 (2013-12-31)

1175

Equipment
3 Reliability
Min far-end lost frames:10,frame loss ratio:12.50%

Average far-end lost frames:10,frame loss ratio:12.50%
----End
Configuration Files
l

#
sysname ATNA
#
mpls lsr-id 1.1.1.1
mpls
mpls te
#
#
interface GE0/2/0
undo shutdown
ip address 2.1.1.1 255.255.255.0
mpls
mpls te
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
destination 3.3.3.3
mpls te commit
#
ip route-static 2.2.2.2 255.255.255.255 2.1.1.2
ip route-static 3.3.3.3 255.255.255.255 2.1.1.2
#
mpls-tp meg test
cc send enable
cc receive enable
#
return

#
sysname Quidway
#
mpls lsr-id 2.2.2.2
mpls
mpls te
#
#
interface GE1/0/0
undo shutdown
ip address 2.1.1.2 255.255.255.0
mpls
mpls te
Issue 02 (2013-12-31)

1176

Equipment
3 Reliability

#
interface GE2/0/0
undo shutdown
ip address 3.2.1.1 255.255.255.0
mpls
mpls te
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ip route-static 1.1.1.1 255.255.255.255 2.1.1.1
ip route-static 3.3.3.3 255.255.255.255 3.2.1.2
#
return

#
sysname CX-C
#
mpls lsr-id 3.3.3.3
mpls
mpls te
#
#
interface GE1/0/0
undo shutdown
ip address 3.2.1.2 255.255.255.0
mpls
mpls te
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
destination 1.1.1.1
mpls te commit
#
ip route-static 1.1.1.1 255.255.255.255 3.2.1.1
ip route-static 2.2.2.2 255.255.255.255 3.2.1.1
#
mpls-tp meg test
cc send enable
cc receive enable
#
return
Issue 02 (2013-12-31)

1177

Equipment
3 Reliability
Example for Configuring DM for an LSP

LSRs are connected using a bidirectional LSP. DM (including delay and delay jitter
measurement) needs to be configured to monitor the delay and delay jitters between LSRs and
provide performance statistics about the MPLS-TP network.
Link reliability must be guaranteed when MPLS-TP is used to increase bandwidth usage. This
configuration example uses voice services as an example. The coding and decoding of voice
packets plus the transmission delay cause the VoIP transmission delay to be much longer than
the delay in common circuit-switching-based voice transmission. If the delay is longer than 400
ms, voice quality is obviously affected. If the delay is longer than 2 seconds, VoIP services are
unavailable. In addition, if the delay jitter is longer than the transmission of a voice packet, voice
quality will drop greatly.
DM can be used to collect packet loss statistics and evaluate link performance. DM is a
performance monitoring function provided by MPLS-TP, including one-way DM and two-way
DM.
NOTE
The configuration of two-way DM is used as an example in this section. The configuration of one-way DM is
the same as that of two-way DM except the configuration for querying packet loss statistics.
Deploy the following items to guarantee the connectivity between ATNA and CX-C:
l

Loopback1
1.1.1.1/32
Loopback1
2.2.2.2/32
GE0/2/0
2.1.1.1/24
ATNA
GE1/0/0
2.1.1.2/24
Loopback1
3.3.3.3/32
GE2/0/0
GE1/0/0
3.2.1.1/24 3.2.1.2/24
CX-B
CX-C
1.
2.
Issue 02 (2013-12-31)

1178

Equipment
3.
3 Reliability
Enable two-way DM.
Data Preparation
l
MEG name
Procedure
For details about how to configure a bidirectional LSP between T-PEs, see "Configuring a Static
# Create an ME named test on ATNA and bind the ME to Tunnel0/1/1.
[ATNA-mpls-tp-meg-test] me te interface Tunnel0/1/1 mep-id 1 remote-mep-id 2

Step 3 Enable two-way DM.

[ATNA-mpls-tp-meg-test] delay-measure two-way
Two-way delay measure statistics
delay(us):
delay variation(us):
182
-182
0
182
0
183
1
182
1
The Max delay:183, The Max delay variation:1
The Min delay:182, The Min delay variation:0
The delay average:182, The delay variation average:1
Total sent Packets Number:5, Total received Packets Number: 5
----End
Configuration Files
l

#
sysname ATNA
#
mpls lsr-id 1.1.1.1
mpls
mpls te
#
Issue 02 (2013-12-31)

1179

Equipment
3 Reliability
#
interface GE0/2/0
undo shutdown
ip address 2.1.1.1 255.255.255.0
mpls
mpls te
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
destination 3.3.3.3
mpls te commit
#
ip route-static 2.2.2.2 255.255.255.255 2.1.1.2
ip route-static 3.3.3.3 255.255.255.255 2.1.1.2
#
mpls-tp meg test
#
return

#
sysname Quidway
#
mpls lsr-id 2.2.2.2
mpls
mpls te
#
#
interface GE1/0/0
undo shutdown
ip address 2.1.1.2 255.255.255.0
mpls
mpls te
#
interface GE2/0/0
undo shutdown
ip address 3.2.1.1 255.255.255.0
mpls
mpls te
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ip route-static 1.1.1.1 255.255.255.255 2.1.1.1
ip route-static 3.3.3.3 255.255.255.255 3.2.1.2
#
return
Issue 02 (2013-12-31)

1180

Equipment
3 Reliability
#
sysname CX-C
#
mpls lsr-id 3.3.3.3
mpls
mpls te
#
#
interface GE1/0/0
undo shutdown
ip address 3.2.1.2 255.255.255.0
mpls
mpls te
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
destination 1.1.1.1
mpls te commit
#
ip route-static 1.1.1.1 255.255.255.255 3.2.1.1
ip route-static 2.2.2.2 255.255.255.255 3.2.1.1
#
mpls-tp meg test
#
return
Example for Configuring CC and CV for a PW

PEs are connected using a PW that is built over a bidirectional LSP. CC and CV are configured
to monitor the connectivity between PEs and detect faults on the MPLS-TP network.
As shown in Figure 3-91, ATNA, CX-B, and CX-C are connected using a PW bulit over a
bidirectional LSP. The following deployment is performed to guarantee the connectivity and
correct packet forwarding between ATNA and CX-C:
l
Configure CC and CV on the MEPs.

l
Issue 02 (2013-12-31)
CC is a pro-active OAM operation. It detects connectivity between the two MEPs of a

bidirectional LSP in a MEG. A MEP sends CCMs to its RMEP at intervals. If the RMEP
does not receives CCMs within a period 3.5 times the specified interval, it considers that
the connectivity between the two MEPs is faulty and will report an alarm and enter the
1181

Equipment
3 Reliability
Down state.
l
CV is also a pro-active OAM operation. It enables a MEP to report alarms when the MEP
receives unexpected packets transmitted over bidirectional LSPs. For example, if a CVenabled device receives a packet from a PW and finds that this packet is mistakenly
transmitted by the PW, the device will report an alarm indicating a forwarding error.
Loopback1
1.1.1.1/32
Loopback1
2.2.2.2/32
GE0/2/0
2.1.1.1/24
GE1/0/0
2.1.1.2/24
ATNA
Loopback1
3.3.3.3/32
GE2/0/0
GE1/0/0
3.2.1.1/24 3.2.1.2/24
CX-B
CX-C
1.
Create an ME and bind it to a PW.
2.
Configure the interval between CCM transmissions and priority of CCMs.
3.
Enable CC and CV.
Data Preparation
l
MEG name
Interval between CCM transmissions and priority of CCMs
Procedure
Step 1 Set up a PW over a bidirectional LSP.
For details about how to set up a PW (between LSRs) based on a bidirectional LSP, see see
"Configuring a PW" in the <Configuration Guide-MPLS or information in the configuration
files of this configuration example.
Step 2 Create an ME and bind it to a PW.
# Create an ME named test on ATNA and bind the ME to the PW.
Issue 02 (2013-12-31)

1182

Equipment
3 Reliability

[ATNA-mpls-tp-meg-test] me l2vc peer-ip 3.3.3.3 vc-id 30000 vc-type vlan mep-id 1
remote-mep-id 2
# Create an ME named test on CX-C and bind the ME to the PW.

[CX-C-mpls-tp-meg-test] me l2vc peer-ip 1.1.1.1 vc-id 30000 vc-type vlan mep-id 2
remote-mep-id 1
Step 3 Enable CC and CV.

# Enable CC and CV on ATNA.
# Enable CC and CV on CX-C.


Run the display mpls-tp oam meg command on ATNA to view MEG information.
<ATNA> display mpls-tp oam meg test
-------------------------------------------------MEG test
-------------------------------------------------meg name
: test
meg level
: 7
me count
: 1
cc send
: enable
cc receive
: enable
cc interval
: 1000
cc exp
: 7
ais
: disable
ais interval
: 1000
ais exp
: 7
lock
: disable
lock interval
: 1000
lock exp
: 7
csf
: disable
csf interval
: 1000
csf exp
: 7
lm single-end receive
: disable
lm single-end pro-active
: enable
lm single-end SD1 threshold
: 1
lm single-end SD2 threshold
: 10
lm dual-end
: disable
[ME 1]
index
direction
mep id
remote mep id
status board
service type
peer ip
remote peer ip
2.2.2.2
vc id
vc type
ttl
state
Issue 02 (2013-12-31)
:
:
:
:
:
:
:
:
0
dual
1
2
3
vll-pw
1.1.1.1
:
:
:
:
30000
VLAN
1
UP

1183

Equipment
3 Reliability
alarm indicate
: no alarm
--------------------------------------------------
----End
Configuration Files
l

#
sysname ATNA
#
mpls lsr-id 1.1.1.1
mpls
mpls te
#
mpls l2vpn
#
#
pw-template tpatoc
control-word
tnl-policy tpatoc
#
interface GE0/2/0
undo shutdown
ip address 2.1.1.1 255.255.255.0
mpls
mpls te
#
interface GE0/2/4.1
vlan-type dot1q 1
mpls
mpls static-l2vc pw-template tpatoc 30000 transmit-vpn-label 101 receive-vpnlabel 101
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
destination 3.3.3.3
mpls te commit
#
ip route-static 2.2.2.2 255.255.255.255 2.1.1.2
ip route-static 3.3.3.3 255.255.255.255 2.1.1.2
#
tunnel-policy tpatoc
#
mpls-tp meg test
me l2vc peer-ip 3.3.3.3 vc-id 30000 vc-type vlan mep-id 1 remote-mep-id 2
cc send enable
cc receive enable
#
return
Issue 02 (2013-12-31)

1184

Equipment
3 Reliability

#
sysname CX-B
#
mpls lsr-id 2.2.2.2
mpls
mpls te
#
#
interface GE1/0/0
undo shutdown
ip address 2.1.1.2 255.255.255.0
mpls
mpls te
ais enable
#
interface GE2/0/0
undo shutdown
ip address 3.2.1.1 255.255.255.0
mpls
mpls te
ais enable
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ip route-static 1.1.1.1 255.255.255.255 2.1.1.1
ip route-static 3.3.3.3 255.255.255.255 3.2.1.2
#
return

#
sysname CX-C
#
mpls lsr-id 3.3.3.3
mpls
mpls te
#
mpls l2vpn
#
#
pw-template tpctoa
control-word
tnl-policy tpctoa
#
interface GE1/0/0
undo shutdown
ip address 3.2.1.2 255.255.255.0
mpls
mpls te
#
interface GE3/0/0.1
vlan-type dot1q 1
Issue 02 (2013-12-31)

1185

Equipment
3 Reliability
mpls static-l2vc pw-template tpctoa 30000 transmit-vpn-label 101 receive-vpnlabel 101

#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
destination 1.1.1.1
mpls te commit
#
ip route-static 1.1.1.1 255.255.255.255 3.2.1.1
ip route-static 2.2.2.2 255.255.255.255 3.2.1.1
#
tunnel-policy tpctoa
#
mpls-tp meg test
cc send enable
cc receive enable
#
return
Example for Configuring LB for a PW

PEs are connected using a PW that is built over a bidirectional LSP. CC and CV are configured
to monitor the connectivity between PEs and detect faults on the MPLS-TP network.
As shown in Figure 3-92, ATNA, CX-B, and CX-C are connected using a PW over a
bidirectional LSP. The following deployment is performed to guarantee the connectivity and
correct packet forwarding between ATNA and CX-C:
l
LB can be used to check the following items:

l
Reachability of the REMP
Round-trip delay in communication between the MEP and RMEP
Loss of ping packets between the MEP and RMEP

NOTE
LB counts only the ping packets that are lost after being sent out, providing a rough packet loss ratio of
the link between MEPs. LM can be used to obtain an accurate packet loss ratios of the link between MEPs.
Issue 02 (2013-12-31)

1186

Equipment
3 Reliability
Loopback1
1.1.1.1/32
Loopback1
2.2.2.2/32
GE0/2/0
2.1.1.1/24
GE1/0/0
2.1.1.2/24
ATNA
Loopback1
3.3.3.3/32
GE2/0/0
GE1/0/0
3.2.1.1/24 3.2.1.2/24
CX-B
CX-C
1.
2.
Enable LB.
Data Preparation
l
MEG name
Procedure
"Configuring a PW" in the ATNMulti-service Access Equipment Configuration Guide-MPLS or
information in the configuration files of this configuration example.
remote-mep-id 2

remote-mep-id 1
Step 3 Enable LB.

NOTE
LB can be used to detect the connectivity between a MEP and its RMEP or a MIP. In this example, LB is used
to detect the connectivity between ATNA and CX-B.
Enable LB on ATNA.
Issue 02 (2013-12-31)

1187

Equipment
<ATNA> ping meg test
PING test: 9 data bytes, press CTRL_C
--- ping statistics --3 packet(s) transmitted
0.00% packet loss
round-trip min/avg/max 90/96/100 ms
3 Reliability
to break
time=100 ms
time=90 ms
time=100 ms
----End
Configuration Files
l

#
sysname ATNA
#
mpls lsr-id 1.1.1.1
mpls
mpls te
#
mpls l2vpn
#
#
pw-template tpatoc
control-word
tnl-policy tpatoc
#
interface GE0/2/0
undo shutdown
ip address 2.1.1.1 255.255.255.0
mpls
mpls te
#
interface GE0/2/4.1
vlan-type dot1q 1
mpls
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
destination 3.3.3.3
mpls te commit
#
ip route-static 2.2.2.2 255.255.255.255 2.1.1.2
ip route-static 3.3.3.3 255.255.255.255 2.1.1.2
#
Issue 02 (2013-12-31)

1188

Equipment
3 Reliability
#
mpls-tp meg test
#
return

#
sysname CX-B
#
mpls lsr-id 2.2.2.2
mpls
mpls te
#
#
interface GE1/0/0
undo shutdown
ip address 2.1.1.2 255.255.255.0
mpls
mpls te
ais enable
#
interface GE2/0/0
undo shutdown
ip address 3.2.1.1 255.255.255.0
mpls
mpls te
ais enable
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ip route-static 1.1.1.1 255.255.255.255 2.1.1.1
ip route-static 3.3.3.3 255.255.255.255 3.2.1.2
#
return

#
sysname CX-C
#
mpls lsr-id 3.3.3.3
mpls
mpls te
#
mpls l2vpn
#
#
pw-template tpctoa
control-word
tnl-policy tpctoa
#
interface GE1/0/0
undo shutdown
ip address 3.2.1.2 255.255.255.0
mpls
Issue 02 (2013-12-31)

1189

Equipment
3 Reliability
mpls te
#
interface GE3/0/0.1
vlan-type dot1q 1
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
destination 1.1.1.1
mpls te commit
#
ip route-static 1.1.1.1 255.255.255.255 3.2.1.1
ip route-static 2.2.2.2 255.255.255.255 3.2.1.1
#
#
mpls-tp meg test
#
return
Example for Configuring LM for a PW

PEs are connected using a PW that is built over a bidirectional LSP. LM needs to be configured
to monitor packet loss ratios between LSRs and provide performance statistics of the MPLS-TP
network.
Link reliability must be guaranteed when MPLS-TP is used to increase bandwidth usage. For
example, users will not sense change in voice quality if the packet loss ratio on voice links is
lower than 10%. If the packet loss ratio is higher than 20%, voice quality will deteriorate
obviously.
LM can be used to collect packet loss statistics and evaluate link performance. LM is one of the
performance monitoring functions provided by MPLS-TP. It includes single-ended LM and
dual-ended LM.
NOTE
The section uses the configuration of dual-ended LM as an example. The configuration of single-ended LM is
the same as that of dual-ended LM except the configuration for querying packet loss statistics.
As shown in Figure 3-93, ATNA, CX-B, and CX-C are connected using a PW over a
bidirectional LSP. The following deployment is performed to guarantee the connectivity
between ATNA and CX-C:
Issue 02 (2013-12-31)

1190

Equipment
3 Reliability
Loopback1
1.1.1.1/32
Loopback1
2.2.2.2/32
GE0/2/0
2.1.1.1/24
GE1/0/0
2.1.1.2/24
ATNA
Loopback1
3.3.3.3/32
GE2/0/0
GE1/0/0
3.2.1.1/24 3.2.1.2/24
CX-B
CX-C
1.
2.
3.
Configure an alarm threshold for packet loss measurement.
4.
Enable dual-ended LM.
Data Preparation
l
MEG name
Alarm threshold for packet loss measurement
Procedure
"Configuring a PW" in the Configuration Guide-MPLS or information in the configuration files
remote-mep-id 2

Issue 02 (2013-12-31)

1191

Equipment
3 Reliability

remote-mep-id 1
Step 3 Enable CC on the MEP and RMEP.

# Enable CC on ATNA.
# Enable CC on CX-C.
Step 4 Configure an alarm threshold for packet loss measurement.

# Configure an alarm threshold for packet loss measurement on ATNA.
[ATNA-mpls-tp-meg-test] lost-measure dual-ended loss-ratio threshold1 50
# Configure an alarm threshold for packet loss measurement on CX-C.

[CX-C-mpls-tp-meg-test] lost-measure dual-ended loss-ratio threshold1 50
Step 5 Enable dual-ended LM.

# Enable dual-ended LM on ATNA.
[ATNA-mpls-tp-meg-test] lost-measure dual-ended enable
# Enable dual-ended LM on CX-C.

[CX-C-mpls-tp-meg-test] lost-measure dual-ended enable

Run the display mpls-tp oam command on ATNA to view statistics about packet loss ratios.
<ATNA> display mpls-tp oam meg test statistic-type lost-measure dual-ended
Dual-end loss measurement statistics:
Index Near-end lost frames Loss ratio Far-end lost frames Loss ratio
1
10
12.50%
10
12.50%
Max near-end lost frames:10,frame loss ratio:12.50%
Min near-end lost frames:10,frame loss ratio:12.50%
Average near-end lost frames:10,frame loss ratio:12.50%
Max far-end lost frames:10,frame loss ratio:12.50%
Min far-end lost frames:10,frame loss ratio:12.50%
Average far-end lost frames:10,frame loss ratio:12.50%
----End
Configuration Files
l

#
sysname ATNA
#
mpls lsr-id 1.1.1.1
mpls
mpls te
#
mpls l2vpn
#
#
pw-template tpatoc
Issue 02 (2013-12-31)

1192

Equipment
3 Reliability
control-word
tnl-policy tpatoc
#
interface GE0/2/0
undo shutdown
ip address 2.1.1.1 255.255.255.0
mpls
mpls te
#
interface GE0/2/4.1
vlan-type dot1q 1
mpls
mpls l2vpn pw traffic-statistics enable
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
destination 3.3.3.3
mpls te commit
#
ip route-static 2.2.2.2 255.255.255.255 2.1.1.2
ip route-static 3.3.3.3 255.255.255.255 2.1.1.2
#
#
mpls-tp meg test
cc send enable
cc receive enable
#
return

#
sysname CX-B
#
mpls lsr-id 2.2.2.2
mpls
mpls te
#
#
interface GE1/0/0
undo shutdown
ip address 2.1.1.2 255.255.255.0
mpls
mpls te
#
interface GE2/0/0
undo shutdown
Issue 02 (2013-12-31)

1193

Equipment
3 Reliability
ip address 3.2.1.1 255.255.255.0

mpls
mpls te
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ip route-static 1.1.1.1 255.255.255.255 2.1.1.1
ip route-static 3.3.3.3 255.255.255.255 3.2.1.2
#
return

#
sysname CX-C
#
mpls lsr-id 3.3.3.3
mpls
mpls te
#
mpls l2vpn
#
#
pw-template tpctoa
control-word
tnl-policy tpctoa
#
interface GE1/0/0
undo shutdown
ip address 3.2.1.2 255.255.255.0
mpls
mpls te
#
interface GE3/0/0.1
vlan-type dot1q 1
mpls l2vpn pw traffic-statistics enable
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
destination 1.1.1.1
mpls te commit
#
ip route-static 1.1.1.1 255.255.255.255 3.2.1.1
ip route-static 2.2.2.2 255.255.255.255 3.2.1.1
#
#
Issue 02 (2013-12-31)

1194

Equipment
3 Reliability
mpls-tp meg test

cc send enable
cc receive enable
#
return
Example for Configuring DM for a PW

PEs are connected using a PW that is built over a bidirectional LSP. DM (including delay and
delay jitter measurement) needs to be configured to monitor delays and delay jitters between
PEs and provide performance statistics about the MPLS-TP network.
Link reliability must be guaranteed when MPLS-TP is used to increase bandwidth usage. This
configuration example uses voice services as an example. The coding and decoding of voice
packets plus the transmission delay cause the VoIP transmission delay to be much longer than
the delay in common circuit-switching-based voice transmission. If the delay is longer than 400
ms, voice quality is obviously affected. If the delay is longer than 2 seconds, VoIP services are
unavailable. In addition, if the delay jitter is longer than the transmission of a voice packet, voice
quality will drop greatly.
DM can be used to collect packet loss statistics and evaluate link performance. DM is a
performance monitoring function provided by MPLS-TP, including one-way DM and two-way
DM.
NOTE
The configuration of two-way DM is used as an example in this section. The configuration of one-way DM is
the same as that of two-way DM except the configuration for querying packet loss statistics.
As shown in Figure 3-94, ATNA, CX-B, and CX-C are connected using a PW built over a
bidirectional LSP. The following deployment is performed to guarantee the connectivity
between ATNA and CX-C:
l
Loopback1
1.1.1.1/32
Loopback1
2.2.2.2/32
GE0/2/0
2.1.1.1/24
ATNA
Issue 02 (2013-12-31)
GE1/0/0
2.1.1.2/24
Loopback1
3.3.3.3/32
GE2/0/0
GE1/0/0
3.2.1.1/24 3.2.1.2/24
CX-B

CX-C
1195

Equipment
3 Reliability
1.
2.
3.
Enable two-way DM.
Data Preparation
l
MEG name
Procedure
"Configuring a PW" in the Configuration Guide-MPLS or information in the configuration files
remote-mep-id 2

remote-mep-id 1
Step 3 Enable two-way DM.

<ATNA> delay-measure two-way
Two-way delay measure statistics
delay(us):
delay variation(us):
100
-100
0
100
0
99
1
100
1
The Max delay:100, The Max delay variation:1
The Min delay:99, The Min delay variation:0
The delay average:100, The delay variation average:1
Total sent Packets Number:5, Total received Packets Number: 5
----End
Configuration Files
l
Issue 02 (2013-12-31)

1196

Equipment
3 Reliability
#
sysname ATNA
#
mpls lsr-id 1.1.1.1
mpls
mpls te
#
mpls l2vpn
#
#
pw-template tpatoc
control-word
tnl-policy tpatoc
#
interface GE0/2/0
undo shutdown
ip address 2.1.1.1 255.255.255.0
mpls
mpls te
#
interface GE0/2/4.1
vlan-type dot1q 1
mpls
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
destination 3.3.3.3
mpls te commit
#
ip route-static 2.2.2.2 255.255.255.255 2.1.1.2
ip route-static 3.3.3.3 255.255.255.255 2.1.1.2
#
#
mpls-tp meg test
#
return

#
sysname CX-B
#
mpls lsr-id 2.2.2.2
mpls
mpls te
#
Issue 02 (2013-12-31)

1197

Equipment
3 Reliability
#
interface GE1/0/0
undo shutdown
ip address 2.1.1.2 255.255.255.0
mpls
mpls te
ais enable
#
interface GE2/0/0
undo shutdown
ip address 3.2.1.1 255.255.255.0
mpls
mpls te
ais enable
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ip route-static 1.1.1.1 255.255.255.255 2.1.1.1
ip route-static 3.3.3.3 255.255.255.255 3.2.1.2
#
return

#
sysname CX-C
#
mpls lsr-id 3.3.3.3
mpls
mpls te
#
mpls l2vpn
#
#
pw-template tpctoa
control-word
tnl-policy tpctoa
#
interface GE1/0/0
undo shutdown
ip address 3.2.1.2 255.255.255.0
mpls
mpls te
#
interface GE3/0/0.1
vlan-type dot1q 1
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
destination 1.1.1.1
Issue 02 (2013-12-31)

1198

Equipment
3 Reliability

mpls te commit
#
ip route-static 1.1.1.1 255.255.255.255 3.2.1.1
ip route-static 2.2.2.2 255.255.255.255 3.2.1.1
#
#
mpls-tp meg test
#
return
3.10 ISSU Configuration

This chapter describes the process of the ISSU and how to configure ISSU to shorten service
interruption during the upgrade and improve device reliability.
3.10.1 Introduction
Only devices with two main control boards (such as ATN 950Bs) support ISSU
configuration.ISSU ensures the uninterrupted traffic forwarding during the software update on
a single device. ISSU is classified into lossy ISSU and lossless ISSU.
Introduction to ISSU
ISSU implements the independent upgrade on a single device of a network and ensures
uninterrupted traffic transmission during the upgrade.
ISSU Overview
In-Service Software Upgrade (ISSU) provides the mechanism in which current service
forwarding is not interrupted to the maximum extent during upgrade or rollback of software
version on the device.
ISSU reduces service interruption time as possible during software upgrade, thus increasing
device reliability; it also minimizes the impact of upgrade failure on the system through rollback.
Requirements on the System

To implement the ISSU on a single device, the system should meet the following requirements:
l
The software version running in the system supports ISSU.
The main boards support 1:1 redundancy backup. During ISSU, the SMB is upgraded to
the new version, and forwarding planes switch from AMB to SMB. Then, the SMB replace
the AMB. Finally, the original AMB is upgraded to the new version and thus ISSU of the
whole device is complete.
The system supports the None Stop Routing (NSR). NRS becomes effective in the realtime synchronization phase during an ISSU upgrade. When the control plane is faulty, the
Issue 02 (2013-12-31)

1199

Equipment
3 Reliability
backup control plane takes over and the services carried by the device will not be affected.
When the device restarts or is undergoing an active/standby switchover, its peer will not
detect the restart or switchover, and the control flow will not be interrupted during the
switchover.
l
The configuration data of different versions before master/slave switch can be synchronized
between the AMB and the SMB. ISSU synchronizes the configuration data of the AMB
and the SMB by restoring configurations. That is, the AMB saves a temporary configuration
file, through which the SMB restores the configurations.
ISSU Supported by the ATN

The ISSU features include the ISSU modes and the ISSU process.
ISSU Mode
ATN supports two ISSU modes:
l
Lossless ISSU
In this mode, the configurations and data of the old AMB are synchronized with the new
AMB. This upgrade mode requires a higher performance of the system.
Lossy ISSU
In this mode, the configurations and data of the old AMB are synchronized with the new
AMB. If a sub-board logic has to be upgraded as required, a logic upgrade results in a reset
on the sub-board after the plane is switched. During the reset, the services on the sub-board
are interrupted.
ISSU Process
The ISSU process is as follows:
1.
ISSU resets the SMB based on the new version. In this manner, the SMB form a new
forwarding plane and control plane.
2.
Data synchronization and configuration restoration are performed between the AMB and
the SMB.
3.
The old control plane and forwarding plane are replaced with the new control plane and
forwarding plane. Then, ISSU is complete.
3.10.2 Implementing ISSU

By implementing ISSU, you can implement the software upgrade on a single device without
service interruption.

Before implementing ISSU, familiarize yourself with the applicable environment, complete the
Issue 02 (2013-12-31)

1200

Equipment
3 Reliability
ISSU ensures the reliability of upgrades, reduces service interruption time, and relieves the
impact of upgrade on users.
Before ISSU, ensure that the current version of the system supports ISSU. During ISSU, it is
recommended that you not make any change on hardware.
Ensure that the control terminal of the ATN is connected to the AMB and SMB on the network.
Before implementing ISSU, complete the following tasks:
l
Powering on the ATN and starting it normally
Downloading resource files of the new version to the AMB, and copy from AMB to
SMB. For the configuration procedures of downloading resource files, refer to the chapter
"FTP and TFTP" in the Configuring the ATN to Be the FTP Client Uploading or
Downloading Files
Data Preparation
To implement ISSU, you need the following data.
No.
Data
Length of the ISSU rollback timer
(Optional) Configuring ISSU Precheck

Before implementing ISSU, the operator must check whether ISSU can be implemented on the
device. The pre-checks include the hardware compatibility check and software compatibility
check.
Context
Before implementing ISSU, you can run the issu precheck command to perform precheck.
ISSU precheck contains hardware compatibility check and software compatibility check.
l
Hardware compatibility check, also called resource check, is performed to determine

whether the interface board supports ISSU.
ISSU software compatibility check is performed to determine the ISSU modes supported
by each module.
ISSU precheck has little impact on the system and does not cause the SMB to reset, and can be
used in non-ISSU phases.
Perform the following steps on the device on which ISSU is performed:
Issue 02 (2013-12-31)

1201

Equipment
3 Reliability
Procedure
Step 1 Run:
issu precheck system-software system-file
The ISSU precheck is performed.

After ISSU precheck is complete, the system automatically provides the precheck result.
----End
(Optional) Configuring the Length of the ISSU Rollback Timer

You can set the value of the ISSU rollback timer. After the configuration, you must complete
the upgrade before the timer expires; otherwise, the upgrade fails.
Context
Perform the following steps on the device on which ISSU is performed:
Procedure
Step 1 Run:
issu timer rollback time
The length of the ISSU rollback timer is set.

When the system enters the ISSU check phase, the ISSU rollback timer is automatically activated
and its length is 120 minutes by default.
----End
Starting ISSU
By implementing ISSU, you can shorten service interruption and improve reliability of a device.
Context
During implementing ISSU, follow the prompts and interactive information of the system.
Do as follows on the device on which ISSU is performed:
Procedure
Step 1 Run:
issu check system-software system-file
ISSU is checked.
Once the command is run, the system has entered the ISSU check phase. ISSU check is performed
to obtain the ISSU modes supported by the system and provides the check result in prompt
information. ISSU check has the following impact on the system:
l The SMB is reset on the basis of the new version, and then it is registered as a new AMB.
l The system view cannot be entered.
Issue 02 (2013-12-31)

1202

Equipment
3 Reliability
l The ISSU rollback timer is activated. ISSU must be finished before the timer expires.
Otherwise, ISSU may fail.
For the interactive information and description during ISSU check, refer to Table 3-66.
Table 3-66 Description of the issu check command output
Interactive information
Description
Warning: The value of the ISSU

rollback timer is 120 minutes. The
system will begin the ISSU upgrade.
Continue? [Y/N]:
Warning: The length of the ISSU rollback timer is

120 minutes. The system will start ISSU.
Continue? [Y/N]
l If you enter y, the system starts ISSU and
performs ISSU check.
l If you enter n, the system aborts the running of
the issu check command and then quits ISSU.
Step 2 Run:
issu start
ISSU is started.
If you need to abort ISSU, run the Step 4 command.
For the interactive information and description during ISSU startup, refer to Table 3-67.
Table 3-67 Description of the issu start command output
Description
Info: The lossless ISSU process will

start. Continue? [Y/N]:
Info: Lossless ISSU will start. Continue? [Y/N]

l If you enter Y, the system starts ISSU in lossless
mode.
l If you enter N, the system aborts the running of
the issu start command and waits for the next
operation.
If you need to continue ISSU, run the issu
start command according to the prompt
before the ISSU rollback timer expires.
If you need to abort ISSU, run the issu
abort command.
If you do not run the issu start or issu
abort command before the ISSU rollback
timer expires, the system rolls back and
quits ISSU.
Step 3 display issu backup state

Issue 02 (2013-12-31)

1203

Equipment
3 Reliability
Through this, you can view the status of data backup between the new AMB and old AMB.
Then, you can determine whether the plane switch is available. The plane switch is available
only when the system is in the real-time backup state.
issu abort
ISSU is aborted.
l If you need to abort ISSU, follow this step instead of Step 5 and Step 6.
l If you need to continue ISSU, skip this step and follow Step 5.
For interactive information and description during ISSU check, refer to Table 3-68.
Table 3-68 Description of the issu abort command output
Description
Warning: The ISSU upgrade will be

aborted, and the system will roll back
to old version. Continue? [Y/N]:
Warning: The ISSU will be aborted, and the system

will roll back to the old version. Continue? [Y/N]
l If you enter y, the ISSU is aborted, and the system
will roll back to the old version.
l If you enter n, the system aborts the running of the
issu abort command and continues ISSU.
Step 5 Run:
issu switchover [ force ]
The planes are switched.

NOTE
During the ISSU plane switch, the Telnet connection may be terminated. This indicates a normal situation
and you need to wait for 30 seconds. After 30 seconds, you can press Enter to re-log in to the device that
performs ISSU.
Step 6 Run:
issu confirm
ISSU is confirmed.
NOTE
If you check the status of the AMB and SMB after the ISSU plane switch is complete, you can find that
the new AMB is still in the slave state. This is because the hardware switch has not finished yet. After you
run the issu confirm command to confirm the ISSU operation and the old AMB restarts with the new
version, check the status of the AMB and SMB. At this time, you can find that both ISSU plane switch and
hardware switch are complete and the status of the new AMB becomes Master.
----End

By viewing the value of the ISSU timer and the backup status, you can check whether the
configurations are successful.
Issue 02 (2013-12-31)

1204

Equipment
3 Reliability
Prerequisites
All configurations of ISSU are complete.
Procedure
l
Run the display issu timer rollback command to view the length of the ISSU rollback
timer.
Run the display issu module command to view the modules that supports ISSU.
Run the display issu check-result command to view the result of ISSU check.
Run the display issu backup state command to view the status of ISSU backup.
Run the display issu backup-result [ state { resource-prepare | backup-prepare |

backup1 | backup2 | backup3 | smooth | smooth-all-over } ] command to view the result
of ISSU backup.
Run the display issu recover-configuration command to view the commands that fail to
restore configurations.
Run the display issu switch-result { check | prepare | age } command to view the result
of ISSU switch check, switch preparation, and the cause of switch failure.
Run the display issu state command to view which ISSU phase the system passes.
----End
Example
Run the display issu timer rollback command to view the length of the ISSU rollback timer.
<HUAWEI> display issu timer rollback
The length of the rollback timer is 60 minutes. There are 31 minutes left.
Run the display issu module command to view the modules that supports ISSU.
<HUAWEI> display issu module
----------------------------------------------------------Slot
ModuleId
ModuleName
----------------------------------------------------------8
0x41470000
AAA
8
0x40E90000
ND
8
0x40E00000
FIB6
8
0x41270000
RPR
8
0x416E0000
ARP
8
0x40A40000
CHDLC
8
0x400F0000
DHCPS
8
0x400D0000
DHCPR
8
0x404A0000
PPP
8
0x40910000
FR
8
0x40CF0000
ATM
8
0x40010000
FIB
-----------------------------------------------------------
Run the display issu check-result command to view the result of ISSU check.
<HUAWEI> display issu check-result
System upgrade type
: lossless
System maximum down time : 5 seconds
Interface board compatibility:
--------------------------------------------------------Slot
Type
SupportStatus
MaxDownTime(s)
Reason
---------------------------------------------------------
Issue 02 (2013-12-31)

1205

Equipment
3 Reliability
Run the display issu backup state command to view the status of ISSU backup.
<HUAWEI> display issu backup state
System backup status: real-time backup
Run the display issu backup-result [ state { resource-prepare | backup-prepare | backup1

| backup2 | backup3 | smooth | smooth-all-over } ] command to view the result of ISSU backup.
<HUAWEI> display issu backup-result
System backup-result:
----------------------------------------------------------------------------State
Result
----------------------------------------------------------------------------resource-prepare
success
backup-prepare
success
backup1
success
backup2
success
backup3
success
smooth
smooth-all-over
----------------------------------------------------------------------------Interface board backup-result:
----------------------------------------------------------------------------Slot
State
Result
---------------------------------------------------------------------------------------------------------------------------------------------------------
Run the display issu recover-configuration command to view the result of ISSU configuration
restoration.
<HUAWEI> display issu recover-configuration
--------------------------------------------------------------Slot
ViewName
Reason
--------------------------------------------------------------8
System-view
display bgp peer
parse failure
8
Interface Ethernet 0/2/0
display this
run failure
---------------------------------------------------------------
Run the display issu switch-result { check | prepare | age } command to view the result of
ISSU switch and switch preparation, and the cause of switch failure.
<HUAWEI> display issu switch-result check
----------------------------------------------------------------------------Slot
Type
Result
----------------------------------------------------------------------------7
old AMB
unknown
8
new AMB
unknown
-----------------------------------------------------------------------------
Run the display issu state command to view which ISSU phase the system passes.
<HUAWEI> display issu state
-----------------------------------------------Phase
State
-----------------------------------------------1.ISSU check
finished
2.ISSU start
finished
3.ISSU switchover
finished
4.ISSU confirm
-----------------------------------------------The cancel ISSU command : issu abort.
Issue 02 (2013-12-31)

1206

Equipment
3 Reliability
3.10.3 Maintaining ISSU

This section describes how to maintain ISSU.
Monitoring the Running Status of ISSU

By monitoring the operating status of ISSU, you can view information about ISSU.
Context
In routine maintenance, you can run the following command in the user view to display the
running of ISSU.
Procedure
l
Run the display issu timer rollback command in the user view to view the length of the
ISSU rollback timer.
Run the display issu module command in the user view to view the modules that support
ISSU.
Run the display issu check-result command in the user view to check the result of ISSU
check.
Run the display issu backup state command in the user view to check the status of ISSU
backup.
Run the display issu backup-result [ state { resource-prepare | backup-prepare |

backup1 | backup2 | backup3 | smooth | smooth-all-over } ] command in the user view
to view the result of ISSU backup.
Run the display issu recover-configuration command in the user view to view the result
of ISSU configuration restoration.
Run the display issu switch-result { check | prepare | age } command in the user view to
view the result of ISSU switch check, switch preparation, and the cause of switch failure.
----End

The following section provides an example of the ISSU process. The configuration example
consists of the networking requirements, configuration roadmap, configuration procedures, and
configuration files.
Example for Implementing ISSU

In this example, through the introduction to the ISSU process, you can configure ISSU to
minimize service interruption during the software upgrade.
ISSU can be performed on a single device in any networking environment.
Issue 02 (2013-12-31)

1207

Equipment
3 Reliability
1.
Set the length of the ISSU rollback timer.
2.
Perform ISSU feasibility check.
3.
Start ISSU.
4.
Switch planes.
5.
Confirm ISSU.
Data Preparation
l
Length of the ISSU rollback timer
Procedure
Step 1 Set the length of the ISSU rollback timer to 240 minutes.
Step 2 Perform ISSU check to determine ISSU mode.
<HUAWEI> issu check system-software ATNV200R003C00.cc
Step 3 Start ISSU.

<HUAWEI> issu start
Step 4 Switch planes.

<HUAWEI> issu switchover
NOTE
During the ISSU plane switch, the Telnet connection may be terminated. This indicates a normal situation
and you need to wait for 30 seconds. After 30 seconds, you can press Enter to re-log in to the device that
performs ISSU.
Step 5 Confirm ISSU on the new AMB.

<HUAWEI> issu confirm
Info: The slave MPU of the new version reboots. After the reboot is complete, the
system automatically exits from ISSU.
NOTE
If you check the status of the AMB and SMB after the ISSU plane switch is complete, you can find that
the new AMB is still in the slave state. This is because the hardware switch has not finished yet. After you
run the ISSU confirm command to confirm the ISSU operation and the old AMB restarts with the new
version, check the status of the AMB and SMB. At this time, you can find that both ISSU plane switch and
hardware switch are complete and the status of the new AMB becomes Master.
Step 6 Check whether the software version of the current system is correct to further confirm ISSU.
MainBoard:
Startup paf file:
Issue 02 (2013-12-31)
cfcard:/ATNV200R003C00.cc
cfcard:/
cfcard:/
default
default

1208

Equipment
SlaveBoard:
Startup paf file:
3 Reliability
default
default
NULL
NULL
cfcard:/
cfcard:/
default
default
default
default
NULL
NULL
----End
Configuration Files
None
3.11 Glossary
Glossary
Description
Numerics
A
AMB
Active Main Board
B
BFD
Bidirectional Forwarding Detection
BGP
D
DMTI
Desired Min TX Interval
F
FRR
Fast ReRoute
G
GR
Graceful Restart
H
HA
Issue 02 (2013-12-31)
High Availability

1209

Equipment
Glossary
3 Reliability
Description
L
LSP
Label Switched Path
M
MTBF
Mean Time Between Failure
R
RMTI
Required Min TX Interval
S
SMB
Second Main Board
SP
service provider
U
URL
uniform resource locator
V
VRRP
W
WTR
Wait To Restore

Acronyms and
Abbreviations
Description
A
AMB
Active Main Board
B
BFD
Bidirectional Forwarding Detection
BGP
D
DMTI
Issue 02 (2013-12-31)
Desired Min TX Interval

1210

Equipment
Acronyms and
Abbreviations
3 Reliability
Description
F
FRR
Fast ReRoute
G
GR
Graceful Restart
H
HA
High Availability
L
LSP
Label Switched Path
M
MPLS TE FRR
MultiProtocol Label Switching Traffic Engineering Fast Reroute
MTBF
Mean Time Between Failure
MTTR
Mean Time to Repair
R
RMTI
Required Min TX Interval
RUI
Redundant User Information
S
SMB
Second Main Board
SP
service provider
U
URL
uniform resource locator
V
VRRP
W
WTR
Issue 02 (2013-12-31)
Wait To Restore

1211

Equipment
4 Interface Management
Interface Management
About This Chapter

The document describes the configuration methods of interface management in terms of basic
for the interface management of the ATN equipment.
4.1 Interface Basic Configuration
This chapter describes common interface types and how to view interface information and
configure the interval for collecting interface traffic.
4.2 Logical Interface Configuration
The information provided here on interface types, configuration procedures, and configuration
examples enable you to make full use of logical interfaces.
4.3 Fast Feeling Configuration
Fast feeling is used to notify the application of physical faults in real time.
4.4 Flapping Control Configuration
Configuring interface flapping control can minimize the impact of frequent interface status
changes on the stability of the device and the network.
4.5 Transmission Alarm Configuration
Configuring transmission alarm suppression can reduce the impact of frequently-generated
transmission alarms on the stability of the network.
4.6 Glossary
This section lists frequently used glossaries in this document.
This section lists frequently used acronyms and abbreviations used in this document.
Issue 02 (2013-12-31)

1212

Equipment
4.1 Interface Basic Configuration

This chapter describes common interface types and how to view interface information and
configure the interval for collecting interface traffic.
4.1.1 Interface Basic Configuration Overview

This section describes common interface types and link layer protocols.
Interface Type
Through interfaces, a device can exchange data and interact with other devices on the network.
Interfaces can be classified into physical and logical interfaces.
Physical Interfaces
Physical interfaces exist physically and have corresponding physical components.
They are further divided into the following types:
l
Local Area Network (LAN) interfaces: ATNs exchange data with devices in a LAN through
LAN interfaces.
The LAN interfaces that the ATN supports include Ethernet interfaces. Ethernet interfaces
include Ethernet electrical interfaces, fast Ethernet interfaces, and Gigabit Ethernet
interfaces.
Wide Area Network (WAN) interfaces: ATNs exchange data with devices of external
networks through WAN interfaces.
The WAN interfaces that the ATN supports include CE1 interfaces and XDSL interfaces.
NOTE
Only ATN 910 supports the XDSL interface.
Logical Interfaces
Logical interfaces can exchange data but does not physically exist, so they must be created
through configuration.
The logical interfaces that the ATN supports include Sub-interfaces, Eth-Trunk interfaces,
VLANIF interfaces, Virtual-Ethernet (VE) interfaces, loopback interfaces, Atm-Bundle
interfaces, Ima-group interfaces, Dsl-group interfaces, Mp-group interfaces, Null interfaces, and
Tunnel interfaces.
Service Interface Numbering Rules On The ATN 910

This section describes the service interface numbering rules on the ATN 910.
On the ATN 910, an interface is numbered in the format of "LPU slot number/PIC number/port
number". The following part describes the details:
The ATN 910 has a CXPI or CXPL board (in physical slot 2).
Issue 02 (2013-12-31)

1213

Equipment
Service interfaces on a CXPI

The GE interfaces are always numbered GE 0/2/0 and GE 0/2/1; the FE interfaces are always
numbered from FE 0/2/2 to FE 0/2/9.
Service interfaces on a CXPL

The GE interfaces are always numbered GE 0/2/0 to GE 0/2/9.
Service interfaces on a subcard

l
Logical slot number of the system control board

It is the logical slot number of the CXPI/CXPL, The logical slot number is always 0.
Physical interface card number

It is the slot number of the physical interface card where service interfaces reside. The
physical interface card numbers on the ATN 910 range from 3 to 4.
Port number
The port numbers of service interfaces on a physical interface card begin with 0. Port
numbering depends on the number of interfaces on the physical interface card.
Figure 4-1 Diagram of the service interface numbering rule of the ATN 910
FE 0/2/2 to FE 0/2/5
GE 0/2/0 to GE 0/2/1
SLOT
5
SLOT
6
SLOT 3
FE 0/2/6 to FE 0/2/9
SLOT 4
SLOT 1 and SLOT 2
Service Interface Numbering Rules On The ATN 910I

This section describes the service interface numbering rules on the ATN 910I.
On the ATN 910I, an interface is numbered in the format of "slot number/subcard number/port
l
Slot number
The slot number of ATN 910I is always 0.
Subcard number
The ATN 910I does not support subcards. Therefore, the subcard number of the ATN 910I
is fixed as 2.
Port number
The port numbers of service interfaces on the ATN 910I begin with 0. Port numbering
depends on the number of interfaces on the ATN 910I.
Issue 02 (2013-12-31)

1214

Equipment
NOTE
The OAM interface is always numbered Ethernet 0/0/0.
Service interfaces on the ATN 910I

NOTE
A GE/FE auto-sensing interface is displayed as a GigabitEthernet interface on the device.
Figure 4-2 Diagram of the service interface numbering rule of the ATN 910I AC (AC power,
4GE(O)+4GE/FE(O)+4GE/FE(E))
GE 0/2/4 to GE 0/2/7
GE 0/2/0 to GE 0/2/3
GE 0/2/8 to GE 0/2/11
Figure 4-3 Diagram of the service interface numbering rule of the ATN 910I-C AC (AC power,
4GE(O)+4GE/FE(O)+4GE/FE(E)+16E1)
GE 0/2/20 to GE 0/2/23
GE 0/2/16 to GE 0/2/19
E1 0/2/0 to E1 0/2/15
GE 0/2/24 to GE 0/2/27
Figure 4-4 Diagram of the service interface numbering rule of the ATN 910I DC (DC power,
4GE(O)+4GE/FE(O)+4GE/FE(E))
GE 0/2/4 to GE 0/2/7
GE 0/2/0 to GE 0/2/3
Issue 02 (2013-12-31)
GE 0/2/8 to GE 0/2/11

1215

Equipment
Figure 4-5 Diagram of the service interface numbering rule of the ATN 910I DC (DC power,
GE 0/2/20 to GE 0/2/23
GE 0/2/16 to GE 0/2/19
E1 0/2/0 to E1 0/2/15
GE 0/2/24 to GE 0/2/27
Figure 4-6 Diagram of the service interface numbering rule of the ATN 910I-TC DC (DC power,
GE 0/2/20 to GE 0/2/23
GE 0/2/16 to GE 0/2/19
E1 0/2/0 to E1 0/2/15
GE 0/2/24 to GE 0/2/27
Service Interface Numbering Rules On The ATN 910B

This section describes the service interface numbering rules on the ATN 910B.
On the ATN 910B, an interface is numbered in the format of "slot number/subcard number/port
l
Slot number
The slot number of ATN 910B is always 0.
Subcard number
The ATN 910B does not support subcards. Therefore, the subcard number of the ATN
910B is fixed as 2.
Port number
The port numbers of service interfaces on the ATN 910B begin with 0. Port numbering
depends on the number of interfaces on the ATN 910B.
NOTE
The OAM interface is always numbered Ethernet 0/0/0.
Service interfaces on the ATN 910B

NOTE
The 10GE interface and GE/FE auto-sensing interface are displayed as a GigabitEthernet interface on the
device.
Issue 02 (2013-12-31)

1216

Equipment
Figure 4-7 Diagram of the service interface numbering rule of the ATN 910B (2*10GE(O)
+16*FE/GE(O)+8*GE(E))
FE/GE(0/2/0 to 0/2/7)
FE/GE(0/2/16 to 0/2/23)
FE/GE(0/2/8 to 0/2/15)
10GE(0/2/24 to 0/2/25)
Figure 4-8 Diagram of the service interface numbering rule of the ATN 910B (2*10GE(O)
+8*FE/GE(O)+8*GE(E)+16*E1)
FE/GE(0/2/24 to 0/2/31)
10GE(0/2/32 to 0/2/33)
FE/GE(0/2/16 to 0/2/23)
E1(0/2/0 to 0/2/15)
Service Interface Numbering Rules On The ATN 950B

This section describes the service interface numbering rules on the ATN 950B.
On the ATN 950B, an interface is numbered in the format of "LPU slot number/PIC number/
port number". The following part describes the details:
Service interfaces on a subcard

l
Logical slot number of the system control board

It is the logical slot number of the CXP, The logical slot number is always 0.
Physical interface card number

It is the slot number of the physical interface card where service interfaces reside. The
physical interface card numbers on the ATN 950B range from 1 to 6.
Port number
The port numbers of service interfaces on a physical interface card begin with 0. Port
numbering depends on the number of interfaces on the physical interface card.
Issue 02 (2013-12-31)

1217

Equipment
Figure 4-9 Diagram of the service interface numbering rule of the ATN 950B
SLOT
10
SLOT
9
SLOT
11
SLOT 7
SLOT 8
SLOT 5
SLOT 6
SLOT 3
SLOT 4
SLOT 1
SLOT 2
GTL License Restrictions on ATN 910I Ports

This topic describes the restrictions of the GTL licenses LANFGEPAYG01 and
LANFCOMBO01 on ATN 910I ports.
As shown in Figure 4-10, the usage status of the three groups of ports on the ATN 910I is
restricted by the GTL licenses LANFGEPAYG01 and LANFCOMBO01.
Figure 4-10 Three groups of ports on the ATN 910I
FE/GE0 FE/GE1 FE/GE2 FE/GE3
Group 1
Group 2
Group 3
NOTE
When a license-restricted port is locked in the shutdown state, the undo shutdown command cannot be
delivered to the port.
For a license-restricted port, the user can enter the port view and deliver configurations to the port but the
physical status of the port is locked in Down.
License LANFGEPAYG01
Control objects: ports in group 1 on ATN 910I, that is, 4 GE ports.
Control policies:
l
When LANFGEPAYG01 is activated, the license-restricted ports can be used properly.
When LANFGEPAYG01 is not activated, the license-restricted ports cannot be used and
are restricted.
When LANFGEPAYG01 is changed from the non-activated state to the activated state, the
restrictions on the license-restricted ports are released and the ports can be used properly.
Issue 02 (2013-12-31)

1218

Equipment
When LANFGEPAYG01 is changed from the activated state to the non-activated state and
the device is not restarted, the license-restricted ports can still be used properly because the
device does not process the status change.
License LANFCOMBO01
Control objects: ports in groups 2 and 3 on ATN 910I, that is, 8 GE/FE auto-sensing ports. The
8 ports are divided into 4 groups, with each group corresponding to a COMBO interface. For
example, the first optical port in group 2 and the first electrical port in group 3 comprise one
group. The rest can be deduced by analogy.
Control policies:
l
When LANFCOMBO01 is activated, all the license-restricted ports can be used properly.
When LANFCOMBO01 is not activated, the two ports in each COMBO interface compete
and only one port is available.
In each COMBO interface, the port whose link state becomes up first is available, and
the other port is restricted. The relationship between the two ports can be changed
dynamically and the link status changes of the ports trigger port competition again.
After the relationship between the two ports in a COMBO interface lasts 30 minutes,
the relationship is locked. To be specific, the link status changes of the ports do not
trigger port competition and the relationship remains the same even though the device
is restarted.
To change the port relationship after it is locked, the user can deliver the shutdown
command to the available port and then the undo shutdown command to the restricted
port.
When LANFCOMBO01 is changed from the non-activated state to the activated state, the
restrictions on the license-restricted ports are released and the ports can be used properly.
When LANFCOMBO01 is changed from the activated state to the non-activated state and
the device is not restarted, the license-restricted ports can still be used properly because the
device does not process the status change.
Interface Views and Prompts

This section describes command views of physical and logical interfaces, and the commands
and prompts used to enter the views of interfaces.
Command views and prompts of physical interfaces supported by the ATN are shown in Table
4-1; command views and prompts of logical interfaces are shown in Table 4-2.
Table 4-1 Command line views and prompts of physical interfaces
Issue 02 (2013-12-31)
Interface
Command
Line View
Command
Prompt
Ethernet
interface
Ethernet
interface view
interface ethernet
0/2/0
[HUAWEI-Ethernet0/2/0]
Gigabit
Ethernet
interface
GE interface
view
interface
gigabitethernet
0/2/0
[HUAWEIGigabitEthernet0/2/0]

1219

Equipment
Interface
Command
Line View
Command
Prompt
CE1 interface
CE1 interface
view
controller e1 0/2/0
[HUAWEI-E1 0/2/0]
Sync serial
interface
(channelized
serial interface)
Sync serial
interface view
interface serial
0/2/0 (the number of
a channelized serial
interface is of fourdimensional, such as
0/2/0:1).
[HUAWEI-Serial0/2/0:1]
POS interface
POS interface
view
interface pos 0/2/0
[HUAWEI-Pos0/2/0]
CPOS
interface view
controller cpos
0/2/0
[HUAWEI-Cpos 0/2/0]
XDSL
interface view
interface xdsl 0/2/0
[HUAWEI-Xdsl0/2/0]
NOTE
Only ATN
950B has the
POS interface.
CPOS
interface
NOTE
Only ATN
950B has the
CPOS
interface.
XDSL
interface
NOTE
Only ATN 910
has the XDSL
interface.
Table 4-2 Command line views and prompts of logical interfaces
Issue 02 (2013-12-31)
Interface
Command
Line View
Command
Prompt
Sub-interface
Sub-interface
view
interface
gigabitethernet
0/2/0.1
[HUAWEIgigabitethernet0/2/0.1]
Virtual-Ethernet
interface
Virtual-Ethernet
interface view
interface
virtual-ethernet
0/0/1
[HUAWEI-VirtualEthernet0/0/1]
Eth-Trunk
interface
Eth-Trunk
interface view
interface ethtrunk 1
[HUAWEI-Eth-Trunk1]
Loopback
interface
Loopback
interface view
interface
loopback 2
[HUAWEI-LoopBack2]

1220

Equipment
Interface
Command
Line View
Command
Prompt
NULL interface
NULL interface
view
interface null 0
[HUAWEI-NULL0]
Tunnel interface
Tunnel interface
view
interface tunnel
0/2/0
[HUAWEI-Tunnel0/2/0]
Dsl-group
interface
Dsl-group
interface view
interface dslgroup 0/2/0
[HUAWEI-Dsl-group0/2/0]
Ima-group
interface
Ima-group
interface view
interface imagroup 0/2/0
[HUAWEI-Ima-group0/2/0]
Mp-group
interface
Mp-group
interface view
interface mpgroup 0/2/0
[HUAWEI-Mp-group0/2/0]
Atm-Bundle
interface
Atm-Bundle
interface view
interface atmBundle 3
[HUAWEI-Atm-Bundle3]
NOTE
If the interface is disabled by default, run the undo shutdown command to enable the interface.
Link Layer Protocols and Access Technologies

This section describes the functions of the link layer and major link layer protocols.
The link layer provides reliable transmission of data between two sites. The link layer receives
packets from the network layer, and then encapsulates packets into frames to deliver them to the
physical layer.
Link layer protocols supported by the ATN are described as follows.
Ethernet
The current LAN mainly refers to the Ethernet. The Ethernet is a broadcast network that is widely
used because it is flexible, simple, and easily extended.
Eth-Trunk
Eth-Trunk interface is a Trunk interface. Eth-Trunk interfaces consist of Ethernet links only.
The Eth-trunk technology features the following advantages:
l
Increases bandwidth: The bandwidth of an interface is the sum of the bandwidth of all
member interfaces.
Enhances reliability: When a member link fails, its traffic is automatically switched to other
available links. This enhances the reliability of the entire trunk link.
Issue 02 (2013-12-31)

1221

Equipment
VLAN
The Virtual Local Area Network (VLAN) divides a physical LAN into several logical sub-nets,
regardless of their physical locations.
Data transmission within a VLAN does not interfere with that in other VLANs. This enhances
network security.
QinQ
The 802.1Q in 802.1Q (QinQ) technology adds a layer of 802.1Q tag on the 802.1Q packet to
expand the VLAN space. In this way, VLAN data can be transparently transmitted in the public
network.
PPP
The Point-to-Point Protocol (PPP) encapsulates an IP datagram over serial links. It supports the
8-bit asynchronous mode, free of parity check and bit-oriented synchronous link.
PPP includes link control protocols to create, configure, and authenticate the data links. It also
includes network control protocols that are oriented to different network layer protocols.
The ATN also supports the Multi-link Protocol (MP), which binds multiple PPP links together
to provide larger bandwidth.
Basic Interface Configurations Supported by the ATN

After familiarizing yourself with basic interface configurations, you can configure common
information for interfaces.
Interface Description
Interface descriptions record the use of interfaces, which helps you memorize the use of
interfaces to rapidly identify interfaces.
Interval for Collecting Interface Traffic Statistics

When you need to know traffic information (including traffic rate) on an interface within a
specific period, you can configure an interval at which interface traffic statistics are collected.
4.1.2 Configuring an Interface Description

This section describes how to configure interface descriptions that help you to recognize the
functions of the interfaces.
Context
To maintain a large number of interfaces, set interface descriptions to accurately and rapidly
recognize the interfaces.
Issue 02 (2013-12-31)

1222

Equipment
Procedure
Step 1 Run:
system-view

Step 2 Depending on the type of interface, adjust the command to enter the interface view.
l Run the interface interface-type interface-number command to enter the Ethernet, Eth-Trunk
interface view.
l Run the controller interface-type interface-number command to enter the CE1 interface
view.
NOTE
You cannot configure the description of an interface in the user interface view that is displayed by using
the user-interface interface-type interface-number command.
Step 3 Run:
description interface-description
The description of the interface is configured.

----End

Run the display interface description command. If the description of the interface is displayed,
the configuration succeeds. For example:
4.1.3 Configuring the Hold-Time Interval After an Interface

Becomes Up/Down
When the status of an interface frequently alternates between Up and Down, flapping may occur.
To prevent the problem, you can configure the hold-time interval after an interface alternates
between Up and Down.
Before You Start

Before you configure the hold-time interval after an interface becomes Up/Down, familiarize
To prevent the problem, the system responds to the change of the interface status only after an
interval.
Before you configure the Hold-Time interval after an interface becomes Up/Down, power on
and start the ATN.
Issue 02 (2013-12-31)

1223

Equipment
Data Preparation
To configure the hold-time interval for an interface, you need the following data.
No.
Data
Interface type and interface number
Hold-time interval after an interface becomes Up/Down
Configuring the Hold-Time Interval After an Interface Becomes Up/Down

To prevent the problem, you can configure the hold-time interval after an interface alternates
between Up and Down.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run the following command as required:
l To configure the hold-time interval after an interface becomes Up, run:
carrier up-hold-time interval
l To configure the hold-time interval after an interface becomes Down, run:

carrier down-hold-time interval
The hold-time interval can be configured on FE and GE interfaces.

----End

After the hold-time interval after an interface becomes Up/Down is configured, you need to
check the configuration and ensure that the configuration is correct.
Prerequisites
Run the following command to check the previous configuration.
Issue 02 (2013-12-31)

1224

Equipment
Procedure
Step 1 Run display current-configuration [ interface-type [ interface-number ] ] command to check
the hold-time interval set for the interface.
----End
4.1.4 Configuring the Interval for Collecting Traffic Statistics on an

Interface
This section describes how to configure the interval for collecting traffic statistics on all
interfaces or a specified interface. Traffic statistics help you to monitor network conditions.
Before You Start

Before configuring the interval for collecting traffic statistics on an interface, familiarize yourself
with the usage scenario, pre-configuration tasks, and required data.
To easily collect traffic volume and rate on interfaces, you can configure the interval for
collecting traffic statistics.
You can collect traffic statistics on all interfaces or a specified interface by configuring the
interval for collecting traffic statistics in the system view or interface view.
NOTE
l The interval set in the interface view takes effect on the current interface.
l The interval set in the system view takes effect on all the interfaces that use the default interval set in
the interface view.
Before you configure the interval for collecting traffic statistics on an interface, power on and
start the ATN.
Data Preparation
To configure the interval for collecting the traffic statistics on an interface, you need the
following data.
Issue 02 (2013-12-31)
No.
Data
Interface type and number
Interval for collecting the traffic statistics

1225

Equipment
Setting the Global Interval for Collecting Traffic Statistics

The global interval for collecting traffic statistics takes effect on all the interfaces that are not
configured with an interval for collecting traffic statistics. This allows you to configure the
interval for collecting traffic statistics for multiple interfaces at one time.
Context
Perform the following steps on the ATN to configure the global interval for collecting traffic
statistics:
Procedure
Step 1 Run:
system-view

Step 2 Run:
set flow-stat interval interval
The global interval for collecting traffic statistics is configured.

NOTE
The new interval takes effect after the original interval expires. Traffic statistics on logical interfaces are
displayed in the second periodical update after the new interval takes effect. Traffic statistics on physical
interfaces are displayed when the new interval takes effect.
----End
Setting the Interval for Collecting Traffic Statistics on an Interface

The procedure that follows sets the interval for collecting traffic statistics on a single interface.
After the interval is configured, you can view the traffic volume and rate on the interface.
Context
Perform the following steps on the ATN to configure the interval for collecting traffic statistics
on an interface:
Procedure
Step 1 Run:
system-view

Step 2 Run:

Issue 02 (2013-12-31)

1226

Equipment
NOTE
On a main control board, the Ethernet interfaces that are used to connect the network management station
or the multi-frame cannot be configured with the interval for collecting traffic statistics.
Step 3 Run:
set flow-stat interval interval
The interval for collecting traffic statistics on the interface is configured.

NOTE
The new interval takes effect after the original interval expires. Traffic statistics on logical interfaces are
displayed in the second periodical update after the new interval takes effect. Traffic statistics on physical
interfaces are displayed when the new interval takes effect.
----End
Configuring Traffic Statistics on Sub-Interfaces

You can configure the traffic statistics collection function on a main interface to collect traffic
statistics on all sub-interfaces of the main interface.
Context
Perform the following steps on the ATN to be configured with traffic statistics collection:
Procedure
Step 1 Run:
system-view

l To collect traffic statistics on sub-interfaces of all interfaces in the system, run:
subinterface traffic-statistics enable
l To collect traffic statistics on sub-interfaces of an interface:

1.
Run the interface interface-type interface-number command to enter the view of a

specific interface.
2.
Run the subinterface traffic-statistics enable command to enable the traffic statistics
collection function on the current Sub-interfaces of the specified interface.
By default, the traffic statistics collection function is enabled on main interfaces.

To enable the traffic statistics collection function on VLANIF interfaces, run the statistic
enable command in the VLAN view.
----End

After configuring traffic statistics on interfaces, you need to check the configuration and ensure
that the configuration is correct.
Issue 02 (2013-12-31)

1227

Equipment
Prerequisites
Procedure
l
Run the display current-configuration configuration system command to check the

global interval for collecting the traffic statistics.
Run the display interface [ interface-type [ interface-number ] ] command to check the

statistics of traffic on an interface.
Run the display interface [ interface-type [ interface-number.subinterface-number ] ]

command to check the statistics of traffic on a sub-interface.
----End
4.1.5 Enabling the Alarm Function on an Interface

If a large number of alarms are generated on a link, the system is busy dealing with various
alarms and the system performance is degraded. To solve this problem, you can enable the alarm
function on an interface.
Before You Start

Before enabling the alarm function on an interface, familiarize yourself with the usage scenario,
If a large number of alarms are generated on a link, the system is busy dealing with various
alarms. The system performance is degraded. In this manner, you can set the threshold that
triggers the alarm for interfaces. When the number of errors exceeds the set threshold, an alarm
is generated. You can then take measures for troubleshooting to ensure the normal transmission
of services.
Before you configure the interface description, power on the ATN and ensure a successful selftest.
Data Preparation
To configure the alarm function for interfaces, you need the following data.
Issue 02 (2013-12-31)
No.
Data
Interface type and interface number
Thresholds for alarms of the CRC error, SDH error, expiration of the input-rate,
and expiration of the output-rate

1228

Equipment
Configuring the Alarm Function for Bandwidth Usage on an Interface

After the bandwidth usage alarm function is enabled on an interface, the system will generate
an alarm when the bandwidth usage received by the interface reaches a specified threshold.
Context
When a device is attacked or is overburdened with network traffic, the bandwidth usage on the
device's interfaces may become extremely high. If the bandwidth usage on interfaces keeps high
for a long time, the device cannot forward service packets properly. The alarm function can be
configured for bandwidth usage on an interface. After this function is enabled, an alarm will be
generated if the bandwidth usage on a specified interface exceeds the alarm threshold, instructing
the administrator to maintain the interface.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Interfaces that support the alarms of bandwidth utilization of the incoming traffic and bandwidth
utilization of the outgoing traffic are FE, and GE interfaces.
Set the alarm threshold for the interface as required.
l To set the alarm threshold for the bandwidth utilization of the incoming traffic, run:
trap-threshold input-rate bandwidth-in-use [ resume-rate resume-threshold ]
l To set the alarm threshold for the bandwidth utilization of the outgoing traffic, run:
trap-threshold output-rate bandwidth-in-use [ resume-rate resume-threshold ]
By default, the alarm threshold for the bandwidth utilization of the incoming traffic is 100%;
the alarm threshold for the bandwidth utilization of the outgoing traffic is 100%.
----End
Configuring the Alarm Function for CRC Errors on an Interface

After the CRC error packet alarm function is enabled on an interface, the system will generate
an alarm when the number of CRC error packets received by the interface reaches a specified
threshold.
Context
The alarm function can be configured for CRC errors on an interface. After this function is
enabled, an alarm will be generated if the number of packets with CRC errors received by the
interface exceeds the configured alarm threshold, instructing the administrator to maintain the
interface.
Issue 02 (2013-12-31)

1229

Equipment
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
trap-threshold crc-error threshold interval-second interval-value
The alarm threshold for CRC errors is set.

By default, the alarm threshold for CRC errors is 3 and the interval for generating an alarm for
CRC errors is 10 seconds.
----End

After the alarm function is enabled on an interface, you need to check the configuration and
ensure that the configuration is correct.
Prerequisites
Procedure
Step 1 Run the display current-configuration interface [ interface-type [ interface-number ] ]
command to check the alarm messages on the interface.
Step 2 Run the display port-error-info interface interface-type interface-number command to check
the trap information about error codes/error packets of an interface.
----End
4.1.6 Disabling a Device from Sending Traps to an NMS When an

Interface Flaps
This section describes how to disable a device from sending traps to a network management
system (NMS) when an interface flaps, reducing the burden on the NMS.
By default, when the status of an interface on a device changes, the device automatically sends
a trap to an NMS. If the interface flaps, the device repeatedly sends traps to the NMS. To reduce
the burden on the NMS, run the undo enable snmp trapupdown command to disable the device
from sending traps to the NMS when the interface flaps.
Issue 02 (2013-12-31)

1230

Equipment
None
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
undo enable snmp trap updown
The device is disabled from sending a trap to the NMS when the status of the interface changes.
----End

Run the display this command to check configurations on an interface.
# Run the display this command. The command output shows GE 0/2/0 configurations.
[HUAWEI-GigabitEthernet0/2/0] display this
#
undo enable snmp trap updown
#
return
4.1.7 Maintaining Interface Basic Configuration

For maintenance purposes, monitor interface information and clear interface statistics to collect
new statistics.
Clearing Statistics
Interface traffic statistics provide the traffic volume and rate on an interface. To collect traffic
statistics generated in a period, clear the previous statistics.
Context
NOTICE
Statistics cannot be restored after you clear them. Confirm the action before you use the
command.
Issue 02 (2013-12-31)

1231

Equipment
To clear the interface statistics collected using the NMS or display interface command, run the
following commands in the user view to clear previous traffic statistics on the interface.
NOTE
For details on how to view the traffic statistics collected using the NMS, refer to the NMS manual.
Procedure
l
Run the reset counters interface [ interface-type [ interface-number ] ] command in the

user view to clear the interface statistics collected using the display interface command.
Run the reset counters if-mib interface [ interface-type [ interface-number ] ] command

in the user view to clear the interface statistics collected using the NMS.
----End
Monitoring Interface Information

Monitoring interface statistics reveals the traffic volume and rate on interfaces and enables you
to analyze network conditions.
Procedure
l

current operating status of the interface and statistics collected on the interface.
Run the display interface-statistics { interface-type interface-number } &<1-5>

[ interval interval ] [ times times ] or display interface-statistics batch interface-type
interface-number1 [ to interface-number2 ] [ interval interval ] [ times times ] command
in any view to check statistics on traffic on the interface.
Run the display interface brief command in any view to check the brief information about
all the interfaces on the device, including the physical status, protocol status, and bandwidth
utilization of the interface.
Run the display ip interface [ interface-type interface-number ] command in any view to

check the IP configuration of the interface.
Run one of the following commands in any view to check brief IP configuration of the
interface.
display ip interface brief [ interface-type [ interface-number ] ]
Run the display interface phy-option interface-type interface-number command in any

view to check the physical attributes of the specified interface.
Run the display counters rate [ inbound | outbound ] [ interface interface-type

[ interface-number ] ] [ nonzero ] command in any view to check the rate of traffic in the
inbound or outbound direction on an interface.
Run the display counters [ inbound | outbound ] [ interface interface-type [ interfacenumber ] ] [ nonzero ] command in any view to check the traffic statistics on an interface.
----End
4.2 Logical Interface Configuration

The information provided here on interface types, configuration procedures, and configuration
examples enable you to make full use of logical interfaces.
Issue 02 (2013-12-31)

1232

Equipment
4.2.1 Logical Interface Configuration Overview

This section describes main types of logical interfaces.
Introduction
Logical interfaces do not exist physically. They are manually configured for data exchange.
A logical interface refers to an interface that does not physically exist, and can be created only
through manual configuration. Logical interfaces include Sub-interfaces, Eth-Trunk interfaces,
VLANIF interfaces, Virtual-Ethernet interfaces, Loopback interfaces, Null interfaces, and
Tunnel interfaces.
NOTE
l For the configurations of Eth-Trunk interfaces, and VLANIF interfaces logical interfaces, refer to the
Configuration Guide - LAN Access & MAN Access.
l For the details of the tunnel interface, refer to "VPN Tunnel" in the Feature Description - VPN. For
the configuration of the Tunnel interface, refer to the chapter "VPN Tunnel Management
Configuration" in the Configuration Guide - VPN.
Features of the ATN Logical Interfaces

This section describes the applicable environment of logical interfaces.
The ATN mainly supports the following types of logical interfaces:
l
Sub-interface: used to implement communication between a physical link and multiple

remote ends.
Loopback interface: used when the status of the interface needs to be always Up or the
interface needs to be configured with 32-bit subnet mask.
Null interface: used in route filtering because any network packets sent to this interface are
discarded.
4.2.2 Configuring a Loopback Interface

Loopback interfaces always remain in the Up state (once created) and execute the loopback
function.
Before You Start

Before configuring a loopback interface, understand the usage scenario, pre-configuration tasks,
and data required for configuration.
As the loopback interface always remains in the Up state once created and executes the loopback
function, it can be used to improve connection reliability.
Loopback interfaces have the following characteristics:
l
Issue 02 (2013-12-31)
The IP address of a loopback interface can be designated as the source address of packets.
1233

Equipment
The IP address of a loopback interface can be used to control the access interface and filter
logs.
If more than one link can reach the same neighbor, a loopback interface can be used as the
Border Gateway Protocol (BGP) neighbor of the local ATN. This avoids neighbor
relationship failures caused by interface faults when other types of interfaces are used as
BGP neighbors.
Before you configure a loopback interface, power on and start the ATN.
Data Preparation
To configure a loopback interface, you need the following data.
No.
Data
Number of the loopback interface
IP address of the loopback interface
Creating a Loopback Interface and Configuring Its IP Address

After a loopback interface is assigned an IP address, the local device can use this interface to
communicate with other devices.
Procedure
Step 1 Run:
system-view

Step 2 Run:
interface loopback loopback-number
A loopback interface is created and the loopback interface view is displayed.

You can create or delete loopback interface dynamically. After a loopback interface is created,
the link-layer protocol is always Up unless the loopback interface is deleted.
Step 3 Run:
ip address
ip-address [ mask | mask-length ] [ sub ]
The IP address of the loopback interface is configured.

----End

After loopback interfaces are configured, you need to check whether the configuration is correct.
In addition, you can view the statistics about loopback interfaces.
Issue 02 (2013-12-31)

1234

Equipment
Prerequisites
The configurations of a loopback interface are complete.
Procedure
Step 1 Run the display interface loopback [ loopback-number ] command to check the status of a
loopback interface.
----End
4.2.3 Configuring a NULL Interface

All the packets sent to NULL interfaces are discarded.
Before You Start

This section describes the usage scenario, pre-configuration tasks, and data preparation for
configuring null interfaces.
A Null interface is similar to the null devices supported by some operating systems. All packets
sent to a Null interface are dropped. The system automatically creates a Null interface NULL0.
Since all packets sent to a Null interface are dropped, you can specify a Null interface as the
outbound interface for packets to be filtered out. In this case, you do not need to configure an
ACL.
For example, using the following command discards all packets sent to the 192.101.0.0 network
segment.
[HUAWEI] ip route-static 192.101.0.0 255.255.0.0 NULL 0
Before you configure a Null interface, power on and start the ATN .
Data Preparation
None.
Entering the Null Interface View

The system automatically creates a Null interface NULL0.
Procedure
Step 1 Run:
system-view

Issue 02 (2013-12-31)

1235

Equipment
Step 2 Run:
interface NULL 0
The NULL interface view is displayed.

The NULL interface stays in the Up state. It cannot forward data packets. You cannot configure
an IP address for it or encapsulate it with protocols.
----End

After null interfaces are configured, you need to check whether the configuration is correct. In
addition, you can view statistics about null interfaces.
Prerequisites
The configurations of a null interface are complete.
Procedure
Step 1 Run the display interface null [ 0 ] command to check the status of a null interface.
----End
4.3 Fast Feeling Configuration

Fast feeling is used to notify the application of physical faults in real time.
4.3.1 Fast Feeling Configuration Overview

This section describes the characteristics and applicable environment of fast feeling.
Introduction
After fast feeling is enabled, physical faults are rapidly reported to applications and the system
can rapidly respond to the faults.
Traditionally, the periodic monitoring mechanism is adopted to detect physical component
faults. This solution, however, cannot always meet the requirement for sensitive applications.
Fast feeling is used to rapidly notify the physical fault to the application in real time.
Fast Feeling Features Supported by the ATN

Fast feeling is used to rapidly report physical faults.
In the ATN, fast feeling channels are established to rapidly notify the application of the physical
fault for rapid response.
After the fast feeling function is enabled on an interface, when the shutdown command is run
in the interface view, the system can quickly inform the routing module of the event and then
Issue 02 (2013-12-31)

1236

Equipment
inform the device management module after 5 seconds. This ensures that traffic is not
interrupted.
4.3.2 Configuring Fast Feeling

This section describes the applicable environment and configuration procedure of fast feeling.
Before You Start

Fast feeling is applicable to the scenario where the upper layer applications need to sense physical
faults as soon as the faults occur.
When an upper-layer application needs to quickly detect faults on physical components, the fast
fault detection feature can be enabled at interfaces.
None.
Data Preparation
To configure fast feeling, you need the following data.
No.
Data
Number of the interface on the ATN
Enabling Fast Feeling

Fast feeling can be enabled only in the interface view.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The specified interface view is displayed.

Step 3 Run:
fastfeeling
Fast feeling is enabled.

----End
Issue 02 (2013-12-31)

1237

Equipment

After fast feeling is configured, you can view information about fast feeling on the interface to
check whether the configuration is correct.
Prerequisites
The configurations of fast feeling function are complete.
Procedure
Step 1 Run the display fastfeeling [ interface interface-type interface-number ] command to check
the configuration and running status of the fast feeling feature of the interface.
----End
4.3.3 Maintaining Fast Feeling

When fast feeling functions abnormally, you can use maintenance tools to locate the fault.
Monitoring the Running of Fast Feeling

In routine maintenance, you can monitor the running status of fast feeling.
Context
As part of routine maintenance, you can run the following command in any view to check the
operation of fast feeling.
Procedure
Step 1 Run the display fastfeeling [ interface interface-type interface-number ] command in any view
to check the current running status and statistics of fast feeling on the interface.
----End
4.4 Flapping Control Configuration

Configuring interface flapping control can minimize the impact of frequent interface status
changes on the stability of the device and the network.
4.4.1 Flapping Control Configuration Overview

Interface flapping control is used to effectively minimize the impact of frequently-changed
interface status on the stability of the network.
Issue 02 (2013-12-31)

1238

Equipment
Introduction
After interface flapping control is configured, interfaces can be suppressed from changing
frequently between Up and Down. In this manner, the adverse impact on the stability of the
device and network can be reduced.
In the network application, the device interface may change frequently between Up and Down
because of interference of the physical signal and error in link layer configuration. This causes
frequent flapping of routing protocols and MPLS and has severe impacts on the device and
network. Some devices may even become Down and the network becomes unavailable.
The flapping control feature can suppress the interface flapping to a low frequency. This
decreases the effect on the stability of the device and the network.
ATNFlapping Control Supported by the VRP

The VRP supports flapping control using control-flap.
Several key concepts of control-flap are as follows:
l
The suppress penalty value of interfaces (penalty value): This value is calculated by
suppress algorithm according to the status of the interface. The core of the algorithm is that
the suppress penalty value increases with the changing times of the status of the interface
and decays exponentially.
The suppress threshold of interfaces (suppress): When this value is less than the suppress
penalty value, the interface is suppressed. This value must be greater than the reuse
threshold and less than the maximum suppress penalty value.
The reuse threshold value of interfaces (reuse): When this value is greater than the suppress
penalty value, the interface is not suppressed. This value must be less than the suppress
threshold.
The maximum suppress penalty value of interfaces (ceiling): This value does not increase
when the maximum suppress penalty value reaches the maximum. This value must be
greater than the suppress threshold. When an interface alternates between Up and Down
frequently within a short time, the penalty value of the interface becomes very high. When
the interface status is stable, it takes a long time for the penalty value to return to the reuse
threshold. The maximum suppress penalty value is set to reduce the return time.
In the ATN, these parameters can be set to control in the event that the interface becomes Up or
Down.
The relationships among them are shown in Figure 4-11.
Issue 02 (2013-12-31)

1239

Equipment
Figure 4-11 Diagram of the interface flapping control

Penalty Value
ceiling
suppress
reuse
t1
t2
t3
t4
t5
Time
The penalty values are changed since the interface is Down in t1, t2, t3 and t4. The penalty value
exceeds the suppress threshold in t3 and the interface status is suppressed. After t4, the interface
is no longer in Down state. As the time elapses, the penalty value decreases and reaches to the
reuse threshold in t5. The alarm suppression is released and the alarm is reported.
4.4.2 Configuring the Interface Flapping Control

This section describes the applicable environment and configuration procedure of interface
flapping control.

When the link status is unstable, you can configure interface flapping control.
The flapping of routing protocols, MPLS and other protocols caused by the frequent change of
the interface status may influence the stability of the whole network. To avoid this, you can
configure the flapping control feature.
Before configuring the flapping control feature, configure the physical attributes for the ATN
interfaces.
Data Preparation
To configure the flapping control feature, you need the following data.
Issue 02 (2013-12-31)

1240

Equipment
No.
Data
Damp-interface level.
Suppress threshold, reuse threshold, maximum suppress penalty value of the

interface,time taken to decay the penalty value to half.
Enabling Control-Flap and Damp-Interface

Control-flap is only enabled on interfaces.
Procedure
l
Configure control-flap.
NOTE
The NULL interface, and Loopback interface do not support flapping control.
1.
Run:
system-view

2.
Run:

3.
Run:
control-flap [ suppress reuse ceiling decay-ok decay-ng ]
The flapping control feature on the interface is enabled.

The value of suppress is 1000 times the suppress threshold of the interface. It
ranges from 1 to 20000. The default value is 2000. The value of suppress must be
greater than the value of reuse and smaller than the value of ceiling.
The value of reuse is 1000 times the reuse threshold of the interface. It ranges from
1 to 20000. The default value is 750. The value of reuse must be smaller than the
value of suppress.
The value of ceiling is 1000 times the suppress penalty value of the interface. It
ranges from 1001 to 20000. The default value is 6000. The value of ceiling must
be greater than the value of suppress.
The value of decay-ok is the time taken to decay the penalty value to half when
the interface is Up. It ranges from 1 to 900 seconds. The default value is 54 seconds.
The value of decay-ng is the time taken to decay the penalty value to half when
the interface is Down. It ranges from 1 to 900 seconds. The default value is 54
seconds.
----End

After interface flapping control is configured, you need to check whether the configuration is
correct. In addition, you can view the operation of interface flapping control.
Issue 02 (2013-12-31)

1241

Equipment
Prerequisites
The configurations of the configuring the interface flapping control function are complete.
Procedure
Step 1 Run the display control-flap [ interface interface-type interface-number ] command to check
the configuration and running status of the flapping control feature on interfaces.
----End
4.4.3 Maintaining the Flapping Control Feature

When an interface flapping control fault occurs, you can use maintenance tools to locate the
fault.
Clearing Flapping Control Information

Before collecting the statistics on interface flapping control again, clear the operation
information about flapping control on the interface.
Context
NOTICE
Running the reset control-flap command can cancel the configured penalty value or the flapping
times. This may disable the suppressed status of the interface.
Procedure
Step 1 Run the reset control-flap { penalty | counter } interface interface-type interface-number
command in the user view to clear the running status or statistics of the flapping control feature.
----End
Monitoring the Flapping Control on the Interface

As part of routine maintenance, you can monitor the operation of interface flapping control.
Context
Run the following commands in any view to check the flapping control on the interface as part
of routine maintenance.
Issue 02 (2013-12-31)

1242

Equipment
Procedure
Step 1 Run the display control-flap [ interface interface-type interface-number ] command in any
view to check the operation of the current running status and statistics of the flapping control
feature on the interface.
----End
4.5 Transmission Alarm Configuration

Configuring transmission alarm suppression can reduce the impact of frequently-generated
transmission alarms on the stability of the network.
Follow-up Procedure
NOTE
Only the E1/CE1 or T1/CT1 interfaces on the ATN support the transmission alarm feature.
4.5.1 Transmission Alarm Configuration Overview

This section describes the concepts and characteristics of transmission alarm customization and
suppression.
Introduction
Transmission alarm suppression can efficiently filter and suppress alarm signals. This protects
the interface from frequently flapping. In addition, alarm customization efficiently controls the
impact of alarms on the status change of interfaces.
At present, the carrier-class network requires higher reliability for the IP network. Therefore,
the device in the network is required to rapidly detect the fault.
If fast detection works on the interface, the physical status of the interface frequently changes
between Up and Down because alarms are notified faster. As a result, the network flaps
frequently.
Alarms need to be filtered and suppressed to prevent the network from frequently flapping.
Transmission alarm suppression can efficiently filter and suppress the alarm signals. This
prevents the interface from frequently flapping. In addition, alarm customization efficiently
controls the impact of alarms on the status change of the interface.
Transmission alarm customization and suppression implement the following functions:
l
Customize alarms. This can specify the alarms that can cause the status change of the
interface.
Suppress alarms. This can filter the burr and prevent the network from frequently flapping.
Features of Transmission Alarm Customization and Suppression in the ATN

Transmission alarm customization and suppression are supported only on the physical interfaces
encapsulated with PDH.
Issue 02 (2013-12-31)

1243

Equipment
Supported Interface Type

Only the physical interfaces encapsulated with the Plesiochronous Digital Hierarchy (PDH)
support transmission alarm customization and suppression. The supported interfaces are E1/CE1
or T1/CT1 interfaces.
Active/Standby Switchover
During the active/standby switchover, the system can normally process various alarm signals of
transmission alarms, and the configurations of transmission alarms also take effect.
NOTE
Only ATN 950B supports the active/standby switchover.
4.5.2 Configuring Transmission Alarm Customization

After a transmission alarm type is customized, the alarms of this type affect the feature status
of interfaces.
Before You Start

This section describes the usage scenario, pre-configuration tasks, and required data of
transmission alarm customization.
When the transmission equipment is connected to a ATN, a large number of burr alarms are
generated if the network is unstable. These alarms, however, make the physical status of the
interface frequently change between Up and Down. To make the network device ignore these
burr alarms by customizing some alarms, configure transmission alarm customization.
Before configuring transmission alarm customization, power on and start the ATN.
Data Preparation
To configure transmission alarm customization, you need the following data.
No.
Data
Type of alarm that can affect the physical status of the interface
(Optional) Type of alarm that can record logs
Configuring the Type of Alarms That Can Affect the Physical Status of the Interface
Transmission alarm customization can be configured only in the interface view. Alarm types
that can be customized vary with the hardware.
Issue 02 (2013-12-31)

1244

Equipment
Procedure
Step 1 Run:
system-view

Step 2 Run:
controller interface-type interface-number

The supported interfaces are E1/CE1 or T1/CT1 interfaces.
Step 3 Run:
transmission-alarm down { auais | b1tca | b2tca | b3tca | lais | lof | lom | lop |
los | lrdi | lrei | oof| pais | pplm | prdi | prei | puneq | rdool | rrool |
sdbere | sfbere | trool } *
The alarm that can affect the physical status of the interface is customized.
NOTICE
LAIS, LOF, and LOS alarms provide alarms for the status change of the link. Disabling these
alarms affects the precise forwarding of service data. Therefore, it is recommended to enable
these alarms.
----End
(Optional) Configuring the Respective Thresholds of B1TCA, B2TCA, B3TCA,

BIP2TCA, SDBERE, and SFBERE Alarms
Thresholds of B1TCA, B2TCA, B3TCA, BIP2TCA, SDBERE, and SFBERE alarms can be
configured. No alarm is reported if the number of alarms does not reach the threshold.
Context
Perform the following steps on the interface connected to the transmission equipment:
NOTE
Only ATN 950B supports this configuration.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Issue 02 (2013-12-31)

1245

Equipment
The supported interface is CPOS interface.

Step 3 Run:
transmission-alarm threshold { b3tca
b3tca | sdbere sdbere | sfbere sfbere }
and
transmission-alarm threshold { b1tca b1tca | b2tca b2tca | bip2tca bip2tca }
The alarm threshold that determines whether B1TCA, B2TCA, B3TCA, BIP2TCA, SDBERE,
and SFBERE alarms can be reported by the transmission equipment to the ATN 950B is
configured.
NOTE
The threshold of the six types of alarms is expressed in 10-n, in which the exponent n is specified by the
parameter value of each type of alarms configured in the transmission-alarm threshold command. The
value of sdbere cannot be smaller than that of sfbere. That is, the threshold of SDBERE alarms cannot be
greater than that of SFBERE alarms.
By default, the respective threshold of B1TCA, B2TCA, B3TCA, SDBERE, and BIP2TCA alarms is
10-6, and the respective threshold of SFBERE is 10-3.
----End
(Optional) Configuring the Type of Alarms That Can Be Recorded to Logs

Recording alarms to logs helps you to query if necessary.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
transmission-alarm log { auais | b1tca | b2tca | b3tca | lais | lof | lom | lop |
los | lrdi | lrei | oof| pais | pplm | prdi | prei | puneq | rdool | rrool |
sdbere | sfbere | trool } *
The alarms recorded to logs after being generated are enabled.

----End

After transmission alarm customization is configured, you need to check whether the
configuration is correct. In addition, you can view the status and statistics about alarms on the
interface.
Issue 02 (2013-12-31)

1246

Equipment
Prerequisites
The configurations of the configuring transmission alarm customization function are complete.
Procedure
l
Run the display transmission-alarm interface-type interface-number [ auais | b1tca |

b2tca | b3tca | lais | lof | lom | lop | los | lrdi | lrei | oof| pais | pplm | prdi | prei | puneq |
rdool | rrool | sdbere | sfbere | trool ] * command to check alarm configuration on the
interface.
----End
4.5.3 Configuring the Interval for Filtering Transmission Alarms

Configuring the interval for filtering transmission alarms can lower the frequency at which
alarms are generated, and minimize the impact on the stability of the network.
Before You Start

This section describes the usage scenario, pre-configuration tasks, and required data for
configuring the interval for filtering transmission alarms.
When the transmission equipment is connected to the network, a large number of burr alarms
are generated if the network is unstable. These alarms, however, make the physical status of the
interface frequently change between Up and Down. If some alarms that are generated and cleared
in a certain period can be ignored, the interval for filtering transmission alarms needs to be
configured.
Before configuring the interval for filtering transmission alarms, complete the following tasks:
l
Power on and start the ATN.
Configure transmission alarm customization on the interface.

NOTE
The filtering function can be enabled only after the interface is enabled with transmission alarm
customization.
Data Preparation
To configure the interval for filtering transmission alarms, you need the following data.
Issue 02 (2013-12-31)
No.
Data
Filtering timer parameter

1247

Equipment
Setting the Interval for Filtering Transmission Alarms

If the interval of alarm generating and disappearing is smaller than the set interval, the alarm
signal is regarded as a burr and is filtered. Otherwise, the alarm signal is normal.
Context
To configure transmission alarm filtering on multiple interfaces, you can repeat Step 2 and Step
3.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 You can select one or more of the following configurations according to the alarm message to
be filtered out.
l Run the transmission-alarm holdoff-timer holdoff-time command to enable the device
management module to filter out the alarm message indicating that the interface goes Down
and set the filtering interval.
When the interface goes Down, the device management module generates an alarm message
and takes corresponding actions to process the alarm message according to the following
situations:
If the device management module receives an alarm message indicating that the interface
goes Up within the specified filtering interval, the device management module filters out
the alarm message indicating that the interface goes Down. That is, the device
management module does not send the alarm message to the upper-layer application.
If the device management module does not receive an alarm message indicating that the
interface goes Up within the specified filtering interval, the device management module
sends the alarm message indicating that the interface goes Down to the upper-layer
application after the filtering interval expires.
l Run the transmission-alarm holdup-timer holdup-time command to enable the device
management module to filter out the alarm message indicating that the interface goes Up and
set the filtering interval.
When the interface goes Up, the device management module generates an alarm message
and takes corresponding actions to process the alarm message according to the following
situations:
If the device management module receives an alarm message indicating that the interface
goes Down within the specified filtering interval, the device management module filters
out the alarm message indicating that the interface goes Up. That is, the device
management module does not send the alarm message to the upper-layer application.
If the device management module does not receive an alarm message indicating that the
interface goes Down within the specified filtering interval, the device management
Issue 02 (2013-12-31)

1248

Equipment
module sends the alarm message indicating that the interface goes Up to the upper-layer
application after the filtering interval expires.
By default, the device management module does not filter out the alarm message indicating that
the interface goes Up or Down. That is, once the device management module receives the alarm
message indicating that the interface goes Up or Down, it immediately sends the alarm message
to the upper-layer application.
----End

After the interval for filtering transmission alarms is configured, you need to check whether the
configuration is correct. In addition, you can view the status and statistics about alarms on the
interface.
Prerequisites
The configurations of the configuring the interval for filtering transmission alarms function are
complete.
Procedure
l
Run the display transmission-alarm interface-type interface-number [ auais | b3tca |

lais | lof | lom | lop | los | lrdi | lrei | oof| pais | pplm | prdi | prei | puneq | rdool | rrool |
sdbere | sfbere | trool ] * command to check the alarm configuration.
Run thedisplay transmission-alarm configuration [ interface-type interface-number ]

command to review alarm customization and suppression configurations for a specified
interface.
----End
4.5.4 Configuring Transmission Alarm Suppression Function

This section describes how to configure transmission alarm suppression and specify the
suppression threshold.
Before You Start

This section describes the usage scenario, pre-configuration tasks, and required data of
transmission alarm suppression.
When the transmission equipment is connected to the network, a large number of burr alarms
are generated if the network is unstable. These alarms, however, make the physical status of the
interface frequently change between Up and Down. To prevent these alarms from frequently
flapping or to make the network device ignore these burr alarms, enable alarm suppression.
Before configuring transmission alarm suppression, complete the following tasks:
Issue 02 (2013-12-31)

1249

Equipment
Power on and start the ATN.
Configure transmission alarm customization on the interface.
NOTE
The suppression function takes effect on interfaces only after alarm customization is enabled on the
interfaces.
Data Preparation
To configure transmission alarm suppression, you need the following data.
No.
Data
Interface Type and number.
Alarm ceiling threshold, alarm reuse threshold, alarm suppression threshold, half-life
of alarm generation, and half-life of alarm clearance.
Configuring Transmission Alarm Suppression

After the suppression threshold of transmission alarms is set, alarms are reported only when the
number of alarms reaches the threshold.
Procedure
Step 1 Run:
system-view

Step 2 Run:
controller
interface-type interface-number

Step 3 Run:
transmission-alarm damping [ suppress suppress | reuse reuse | ceiling ceiling |
decay-ok decay-ok | decay-ng decay-ng ] *
Suppression is enabled and suppression parameters are set.

By default, transmission alarm suppression is not enabled.
----End

After transmission alarm suppression is configured, you need to check whether the configuration
is correct. In addition, you can view the status and statistics about alarms on the interface.
Prerequisites
The configurations of the configuring transmission alarm suppression function are complete.
Issue 02 (2013-12-31)

1250

Equipment
Procedure
Step 1 Run the display transmission-alarm configuration [ interface-type interface-number ]
command to check the alarm configuration of the interface.
----End
4.5.5 Maintaining
When a transmission alarm customization or suppression fault occurs, you can use maintenance
tools to locate the fault.
Clearing Transmission Alarm Information

Before re-collecting the statistics about transmission alarms on an interface, clear all
transmission alarm information on the interface.
Context
NOTICE
Clearing transmission alarm information on the interface may cause all alarm statistics on the
interface to be reset. Confirm the action before you use the command.
Procedure
Step 1 Run the reset transmission-alarm statistics command in the interface view to clear all the
transmission alarm running statistics on the interface.
----End
4.6 Glossary
This section lists frequently used glossaries in this document.
A
Issue 02 (2013-12-31)
ATM
Asynchronous Transfer Mode (ATM). A data transmission

technology in which data is transferred at high data rates in fixed
length, 53 bytes.
Authentication
An act that decides whether a user can be awarded with access right
or what kinds of users can access a network.
Authorization
An act that accredits a user with access to certain services.
AUX
Auxiliary interface that provides an EIA/TIA-232 DTE interface. By

using the AUX interface and the Modem, a user can access a network
through dialup.
1251

Equipment
C
Callback
A call mode in which both ends of the communication participate in

the call. One end is called the Client, while the other end is caller the
Server. The Client initiates a call, and the Server decides whether to
call back. If a callback is needed, the Server tears down the connection
and then initiates a call to the Client.
Called Number
Number of the called party.
Calling Number
Number of the calling party.
P
POS
A MAN and LAN technology that provides a point to point

connection. The POS interface is based on SONET.
Q
QinQ
The QinQ technology adds one a layer of 802.1Q tag on the 802.1Q
packet to expand the VLAN space. In this way, data of the VLAN can
be transparently transmitted in the public network.
S
SONET
Synchronous Optical Network (SONET). A standard for synchronous

data transfer over optical networks. The standard contains a series of
transmission speed, including SDH Transport Module (STM) -1 (155
Mbit/s), STM-4c (622 Mbit/s) and STM-16c/STM-16 (2.5 Gbit/s).
V
VLAN
The Virtual Local Area Network (VLAN) divides a physical LAN into
several logical sub-nets, regardless of their physical locations. Data
transmission within a VLAN does not interfere with that in other
VLANs. This enhances the network security.
W
WAN
Wide Area Network. A network that covers a large geographic area.
X
X.21
Issue 02 (2013-12-31)
ITU-T standard for serial communications over synchronous digital

lines. It is mainly used in Europe and Japan.

1252

Equipment
X.25
A data link layer protocol. A protocol that defines the establishment

and maintenance of connections between the DTE devices and the
DCE devices.

This section lists frequently used acronyms and abbreviations used in this document.
A
AA
Anonymous Access
AAA
AAL
ATM Adaptation Layer
AAL1
ATM Adaptation Layer Type 1
AAL2
AAL3
AAL5
ACL
Access Control List
ADSL
AM
Analog Modem
AMI
Alternate Mark Inversion
ANSI
American National Standard Institute
ARP
ATM
AU
Administrative Unit
AUG
Administrative Unit Group
AUX
Auxiliary (port)
AUAIS
Administrative Unit Alarm Indication Signal
Issue 02 (2013-12-31)
B3TCA
B3 Threshold Crossing Alarm
BAS
Broadband Access Server
BGP
BRI

1253

Equipment
C
CAR
Committed Access Rate
CBR
Constant Bit Rate
CC
Call Control
CCITT
International Telegraph and Telephone Consultative Committee
CD
Carrier Detect
CDV
Cell Delay Variation
CHAP
CPE
Customer Premises Equipment
CSMA
Carrier Sense Multiple Access
CUG
Closed User Group
D
DCC
DCD
Data Carrier Detected
DCE
DDN
Digital Data Network
DHCP
DIP
Dual-In-line Package
DLCI
Data Link Control Identifier
DLSw
Data Link Switching
DNS
Domain Name System
DSL
Digital Subscriber Line
DSLAM
DSL Access Multiplexer
DSR
Data Set Ready
DSS1
Digital Subscriber Signaling No.1
DTE
E
EIA
Issue 02 (2013-12-31)

1254

Equipment
ESF
Extended Service Frame
ETSI
European Telecommunications Standards Institute
F
FCS
Frame Check Sequence
FDDI
Fiber Distributed Digital Interface
FE
Fast Ethernet
FIFO
First In First Out
FR
Frame Relay
FRF
Frame Relay Forum
FRMR
Frame Rejection
FS
Forced Switch
FTP
G
GE
Gigabit Ethernet
GPRS
General Packet Radio Service
GRE
H
HDB3
High Density Bipolar of Order 3
HDLC
HDSL
High-bit-rate Digital Subscriber Link
HFC
Hybrid Fiber-Coaxial
HIC
Highest Incoming-only Channel
HOC
Highest Outgoing-only Channel
HTTP
Issue 02 (2013-12-31)
IAD
Integrated Access Device
IBGP
Internal BGP

1255

Equipment
ICP
IMA Control Protocol
ID
Identification
IEEE
Institute of Electrical and Electronics Engineers
IETF
IF
Information Frame
IGMP
Internet Group Management Protocol
IMA
Inverse Multiplexing on ATM
IP
Internet Protocol
IPC
Inter-Process Communication
IPCP
IP Control Protocol
IPHC
IPoA
IPoE
IP over Ethernet
IPoEoA
IPX
Internet Packet Exchange
ISDN
ISO
International Organization for Standardization
ISP
ITU-T
International Telecommunication Union - Telecommunication Standardization

Sector
Issue 02 (2013-12-31)
L2TP
LAIS
Line Alarm Indication Signal
LAN
Local Area Network
LAPB
LC
Line Card
LCD
Loss of Code Group Synchronization
LCI
Logic Channel Identifier
LCP
Link Control Protocol
LDD
Laser Detector Diode
LED
Light Emitting Diode

1256

Equipment
LIC
Lowest Incoming-only Channel
LOC
Loss of Continuity
LOF
Loss of Frame
LOM
Loss of Tributary Multiframe
LOS
Loss of Signal
LOP
Loss of Pointer
LQR
Link Quality Reports
LRDI
Line Remote Defect Indication
LREI
Line Remote Error Indication
LTC
Lowest Two-way Channel
M
MAP
Mobile Application Part
MD5
Message Digest 5
MIB
MODEM
Modulator DEModulator
MP
Multilink PPP
MTU
MUX
Multiplex
N
NAT
NBMA
Non Broadcast Multiple Access
NCP
Network Control Protocol
NE
NetEngine
NNI
Network Node Interface
NT
Network Terminal
Issue 02 (2013-12-31)
OAM
OC-3
OC-3

1257

Equipment
OOF
Out of Frame
OSI
P
PAD
Packet Assembler/ Disassembler
PAIS
Path Alarm Indication Signal
PAP
PBX
Private Branch Exchange
PC
Personal Computer
PCI
Protocol Control Information
PCM
Pulse-Code Modulation
POH
Path Overhead
POS
PPP
PPLM
Path Signal Label Mismatch
PPPoA
PPPoA
PPPoE
PPP over Ethernet
PRDI
Path Remote Defect Indication
PREI
Path Remote Error Indication
PRI
PSE
Packet Switching Exchange
PSTN
PUNEQ
Path Unequipped Indication
PVC
Q
QoS
Quality of Service
Issue 02 (2013-12-31)
RADIUS
RAS
Remote Access Server

1258

Equipment
RDOOL
Receive Data Out of Lock
RFC
RIP
ROA
Recognized operating Agency
RPC
Raman Pump Amplifier Unit For C-band
RROOL
Receive Reference Out of Lock
RSOH
Regenerator Section Overhead
RSU
Routing Switch Unit
RTP
Real-time Transport Protocol
RTU
Remote Test Unit
Issue 02 (2013-12-31)
SABM
Set Asynchronous Balanced Mode
SDBERE
Signal Degrade Threshold Alarm
SDH
Synchronous Digital Hierarchy
SDLC
SDSL
Symmetrical Digital Subscriber Line
SF
Signal Failure
SFBERE
Signal Fail Threshold Alarm
SGSN
Serving GPRS Support Node
SLIP
SNA
SNAP
Sub Network Access Point
SNMP
SNP
Sequence Number PDUs
SOH
Section Overhead
SONET
Synchronous Optical Network
SP
Service Provider
STM-1
SVC
Switched Virtual Channel

1259

Equipment
T
TA
Terminal Adapter
TACAC
S
Terminal Access Controller Access Control System
TCP
TFTP
TROOL
Transmit Reference Out of Lock
TU
Tributary Unit
TUG
Tributary Unit Group
U
UA
Unnumbered Acknowledge
UBR
Unspecified Bit Rate
UDP
UNI
User Network Interface
UP
User Plane
Issue 02 (2013-12-31)
VA
Virtual Access
VBR
Variable Bit Rate
VC
Virtual Circuit
VCI
Virtual Channel Identifier
VCN
Virtual Circuit Number
VDSL
Very High Speed DSL
VIU
Versatile Interface Unit
VLAN
VP
Virtual Path
VPI
Virtual Path Identifier
VPLS
Virtual Private LAN Service
VPN
VRP
VT
Virtual-Template

1260

Equipment
W
WLNK
WAN Interface Link Status Alarm
WWW
World Wide Web
X
XOT
Issue 02 (2013-12-31)
X.25 Over TCP

1261

Equipment
5 LAN Access and MAN Access
LAN Access and MAN Access
About This Chapter

The document describes the configuration methods of LAN access and MAN access in terms of
basic principles, implementation of protocols, configuration procedures and configuration
examples for the LAN access and MAN access of the ATN equipment.
5.1 MAC Address Table Configuration
Each workstation or server that is connected to the Ethernet interface on a device has a unique
Medium Access Control (MAC) address. The MAC address table on the device contains the
MAC addresses of all the other devices that are connected to this device. The MAC address table
is used for data forwarding.
5.2 Ethernet Interface Configuration
Being flexible, simple, and easy to implement, the Ethernet becomes the most important LAN
networking technology.
5.3 Eth-Trunk Interface Configuration
Eth-Trunk interfaces have all functions of Ethernet interfaces and are more reliable due to the
use of the link aggregation technique.
5.4 VLAN Configuration
Virtual Local Area Networks (VLANs) have advantages of broadcast domain isolation, security
enhancement, flexible networking, and good extensibility.
5.5 QinQ Configuration
The QinQ technology makes up for the shortage of public VLAN ID resources, and also provides
a simpler Layer 2 VPN solution for LANs or small-scale MANs.
5.6 STP/RSTP Configuration
The Spanning Tree Protocol (STP) trims a ring network into a loop-free tree network. It prevents
replication and circular propagation of packets, provides multiple redundant paths for virtual
LAN (VLAN) data traffic, and enables load balancing. The Rapid Spanning Tree Protocol
(RSTP) was developed based on STP to implement faster convergence. RSTP defines edge ports
and provides protection functions.
5.7 MSTP Configuration
Issue 02 (2013-12-31)

1262

Equipment
The Multiple Spanning Tree Protocol (MSTP) trims a ring network into a loop-free tree network.
It prevents replication and circular propagation of packets, provides multiple redundant paths
for Virtual LAN (VLAN) data traffic, and enables load balancing.
5.8 RRPP Configuration
The Rapid Ring Protection Protocol (RRPP) features fast convergence, because the convergence
time is irrelevant to the number of the nodes on the ring.
5.9 LLDP Configuration
Network devices obtain the status of their directly-connected devices through the Link Layer
Discovery Protocol (LLDP).
5.10 Automatic Link Discovery Configuration
Automatic link discovery is a Huawei-specific feature used by ATNs to discover neighbors at
the link layer.
5.11 Transparent Transmission of Layer 2 Protocol Packets Configuration
This chapter describes the principles and application scenarios of configuring transparent
transmission of interface-based, VLAN-based, and hybrid VLAN-based Layer 2 protocol
packets.
5.12 ERPS (G.8032) Configuration
Ethernet Ring Protection Switching (ERPS) is a standard protocol issued by the ITU-T to prevent
loops on ring networks. ERPS provides carrier-class relaibility with a fast convergence speed.
ERPS takes effect on a ring network if all ATN devices on a ring network support it.
Issue 02 (2013-12-31)

1263

Equipment
5.1 MAC Address Table Configuration

Each workstation or server that is connected to the Ethernet interface on a device has a unique
Medium Access Control (MAC) address. The MAC address table on the device contains the
MAC addresses of all the other devices that are connected to this device. The MAC address table
is used for data forwarding.
5.1.1 MAC Address Table Introduction

A MAC address table is an interface-based Layer 2 forwarding table. It stores information about
the MAC addresses learned by the device.
MAC Address Table Overview

This section briefly describes the basic concept of a MAC address table, modes for generating
MAC address entries, MAC address entry classification, and MAC address-based packet
forwarding.
Basic Concept of a MAC Address Table

Each device maintains a MAC address table. As shown in Table 5-1, a MAC address table is
used to store the MAC addresses, VLAN IDs, and outbound interfaces learned from other
devices. To forward data, the device searches the MAC address table to locate the outbound
interface quickly based on the destination MAC address and VLAN ID in the data frame. This
implementation reduces broadcast traffic.
Table 5-1 MAC address entries
MAC Address
VLAN ID
Outbound Interface
0001-0001-0001
10
GE0/2/1
0011-0022-0034
20
GE0/2/2
1011-0022-0034
30
Eth-Trunk 10
If a destination host is added to multiple VLANs, one MAC address corresponds to multiple
VLAN IDs in the MAC forwarding entries on a switch.
Modes for Generating MAC Address Entries

l
Automatic generation
Usually, a device automatically generates a MAC address table by learning source MAC
addresses. The MAC address table needs to be updated constantly to meet the requirements
of the network changes. The entries automatically generated are not always valid. If the
MAC address entry is not updated before the double aging time expires, the entry will be
Issue 02 (2013-12-31)

1264

Equipment
deleted. The lifecycle is one time or two times the aging time. If an entry is updated before
double aging time expires, the aging time will be recalculated for the entry.
l
Manual configuration
When a device sets up a MAC address table automatically by learning source MAC
addresses, the system cannot identify whether the packets are sent from authorized users
or hackers, bringing security risks. If hackers disguise the source MAC address of attack
packets as the authorized MAC address and send the attack packets with forged MAC
address to the device through another interface, the device will learn incorrect MAC address
entries. As a result, the packets that should be forwarded to authorized users are forwarded
to hackers. To improve interface security, a network administrator can add specific MAC
address entries to the MAC address table to bind the user device to the interface. In this
way, the device can stop the unauthorized users from intercepting data. The configured
MAC address entries take precedence over the automatically generated entries.
Classification of MAC Address Entries

MAC address entries can be classified into dynamic static and blackhole MAC address entries.
l
Dynamic entries
Dynamic entries are learned and stored on interface boards. The dynamic entries expire
and are lost after hot swapping or interface-board resetting, or device rebooting.
Static entries
Static entries are configured by users. Static entries do not expire and are not lost after
device rebooting, hot swapping, or interface-board resetting.
Blackhole entries
Blackhole entries, configured by users, are used to discard frames containing specified
destination MAC addresses. The blackhole entries do not expire and are not lost after device
rebooting, hot swapping or interface-board resetting.
MAC Address-based Packet Forwarding

A device forwards packets in either of the following modes based on MAC address entries:
l
Unicast mode: If the MAC address table contains the entry matching the destination MAC
address of a packet, the device forwards the packet from the outbound interface contained
in the entry.
Broadcast mode: If a packet received by a device is a broadcast or a multicast packet, or if

the MAC address table of the device does not contain an entry matching the destination
MAC address of the packet, the device broadcasts the packet to all the interfaces except
the interface that has received the packet.
5.1.2 Configuring the MAC Address Table Based on the VLAN and
Layer 2 Interface
If user networks are connected through Layer 2 devices and do not forward data through Layer
3 routing, you can configure a MAC address table based on Layer 2 interfaces and VLANs for
data forwarding. Therefore, user networks can communicate with each other.
Issue 02 (2013-12-31)

1265

Equipment
Before You Start

Before configuring a MAC address table based on Layer 2 interfaces and VLANs, familiarize
Generally, a device automatically creates MAC address tables by learning source addresses.
To enhance the security of an interface, network administrators can manually bind a MAC
address and an interface in the table. This can prevent malicious users with counterfeit MAC
address from logging in to the local device through other switches.
To discard the frames to the specified destination MAC address, configure blackhole entries.
Before configuring the MAC address table based on the VLAN and Layer 2 interface, complete
the following tasks:
l
Create a VLAN.
Ensure that the Layer 2 ports in the MAC address entries are added to the VLAN.
Data Preparation
To configure the MAC address table based on the VLAN and Layer 2 interface, you need the
following data.
No.
Data
MAC address, interface type and number, and VLAN ID
Configuring MAC Address Entries

To enhance the security of an interface and to prevent the unauthorized users from accessing the
interface, the network administrator can manually configure static MAC address entries and bind
MAC addresses to the interface, or discard the packets with specified destination MAC
addresses. The interface to which the MAC addresses are bound must be a Layer 2 interface,
and must be added to a specified VLAN, or the interface allows the packets with specified VLAN
IDs to pass through.
Procedure
Step 1 Run:
system-view

Step 2 Run:
mac-address static mac-address interface-type interface-number vlan vlan-id
Issue 02 (2013-12-31)

1266

Equipment
MAC address entries are added.

Note the following:
l You can add only unicast MAC addresses rather than multicast MAC addresses or special
MAC addresses to a MAC address table. Special MAC addresses are reserved for special
usage, such as MAC addresses of special packets.
l The interface type can be physical interface such as Ethernet interface and GE interface, or
logical interface such as Eth-Trunk interface and MAC-Tunnel. The interface specified in
the mac-address static command must be an outbound interface for Layer 2 forwarding.
l The vlan-id must be associated with ports. That is, the VLAN contains the port. Alternatively,
this interface allows the VLAN to pass through.
l A maximum of 1024 non-dynamic entries can be added.
Step 3 Run:
mac-address blackhole mac-address vlan vlan-id
The blackhole MAC address entry is configured.

----End
Follow-up Procedure
After a board or an interface card is removed, the static MAC address entries configured on its
interfaces are saved as temporary MAC address entries. If the board or interface card is reinserted, the static MAC address entries are restored.
However, if the board or interface card do not need to be re-inserted, the temporary MAC address
entries are useless and still occupy the MAC address resources of the system. In this situation,
run the undo mac-address temporary command to delete all temporary MAC address entries
in the system.

After the MAC address table based on Layer 2 interfaces and VLANs is successfully configured,
you can view the destination MAC addresses, outbound interfaces, and MAC address types.
Prerequisites
The configurations of the MAC address table based on the VLAN and layer 2 interface are
complete.
Procedure
l
Run the display mac-address [ mac-address [ vlan vlan-id | vsi vsi-name | verbose ] ]
command to check information about all MAC address entries.
Run the display mac-address blackhole [ vlan vlan-id | vsi vsi-name ] to check information
about black-hole MAC address entries.
Run the display mac-address static [ vlan vlan-id | vsi vsi-name ] to check information
about static MAC address entries.
Run the following commands to check information about dynamic MAC address entries.
Run the display mac-address dynamic verbose command.
Issue 02 (2013-12-31)

1267

Equipment
Run the display mac-address summary command to check statistic information about
MAC address entries.
----End
5.1.3 Configuring the MAC Address Table Based on the VSI and
Layer 3 Interface
If user networks are connected through a Virtual Private LAN Service (VPLS) network, you can
configure a MAC address table based on Layer 3 interfaces and Virtual Switch Instances (VSIs).
Therefore, user networks can communicate with each other.
Before You Start

Before configuring a MAC address table based on Layer 3 interfaces and VSIs, familiarize
In a Virtual Private LAN Service (VPLS) network, provider edges (PEs) learn MAC addresses.
A PE learns the MAC address of the remote PE through the pseudo wire (PW) and learns the
MAC address of the customer edge (CE) that directly accesses the PE through the Attachment
Circuit (AC). In this manner, the PE automatically establishes the MAC address table.
To improve the network security, configure the mapping between the MAC address of the CE
and the PE interface in the MAC address table of the PE, that is, the static MAC address entries
on the AC side. On the PE, binding a MAC address to an interface can prevent illegal users from
accessing the network.
To discard the frames to the specified destination MAC address, configure blackhole entries.
NOTE
For concepts and configurations in VPLS, refer to the "VPLS Configuration" in the Configuration Guide
- VPN.
Before configuring the MAC address table based on the virtual switching instance (VSI) and
Layer 3 interface, complete the following tasks:
l
Configure the VPLS and binding the VSI to the outbound interface.
Configure the sub-interface with qinq stacking if the outbound interface is a sub-interface.
NOTE
For the configuration of qinq stacking on a sub-interface, refer to QinQ Configuration.
Data Preparation
To configure the MAC address table based on the VSI and Layer 3 interface, you need the
following data.
Issue 02 (2013-12-31)

1268

Equipment
No.
Data
VSI name
MAC addresses
PE VLAN ID
CE VLAN ID
Configuring MAC Address Entries

To enhance the security of an interface and to prevent the unauthorized users from connecting
to the interface, the network administrator can manually configure static MAC address entries
and bind MAC addresses to the main interface or sub-interfaces, or discard the packets with
specified destination MAC addresses. An interface that is bound to certain MAC addresses must
be bound to a specified virtual switching instance (VSI).
Context
Perform the following steps on the equipment where the VSI is created:
Procedure
Step 1 Run:
system-view

Step 2 Run:
mac-address static mac-address interface-type interface-number vsi vsi-name [ pevid pe-vid ]
MAC address entries are added.

Note the following:
l You can add only unicast MAC addresses rather than multicast MAC addresses or special
MAC addresses to a MAC address table. Special MAC addresses are reserved for special
usage, such as MAC addresses of special packets.
l The interface type can be Ethernet interface, Ethernet sub-interface, GE interface, GE subinterface, Eth-Trunk interface, or Eth-Trunk sub-interface.
l Ensure that the interface in this command is bound to the VSI specified by vsi-name.
l When pe-vid is used, the interface specified by interface-type interface-number must be a
sub-interface. In addition, this sub-interface must be configured with qinq stacking and bound
to the VSI.
l A maximum of 1024 non-dynamic entries can be added.
Step 3 Run:
mac-address blackhole mac-address vsi vsi-name
Issue 02 (2013-12-31)

1269

Equipment
The blackhole MAC address entry is configured.

----End
Follow-up Procedure
After a board or an interface card is removed, the static MAC address entries configured on its
interfaces are saved as temporary MAC address entries. If the board or interface card is reinserted, the static MAC address entries are restored.
However, if the board or interface card do not need to be re-inserted, the temporary MAC address
entries are useless and still occupy the MAC address resources of the system. In this situation,
run the undo mac-address temporary command to delete all temporary MAC address entries
in the system.

After the MAC address table based on Layer 3 interfaces and VSIs is successfully configured,
you can view the destination MAC addresses, outbound interfaces, and MAC address types.
Prerequisites
The configurations of the MAC address table based on the VSI and layer 3 interface are complete.
Procedure
l
Run the display mac-address [ mac-address [ vlan vlan-id | vsi vsi-name | verbose ] ]
command to check information about all MAC address entries.
Run the display mac-address blackhole [ vlan vlan-id | vsi vsi-name ] to check information
about black-hole MAC address entries.
Run the display mac-address static [ vlan vlan-id | vsi vsi-name ] to check information
about static MAC address entries.
Run the following commands to check information about dynamic MAC address entries.
Run the display mac-address dynamic verbose command.
Run the display mac-address dynamic [ slot-id ] [ vlan vlan-id | vsi vsi-name | sourceslot source-slot-id | interface-type interface-number ] command.
Run the display mac-address summary command to check statistic information about
MAC address entries.
----End
5.1.4 Configuring the Aging Time of a MAC Address Table

As network topologies change constantly, a device learns more and more MAC addresses. To
avoid the explosive growth of MAC address entries, you can set a proper aging time to have the
invalid MAC address entries deleted in time.
Issue 02 (2013-12-31)

1270

Equipment
Before You Start

Before configuring the aging time of MAC address entries, familiarize yourself with the usage
After the network topology changes, dynamic MAC entries are not automatically updated in
time. In this case, user traffic cannot be normally forwarded because the device cannot learn the
new MAC address.
Therefore, you need to configure the aging time of dynamic MAC addresses. When the set aging
time expires, dynamic MAC address entries are automatically deleted. The device re-learns
MAC addresses to generate a new dynamic MAC address type.
The aging time is valid only on dynamic MAC address entries.
The configurations in this section are optional.
None
Data Preparation
To configure the aging time of a MAC address table, you need the following data.
No.
Data
Aging time
Setting the Aging Time of a MAC Address Table

After the aging time of MAC address entries is configured, the dynamic MAC address entries
are automatically deleted if the aging time expires.
Context
Perform the following steps on all the devices:
Procedure
Step 1 Run:
system-view

Step 2 Run:
mac-address aging-time seconds
The aging time of a MAC address table is set.

Issue 02 (2013-12-31)

1271

Equipment
In a MAC address table, only dynamic entries age.

The aging time ranges from 60 to 38400 seconds. The default is 300 seconds.
The aging time 0 means that no MAC address entry is aged.
----End

After the aging time of MAC address entries is successfully configured, you can view
information about the aging time of MAC address entries.
Prerequisites
The configurations of the aging time of a MAC address table are complete.
Procedure
Step 1 Run the display mac-address aging-time command to check the aging time of MAC address
entries.
----End
5.1.5 Maintaining MAC Address Table

This section provides commands used to maintain MAC address tables, including the command
that is used to delete dynamic MAC address tables.
Clearing the Dynamic MAC Address

The ATN provides two methods of deleting dynamic MAC addresses. You can either use a
command to delete dynamic MAC addresses or wait for the system to delete MAC entries that
have become invalid after interfaces go Down, VLANs are deleted, or VSIs are deleted. In
addition, the ATN supports the batch deletion of dynamic MAC addresses in a VLAN, in a VSI,
on an interface, on an interface of a VLAN, or on an interface of a VSI.
Context
After the network topology changes, the ATN's failure to learn new MAC addresses interrupts
the forwarding of user traffic if the dynamic MAC entries are not refreshed in time.
The ATN needs to provide various entry deletion methods to:
l
Minimize the effect on normal services
Promptly delete the invalid MAC entries
Release MAC address resources
Ensure the generation of new MAC entries
Issue 02 (2013-12-31)

1272

Equipment
Procedure
l
To delete the dynamic MAC entries based on a VLAN, run the undo mac-address
dynamic vlan vlan-id command.
To delete the dynamic MAC entries based on a VSI, run the undo mac-address
dynamic vsi vsi-name command.
To delete the dynamic MAC entries based on a port, run the undo mac-address
dynamic { ethernet | gigabitethernet | eth-trunk } interface-number command.
To delete the dynamic MAC entries based on a port in a VLAN, run the undo mac-address
dynamic { ethernet | gigabitethernet | eth-trunk } interface-number vlan vlan-id
command.
To delete the dynamic MAC entries based on a port and the VSI, run the undo mac-address
dynamic { ethernet | gigabitethernet | eth-trunk } interface-number vsi vsi-name
command.
----End
5.1.6 Configuring the Usage Threshold for a MAC Address Table

This section describes how to configure the usage threshold for a Media Access Control (MAC)
address table to control the usage of the MAC address table on a device and facilitate device
management.
Procedure
Step 1 Run:
system-view

Step 2 Run:
mac-address-usage threshold threshold
The usage threshold is configured for a MAC address table.

----End
Example
Run the display mac-address-usage command in the user view to view the usage of the MAC
address table.
<HUAWEI> display mac-address-usage
MAC address usage information:
Slot #
Type
Use-Rate Threshold
0
CXP
0%
90%

This section lists networking requirements, configuration roadmap, and data preparation to
describe the typical application scenarios of MAC address tables, and provides related
Issue 02 (2013-12-31)

1273

Equipment
Example for Configuring the MAC Address Table Based on the Interface and
VLAN
Generally, a device automatically sets up a MAC address table by learning the source MAC
addresses of connected devices. In this networking, the network administrator binds MAC
addresses of user devices to the access interface, which can prevent invalid users from accessing
the network through other switching devices.
As shown in Figure 5-1, GE 0/2/1, GE 0/2/2, GE 0/2/3, and GE 0/2/4 on the ATN belong to
VLAN 2.
Set MAC address entries of NodeBs on the ATN as static entries.
Set the aging time of dynamic entries to 600 seconds.
Figure 5-1 Networking diagram of configuring the MAC address table based on the interface
and VLAN
ATN
GE0/2/1
GE0/2/3
GE0/2/4
GE0/2/2
VLAN 2
NodeB1
NodeB2
NodeB3
NodeB4
1.
Create a VLAN and add an interface to the VLAN.
2.
Configure static MAC address entries.
3.
Configure the aging time.
Data Preparation
l
MAC address of NodeB1 to NodeB4: 0011-2233-44aa, 0011-2233-44bb, 0011-2233-44cc

and 0011-2233-44dd
VLAN ID
The outbound interface on the ATN that is connected to NodeB
Issue 02 (2013-12-31)

1274

Equipment
Aging time
Procedure
Step 1 Switch GE 0/2/1, GE 0/2/2, GE 0/2/3, and GE 0/2/4 to Layer 2 ports.
<ATN> system-view
Step 2 Create VLAN 2 and add GE0/2/1, GE0/2/2,GE0/2/3, GE0/2/4 to VLAN 2.

[ATN] vlan 2
[ATN-vlan2] port gigabitethernet 0/2/1 0/2/2 0/2/3 0/2/4
[ATN-vlan2] quit
Step 3 Configure static MAC address entries.

[ATN]
[ATN]
[ATN]
[ATN]
mac-address
mac-address
mac-address
mac-address
static
static
static
static
0011-2233-44aa
0011-2233-44dd
0011-2233-44bb
0011-2233-44cc
gigabitethernet
gigabitethernet
gigabitethernet
gigabitethernet
0/2/1
0/2/2
0/2/3
0/2/4
vlan
vlan
vlan
vlan
2
2
2
2
Step 4 Set the aging time of dynamic entries to 600 seconds.

[ATN] mac-address aging-time 600

# View the static MAC address table.
[ATN] display mac-address static
MAC address table of slot 0:
-------------------------------------------------------------------------------MAC Address
VLAN/
PEVLAN
CEVLAN
Port
Type
LSP/LSR-ID
VSI/SI
MAC-Tunnel
-------------------------------------------------------------------------------0011-2233-44dd
2
GE0/2/4
static
0011-2233-44cc
2
GE0/2/3
static
0011-2233-44bb
2
GE0/2/2
static
0011-2233-44aa
2
GE0/2/1
static
-------------------------------------------------------------------------------Total matching items on slot 0 displayed = 4
# View the aging time of the dynamic MAC address table.

[ATN] display mac-address aging-time
Aging time: 600 second(s)
----End
Configuration Files
#
Issue 02 (2013-12-31)

1275

Equipment
sysname ATN
#
vlan batch 2
#
mac-address aging-time 600
#
undo shutdown
portswitch
port default vlan 2
#
undo shutdown
portswitch
port default vlan 2
#
undo shutdown
portswitch
port default vlan 2
#
undo shutdown
portswitch
port default vlan 2
#
mac-address static 0011-2233-44aa
mac-address static 0011-2233-44bb
mac-address static 0011-2233-44cc
mac-address static 0011-2233-44dd
#
return
vlan
vlan
vlan
vlan
2
2
2
2
Example for Configuring the MAC Address Table Based on the Interface and VSI
You can configure a static MAC address table based on an interface of a VSI and set the aging
time for dynamic MAC entries.
For an existing user, MAC address is 0011-2233-4455, VSI name is vsi2 and the port is GE
0/2/1.
Set this entry as static to prevent it from aging and set the aging time of other dynamic entries
as 600 seconds.
1.
Create a VSI, and then configure port to join the VSI.
2.
Configure the static address entry.
3.
Configure the aging time.
Data Preparation
l
Issue 02 (2013-12-31)
MAC address: 0011-2233-4455

1276

Equipment
VSI name and the interface
Aging time
Procedure
Step 1 Create vsi2 and configure interface GE 0/2/1 to join the vsi.
Step 2 Configure static MAC address entries.
[HUAWEI] mac-address static 0011-2233-4455 gigabitethernet 0/2/1 vsi2
Step 3 Set the aging time of dynamic entries to 600 seconds.

[HUAWEI] mac-address aging-time 600

# View the aging time of the dynamic MAC address table.
[HUAWEI] display mac-address aging-time
Aging time: 600 second(s)
----End
Configuration Files
#
sysname HUAWEI
#
mac-address aging-time 600
#
mac-address static 0011-2233-4455 GigabitEthernet0/2/1 vsi 2
#
return
5.2 Ethernet Interface Configuration

Being flexible, simple, and easy to implement, the Ethernet becomes the most important LAN
networking technology.
5.2.1 Ethernet Interface Introduction

Ethernet interfaces include traditional Ethernet interfaces, Fast Ethernet (FE) interfaces, Gigabit
Ethernet (GE) interfaces, 10 Gigabit Ethernet (XGE) interfaces.
Introduction
An Ethernet interface works in either half-duplex or full-duplex mode, and supports autonegotiation.
Both the Ethernet and token ring networks are typical types of LANs. The Ethernet technology
has become the most important LAN networking technology because it is flexible, simple, and
easy to implement.
The ATN supports the following types of Ethernet interfaces:
Issue 02 (2013-12-31)

1277

Equipment
Conventional Ethernet interfaces comply with 10Base-T physical layer specifications and
work at 10 Mbit/s.
FE interfaces comply with 100Base-TX physical layer specifications and are compatible
with 10Base-T physical layer specifications.
GE interfaces comply with 1000Base-TX physical layer specifications and are compatible
with the 10Base-T and 100Base-TX physical layer specifications.
XGE interfaces comply with 10GBASE-R physical layer specifications and are compatible
with the 10Base-T, 100Base-TX and 1000Base-TX physical layer specifications.
Electrical Ethernet interfaces can work in either full duplex or half duplex mode. They support
auto-negotiation. In auto-negotiation mode, they negotiate with other network devices for the
most suitable duplex mode and rate. This simplifies system configuration and management.
Features of Ethernet Interfaces Supported by the ATN

In a LAN, an Ethernet interface can transmit Layer 2 and Layer 3 services according to different
interface attributes. An Ethernet interface has both Layer 2 and Layer 3 attributes.
Ethernet Sub-interface
You can create the sub-interface on an Ethernet main interface. LAN interfaces that can be
configured with sub-interfaces include the following types:
l
Ethernet interfaces
GE interfaces
Eth-Trunk interfaces
The ATN supports the configuration of sub-interfaces on both the Layer 3 Ethernet interface
and the Layer 2 Ethernet interface. After Ethernet sub-interfaces are encapsulated with 802.1Q
and associated with the VLAN, the VLAN can communicate with devices out of the VLAN
through Ethernet sub-interface. An Ethernet sub-interface can associate with one VLAN.
5.2.2 Configuring Ethernet Interfaces of the Interface Board

You can configure Ethernet interfaces on the Interface Boards to ensure correct physical
connections between ATNs.
Before You Start

Before configuring Ethernet interfaces, familiarize yourself with the usage scenario, complete
When configuring an Ethernet interface, you must assign an IP address to it. For other
parameters, you can use default values. If you have to change them, keep them consistent with
the peer device.
When a ATN has the function of the Layer 2 switch and the function is in use, you need to
configure the Layer 2 parameters of the Ethernet interface.
Issue 02 (2013-12-31)

1278

Equipment
NOTE
For the application of the Layer 2 features, refer to "VLAN Configuration" and "MSTP Configuration" in
this manual.
None
Data Preparation
To configure an Ethernet interface, you need the following data.
No.
Data
Interface number
IP address and mask of the Ethernet interface
MTU of the Ethernet interface
Assigning an IP Address to an Ethernet Interface

You need to assign IP addresses to Ethernet interfaces to implement communication between
network devices.
Context
For more information about IP address configuration, refer to the Configuration Guide - IP
Services.
Perform the following steps on each ATN:
Procedure
Step 1 Run:
system-view

Step 2 Run:
The Ethernet interface view is displayed.

Step 3 Run:
ip address ip-address { mask | mask-length } [ sub ]
The IP address of the Ethernet interface is configured.

When you configure two or more IP addresses on an Ethernet interface, the IP address except
for the first one can be indicated by the key word sub.
----End
Issue 02 (2013-12-31)

1279

Equipment
Configuring the MTU of an Ethernet Interface

The Maximum Transfer Unit (MTU), which is expressed in bytes, is closely associated with the
link layer protocol. The MTU varies according to the network type. Correctly configuring MTUs
is a prerequisite to network communication.
Context
NOTE
l After changing the MTU on a specified interface, you need to restart the interface to validate the newly
configured value. To restart the interface, run the shutdown and the undo shutdown commands in
succession.
l If there are sub-interfaces, the shutdown and the undo shutdown commands must be configured at
an interval of at least 15 seconds.
Procedure
l
Configuring the IPv4 MTU

1.
Run:
system-view

2.
Run:

3.
Run:
mtu mtu
TheIPv4 MTU of the Ethernet interface is configured.

The MTU is expressed in bytes. The MTU range of Ethernet interfaces depends on
devices. By default, the MTU is 1500 bytes.
----End
Configuring Flow Control on the GE Interface

Configuring flow control on an interface ensures that the interface can properly process received
frames.
Context
Perform the following steps on the ATNs:
Procedure
Step 1 Run:
system-view

Issue 02 (2013-12-31)

1280

Equipment
Step 2 Run:
interface gigabitethernet interface-number
The GE interface view is displayed.

Step 3 Run:
flow control [ receive | send ]
The flow control function is enabled.

By default, flow control is enabled on a GE interface.
After flow control is enabled on an interface, the interface sends a Pause frame to notify the peer
interface to send traffic at a slower rate, if the received traffic reaches the set threshold (for
example, when the traffic rate on a GE interface exceeds 1 Gbit/s). If the peer interface also
supports flow control, it sends traffic at a slower rate after receiving the Pause frame so that the
local interface can process received frames properly.
----End
Configuring the Working Mode on the GE electrical Interface

A GE electrical port works in either master or slave mode. You can manually set the working
modes for GE electrical ports to ensure that they agree with the clock tracing relationships.
Context
A GE electrical port works in either master or slave mode. Two GE ports can be interconnected
only when one of them works in master mode and the other works in slave mode. Usually, ports
auto-negotiate their working modes. If a GE electrical port works in master mode, it uses the
local system clock when sending data. Then the interconnected GE electrical port works in slave
mode and it uses the clock received from the master port when sending data. However, the local
system clock may be asynchronous with the received clock. The inherent master and slave
relationships between GE electrical ports conflict with the relationships established on a clock
synchronization network, and a clock tracing loop results.
Figure 5-2 shows how a clock tracing loop is generated.
Figure 5-2 Generation of a clock tracing loop
GE1
ATNA
GE2
ATNB
ATN A's GE1 is connected to ATN B's GE2. After auto-negotiation on their working modes,
ATN A's GE1 works in master mode and ATN B's GE2 works in slave mode. According to the
master/slave relationships, ATN B's GE2 uses the clock received from the ATN A's GE1 when
sending data. According to the clock tracing relationships, ATN A traces ATN B. Specifically,
Issue 02 (2013-12-31)

1281

Equipment
ATN A extracts the clock from the signals from ATN B and uses them as the system clock. Then
ATN A uses its system clock when sending data to ATN B. Then a clock loop is generated.
The service carried over a GE port involved in Ethernet synchronization may be interrupted in
case of a clock source switchover. Specifying the working mode for the GE port helps avoid this
risk.
Procedure
Step 1 Run:
system-view

Step 2 Run:
interface gigabitethernet interface-type interface-number

Step 3 Run:
set negotiation-mode
The Working Mode can be configured on Gigabit electrical interfaces.

----End
Switching the Working Mode of an Ethernet Interface

By default, Ethernet interfaces on the ATN are Layer 3 interfaces. To use Layer 2 attributes of
Ethernet interfaces, you need to convert Ethernet interfaces into Layer 2 interfaces.
Context
After a Layer 3 interface switches to the Layer 2 mode, the Layer 3 ID and functions are disabled,
and the MAC address is adopted.
Procedure
l
Switching the Working Mode of a Specified Ethernet Interface

1.
Run:
system-view

2.
Run:
The specified Ethernet interface is displayed.

3.
Run:
portswitch
The Ethernet interface is switched to a Layer 2 interface.

l
Issue 02 (2013-12-31)
Switching the Working Mode of Ethernet Interfaces in Batch

1282

Equipment
1.
Run:
system-view

2.
Run:
portswitch batch interface-type { interface-number1 [ to interfacenumber2 ] } &<1-10>
The working modes of Ethernet interfaces are switched in batch.

By default, Ethernet interfaces work in the Layer 3 mode.
----End

After an Ethernet interface is configured, you can check information about the interface,
including the IP address, MTU, speed, working mode, interface mode, and number of received
and sent frames.
Procedure
l
Run the display interface { ethernet | gigabitethernet } [ interface-number ] command

to check the status of the specified Ethernet interface.
Run the display interface ethernet brief command to check the brief information about
the Ethernet interface.
----End
5.2.3 Configuring an Ethernet Sub-interface

If a Layer 3 Ethernet interface needs to identify VLAN packets, configure sub-interfaces on the
Layer 3 Ethernet interface. Then different VLAN packets can be forwarded from different subinterfaces, providing great flexibility.
Before You Start

Before configuring an Ethernet sub-interface, familiarize yourself with the usage scenario,
On the ATN, sub-interfaces can be configured on Layer 3 and Layer 2 Ethernet interfaces.
NOTE
l For the application of Ethernet sub-interfaces in VLANs, refer to Configuring Sub-interfaces for
Inter-VLAN Communication.
l For the application of Ethernet sub-interfaces in QinQ, see QinQ Configuration.
Besides, Layer 2 Ethernet sub-interfaces can be used as follows:

When Multiprotocol Label Switching Traffic Engineering (MPLS TE) features are required on
the devices that communicate with each other through Layer 2 Ethernet interfaces, MPLS TE
cannot be configured on the main interface. Then, you can create a Layer 2 Ethernet sub-interface
Issue 02 (2013-12-31)

1283

Equipment
and configure MPLS TE on the sub-interface. In this way, a physical link can transmit Layer 2
and Layer 3 services at the same time.
Before configuring an Ethernet sub-interface, complete the following tasks:
l
Correctly connect the physical interface of the sub-interface.
Configure a Layer 3 main interface.
Data Preparation
To configure an Ethernet sub-interface, you need the following data.
No.
Data
Numbers of the main interface and sub-interfaces
IP Address of an Ethernet sub-interface
VLAN IDs associated with the sub-interface
(Optional) Thresholds of outbound and inbound bandwidth usage
Creating an Ethernet Sub-interface

A sub-interface and a main interface are relatively independent. Sub-interfaces share the
configuration parameters with physical interfaces, though those sub-interfaces have their own
configuration parameters on the link layer and the network layer.
Procedure
l
Creating a Layer 3 Ethernet Sub-interface

1.
Run:
system-view

2.
Run:
The Ethernet sub-interface view is displayed.

The parameter subinterface-number specifies the number of the Ethernet subinterface.
NOTE
A subinterface cannot be created on an Eth-Trunk member interface.
Creating a Sub-interface for a Layer 2 Ethernet Interface

1.
Run:
system-view
Issue 02 (2013-12-31)

1284

Equipment

2.
Run:

3.
Run:
portswitch
The Ethernet interface is switched to the Layer 2 interface.

By default, Ethernet interfaces work in the Layer 3 mode.
4.
Run:
The Layer 2 Ethernet sub-interface is created.

----End
Configuring an IP address for an Ethernet Sub-interface

Assign IP addresses to Ethernet sub-interfaces to implement communication between network
devices.
Procedure
Step 1 Run:
system-view

Step 2 Run:
interface { ethernet | gigabitethernet | xgigabitethernet | 40ge | 100ge }
interface-number.subinterface-number
The specified Ethernet sub-interface view is displayed.

Step 3 Run:
The IP address of the Ethernet sub-interface is configured.

For the configuration of an IP address, refer to the ATNMulti-service Access
EquipmentConfiguration Guide - IP Services.
NOTE
When two or more IP addresses are configured for an Ethernet interface, the keyword sub must be used to
indicate the second IP address and the following IP addresses.
----End
Configuring the Encapsulation Type for an Ethernet Sub-interface

Before a Layer 3 device is directly connected to a Layer 2 device through Ethernet interfaces,
the directly connected interfaces are added to a specified VLAN. You need to configure the
encapsulation type of the Ethernet sub-interface on the Layer 3 device to ensure the normal
communication between the Layer 2 device and the Layer 3 device.
Issue 02 (2013-12-31)

1285

Equipment
Context
For information about the configuration of dot1q and QinQ termination sub-interfaces, see the
QinQ Configuration.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The Ethernet sub-interface view is displayed.

Step 3 Run:
vlan-type dot1q vlan-id
The encapsulation type and the associated VLAN ID are configured on the Ethernet subinterface.
NOTE
In the ATN, an Ethernet sub-interface can be associated with a maximum number of 64 VLANs. Otherwise,
the maximum number of VLANs with which a sub-interface is associated depends on specific products.
By default, no encapsulation type or the associated VLAN ID is configured on the sub-interface.

For the connectivity of VLANs, the VLAN IDs on interfaces of both ends must be consistent.
The VLAN ID set to the Ethernet sub-interface cannot be the same as that set to the Ethernet
main interface.
----End
(Optional) Configuring the Outbound and Inbound Bandwidth Usage Threshold

of a Sub-interface
After the bandwidth usage threshold is configured for incoming and outgoing traffic on a subinterface, the system sends an alarm to the NMS when the bandwidth usage exceeds the
threshold. When the bandwidth usage falls below the threshold, the system displays a clear alarm.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The specified Ethernet sub-interface view is displayed.

Issue 02 (2013-12-31)

1286

Equipment
Step 3 Run:
trap-threshold { input-rate | output-rate } bandwidth-in-use
The threshold of the outbound or inbound bandwidth usage is configured for the sub-interface.
By default, the threshold of the outbound and inbound bandwidth usage is 100%.
----End

After configuring an Ethernet sub-interface, you can view the MTU, IP address, mask, and
working mode of the Ethernet sub-interface.
Prerequisites
An Ethernet sub-interface has been configured.
Procedure
l
Run the display interface [ interface-type [ interface-number ] | slot slot-id ] command to

check the status of the specified Ethernet interface.
Run the display interface ethernet brief command to check brief information about the
Ethernet interface.
----End
Example
Run the display interface command. If the parameters of the Ethernet sub-interface, such as the
physical status, protocol status, MTU, IP address and mask, and interface mode, are displayed,
the configuration succeeds. For example:
<HUAWEI> display interface gigabitethernet 1/0/0.1
gigabitethernet1/0/1.1 current state : UP
Last line protocol up time : 2000-04-09 05:40:57
Description:HUAWEI, gigabitethernet1/0/1.1 Interface
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fccb-2371
Encapsulation dot1q Virtual LAN, The number of Vlan is 1, Vlan ID 10
Input: 6 packets,574 bytes,
0 errors,0 drops,
Output:6 packets,574 bytes,
0 errors,0 drops
0%
0%
Run the display interface ethernet brief command. If the physical status, auto-negotiation
method, duplex mode, interface rate, and latest average inbound and outbound bandwidth
utilization are displayed, the configuration succeeds. For example:
Issue 02 (2013-12-31)

1287

Equipment
<HUAWEI> display interface ethernet brief
PHY: Physica
*down: administratively down
^down: standby
(l): loopback
(b): BFD down
InUti/OutUti: input utility/output utility
Interface
PHY
Auto-Neg Duplex
down
enable
full
GigabitEthernet3/0/1.1 down
enable
full
Bandwidth
100M
100M
InUti
0%
0%
OutUti
0%
0%
Trunk
---
5.2.4 Configuring the Alarm Thresholds and Log Thresholds for

Inbound and Outbound Bandwidth Usage for an Interface
Monitoring bandwidth usage helps you learn about current device load. If the bandwidth usage
exceeds a configured threshold, an alarm is generated, indicating that bandwidth resources
become insufficient and need an increase.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
trap-threshold { input-rate | output-rate } bandwidth-in-use [ resume-rate resumethreshold ]
The alarm threshold for inbound or outbound bandwidth usage is configured for the interface.
The default alarm threshold for inbound and outbound bandwidth usage is 100%.
If the difference between the bandwidth-in-use and resume-threshold values is too small, alarms
may be frequently generated or cleared.
Step 4 Run:
log-threshold { input-rate | output-rate } bandwidth-in-use [ resume-rate resumethreshold ]
The log threshold for inbound or outbound bandwidth usage is configured for the interface.
The default log threshold for inbound and outbound bandwidth usage is 100%.
If the difference between the bandwidth-in-use and resume-threshold values is too small, alarms
may be frequently generated or cleared.
----End
Example
Run the display this command in the interface view to view the alarm thresholds and log
thresholds for inbound and outbound bandwidth usage.
Issue 02 (2013-12-31)

1288

Equipment
[HUAWEI-GigabitEthernet0/2/1] display this

#
trap-threshold input-rate 80 resume-rate 40
log-threshold input-rate 80 resume-rate 40
#
5.2.5 Maintaining Ethernet Interfaces

The commands related to Ethernet interfaces can be used to locate the faults on an Ethernet
interface.
Testing the Loop of Ethernet Interfaces

To test an Ethernet interface itself, you can run the loopback command in the Ethernet interface
view. When the interface works normally, you must disable the loopback function.
Context
The loop of Ethernet interfaces is generally used to test the interfaces. Run the following
command in the Ethernet interface view.
When interfaces work normally, disable the loop.
Procedure
Step 1 Run the loopback { local | remote } command in Ethernet interface view or GE interface view
to enable the loop on interfaces.
----End

This section lists the networking requirements, configuration roadmap, and data preparation to
describe the typical application scenarios of Ethernet interfaces, and provides related
Example for Configuring a Layer 3 Ethernet Interface

In this networking, you need to configure only the IP address, because other configuration items
retain their default values. If the values of other configuration items need to be changed, you
must set them to be the same as those on the remote device.
As shown in Figure 5-3, Ethernet interfaces of ATNA, CX-B and CX-C are connected to the
IP network 202.38.165.0/24.
Issue 02 (2013-12-31)

1289

Equipment
Figure 5-3 Networking diagram of Ethernet interface configuration

ATNA
CX-B
GE0/2/1
GE1/0/0
202.38.165.2/24
202.38.165.1/24
GE1/0/0
202.38.165.3/24
CX-C
1.
Configure description about each device.
2.
Configure IP addresses for interfaces on each device.
Data Preparation
To configure an Ethernet interface, you need the following data:
l
Interface number
IP address of the interface
Procedure
[HUAWEI] syname ATNA
[ATNA-GigabitEthernet0/2/1] description ATNA
[ATNA-GigabitEthernet0/2/1] ip address 202.38.165.1 255.255.255.0
Step 2 Configure CX-B.

[HUAWEI] syname CX-B
[CX-B-GigabitEthernet1/0/0] undo shutdown
[CX-B-GigabitEthernet1/0/0] description CX-B
[CX-B-GigabitEthernet1/0/0] ip address 202.38.165.2 255.255.255.0
Step 3 Configure CX-C.

[HUAWEI] syname CX-C
[CX-C-GigabitEthernet1/0/0] undo shutdown
[CX-C-GigabitEthernet1/0/0] description CX-C
[CX-C-GigabitEthernet1/0/0] ip address 202.38.165.3 255.255.255.0
Issue 02 (2013-12-31)

1290

Equipment

After the configuration, using the following methods, you can check whether the interface works
normally with the configuration.
l In the case of small traffic volume, ping Ethernet interfaces of a device from another device.
The interfaces are normal if all the ping packets are returned.
l Check the statistics of a device. The interfaces are normal if the number of received error
frames does not change.
Check the interface status of each device. In the normal situation, the physical status and protocol
status are Up.
Take ATNA as an example:
<ATNA> display ip interface brief
!down: FIB overload down
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 2
The number of interface that is DOWN in Physical is 0
The number of interface that is UP in Protocol is 2
The number of interface that is DOWN in Protocol is 0
Interface
IP Address/Mask
Physical
202.38.165.1
up
NULL0
unassigned
up
Protocol
up
up(s)
----End
Configuration Files
l

#
sysname ATNA
#
undo shutdown
ip address 202.38.165.1 255.255.255.0
description ATNA
#
return

#
sysname CX-B
#
undo shutdown
ip address 202.38.165.2 255.255.255.0
description CX-B
#
return

#
sysname CX-C
#
undo shutdown
ip address 202.38.165.3 255.255.255.0
description CX-C
#
Issue 02 (2013-12-31)

1291

Equipment
return
Example for Configuring a Layer 2 Ethernet Interface to Join a VLAN

After Layer 2 Ethernet interfaces are assigned to specific VLANs, interfaces in different VLANs
cannot directly communicate with each other whereas Layer 2 Ethernet interfaces in the same
VLAN can communicate.
Context
For details, refer to Example for Configuring a VLAN Based on Layer 2 Ports.
5.3 Eth-Trunk Interface Configuration

Eth-Trunk interfaces have all functions of Ethernet interfaces and are more reliable due to the
use of the link aggregation technique.
5.3.1 Overview of Eth-Trunk Interfaces

Eth-Trunk bundles physical interfaces together to increase interface bandwidth. In addition to
the interface bandwidth increase, Eth-Trunk can implement load balancing and link backup.
Introduction
Multiple physical interfaces can be bundled into an Eth-Trunk using the link aggregation
technique. The Eth-Trunk interface is a logical interface, having all functions of an Ethernet
interface and is more reliable.
Brief Introduction
As the volume of services deployed on networks increases, the bandwidth provided by a single
P2P physical link working in full-duplex mode cannot meet the requirements of service traffic.
To increase bandwidth, the existing interface boards can be replaced with interface boards of
higher bandwidth capacity. However, this would waste existing device resources and increase
upgrade expenditure. If more links are used to interconnect devices, each Layer 3 interface must
be configured with an IP address, wasting IP addresses.
To increase bandwidth without replacing the existing interface boards or wasting IP address
resources, bundle physical interfaces into a logical interface using the link aggregation technique
to provide higher bandwidth.
Trunk is a bundling technique. Trunk can be used to bundle physical interfaces into a logical
interface, which is called a trunk interface. An Eth-Trunk interface is formed by bundling
Ethernet interfaces.
Concepts
This part describes the link aggregation mode, load balancing mode, member interface
backup, and maximum/minimum number of Up member links for Eth-Trunk interfaces.
Issue 02 (2013-12-31)

1292

Equipment
Table 5-2 shows the Eth-Trunk link aggregation modes.

Table 5-2 Eth-Trunk link aggregation modes
EthTrunk
Link
Aggreg
ation
Mode
Description
Usage Scenario
Static
Link
Aggregat
ion
Control
Protocol
(LACP)
mode
In static LACP mode, two ends exchange

LACP packets to negotiate link aggregation
parameters to determine active and inactive
interfaces.
If the directly-connected
two ends support LACP,
configuring the static
LACP mode is
recommended.
Manual
load
balancin
g mode
In manual load balancing mode, you can

manually add interfaces to an Eth-Trunk
interface. All the member interfaces are in the
forwarding state and carry out load balancing.
The static LACP mode is called M:N mode,

which implements both load balancing and
link backup. M active links in the link
aggregation group are responsible for
forwarding data, while the other N inactive
links are standby and do not forward data. If an
active link becomes faulty, the system selects
the link with the highest priority from the N
inactive links.
If either of the directlyconnected two ends does

not support LACP,
configure the manual load
balancing mode.
Load balancing
Per-destination load balancing: Packets with the same source and destination IP
addresses or with the same source and destination MAC addresses are transmitted over
the same member link.
Per-destination load balancing: Packets with the same source and destination IP
addresses or with the same source and destination MAC addresses are transmitted over
the same member link.
Layer 2 Eth-Trunk interfaces support per-destination load balancing based on the MAC
addresses or the IP addresses of packets.
Layer 3 Eth-Trunk interfaces only support per-destination load balancing based on the
IP addresses of packets.
Per-packet load balancing: Packets are transmitted over different member links.
Both Layer 2 and Layer 3 Eth-Trunk interfaces support per-packet load balancing.
Maximum/Minimum number of Up member links

The number of Up member links determines the status and bandwidth of an Eth-Trunk
interface. To keep stability, set the maximum and minimum numbers of Up member links
to reduce the impact of Eth-Trunk member link status changes.
Issue 02 (2013-12-31)

1293

Equipment
Minimum number of Up member links: After the number of Up member links falls
below the set value, the Eth-Trunk interface goes Down.
Maximum number of Up member links: After the number of Up member links reaches
the set value, the bandwidth of the Eth-Trunk interface does not increase regardless of
whether more member links go Up.
Eth-Trunk Interface Features That the ATN Supports

This section describes Ethernet interface features supported by the ATN. Familiarizing yourself
with these features helps you complete the configuration tasks quickly and accurately.
Eth-Trunk is a bundling technique. You can use Eth-Trunk to bundle Ethernet interfaces into a
logical interface to increase bandwidth.
An Eth-Trunk interface can be configured with a proper link aggregation mode to increase
bandwidth, implement load balancing, and improve network reliability. Table 5-3 shows the
usage of link aggregation modes.
Table 5-3 Eth-Trunk link aggregation modes
Eth-Trunk Link
Aggregation Mode
Usage Scenario
Static Link Aggregation

Control Protocol (LACP)
mode
If the directly-connected two ends support LACP, as shown in

Figure 5-4, configuring the static LACP mode is recommended.
Manual load balancing

mode
If either of the directly-connected two ends does not support

LACP, as shown in Figure 5-5, configure the manual load
balancing mode.
Figure 5-4 Schematic diagram for Eth-Trunk interfaces in static LACP mode
ATNA
Eth-Trunk1
Eth-Trunk1
GE 0/2/1
GE 0/2/2
GE 0/2/3
GE 1/0/1
GE 1/0/2
GE 1/0/3
Eth-Trunk
CX-B
Active links
Backup links
On the network shown in Figure 5-4, PE1 and PE2 are directly connected. Both PEs support
LACP. Eth-Trunk interfaces working in static LACP mode can be configured on the two PEs
to implement load balancing and link backup.
Figure 5-5 Schematic diagram for Eth-Trunk interfaces in manual load balancing mode
ATNA
Issue 02 (2013-12-31)
Eth-Trunk1
GE 0/2/1
GE 0/2/2
GE 0/2/3
Eth-Trunk
Eth-Trunk1 CX-B
GE 1/0/1
GE 1/0/2
GE 1/0/3

1294

Equipment
On the network shown in Figure 5-5, PE1 and PE2 are directly connected. PE1 or PE2 does not
support LACP (or neither PE1 nor PE2 supports LACP). Eth-Trunk interfaces working in manual
load balancing mode can be configured on the two PEs to implement load balancing.
5.3.2 Configuring an Eth-Trunk Interface to Work in Static LACP

Mode
If two LACP-capable devices are directly connected through an Eth-Trunk link, you can
configure the Eth-Trunk interfaces on the two devices to work in static LACP mode. Eth-Trunk
interfaces working in static LACP mode implement both load balancing and link backup.
Before You Start

Before configuring an Eth-Trunk interface to work in static LACP mode, familiarize yourself
with the usage scenario, complete the pre-configuration tasks, and obtain the data required for
the configuration. This helps you complete the configuration task quickly and accurately.
As network services expand, the bandwidth provided by a single P2P physical link working in
full-duplex mode cannot meet the requirement.
To increase bandwidth without obtaining more hardware resources or requiring more IP
addresses, configure Eth-Trunk interfaces using the link aggregation technique. Configuring an
Eth-Trunk interface to work in static LACP mode increases interface bandwidth and provides
reliability. When an Eth-Trunk member link fails, traffic is automatically switched to other
available links, preventing traffic interruption. In addition, Eth-Trunk interfaces working in static
LACP mode can implement load balancing. The configuration is simple and easy to upgrade.
NOTE
Interfaces on different boards can be added to the same Eth-Trunk interface working in static LACP mode.
Before configuring an Eth-Trunk interfaces to work in static LACP mode, connect interfaces
and setting their physical parameters to ensure that the physical interface status is Up.
Data Preparation
To configure an Eth-Trunk interface to work in static LACP mode, you need the following data.
Issue 02 (2013-12-31)
No.
Data
Eth-Trunk ID and LACP system priority value
Type and number of each Eth-Trunk member interface

1295

Equipment
No.
Data
l Public parameters for Layer 2 and Layer 3 Eth-Trunk interfaces: maximum

number of Up member links, minimum number of Up member links, load
balancing mode of the Eth-Trunk interface, mode used by the Eth-Trunk
interface to select active member interfaces, LACP preemption delay, and
timeout period for the Eth-Trunk interface to receive LACP packets
l Parameter for a Layer 2 Eth-Trunk interface: maximum number of Up member
links that determine the Eth-Trunk link bandwidth
l Parameters for a Layer 3 Eth-Trunk interface: IP address, MAC address, and
Maximum Transmission Unit (MTU) of the Eth-Trunk interface
Weight and LACP priority of each member interface
(Optional) IP address, encapsulation type, associated VLAN ID, and MTU of an

Eth-Trunk sub-interface
Creating an Eth-Trunk Interface and Configuring It to Work in Static LACP Mode

Before bundling physical interfaces into an Eth-Trunk, create an Eth-Trunk interface.
Procedure
Step 1 Run:
system-view

Step 2 Run:
lacp priority priority
The LACP system priority is configured.

The default LACP system priority is 32768. The smaller the value, the higher the priority.
To configure one end as the Actor, set its LACP system priority to a value smaller than the
default value. This end can serve as the Actor because the other end uses the default LACP
system priority.
Step 3 Run:
interface eth-trunk trunk-id
An Eth-Trunk interface is created and the Eth-Trunk interface view is displayed.

portswitch
The Eth-Trunk interface is switched to the Layer 2 mode.

By default, an Eth-Trunk interface works in Layer 3 mode.
Issue 02 (2013-12-31)

1296

Equipment
NOTE
Physical interfaces can be added to an Eth-Trunk interface regardless of which mode the Eth-Trunk
interface works in. If the Eth-Trunk interface needs to work in Layer 3 mode, skip this step and go to the
next step.
Step 5 Run:
mode lacp-static
The Eth-Trunk interface is configured to work in static LACP mode.

By default, an Eth-Trunk interface works in manual load balancing mode.
----End
Adding Physical Interfaces to the Eth-Trunk Interface

After an Eth-Trunk interface is created and configured to work in static LACP mode, add
physical interfaces to the Eth-Trunk interface to increase interface bandwidth, carry out load
balancing, and improve reliability.
Context
There are two methods for adding physical interfaces to an Eth-Trunk interface:
l
Add physical interfaces in the view of the Eth-Trunk interface. Using this method, you can
add a single physical interface or physical interfaces in batches.
Add a physical interface in the view of the physical interface. When adding physical
interfaces to an Eth-Trunk interface, note the following points:
Eth-Trunk interfaces cannot be added to Eth-Trunk interfaces.
Different Ethernet interfaces can be added to the same Eth-Trunk interface.
Ethernet interfaces on different interface boards can be added to the same Eth-Trunk
interface.
Eth-Trunk interfaces work in either Layer 2 or Layer 3 mode. Ethernet interfaces can
join an Eth-Trunk interface regardless of which mode the Eth-Trunk interface works
in.
NOTE
A physical interface added to an Eth-Trunk interface is affected by the Eth-Trunk interface:

l
If the shutdown command is run on the Eth-Trunk interface before or after the physical interface is
added, the physical status of the Eth-Trunk interface becomes Administratively DOWN.
Accordingly, the configuration file shows that the physical interface is shutdown and its physical
status is Administratively DOWN.
If the undo shutdown command is run on the Eth-Trunk interface after the physical interface is
added, the configuration file shows that the physical interface is undo shutdown.
Procedure
l
Add one or more physical interfaces in the Eth-Trunk interface view.

1.
Run:
system-view

Issue 02 (2013-12-31)

1297

Equipment
2.
Run:
The Eth-Trunk interface view is displayed.

3.
Run either of the following commands as required:

To add physical interfaces to the Eth-Trunk interface in batches and configure the
mode in which member interfaces of an Eth-Trunk interface send packets., run:
trunkport interface-type { interface-number1 [ to interface-number2 ] }
&<1-8> [ mode { active | passive } ]
A maximum of 8 interfaces can be added to an Eth-Trunk interface in batches.

To add a single physical interface to an Eth-Trunk interface, run:
trunkport interface-type interface-number
Add a physical interface to an Eth-Trunk interface in the view of the physical interface.
1.
Run:
system-view

2.
Run:
The view of a physical interface that needs to be added to an Eth-Trunk interface is

displayed.
3.
Run:
eth-trunk trunk-id [ mode { active | passive } ]
The physical interface is added to the Eth-Trunk interface.

NOTE
l Each Eth-Trunk interface contains a maximum of 8 member interfaces.

l Member interfaces cannot be configured with services or Layer 3 configurations such as
IP addresses.
l Member interfaces cannot be manually configured with MAC addresses.
l An Ethernet interface can be added to only one Eth-Trunk interface. The Ethernet interface
must be deleted from the original Eth-Trunk interface before joining another Eth-Trunk
interface.
l If an Eth-Trunk member interface is directly connected to an interface on the peer, the
interface must also be an Eth-Trunk member interface; otherwise, the devices cannot
communicate with each other.
----End
Follow-up Procedure
You can configure Eth-Trunk member interfaces to send trap messages after the status of the
Eth-Trunk member interfaces changes. After receiving a trap message, check whether the device
fails or recovers.
If you need to know the status change of the member interface of a specified Eth-Trunk interface,
run the trunk-member trap in private-mib enable command to enable Eth-Trunk member
interfaces to use the proprietary MIB to send trap messages. The trap messages sent by using
the proprietary MIB carry Eth-Trunk IDs, whereas the trap messages sent by using the public
MIB do not carry Eth-Trunk IDs.
Issue 02 (2013-12-31)

1298

Equipment
After the trunk-member trap in private-mib enable command is configured, Eth-Trunk

member interfaces only use the proprietary MIB to send trap messages. To view these trap
messages, use the Huawei proprietary MIB.
Configuring Eth-Trunk Interface Parameters

Layer 2 and Layer 3 Eth-Trunk interfaces need to be configured with different parameters.
Configure the parameters as required.
Prerequisites
An Eth-Trunk interface works in Layer 3 mode by default. Before configuring Layer 2
parameters for an Eth-Trunk interface, run the portswitch command to configure the Eth-Trunk
interface to work in Layer 2 mode.
Context
Different types of Eth-Trunk interfaces need to be configured with different parameters, shown
in Table 5-4. Configure the parameters as required.
Table 5-4 Eth-Trunk interface parameters
Interfac
e Type
Parameter Type
Description
Layer 2
and
Layer 3
EthTrunk
interface
s
Maximum number
of Up member links
Setting the maximum number of Up member links

improves network reliability on the basis of sufficient
bandwidth.
After the number of Up member links reaches the upper
limit, the bandwidth of the Eth-Trunk interface does not
increase even if more member links go Up.
Minimum number of
Up member links
Setting the minimum number of Up member links aims to

ensure the minimum bandwidth of the Eth-Trunk
interface.
Load balancing
mode
l Per-destination load balancing differentiates data

flows based on MAC or IP addresses of packets to
ensure that the packets of the same data flow are
transmitted over the same member link.
l Per-destination load balancing guarantees the data
sequence but not the bandwidth usage.
Issue 02 (2013-12-31)

1299

Equipment
Interfac
e Type
Parameter Type
Description
LACP preemption
delay
Enabling LACP preemption on an Eth-Trunk interface

ensures that member interfaces with higher priorities are
selected as active interfaces. For example, if an active
member interface with a high priority fails and then
recovers, LACP preemption helps the interface to become
active again. If LACP preemption is disabled, this member
interface cannot become active again.
LACP preemption delay refers to the period of time that
an inactive member interface of an Eth-Trunk interface in
static LACP mode waits for becoming active.
Layer 2
EthTrunk
interface
Layer 3
EthTrunk
interface
Timeout period for

an Eth-Trunk
interface to receive
LACP packets
If a local member interface does not receive any LACP

packets within the configured timeout period, it goes
Down immediately and no longer forwards data.
Maximum number
of Up member links
that determine the
Eth-Trunk link
bandwidth
This parameter directly affects effective link bandwidth

and indirectly affects interface costs. If the cost of an EthTrunk needs to be changed for other configurations, such
as STP calculation, this parameter must be configured.
IP address of the EthTrunk interface
IP addresses are assigned to Layer 3 Eth-Trunk interfaces

for data communication between network devices.
MAC address of the

Eth-Trunk interface
When a Layer 3 router is connected to a Layer 2 switch

through two Eth-Trunk links to transmit different services,
if both Eth-Trunk interfaces on the router use the default
system MAC address, the switch can learn the system
MAC address from either of the two Eth-Trunk interfaces.
This probably causes a loop between the two devices. To
prevent loops, change the MAC address of an Eth-Trunk
interface as required. Configuring the source and
destination MAC addresses for the two Eth-Trunk links
guarantees transmission of service data flows and
improves network reliability.
NOTE
After the number of Up member links that determine the EthTrunk link bandwidth reaches the upper limit, the STP calculation
is not affected even if more member links go Up.
If an Eth-Trunk interface is configured with a large

number of sub-interfaces, and the MAC address of the
Eth-Trunk interface is changed, it sends a large number of
ARP updates to its peer. If the peer is configured with the
Central Processing-Committed Access Rate (CP-CAR),
increasing bandwidth for receiving ARP packets is
recommended to prevent loss of ARP updates.
Issue 02 (2013-12-31)

1300

Equipment
Interfac
e Type
Parameter Type
Description
MTU of the EthTrunk interface
Generally, the IP layer limits the length of a packet to be

sent each time. Any time the IP layer receives an IP packet
to be sent, it checks to which local interface the packet
needs to be sent and obtains the MTU configured on the
interface. Then, the IP layer compares the MTU with the
packet length. If the packet length is longer than the MTU,
the IP layer disassembles the packet to fragments, each no
longer than the MTU.
If forcible unfragmentation is configured, some packets
may be discarded when being transmitted at the IP layer.
To ensure that large packets are not discarded during
transmission, configure forcible fragmentation for large
packets.
Procedure
l
Configure parameters for a Layer 2 Eth-Trunk interface.

1.
Run:
system-view

2.
Run:

3.
Perform one or more operations shown in Table 5-5 as needed.

Table 5-5 Configuring parameters for a Layer 2 Eth-Trunk interface
Issue 02 (2013-12-31)
Parameter for a
Layer 2 Eth-Trunk
Interface
Operation
Maximum number of
Up member links that
determine the EthTrunk link
bandwidth
Run the max bandwidth-affected-linknumber linknumber command.
Maximum number of
Up member links
Run the max active-linknumber link-number command.
Minimum number of
Up member links
Run the least active-linknumber link-number command.
The default value is 1 to 8.

NOTE
To ensure normal forwarding, you are advised to configure the two
ends of an Eth-Trunk link with the same upper limit.
The default maximum number is 1 to 8.
The default minimum number is 1. An Eth-Trunk interface

is Up as long as one member interface is Up.

1301

Equipment
Parameter for a
Layer 2 Eth-Trunk
Interface
Operation
Load balancing
mode
Run the load-balance { src-dst-mac | src-dst-ip }

command.
By default, a Layer 2 Eth-Trunk interface carries out load
balancing based on MAC addresses.
LACP preemption
delay
1. Run the lacp preempt enable command to enable

LACP preemption.
2. Run the lacp preempt delay delay-time command to
configure an LACP preemption delay.
The default LACP preemption delay is 30 seconds.
NOTE
l To ensure that an Eth-Trunk works properly, you are
advised to enable or disable LACP preemption on both
ends.
l The two ends of an Eth-Trunk link can be configured with
different LACP preemption delays. If the two ends are
configured with different preemption delays, Eth-Trunk
uses the greater delay-time value as the preemption delay.
Timeout period for

an Eth-Trunk
LACP packets
Run the lacp timeout { fast [ user-defined user-defined ]

| slow } command.
By default, the lacp timeoutslow command is used to set
the timeout period to 90 seconds and the interval at which
the peer sends LACP packets to 30 seconds.
If the lacp timeout fast [ user-defined user-defined ]
command is used, the timeout period is 3 seconds and the
peer sends LACP packets every second.
NOTE
The two ends of an Eth-Trunk link can be configured with different
timeout periods. To facilitate maintenance, you are advised to
configure the same timeout period for both ends.

1.
Run:
system-view

2.
Run:

3.
Issue 02 (2013-12-31)

1302

Equipment
Table 5-6 Configuring parameters for a Layer 3 Eth-Trunk interface

Parameter for a
Layer 3 Eth-Trunk
Interface
Operation
Run the ip address ip-address { mask | mask-length }

[ sub ] command.
MAC address of the

Eth-Trunk interface
Run the mac-address mac-address command.
Run the mtu mtu command.
The default MAC address of an Eth-Trunk interface is the

system MAC address, namely, the MAC address of the
Ethernet interface on the main control board.
The MTU is measured in bytes and the default MTU is 1500

bytes.
NOTICE
l The MTUs of two directly-connected interfaces must be the
same. After using the mtu mtu command to change the MTU
of an interface, change the MTU of the directly-connected
interface on another device to ensure that the MTUs of the two
ends are the same. Otherwise, services may be interrupted.
Maximum number of
Up member links
Run the max active-linknumber link-number command.
Minimum number of
Up member links
Load balancing
mode
The default maximum number is 1 to 8.

command.
balancing based on IP addresses.
LACP preemption
delay
1. Run the lacp preempt enable command to enable

LACP preemption.
2. Run the lacp preempt delay delay-time command to
configure an LACP preemption delay.
The default LACP preemption delay is 30 seconds.
NOTE
l To ensure that an Eth-Trunk works properly, you are
advised to enable or disable LACP preemption on both
ends.
l The two ends of an Eth-Trunk link can be configured with
different LACP preemption delays. If the two ends are
configured with different preemption delays, Eth-Trunk
uses the greater delay-time value as the preemption delay.
Issue 02 (2013-12-31)

1303

Equipment
Parameter for a
Layer 3 Eth-Trunk
Interface
Operation
Timeout period for

an Eth-Trunk
LACP packets
Run the lacp timeout { fast [ user-defined user-defined ]

| slow } command.
By default, the lacp timeoutslow command is used to set
the timeout period to 90 seconds and the interval at which
the peer sends LACP packets to 30 seconds.
If the lacp timeout fast [ user-defined user-defined ]
command is used, the timeout period is 3 seconds and the
peer sends LACP packets every second.
NOTE
The two ends of an Eth-Trunk link can be configured with different
timeout periods. To facilitate maintenance, you are advised to
configure the same timeout period for both ends.
----End
Configuring Parameters for Eth-Trunk Member Interfaces

To ensure reliable communication between Eth-Trunk interfaces, properly configure parameters
for Eth-Trunk member interfaces.
Procedure
Step 1 Run:
system-view

Step 2 Run:
interfaceinterface-typeinterface-number
The view of an Eth-Trunk member interface is displayed.

Step 3 Run:
distribute-weight weight-value
The load balancing weight is configured for the Eth-Trunk member interface.
The default weight of an Eth-Trunk member interface is 1.
The total load balancing weights of all member interfaces of an Eth-Trunk interface cannot be
greater than 8.
The Eth-Trunk interface performs load balancing based on the weights of its member interfaces.
The greater the weight of an Eth-Trunk member interface, the heavier the load carried by the
member interface.
Issue 02 (2013-12-31)

1304

Equipment
NOTE
Assume that an Eth-Trunk interface transmits multicast traffic. If the distribute-weight command is run
to change the load balancing weight of its member interface, run the shutdown command and the undo
shutdown command to restart this member interface.
Step 4 Run:
lacp priority priority
The LACP priority is configured for the member interface.

The default LACP interface priority value is 32768.
NOTE
The LACP interface priority indicates the preference of the interface to become active. The smaller the
value, the higher the priority.
----End
(Optical) Configuring an Eth-Trunk Sub-interface

To transmit both Layer 2 and Layer 3 services over the same physical link, create a sub-interface
on a Layer 2 Eth-Trunk interface.
Context
If Layer 2 switching devices belong to different VLANs, and hosts in the VLANs need to
communicate with each other, you need to create sub-interfaces on the Eth-Trunk interface
connecting a Layer 3 device to a Layer 2 switching device, bind a VLAN to each sub-interface,
configure 802.1Q encapsulation on the sub-interfaces, and assign an IP address to each subinterface.
After the configuration is complete, hosts in the VLANs can use these sub-interfaces to
communicate with each other. Eth-Trunk sub-interfaces can be configured to terminate dot1q .
After sub-interfaces are configured for Layer 2 Eth-Trunk interfaces, the Eth-Trunk interfaces
provide Layer 2 functions, and their sub-interfaces provide Layer 3 functions.
Figure 5-6 Typical usage scenario of Layer 2 Eth-Trunk sub-interfaces
VPLS/MPLS/IP
PE2
PE1
Eth-Trunk
Sub-interface
Eth-Trunk
CE2
CE1
S1
S2
VLA
N
Issue 02 (2013-12-31)
S4
S3
VLA
N

1305

Equipment
NOTE
l For applications of Eth-Trunk sub-interfaces in VLAN services, see VLAN Configuration.

l For applications of Eth-Trunk sub-interfaces in QinQ services, see QinQ Configuration.
Procedure
Step 1 Run:
system-view

Step 2 Run:
interface eth-trunk trunk-id.subnumber
A Layer 2 Eth-Trunk sub-interface is created.

An Eth-Trunk sub-interface is created.
A maximum of 4094 sub-interfaces can be created on an Eth-Trunk interface and a maximum
of 16376 Eth-Trunk sub-interfaces can be created on the device.
Step 3 Run:
An IP address is assigned to the Eth-Trunk sub-interface.

When more than one IP address is configured for an Eth-Trunk interface, the keyword sub must
be used to indicate the second and later IP addresses.
Step 4 Run:
The encapsulation type and associated VLAN ID is configured for the Eth-Trunk sub-interface.
By default, an Eth-Trunk sub-interface is not configured with any encapsulation types or
associated with any VLAN IDs.
The VLAN IDs associated with the two communicating Eth-Trunk sub-interfaces must be the
same.
The VLAN ID associated with a sub-interface of a Layer 2 Eth-Trunk interface cannot be the
VLAN ID associated with the Eth-Trunk interface.
NOTE
On the ATN, a sub-interface can be associated with only one VLAN ID.
Step 5 Run:
mtu mtu
The MTU is configured for the Eth-Trunk sub-interface.

The MTU value of an Eth-Trunk interface ranges from 46 to 9600, in bytes. The default value
is 1500.
Issue 02 (2013-12-31)

1306

Equipment
NOTE
The Quality of Service (QoS) queue length is limited. If the MTU is too small whereas the packet size is
large, the packet is probably divided into many fragments and discarded by the QoS queue. To avoid this
situation, lengthen the QoS queue accordingly.
Step 6 Run:
arp send-speed-limit limit
The rate at which the Eth-Trunk interface sends gratuitous Address Resolution Protocol (ARP)
packets is configured.
The default rate is 2000 packets per second.
To prevent the peer from discarding gratuitous ARP packets, configure the rate at which the EthTrunk interface on the local end sends gratuitous ARP packets to a proper value so that the peer
can process all the gratuitous packets from the local end.
----End

After an Eth-Trunk interface in static LACP mode is successfully configured, you can view
information about the Eth-Trunk interface, including the interface ID, working mode, member
interface status, LACP system priority, LACP interface priority, and LACP preemption delay.
Prerequisites
An Eth-Trunk interface in static LACP mode has been configured.
Procedure
l
Run the display trunkmembership eth-trunk trunk-id command to check information

about member interfaces of the Eth-Trunk interface.
Run the display eth-trunk [ trunk-id [ interface interface-type interface-number ] ]

command to check information about the Eth-Trunk link aggregation group and active
member interfaces.
Run the display interface eth-trunk [ trunk-id | main ] command to check the status of
the Eth-Trunk interface.
Run the display interface brief command to check brief information about the Eth-Trunk
interface, including the physical status, link protocol status, and bandwidth usage.
Run the display trunkfwdtbl eth-trunk trunk-id [ slot slot-id ] command to check the
forwarding table on the Eth-Trunk interface.
----End
Example
Run the display trunkmembership eth-trunk command to view the configured working mode
and LACP system priority of the Eth-Trunk interface, LACP priority of each member interface,
and active member interfaces.
<ATNA> display trunkmembership eth-trunk 1
Trunk ID: 1
used status: VALID
TYPE: ethernet
Issue 02 (2013-12-31)

1307

Equipment
Working Mode : Static

Number Of Ports in Trunk = 3
Number Of UP Ports in Trunk = 2
operate status: up
Interface GigabitEthernet0/2/1, valid, operate up, weight=1
Interface GigabitEthernet0/2/3, valid, operate down, weight=1
Run the display eth-trunk command to view information about the Eth-Trunk link aggregation
group and active member interfaces.
<ATNA> display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1
WorkingMode: STATIC
Preempt Delay: Disabled
Hash arithmetic: According to MAC
System Priority: 10
System ID: 00e0-fca8-041a
Least Active-linknumber: 1 Max active-linknumber: 2
Operate status: up
Number Of Up Port In Trunk: 2
-----------------------------------------------------------------------------ActorPortName
Status
PortType PortPri PortNo PortKey
PortState
Weight
Selected 1GE
32768
387
561
11111100
1
Selected 1GE
10
388
561
11111100
1
GigabitEthernet0/2/3 Selected 1GE
32768
389
561
11111100
1
Partner:
-----------------------------------------------------------------------------PartnerPortName
SysPri
SystemID PortPri PortNo PortKey
PortState
32768 00e0-fca6-7f85 32768 387
561
11111100
32768 00e0-fca6-7f85 32768 388
561
11111100
32768 00e0-fca6-7f85 32768 389
561
11111100
Run the display interface eth-trunk command to view the status of the Eth-Trunk interface.
For example:
<HUAWEI> display interface eth-trunk 1
Description : Eth-Trunk1 Interface
Route Port,Hash arithmatic : According to flow,The Maximum Transmit Unit is 1500
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc09-9722
Statistics last cleared: 2008-03-02 15:32:27
Input:
24 packets,3 bytes,
7 unicast,9 broadcast,8 multicasts
10 errors,5 drops,11 unknowprotocol
Output:
39 packets,4 bytes,
15 errors,6 drops
----------------------------------------------------PortName
Status
Weight
UP
1
Issue 02 (2013-12-31)

1308

Equipment
UP
1
Run the display interface brief command to view brief information about the Eth-Trunk
interface, including the physical status, link protocol status, bandwidth usage, and statistics about
error packets. For example:
<HUAWEI> display interface brief | begin Eth-Trunk
PHY: Physical
^down: standby
(l): loopback
(s): spoofing
(b): BFD down
(d): Dampening Suppressed
Interface
PHY
Protocol InUti
Eth-Trunk1
up
up
0%
up
up
0%
up
up
0%
Eth-Trunk1.1
up
up
0%
OutUti
0%
0%
0%
0%
inErrors
0
0
0
0
outErrors
0
0
0
0
Run the display trunkfwdtbl eth-trunk command to view the forwarding table on the EthTrunk interface. For example:
<HUAWEI> display trunkfwdtbl eth-trunk 1
Show the Trunk Forwarding Table
Eth-Trunk1's forwarding table is:
MASTER
SLAVE
5.3.3 Configuring an Eth-Trunk Interface to Work in Manual Load

Balancing Mode
Of the two directly-connected devices between which an Eth-Trunk is set up, if at least one
device does not support LACP, you can create an Eth-Trunk interface working in manual load
balancing mode on each device, and add physical interfaces to the Eth-Trunk interfaces to
increase bandwidth and improve reliability.
Before You Start

Before configuring an Eth-Trunk interface to work in manual load balancing mode, familiarize
yourself with the usage scenario, complete the pre-configuration tasks, and obtain the data
Issue 02 (2013-12-31)

1309

Equipment
required for the configuration. This helps you complete the configuration task quickly and
accurately.
As the volume of services deployed on networks expands, the bandwidth provided by a single
P2P physical link working in full-duplex mode cannot meet the requirement.
addresses, configure Eth-Trunk interfaces using the link aggregation technique. When at least
one of the devices at the two ends of an Eth-Trunk link does not support LACP, you can configure
the Eth-Trunk interface to work in manual load balancing mode. In addition, you can add multiple
member interfaces to increase the bandwidth between the two devices and improve reliability.
NOTE
An Eth-Trunk interface working in manual load balancing mode can contain member interfaces at different
rates, in different duplex modes, and on different boards.
Before configuring an Eth-Trunk interface to work in manual load balancing mode, connect
interfaces and configuring physical parameters for the interfaces to make sure that the physical
status of the interfaces is Up.
Data Preparation
To configure an Eth-Trunk interface to work in manual load balancing mode, you need the
following data.
No.
Data
Eth-Trunk ID of an Eth-Trunk interface that needs to work in manual load

balancing mode
Type and number of each Eth-Trunk member interface
l Public parameters for both Layer 2 and Layer 3 Eth-Trunk interfaces: minimum
number of Up member links and load balancing mode of the Eth-Trunk
interface
l Parameter for a Layer 2 Eth-Trunk interface: maximum number of Up member
links that determine the Eth-Trunk link bandwidth
l Parameters for a Layer 3 Eth-Trunk interface: IP address, MAC address, and
MTU of the Eth-Trunk interface
Issue 02 (2013-12-31)
Load balancing weight of each Eth-Trunk member link
(Optional) IP address, encapsulation type, associated VLAN ID, and MTU of an

Eth-Trunk sub-interface and the rate at which the Eth-Trunk sub-interface sends
gratuitous ARP packets

1310

Equipment
Creating an Eth-Trunk Interface and Configuring It to Work in Manual Load

Balancing Mode
You can add physical interfaces to an Eth-Trunk interface working in manual load balancing
mode. All the member interfaces are in the forwarding state and carry out load balancing.
Procedure
Step 1 Run:
system-view

Step 2 Run:

portswitch
The Eth-Trunk interface is switched to the Layer 2 mode.

By default, an Eth-Trunk interface works in Layer 3 mode.
NOTE
Physical interfaces can be added to an Eth-Trunk interface regardless of which mode the Eth-Trunk
interface works in. If the Eth-Trunk interface needs to work in Layer 3 mode, skip this step and go to the
next step.
Step 4 Run:
mode manual load-balance
The Eth-Trunk interface is configured to work in manual load balancing mode.

By default, an Eth-Trunk interface works in manual load balancing mode.
----End
Adding Physical Interfaces to the Eth-Trunk Interface

After an Eth-Trunk interface is created and configured to work in manual load balancing mode,
add physical interfaces to the Eth-Trunk interface to increase interface bandwidth and improve
reliability.
Context
There are two methods for adding physical interfaces to an Eth-Trunk interface:
l
Add physical interfaces in the view of the Eth-Trunk interface. Using this method, you can
add a single physical interface or physical interfaces in batches.
Add a physical interface in the view of the physical interface. When adding physical
interfaces to an Eth-Trunk interface, note the following points:
Eth-Trunk interfaces cannot be added to Eth-Trunk interfaces.
Different Ethernet interfaces can be added to the same Eth-Trunk interface.
Issue 02 (2013-12-31)

1311

Equipment
Ethernet interfaces on different interface boards can be added to the same Eth-Trunk
interface.
Eth-Trunk interfaces work in either Layer 2 or Layer 3 mode. Ethernet interfaces can
join an Eth-Trunk interface regardless of which mode the Eth-Trunk interface works
in.
NOTE
A physical interface added to an Eth-Trunk interface is affected by the Eth-Trunk interface:

l
If the shutdown command is run on the Eth-Trunk interface before or after the physical interface is
added, the physical status of the Eth-Trunk interface becomes Administratively DOWN.
Accordingly, the configuration file shows that the physical interface is shutdown and its physical
status is Administratively DOWN.
If the undo shutdown command is run on the Eth-Trunk interface after the physical interface is
added, the configuration file shows that the physical interface is undo shutdown.
Procedure
l
Add one or more physical interfaces in the Eth-Trunk interface view.

1.
Run:
system-view

2.
Run:

3.
Run either of the following commands as required:

To add physical interfaces to the Eth-Trunk interface in batches and configure the
mode in which member interfaces of an Eth-Trunk interface send packets., run:
trunkport interface-type { interface-number1 [ to interface-number2 ] }
&<1-8>
A maximum of 8 interfaces can be added to an Eth-Trunk interface in batches.

To add a single physical interface to an Eth-Trunk interface, run:
trunkport interface-type interface-number
Add a physical interface to an Eth-Trunk interface in the view of the physical interface.
1.
Run:
system-view

2.
Run:
The view of a physical interface that needs to be added to an Eth-Trunk interface is

displayed.
3.
Run:
eth-trunk trunk-id
The physical interface is added to the Eth-Trunk interface.
Issue 02 (2013-12-31)

1312

Equipment
NOTE
l Each Eth-Trunk interface contains a maximum of 8 member interfaces.

l Member interfaces cannot be configured with services or Layer 3 configurations such as
IP addresses.
l Member interfaces cannot be manually configured with MAC addresses.
l An Ethernet interface can be added to only one Eth-Trunk interface. The Ethernet interface
must be deleted from the original Eth-Trunk interface before joining another Eth-Trunk
interface.
l If an Eth-Trunk member interface is directly connected to an interface on the peer, the
interface must also be an Eth-Trunk member interface; otherwise, the devices cannot
----End
Follow-up Procedure
You can configure Eth-Trunk member interfaces to send trap messages after the status of the
Eth-Trunk member interfaces changes. After receiving a trap message, check whether the device
fails or recovers.
If you need to know the status change of the member interface of a specified Eth-Trunk interface,
run the trunk-member trap in private-mib enable command to enable Eth-Trunk member
interfaces to use the proprietary MIB to send trap messages. The trap messages sent by using
the proprietary MIB carry Eth-Trunk IDs, whereas the trap messages sent by using the public
MIB do not carry Eth-Trunk IDs.
After the trunk-member trap in private-mib enable command is configured, Eth-Trunk
member interfaces only use the proprietary MIB to send trap messages. To view these trap
messages, use the Huawei proprietary MIB.
Configuring Eth-Trunk Interface Parameters

Eth-Trunk interfaces in manual load balancing mode working in Layer 2 and Layer 3 modes
need to be configured with different parameters.
Prerequisites
An Eth-Trunk interface works in Layer 3 mode by default. Before configuring Layer 2
parameters for an Eth-Trunk interface, run the portswitch command to configure the Eth-Trunk
interface to work in Layer 2 mode.
Context
Different types of Eth-Trunk interfaces need to be configured with different parameters, shown
in Table 5-7. Configure the parameters as required.
Issue 02 (2013-12-31)

1313

Equipment

Interfac
e Type
Parameter Type
Description
Layer 2
and
Layer 3
EthTrunk
interface
s
Load balancing
mode
l Per-destination load balancing differentiates data

flows based on MAC or IP addresses of packets to
ensure that the packets of the same data flow are
transmitted over the same member link.
Layer 2
EthTrunk
interface
Layer 3
EthTrunk
interface
l Per-destination load balancing guarantees the data

sequence but not the bandwidth usage.
Minimum number of
Up member links
Setting the minimum number of Up member links aims to

ensure the minimum bandwidth of the Eth-Trunk
interface.
Maximum number
of Up member links
that determine the
Eth-Trunk link
bandwidth
This parameter directly affects effective link bandwidth

and indirectly affects interface costs. If the cost of an EthTrunk needs to be changed for other configurations, such
as STP calculation, this parameter must be configured.
IP addresses are assigned to Layer 3 Eth-Trunk interfaces

for data communication between network devices.
MAC address of the

Eth-Trunk interface
When a Layer 3 router is connected to a Layer 2 switch

through two Eth-Trunk links to transmit different services,
if both Eth-Trunk interfaces on the router use the default
system MAC address, the switch can learn the system
MAC address from either of the two Eth-Trunk interfaces.
This probably causes a loop between the two devices. To
prevent loops, change the MAC address of an Eth-Trunk
interface as required. Configuring the source and
destination MAC addresses for the two Eth-Trunk links
guarantees transmission of service data flows and
improves network reliability.
NOTE
After the number of Up member links that determine the EthTrunk link bandwidth reaches the upper limit, the STP calculation
is not affected even if more member links go Up.
If an Eth-Trunk interface is configured with a large

number of sub-interfaces, and the MAC address of the
Eth-Trunk interface is changed, it sends a large number of
ARP updates to its peer. If the peer is configured with the
Central Processing-Committed Access Rate (CP-CAR),
increasing bandwidth for receiving ARP packets is
recommended to prevent loss of ARP updates.
Issue 02 (2013-12-31)

1314

Equipment
Interfac
e Type
Parameter Type
Description
Generally, the IP layer limits the length of a packet to be

sent each time. Any time the IP layer receives an IP packet
to be sent, it checks to which local interface the packet
needs to be sent and obtains the MTU configured on the
interface. Then, the IP layer compares the MTU with the
packet length. If the packet length is longer than the MTU,
the IP layer disassembles the packet to fragments, each no
longer than the MTU.
If forcible unfragmentation is configured, some packets
may be discarded when being transmitted at the IP layer.
To ensure that large packets are not discarded during
transmission, configure forcible fragmentation for large
packets.
Procedure
l

1.
Run:
system-view

2.
Run:

3.

Table 5-8 Parameter for a Layer 2 Eth-Trunk Interface
Issue 02 (2013-12-31)
Parameter for a
Layer 2 Eth-Trunk
Interface
Operation
Maximum number of
Up member links that
determine the EthTrunk link
bandwidth
Run the max bandwidth-affected-linknumber linknumber command.
Minimum number of
Up member links
The default value is 1 to 8.

NOTE
To ensure normal forwarding, you are advised to configure the two
ends of an Eth-Trunk link with the same upper limit.


1315

Equipment
Parameter for a
Layer 2 Eth-Trunk
Interface
Operation
Load balancing
mode

command.
balancing based on MAC addresses.

1.
Run:
system-view

2.
Run:

3.

Parameter for a
Layer 3 Eth-Trunk
Interface
Operation
Run the ip address ip-address { mask | mask-length }

[ sub ] command.
MAC address of the

Eth-Trunk interface
Run the mac-address mac-address command.
Run the mtu mtu command.
The default MAC address of an Eth-Trunk interface is the

system MAC address, namely, the MAC address of the
Ethernet interface on the main control board.
The MTU is measured in bytes and the default MTU is 1500

bytes.
NOTICE
l The MTUs of two directly-connected interfaces must be the
same. After using the mtu mtu command to change the MTU
of an interface, change the MTU of the directly-connected
interface on another device to ensure that the MTUs of the two
ends are the same. Otherwise, services may be interrupted.
Minimum number of
Up member links
Issue 02 (2013-12-31)


1316

Equipment
Parameter for a
Layer 3 Eth-Trunk
Interface
Operation
Load balancing
mode

command.
balancing based on IP addresses.
----End
Configuring Parameters for Eth-Trunk Member Interfaces

To ensure reliable communication between Eth-Trunk interfaces, properly configure parameters
for Eth-Trunk member interfaces.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The view of an Eth-Trunk member interface is displayed.

Step 3 Run:
distribute-weight weight-value
The load balancing weight is configured for the Eth-Trunk member interface.
The default weight of an Eth-Trunk member interface is 1.
The total load balancing weights of all member interfaces of an Eth-Trunk interface cannot be
greater than 8.
The Eth-Trunk interface performs load balancing based on the weights of its member interfaces.
The greater the weight of an Eth-Trunk member interface, the heavier the load carried by the
member interface.
NOTE
Assume that an Eth-Trunk interface transmits multicast traffic. If the distribute-weight command is run
to change the load balancing weight of its member interface, run the shutdown command and the undo
shutdown command to restart this member interface.
----End
(Optical) Configuring an Eth-Trunk Sub-interface

To transmit both Layer 2 and Layer 3 services over the same physical link, create a sub-interface
on a Layer 2 Eth-Trunk interface.
Issue 02 (2013-12-31)

1317

Equipment
Context
If Layer 2 switching devices belong to different VLANs, and hosts in the VLANs need to
communicate with each other, you need to create sub-interfaces on the Eth-Trunk interface
connecting a Layer 3 device to a Layer 2 switching device, bind a VLAN to each sub-interface,
configure 802.1Q encapsulation on the sub-interfaces, and assign an IP address to each subinterface.
After the configuration is complete, hosts in the VLANs can use these sub-interfaces to
communicate with each other. Eth-Trunk sub-interfaces can be configured to terminate dot1q .
After sub-interfaces are configured for Layer 2 Eth-Trunk interfaces, the Eth-Trunk interfaces
provide Layer 2 functions, and their sub-interfaces provide Layer 3 functions.
Figure 5-7 Typical usage scenario of Layer 2 Eth-Trunk sub-interfaces
VPLS/MPLS/IP
PE2
PE1
Eth-Trunk
Sub-interface
Eth-Trunk
CE2
CE1
S1
S2
S4
S3
VLA
N
VLA
N
NOTE
l For applications of Eth-Trunk sub-interfaces in VLAN services, see VLAN Configuration.

l For applications of Eth-Trunk sub-interfaces in QinQ services, see QinQ Configuration.
Procedure
Step 1 Run:
system-view

Step 2 Run:
interface eth-trunk trunk-id.subnumber
A Layer 2 Eth-Trunk sub-interface is created.

An Eth-Trunk sub-interface is created.
A maximum of 4094 sub-interfaces can be created on an Eth-Trunk interface and a maximum
of 16376 Eth-Trunk sub-interfaces can be created on the device.
Issue 02 (2013-12-31)

1318

Equipment
Step 3 Run:
An IP address is assigned to the Eth-Trunk sub-interface.

When more than one IP address is configured for an Eth-Trunk interface, the keyword sub must
be used to indicate the second and later IP addresses.
Step 4 Run:
The encapsulation type and associated VLAN ID is configured for the Eth-Trunk sub-interface.
By default, an Eth-Trunk sub-interface is not configured with any encapsulation types or
associated with any VLAN IDs.
The VLAN IDs associated with the two communicating Eth-Trunk sub-interfaces must be the
same.
The VLAN ID associated with a sub-interface of a Layer 2 Eth-Trunk interface cannot be the
VLAN ID associated with the Eth-Trunk interface.
NOTE
On the ATN, a sub-interface can be associated with only one VLAN ID.
Step 5 Run:
mtu mtu
The MTU is configured for the Eth-Trunk sub-interface.

The MTU value of an Eth-Trunk interface ranges from 46 to 9600, in bytes. The default value
is 1500.
NOTE
The Quality of Service (QoS) queue length is limited. If the MTU is too small whereas the packet size is
large, the packet is probably divided into many fragments and discarded by the QoS queue. To avoid this
situation, lengthen the QoS queue accordingly.
Step 6 Run:
arp send-speed-limit limit
The rate at which the Eth-Trunk interface sends gratuitous Address Resolution Protocol (ARP)
packets is configured.
The default rate is 2000 packets per second.
To prevent the peer from discarding gratuitous ARP packets, configure the rate at which the EthTrunk interface on the local end sends gratuitous ARP packets to a proper value so that the peer
can process all the gratuitous packets from the local end.
----End

After an Eth-Trunk interface in manual load balancing mode is successfully configured, you can
view information about the Eth-Trunk interface, including the Eth-Trunk ID, working mode,
and status of member interfaces.
Issue 02 (2013-12-31)

1319

Equipment
Prerequisites
An Eth-Trunk interface in manual load balancing mode has been configured.
Procedure
l
Run the display trunkmembership eth-trunk trunk-id command to check information

about member interfaces of the Eth-Trunk interface.
Run the display eth-trunk [ trunk-id [ interface interface-type interface-number ] ]

command to check information about the Eth-Trunk link aggregation group and active
member interfaces.
Run the display interface eth-trunk [ trunk-id | main ] command to check the status of
the Eth-Trunk interface.
Run the display interface brief command to check brief information about the Eth-Trunk
interface, including the physical status, link protocol status, and bandwidth usage.
Run the display trunkfwdtbl eth-trunk trunk-id [ slot slot-id ] command to check the
forwarding table on the Eth-Trunk interface.
----End
Example
Run the display trunkmembership eth-trunk command to view the configured working mode
and LACP system priority of the Eth-Trunk interface, LACP priority of each member interface,
and active member interfaces.
<ATNA> display trunkmembership eth-trunk 1
Trunk ID: 1
used status: VALID
TYPE: ethernet
Working Mode : Static
operate status: up
Run the display eth-trunk command to check information about the Eth-Trunk link aggregation
group and active member interfaces.
WorkingMode: NORMAL
Hash arithmetic: According to flow
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 16
Operate status: up
-------------------------------------------------------------------------------PortName
Status
Weight
Up
1
Up
1
Up
1
Run the display interface eth-trunk command to view the status of the Eth-Trunk interface.
For example:
<HUAWEI> display interface eth-trunk 1
Issue 02 (2013-12-31)

1320

Equipment
Description : Eth-Trunk1 Interface

Route Port,Hash arithmatic : According to flow,The Maximum Transmit Unit is 1500
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc09-9722
Statistics last cleared: 2008-03-02 15:32:27
Input:
24 packets,3 bytes,
10 errors,5 drops,
Output:
39 packets,4 bytes,
15 errors,6 drops
----------------------------------------------------PortName
Status
Weight
UP
1
UP
1
Run the display interface brief command to view brief information about the Eth-Trunk
interface, including the physical status, link protocol status, bandwidth usage, and statistics about
error packets. For example:
<HUAWEI> display interface brief | begin Eth-Trunk
PHY: Physical
^down: standby
(l): loopback
(s): spoofing
(b): BFD down
(d): Dampening Suppressed
Interface
PHY
Protocol InUti
Eth-Trunk1
up
up
0%
up
up
0%
up
up
0%
Eth-Trunk1.1
up
up
0%
OutUti
0%
0%
0%
0%
inErrors
0
0
0
0
outErrors
0
0
0
0
Run the display trunkfwdtbl eth-trunk command to view the forwarding table on the EthTrunk interface. For example:
<HUAWEI> display trunkfwdtbl eth-trunk 1
Show the Trunk Forwarding Table
Eth-Trunk1's forwarding table is:
MASTER
SLAVE

This section describes the typical application scenario of an Eth-Trunk interface, including
networking requirements, configuration roadmap, and data preparation, and provides related
Issue 02 (2013-12-31)

1321

Equipment
Example for Configuring Eth-Trunk Interfaces to Work in Static LACP Mode

Eth-Trunk interfaces working in static LACP mode exchange LACP packets to determine active
and inactive member interfaces, then implement load balancing and interface backup to improve
link reliability.
The link aggregation technique can be used to configure Eth-Trunk interfaces to increase link
bandwidth and save IP addresses without deploying new hardware. If the two directly-connected
devices support LACP, Eth-Trunk interfaces working in static LACP mode can be configured
on the devices. Eth-Trunk interfaces working in static LACP mode exchange LACP packets to
determine active and inactive member interfaces. Traffic is transmitted over active links in load
balancing mode. If an active link fails, traffic transmitted over the link is automatically switched
to an available link, preventing service interruption. In addition, it is simple to configure EthTrunk interfaces to work in static LACP mode.
As shown in Figure 5-8, the static LACP link aggregation groups are configured on two PEs to
increase bandwidth and reliability between the two devices.
Figure 5-8 Networking diagram for configuring Eth-Trunk interfaces to work in static LACP
mode
ATNA
Eth-Trunk1
Eth-Trunk1
GE 0/2/1
GE 0/2/2
GE 0/2/3
GE 1/0/1
GE 1/0/2
GE 1/0/3
Eth-Trunk
CX-B
Active links
Backup links
1.
Configure an Eth-Trunk interface on each PE to increase bandwidth and implement load

balancing and link backup.
a.
Configure the Eth-Trunk interfaces to work in static Eth-Trunk mode.
b.
Configure a system priority for each PE to determine the active end.
2.
Add member interfaces to the Eth-Trunk interface.
3.
Configure the following Eth-Trunk interface parameters:

l Configure the maximum number of active member interfaces to improve network
reliability without affecting interface bandwidth.
Issue 02 (2013-12-31)

1322

Equipment
l Enable LACP preemption and the delay time for LACP preemption on the Eth-Trunk
interface to ensure that a member interface with the highest LACP priority is selected
as an active interface.
4.
Configure member interface parameters, including interface priorities for determining

active links.
5.
Data Preparation
l
Number of the link aggregation group on each PE
Device priorities
Maximum number of active Eth-Trunk member interfaces
Delay time for LACP preemption
LACP priorities of active member interfaces
Procedure
Step 1 Create Eth-Trunk 1 and configure it to work in static LACP mode.
# Configure ATNA.
[ATNA] interface eth-trunk 1
[ATNA-Eth-Trunk1] mode lacp-static
[ATNA-Eth-Trunk1] quit
# Configure PE2.
[HUAWEI] sysname CX-B
[CX-B] interface eth-trunk 1
[CX-B-Eth-Trunk1] mode lacp-static
[CX-B-Eth-Trunk1] quit
Step 2 Configure the LACP system priority on ATNA to be 100, allowing ATNA to function as the
LACP active end.
[ATNA] lacp priority 100
Step 3 Add member interfaces to Eth-Trunk 1.

# Configure ATNA.
[ATNA-Gigabitethernet0/2/1] undo shutdown
[ATNA-Gigabitethernet0/2/1] eth-trunk 1
[ATNA-Gigabitethernet0/2/1] quit
# Configure CX-B.
Issue 02 (2013-12-31)

1323

Equipment

[CX-B-Gigabitethernet1/0/1] undo shutdown
[CX-B-Gigabitethernet1/0/1] eth-trunk 1
[CX-B-Gigabitethernet1/0/1] quit
Step 4 Configure the maximum number of active member interfaces on ATNA to be 2.

[ATNA-Eth-Trunk1] max active-linknumber 2
NOTE
As PA1 is the active end, the maximum number of active member interfaces does not need to be configured
on CX-B.
Step 5 Configure LACP preemption and the LACP preemption delay time.
# Configure ATNA.
[ATNA-Eth-Trunk1] lacp preempt enable
[ATNA-Eth-Trunk1] lacp preempt delay 20
# Configure CX-B.
[CX-B-Eth-Trunk1] lacp preempt enable
[CX-B-Eth-Trunk1] lacp preempt delay 20
Step 6 Configure interface priorities to determine active links.

# Configure ATNA.
[ATNA] interface gigabitethernet
[ATNA-Gigabitethernet0/2/1] lacp
0/2/1
priority 100
0/2/2
priority 100
0/2/3
priority 150
# Configure CX-B.
[CX-B] interface gigabitethernet
[CX-B-Gigabitethernet1/0/1] lacp
1/0/1
priority 100
1/0/2
priority 100
1/0/3
priority 150

Issue 02 (2013-12-31)

1324

Equipment
# Check Eth-Trunk information about each PE and check whether Eth-Trunk link negotiation
succeeds.
[ATNA] display eth-trunk 1
Local:
LAG ID: 1
WorkingMode: STATIC
Preempt Delay: 20
System Priority: 100
System ID: 00e0-fca8-0417
Least Active-linknumber: 1
Max active-linknumber: 2
Operate status: up
-------------------------------------------------------------------------------ActorPortName
Status
PortType PortPri PortNo PortKey PortState Weight
Selected 1GE
100
6145
2865
11111100 1
Selected 1GE
100
6146
2865
11111100 1
Unselect 1GE
150
6147
2865
11100000 1
Partner:
----------------------------------------------------------------------------ActorPortName
SysPri
SystemID
PortPri PortNo PortKey
PortState
32768
00e0-fca6-7f85
32768
6145
2609
11111100
32768
00e0-fca6-7f85
32768
6146
2609
11111100
32768
00e0-fca6-7f85
32768
6147
2609
11110000
[CX-B] display eth-trunk 1
Local:
LAG ID: 1
WorkingMode: STATIC
Preempt Delay: 20
System Priority: 32768
System ID: 00e0-fca6-7f85
Least Active-linknumber: 1
Max active-linknumber: 16
Operate status: up
--------------------------------------------------------------------------------ActorPortName
Status
PortType PortPri PortNo PortKey PortState Weight
Selected 1GE
32768
6145
2609
11111100 1
Selected 1GE
32768
6146
2609
11111100 1
Unselect 1GE
32768
6147
2609
11100000 1
Partner:
-----------------------------------------------------------------------------ActorPortName
SysPri
SystemID
PortPri PortNo PortKey
PortState
32768
00e0-fca8-0417
100
6145
2865
11111100
32768
00e0-fca8-0417
100
6146
2865
11111100
32768
00e0-fca8-0417
150
6147
2865
11110000
The preceding information indicates that the system priority of ATNA is 100, which is higher
than the system priority of CX-B. GE 0/2/1 and GE 0/2/2 of the Eth-Trunk interface are in the
Selected state, and GE 0/2/3 of the Eth-Trunk interface is in the Unselect state. The links of
GE0/2/1 and GE0/2/2 are the M links that are used for load balancing, and the link of GE
0/2/3 is the N link that functions as a backup link.
----End
Configuration Files
l

#
sysname ATNA
#
lacp priority 100
#
mode lacp-static
max active-linknumber 2
lacp preempt enable
lacp preempt delay 20
Issue 02 (2013-12-31)

1325

Equipment
#
undo shutdown
eth-trunk 1
lacp priority 100
#
undo shutdown
eth-trunk 1
lacp priority 100
#
undo shutdown
eth-trunk 1
lacp priority 150
#
return

#
sysname CX-B
#
mode lacp-static
lacp preempt enable
lacp preempt delay 20
#
undo shutdown
eth-trunk 1
lacp priority 100
#
undo shutdown
eth-trunk 1
lacp priority 100
#
undo shutdown
eth-trunk 1
lacp priority 150
#
return
Example for Configuring Eth-Trunk Interfaces to Work in Manual Load Balancing

Mode
All active member interfaces of an Eth-Trunk interface working in manual load balancing mode
participate in data forwarding. Traffic is distributed among these member links, improving link
reliability.
addresses, configure Eth-Trunk interfaces using the link aggregation technique. When at least
one of the two directly-connected devices in communication does not support LACP, you can
configure an Eth-Trunk interface in manual load balancing mode on each device. Then, add
interfaces to each Eth-Trunk interface to increase the bandwidth between the two devices and
improve reliability.
Issue 02 (2013-12-31)

1326

Equipment
As shown in Figure 5-9, the links between the two ATNs (ATNA and CX-B) need high
reliability and need to implement traffic load balancing.
Figure 5-9 Networking diagram for configuring Eth-Trunk interfaces to work in manual load
balancing mode
ATNA
Eth-Trunk1
GE 0/2/1
GE 0/2/2
GE 0/2/3
Eth-Trunk
Eth-Trunk1 CX-B
GE 1/0/1
GE 1/0/2
GE 1/0/3
1.
Create an Eth-Trunk interface in order to increase bandwidth.
2.
Add member interfaces to the Eth-Trunk interface.
3.

NOTE
By default, a created Eth-Trunk interface works in manual load balancing mode. Therefore, this mode does
not need to be configured. If the current work mode is not the manual load balancing mode, run the
mode command to change the working mode.
Data Preparation
l
Number of the link aggregation group
Types and numbers of Eth-Trunk member interfaces
Procedure
Step 1 Create an Eth-Trunk interface on each PE.
# Configure ATNA.
# Configure CX-B.
Step 2 Add member interfaces to each Eth-Trunk interface.

# Configure ATNA.
Issue 02 (2013-12-31)

1327

Equipment
# Configure CX-B.

Run the display trunkmembership command in any view. You can check whether Eth-Trunk
1 on ATNA has been created, and whether the member interfaces have been added to Eth-Trunk
1. Use the display on ATNA as an example.
[ATNA] display trunkmembership eth-trunk 1
Trunk ID: 1
used status: VALID
TYPE: ethernet
Working Mode : Normal
Working State: Normal
operate status: up
----End
Configuration Files
l

#
sysname ATNA
#
#
undo shutdown
eth-trunk 1
#
undo shutdown
eth-trunk 1
#
undo shutdown
Issue 02 (2013-12-31)

1328

Equipment
eth-trunk 1
#
return

#
sysname CX-B
#
#
undo shutdown
eth-trunk 1
#
undo shutdown
eth-trunk 1
#
undo shutdown
eth-trunk 1
#
return
5.4 VLAN Configuration

Virtual Local Area Networks (VLANs) have advantages of broadcast domain isolation, security
enhancement, flexible networking, and good extensibility.
5.4.1 VLAN Introduction

The VLAN technology logically divides a physical LAN into multiple broadcast domains
(VLANs).
Introduction
The VLAN technology is important for forwarding on Layer 2 networks. This section describes
the background, functions, and advantages of the VLAN technology.
Overview of VLAN
The Ethernet technology is for sharing communication mediums and data based on the Carrier
Sense Multiple Access/Collision Detect (CSMA/CD). If there are a large number of PCs on an
Ethernet network, collision becomes a serious problem and can lead to broadcast storms. As a
result, network performance deteriorates. This can even cause the Ethernet network to become
unavailable. Switches can be used to interconnect local area networks (LANs). Switches forward
information received by inbound ports to specified outbound ports, thereby preventing access
collision in a shared medium. If no specified outbound port is found for information received
by an inbound port, the switch will forward the information from all ports except the inbound
port. This forms a broadcast domain.
To prevent broadcast domains from being too broad and causing problems, you can divide a
network into segments. In this manner, a large broadcast domain is divided into multiple small
broadcast domains to confine the possible scope of broadcast packets. Routers can be deployed
at the network layer to separate broadcast domains, but this method has disadvantages, which
Issue 02 (2013-12-31)

1329

Equipment
include: complex network planning, inflexible networking, and high levels of expenditure. The
Virtual Local Area Network (VLAN) technology can divide a large Layer 2 network into
broadcast domains to prevent broadcast storms and protect network security.
Definition of VLAN
The VLAN technology is used to divide a physical LAN into multiple logical broadcast domains,
each of which is called a VLAN. Each VLAN contains a group of PCs that have the same
requirements. A VLAN has the same attributes as a LAN. PCs of a VLAN can be placed on
different LAN segments. If two PCs are located on one LAN segment but belong to different
VLANs, they do not broadcast packets to each other. With VLAN, the broadcast traffic volume
is reduced; fewer devices are required; network management is simplified; and network security
is improved.
Basic VLAN Concepts and Principles

l
802.1Q and VLAN frame format

A conventional Ethernet frame is encapsulated with the Length/Type field for an upperlayer protocol following the Destination address and Source address fields, as shown in
Figure 5-10.
Figure 5-10 Conventional Ethernet frame format
6bytes
Destination
address
6bytes
2bytes
46-1500bytes 4bytes
Source
Data
FCS
Length/Type
address
IEEE 802.1Q is an Ethernet networking standard for a specified Ethernet frame format. It
adds a 32-bit field between the Source address and the Length/Type fields of the original
frame, as shown in Figure 5-11.
Figure 5-11 802.1Q frame format
6bytes
6bytes
4bytes
Destination Source 802.1Q

address
address
Tag
TPID
2bytes
PRI
2bytes 46-1500bytes 4bytes

Length/
Type
Data
FCS
CFI VID
3bits 1bit 12bits
Tag Protocol Identifier (TPID): a 16-bit field set to a value of 0x8100 in order to identify
the frame as an IEEE 802.1Q-tagged frame. If an 802.1Q-incapable device receives an
802.1Q frame, it will discard the frame.
Priority (PRI): a 3-bit field which indicates the frame priority. The value ranges from 0
to 7. The greater the value, the higher the priority. These values can be used to prioritize
Issue 02 (2013-12-31)

1330

Equipment
different classes of traffic to ensure that frames with high priorities are transmitted first
when traffic is heavy.
For details, see the Configuration Guide - QoS.
Canonical Format Indicator (CFI): a 1-bit field. If the value of this field is 1, the MAC
address is in the non-canonical format. If the value is 0, the MAC address is in the
canonical format. CFI is used to ensure compatibility between Ethernet networks and
Token Ring networks. It is always set to zero for Ethernet switches.
VLAN Identifier (VID): a 12-bit field specifying the VLAN to which the frame belongs.
On the ATN, VLAN IDs range from 0 to 4095. The values 0 and 4095 are reserved, and
therefore VLAN IDs range from 1 to 4094.
Each frame sent by an 802.1Q-capable switch carries a VLAN ID. On a VLAN, Ethernet
frames are classified into the following types:
Tagged frames: frames with 32-bits 802.1Q tags.
Untagged frames: frames without 32-bits 802.1Q tags.
l
Port types
Table 5-10 lists VLAN port types.
Table 5-10 Port types
Port
Type
Method of
Processing
Received
Untagged Frames
Method of
Processing
Received
Tagged
Frames
Method of
Sending
Frames
Application
Access
port
Accepts an untagged
frame and adds a tag
with the default
VLAN ID to the
frame.
l Discards the
frame.
Removes the tag

from a frame and
sends the frame.
An access port
connects a
switch to a PC
and can be
added to only
one VLAN.
Trunk
port
Discards the frame.
l Accepts a
tagged
frame if the
port permits
the VLAN
ID carried in
the frame.
Sends a received
frame if the port
permits the
VLAN ID
carried in the
frame.
A trunk port
can be added to
multiple
VLANs to send
and receive
frames for these
VLANs. A
trunk port
connects a
switch to
another switch
or to a router.
l Discards a
tagged
frame if the
port denies
the VLAN
ID carried in
the frame.
Issue 02 (2013-12-31)

1331

Equipment
Port
Type
Method of
Processing
Received
Untagged Frames
Method of
Processing
Received
Tagged
Frames
Method of
Sending
Frames
Application
Hybrid
port
Accepts an untagged
frame and adds a tag
with the default
VLAN ID to the
frame.
l Accepts a
tagged
frame if the
port permits
the VLAN
ID carried in
the frame.
l Removes the
tag from a
received
frame and
sends the
frame if the
VLAN ID
carried in the
frame is the
same as the
default
VLAN ID
and
permitted by
the port.
A hybrid port
can be added to
multiple
VLANs to send
and receive
frames for these
VLANs. A
hybrid port can
connect a
switch to a PC
or connect a
network device
to another
network
device.
l Discards a
tagged
frame if the
port denies
the VLAN
ID carried in
the frame.
l Accepts a
tagged
frame if the
VLAN ID
carried in
the frame is
the same as
the default
VLAN ID.
QinQ
port
l Directly
sends a
received
frame if the
VLAN ID
carried in the
frame is
different
from the
default
VLAN ID
but permitted
by the port.
QinQ ports are enabled with the IEEE 802.1QinQ protocol. A QinQ port adds
a tag to a single-tagged frame, and therefore supports a maximum of 4094 x
4094 VLAN tags, which meets the requirement of a Metropolitan Area
Network (MAN)for the number of VLANs.
For details about QinQ, see 5.5 QinQ Configuration.
Each access, hybrid, or QinQ port can be configured with a default VLAN, namely, the
port default VLAN ID (PVID) to specify the VLAN to which the port belongs.
The PVID of an access port indicates the VLAN to which the port belongs.
As a hybrid port can be added to multiple VLANs, the port must be configured with
PVIDs.
By default, a port is added to VLAN 0.
Issue 02 (2013-12-31)

1332

Equipment
VLANIF interface
A VLANIF interface is a Layer 3 logical interface, which can be configured on either a
Layer 3 switch or a router.
To allow that new data flows are correctly forwarded based on the routing table, be sure
that the routing table's routing entries are correct. Therefore, VLANIF interfaces and
routing protocols must be configured on Layer 3 switches for reachable Layer 3 routes.
NOTE
Key points are summarized as follows:

l
A PC does not need to know the VLAN to which it belongs. It sends only untagged frames.
After receiving an untagged frame from a PC, a switching device determines the VLAN to which
the frame belongs. The determination is based on the configured VLAN division method such as port
information, and then the switching device processes the frame accordingly.
If the frame needs to be forwarded to another switching device, the frame must be transparently
transmitted along a trunk link. Frames transmitted along trunk links must carry VLAN tags to allow
other switching devices to properly forward the frame based on the VLAN information.
Before sending the frame to the destination PC, the switching device connected to the destination PC
removes the VLAN tag from the frame to ensure that the PC receives an untagged frame.
Generally, only tagged frames are transmitted on trunk links; only untagged frames are transmitted on
access links. In this manner, switching devices on the network can properly process VLAN information
and PCs are not concerned about VLAN information.
VLAN Features Supported by the ATN

This section describes the VLAN features supported by the ATN to help you better understand
the process of configuring VLANs.
The VLAN technology partitions a single Layer 2 network into multiple broadcast domains that
are mutually isolated. Each of the broadcast domain can be referred to as a VLAN, and the VLAN
technology implements both intra-VLAN and inter-VLAN communication. The general process
of configuring VLANs is described as follows.
1.
After VLANs are configured, users in a VLAN can communicate with each other.
2.
Further configurations are needed for users in different VLANs to communicate with each
other.
NOTE
Intra-VLAN communication and inter-VLAN communication are basic VLAN functions.
3.
Security configurations are needed to ensure reliable VLAN data transmission.
4.
The following VLAN features are also supported to meet the requirements of special
applications and implement extended functions:
l VLAN policy: allows user traffic of different types in a VPN to be distinguished and
scheduled on the backbone network. This provides better quality of service (QoS) for
users.
Port-based VLAN Division

Ports on Layer 2 switches can be added to a specific VLAN to forward frames of the VLAN.
PCs in the VLAN can directly communicate with each other, whereas PCs in different VLANs
cannot directly communicate with each other. With port-based VLAN division, broadcast
packets can be forwarded only within a single VLAN.
Issue 02 (2013-12-31)

1333

Equipment
To classify VLANs based on ports, you need to add ports on Layer 2 switches to VLANs. Portbased VLAN classification is applicable to large-scale and topology-stable networks.
Inter-VLAN Communication
After VLANs are configured, users in the same VLAN can communicate with each other. Users
in different VLANs cannot directly communicate with each other. Table 5-11 lists the schemes
for inter-VLAN communication.
Table 5-11 Schemes for inter-VLAN communication
Issue 02 (2013-12-31)
Inter-VLAN
Communica
tion Scheme
Advantage
Disadvantage
Usage Scenario
Sub-interface
After sub-interfaces are

configured, users in
different VLANs and
network segments can
communicate with
each other as long as
routes are reachable.
l Both Layer 2 and

Layer 3 devices are
required, which
increases
expenditure.
This scheme is
applicable to smallscale networks on
which users belong to
different network
segments.
l If multiple users on a
network belong to
different VLANs,
each VLAN requires
a sub-interface on a
Layer 3 device. Each
sub-interface needs
to be assigned an IP
address. This
increases
configuration
workload and
requires a large
number of IP
addresses.

If traffic is forwarded
mainly at Layer 3, use
sub-interfaces.
1334

Equipment
Inter-VLAN
Communica
tion Scheme
Advantage
Disadvantage
Usage Scenario
VLANIF
interface
After VLANIF
interfaces are
different VLANs and
communicate with
If multiple users on a
network belong to
different VLANs, each
VLAN requires a
VLANIF interface.
Each VLANIF interface
needs to be assigned an
IP address. This
increases the
configuration workload
and requires a lot of IP
addresses.
This scheme is
different network
segments and IP
addresses of these
users are seldom
changed.
IP addresses of users in
different VLANs must
belong to the same
network segment.
This scheme is
applicable to largescale networks on
which multiple users
belong to one network
segment.
Inter-VLAN
communication can
also be implemented by
Layer 3 switches if
This scheme reduces
the operating costs.
VLAN
mapping
This scheme is easy to

configure and does not
rely on routes.
If a large number of
VLANs are configured
and both Layer 2 and
Layer 3 forwarding of
packets are involved,
use VLANIF
interfaces.
VLAN Security Deployment

Table 5-12 lists the schemes that can be deployed to ensure reliable transmission of VLAN data.
Issue 02 (2013-12-31)

1335

Equipment
Table 5-12 Security schemes for VLANs
Issue 02 (2013-12-31)
Securit
y
Schem
e
Description
Advantage
Disadvantage
Usage
Scenario
Disabli
ng a
port
from
broadca
sting
packets
to other
ports in
the
same
VLAN
If a port in a
VLAN receives
broadcast or
unknown unicast
packets, it will
broadcast the
packets to other
ports in the
VLAN. If the
broadcast or
unknown unicast
packets are attack
packets, system
resources are
wasted and device
performance
deteriorates or
even the device
malfunctions.
Disabling the port
from broadcasting
packets to other
ports in the VLAN
prevents such
malicious attacks.
This security
scheme is
applicable to
topology-stable
networks or
networks on
which MAC
addresses are
configured and
forwarding
paths are
specified.

1336

Equipment
Securit
y
Schem
e
Description
Advantage
Disadvantage
Usage
Scenario
Disabli
ng
MAC
address
learning
in a
VLAN
l If a device has
only one
inbound port
and one
outbound port,
MAC address
learning in a
VLAN can be
disabled.
l MAC address
entries are
saved.
This security scheme

requires that the
network has fixed
users and forwarding
paths have been
established by using
dynamic MAC
address learning or
by manually
configuring MAC
addresses.
This security
scheme is
applicable to
topology-stable
networks or
networks on
which MAC
addresses are
configured and
forwarding
paths are
specified.
l This security
scheme is
applicable to
networks that
do not provide
access for new
users.
l Security is
enhanced
because new
users are not
allowed to
access the
network.
users are connected
to a switch, each user
needs to be
configured a static
forwarding path.
This imposes a heavy
configuration burden
on network
administrators.
prohibits new users
from accessing the
network.
Port Isolation in a VLAN

The ATN supports port isolation in a VLAN. A group of ports can be isolated in the VLAN.
For port-based isolation in a VLAN, the isolated ports cannot communicate with each other at
the data link layer. To enable communication between the ports, ARP proxy in the VLAN must
be configured for the isolated ports. In this way, traffic in the VLAN can be monitored at the
network layer.
5.4.2 Dividing a LAN into VLANs

A LAN can be divided into several VLANs and users in each VLAN can communicate with
each other. Currently, the ATN supports several VLAN division modes. You can choose one of
them as required.
Issue 02 (2013-12-31)

1337

Equipment
Before You Start

Before dividing a LAN into VLANs, familiarize yourself with the usage scenario, complete the
Currently, the ATN supports the following VLAN division modes. You can choose one of them
as required. lists VLAN division modes.
Before dividing a LAN into VLANs, connect ports and configuring physical parameters of the
ports, ensuring that the ports are physically Up.
Data Preparation
To dividing a LAN into VLANs, you need the following data.
No.
Data
VLAN ID, number of each Ethernet port to be added to the VLAN, and (optional)
attribute of Ethernet ports
Dividing a LAN into VLANs Based on Ports

Dividing a LAN into VLANs based on ports is the most simple and effective VLAN division
mode.
Context
1.
Create VLANs.
2.
Configure the port type and features.
3.
a.
Configure the port type (access, trunk, hybrid, or QinQ).
b.
(Optional) Configure port priorities to ensure frames received by ports with high
priorities are first forwarded.
Add ports to VLANs.
Procedure
Step 1 Run:
system-view

Step 2 Run:
vlan vlan-id
Issue 02 (2013-12-31)

1338

Equipment
A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been created,
the VLAN view is directly displayed.
The VLAN ID ranges from 1 to 4094. If VLANs need to be created in batches, run the vlan
batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in batches, and then run
the vlan vlan-id command to enter the view of a specified VLAN.
NOTE
If a device is configured with multiple VLANs, configuring names for these VLANs is recommended:
Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run
the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.
Step 3 Run:
quit

Step 4 Configure the port type and features.
1.
Run the interface { ethernet | gigabitethernet } interface-number command to enter the

view of an Ethernet port to be added to the VLAN.
2.
Run the port link-type { access | hybrid | trunk | dot1q-tunnel } command to configure
the port type.
By default, the port type is hybrid.
l If a Layer 2 Ethernet port is directly connected to a terminal, set the port type to access
or hybrid.
l If a Layer 2 Ethernet port is connected to another switch, the port type can be set to
access, trunk, hybrid, or QinQ.
Step 5 Add ports to the VLAN.

Run either of the following commands as needed:
l For access ports:
Run the port default vlan vlan-id command to add a port to a specified VLAN.
To add ports to a VLAN in batches, run the port interface-type { interface-number1 [ to
interface-number2 ] } &<1-10> command in the VLAN view.
NOTE
The input port format must be correct. The port number following to must be greater than the port
number before to. If a group of ports are specified, ensure that these ports are of the same type and all
specified ports exist.
In one port command, a maximum of 10 groups of ports can be specified by using to.
l For trunk ports:

Run the port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command
to add the port to specified VLANs.
l For hybrid ports:
Run the port default vlan vlan-id or port trunk allow-pass vlan { { vlan-id1 [ to vlanid2 ] } &<1-10> | all } command to add the port to specified VLANs.
By default, all ports are added to VLAN 1.
----End
Issue 02 (2013-12-31)

1339

Equipment

After dividing a LAN into VLANs, you can view information about VLANs configured in
different modes. For example, which VLANs are classified based on ports or MAC addresses.
Prerequisites
VLAN division has been configured.
Procedure
l
Run the display vlan [ vlan-id [ verbose ] ] command to check information about all
VLANs or a specified VLAN.
----End
Example
Run the display vlan command. The command output shows information about all VLANs,
including the VLAN ID, VLAN type, and VLAN status. For example:
<HUAWEI> display vlan
The total number of vlans is : 4
VLAN ID Type
Status
MAC Learning Broadcast/Multicast/Unicast Property
-------------------------------------------------------------------------------10
common
enable
enable
forward
forward
forward default
20
common
enable
enable
forward
forward
forward default
30
common
enable
enable
forward
forward
forward default
40
common
enable
enable
forward
forward
forward default
5.4.3 Configuring a VLANIF Interface

VLANIF interfaces are Layer 3 logical interfaces. After creating VLANIF interfaces on Layer
2 devices, you can configure Layer 3 features on these interfaces.
Before You Start

Before creating a VLANIF interface, familiarize yourself with the usage scenario, complete the
To allow that new data flows are correctly forwarded based on the routing table, be sure that the
routing table's routing entries are correct. Therefore, VLANIF interfaces and routing protocols
must be configured on Layer 3 switches for reachable Layer 3 routes.
Before creating a VLANIF interface, create a VLAN.
Data Preparation
To create a VLANIF interface, you need to the following data.
Issue 02 (2013-12-31)

1340

Equipment
No.
Data
VLAN ID and VLAN name
IP address to be assigned to the VLANIF interface
(Optional) Delay after which the VLANIF interface goes Down
(Optional) Bandwidth of the VLANIF interface
Creating a VLANIF Interface

Before configure Layer 3 features on a Layer 2 device, you must create a VLANIF interface on
the device.
Procedure
Step 1 Run:
system-view

Step 2 Run:
A VLANIF interface is created and the VLAIF interface view is displayed.

The VLAN ID specified in this command must be the ID of an existing VLAN.
NOTE
A VLANIF interface is Up only when at least one physical port added to the corresponding VLAN is Up.
----End
Assigning an IP Address to a VLANIF Interface

As a VLANIF interface is a Layer 3 logical interface, it can communicate with other interfaces
at the network layer only after being assigned an IP address.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
Issue 02 (2013-12-31)

1341

Equipment
An IP address is assigned to the VLANIF interface for communication at the network layer.
NOTE
If IP addresses assigned to VLANIF interfaces on a Layer 3 device belong to different network segments,
a routing protocol must be configured on the Layer 3 switch to provide reachable routes. Otherwise,
VLANIF interfaces cannot communicate with each other at the network layer. For configurations of routing
protocols, see the Configuration Guide - IP Routing.
----End
Follow-up Procedure
If you do not want users in a VLAN to communicate with users in another VLAN through a
VLANIF interface, run the shutdown command in the VLANIF interface view. In this situation,
the users in the same VLAN can still communicate with each other.
Traffic on a VLANIF interface includes Layer 2 and Layer 3 traffic. If you run the shutdown
command in the VLANIF interface view, only Layer 3 traffic on the VLANIF interface is shut
down. In this case, if you run the display interface vlanif command for several times, the
command outputs show that the traffic on the VLANIF interface increases.
To shut down all traffic on a VLANIF interface, run the shutdown vlan command in the VLAN
view.
(Optional) Setting a Delay After Which a VLANIF Interface Goes Down

Setting a delay after which a VLANIF interface goes Down prevents network flapping caused
by changes of VLANIF interface status. This function is also called VLAN damping.
Context
If a VLAN goes Down because all ports in the VLAN go Down, the system immediately reports
the VLAN Down event to the corresponding VLANIF interface, instructing the VLANIF
interface to go Down.
To prevent network flapping caused by changes of VLANIF interface status, enable VLAN
damping on the VLANIF interface. After the last Up port in a VLAN goes Down, the system
starts a delay timer and informs the corresponding VLANIF interface of the VLAN Down event
after the timer expires. If a port in the VLAN goes Up during the delay period, the VLANIF
interface remains Up.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Issue 02 (2013-12-31)

1342

Equipment

Step 3 Run:
damping time delay-time
The delay for VLAN damping is set.

The delay-time value ranges from 0 to 20, in seconds. By default, the value is 0 seconds,
indicating that VLAN damping is disabled.
----End
(Optional) Configuring Bandwidth for a VLANIF Interface

After configuring bandwidth for VLANIF interfaces, you can use the NMS to query the
bandwidth. This facilitates traffic monitoring.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
bandwidth bandwidth
The VLANIF interface is configured with bandwidth.

By default, the bandwidth of a VLANIF interface is 1000 Mbit/s.
----End

After a VLANIF interface is configured for communication at the network layer, you can check
the IP address and status of a specified VLANIF interface.
Prerequisites
A VLANIF interface has been configured.
Procedure
l
Run the display interface vlanif [ vlan-id | main ] command to check the physical status,
link protocol status, description, and IP address of the VLANIF interface.
----End
Issue 02 (2013-12-31)

1343

Equipment
Example
Run the display interface vlanif command. The command output shows the physical status,
link protocol status, IP address, and mask of a VLANIF interface. For example:
<HUAWEI> display interface Vlanif 10
Vlanif1 current state : DOWN
Line protocol current state : DOWN
Description:HUAWEI, Vlanif1 Interface
IP Sending Frames" Format is PKTFMT_ETHNT_2, Hardware address is 3a9f-9783-7687
Physical is VLANIF
Input bandwidth utilization : -Output bandwidth utilization : --
5.4.4 Configuring Inter-VLAN Communication

Configuring inter-VLAN communication allows users in different VLANs to communicate with
each other.
Before You Start

Before configuring inter-VLAN communication, familiarize yourself with the usage scenario,
Currently, schemes listed in Table 5-13 are provided for inter-VLAN communication. You can
choose one of them based on the real world situation.
Issue 02 (2013-12-31)

1344

Equipment
Table 5-13 Schemes for inter-VLAN communication

Inter-VLAN
Communica
tion Scheme
Advantage
Disadvantage
Usage Scenario
Sub-interface
After sub-interfaces are

different VLANs and
communicate with
l Both Layer 2 and

Layer 3 devices are
required, which
increases
expenditure.
This scheme is
different network
segments.
After VLANIF
interfaces are
different VLANs and
communicate with
If multiple users on a
network belong to
different VLANs, each
VLAN requires a
VLANIF interface.
Each VLANIF interface
needs to be assigned an
IP address. This
increases the
configuration workload
and requires a lot of IP
addresses.
This scheme is
different network
segments and IP
addresses of these
users are seldom
changed.
IP addresses of users in
different VLANs must
belong to the same
network segment.
This scheme is
applicable to largescale networks on
which multiple users
belong to one network
segment.
VLANIF
interface
Inter-VLAN
communication can
also be implemented by
Layer 3 switches if
This scheme reduces
the operating costs.
VLAN
mapping
Issue 02 (2013-12-31)
This scheme is easy to

configure and does not
rely on routes.
l If multiple users on a
network belong to
different VLANs,
each VLAN requires
a sub-interface on a
Layer 3 device. Each
sub-interface needs
to be assigned an IP
address. This
increases
configuration
workload and
requires a large
number of IP
addresses.

If traffic is forwarded
mainly at Layer 3, use
sub-interfaces.
VLANs are configured
and both Layer 2 and
Layer 3 forwarding of
packets are involved,
use VLANIF
interfaces.
1345

Equipment
Before configuring inter-VLAN communication, create VLANs.
Data Preparation
To configure inter-VLAN communication, you need the following data.
No.
Data
Number of each Ethernet sub-interface, IP address and mask of the sub-interface,

and VLAN ID associated with the sub-interface
VLAN ID, VLANIF interface number, IP address and mask of the VLANIF
interface, and (optional) bandwidth of the VLANIF interface
(Optional) Port type, VLAN ID before mapping, and VLAN ID after mapping
Configuring Sub-interfaces for Inter-VLAN Communication

If users belong to different VLANs and reside on different network segments, sub-interfaces can
be created on a ATN and assigned IP addresses to allow these users to communicate with each
other at the network layer.
Context
During communication at the data link layer on a LAN, source MAC addresses identify where
data comes from, and destination MAC addresses guide data to destinations. If the source and
destination PCs reside on different network segments, a Layer 2 network is unable to send data
from the source to the destination. In this case, data has to be forwarded at the network layer 3.
After the default gateway address of the switch is specified as the IP address of the ATN, the
switch sends data that needs to be forwarded at the network layer to the ATN. After receiving
a packet, the ATN searches its routing table according to the destination address in the packet.
If the ATN finds a matching route in the routing table, the ATN directly forwards the packet to
another network segment. If the ATN does not find any matching route, it discards the packet.
On the network shown in Figure 5-12, VLANs 2 to n belong to different network segments. To
allow users in VLANs 2 to n to communicate with each other, you can create a sub-interface on
the ATN for each VLAN and assign an IP address to each sub-interface. After VLANs are
configured, the switch is logically divided into n parts. Accordingly, the ATN must have n logical
interfaces corresponding to n VLANs. The detailed implementation process is as follows:
1.
A PC in VLAN 2 checks the destination IP address and finds that the destination PC in
VLAN n is on a different network segment.
2.
The PC in VLAN 2 sends an ARP request. After receiving the request, the ATN considers
itself the destination, translates its MAC address into an IP address, and sends an ARP reply
to the PC in VLAN 2.
3.
After receiving data from the PC in VLAN 2, the Layer 2 switch adds a VLAN tag to the
data and searches the MAC address table for an outbound port.
4.
The ATN receives the frame and sends it to sub-interface 2.
Issue 02 (2013-12-31)

1346

Equipment
5.
Sub-interface 2 removes the VLAN tag from the frame, searches for an ARP entry based
on the IP address in the IP header, and forwards the packet at the network layer.
6.
Sub-interface n receives the packet, reencapsulates the packet with the VLAN ID of n and
the destination MAC address of the MAC address of the destination PC, and sends the
frame.
7.
After receiving the frame, the Layer 2 switch searches the MAC address table for the
destination MAC address based on the VLAN ID carried in the packet to determine the
outbound port.
8.
The PC in VLAN n receives the frame from VLAN 2.

If a PC in VLAN n sends a packet to a PC in VLAN 2, the process is similar and not
described in this document.
Figure 5-12 Networking diagram for configuring sub-interfaces for inter-VLAN

communication
ATN
GE0/2/1.2
IP Address:x.x.x.x/x
GE0/2/1.n
IP Address:x.x.x.x/x
Trunk
Switch
Access port
VLAN2
VLANn
On the network shown in Figure 5-12, downstream ports on the switch are separately added to
VLAN 2 to VLAN n. The configuration roadmap for communication between these VLANs is
as follows:
1.
Create n-1 sub-interfaces on the Etherent interface connecting the ATN to the switch.
2.
The sub-interface is associated with a VLAN.
3.
Assign an IP address to each sub-interface for communication at the network layer.
4.
Configure the port connecting the switch to the ATN as a trunk or hybrid port to allow
frames with VLAN IDs from 2 to n to pass through.
NOTE
The default gateway address of each PC in a VLAN must be the IP address of the corresponding subinterface. Otherwise, inter-VLAN communication fails.
Issue 02 (2013-12-31)

1347

Equipment
Procedure
l

1.
Run:
system-view

2.
Run:
interface { ethernet | gigabitethernet } interface-number.subinterfacenumber
An Ethernet sub-interface is created and the view of the Ethernet sub-interface is

displayed.
The Ethernet interface in this step is the interface connecting the ATN to the switch.
3.
Run:
The sub-interface is associated with a VLAN.

NOTE
Sub-interfaces of different interfaces can be associated with the same VLAN; sub-interfaces
of one interface cannot be associated with the same VLAN.
4.
Run:
An IP address is assigned to the sub-interface for communication at the network layer.

l
Perform the following steps on the switch:

Configure VLANs. For details, see 5.4.2 Dividing a LAN into VLANs.
----End
Configuring VLANIF Interfaces for Inter-VLAN Communication

Configuring VLANIF interfaces for inter-VLAN communication saves expenditure and helps
implement fast forwarding.
Context
VLAIF interfaces are Layer 3 logical interfaces. After being assigned IP addresses, VLANIF
interfaces are able to communicate at the network layer. Layer 3 switches and routers can be
configured with VLANIF interfaces.
By using VLANIF interfaces to implement inter-VLAN communication, you need to configure
a VLANIF interface for each VLAN and assign an IP address to each VLANIF interface. The
communication process by using VLANIF interfaces is similar to that by using sub-interfaces.
NOTE
The default gateway address of each PC in a VLAN must be the IP address of the corresponding VLANIF
interface. Otherwise, inter-VLAN communication will fail.
Issue 02 (2013-12-31)

1348

Equipment
Procedure
Step 1 Run:
system-view

Step 2 Run:
A VLANIF interface is created and the VLAIF interface view is displayed.

NOTE
A VLANIF interface is Up only when at least one physical port added to the corresponding VLAN is Up.
Step 3 Run:
An IP address is assigned to the VLANIF interface.

VLANIF interfaces must belong to different network segments.
----End
Configuring VLAN Mapping for Inter-VLAN Communication

The configuration of VLAN mapping is simple and independent of Layer 3 routing.
Context
VLAN mapping is also called VLAN translation. With VLAN mapping, a switch maps the
VLAN tag of a frame to another VLAN tag after receiving the frame and before sending the
frame. On the network shown in Figure 5-13, ports connecting CE 1 to users are added to VLAN
2 and ports connecting CE 2 to users are added to VLAN 3. To allow users in VLAN 2 and
VLAN 3 to communicate with each other, configure VLAN mapping on GE1 connecting CE 1
to CE 2.
l
Before sending a frame to VLAN 3, GE1 on CE 1 replaces the VLAN ID 2 in the frame
with the VLAN ID 3.
After receiving a frame from VLAN 3, GE1 on CE 1 replaces the VLAN ID 3 in the frame
with the VLAN ID 2.
Issue 02 (2013-12-31)

1349

Equipment
Figure 5-13 Networking diagram for configuring VLAN mapping for inter-VLAN
communication
VLAN2
VLAN3
CE1
GE1
172.16.0.1/16
CE2
172.16.0.7/16
NOTE
Before configuring VLAN mapping to allow PCs in two VLANs to communicate, IP addresses of the PCs
must belong to the same network segment. Otherwise, devices in different VLANs must communicate with
each other at the network layer. In this case, VLAN mapping does not make sense.
Currently, the ATN supports the following mapping modes:

l
1 to 1 VLAN mapping
After receiving a single-tagged frame, the device replaces the tag with a specified tag.
Procedure
Step 1 Run:
system-view

Step 2 Add ports connecting CE 1 and CE 2 to users to separate VLANs.
Step 3 Configure the Layer 2 port type.
1.
Run the interface interface-ytpe interface-number command to enter the view of an

Ethernet port to be configured with VLAN mapping.
2.
Run the port link-type trunk command to configure the Layer 2 Ethernet port as a trunk
port.
By default, the port type is hybrid.
Step 4 Configure VLAN mapping.

l 1 to 1 VLAN mapping
Issue 02 (2013-12-31)

1350

Equipment
To map the tag of a single-tagged frame to a specified tag, run the port vlan-mapping
vlan vlan-id1 map-vlan vlan-id2 [ remark-8021p 8021p-value3 ] command.
----End

After inter-VLAN communication is configured, you can check whether users in different
VLANs can communicate with each other and check information about VLANs to which users
belong.
Prerequisites
Inter-VLAN communication has been configured.
Procedure
l
Run the ping [ ip ] [ -a source-ip-address | -c count | -d | -f | -h ttl-value | -i interfacetype interface-number | -m time | -n | -p pattern | -q | -r | -s packetsize | -system-time | -t
timeout | -tos tos-value | -v | -vpn-instance vpn-instance-name ] * host command to check
whether users in different VLANs can communicate with each other.
If the ping fails, you can run the following commands to locate the fault:
Run the display interface vlanif [ vlan-id | main ] command to check information about
VLANIF interfaces.
Before running this command, ensure that VLANIF interfaces have been configured.
----End
Example
Check whether the PC at 10.1.1.2 is reachable.
<HUAWEI> ping 10.1.1.2
0.00% packet loss
ms
ms
ms
ms
ms
If the ping fails, you can run the following commands to locate the fault:
l
Run the display vlan command. The command output shows the VLAN ID, VLAN type,
and VLAN status. For example:
VLAN ID Type
Status
MAC Learning Broadcast/Multicast/Unicast
Property
------------------------------------------------------------------------------
Issue 02 (2013-12-31)

1351

Equipment
-10
20
common
common
enable
enable
enable
enable
forward
forward
forward
forward
forward default
forward default
Run the display interface vlanif command. The command output shows the physical
status, link protocol status, IP address, and mask of a VLANIF interface. For example:
<HUAWEI> display interface Vlanif 10
Vlanif1 current state :
DOWN
Line protocol current state :
DOWN
Description:HUAWEI, Vlanif1
Interface
Route Port,The Maximum Transmit Unit is
1500
Internet protocol processing :
disabled
IP Sending Frames" Format is PKTFMT_ETHNT_2, Hardware address is
3a9f-9783-7687
Physical is
VLANIF
Current system time: 2000-05-11
09:02:49
Last 300 seconds input rate 0 bits/sec, 0 packets/
sec
Last 300 seconds output rate 0 bits/sec, 0 packets/
sec
Realtime 97 seconds input rate 0 bits/sec, 0 packets/
sec
Realtime 97 seconds output rate 0 bits/sec, 0 packets/
sec
Input: 0 packets,0
bytes
Output:0 packets,0
bytes
-Output bandwidth utilization :
--
5.4.5 Configuring VLAN Security Attributes

Configuring VLAN security attributes ensures reliable transmission of user package. Currently,
the ATN supports several security attributes. You can configure security attributes as required.
Before You Start

Before configuring VLAN security attributes, familiarize yourself with the usage scenario,
Table 5-14 lists VLAN security attribute schemes.
Issue 02 (2013-12-31)

1352

Equipment
Table 5-14 Security schemes for VLANs
Issue 02 (2013-12-31)
Securit
y
Schem
e
Description
Advantage
Disadvantage
Usage
Scenario
Disabli
ng a
port
from
broadca
sting
packets
to other
ports in
the
same
VLAN
If a port in a
VLAN receives
broadcast or
unknown unicast
packets, it will
broadcast the
packets to other
ports in the
VLAN. If the
broadcast or
unknown unicast
packets are attack
packets, system
resources are
wasted and device
performance
deteriorates or
even the device
malfunctions.
Disabling the port
from broadcasting
packets to other
ports in the VLAN
prevents such
malicious attacks.
This security
scheme is
applicable to
topology-stable
networks or
networks on
which MAC
addresses are
configured and
forwarding
paths are
specified.

1353

Equipment
Securit
y
Schem
e
Description
Advantage
Disadvantage
Usage
Scenario
Disabli
ng
MAC
address
learning
in a
VLAN
l If a device has
only one
inbound port
and one
outbound port,
MAC address
learning in a
VLAN can be
disabled.
l MAC address
entries are
saved.

requires that the
network has fixed
users and forwarding
paths have been
established by using
dynamic MAC
address learning or
by manually
configuring MAC
addresses.
This security
scheme is
applicable to
topology-stable
networks or
networks on
which MAC
addresses are
configured and
forwarding
paths are
specified.
l This security
scheme is
applicable to
networks that
do not provide
access for new
users.
l Security is
enhanced
because new
users are not
allowed to
access the
network.
users are connected
to a switch, each user
needs to be
configured a static
forwarding path.
This imposes a heavy
configuration burden
on network
administrators.
prohibits new users
from accessing the
network.
Before configuring VLAN security attributes, create VLANs.
Data Preparation
To configure VLAN security attributes, you need the following data.
No.
Data
VLAN ID and (optional) VLAN name
Disabling a Port from Broadcasting Packets to Other Ports in the Same VLAN
Disabling a port from broadcasting packets to other ports in the same VLAN prevents malicious
attacks and improves network security.
Issue 02 (2013-12-31)

1354

Equipment
Context
If a port in a VLAN receives broadcast or unknown unicast packets, it will broadcast the packets
to other ports in the VLAN. If the broadcast or unknown unicast packets are attack packets,
system resources are wasted and device performance deteriorates or even the device
malfunctions. Disabling the port from broadcasting packets to other ports in the VLAN prevents
such malicious attacks.
This security scheme is applicable to topology-stable networks or networks on which MAC
addresses are configured and forwarding paths are specified.
Procedure
Step 1 Run:
system-view

Step 2 Run:
vlan vlan-id
The VLAN view is displayed.

NOTE
If a device is configured with multiple VLANs, do as follows to configure a name for each VLAN:
Step 3 Run:
broadcast discard
The port is disabled from broadcasting packets to other ports in the same VLAN.
By default, a port can broadcast packets to other ports in the same VLAN.
----End
Disabling MAC Address Learning in a VLAN

If a device has only one inbound port and one outbound port, or the network topology is stable,
MAC address learning in a VLAN can be disabled.
Procedure
Step 1 Run:
system-view

Step 2 Run:
vlan vlan-id

Issue 02 (2013-12-31)

1355

Equipment
NOTE
Step 3 Run:
mac-address learning disable
MAC address learning in a VLAN is disabled.

By default, MAC address learning is enabled in a VLAN.
----End
Follow-up Procedure
After MAC address learning in a VLAN is disabled, to guarantee high forwarding efficiency,
do as follows:
l
Limit the number of MAC addresses in the MAC address table.
Select an action to be taken when the number of MAC addresses exceeds the upper
threshold, such as discard, forward, or alarm.

After VLAN security attributes are configured, you can check whether a VLAN is enabled with
the broadcast function and the MAC address learning function.
Prerequisites
VLAN security attributes have been configured.
Procedure
l
----End
Example
Run the display vlan command. The command output shows that VLANs have been enabled
with the broadcast function and the MAC address learning function. For example:
VLAN ID Type
Status
-------------------------------------------------------------------------------10
common
enable
enable
forward
forward
forward default
20
common
enable
enable
forward
forward
forward default
30
common
enable
enable
forward
forward
forward default
40
common
enable
enable
forward
forward
forward default
5.4.6 Configuring VLAN Aggregation to Save IP Addresses

VLAN aggregation prevents the waste of IP addresses and implements inter-VLAN
communication.
Issue 02 (2013-12-31)

1356

Equipment
Before You Start

Before configuring VLAN aggregation, familiarize yourself with the usage scenario, complete
As networks expand, address resources become insufficient. VLAN aggregation is developed
to save IP addresses.
In VLAN aggregation, one super-VLAN is associated with multiple sub-VLANs. Physical ports
cannot join a super-VLAN but a VLANIF interface can be created for the super-VLAN and an
IP address can be assigned to the VLANIF interface. Physical ports can join a sub-VLAN but
no VLANIF interface can be created for the sub-VLAN. All the ports in the sub-VLAN use the
same IP address with the VLANIF interface of the super-VLAN. This saves subnet IDs, default
gateway addresses of the subnets, and directed broadcast addresses of the subnets. In addition,
different broadcast domains can use the addresses in the same subnet segment. As a result, subnet
differences are eliminated, addressing becomes flexible, and the number of idle addresses is
reduced. VLAN aggregation allows each sub-VLAN to function as a broadcast domain and
reduces the waste of IP addresses to be assigned to ordinary VLANs.
Figure 5-14 shows the typical VLAN aggregation networking.
Figure 5-14 Typical networking diagram for VLAN aggregation
PE
Super
VLAN4
CE1
CE2
Sub-VLAN 2
Sub-VLAN 3
Before configuring VLAN aggregation, connect ports and configuring physical parameters of
the ports, ensuring that the ports are physically Up.
Issue 02 (2013-12-31)

1357

Equipment
Data Preparation
To configure VLAN aggregation, you need the following data.
No.
Data
ID of each sub-VLAN and number of each port belonging to the sub-VLAN and
(optional) VLAN name of each sub-VLAN
ID of a super-VLAN
IP address and mask of a VLANIF interface
Creating a Sub-VLAN
Each sub-VLAN functions as a broadcast domain.
Procedure
Step 1 Run:
system-view

Step 2 Run:
vlan vlan-id
A sub-VLAN is created and the sub-VLAN view is displayed.

NOTE
Step 3 Run:
port interface-type { interface-number1 [ to interface-number2 ] } &<1-10>
A port is added to the sub-VLAN.

----End
Creating a Super-VLAN
A super-VLAN consists of several sub-VLANs. No physical port can be added to a super-VLAN,
but a VLANIF interface can be configured for the super-VLAN and an IP address can be assigned
to the VLANIF interface.
Context
NOTE
Before configuring a super-VLAN, ensure that sub-VLANs have been configured.
Issue 02 (2013-12-31)

1358

Equipment
Procedure
Step 1 Run:
system-view

Step 2 Run:
vlan vlan-id
A VLAN is created, and the VLAN view is displayed.

The VLAN ID of a super-VLAN must be different from every sub-VLAN ID.
Step 3 Run:
aggregate-vlan
A super-VLAN is created.
Using the undo aggregate-vlan command in the VLAN view changes a super-VLAN to a subVLAN.
Step 4 Run:
access-vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
A sub-VLAN is added to a super-VLAN.

Only sub-VLANs can be added to a super-VLAN. Before adding sub-VLANs to a super-VLAN
in batches, ensure that these sub-VLANs are not configured with VLANIF interfaces.
----End
Assigning an IP Address to the VLANIF Interface of a Super-VLAN

The IP address of the VLANIF interface of a super-VLAN must contain the subnet segments
where users in sub-VLANs reside. All the sub-VLANs use the IP address of the VLANIF
interface of the super-VLAN, therefore saving IP addresses.
Procedure
Step 1 Run:
system-view

Step 2 Run:
A VLANIF interface is created for a super-VLAN, and the view of the VLANIF interface is
displayed.
Step 3 Run:
An IP address is assigned to the VLANIF interface.

----End
Issue 02 (2013-12-31)

1359

Equipment
(Optional) Enabling Proxy ARP on the VLANIF Interface of a Super-VLAN

PCs in different sub-VLANs cannot directly communicate with each other in Layer2 network.
To allow these PCs to communicate with each other at Layer 3, enable proxy ARP on the
VLANIF interface of the super-VLAN.
Context
VLAN aggregation allows sub-VLANs to use the same subnet address, but prevents PCs in
different sub-VLANs from communicating with each other at the network layer.
PCs in ordinary VLANs can communicate with each other at the network layer by using different
gateway addresses. In VLAN aggregation, PCs in a super-VLAN use the same subnet address
and gateway address. As PCs in different sub-VLANs belong to one subnet, they communicate
with each other only at Layer 2, not Layer 3. These PCs are isolated from each other at Layer
2. Consequently, PCs in different sub-VLANs cannot communicate with each other.
Proxy ARP is required to enable PCs in a sub-VLAN to communicate with PCs in another subVLAN or PCs on other networks. After a super-VLAN and its VLANIF interface are created,
proxy ARP must be enabled to allow the super-VLAN to forward or process ARP request and
reply packets. Proxy ARP helps PCs in sub-VLANs communicate with each other at the network
layer.
NOTE
An IP address must have been assigned to the VLANIF interface corresponding to the super-VLAN.
Otherwise, proxy ARP cannot take effect.
VLAN aggregation simplifies configurations for the network where many VLANs are
configured and PCs in different VLANs need to communicate with each other.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The view of the VLANIF interface of the super-VLAN is displayed.

Step 3 Run:
arp-proxy inter-sub-vlan-proxy enable
Inter-sub-VLAN proxy ARP is enabled.

----End

After VLAN aggregation is configured, you can view VLAN types and information about
VLANIF interfaces, such as the physical status, link protocol status, IP address, and mask.
Issue 02 (2013-12-31)

1360

Equipment
Prerequisites
The VLAN aggregation has been configured.
Procedure
l
Run the display vlan [ vlan-id [ verbose ] ] command to check VLAN information.
Run the display interface vlanif [ vlan-id | main ] command to check information about
a specific VLANIF interface.
Run the display sub-vlan command to check mappings between sub-VLANs and superVLANs.
Run the display super-vlan command to check sub-VLANs contained in a super-VLAN.
----End
Example
Run the display vlan verbose command. The command output shows the VLAN type. For
example:
<HUAWEI> display vlan 40 verbose
VLAN ID
: 40
VLAN Name
:
VLAN Type
: Super
Description
: VLAN 0040
Status
: Enable
Broadcast
: Enable
MAC Learning
: Enable
Smart MAC Learning
: Disable
Current MAC Learning Result : Enable
Statistics
: Disable
Property
: Default
VLAN State
: Down
--------------------Sub-VLAN list: 2-3
Run the display interface vlanif command. The command output shows the physical status,
link protocol status, IP address, and mask of a VLANIF interface. For example:
<HUAWEI> display interface vlanif 2
Vlanif1 current state : UP
Description:HUAWEI, Vlanif1 Interface
IP Sending Frames" Format is PKTFMT_ETHNT_2, Hardware address is 3a9f-9783-7687
Physical is VLANIF
Input bandwidth utilization : -Output bandwidth utilization : --
Run the display sub-vlan command. The command output shows mappings between subVLANs and super-VLANs.
<HUAWEI> display sub-vlan
Issue 02 (2013-12-31)

1361

Equipment
VLAN ID
Super-VLAN
----------------------------10
40
20
40
30
40
Run the display super-vlan command. The command output shows sub-VLANs contained in
a super-VLAN.
<HUAWEI> display super-vlan
VLAN ID
Sub-VLAN
-------------------------40
10 20 30
5.4.7 Configuring VLAN Policy-based VPN Access

VLAN policy-based VPN access allows VLLs, VSIs, or VPN instances to transmit separate
services.
Before You Start

Before configuring VLAN policy-based VPN access, familiarize yourself with the usage
On a Metro Ethernet (ME) network, VLAN IDs are used to identify various services or user
packets before them access to various VSIs, VLLs, or VPN instances. If multiple types of
services share one VLAN ID, as shown in Figure 5-15, services cannot be differentiated merely
by using VLAN IDs. As a result, part of high-priority traffic over the operator's network cannot
be scheduled in time, which deteriorates users' experience.
Figure 5-15 Networking diagram for multiple types of services sharing one VLAN ID
BTV VOD
Platform
SR
UPE
HSI
VoIP
PW1
ATNA
PW2
IPTV
VLAN 10
Video
Internet
BRAS
Data flow1
Data flow2
It is required that the UPE be able to identify VLAN IDs carried in frames and parse priorities
of the frames. The UPE sends frames to different PWs based on the VLAN IDs and priorities
of the frames. In this manner, frames with high priorities can be scheduled in time.
Issue 02 (2013-12-31)

1362

Equipment
Before configuring VLAN policy-based VPN access, ensure that the UPE receives only
untagged or single-tagged frames.
Data Preparation
To configure VLAN policy-based VPN access, you need the following data.
No.
Data
802.1p priority value
Number of the interface connecting the UPE to users and IP address of this
interface
l Data for configuring an L2VPN, including:
VSI ID (Two ends of a PW must be configured with the same VSI ID.)
MPLS LSR ID
VSI name
l Data for configuring an L3VPN, including:
VPN instance name and RD
VPN target
AS number of the UPE
IP address and interface by which the UPE establishes a BGP peer
relationship
Mode for the UPE and switch to exchange routing information: static
routes, Routing Information Protocol (RIP), Open Shortest Path First
(OSPF), Intermediate System to Intermediate System (IS-IS), or Border
Gateway Protocol (BGP)
(Optional) Description of the VPN instance
(Optional) Routing policy for sending and receiving VPN routing
information
(Optional) Tunnel policy
(Optional) Maximum number of routes allowed by the VPN instance
Configuring a VLAN Policy

VLAN policies refer to VLAN+802.1p policies. With VLAN policies, a device can send services
to corresponding VLLs, VSIs, or VPN instances. In this manner, Different types of services are
transmitted in separate VLLs, VSIs, or VPN instances.
Context
If non-IP services are transmitted between the Base Transceiver Station (BTS) and the CSG,
either of the following policies can be configured:
Issue 02 (2013-12-31)

1363

Equipment
VLAN+802.1p
On the network shown in Figure 5-16, Asynchronous Transfer Mode (ATM) or Time
Division Multiplex (TDM) links interconnect the BTS and CSG, and the Mobile
Aggregation Site Gateway (MASG) and Base Station Controller (BSC). To transmit ATM
services from the BTS to the remote BSC, you need to configure PWE3 between the CSG
and the MASG to transparently transmit ATM cells.
Figure 5-16 uses the VLAN+802.1p-based L2VPN access as an example. The process for
VLAN+802.1p-based L3VPN access is similar and not described in this document.
Figure 5-16 Networking diagram for VLAN+802.1p-based L2VPN access
PWE3
Signal
xDSL
Voice
Manage
Data
BTS
CSG
IP/Eth
IP DSLAM
PE1
IP/Eth
VSI
VSI
VSI
VSI
PE2
MASG
BSC
PE4
PE3
Per Service Per VSI

ATM/TDM
Ethernet
Ethernet
over VSI
Ethernet ATM/TDM
Procedure
Step 1 Run:
system-view

Step 2 Run:
interface { ethernet | gigabitethernet } interface-number.subinterface-number
The view of an Ethernet sub-interface connecting PE 1 to users is displayed.

Step 3 Run:
vlan-type dot1q vlanid { 8021p { 8021p-value1 [ to 8021p-value2 ] } &<1-10>
default }
A VLAN policy is configured on the sub-interface for dot1q VLAN tag termination.
NOTE
If the sub-interfaces of one interface are configured with the same VLAN ID, only one type of VLAN
policies (VLAN+802.1p) can be configured on these sub-interfaces.
A VLAN ID can be assigned to a maximum of eight sub-interfaces.
l If the default parameter is configured, all the services that do not match any VLAN policy
will be processed by the default sub-interface.
l If the vlan-type dot1q command has been used in the view of an Ethernet sub-interface, the
sub-interface exclusively uses this VLAN, and the VLAN ID can no longer be configured
in any VLAN policy for other sub-interfaces.
l If the undo vlan-type dot1q command is used with a specified VLAN ID and an 802.1p
priority value only the specified VLAN policy associated with this VLAN ID is deleted from
Issue 02 (2013-12-31)

1364

Equipment
the sub-interface. If the undo vlan-type dot1q vlanid command is used with a specified
VLAN ID but not an 802.1p priority value, all VLAN policies associated with this VLAN
ID are deleted from the sub-interface.
----End
Configuring a VPN
After a VLAN matching policy is configured, you need to configure a VPN so that users over
an L2VPN and an L3VPN can communicate with each other.
Procedure
Step 1 Run:
system-view

Step 2 Run:
interface { ethernet | gigabitethernet } interface-number.subinterface-number
The view of an Ethernet sub-interface to be configured with a VLAN policy is displayed.

Step 3 Configure the VPN service.
Deploy one of the following services as required:
l L2VPN
For detailed information, see the chapters "VLL Configuration", "PWE3 Configuration", and
"VPLS Configuration" in the Configuration Guide - VPN.
l L3VPN
For detailed information, see the chapter "BGP MPLS IP VPN Configuration" in the
Configuration Guide - VPN.
----End

After VLAN policy-based VPN access is configured, you can check information about subinterfaces with the same VLAN ID on an interface.
Prerequisites
VLAN policy-based VPN access has been configured.
Procedure
l
Run the display interface interface-type interface-number vlan { vlan-id | untagged }

command to check VLAN policies configured for sub-interfaces with a specified VLAN
ID or without VLAN IDs.
----End
Issue 02 (2013-12-31)

1365

Equipment
Example
Run the display interface vlan command. The command output shows VLAN policies
configured for sub-interfaces on an interface with a specified VLAN ID. For example:
<HUAWEI> display interface gigabitethernet0/2/1 vlan 1
Sub-Interface VlanPolicy
----------------------------------------------------------GE0/2/1.1
8021p 1 3 to 7
GE0/2/1.2
default
----------------------------------------------------------Interface:GE0/2/1 VLAN ID: 1 Sub-Interface num: 2
5.4.8 Configuring Interface Isolation in a VLAN

After interface isolation in a VLAN is configured, interfaces in the VLAN cannot communicate
with each other. To have isolated interfaces communicate with each other, you need to configure
ARP proxy in the VLAN. In this manner, you can monitor traffic in the VLAN at Layer 3.
Before You Start

Before configuring interface isolation in a VLAN, familiarize yourself with the applicable
environment, pre-configuration tasks, and required data. This can help you complete the
When some interfaces are limited not to connect directly, you can configure the interface
isolation in a VLAN.
When the interfaces isolated in a VLAN need to connect, the connection must be implemented
through the layer 3 route. In this way, the users in a VLAN can be managed and controlled
flexibly.
Before configuring the interface isolation in VLAN, complete the configuration of VLAN based
on the interface.
Data Preparation
To configure the interface isolation in VLAN, you need the following data.
Issue 02 (2013-12-31)
No.
Data
VLAN number
Numbers of interfaces that need to be isolated in a VLAN
IP addresses and sub net masks of the VLANIF interfaces

1366

Equipment
Configuring Interface Isolation in a VLAN

Isolated interfaces in a VLAN cannot communicate with each other, but can communicate with
non-isolated interfaces.
Context
The device provides the following two methods of isolating the interfaces in a VLAN:
l
Enabling the interface isolation state in a VLAN.
Configuring the interfaces that need to be isolated in the VLAN view.
You can choose one of the following methods as required:
Procedure
l
Enabling the Ethernet interface Isolation

1.
Run:
system-view

2.
Run:
interface { ethernet | gigabitethernet | eth-trunk } interface-number
The specified Ethernet interface view is displayed.

3.
Run:
portswitch
The interface is set to the switched interface.

4.
Run:
port default vlan vlan-id
The default VLAN to which the port belongs is configured.

5.
Run:
port isolate-state enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
The interface isolation is enabled in a VLAN.

When this command is run, the VLAN should include this interface.
l
Configuring the Interface Isolation in the VLAN View

1.
Run:
system-view

2.
Run:
vlan vlan-id

3.
Run:
port isolate { { interface-type interface-number} &<1-10> | all }
The interfaces that need to be isolated are configured in a VLAN.

----End
Issue 02 (2013-12-31)

1367

Equipment
Enabling ARP Proxy in a VLAN

To have isolated interfaces in a VLAN communicate with each other, you must create a VLANIF
interface and enable ARP proxy in the VLAN.
Context
Perform the following steps on the devices:
Procedure
Step 1 Run:
system-view

Step 2 Run:
The VLANIF interface is created.

Step 3 Run:
The IP addresses are configured for the VLANIF interfaces.

The IP addresses of the VLANIF interfaces and those of the hosts in the VLAN are on the same
network segment.
The IP addresses of different VLANIF interfaces should be on the different network segments,
so that there are reachable routes between the users in different VLANs.
Step 4 Run:
arp-proxy inner-sub-vlan-proxy enable
The ARP proxy is enabled in a VLAN.

----End
5.4.9 Maintaining VLAN

A command of clearing statistics helps to locate the faults in a VLAN.
Clearing the Statistics of VLAN Packets

Before collecting traffic statistics in a specified time period on an interface, you need to reset
the original statistics on the interface.
Issue 02 (2013-12-31)

1368

Equipment
Context
NOTICE
Statistics about VLAN packets cannot be restored after you clear it. So, confirm the action before
you use the command.
To clear the Statistics of VLAN Packets, run the following reset command in the user view:
Procedure
l
Run the reset vlan statistics [ vid ] vlan-id command to clear packets of a specified VLAN
statistics.
Run the reset vlan statistics interface interface-type interface-number.subinterfacenumber command to clear the VLAN packets on a specified sub-interface statistics.
----End

This section describes the typical application scenarios of VLANs, including networking
files.
Example for Dividing a LAN into VLANs Based on Ports

It is easy to divide a LAN into VLANs based on ports. After ports are added to different VLANs,
users in the same VLAN can directly communicate with each other, whereas users in different
VLANs cannot directly communicate with each other.
It is required that on the network shown in Figure 5-17, employees in the same group be able
to communicate with each other, whereas employees in different groups not communicate with
each other.
Issue 02 (2013-12-31)

1369

Equipment
Figure 5-17 Networking diagram for dividing a LAN into VLANs based on ports
ATN
GE 0/2/0
GE 0/2/3
GE 0/2/1
GE 0/2/2
Group 1
VLAN 2
Group 2
VLAN 3
1.
Create VLANs and determine mappings between employees and VLANs.
2.
Configure port types to determine the device connected to each port.
3.
Add the port connected to group 1 to VLAN 2 and the port connected to group 2 to VLAN
3 to prevent employees in group 1 from communicating with employees in group 2.
Data Preparation
l
Number of each port connecting a switch to a PC
ID of each VLAN
Procedure
Step 1 Create VLANs.
[ATNA] vlan batch 2 3
Step 2 Configure port types.

[ATNA] interface GigabitEthernet 0/2/0
[ATNA-GigabitEthernet0/2/0] portswitch
[ATNA-GigabitEthernet0/2/0] port link-type access
Issue 02 (2013-12-31)

1370

Equipment

Step 3 Add ports to VLANs.

# Add GE 0/2/0 and GE 0/2/1 to VLAN 2.
[ATNA] vlan 2
[ATNA-vlan2] port GigabitEthernet 0/2/0 to 0/2/1
[ATNA-vlan2] quit
# Add GE 0/2/2 and GE 0/2/3 to VLAN 3.

[Switch] vlan 3
[ATNA-vlan3] port GigabitEthernet 0/2/2 to 0/2/3
[SATNA-vlan3]quit

After the configurations are complete, run the display vlan command to view the VLAN status.
[ATNA] display vlan
VLAN ID Type
Status
-------------------------------------------------------------------------------2
common
enable
enable
forward
forward
forward default
3
common
enable
enable
forward
forward
forward default
Ping a PC in group 2 from a PC in group 1. The ping fails. PCs in the same group can ping each
other successfully.
----End
Configuration Files
#
sysname ATNA
#
vlan batch 2 3
#
portswitch
port link-type access
port default vlan 2
#
portswitch
port default vlan 2
#
portswitch
port default vlan 3
#
portswitch
port default vlan 3
#
Issue 02 (2013-12-31)

1371

Equipment
return
Example for Configuring Inter-VLAN Communication by Using VLANIF

Interfaces
On the network shown in Figure 5-18, users in NodeB1 to NodeB4 belong to different VLANs
in different network segments but require the same online service. It is required that these users
communicate with each other at a low operating cost.
Figure 5-18 Networking diagram for configuring inter-VLAN communication by using
VLANIF interfaces
VLANIF30: 10.110.3.3/24
VALNIF40: 10.110.4.3/24
GE0/2/1
GE0/2/3
PE
VLANIF10: 10.110.5.3/24
VALNIF20: 10.110.6.3/24
GE0/2/2
GE0/2/3
CE1
GE0/2/1
VLAN 40
10.110.4.0/24
GE0/2/2
VLAN 30
10.110.3.0/24
CE2
GE0/2/1
GE0/2/2
VLAN 20
10.110.6.0/24
VLAN 10
10.110.5.0/24
1.
Create VLANs on CEs and determine mappings between users and VLANs.
2.
Configure trunk ports on switches to allow frames with certain VLAN IDs to pass through.
3.
Create VLANIF interfaces on the PE and assign IP addresses to the interfaces to allow
Layer 3 communication.
NOTE
The default gateway address of each PC in a VLAN must be the IP address of the corresponding VLANIF
interface. Otherwise, inter-VLAN communication will fail.
Data Preparation
l
User VLAN ID
User IP address
Number of each port connecting a CE to a PC
Issue 02 (2013-12-31)

1372

Equipment
Number of the ports interconnecting switches
Number and IP address of each VLANIF interface on the PE
Procedure
Step 1 Create VLANs on CE 1 and CE 2.
# Configure CE 1.
[CE1] vlan batch 30 40
[CE1-GigabitEthernet0/2/1] port link-type access
[CE1-GigabitEthernet0/2/1] port default vlan 30
# Configure CE 2.
[CE2] vlan batch 10 20
Step 2 Configure trunk ports on CE 1 and CE 2 to allow frames with certain VLAN IDs to pass through.
# Configure CE 1.
[CE1-GigabitEthernet0/2/3] port trunk allow-pass vlan 30 40
# Configure CE 2.
[CE2-GigabitEthernet0/2/3] port trunk allow-pass vlan 10 20
Step 3 Create VLANIF interfaces on PE and assign IP addresses to the VLANIF interfaces.
Issue 02 (2013-12-31)

1373

Equipment
[HUAWEI] sysname PE
[PE] vlan batch 10 to 40
[PE] interface gigabitethernet 0/2/1
[PE-GigabitEthernet0/2/1] portswitch
[PE-GigabitEthernet0/2/1] undo shutdown
[PE-GigabitEthernet0/2/1] port link-type trunk
[PE-GigabitEthernet0/2/1] port trunk allow-pass vlan 30 40
[PE-GigabitEthernet0/2/1] quit
[PE] interface gigabitethernet 0/2/2
[PE-GigabitEthernet0/2/2] port link-type trunk
[PE-GigabitEthernet0/2/2] port trunk allow-pass vlan 10 20
[PE-GigabitEthernet0/2/2] quit
[PE] interface Vlanif 10
[PE-Vlanif10]ip address 10.110.5.3 24
[PE-Vlanif10]quit
[PE-Vlanif20]quit
[PE-Vlanif30]quit
[PE-Vlanif40]quit

On PCs in VLAN 10, configure the IP address 10.110.6.3/24 of VLANIF 10 as the default
gateway address.
gateway address.
gateway address.
gateway address.
After the configurations, PCs in VLANs 10, 20, 30, and 40 can ping each other successfully.
----End
Configuration Files
l
Configuration file of CE 1
#
sysname CE1
#
vlan batch 30 40
#
portswitch
undo shutdown
#
portswitch
undo shutdown
#
Issue 02 (2013-12-31)

1374

Equipment
portswitch
undo shutdown
port link-type trunk
port trunk allow-pass vlan 30 40
#
return
#
sysname CE2
#
vlan batch 10 20
#
portswitch
undo shutdown
#
portswitch
undo shutdown
#
portswitch
undo shutdown
#
return
Configuration file of PE
#
sysname PE
#
vlan batch 10 to 40
#
interface Vlanif10
ip address 10.110.5.3 255.255.255.0
#
interface Vlanif20
ip address 10.110.6.3 255.255.255.0
#
interface Vlanif30
ip address 10.110.3.3 255.255.255.0
#
interface Vlanif40
ip address 10.110.4.3 255.255.255.0
#
#
#
return
Example for Configuring 1 to 1 VLAN Mapping for Inter-VLAN Communication

1 to 1 VLAN mapping allows user VLAN IDs and the ISP VLAN ID to be replaced with each
other to help users in different VLANs to communicate with each other.
Issue 02 (2013-12-31)

1375

Equipment
Users in different residential compounds use IPTV, VoIP, and Internet services. To simplify
management, the network administrator of each residential compound configures a separate
VLAN for each type of services. After the configuration, users using the same type of services
in different residential compounds belong to different VLANs, but they need to communicate
with each other.
On the network shown in Figure 5-19, the same type of services in residential compounds 1 and
2 belong to different VLANs. It is required that these users communicate with each other at a
low operating cost.
Figure 5-19 Networking diagram for configuring 1 to 1 VLAN mapping
PE1
GE1/0/1
GE0/2/3
CE1
GE0/2/1
GE1/0/2
GE0/2/3
VLAN Mapping
GE0/2/2
Community1
VLAN1
GE0/2/1
CE2
GE0/2/2
Community2
VLAN2
1.
Add ports connecting switch 1 to residential compound 1 to VLAN 1. Add ports connecting
switch 2 to residential compound 2 to VLAN 2.
2.
Configure 1 to 1 VLAN mapping on switches 3 and 4 at the edge of the ISP network to
map user VLAN IDs to the ISP VLAN ID to allow users in different VLANs to
Data Preparation
l
Number of each port connecting a ATN to a user device
Number of the ports interconnecting ATNs
VLAN IDs configured on ATNs
Issue 02 (2013-12-31)

1376

Equipment
VLAN ID provided by the ISP
Procedure
Step 1 Add ports connecting switches to user devices to specified VLANs.
# Configure CE 1.
[CE1] vlan 1
[CE1-vlan1] quit
# Configure CE 2.
[CE2] vlan 2
[CE2-vlan2] quit
# Configure PE 1.
[PE1] vlan 2
[PE1-vlan2] quit
[PE1] interface GigabitEthernet 1/0/1
[PE1-GigabitEthernet1/0/1] port link-type trunk
[PE1-GigabitEthernet1/0/2] port link-type trunk
Step 2 Configure 1 to 1 VLAN mapping.

# Configure CE1.
Issue 02 (2013-12-31)

1377

Equipment

[CE1] vlan 1
[CE1-vlan1] quit
[CE1-GigabitEthernet0/2/3] port vlan-mapping vlan 2 map-vlan 1

After completing the configurations, run the display vlan command to check information about
1 to 1 VLAN mapping. Use the display on PE 1 as an example.
[CE1] display vlan 1
VLAN ID Type
Status
-------------------------------------------------------------------------------Tagged
Port: GigabitEthernet0/2/1
---------------QinQ-map
---------------Interface
Physical
UP
UP
UP
Users in residential compounds 1 and 2 can communicate with each other.

----End
Configuration Files
l
#
sysname CE1
#
vlan batch 1
#
undo shutdown
portswitch
#
undo shutdown
portswitch
#
undo shutdown
portswitch
port vlan-mapping vlan 2 map-vlan 1
#
return
#
sysname CE2
#
vlan batch 2
#
Issue 02 (2013-12-31)

1378

Equipment
undo shutdown
portswitch
#
undo shutdown
portswitch
#
undo shutdown
portswitch
#
return
Configuration file of PE 1
#
sysname PE1
#
vlan batch 2
#
undo shutdown
portswitch
#
undo shutdown
portswitch
#
return
Example for Configuring VLAN+802.1p for L2VPN Access (on a Common Subinterface)
In the networking of this configuration example, VLAN+802.1p is configured on the subinterface at the AC side of PE1; the sub-interface is bound to different VSIs. Packets are
transmitted through different VSIs based on the 802.1p priorities of the packets. The following
takes the scenario where a CSG accesses IP services as an example.
On an ME network, VLAN IDs are used to identify various services or user packets before they
access various VSIs, VLLs, or VPN instances. If multiple user packets or services share one
VLAN ID, part of high-priority traffic over the operators' network cannot be scheduled in time,
which deteriorates users' experience.
On the network shown in Figure 5-20, various services are tagged with the same VLAN ID.
After receiving these services, PE1 cannot identify them, resulting in a failure in traffic
distribution. To help resolve this problem, a VLAN matching policy needs to be configured on
PE1. PE1 maps a VLAN ID to a packet priority before distributing a packet to a specific PW,
ensuring correct scheduling of packets.
Issue 02 (2013-12-31)

1379

Equipment
NOTE
In this example, PE1 parses 802.1p values in the received packets for scheduling.
Figure 5-20 Networking diagram for VLAN+802.1p-based L2VPN access

Loopback1
2.2.2.9/32
V
80 LA
2. N=
1p 10
=3
PE2
V
80 LA
2. N=
1p 10
=2
GE1/0/2
20.1.1.1/30
GE1/0/1.1
PE3
Loopback1
3.3.3.9/32
VLAN
RNC1
GE0/2/3
20.1.1.2/30
PE1
Loopback1
1.1.1.9/32
GE1/0/2
10.1.1.1/30
GE0/2/2
10.1.1.2/30
GE0/2/1.2
GE0/2/1.1
VLAN10
GE1/0/1.1
PW
RNC2
VLAN
NOTE
L2VPN includes VLL, PWE3, and VPLS. You can configure any one of them as required. The following
takes the VPLS application as an example.

1.
Configure basic VPLS functions.

a.
Run an IGP to ensure intercommunication between ATN on the backbone network.
b.
Configure basic MPLS functions on the backbone network.
c.
Set up LSPs between PEs.
d.
e.
Create VSIs on PEs.
2.
Configure VLAN+802.1p.
3.
Bind AC interfaces to the VSIs.
Data Preparation
l
IP addresses of interfaces
MPLS LSR IDs of PEs
VSI names and VSI IDs on PEs
Issue 02 (2013-12-31)

1380

Equipment
Names of the interfaces bound to the VSIs
Procedure
Step 1 Configure basic VPLS functions.
# Set up a VPLS connection between PE1 and PE2, and between PE1 and PE3, with LDP being
the signaling protocol; configure the VSI names to be LDP1 and LDP2. The detailed
configurations are not mentioned here. You can refer to the chapter "VPLS Configuration" in
the Configuration Guide - VPN or the configuration files in this configuration example.
Step 2 Configure VLAN+802.1p.
# Configure PE1.
<PE1> system-view
[PE1-GigabitEthernet0/2/1.1] vlan-type dot1q 10 8021p 3
# Configure PE2.
<PE2> system-view
# Configure PE31.
<PE3> system-view
Step 3 Bind each sub-interface to a VSI.

# Configure PE1.
# Configure PE2.
# Configure PE3.
Issue 02 (2013-12-31)

1381

Equipment
Step 4 Configure basic functions of the CSG(PE1).

The detailed configurations are not mentioned here. It is required that the CSG support the
following:
l Configures the 802.1p priorities of packets through commands.
l Differentiates service types (voice, data, or signal) based on timeslots in TDM or PVCs in
ATM in the case that the CSG accesses non-IP services.
NOTE
Packets sent from CSG to PE1 carry VLAN tags with different 802.1p priorities.

After the preceding configurations, run the display vsi name ldp1 verbose command on PEs,
and you can view that a PW to PE2 is set up for a VSI named ldp1 and the VSI is in the Up
state.
Take the command output on PE1 as an example.
[PE1] display vsi name ldp1 verbose
***VSI Name
Administrator VSI
Isolate Spoken
VSI Index
PW Signaling
PW MAC Learn Style
Encapsulation Type
MTU
Diffserv Mode
Service Class
Color
DomainId
Domain Name
Ignore AcState
Create Time
VSI State
VSI ID
*Peer Router ID
VC Label
Peer Type
Session
Tunnel ID
Broadcast Tunnel ID
CKey
NKey
StpEnable
PwIndex
Interface Name
State
Last Up Time
Total Up Time
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
ldp1
no
disable
1
ldp
static
unqualify
vlan
1500
uniform
--255
:
:
:
:
:
:
:
:
:
:
:
1
2.2.2.9
30720
dynamic
up
0x81000b
0x81000b
2
1
0
0
:
:
:
:
up
2009/09/01 16:10:40
:
:
:
:
:
:
2.2.2.9
up
30720
30720
label
0x81000b
disable
up
**PW Information:
*Peer Ip Address
PW State
Local VC Label
Remote VC Label
PW Type
Tunnel ID
Issue 02 (2013-12-31)

1382

Equipment
Broadcast Tunnel ID
Ckey
Nkey
Main PW Token
Slave PW Token
Tnl Type
OutInterface
Stp Enable
Mac Flapping
PW Last Up Time
PW Total Up Time

:
:
:
:
:
:
:
:
:
:
:
0x81000b
0x2
0x1
0x81000b
0x0
LSP
0
0
2009/09/01 16:10:40
Run the display interface vlan command, and you can view the matching policy with the
specified VLAN ID on a main interface.
[PE1] display interface gigabitethernet0/2/1 vlan 10
Interface
VlanPolicy
----------------------------------------------------------GE0/2/1.1
8021p 3
GE0/2/1.2
8021p 2
----End
Configuration Files
l

#
sysname PE1
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 1
peer 2.2.2.9
#
vsi ldp2 static
pwsignal ldp
vsi-id 2
peer 3.3.3.9
#
mpls ldp
#
undo shutdown
#
undo shutdown
vlan-type dot1q 10 8021p 3
l2 binding vsi ldp1
#
undo shutdown
l2 binding vsi ldp2
#
undo shutdown
ip address 10.1.1.2 255.255.255.252
Issue 02 (2013-12-31)

1383

Equipment
mpls
mpls ldp
#
undo shutdown
ip address 20.1.1.2 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 10.1.1.0 0.0.0.3
network 20.1.1.0 0.0.0.3
#
return

#
sysname PE2
#
mpls lsr-id 2.2.2.9
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 1
peer 1.1.1.9
#
mpls ldp
#
undo shutdown
#
undo shutdown
vlan-type dot1q 10
l2 binding vsi ldp1
#
undo shutdown
ip address 10.1.1.1 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.3
#
return

#
sysname PE3
#
mpls lsr-id 3.3.3.9
mpls
#
Issue 02 (2013-12-31)

1384

Equipment
mpls l2vpn
#
vsi ldp2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.9
#
mpls ldp
#
undo shutdown
#
undo shutdown
vlan-type dot1q 10
l2 binding vsi ldp2
#
undo shutdown
ip address 20.1.1.1 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 20.1.1.0 0.0.0.3
#
return
Example for Configuring VLAN+802.1p for L3VPN Access (on a Common Subinterface)
In the networking of this configuration example, VLAN+802.1p is configured on the subinterface at the AC side of a PE1; the sub-interfaces are bound to different VPN instances.
Packets are transmitted through different VPN instances based on the 802.1p priorities of the
packets. The following takes the scenario where a CSG accesses IP services as an example.
On an ME network, VLAN IDs are used to identify various services or user packets before they
access various VSIs, VLLs, or VPN instances. If multiple user packets or services share one
VLAN ID, part of high-priority traffic over the operators' network cannot be scheduled in time,
which deteriorates users' experience.
As shown in Figure 5-21, different service packets are added with the same tag on the PE1.
Therefore, when PE1 receives packets, it cannot identify services based on tags, which affects
the traffic distribution. To address the problem, you can deploy a VLAN policy on PE1. PE1
distributes traffic to different VPN instances based on VLAN IDs and packet priorities. This
ensures that packets can be scheduled in time.
NOTE
In this example, PE1 parses 802.1p values in the received packets for scheduling.
Issue 02 (2013-12-31)

1385

Equipment
Figure 5-21 Networking diagram of VLAN+802.1p-based L3VPN access

L3VPN1 for VLAN=10 802.1p=2
G
20 E0
.1 /2
.1 /3
.1
/2
Loopback1
4
1.1.1.9/32
GE0/2/1.1
100.1.1.1/24
20 G
.1 E1
.1 /0
.2 /3
/2
4
GE0/2/1.2
GE1/0/1 100.1.1.1/24
10 GE1
.1.
1.2 /0/2
/24
PE2
/2
0/2 4
G E 1 . 1/ 2
PE1 0.1.
1
RNC
GE1/0/1.1
100.2.1.1/24
GE1/0/1.2
100.2.1.1/24
Loopback1
2.2.2.9/32
L3VPN2 for VLAN=10 802.1p=default
1.
Configure basic L3VPN functions.

a.
Run an IGP to ensure intercommunication between ATN on the backbone network.
b.
Configure basic MPLS functions and MPLS LDP, and set up MPLS LSPs on the
backbone network.
c.
Set up LSPs between PEs.
d.
Create VPN instances on PEs.
2.
Configure VLAN+802.1p and bind AC interfaces to the VPN instances.
3.
Configure the basic Layer 2 forwarding function on PE1.
Data Preparation
l
Names of the VPN instances on PEs
RDs and VPN targets of the VPN instances
Interfaces bound to the VPN instances
Procedure
Step 1 Configure basic L3VPN functions.
1.
Configure the IP addresses of interfaces on CEs and PEs as described in Figure 5-21. The
detailed configurations are not mentioned here. You can see the configuration files in this
configuration example.
2.
Configure an IGP on the MPLS backbone network. In this example, OSPF is adopted as
an IGP.
Issue 02 (2013-12-31)

1386

Equipment
The detailed configurations are not mentioned here. You can see the configuration files in
this configuration example.
After the preceding configurations, PE1 and PE2, and PE1 and PE3 have routes discovered
through OSPF to Loopback 1 of each other. PE1 and PE2, and PE1 and PE3 can ping
through each other.
<PE1> display ip routing-table
Routing Tables: Public
Destinations : 9
Destination/Mask
Proto
1.1.1.9/32 Direct
2.2.2.9/32 OSPF
10.1.1.0/30 Direct
10.1.1.2/32 Direct
20.1.1.0/30 Direct
20.1.1.2/32 Direct
127.0.0.0/8
Direct
127.0.0.1/32 Direct
Routes : 9
Pre
Cost
Flags NextHop
0
10
0
1
D
D
127.0.0.1
10.1.1.1
10.1.1.2
0
0
0
0
D
D
127.0.0.1
20.1.1.2
0
0
0
0
0
0
D
D
D
127.0.0.1
127.0.0.1
127.0.0.1
<PE1> ping 2.2.2.9

Interface
InLoopBack0
InLoopBack0
time=120 ms
time=90 ms
time=90 ms
time=90 ms
time=90 ms

0.00% packet loss
3.
Enable basic MPLS functions and LDP on the MPLS backbone network.
The detailed configurations are not mentioned here. You can see the configuration files in
After the preceding configurations, MPLS LSPs are successfully created, and LDP sessions
are set up between PE1 and PE2 and between PE1 and PE3. Run the display mpls ldp
session command, and you can view that the Status field is displayed as Operational.
<PE1> display mpls ldp session
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
-----------------------------------------------------------------------------PeerID
Status
LAM SsnRole SsnAge
KASent/Rcv
-----------------------------------------------------------------------------2.2.2.9:0
Operational DU
Passive 0000:00:00 3/3
4.
Configure VPN instances.

# Configure PE1.
<PE1> system-view
[PE1] ip vpn-instance vpn1
Issue 02 (2013-12-31)

1387

Equipment
[PE1-vpn-instance-vpn1] route-distinguisher 100:1

[PE1-vpn-instance-vpn1] vpn-target 100:1 both
[PE1-vpn-instance-vpn1] quit
# Configure PE2.
<PE2> system-view
# Configure PE3.
<PE3> system-view
Step 2 Configure VLAN+802.1p, and bind common sub-interfaces to the VPN instances.
# Configure PE1.
<PE1> system-view
[PE1-GigabitEthernet0/2/1.1] ip binding vpn-instance vpn1
[PE1-GigabitEthernet0/2/1.1] ip address 100.1.1.1 24
# Configure PE2.
<PE2> system-view
After the preceding configurations, run the display ip vpn-instance verbose command on PEs,
and you can view the configurations of the VPN instances.
[PE1] display ip vpn-instance verbose
Total VPN-Instances configured : 2
VPN-Instance Name and ID : vpn1, 1
Create date : 2009/09/01 17:22:49
Up time : 0 days, 00 hours, 11 minutes and 46 seconds
Route Distinguisher : 100:1
Export VPN Targets : 100:1
Import VPN Targets : 100:1
Label Policy : label per route
Issue 02 (2013-12-31)

1388

Equipment
The diffserv-mode Information is : uniform

The ttl-mode Information is : pipe
Log Interval : 5
Interfaces : GigabitEthernet0/2/2.1
Create date : 2009/09/01 17:27:07
Label Policy : label per route
The ttl-mode Information is : pipe
Log Interval : 5
Step 3 Configure basic functions of the CSG(PE1).

following:
NOTE
Packets sent from CSG to PE1 carry VLAN tags with different 802.1p priorities.

Run the display ip routing-table vpn-instance command on PEs, and you can view the routes
to remote CEs.
[PE1] display ip routing-table vpn-instance vpn1
Route Flags: R - relay, D - download to fib
-----------------------------------------------------------------------------Routing Tables: vpn1
Destinations : 3
Routes : 3
Destination/Mask
Proto
Pre
Cost
Flags NextHop
Interface
100.1.1.0/24
Direct 0
0
D
100.1.1.1
100.1.1.1/32
Direct 0
0
D
127.0.0.1
InLoopBack1
100.2.1.0/24
OSPF
255 0
RD
2.2.2.9
[PE1] display ip routing-table vpn-instance vpn2
Destinations : 3
Routes : 3
Destination/Mask
Proto
Pre
Cost
100.1.1.0/24
Direct 0
0
100.1.1.1/32
Direct 0
0
100.2.1.0/24
OSPF
255 0
Flags NextHop
D
100.1.1.1
127.0.0.1
2.2.2.9
RD
Interface
InLoopBack1
Run the display interface vlan command, and you can view the matching policy configured on
sub-interfaces in VLAN 10.
Issue 02 (2013-12-31)

1389

Equipment
[PE1] display interface gigabitethernet0/2/1 vlan 10

Interface
VlanPolicy
----------------------------------------------------------GE0/2/1.2
default
GE0/2/1.1
8021p 2
----End
Configuration Files
l

#
sysname PE1
#
mpls lsr-id 1.1.1.9
mpls
mpls
te
mpls rsvp-te
#
mpls ldp
#
explicit-path
toPE28
next hop
10.1.1.2
next hop 2.2.2.9
#
interface
Tunnel0/0/8
LoopBack1
te
destination 2.2.2.9
mpls te tunnel-id
8
mpls te path explicit-path
toPE28
mpls te
commit
#
tunnel-policy
toPE28
#
ip vpn-instance vpn1
ipv4-family
tnl-policy toPE28
apply-label per-instance
traffic-statistics enable
#
explicit-path
toPE29
next hop
20.1.1.2
next hop 2.2.2.9
Issue 02 (2013-12-31)

1390

Equipment
#
interface
Tunnel0/0/9
LoopBack1
te
destination 2.2.2.9
mpls te tunnel-id
9
toPE29
mpls te
commit
#
tunnel-policy
toPE29
#
ipv4-family
tnl-policy toPE29
#
ip binding vpn-instance vpn1
ip address 100.1.1.1 255.255.255.0
#
vlan-type dot1q 10 default
ip address 100.1.1.1 255.255.255.0
#
undo shutdown
ip address 10.1.1.1 255.255.255.252
mpls
mpls ldp
#
undo shutdown
ip address 20.1.1.1 255.255.255.252
mpls
mpls ldp
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 10.1.1.0 0.0.0.3
network 20.1.1.0 0.0.0.3
network 100.1.1.0 0.0.0.3
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
return
Issue 02 (2013-12-31)

1391

Equipment
#
sysname PE2
#
mpls lsr-id 2.2.2.9
mpls
mpls
te
mpls rsvp-te
#
explicit-path
toPE18
next hop
10.1.1.1
next hop 1.1.1.9
#
mpls ldp
#
interface
Tunnel0/0/8
LoopBack1
te
destination 1.1.1.9
mpls te tunnel-id
8
toPE18
mpls te
commit
#
tunnel-policy
toPE18
#
ipv4-family
tnl-policy toPE18
#
explicit-path
toPE19
next hop
20.1.1.1
next hop 1.1.1.9
#
interface
Tunnel0/0/9
LoopBack1
te
destination 1.1.1.9
mpls te tunnel-id
9
toPE19
Issue 02 (2013-12-31)

1392

Equipment
mpls te
commit
#
explicit-path
toPE19
next hop
20.1.1.1
next hop 1.1.1.9
tunnel-policy
toPE19
#
ipv4-family
tnl-policy toPE19
#
ip address 100.2.1.1 255.255.255.0
#
vlan-type dot1q 10 default
ip address 100.2.1.1 255.255.255.0
#
undo shutdown
ip address 10.1.1.2 255.255.255.252
mpls
mpls ldp
#
undo shutdown
ip address 20.1.1.2 255.255.255.252
mpls
mpls ldp
address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.3
network 20.1.1.0 0.0.0.3
network 100.2.1.0 0.0.0.3
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
return
5.5 QinQ Configuration

The QinQ technology makes up for the shortage of public VLAN ID resources, and also provides
a simpler Layer 2 VPN solution for LANs or small-scale MANs.
Issue 02 (2013-12-31)

1393

Equipment
5.5.1 QinQ Introduction

The QinQ protocol is a Layer 2 tunneling protocol based on the IEEE 802.1Q standard.
QinQ Overview
The QinQ technology improves the utilization of VLANs by adding another 802.1Q tag to a
packet with an 802.1Q tag. In this manner, services from the private VLAN can be transparently
transmitted through the public network.
In intercommunication between Layer 2 LANs on the basis of the traditional IEEE 802.1Q
protocol, when two user networks access each other through an Internet Service Provider (ISP),
the ISP must assign VLAN IDs to users of different VLANs, as shown in Figure 5-22. Suppose
User Network1 and User Network2 access the backbone network through PE1 and PE2 of an
ISP.
Figure 5-22 Intercommunication between Layer 2 LANs on the basis of the traditional IEEE
802.1Q protocol
Trunk
VLAN100~200
PE1
Trunk
VLAN100~200
P
User
Network1
ISP
Network
Trunk
VLAN100~200
Trunk
VLAN100~200
PE2
User
Network2
To connect VLAN 100 - VLAN 200 on User Network1 to VLAN 100 - VLAN 200 on User
Network2, you must change the attribute of the interfaces of CE1, PE1, and P that connect PE2
and CE2 to the trunk and allow packets of VLAN 100 - VLAN 200 to pass.
This configuration makes user's VLANs visible on the backbone network. In this case, the VLAN
ID resources (4094 VLAN IDs) of an ISP are wasted. In addition, the ISP has to manage user
VLAN IDs and users have no right to manage their VLANs.
A rush of too many users accessing the network may cause the ISP network to be short of VLAN
IDs because an ISP network has only 4094 VLAN IDs.
In addition, different users cannot use the same VLAN ID and user's VLAN IDs must be planned
by an ISP.
QinQ is a technology used to expand the VLAN space by encapsulating a packet that carries an
802.1Q tag in another 802.1Q tag. The private VLANs therefore can transparently transmit
packets over the public network and the preceding problem is solved.
Issue 02 (2013-12-31)

1394

Equipment
The QinQ technology expands the VLAN space by encapsulating a packet that carries an 802.1Q
tag in another 802.1Q tag. The private VLANs therefore can transparently transmit packets over
the public network. This function is the same as the Layer 2 VPN. Packets that are forwarded
over the backbone network carry two 802.1Q tags, one for the public network and the other for
the private network. This is called 802.1Q-in-802.1Q, or QinQ for short.
The ISP network only provides one VLAN ID for different VLANs from the same user network.
This saves VLAN IDs of an ISP. Meanwhile, the QinQ provides a simple Layer 2 VPN solution
to a small metropolitan area network (MAN) or a local area network (LAN).
The QinQ technology has been widely used on ISPs' networks because of its easy application.
The QinQ technology can be applied to multiple services in a metropolitan area Ethernet solution.
The emergence of flexible QinQ that is VLAN stacking enables QinQ services to widely spread
among ISPs.
This technology has the following features:
l
Private networks are effectively segregated from the public network.
ISP's VLAN IDs are saved to the maximum.
With the development of the metropolitan area Ethernet, all device vendors have put forward
their solutions to the metropolitan area Ethernet. The QinQ technology plays an important role
in the solutions because of its simplicity and flexibility.
QinQ Feature Supported by the ATN

Owing to its simplicity and flexibility, QinQ plays an important role in solutions.
QinQ of Layer 2 Interfaces

l
QinQ tunnel
Compatibility of QinQ EType in the outer tag or inner tag.
As shown in Figure 5-23, 802.1Q defines that the Ethernet encapsulation type field (EType)
value of the Tag Protocol Identifier (TPID) is 0x8100. In QinQ encapsulation, the value of the
EType in the inner TPID of devices from each vendor is 0x8100. The value of the EType in the
outer TPID, however, varies with vendors.
Figure 5-23 802.1 encapsulation
802.1Q Encapsulation
DA
6 Bytes
SA
ETYPE
6 Bytes 2 Bytes
DATA
TAG LEN/ETYPE
FCS
46 Byte~1500 Bytes 4 Bytes
2 Bytes 2 Bytes
QinQ Encapsulation
DA
6 Bytes
SA
TAG ETYPE
ETYPE
TAG
6 Bytes 2 Bytes 2 Bytes 2 Bytes 2 Bytes
LEN/ETYPE
2 Bytes
DATA
FCS
46 Byte~1500 Bytes 4 Bytes
The ATN supports the compatibility of ETypes in different QinQ outer TPIDs. That is, the ATN
can identify and encapsulate packets with different outer ETypes, thus implementing interoperation among devices from different vendors.
Issue 02 (2013-12-31)

1395

Equipment
NOTE
IEEE 802.1ad defines the value of the EType field in the outer TPID to 0x88a8.
As shown in Figure 5-24, on ATNB, the inbound interface can identify the QinQ packet with
the Etype value in the outer TPID being 0x9100 and the outbound interface can set ETypes in
the outer TPID to different values according to vendors, such as 0x9100, 0x8100, or other values.
Thus, ATNB can inter-operate with the devices of different vendors.
Figure 5-24 Compatibility of Etypes in the outer TPIDs of QinQ packets
0x9
100
0x9100
NodeBA
IP/MPLS
Core
CX-A
ATNB
0x8
100
NodeBC
As shown in Figure 5-25, RouterA and SwitchA are non-Huawei devices, and ATNB is a
Huawei Datacom device. By default, the inbound interface on ATNB can identify the QinQ
packets with ETypes of both inner and outer tags being 0x8100. Then, to implement interworking
between non-Huawei devices and the Huawei device, you should configure the compatibility of
ETypes of the tags carried in the QinQ packets sent by the devices of different vendors.
Figure 5-25 Compatibility of ETypes in the outer TPIDs of QinQ packets
xxxx 0x9100
10
xxxx
xxxx 0x9100
100
0x9100
10
xxxx
GE1/0/1
RouterA
SwitchA
ATNB
5.5.2 Configuring the QinQ Tunnel Function

This section describes how to configure a QinQ Layer 2 tunnel. Therefore, packets with double
tags can be transmitted. In addition, the EthType in the outer tag can be flexibly configured.
Before You Start

Before configuring a QinQ Layer 2 tunnel, familiarize yourself with the usage scenario, complete
Issue 02 (2013-12-31)

1396

Equipment
When multiple VLANs are required, the QinQ tunnel need be configured. You can add the outer
tag to the VLAN so that the range of available number of VLANs is wide; therefore, the number
of VLANs is no longer insufficient.
Before configuring the QinQ tunnel, complete the following tasks:
l
Ensure that the device is powered on correctly and operates properly.
Configure basic attributes of the Ethernet interface.
Data Preparation
To configure the QinQ tunnel, you need the following data.
No.
Data
Interface number of the QinQ tunnel
ID of the outer VLAN tag
Creating the Outer VLAN Tag for a Layer 2 Interface

After a QinQ Layer 2 tunnel is configured, different outer tags can be added to packets and the
EthType in QinQ tags can be flexibly configured.
Procedure
Step 1 Run:
system-view

Step 2 Run:
vlan vlan-id
A VLAN is created and its view is displayed.

The VLAN ID refers to the value of the outer tag specified in the QinQ tunnel function. The
VLAN ID ranges from 1 to 4094.
----End
Configuring QinQ for a Layer 2 Interface

After a QinQ Layer 2 tunnel is configured, the interface adds an outer VLAN tag to the packet
that carries an inner VLAN tag so that the packet can be forwarded on the public network.
Issue 02 (2013-12-31)

1397

Equipment
Procedure
Step 1 Run:
system-view

Step 2 Run:
The view of the Ethernet interface that need be configured with the QinQ tunnel is displayed.
portswitch
The interface is configured as a Layer 2 interface.

If the interface is a Layer 2 interface, this step is unnecessary.
Step 4 Run:
port link-type dot1q-tunnel
The interface type is configured as a QinQ interface.

Step 5 Run:
port default vlan vlan-id
The outer tag is configured; namely, the default VLAN ID of the interface is configured.
NOTE
The outer tag value should be the same as the VLAN ID created in Creating the Outer VLAN Tag for a
Layer 2 Interface.
----End
(Optional) Configuring the Protocol Type for the Outer Tag

To implement interworking between devices of different vendors, in the case that QinQ is
configured, devices of different vendors use 0x8100 as the value of the EType in the inner Tag
Protocol Identifier (TPID) but use different values as the values of EType in the outer TPID. In
addition, the protocol type of the outer tag need be configured.
Procedure
Step 1 Run:
system-view

Step 2 Run:
Step 3 Run:
qinq protocol ethertype-value
The protocol type of the outer tag is configured.

Issue 02 (2013-12-31)

1398

Equipment
l IEEE 802.1ad defines the value of the EType field in the outer TPID to 0x88a8.
l The value of ethertype-value ranges from 0x0600 to 0xFFFF, and the default value is 0x8100.
NOTE
qinq protocol is applicable to only the packets with double tags.
----End

After a Layer 2 QinQ tunnel is successfully configured, you can view whether the VLAN is
enabled with the broadcast function, VLAN status, whether address learning is enabled, and
whether the configured Layer 2 QinQ tunnel interface is a QinQ stack interface.
Prerequisites
The QinQ tunnel function has been configured.
Procedure
l
----End
Example
Running the display vlan command, you can view whether broadcast, VLAN status, and address
learning are enabled and view whether the interface configured with the QinQ tunnel function
is an untagged interface.
For example:
VLAN ID
: 10
VLAN Type
: Common
Description : VLAN 0010
Status
: Enable
Broadcast
: Enable
MAC learning : Enable
Statistics
: Disable
---------------Untagged
5.5.3 Configuring Selective QinQ on a Layer 2 Interface

This section describes how to configure Layer 2 selective QinQ. Therefore, a packet with
different outer VLAN tags can be transmitted and the EthType in the outer VLAN tag can be
flexibly configured.
Before You Start

Before configuring Layer 2 selective QinQ, familiarize yourself with the usage scenario,
Issue 02 (2013-12-31)

1399

Equipment
Layer 2 selective QinQ is an extension of the QinQ tunnel. Layer 2 selective QinQ is more
flexible than the QinQ tunnel.
The major difference is as follows:
l
QinQ tunnel
It attaches the same outer tag to all the frames entering the Layer 2 QinQ interface.
Selective QinQ on the Layer 2 interface

It can attach different outer tags to the frames entering the Layer 2 QinQ interface according
to different inner tags.
Before configuring selective QinQ on a Layer 2 interface, complete the following tasks:
l
Ensure that the device is powered on correctly and operates properly.
Configure basic attributes of the Ethernet interface.
Data Preparation
To configure selective QinQ on a Layer 2 interface, you need the following data.
No.
Data
ID of the outer VLAN tag
Interface number of the selective QinQ on the Layer 2 interface, ID of the inner VLAN
tag
(Optional) The protocol type for the outer tag
Creating the Outer VLAN Tag for a QinQ Interface

After a QinQ Layer 2 tunnel is configured, different outer tags can be added to packets and the
EthType in QinQ tags can be flexibly configured.
Procedure
Step 1 Run:
system-view

Step 2 Run:
vlan vlan-id
A VLAN is created and its view is displayed.

Issue 02 (2013-12-31)

1400

Equipment
The VLAN ID refers to the value of the outer tag specified in the QinQ tunnel function. The
VLAN ID ranges from 1 to 4094.
----End
Configuring Selective QinQ Interface on a Layer 2 Interface

After selective QinQ is configured on a Layer 2 interface, the interface adds a public VLAN tag
to the user packet that carries a private VLAN tag so that the user packet can be forwarded on
the public network.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The view of the Ethernet interface that need be configured with the Layer 2 selective QinQ is
displayed.
portswitch
The interface is configured as a Layer 2 interface.

If the interface is a Layer 2 interface, this step is unnecessary.
Step 4 Run the port vlan-stacking { vlan vlan-id1 [ to vlan-id2 ] stack-vlan vlan-id3
[ remark-8021p 8021p-value3 ] | ce-default-vlan stack-vlan vlan-id3 } command to configure
the interface type as a Layer 2 selective QinQ interface.
In this step, vlan-id1 and vlan-id2 specify the range of the inner tag of the frame received by the
interface; vlan-id3 is the value of the outer tag attached to the frame by the interface.
Step 5 (Optional) Run the statistics enable vlan command to enable packet statistics.
----End
(Optional) Configuring the Protocol Type for the Outer Tag

To implement interworking between devices of different vendors, in the case that QinQ is
configured, devices of different vendors use 0x8100 as the value of the EType in the inner Tag
Protocol Identifier (TPID) but use different values as the values of EType in the outer TPID. In
addition, the protocol type of the outer tag need be configured.
Procedure
Step 1 Run:
system-view

Issue 02 (2013-12-31)

1401

Equipment
Step 2 Run:
Step 3 Run:
qinq protocol ethertype-value
The protocol type of the outer tag is configured.

l IEEE 802.1ad defines the value of the EType field in the outer TPID to 0x88a8.
l The value of ethertype-value ranges from 0x0600 to 0xFFFF, and the default value is 0x8100.
NOTE
qinq protocol is applicable to only the packets with double tags.
----End

After Layer 2 selective QinQ is successfully configured, you can view whether the VLAN is
enabled with the broadcast function, VLAN status, whether address learning is enabled, and
whether the interface configured with the QinQ Layer 2 tunnel is a QinQ stack interface.
Prerequisites
Selective QinQ on a layer 2 interface has been configured.
Procedure
l
----End
Example
Run the display vlan command, and you can view whether broadcast, VLAN status, and address
learning are enabled and view whether the interface configured with the QinQ tunnel is a QinQ
stack interface. For example:
VLAN ID
: 10
VLAN Type
: Common
Status
: Enable
Broadcast
: Enable
Statistics
: Disable
---------------QinQ-stack Port: GigabitEthernet0/2/5
5.5.4 Configuring the Sub-interface for VLAN Tag Termination to

Access the IP Service
IP services include proxy ARP, and DHCP services. You can deploy IP services on subinterfaces for VLAN tag termination to enable the interworking between users in different
Issue 02 (2013-12-31)

1402

Equipment
VLANs, therefore ensuring reliable, stable, and uninterrupted connections between the users
and the network.
Before You Start

Before configuring the sub-interface for VLAN tag termination to access the IP service,
the required data. This helps you complete the configuration task quickly and accurately.
IP services are classified into the following types:
l
Proxy Address Resolution Protocol (ARP)

The sub-interface for VLAN tag termination can connect different VLANs to the same
network segment. If users on the same network segment belong to different VLANs, they
cannot communicate with each other on the Layer 2 network unless the sub-interface for
VLAN tag termination supports ARP proxy and thus implements IP forwarding.
Dynamic Host Configuration Protocol (DHCP)

The sub-interface for VLAN tag termination can be configured with the Dynamic Host
Configuration Protocol (DHCP) server function to assign IP addresses to users.
The sub-interface for VLAN tag termination can be configured with the DHCP relay
function to provide reference for the DHCP server to assign IP addresses and parameters
by inserting tag information into Option82.
NOTE
Proxy ARP and VRRP are different types of IP services, you can deploy one of them on the sub-interface
for VLAN tag termination as required.
Before configuring the sub-interface for VLAN tag termination to access the IP service, complete
l
Ensure that devices are connected correctly.
Configure the correct VLANs of users to enable the packets received by the sub-interface
for VLAN tag termination to carry one or double tags.
Data Preparation
To configure the sub-interface for VLAN tag termination to access the IP service, you need the
following data.
Issue 02 (2013-12-31)
No.
Data
Control VLAN ID of the termination sub-interface
Range of the termination tag of the interface
Priorities of the ATNs in the backup group

1403

Equipment
No.
Data
Preemption mode
IP addresses that are forbidden to assign
Number of the address pool
Configuring the Interface Mode as the User-Termination Mode

You can run the dot1q-related command on the sub-interface only when the interface works in
user-termination mode.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The view of the Ethernet interface receiving user packets is displayed.

Step 3 Run:
mode user-termination
The mode of the Ethernet interface is configured as user-termination mode.

----End
Configuring the Sub-interface for dot1q VLAN Tag Termination

The sub-interface that terminates a single tag is called the sub-interface for dot1q VLAN tag
termination.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The Ethernet sub-interface view or the Eth-Trunk sub-interface view is displayed.

Step 3 Run:
control-vid vid dot1q-termination [ rt-protocol ]
The VLAN ID of the sub-interface for VLAN tag termination is set to terminate the packets with
one tag.
Issue 02 (2013-12-31)

1404

Equipment
Step 4 (Optional) Create a user VLAN group.

1.
Run the vlan-group group-id command to create a user VLAN group.
2.
(Optional) Run the group mode single ommand to configure the working mode of the
user VLAN group.
By default, the user VLAN group works in single mode.
3.
Run the quit command to return to the Ethernet sub-interface view or the Eth-Trunk subinterface view.
Step 5 Run:
dot1q termination vid low-pe-vid [ to high-pe-vid ]
The VLAN tag termination function is configured for the dot1q sub-interface.
----End
Configuring the Sub-interface for QinQ VLAN Tag Termination

If the route sub-interface that terminates double tags is called a sub-interface for QinQ VLAN
tag termination.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
control-vid vid qinq-termination [ local-switch | [ rt-protocol | dynamic ]
double tags.
1.
2.
user VLAN group.
3.
Step 5 Run:
qinq termination pe-vid pe-vid [ to high-pe-vid ] ce-vid { low-ce-vid [ to high-cevid ] | any } [ vlan-group group-id ]
The sub-interface for VLAN tag termination is configured.

----End
Issue 02 (2013-12-31)

1405

Equipment
Configuring the IP Service

After the sub-interface for VLAN tag termination is successfully configured, you need to
configure an IP service. In this manner, the user can access the IP service through the subinterface for VLAN tag termination.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The view of the sub-interface for VLAN tag termination is displayed.

Step 3 Configure the IP service.
l Proxy ARP
Configure proxy ARP on the device. For detailed configuration, see the chapter "ARP
Configuration" in the Configuration Guide - IP Services.
Enabling or disabling the ARP broadcast on the sub-interface makes the route status change
from Down to Up on the sub-interface. This may lead to route flapping on the entire network,
and even affect the running services.
l DHCP
Configure DHCP on the device. For detailed configuration, see the chapter "DHCP
Configuration" in the Configuration Guide - IP Services.
On a rather large network, if the PCs are connected to a ATN through other devices instead
of being directly connected to the ATN through Ethernet interfaces, the DHCP server based
on a global address pool needs to be configured so that the PCs can dynamically obtain IP
addresses from the ATN.
If a local network does not have a DHCP server, the DHCP relay function can be enabled on
the ATN. In this manner, the DHCP Request packet from the client can be transmitted to the
DHCP server through the DHCP relay.
NOTE
When configuring VRRP and static ARP on the dot1q termination sub-interface or VLANIF interface at
the same time, note the following:
l Do not configure the IP address mapping to the static ARP entry on the interface as the VRRP virtual
address.
Otherwise, incorrect host routes are generated. This affects packet forwarding between devices.
----End

After successfully configuring the sub-interface for VLAN tag termination to access the IP
service, you can view detailed configurations on the sub-interface for VLAN tag termination.
Issue 02 (2013-12-31)

1406

Equipment
Prerequisites
The configurations of the sub-interface for VLAN tag termination to access the IP service are
complete.
Procedure
l
Run the display dot1q information termination [ interface interface-type interfacenumber [.subinterface-number ] ] command to check information about the sub-interface
for dot1q VLAN tag termination.
----End
5.5.5 Configuring the Sub-interface for VLAN Tag Termination to

Access the VPN Service
VPN services are classified into L2VPN services and L3VPN services. You can configure subinterfaces for VLAN tag termination on PEs to access VPNs to enable the interworking between
CEs and users.
Before You Start

Before configuring the sub-interface for VLAN tag termination to access the VPN service,
the required data. This helps you complete the configuration task quickly and accurately.
VPN services are classified into the following types:
l
Layer 2 virtual private network (L2VPN)

Pseudo-Wire Emulation Edge to Edge (PWE3)/Virtual Leased Line (VLL)
The access of the sub-interface for QinQ/dot1q VLAN tag termination to PWE3/VLL
means that the sub-interface for QinQ/dot1q VLAN tag termination is configured with
PWE3/VLL functions.
Virtual Private LAN Service (VPLS)
The support of VPLS by the sub-interface for QinQ/dot1q VLAN tag termination refers
to configuring VPLS on the sub-interface for VLAN tag termination.
Layer 2 virtual private network (L3VPN)

The access of the sub-interface for QinQ/dot1q VLAN tag termination to L3VPN means
that the sub-interface for QinQ/dot1q VLAN tag termination is configured with L3VPN
functions.
NOTE
When a sub-interface for dot1q VLAN tag termination accesses user services, if it is required to differentiate
the service types, you can deploy VLAN + 8021.p on the device configured with the sub-interface.
l Services can be differentiated according to the 8021.p priority . Services are mapped to different VSIs
according to their 8021.p priorities, and then transmitted to the peer.
l Services can be differentiated according to the 8021.p priority . Services are mapped to different VSIs
according to their 8021.p priorities, and then transmitted to the peer.
Issue 02 (2013-12-31)

1407

Equipment
Before configuring the sub-interface for VLAN tag termination to access the VPN service,
l
Ensure that devices are correctly connected and that the physical interfaces of each device
are in the Up state.
Configure the correct VLANs of users to enable the packets received by the sub-interface
for VLAN tag termination to carry one or double tags.
Data Preparation
To configure the sub-interface for VLAN tag termination to access the VPN service, you need
the following data.
No.
Data
Range of the dot1q termination tag of the interface,

802.1p priorities
(Optional) Mode of the sub-interface for QinQ VLAN tag

termination, (optional) VLAN group ID, VLAN ID range
to be terminated by the sub-interface for QinQ VLAN tag
termination

l VLL
IP address of the interface, The L2VC IDs of two PW
ends (The two IDs must be the same), MPLS LSR-ID
l VPLS
IP address of the interface, The VC IDs of two PW
ends (The two IDs must be the same), VSI names,
MPLS LSR-ID
l L3VPN
IP address of the interface, Name of the VPN
instances, RD and VPN target of the VPN instances

Procedure
Step 1 Run:
system-view

Issue 02 (2013-12-31)

1408

Equipment
Step 2 Run:

Step 3 Run:

----End
Configuring the Sub-interface for dot1q VLAN Tag Termination

The sub-interface that terminates a single tag is called the sub-interface for dot1q VLAN tag
termination.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
control-vid vid dot1q-termination [ rt-protocol ]
one tag.
1.
2.
(Optional) Run the group mode single command to configure the working mode of the
user VLAN group.
3.

arp broadcast enable
The ARP broadcast of the sub-interface for VLAN tag termination is enabled.
NOTE
This configuration takes effect only when a sub-interface for QinQ VLAN tag termination accesses an
L3VPN. So, after configuring a sub-interface for QinQ VLAN tag termination to access an L3VPN, you
must enable the ARP broadcast function on the sub-interface.
Issue 02 (2013-12-31)

1409

Equipment
Enabling or disabling the ARP broadcast on the sub-interface makes the route status change
from Down to Up on the sub-interface. This may lead to route flapping on the entire network,
and even affect the running services.
----End
Configuring the Sub-interface for QinQ VLAN Tag Termination

If the route sub-interface that terminates double tags is called a sub-interface for QinQ VLAN
tag termination.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
control-vid vid qinq-termination [ local-switch | [ rt-protocol | dynamic ]
double tags.
1.
2.
user VLAN group.
3.
Step 5 Run:
qinq termination pe-vid pe-vid [ to high-pe-vid ] ce-vid { low-ce-vid [ to high-cevid ] | any } [ vlan-group group-id ]
The sub-interface for VLAN tag termination is configured.

----End
Configuring the VPN Service

After successfully configuring the sub-interface for VLAN tag termination, you need to
configure the Virtual Private Network (VPN) service. In this manner, users can communicate
with each over an Layer 2 virtual private network (L2VPN) or an Layer 3 virtual private network
(L3VPN).
Issue 02 (2013-12-31)

1410

Equipment
Procedure
Step 1 Run:
system-view

Step 2 Run:
The view of the sub-interface for VLAN tag termination is displayed.

Step 3 Configure the VPN service.
l L2VPN
For detailed information, see the chapters "Virtual Leased Line (VLL) Configuration",
"Pseudo-Wire Emulation Edge to Edge (PWE3) Configuration", and "Virtual Private LAN
Service (VPLS) Configuration" in the Configuration Guide - VPN.
The sub-interface for QinQ VLAN tag termination can be bound to a homogeneous VLL in
the following modes:
Local Circuit Cross Connect (CCC) connection
Remote SVC connection
Remote Martini connection
The sub-interface for dot1q VLAN tag termination can be bound to a homogeneous VLL or
a heterogeneous VLL in the following modes:
Local Martini connection
The sub-interface for dot1q VLAN tag termination can be bound to VPLS in the following
modes:
Martini VPLS
l L3VPN
For detailed information, see the chapter "Border Gateway Protocol (BGP) Multiprotocol
Label Switching (MPLS) IP VPN Configuration" in the CConfiguration Guide - VPN.
----End

After successfully configuring the sub-interface for VLAN tag termination to access the VPN
service, you can view detailed configurations on the sub-interface for VLAN tag termination.
Prerequisites
The configurations of the sub-interface for VLAN tag termination to access the VPN service are
complete.
Issue 02 (2013-12-31)

1411

Equipment
Procedure
l
Run the display dot1q information termination [ interface interface-type interfacenumber [.subinterface-number ] ] command to check information about the sub-interface
for dot1q VLAN tag termination.
View the configuration of the L2VPN in SVC mode:

Run the display mpls static-l2vc [ interface interface-type interface-number ]
command to check information about the SVC L2VPN connection.
Run the display l2vpn ccc-interface vc-type static-vc { up | down } command to check
information about the SVC interface in the Up or Down state.
View the configuration of the L2VPN in Martini mode:

Run the display mpls l2vc [ vc-id | interface interface-type interface-number ]
command to check information about the Martini MPLS L2VPN connection on the PE.
Run the display mpls l2vc remote-info [ vc-id ] command to check information about
the remote Martini MPLS L2VPN connection on the PE.
Run the display interface interface-type interface-number vlan vlanid command to view
configurations of all sub-interfaces on a main interface.
----End
5.5.6 Configuring the Sub-interface for QinQ Stacking to Access an

L2VPN
You can configure sub-interfaces for QinQ stacking on PEs to access Layer 2 virtual private
networks (L2VPNs) so that the inner tags of user packets are invisible on the Internet Service
Provider (ISP) network.
Before You Start

Before configuring the Sub-interface for VLAN stacking to access L2VPN, familiarize yourself
with the usage scenario, complete the pre-configuration tasks, and obtain the required data. This
helps you complete the configuration task quickly and accurately.
The packet of the user that accesses the CE has one tag. The CE accesses the Internet Service
Provider (ISP) network through PEs.
It is required to configure a VLL or PWE3 on the PE for the sub-interface for VLAN stacking.
In this way, the user VLAN tags can be transparently transmitted on the ISP network, and the
user networks connected to the CEs can communicate.
To enable the PE to add an outer VLAN tag to received single-tagged packets, you can configure
QinQ stacking+802.1p on the PE. Then, each packet entering an Ethernet sub-interface is
attached with an outer VLAN tag based on the matching policy.
Before configuring the sub-interface for VLAN stacking to access L2VPN, complete the
following tasks:
Issue 02 (2013-12-31)

1412

Equipment
Connect devices correctly.
Configure the VLAN of the CE and the basic Layer 2 forwarding function to make the
packets sent from the CE to the PE carry one tag.
Data Preparation
To configure the sub-interface for VLAN stacking to access L2VPN, you need the following
data.
No.
Data
The VLAN ID of the outer tag, (optional) VLAN group ID, 802.1p priorities

l Virtual Leased Line (VLL)
IP address of the interface, The L2VC IDs of two PW ends (The two IDs
must be the same), MPLS LSR-ID
l Virtual Private LAN Service (VPLS)
IP address of the interface, The VC IDs of two PW ends (The two IDs must
be the same), VSI names, MPLS LSR-ID

Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:

----End
Configuring the Sub-interface for VLAN Stacking

If a physical interface is used to access user packets, the interface can only access packets of a
single user. In this case, you can bind sub-interfaces for QinQ stacking to VSIs or L2VCs to
access an L2VPN so that a physical interface can simultaneously access packets of multiple
users.
Issue 02 (2013-12-31)

1413

Equipment
Procedure
Step 1 Run:
system-view

Step 2 Run:
The view of the Ethernet sub-interface on the PE connecting to users is displayed.

1.
2.
(Optional) Run the group mode single command to configure the working mode of the
user VLAN group.
3.

l Run:
qinq stacking vid low-ce-vid [ to high-ce-vid ] pe-vid pe-vid [ vlan-group groupid ]
User packets with VLAN IDs within the specified range are attached with an outer VLAN
tag and QinQ stacking is configured to transparently transmit the user packets.
User packets received on Ethernet sub-interface can carry a single VLAN tag or double
VLAN tags. If an Ethernet sub-interface receives an untagged packet or a packet whose outer
VLAN VLAN tag is not the user VLAN tag, the Ethernet sub-interface discards the packet.
When running the qinq stacking vid command on different sub-interfaces of a main
interface, the values of ce-vid cannot overlap.
l Run:
qinq stacking vid low-ce-vid [ to high-ce-vid ] { 8021p { 8021p-value1 [ to 8021pvalue2 ] } &<1-10> | default }
User packets received on Ethernet sub-interfaces are attached with an outer VLAN tag based
on the matching policy. The matching policy can be VLAN+802.1.
NOTE
l When you run the qinq stacking vid low-ce-vid [ to high-ce-vid ] [vlan-group group-id]command on
a sub-interface without configuring default or specifying 8021p-value, dscp-value, or eth-type-value,
it indicates that the VLAN range is exclusively occupied by the sub-interface and thus any VLAN
within this range cannot be used in VLAN+802.1p on other sub-interfaces.
----End
Configuring the L2VPN

L2VPNs includes VLL, PWE3, and VPLS networks. A VLL simulates the traditional leased
line on the IP network, and provides asymmetric and low-cost digital data network (DDN)
services. The VLL is a point-to-point virtual private wire technology that can support almost all
the link layer protocols. PWE3 is an implementation mode of the VLL and the extension of the
Martini protocol. PWE3 extends the new signaling, reduces the cost of signaling, and defines
Issue 02 (2013-12-31)

1414

Equipment
the multi-hop negotiation mode. This makes the networking more flexible. The VPLS
technology realizes a multipoint-to-multipoint VPN networking. Through this technology, the
ISP can provide Ethernet-based multipoint-to-multipoint services for users through an MPLS
backbone network.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The view of a sub-interface for QinQ stacking is displayed.

Step 3 Configure the L2VPN.
For detailed information, see the chapters "Virtual Leased Line (VLL) Configuration", "PseudoWire Emulation Edge to Edge (PWE3) Configuration" in the Configuration Guide - VPN.
l A sub-interface for QinQ stacking can be configured with various VLL connections,
including:
Local Circuit Cross Connect (CCC) connection
Remote SVC connection
l A sub-interface for QinQ stacking can be configured with various VPLS connections,
including:
Martini VPLS
----End

After successfully configuring the sub-interface for QinQ stacking to access an L2VPN, you can
view detailed configurations on the sub-interface.
Prerequisites
The configurations of the sub-interface for QinQ stacking to access an L2VPN are complete.
Procedure
l
View the configuration of the L2VPN in SVC mode:

Run the display mpls static-l2vc [ interface interface-type interface-number ]
command to check information about the SVC L2VPN connection.
Run the display l2vpn ccc-interface vc-type static-vc { up | down } command to check
information about the SVC interface in the Up or Down state.
l
Issue 02 (2013-12-31)
View the configuration of the L2VPN in Martini mode:

1415

Equipment
Run the display mpls l2vc [ vc-id | interface interface-type interface-number ]

command to check information about the Martini MPLS L2VPN connection on the PE.
Run the display mpls l2vc remote-info [ vc-id ] command to check information about
the remote Martini MPLS L2VPN connection on the PE.
l
Run the display interface interface-type interface-number vlan vlanid command to view
configurations of all sub-interfaces on a main interface.
----End
5.5.7 Maintaining QinQ

Commands of clearing statistics on a QinQ interface helps to locate the faults on a QinQ interface.
Clearing QinQ Statistics

You can run the reset command to clear the QinQ statistics before recollecting QinQ statistics.
Context
NOTICE
Statistics about QinQ packets cannot be restored after you clear it. So, confirm the action before
you use the command.
To clear the QinQ Statistics, run the following reset command in the user view:
Procedure
Step 1 Run the reset qinq statistic interface interface-type interface-number.subinterface-number
vlan-group group-id command to clear the QinQ statistics.
----End
Monitoring the Operating Status of the Termination Sub-interface

In routine maintenance, you can run the following display commands in any view to check the
operation of the sub-interface for dot1q VLAN tag termination.
Procedure
l
Run the display dot1q information termination [ interface interface-type interfacenumber [.subinterface-number ] ] command in any view to check information about the
sub-interface for dot1q VLAN tag termination.
----End
Issue 02 (2013-12-31)

1416

Equipment

This section describes the typical application scenarios of QinQ, including networking
files.
Example for Configuring the QinQ Tunnel

After a Layer 2 QinQ tunnel is configured, different enterprises can plan their own VLANs. In
this manner, offices in different locations of the same enterprise can communicate whereas
different enterprises cannot.
In the network as shown in Figure 5-26,
It is required to configure the QinQ tunnel on ATNA and ATNB. Thus, office networks with
the same VLAN ID can interwork but office networks with the different VLAN ID cannot
interwork.
Figure 5-26 Typical networking diagram of the QinQ tunnel
ATNA
ATNB
GE0/2/0
GE0/2/1
VLAN200
GE0/2/2
VLAN100
GE0/2/0
GE0/2/1
VLAN200
GE0/2/2
VLAN100
1.
Configure the default outer VLAN tag.
2.
Configure QinQ for a Layer 2 interface.
3.
Configure the interfaces disabled with QinQ and allow the packets carrying the specific
outer tags to pass through the interface.
Data Preparation
l
Number of the interface
Default VLAN ID of the QinQ interface
Issue 02 (2013-12-31)

1417

Equipment
Procedure
Step 1 Create the default outer VLAN tag for a Layer 2 interface.
# Configure ATNA.
[ATNA] vlan batch 10 20
# Configure ATNB.
[ATNB] vlan batch 10 20
Step 2 Configure QinQ for a Layer 2 interface.

# Configure ATNA.
[ATNA-GigabitEthernet0/2/1] port link-type dot1q-tunnel
[ATNA-GigabitEthernet0/2/1] port default vlan 10
[ATNA-GigabitEthernet0/2/2] port link-type dot1q-tunnel
[ATNA-GigabitEthernet0/2/2] port default vlan 20
# Configure ATNB.
[ATNB-GigabitEthernet0/2/1] portswitch
[ATNB-GigabitEthernet0/2/1] port link-type dot1q-tunnel
[ATNB-GigabitEthernet0/2/1] port default vlan 10
[ATNB-GigabitEthernet0/2/2] port link-type dot1q-tunnel
[ATNB-GigabitEthernet0/2/2] port default vlan 20
Step 3 Configure other interfaces.

# Allow the packets in VLAN 10 and VLAN 20 to pass through GE 0/2/0 on ATNA.
[ATNA-GigabitEthernet0/2/0] port trunk allow-pass vlan 10 20
# Allow the packets in VLAN 10 and VLAN 20 to pass through GE 0/2/0 on ATN-B.
[ATNB-GigabitEthernet0/2/0] portswich
[ATNB-GigabitEthernet0/2/0] port trunk allow-pass vlan 10 20
Issue 02 (2013-12-31)

1418

Equipment

Devices with the same VLAN can ping through each other in enterprise 1.
Devices with the same VLAN can ping through each other in enterprise 2.
Devices with the different VLAN cannot ping through each other.
----End
Configuration Files
l

#
sysname ATNA
#
vlan batch 10 20
#
undo shutdown
portswitch
#
undo shutdown
portswitch
#
undo shutdown
portswitch
#
return
Configuration file of ATNB

#
sysname ATNB
#
vlan batch 10 20
#
undo shutdown
portswitch
#
undo shutdown
portswitch
#
undo shutdown
portswitch
#
return
Issue 02 (2013-12-31)

1419

Equipment
Layer 2 Flexible QinQ Configuration Examples

Layer 2 flexible QinQ is the extension of Layer 2 tunnel QinQ and proves to be more flexible.
This section uses examples to describe how to add different outer tags to the frames that enter
Layer 2 QinQ interfaces based on different inner tags using Layer 2 flexible QinQ. Layer 2
flexible QinQ provides more specific user VLAN classification.
Mobile bearer and broadband services for operators need to be differentiated by user or base
station, and can be divided into IPTV services, voice services, and data services. In a stacking
VLAN, outer tags are added to user packets based on user packet tags or priorities, so that
different users can be differentiated.
As shown in Figure 5-27, the three service flows generated by the base station, that is, NMS,
signaling, and media, are differentiated by VLAN (for example, 1001 represents the NMS, 1002
the signaling, and 1003 the media). On the ATN device, S-VLAN tags are added to these service
flows to differentiate base stations (or users). For example, S-VLAN 1000 represents NodeB 1
and S-VLAN 2000 NodeB 2.
It is required that Layer 2 QinQ be configured for the GE0/2/1 interface on ATN.
Figure 5-27 Typical networking of Layer 2 flexible QinQ
Node1:
vlan1001
vlan1002
vlan1003
:cvlan1001+svlan1000
Node1
Vlan stacking
GE0/2/1
vlan1001
vlan1002
vlan1003
GE0/2/2
GE1/3/4
GE0/2/4
Node2
GE0/2/3
RNC
Native ETH
Vlan stacking
vlan1001
vlan1002
vlan1003
Node3
Node3:
The configuration principle is as follows:
1.
Configure the default outer VLAN tag.
2.
Configure flexible QinQ for Layer 2 interfaces.
3.
Enable packets with the specified outer tag to traverse interfaces for which flexible QinQ
is not enabled.
Issue 02 (2013-12-31)

1420

Equipment
Data Preparation
l
Numbers of the interfaces connecting to base stations 1 and 2
Values of outer VLAN tags added to packets from different base stations on Layer 2
interfaces of ATN and CX
Procedure
Step 1 Configure the default outer VLAN tag for Layer 2 interfaces.
# Configures the ATN.
[ATNA] vlan batch 1000 2000 3000
# Configures the CX.

<CX> system-view
[CX] sysname CXB
[CXB] vlan batch 1000 2000 3000
Step 2 Configure flexible QinQ for Layer 2 interfaces.

# Configures ATN A.
[ATNA-GigabitEthernet0/2/1] port vlan-stacking vlan 1001 to 1004 stack-vlan 1000
Step 3 Configure other interfaces.

# Enables packets with the VLAN tag 1000,2000 and 3000 to pass the GE0/2/4 interface on
ATN.
[ATNA-GigabitEthernet0/2/4] port trunk allow-pass vlan 1000 2000 3000
# Enables packets with the VLAN tag tag 1000,2000 and 3000 to pass the GE1/3/4 interface on
CX.
[CXB] interface gigabitethernet 1/3/4
[CXB-GigabitEthernet1/3/4] portswitch
[CXB-GigabitEthernet1/3/4] port trunk allow-pass vlan 1000 2000 3000
[CXB-GigabitEthernet1/3/4] undo shutdown
[CXB-GigabitEthernet1/3/4] quit
Issue 02 (2013-12-31)

1421

Equipment

For Enterprise 1, hosts in different office locations within the same VLAN can ping each other.
For Enterprise 2, hosts in different office locations within the same VLAN can ping each other.
Any two hosts at base stations 1 and 2 cannot ping each other.
----End
Configuration Files
l
ATNA
#
sysname ATNA
#
vlan batch 1000 2000 3000
#
undo shutdown
portswitch
port vlan-stacking vlan 1001 to
#
undo shutdown
portswitch
#
undo shutdown
portswitch
#
undo shutdown
portswitch
#
return
1004 stack-vlan 1000
2000 3000
CXB
#
sysname CXB
#
vlan batch 1000 2000 3000
#
undo shutdown
portswitch
port trunk allow-pass vlan 1000 2000 3000
#
return
Example for Configuring the Sub-interface for dot1q VLAN Tag Termination to
Support Proxy ARP
This example shows how to configure a sub-interface for dot1q VLAN tag termination to support
proxy ARP, and how to enable the interworking between users in the same network segment but
in different VLANs.
Issue 02 (2013-12-31)

1422

Equipment
Network Requirements
As shown in Figure 5-28, ATN 1 and ATN 2 are connected through Ethernet sub-interfaces.
GE 0/2/0 and GE 0/2/1 on ATN belong to different VLANs. ATN 2 is connected to NodeB1
and NodeB2. NodeB1 and NodeB 2 are in the same network segment. NodeB1 and PNodeB2
are not configured with the default gateway. Proxy ARP thus needs to be configured on the subinterface GE 0/2/0.1 of ATN 1 so that NodeB1 and NodeB2 can communicate with each other.
Figure 5-28 Typical networking diagram of configuring the sub-interface for dot1q VLAN tag
termination to support proxy ARP
ATN1
GE0/2/0.1
10.1.1.254/24
GE0/2/2
ATN2
GE0/2/0
GE0/2/1
VLAN20
VLAN10
10.1.1.2/24
10.1.1.1/24
1.
Switch the Layer 3 interface of ATN 2 into a Layer 2 interface.
2.
Configure the basic Layer 2 forwarding function for ATN 2.
3.
Configure a dot1q termination sub-interface for ATN 1 and enable proxy ARP.
Data Preparation
l
Name of the sub-interface for dot1q VLAN tag termination
VLAN IDs of the interfaces on ATN 2
Procedure
Step 1 Switch the interface to a Layer 2 interface.
# Configure ATN 2.
[HUAWEI] sysname ATN2
[ATN2] interface gigabitethernet 0/2/0
[ATN2-GigabitEthernet0/2/0] portswitch
[ATN2-GigabitEthernet0/2/0] undo shutdown
[ATN2-GigabitEthernet0/2/0] quit
Issue 02 (2013-12-31)

1423

Equipment
NOTE
If the interface is already a Layer 2 interface, the preceding operation is not required.
Step 2 Configure the basic Layer 2 forwarding function.

# Configure ATN 2.
[ATN2] vlan 10
[ATN2-vlan10] port gigabitethernet 0/2/0
[ATN2-vlan10] quit
[ATN2] vlan 20
[ATN2-vlan20] port gigabitethernet 0/2/1
[ATN2-vlan20] quit
[ATN2-GigabitEthernet0/2/2] port trunk allow-pass vlan 10 20
Step 3 Configure the sub-interface for dot1q VLAN tag termination and enable proxy ARP on the subinterface.
# Configure ATN 1.
[HUAWEI] sysname ATN1
[ATN1-GigabitEthernet0/2/0] mode user-termination
[ATN1] interface gigabitethernet 0/2/0.1
[ATN1-GigabitEthernet0/2/0.1] control-vid 1 dot1q-termination
[ATN1-GigabitEthernet0/2/0.1] dot1q termination vid 10
[ATN1-GigabitEthernet0/2/0.1] dot1q termination vid 20
[ATN1-GigabitEthernet0/2/0.1] ip address 10.1.1.254 24
[ATN1-GigabitEthernet0/2/0.1] arp-proxy inter-sub-vlan-proxy enable
[ATN1-GigabitEthernet0/2/0.1] arp broadcast enable
[ATN1-GigabitEthernet0/2/0.1] undo shutdown
[ATN1-GigabitEthernet0/2/0.1] quit

Ping NodeB2 from NodeB1. The ping succeeds. If viewing the ARP table on NodeB1, you can
find that the MAC address corresponding to NodeB2 is the MAC address of GE 0/2/0 on
ATN 1.
----End
Configuration Files
l
Configuration file of ATN 1

#
sysname ATN1
#
undo shutdown
#
undo shutdown
Issue 02 (2013-12-31)

1424

Equipment
control-vid 1 dot1q-termination
dot1q termination vid 10
ip address 10.1.1.254 255.255.255.0
arp-proxy inter-sub-vlan-proxy enable
#
return
Configuration file of ATN 2

#
sysname ATN2
#
vlan batch 10 20
#
undo shutdown
portswitch
#
undo shutdown
portswitch
#
undo shutdown
portswitch
#
return
Example for Configuring the Sub-interface for QinQ VLAN Tag Termination to
Access an L3VPN
PEs are connected through an L3VPN. Each of the user packets sent to the PEs carries double
tags. This example shows how to enable the users to communicate through the L3VPN and how
to configure the L3VPN and sub-interfaces for QinQ VLAN tag termination.
As shown in Figure 5-29, NodeB is connected to the ATN through microwave, a VLAN ID is
planned for services of the same type at the NodeB, and an outer VLAN tag is added to each
upstream packet traversing microwave to differentiate NodeBs. In this manner, each user packet
sent from the NodeB to the PE has two tags. On the PE, the sub-interface for QinQ VLAN tag
termination is configured to access an L3VPN to implement interworking between CE1 and
NodeB.
Issue 02 (2013-12-31)

1425

Equipment
Figure 5-29 Typical networking diagram of configuring the sub-interface for QinQ VLAN tag
termination to access an L3VPN
Loopback1
2.2.2.9/32
Loopback1
1.1.1.9/32
GE0/2/2
100.1.1.1/24
PE1
GE0/2/1.1
10.1.1.1/24
GE0/2/1.2
20.1.1.1/24
GE1/0/0
100.1.1.2/24
Loopback1
3.3.3.9/32
GE0/2/2
100.1.2.2/24
GE2/0/0
100.1.2.1/24
GE0/2/1.2
20.2.1.1/24
PE2
GE0/2/1.1
10.2.1.1/24
QinQ termination
Switch1
Switch2
VPN1
VLAN:10
VPN2
VLAN:20
VPN1
VLAN:10
VPN2
VLAN:20
1.
Run IGP to interconnect the devices on the backbone network.
2.
Configure the basic MPLS capabilities on the backbone network.
3.
Create a VPN instance on the PE, and bind the sub-interface for QinQ VLAN tag
termination to the VPN instance.
Data Preparation
l
Name of the interface of the PE connected with the CE
VPN instance names on PE1 and PE2
RD and VPN-Target of the VPN instance
Tag value of the sub-interface for QinQ VLAN tag termination
Procedure
Step 1 Configure the interface mode to user termination.
# Configure PE1.
Issue 02 (2013-12-31)

1426

Equipment

[PE1-GigabitEthernet0/2/1] mode user-termination
# Configure PE2.
Step 2 Configure IGP on the MPLS backbone network. OSPF is used in this example.
According to Figure 5-29, configure the addresses for the interfaces on PE and P. Configure
OSPF to advertise the addresses of the loopback interfaces on PE1, P, and PE3.
# Configure PE1.
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure P.
[HUAWEI] sysname P
[P] interface LoopBack 1
[P-LoopBack1] ip address 2.2.2.9 32
[P-LoopBack1] quit
[P] interface pos 1/0/0
[P-Pos1/0/0] ip address 100.1.1.2 24
[P-Pos1/0/0] undo shutdown
[P-Pos1/0/0] quit
[P] interface pos 2/0/0
[P-Pos2/0/0] ip address 100.1.2.1 24
[P-Pos2/0/0] undo shutdown
[P-Pos2/0/0] quit
[P] ospf
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
[PE2-gigabitethernet0/2/2] ip address 100.1.2.2 24
[PE2-gigabitethernet0/2/2] undo shutdown
Issue 02 (2013-12-31)

1427

Equipment
[PE2-gigabitethernet0/2/2] quit
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1] quit
After this step, PE1 and PE2 learn the routes to the loopback interface of the peer through the
OSPF protocol. PE1 and PE2 can ping through each other.
Take the display on PE1 as an example:
Destinations : 9
Routes : 9
Destination/Mask
Proto Pre Cost
Flags NextHop
Interface
1.1.1.9/32 Direct 0
0
D 127.0.0.1
LoopBack1
2.2.2.9/32 OSPF
10
2
D 100.1.1.2
3.3.3.9/32 OSPF
10
3
D 100.1.1.2
100.1.1.0/24 Direct 0
0
D 100.1.1.1
100.1.1.1/32 Direct 0
0
D 127.0.0.1
100.1.1.2/32 Direct 0
0
D 100.1.1.2
100.1.2.0/24 OSPF
10
2
D 100.1.1.2
127.0.0.0/8
Direct 0
0
D 127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
0
D 127.0.0.1
InLoopBack0
[PE1] ping 100.1.2.2
0.00% packet loss
Step 3 Enable the basic MPLS capabilities and LDP on the MPLS backbone network.
# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
# Configure P.
[P] mpls lsr-id 2.2.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface GigabitEthernet0/2/1
[P-GigabitEthernet0/2/1] mpls
[P-GigabitEthernet0/2/1] mpls ldp
[P-GigabitEthernet0/2/1] quit
[P] interface GigabitEthernet0/2/2
Issue 02 (2013-12-31)

1428

Equipment
[P-GigabitEthernet0/2/2] mpls
[P-GigabitEthernet0/2/2] mpls ldp
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
After the configuration, the sessions between PE1 and P and between PE2 and P are set up.
Running the display mpls ldp session command, you can view that the status is "Operational".
Running the display mpls ldp lsp command, you can view the establishing status of LDP LSP.
For example, the following displays the session information on PE1:
-----------------------------------------------------------------------------Peer-ID
Status
LAM SsnRole SsnAge
KA-Sent/Rcv
-----------------------------------------------------------------------------2.2.2.9:0
Operational DU
Passive 000:00:01
5/5
[PE1] display mpls ldp lsp
LDP LSP Information
-----------------------------------------------------------------------------SN
DestAddress/Mask
In/OutLabel
Next-Hop
In/Out-Interface
-----------------------------------------------------------------------------1
1.1.1.9/32
3/NULL
127.0.0.1
GigabitEthernet0/2/1/InLoop0
2
2.2.2.9/32
NULL/3
100.1.1.2
-------/GigabitEthernet0/2/1
3
3.3.3.9/32
NULL/1024
100.1.1.2
4
100.1.2.0/24
NULL/3
100.1.1.2
-----------------------------------------------------------------------------TOTAL: 4 Normal LSP(s) Found.
TOTAL: 0 Liberal LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale
Step 4 Configure VPN instances on PEs and bind the VPN instances to the sub-interface for QinQ
VLAN tag termination.
# Configure PE1.
[PE1-GigabitEthernet0/2/1.1] control-vid 1 qinq-termination
[PE1-GigabitEthernet0/2/1.1] qinq termination pe-vid 100 ce-vid 10
[PE1-GigabitEthernet0/2/1.1] arp broadcast enable
Issue 02 (2013-12-31)

1429

Equipment

# Configure PE2.
NOTE
When you run the qinq termination command on the same primary interface, the ce-vid values cannot be
the same if the pe-vid values of the two different sub-interfaces are the same.
After the preceding configurations, run the display ip vpn-instance verbose command on PEs
to view the configurations of VPN instances.
[PE1] display ip vpn-instance verbose
Total VPN-Instances configured : 2
Create date : 2007/03/03 16:43:43
Label policy : label per route
The ttl-mode Information is : uniform
Create date : 2007/03/03 16:45:21
Label policy : label per route
The ttl-mode Information is : uniform
Issue 02 (2013-12-31)

1430

Equipment
Step 5 Import VPN routes.

# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] import-route direct
[PE1-bgp-vpn1] quit
[PE1-bgp-vpn1] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp-vpn1] quit
[PE2-bgp-vpn1] quit
After the configuration, running the display bgp peer or display bgp vpnv4 all peer command
on the PE, you can view that the BGP peer relationships between the PEs are set up and are in
the Established state.
[PE1] display bgp vpnv4 vpn-instance vpn1 peer
Total number of peers : 1
Peers in established state : 1
Peer
V
AS MsgRcvd MsgSent
OutQ Up/Down
State PrefRcv
10.1.1.2
4 65410
6
7
0 00:02:58 Established
1
Step 6 Set up MP-IBGP peer relationships between the PEs.

# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.9 as-number 100
[PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[PE1-bgp-af-vpnv4] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp-af-vpnv4] quit
After the configuration, running the display bgp peer or display bgp vpnv4 all peer command
on the PE, you can view that the BGP peer relationships between the PEs are set up and are in
the Established state.
[PE1] display bgp peer
Peer
V
AS MsgRcvd
3.3.3.9
4
100
5
[PE1] display bgp vpnv4 all peer
Issue 02 (2013-12-31)
MsgSent
5

OutQ Up/Down
State PrefRcv
0

1431

Equipment
Peer
V
AS MsgRcvd
3.3.3.9
4
100
5
Peer of vpn instance :
vpn instance vpn1 :
10.1.1.2
4 65410
6
vpn instance vpn2 :
20.1.1.2
4 65411
3
MsgSent
5

OutQ Up/Down
State PrefRcv
2
0 00:07:59
Established
0 00:06:39
Established

Running the display qinq information termination command, you can view the QinQ
termination information.
For example, the following displays the QinQ information on PE1:
[PE1] display qinq information termination interface gigabitethernet 0/2/1
L3VPN bound
Total QinQ Num: 1
qinq termination pe-vid 100 ce-vid 10
Total vlan-group Num: 0
control-vid 1 qinq-termination
L3VPN bound
Total QinQ Num: 1
----End
Configuration Files
l
configuration file of PE1

#
sysname PE1
#
#
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
undo shutdown
#
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
Issue 02 (2013-12-31)

1432

Equipment
undo shutdown
ip address 20.1.1.1 255.255.255.0
#
ip address 100.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
import-route direct
#
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 100.1.1.0 0.0.0.255
#
return
configuration file of P
#
sysname P
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
ip address 100.1.1.2 255.255.255.0
mpls
mpls ldp
#
ip address 100.1.2.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 100.1.1.0 0.0.0.255
Issue 02 (2013-12-31)

1433

Equipment
network 100.1.2.0 0.0.0.255

#
return
configuration file of PE2

#
sysname PE2
#
#
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
undo shutdown
#
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
undo shutdown
ip address 20.2.1.1 255.255.255.0
#
undo shutdown
ip address 100.1.2.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
import-route direct
#
Issue 02 (2013-12-31)

1434

Equipment

import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 100.1.2.0 0.0.0.255
#
return
Example for Configuring the Sub-interface for dot1q VLAN Tag Termination to
Access VPLS
PEs are connected through a VPLS network. Each of the user packets sent to the PEs carries one
tag. This example shows how to configure the users to communicate through the VPLS network
and how to configure the VPLS network and sub-interfaces for dot1q VLAN tag termination.
As shown in Figure 5-30, CEs are connected to PEs through switches. The packet sent from the
CE to the switch carries no VLAN tag. The switch then labels the packets from the CE with
different outer tags based on the inbound interface and then sends the packets to the PE. It is
required to configure the sub-interface for dot1q VLAN tag termination to access VPLS to
implement interworking between CEs 1 to 6. The backbone network adopts Martini VPLS and
uses LDP to set up PWs.
Issue 02 (2013-12-31)

1435

Equipment
Figure 5-30 Typical networking diagram of configuring the sub-interface for dot1q VLAN tag
termination to access a VPLS Network
VPN1
VLAN20
CE3
VPN1
VLAN20
CE6
GE1/0/0
10.1.1.6/24
GE1/0/0
10.1.1.3/24
GE1/0/1
GE1/0/2
Switch3
GE1/0/0
GE2/0/0.1
POS1/0/1
100.1.2.1/30
GE1/0/0
100.1.1.2/30
PE3
Loopback1
3.3.3.9/32
GE0/2/2
100.1.1.1/30
Loopback1
1.1.1.9/32
PE1
GE0/2/1
100.1.3.1/30
GE0/2/0.1
GE1/0/0
Switch1
GE1/0/1
CE1
VPN1
VLAN10
GE1/0/0
100.1.3.2/30
GE2/0/0.1
GE1/0/0
Loopback1
2.2.2.9/32
PE2
Switch2
GE1/0/2
GE1/0/0
10.1.1.4/24
GE1/0/0
10.1.1.1/24
POS1/0/1
100.1.2.2/30
CE4
VPN1
VLAN20
GE1/0/1
GE1/0/0
10.1.1.2/24
CE2
VPN1
VLAN10
GE1/0/2
GE1/0/0
10.1.1.5/24
CE5
VPN1
VLAN20
1.
Run IGP on the backbone network and interconnect the devices on the backbone network.
2.
Configure the routing protocol on the backbone network to interconnect the devices and
enable the basic MPLS capabilities.
3.
Set up the LSP tunnel between PEs.
4.
Enable MPLS L2VPN on PE.
5.
Create and then configure the VSI.
Issue 02 (2013-12-31)

1436

Equipment
6.
Configure the sub-interface for dot1q VLAN tag termination and bind the AC interface to
the VSI.
7.
Configure the Layer 2 forwarding function on switches.
Data Preparation
l
VSI IDs on PEs (The VSI IDs must be consistent)
MPLS LSR-IDs on PEs
VSI names on PE1, PE2, and PE3
Interface bound to VSI
Procedure
# Configure PE1.
# Configure PE2.
# Configure PE3.
According to Figure 5-30, configure the addresses for the interfaces on PE and P. Configure
OSPF to advertise the addresses of the loopback interfaces on PE1, PE2, and PE3.
# Configure PE1.
[PE1-gigabitEthernet0/2/1] ip address 100.1.3.1 30
[PE1-gigabitEthernet0/2/1] undo shutdown
[PE1-gigabitEthernet0/2/1] quit
Issue 02 (2013-12-31)

1437

Equipment

[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1] quit
# Configure PE2.
[PE2] interface pos 1/0/1
[PE2-Pos1/0/1] ip address 100.1.2.2 30
[PE2-Pos1/0/1] undo shutdown
[PE2-Pos1/0/1] quit
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1] quit
# Configure PE3.
[PE3-Pos1/0/1] ip address 100.1.2.1 30
[PE3-Pos1/0/1] quit
[PE3] ospf
[PE3-ospf-1] area 0
[PE3-ospf-1] quit
After the preceding step, PE1 and PE2 both have routes, discovered through OSPF, to the
loopback1 interface of each other. PE1 and PE3 also have routes, discovered through OSPF, to
the loopback1 interface of each other.
Destinations : 12
Routes : 13
Destination/Mask
Proto Pre Cost
Flags NextHop
Interface
1.1.1.9/32 Direct 0
0
D 127.0.0.1
2.2.2.9/32 OSPF
10
2
D 100.1.3.2
Issue 02 (2013-12-31)

1438

Equipment
3.3.3.9/32
100.1.1.0/30
100.1.1.1/32
100.1.1.2/32
100.1.2.0/30
OSPF
10
2
D 100.1.1.2
Direct 0
0
D 100.1.1.1
Direct 0
0
D 127.0.0.1
Direct 0
0
D 100.1.1.2
OSPF
10
2
D 100.1.1.2
PGigabitEthernet0/2/2
OSPF
10
2
D 100.1.3.2
100.1.3.0/30 Direct 0
0
D 100.1.3.1
100.1.3.1/32 Direct 0
0
D 127.0.0.1
100.1.3.2/32 Direct 0
0
D 100.1.3.2
127.0.0.0/8
Direct 0
0
D 127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
0
D 127.0.0.1
InLoopBack0
[PE1] ping 100.1.2.2
0.00% packet loss
# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-gigabitEthernet 0/2/1] mpls
[PE1-gigabitEthernet 0/2/1] mpls ldp
[PE1-gigabitEthernet 0/2/1] quit
[PE1-gigabitEthernet 0/2/2] mpls
[PE1-gigabitEthernet 0/2/2] mpls ldp
[PE1-gigabitEthernet 0/2/2] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface pos1/0/1
[PE2-Pos1/0/1] mpls
[PE2-Pos1/0/1] mpls ldp
[PE2-Pos1/0/1] quit
# Configure PE3.
[PE3] mpls
[PE3-mpls] quit
[PE3] mpls ldp
[PE3-mpls-ldp] quit
[PE3-gigabitEthernet1/0/0] mpls
Issue 02 (2013-12-31)

1439

Equipment
[PE3-gigabitEthernet1/0/0] mpls ldp

[PE3-Pos1/0/1] mpls
[PE3-Pos1/0/1] quit
After the preceding configurations, LDP sessions are set up between PEs. Running the display
mpls ldp session command, you can view that the Status field is "Operational".
For example, the following displays the session information on PE1:
-----------------------------------------------------------------------------PeerID
Status
LAM SsnRole SsnAge
KASent/Rcv
-----------------------------------------------------------------------------2.2.2.9:0
Operational DU
Passive 0000:00:09 37/37
3.3.3.9:0
Operational DU
Passive 0000:00:03 13/13
NOTE
If PEs are not directly connected, run the mpls ldp remote-peer command and the remote-ip command
to set up a remote LDP sessions between PEs.
Step 4 Enable MPLS L2VPN on PEs.

# Configure PE1.
[PE1] mpls l2vpn
# Configure PE2.
[PE2] mpls l2vpn
# Configure PE3.
[PE3] mpls l2vpn
Step 5 Create VSIs and specify LDP as the signaling protocol on VSIs.
# Configure PE1
# Configure PE2.
# Configure PE3.
Issue 02 (2013-12-31)

1440

Equipment
Step 6 Configure the sub-interface for dot1q VLAN tag termination and bind VSIs and AC interfaces.
# Configure PE1.
[PE1-GigabitEthernet0/2/0.1] control-vid 1 dot1q-termination
[PE1-GigabitEthernet0/2/0.1] dot1q termination vid 10
# Configure PE2.
# ConfigurePE3.
NOTE
On the same primary interface, but on different sub-interfaces, the vid values cannot overlap.
Step 7 Configure the Layer 2 forwarding function.

# Configure Switch 1.
[HUAWEI] sysname Switch1
[Switch1] vlan 10
[Switch1-vlan10] port gigabitethernet 1/0/1
[Switch1-vlan10] quit
[Switch1] vlan 20
[Switch1] interface gigabitethernet 1/0/0
[Switch1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10 20
[Switch1-GigabitEthernet1/0/0] undo shutdown
[Switch1-GigabitEthernet1/0/0] quit
[Switch2] vlan 10
[Switch2] vlan 20
Issue 02 (2013-12-31)

1441

Equipment
[Switch3] vlan 10
[Switch3] vlan 20
Configure IP addresses of the interfaces on CEs based on Figure 5-30. Set the packet sent from
the CE to the switch to carry no VLAN tag.
# Configure CE1.
[CE1-GigabitEthernet1/0/0] ip address 10.1.1.1 24
# Configure CE2.
# Configure CE3.
# Configure CE4
# Configure CE5.
# Configure CE6.
Issue 02 (2013-12-31)

1442

Equipment


Running the display qinq information termination interface command, you can view the
dot1q information.
The following displays the stacking information on PE1:
[PE1] display dot1q information termination interface gigabitethernet 0/2/0
VSI bound
Total QinQ Num: 2
After the preceding configuration, run the display vsi name ldp1 verbose command on PE1.
you can find that PWs to PE2 and PE3 are set up on the VSI named ldp1. The VSI status is Up.
[PE1] display vsi name ldp1 verbose
***VSI Name
: ldp1
Administrator VSI
: no
Isolate Spoken
: disable
VSI Index
: 0
PW Signaling
: ldp
PW MAC Learn Style
: unqualify
Encapsulation Type
: vlan
MTU
: 1500
Mode
: uniform
Service Class
: -Color
: -DomainId
: 0
Domain Name
:
VSI State
: up
VSI ID
: 2
*Peer Router ID
: 3.3.3.9
VC Label
: 142336
Peer Type
: dynamic
Session
: up
Tunnel ID
: 0x80800b,
*Peer Router ID
: 2.2.2.9
VC Label
: 142337
Peer Type
: dynamic
Session
: up
Tunnel ID
: 0x608006,
Interface Name
State
: up
**PW Information:
*Peer Ip Address
: 3.3.3.9
PW State
: up
Local VC Label
: 142336
Remote VC Label
: 142336
PW Type
: label
Tunnel ID
: 0x80800b,
*Peer Ip Address
: 2.2.2.9
PW State
: up
Local VC Label
: 142337
Remote VC Label
: 142336
PW Type
: label
Tunnel ID
: 0x608006,
Issue 02 (2013-12-31)

1443

Equipment
Hosts attached to CE1, CE2, and CE3 can ping through each other.
[CE1] ping 10.1.1.2
0.00% packet loss
[CE1] ping 10.1.1.3
0.00% packet loss
----End
Configuration Files
l

#
sysname PE1
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 2
peer 3.3.3.9
peer 2.2.2.9
#
mpls ldp
#
undo shutdown
#
undo shutdown
l2 binding vsi ldp1
#
undo shutdown
ip address 100.1.3.1 255.255.255.252
mpls
mpls ldp
#
Issue 02 (2013-12-31)

1444

Equipment
undo shutdown
ip address 100.1.1.1 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 100.1.1.0 0.0.0.3
network 100.1.3.0 0.0.0.3
#
return

#
sysname PE2
#
mpls lsr-id 2.2.2.9
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 2
peer 1.1.1.9
peer 3.3.3.9
#
mpls ldp
#
undo shutdown
#
undo shutdown
l2 binding vsi ldp1
#
undo shutdown
ip address 100.1.3.2 255.255.255.252
mpls
mpls ldp
#
interface interface Pos1/0/1
link-protocol ppp
undo shutdown
ip address 100.1.2.2 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 100.1.3.0 0.0.0.3
network 100.1.2.0 0.0.0.3
#
return
Issue 02 (2013-12-31)

1445

Equipment

#
sysname PE3
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 2
peer 1.1.1.9
peer 2.2.2.9
#
mpls ldp
#
undo shutdown
#
undo shutdown
l2 binding vsi ldp1
#
undo shutdown
ip address 100.1.1.2 255.255.255.252
mpls
mpls ldp
#
interface Pos1/0/1
link-protocol ppp
undo shutdown
ip address 100.1.2.1 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 100.1.1.0 0.0.0.3
network 100.1.2.0 0.0.0.3
#
return
Configuration file of Switch 1

#
sysname Switch1
#
vlan batch 10 20
#
undo shutdown
#
undo shutdown
#
Issue 02 (2013-12-31)

1446

Equipment
undo shutdown
#
return

#
sysname Switch2
#
vlan batch 10 20
#
undo shutdown
#
undo shutdown
#
undo shutdown
#
return

#
sysname Switch3
#
vlan batch 10 20
#
undo shutdown
#
undo shutdown
#
undo shutdown
#
return

#
sysname CE1
#
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
return

#
sysname CE2
#
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
return

#
Issue 02 (2013-12-31)

1447

Equipment
sysname CE3
#
undo shutdown
ip address 10.1.1.3 255.255.255.0
#
return

#
sysname CE4
#
undo shutdown
ip address 10.1.1.4 255.255.255.0
#
return

#
sysname CE5
#
undo shutdown
ip address 10.1.1.5 255.255.255.0
#
return

#
sysname CE6
#
undo shutdown
ip address 10.1.1.6 255.255.255.0
#
return
Example for Configuring the Sub-interface for VLAN Stacking to Access a VLL
VLL is a point-to-point L2VPN. Because the VLANIF interface does not support VLL, you
have to use the main interface to access VPN. Such a configuration is not flexible because the
same physical interface cannot be accessed by multiple users. To make one physical interface
accessed by multiple users, you can use the VLAN-based QinQ function at different subinterfaces as mentioned previously. In this case, CE-VLANs on both sides must be symmetrical.
As shown in Figure 5-31, the packet sent from the CE to the switch carries no tag. The switch
then labels the packets from the CE with different outer tags according to the inbound interface.
The packets sent from the switch to the PE carries one VLAN tag. It is required to configure the
sub-interface for VLAN stacking on the PE to access an L2VPN to implement intercommunication between CE1 and CE2, and between CE3 and CE4.
Issue 02 (2013-12-31)

1448

Equipment
Figure 5-31 Typical networking diagram of configuring the sub-interface for VLAN stacking
to access a VLL
RNC
Loopback1
1.1.1.9/32
Loopback1
3.3.3.9/32
GE0/2/1
100.1.1.1/24
PE1
GE1/3/1
100.1.1.2/24
GE0/2/0.1
PE
GE1/0/0
GE1/0/1
Switch1
GE0/2/1
100.1.2.2/24
GE1/3/2
100.1.2.1/24
Loopback1
2.2.2.9/32
GE1/0/0
20.1.1.1/24
CE3
CE1
VPN1
VLAN10
VPN1
VLAN20
GE0/2/0.1
Switch2
GE1/0/0
GE1/0/1
GE1/0/2
GE1/0/0
10.1.1.1/24
PE2
GE1/0/0
10.1.1.2/24
GE1/0/2
GE1/0/0
20.1.1.2/24
CE2
VPN1
VLAN10
CE4
VPN1
VLAN20
1.
Configure the interface mode on PE1 and PE2 as the user termination mode.
2.
Run IGP on the backbone network to interconnect the devices.
3.
Enable basic MPLS capabilities to set up an LSP in the backbone network.
4.
Set up MPLS LDP remote peer relationship between the PEs at both ends of the PW.
5.
Configure the sub-interface for QinQ VLAN stacking on the client side to access an L2VPN
on the PE.
6.
Configure Layer 2 forwarding on Switch.
Data Preparation
l
Names of the interfaces through which the PEs and the CEs are connected
L2VC IDs that must be identical at both ends of the PW
MPLS LSR IDs on the PEs and Ps
IP addresses of the remote peers of the PEs
Procedure
# Configure PE1.
Issue 02 (2013-12-31)

1449

Equipment

# Configure PE2.
Step 2 Configure IGP on the MPLS backbone network. OSPF is configured in this example.
Configure the IP addresses of the interfaces on the PEs and Ps, as shown in Figure 5-31. When
you configure OSPF, advertise the IP addresses of the loopback interfaces on PE1, P, and PE2.
# Configure PE1.
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1] quit
# Configure PE.
[HUAWEI] sysname PE
[PE] interface LoopBack 1
[PE-LoopBack1] ip address 2.2.2.9 32
[PE-LoopBack1] quit
[PE] interface gigabitEthernet1/3/1
[PE-gigabitEthernet1/3/1] ip address 100.1.1.2 24
[PE-gigabitEthernet1/3/1] undo shutdown
[PE-gigabitEthernet1/3/1] quit
[PE] interface GigabitEthernet 1/3/2
[PE-gigabitEthernet1/3/2] ip address 100.1.2.1 24
[PE-gigabitEthernet1/3/2] undo shutdown
[PE] ospf
[PE-ospf-1] area 0
[PE-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[PE-ospf-1-area-0.0.0.0] quit
[PE-ospf-1] quit
# Configure PE2.
Issue 02 (2013-12-31)

1450

Equipment
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1] quit
After this step, PE1 and PE2 can discover the routes of Loopback1 through OSPF and ping
through each other.
Destinations : 9
Routes : 9
Destination/Mask
Proto Pre Cost
Flags NextHop
Interface
1.1.1.9/32 Direct 0
0
D 127.0.0.1
LoopBack1
2.2.2.9/32 OSPF
10
2
D 100.1.1.2
gigabitEthernet0/2/1
3.3.3.9/32 OSPF
10
3
D 100.1.1.2
100.1.1.0/24 Direct 0
0
D 100.1.1.1
100.1.1.1/32 Direct 0
0
D 127.0.0.1
100.1.1.2/32 Direct 0
0
D 100.1.1.2
100.1.2.0/24 OSPF
10
2
D 100.1.1.2
127.0.0.0/8
Direct 0
0
D 127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
0
D 127.0.0.1
InLoopBack0
[PE1] ping 100.1.2.2
0.00% packet loss
# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface gigabitEthernet0/2/1
# Configure PE.
[PE] mpls lsr-id 2.2.2.9
[PE] mpls
[PE-mpls] quit
[PE] mpls ldp
[PE-mpls-ldp] quit
[PE] interface gigabitEthernet 1/3/1
[PE-gigabitEthernet1/3/1] mpls
[PE-gigabitEthernet1/3/1] mpls ldp
[PE] interface gigabitEthernet 1/3/2
Issue 02 (2013-12-31)

1451

Equipment
[P-gigabitEthernet1/3/2] mpls
[P-gigabitEthernet1/3/2] mpls ldp
[P-gigabitEthernet1/3/2] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
After the preceding configurations, LDP sessions are set up between PE1 and P, and between
PE1 and PE2. Running the display mpls ldp session command, you can view that the Status
field is "Operational". Running the display mpls ldp lsp command, you can view the
establishment status of the LDP LSP.
-----------------------------------------------------------------------------Peer-ID
Status
LAM SsnRole SsnAge
KA-Sent/Rcv
-----------------------------------------------------------------------------2.2.2.9:0
Operational DU
Passive 000:00:01
5/5
LDP LSP Information
-----------------------------------------------------------------------------SN
DestAddress/Mask
In/OutLabel
Next-Hop
In/Out-Interface
-----------------------------------------------------------------------------1
1.1.1.9/32
3/NULL
127.0.0.1
gigabitEthernet0/2/1/InLoop0
2
2.2.2.9/32
NULL/3
100.1.1.2
-------/gigabitEthernet0/2/1
3
3.3.3.9/32
NULL/1024
100.1.1.2
4
100.1.2.0/24
NULL/3
100.1.1.2
Step 4 Set up remote LDP sessions between the PEs.

# Configure PE1.
[PE1] mpls ldp remote-peer 1
[PE1-mpls-ldp-remote-1] remote-ip 3.3.3.9
[PE1-mpls-ldp-remote-1] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 1
[PE2-mpls-ldp-remote-1] remote-ip 1.1.1.9
[PE2-mpls-ldp-remote-1] quit
After the configuration, LDP sessions can be set up between PE1 and P and between PE2 and
P.
Running the display mpls ldp session command, you can view that the Status is "Operational".
Running the display mpls ldp lsp command, you can view the setup of the LDP LSP.
Issue 02 (2013-12-31)

1452

Equipment
Take PE1 as an example.

-----------------------------------------------------------------------------Peer-ID
Status
LAM SsnRole SsnAge
KA-Sent/Rcv
-----------------------------------------------------------------------------2.2.2.9:0
Operational DU
Passive 000:00:15
64/64
3.3.3.9:0
Operational DU
Passive 000:00:01
5/5
LDP LSP Information
-----------------------------------------------------------------------------SN
DestAddress/Mask
In/OutLabel
Next-Hop
In/Out-Interface
-----------------------------------------------------------------------------1
1.1.1.9/32
3/NULL
127.0.0.1
gigabitEthernet0/2/1/InLoop0
2
2.2.2.9/32
NULL/3
100.1.1.2
3
3.3.3.9/32
NULL/1025
100.1.1.2
4
100.1.1.0/24
3/NULL
100.1.1.1
5
100.1.2.0/24
NULL/3
100.1.1.2
*6
100.1.2.0/24
Liberal
Step 5 Enable MPLS L2VPN on the PEs and set up VCs, and configure the Sub-interface for VLAN
Stacking.
# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
[PE1] interface gigabitethernet gigabitEthernet0/2/0.1
[PE1-gigabitEthernet0/2/0.1] qinq stacking vid 10
[PE1-gigabitEthernet0/2/0.1] qinq stacking vid 20
[PE1-gigabitEthernet0/2/0.1] mpls l2vc 3.3.3.9 101
[PE1-gigabitEthernet0/2/0.1] undo shutdown
[PE1-gigabitEthernet0/2/0.1] quit
# Configure PE2.
[PE2] mpls l2vpn
[PE1-l2vpn] quit
[PE2-GigabitEthernet0/2/0.1] qinq stacking vid 10
[PE2-GigabitEthernet0/2/0.1] mpls l2vc 1.1.1.9 101
NOTE
Here, when configuring the sub-interface for QinQ VLAN stacking, you need to specify the value of only
the inner VLAN tag. The value of the outer tag is not required. The outer VLA tag is appended automatically
by the system.
Step 6 Configure the basic Layer 2 forwarding function and set the packet sent from the switch to the
PE to carry one VLAN tag.
Issue 02 (2013-12-31)

1453

Equipment
[Switch1] vlan 10
[Switch1] vlan 20
[Switch2] vlan 10
[Switch2] vlan 20
# Configure CE1.
# Configure CE2.
# Configure CE3.
# Configure CE4.

On the PEs, you can view that an L2 VC is set up and is in the Up state.
Issue 02 (2013-12-31)

1454

Equipment

[PE1] display mpls l2vc
Total ldp vc : 2
2 up
0 down
*Client Interface
Session State
: up
AC Status
: up
VC State
: up
VC ID
: 102
VC Type
: vlan
Destination
: 3.3.3.9
Local VC Label
: 21505
Remote VC Label
: 21505
Control Word
: Disable
Local VC MTU
: 1500
Remote VC MTU
: 1500
Tunnel Policy Name
: -Traffic Behavior Name: -PW Template Name
: -Create time
: 0 days, 0 hours, 16 minutes,
UP time
Last change time
*Client Interface
Session State
: up
AC Status
: up
VC State
: up
VC ID
: 101
VC Type
: vlan
Destination
: 3.3.3.9
Local VC Label
: 21504
Remote VC Label
: 21504
Control Word
: Disable
Local VC MTU
: 1500
Remote VC MTU
: 1500
Tunnel Policy Name
: -Traffic Behavior Name: -PW Template Name
: -Create time
UP time
Last change time
41 seconds
52 seconds
52 seconds
23 seconds
23 seconds
23 seconds
The hosts attached to CEs can ping through each other if they are in the same VLAN.
Take the display on CE1 as an example:
[CE1] ping 10.1.1.2
0.00% packet loss
ms
ms
ms
ms
ms
----End
Configuration Files
l

#
sysname PE1
#
Issue 02 (2013-12-31)

1455

Equipment
mpls lsr-id 1.1.1.9

mpls
mpls l2vpn
#
#
mpls ldp
#
mpls ldp remote-peer 1
remote-ip 3.3.3.9
#
undo shutdown
#
undo shutdown
qinq stacking vid 10
mpls l2vc 3.3.3.9 101
#
link-protocol ppp
undo shutdown
ip address 100.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 100.1.1.0 0.0.0.255
#
return
Configuration file of PE
#
sysname PE
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface gigabitEthernet1/3/1
undo shutdown
ip address 100.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface gigabitEthernet1/3/2
ip address 100.1.2.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 100.1.1.0 0.0.0.255
network 100.1.2.0 0.0.0.255
#
Issue 02 (2013-12-31)

1456

Equipment
return

#
sysname PE2
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
mpls ldp
#
mpls ldp remote-peer 1
remote-ip 1.1.1.9
#
undo shutdown
#
undo shutdown
mpls l2vc 1.1.1.9 101
#
ip address 100.1.2.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 100.1.2.0 0.0.0.255
#
return
Configuration file of Switch1

#
sysname Switch1
#
vlan batch 10 20
#
undo shutdown
#
undo shutdown
#
undo shutdown
#
return

#
sysname Switch2
#
vlan batch 10 20
Issue 02 (2013-12-31)

1457

Equipment
#
undo shutdown
#
undo shutdown
#
undo shutdown
#
return

#
sysname CE1
#
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
return

#
sysname CE2
#
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
return

#
sysname CE3
#
undo shutdown
ip address 20.1.1.1 255.255.255.0
#
return

#
sysname CE4
#
undo shutdown
ip address 20.1.1.2 255.255.255.0
#
return
Example for Configuring the Sub-interface for QinQ VLAN Stacking to Access a
VPLS Network
This example shows how to configure a Layer 3 sub-interface for QinQ stacking to access a
VPLS network. The sub-interface adds an outer VLAN tag of the ISP network to the user packet.
The sub-interface is bound to a VSI and accesses the VPLS network.
Issue 02 (2013-12-31)

1458

Equipment
As shown in Figure 5-32, CEs are connected to PEs through switches. The packet sent from the
switch to the switch carries no VLAN tags. The switch then labels the packets from the CE with
different outer tags according to the inbound interface and send the packets to the PE. It is
required to configure the sub-interface for QinQ VLAN stacking to access VPLS to implement
interworking between CE1, CE2, and CE3, and between CE4, CE5, and CE6. The backbone
network adopts Martini VPLS and uses LDP to set up PWs.
Figure 5-32 Typical networking diagram of configuring the sub-interface for VLAN stacking
to access VPLS
VPN1
VLAN20
VPN1
VLAN10
CE6
CE3
GE1/0/0
10.1.1.3/24
GE1/0/0
20.1.1.3/24
GE1/0/2
GE1/0/1
Switch3
GE1/0/0
GE2/0/0.1
GE1/3/0
100.1.1.2/30
POS1/0/1
100.1.2.1/30
PE3
Loopback1
3.3.3.9/32
GE0/2/1
100.1.1.1/30
Loopback1
1.1.1.9/32
PE1
POS1/0/1
100.1.2.2/30
GE0/2/0
100.1.3.1/30
GE1/3/0
100.1.3.2/30
GE0/2/2.1
GE2/0/0.1
GE1/0/0
Switch2
GE1/0/1
GE1/0/0
GE1/0/0
10.1.1.2/24
20.1.1.1/24
GE1/0/2
GE1/0/0
10.1.1.1/24
CE1
VPN1
VLAN10
PE2
GE1/0/0
Switch1
GE1/0/1
Loopback1
2.2.2.9/32
CE4
VPN1
VLAN20
CE2
VPN1
VLAN10
GE1/0/2
GE1/0/0
20.1.1.2/24
CE5
VPN1
VLAN20
1.
Run the IGP protocol to connect the devices on the backbone network.
2.
Configure the basic MPLS capabilities on the backbone network.
3.
Set up the LSP tunnel between PEs.
4.
5.
Create and then configure the VSI.
6.
Configure the sub-interface for QinQ VLAN stacking on PEs and bind VSIs and AC
interfaces.
Issue 02 (2013-12-31)

1459

Equipment
7.
Configure the Layer 2 forwarding function on switches.
Data Preparation
l
Consistent L2VC IDs on the both ends of PW
MPLS LSR-IDs on PEs
VSI names on PE1, PE2, and PE3
Interface bound to VSI
Procedure
# Configure PE1.
# Configure PE2.
# Configure PE3.
According to Figure 5-32, configure the addresses for the interfaces on PE. Configure OSPF to
advertise the addresses of the loopback interfaces on PE1, PE2, and PE3.
# Configure PE1.
[PE1- GigabitEthernet0/2/0] ip address 100.1.3.1 30
[PE1- GigabitEthernet0/2/0] undo shutdown
[PE1- GigabitEthernet0/2/0] quit
Issue 02 (2013-12-31)

1460

Equipment
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1] quit
network 1.1.1.9 0.0.0.0

network 100.1.1.0 0.0.0.3
network 100.1.3.0 0.0.0.3
quit
# Configure PE2.
[PE2-gigabitethernet 1/3/0] ip address 100.1.3.2 30
[PE2-gigabitethernet 1/3/0] undo shutdown
[PE2-Pgigabitethernet 1/3/0] quit
[PE2-Pos1/0/1] ip address 100.1.2.2 30
[PE2-Pos1/0/1] quit
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1] quit
# Configure PE3.
[PE3-gigabitethernet 1/3/0] ip address 100.1.1.2 30
[PE3-gigabitethernet 1/3/0] undo shutdown
[PE3-gigabitethernet 1/3/0] quit
[PE3-Pos1/0/1] ip address 100.1.2.1 30
[PE3-Pos1/0/1] quit
[PE3] ospf
[PE3-ospf-1] area 0
[PE3-ospf-1] quit
After the preceding step, PE1 and PE2 both have routes, discovered through OSPF, to the
loopback1 interface of each other. PE1 and PE3 also have routes, discovered through OSPF, to
the loopback1 interface of each other.
Destinations : 12
Routes : 13
Destination/Mask
Proto Pre Cost
Flags NextHop
Interface
1.1.1.9/32 Direct 0
0
D 127.0.0.1
LoopBack1
2.2.2.9/32 OSPF
10
2
D 100.1.3.2
3.3.3.9/32 OSPF
10
2
D 100.1.1.2
100.1.1.0/30 Direct 0
0
D 100.1.1.1
100.1.1.1/32 Direct 0
0
D 127.0.0.1
Issue 02 (2013-12-31)

1461

Equipment
100.1.1.2/32
100.1.2.0/30
Direct 0
0
D 100.1.1.2
OSPF
10
2
D 100.1.1.2
OSPF
10
2
D 100.1.3.2
100.1.3.0/30 Direct 0
0
D 100.1.3.1
100.1.3.1/32 Direct 0
0
D 127.0.0.1
100.1.3.2/32 Direct 0
0
D 100.1.3.2
127.0.0.0/8
Direct 0
0
D 127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
0
D 127.0.0.1
InLoopBack0
[PE1] ping 100.1.2.2
0.00% packet loss
# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2-gigabitethernet1/3/0] mpls
[PE2-gigabitethernet1/3/0] mpls ldp
[PE2] interface pos1/0/1
[PE2-Pos1/0/1] mpls
[PE2-Pos1/0/1] quit
# Configure PE3.
[PE3] mpls
[PE3-mpls] quit
[PE3] mpls ldp
[PE3-mpls-ldp] quit
[PE3-gigabitethernet1/3/0] mpls
[PE3-gigabitethernet1/3/0] mpls ldp
[PE3-gigabitethernet1/3/0] quit
[PE3-Pos1/0/1] mpls
Issue 02 (2013-12-31)

1462

Equipment
[PE3-Pos1/0/1] quit
After the configuration, the sessions between PE1, PE2 and PE3 are set up. Running the display
mpls ldp session command, you can view that the Status field is "Operational".
For example, the following displays the session information on PE1.
-----------------------------------------------------------------------------PeerID
Status
LAM SsnRole SsnAge
KASent/Rcv
-----------------------------------------------------------------------------2.2.2.9:0
Operational DU
Passive 0000:00:09 37/37
3.3.3.9:0
Operational DU
Passive 0000:00:03 13/13
NOTE
If PEs are not directly connected, run the mpls ldp remote-peer command and the remote-ip command
to set up a remote LDP sessions between PEs.
Step 4 Enable MPLS L2VPN on the PE.

# Configure PE1.
[PE1] mpls l2vpn
# Configure PE2.
[PE2] mpls l2vpn
# Configure PE3.
[PE3] mpls l2vpn
Step 5 Create VSIs and specify LDP as the signaling protocol on VSIs.
# Configure PE1.
# Configure PE2.
# Configure PE3.
Step 6 Configure the sub-interface for QinQ VLAN stacking, and bind VSIs and AC interfaces.
# Configure PE1
Issue 02 (2013-12-31)

1463

Equipment

# Configure PE2.
# ConfigurePE3
NOTE
Here, when configuring the sub-interface for QinQ VLAN stacking, you need to specify the value of only
the inner VLAN tag. The value of the outer tag is not required. The outer VLA tag is appended automatically
by the system.
Step 7 Configure the Layer 2 forwarding function and set the packet sent from the switch to the PE to
carry one VLAN tag.
[Switch1] vlan 10
[Switch1] vlan 20
[Switch2] vlan 10
[Switch2] vlan 20
Issue 02 (2013-12-31)

1464

Equipment
[Switch3] vlan 10
[Switch3] vlan 20
# Configure CE1.
# Configure CE2.
# Configure CE3.
# Configure CE4.
# Configure CE5.
# Configure CE6.
Issue 02 (2013-12-31)

1465

Equipment

Running the display qinq information stacking interface command, you can view the stacking
information.
The following displays the stacking information on PE1:
[PE1] display qinq information stacking interface gigabitethernet 0/2/2
VSI bound
Total QinQ Num: 2
qinq Stacking vid 10
qinq Stacking vid 20
After the preceding configuration, run the display vsi ldp1 verbose command on PE1. You can
find that PWs to PE2 and PE3 are set up on the VSI named ldp1. The VSI status is Up.
[PE1] display vsi bgp1 verbose
***VSI Name
: ldp1
VSI Index
: 0
PW Signaling
: ldp
PW MAC Learn Style
: unqualify
Encapsulation Type
: vlan
MTU
: 1500
VSI State
: up
VSI ID
: 2
*Peer Router ID
: 3.3.3.9
VC Label
: 23552
Peer Type
: dynamic
Session
: up
Tunnel ID
: 0x6002003,
*Peer Router ID
: 2.2.2.9
VC Label
: 23553
Peer Type
: dynamic
Session
: up
Tunnel ID
: 0x6002000,
Interface Name
State
: up
**PW Information:
*Peer Ip Address
: 2.2.2.9
PW State
: up
Local VC Label
: 23553
Remote VC Label
: 23552
PW Type
: label
Tunnel ID
: 0x6002000,
*Peer Ip Address
: 3.3.3.9
PW State
: up
Local VC Label
: 23552
Remote VC Label
: 23552
PW Type
: label
Tunnel ID
: 0x6002003,
The hosts attached to CE1, CE2, and CE3 can ping through each other.
[CE1] ping 10.1.1.2
0.00% packet loss
Issue 02 (2013-12-31)

1466

Equipment

[CE1] ping 10.1.1.3
0.00% packet loss
ms
ms
ms
ms
ms
----End
Configuration Files
l

#
sysname PE1
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 2
peer 3.3.3.9
peer 2.2.2.9
#
mpls ldp
#
undo shutdown
#
undo shutdown
l2 binding vsi ldp1
#
link-protocol ppp
undo shutdown
ip address 100.1.3.1 255.255.255.252
mpls
mpls ldp
#
link-protocol ppp
undo shutdown
ip address 100.1.1.1 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 100.1.1.0 0.0.0.3
Issue 02 (2013-12-31)

1467

Equipment
network 100.1.3.0 0.0.0.3

#
return

#
sysname PE2
#
mpls lsr-id 2.2.2.9
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 2
peer 1.1.1.9
peer 3.3.3.9
#
mpls ldp
#
undo shutdown
#
undo shutdown
l2 binding vsi ldp1
#
ip address 100.1.3.2 255.255.255.252
mpls
mpls ldp
#
interface Pos1/0/1
link-protocol ppp
undo shutdown
ip address 100.1.2.2 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 100.1.3.0 0.0.0.3
network 100.1.2.0 0.0.0.3
#
return

#
sysname PE3
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 2
peer 1.1.1.9
Issue 02 (2013-12-31)

1468

Equipment
peer 2.2.2.9
#
mpls ldp
#
undo shutdown
#
undo shutdown
l2 binding vsi ldp1
#
ip address 100.1.1.2 255.255.255.252
mpls
mpls ldp
#
interface Pos1/0/1
link-protocol ppp
undo shutdown
ip address 100.1.2.1 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 100.1.1.0 0.0.0.3
network 100.1.2.0 0.0.0.3
#
return

#
sysname Switch1
#
vlan batch 10 20
#
undo shutdown
#
undo shutdown
#
udno shutdown
#
return

#
sysname Switch2
#
vlan batch 10 20
#
undo shutdown
#
Issue 02 (2013-12-31)

1469

Equipment
undo shutdown
#
und shutdown
#
return

#
sysname Switch3
#
vlan batch 10 20
#
undo shutdown
#
undo shutdown
#
undo shutdown
#
return

#
sysname CE1
#
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
return

#
sysname CE2
#
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
return

#
sysname CE3
#
undo shutdown
ip address 10.1.1.3 255.255.255.0
#
return

#
sysname CE4
#
undo shutdown
ip address 20.1.1.1 255.255.255.0
Issue 02 (2013-12-31)

1470

Equipment
#
return

#
sysname CE5
#
undo shutdown
ip address 20.1.1.2 255.255.255.0
#
return

#
sysname CE6
#
undo shutdown
ip address 20.1.1.3 255.255.255.0
#
return
Example for Configuring QinQ Stacking Sub-interface+802.1p for L2VPN Access

In this networking, PE1 receives tagged packets with different 802.1p priorities; QinQ stacking
+802.1p is configured on the sub-interface at the AC side of PE1 so that an outer VLAN tag of
the ISP network is added to packets on the sub-interface; the sub-interface is bound to different
VSIs for L2VPN access. Packets are transmitted through different VSIs based on the 802.1p
priorities of the packets. The following takes the scenario where a CSG accesses IP services as
an example.
As shown in Figure 5-33, the CSG sends packets tagged with different VLAN IDs and different
802.1p priorities to PE1. It is required that QinQ stacking sub-interfaces be configured on PEs
to access the L2VPN and differentiated service transmission be implemented. In such a scenario,
you can deploy QinQ stacking+802.1p on the sub-interfaces at the AC side of PEs so that PEs
can differentiate services based on the 802.1p priorities and hence different services can be
transmitted through different PWs.
Issue 02 (2013-12-31)

1471

Equipment
Figure 5-33 Networking diagram of QinQ stacking sub-interface+802.1p-based L2VPN access

Loopback1
2.2.2.9/32
VLAN 10
CE1
PE2
Switch
80
2.1
GE1/0/2
p=
3
GE1/0/1
192.1.1.1/24
GE0/2/1.1
GE1/0/1 GE0/2/1.2
QinQ
GE1/0/3 Stacking PE1
GE1/0/2
10.1.1.1/30
GE0/2/2
10.1.1.2/30
GE0/2/3
20.1.1.2/30
Loopback1
1.1.1.9/32
2.1
80
p=
GE1/0/1
192.1.1.4/24
GE1/0/1.1
GE1/0/2
20.1.1.1/30
GE1/0/1.1
PE3
CE2
VLAN 20
Loopback1
3.3.3.9/32
VLAN
PW
VLAN
NOTE
L2VPN includes the VLL, PWE3, and VPLS. You can configure any one of them as required. The following
takes the VPLS application as an example.

1.
Configure the interface mode on PEs to user termination.
2.
Run an IGP to ensure intercommunication between ATNs on the backbone network.
3.
Configure basic MPLS functions, and set up LSPs between PEs.
4.
5.
Set up VSIs and then configure them.
6.
Configure QinQ stacking sub-interfaces on PEs and bind AC interfaces to VSIs.
7.
Configure the basic Layer 2 forwarding function on the CSG.
Data Preparation
l
VSI IDs on PEs (VSI IDs must be consistent)
MPLS LSR IDs on PEs
Names of the VSIs on PEs
Names of interfaces bound to the VSIs
Issue 02 (2013-12-31)

1472

Equipment
Procedure
Step 1 Configure basic VPLS functions.
# Set up a VPLS connection between PE1 and PE2, and between PE1 and PE3, with LDP being
the signaling protocol; configure the VSI names to be LDP1 and LDP2. The detailed
configurations are not mentioned here. You can refer to the chapter "VPLS Configuration" in
the Configuration Guide - VPN or the configuration files in this configuration example.
Step 2 Configure the interface mode on PEs to user termination.
# Configure PE1.
<PE1> system-view
# Configure PE2.
<PE2> system-view
# Configure PE3.
<PE3> system-view
Step 3 Configure QinQ stacking+802.1p, and bind AC interfaces to VSIs.

# Configure PE1.
<PE1> system-view
8021p 3
8021p 3
8021p 2
8021p 2
# Configure PE2.
<PE2> system-view
# Configure PE3.
<PE3> system-view
Issue 02 (2013-12-31)

1473

Equipment

Step 4 Configure basic functions of the CSG.

following:
NOTE
Packets sent from the CSG to PE1 carry VLAN tags with different 802.1p priorities.
Step 5 Configure the Layer 2 forwarding function on CEs.

The detailed configurations are not mentioned here. You can refer to the configuration files in
Run the display qinq information stacking interface command, and you can view
configurations of QinQ stacking sub-interfaces.
<PE1> display qinq information stacking interface gigabitethernet 0/2/1
Total QinQ Num: 2
Total QinQ Num: 2
After the preceding configurations, run the display vsi name ldp1 verbose command on PE1,
and you can view that a PW to PE2 is set up for a VSI named ldp1, and the VSI is in the Up
state.
<PE1> display vsi name ldp1 verbose
***VSI Name
Administrator VSI
Isolate Spoken
VSI Index
PW Signaling
PW MAC Learn Style
Encapsulation Type
MTU
Diffserv Mode
Service Class
Color
DomainId
Domain Name
Ignore AcState
Create Time
VSI State
VSI ID
Issue 02 (2013-12-31)
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
ldp1
no
disable
0
ldp
static
unqualify
vlan
1500
uniform
--255
disable
up
: 1

1474

Equipment
*Peer Router ID
VC Label
Peer Type
Session
Tunnel ID
Broadcast Tunnel ID
CKey
NKey
StpEnable
PwIndex
Interface Name
State
Last Up Time
Total Up Time

:
:
:
:
:
:
:
:
:
:
2.2.2.9
30720
dynamic
up
0x810004
0x810004
2
1
0
0
:
:
:
:
up
2009/09/02 12:22:04
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
2.2.2.9
up
30720
30720
label
0x810004
0x810004
0x2
0x1
0x810004
0x0
LSP
0
0
2009/09/02 12:22:40
**PW Information:
*Peer Ip Address
PW State
Local VC Label
Remote VC Label
PW Type
Tunnel ID
Broadcast Tunnel ID
Ckey
Nkey
Main PW Token
Slave PW Token
Tnl Type
OutInterface
Stp Enable
Mac Flapping
PW Last Up Time
PW Total Up Time
Run the display interface vlan command, and you can view the matching policy with the
specified VLAN ID on a specified interface.
<PE1> display interface gigabitethernet0/2/1 vlan 10
Interface
VlanPolicy
----------------------------------------------------------GE0/2/1.1
8021p 3
GE0/2/1.2
8021p 2
1
----End
Configuration Files
l

#
sysname PE1
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
vsi ldp1 static
Issue 02 (2013-12-31)

1475

Equipment
pwsignal ldp
vsi-id 1
peer 2.2.2.9
#
vsi ldp2 static
pwsignal ldp
vsi-id 2
peer 3.3.3.9
#
mpls ldp
#
undo shutdown
#
qinq stacking vid 10 8021p 3
l2 binding vsi ldp1
#
l2 binding vsi ldp2
#
undo shutdown
ip address 10.1.1.2 255.255.255.252
mpls
mpls ldp
#
undo shutdown
ip address 20.1.1.2 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.3
network 20.1.1.0 0.0.0.3
network 1.1.1.9 0.0.0.3
#
return

#
sysname PE2
#
mpls lsr-id 2.2.2.9
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 1
peer 1.1.1.9
#
mpls ldp
#
undo shutdown
Issue 02 (2013-12-31)

1476

Equipment
#
l2 binding vsi ldp1
#
undo shutdown
ip address 10.1.1.1 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.3
#
return

#
sysname PE3
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
vsi ldp2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.9
#
mpls ldp
#
undo shutdown
#
l2 binding vsi ldp2
#
undo shutdown
ip address 20.1.1.1 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 20.1.1.0 0.0.0.3
#
return

#
sysname CE1
#
Issue 02 (2013-12-31)

1477

Equipment
undo shutdown
ip address 192.1.1.1 255.255.255.0
#
return

#
sysname CE2
#
undo shutdown
ip address 192.1.1.4 255.255.255.0
#
return
5.6 STP/RSTP Configuration

The Spanning Tree Protocol (STP) trims a ring network into a loop-free tree network. It prevents
replication and circular propagation of packets, provides multiple redundant paths for virtual
LAN (VLAN) data traffic, and enables load balancing. The Rapid Spanning Tree Protocol
(RSTP) was developed based on STP to implement faster convergence. RSTP defines edge ports
and provides protection functions.
5.6.1 STP/RSTP Overview

STP is a management protocol on the data link layer. It is used to block redundant links on Layer
2 networks and trim a network into a loop-free tree. The Rapid Spanning Tree Protocol (RSTP)
is a supplement to STP and implements rapid convergence.
Introduction
STP/RSTP is used to block redundant links on Layer 2 networks and trim a network into a loopfree tree topology.
Background
Network designers tend to deploy multiple physical links between two devices (one link is the
master and the others are backups) to fulfill network redundancy requirements. Loops are bound
to occur on such types of complex networks.
Loops will cause broadcast storms, thereby exhausting network resources and paralyzing the
network. Loops also cause MAC address flapping that damages MAC address entries.
Devices can run STP to discover loops on the network by exchanging information with each
other, and trim the ring topology into a loop-free tree topology by blocking an interface. These
capabilities help prevent replication and circular propagation of packets on the network which
in turn helps avoid degradation of switching device performance.
With all its merits, STP is not able to converge network topologies quickly. In 2001, the IEEE
published document 802.1w, which introduces an evolution in the Spanning Tree Protocol:
Rapid Spanning Tree Protocol (RSTP). Although based on the same principles, RSTP was
developed for rapid convergence and far outperforms STP.
Issue 02 (2013-12-31)

1478

Equipment
Concepts
l
Root bridge
A tree topology must have a root.
There is only one root bridge on the entire STP/RSTP-capable network. The root bridge is
the logical center but is not necessarily the physical center of the entire network. Another
switching device can serve as the root bridge following a change in the network topology.
ID
Bridge ID
As defined in IEEE 802.1D, a bridge ID (BID) is composed of a 2-byte bridge priority
and a 6-byte bridge MAC address.
On an STP-capable network, the device with the smallest BID is selected as the root
bridge.
Port ID
A 16-bit port ID (PID) is composed of a 4-bit port priority and a 12-bit port number.
PIDs are used to select a designated port. When the root path costs and the sender BIDs
of two ports are the same, the port with a smaller PID is selected as the designated port.
As shown in Figure 5-34, the root path costs and sender BIDs of port A and port B on
S2 are the same. Port A has a smaller PID, and is selected as the designated port.
Path cost
A path cost is port-specific and is used by STP/RSTP to select a link. STP/RSTP calculates
the path cost to select robust links and blocks redundant links to trim the network into a
loop-free tree topology.
On an STP/RSTP-capable network, the accumulative cost of the path from a certain port
to the root bridge is the sum of the costs of the segment paths into which the path is separated
by the ports on the transit bridges.
STP port roles

Root port
The root port is the port that is nearest to the root bridge. The root port is determined
based on the path cost. Among all the STP-capable ports on the network bridge, the port
with the lowest root path cost is the root port. There is only one root port on an STPcapable device, but there is no root port on the root bridge.
Designated Port
The designated port on a switching device forwards bridge protocol data units (BPDUs)
to the downstream switching device. All ports on the root bridge are designated ports.
A designated port is selected for each network segment. The device on which the
designated port resides is called the designated bridge.
RSTP port roles

Compared with STP, RSTP has two additional types of ports, the alternate port and backup
port. More port roles are defined to simplify deployment of STP.
Issue 02 (2013-12-31)

1479

Equipment
Figure 5-34 Diagram of port roles

S1
Root bridge
S2
S3
S1
Root bridge
S2
A
S3
B
b
Root port
Designated port
Alternate port
Backup port
As shown in Figure 5-34, RSTP defines four port roles: root port, designated port, alternate
port, and backup port.
The functions of the root port and designated port are the same as those defined in STP.
The functions of the alternate port and backup port are as follows:
From the perspective of configuration BPDU transmission:
The alternate port is blocked after learning the configuration BPDUs sent by other
bridges.
The backup port is blocked after learning the configuration BPDUs sent by itself.
From the perspective of user traffic:
The alternate port backs up the root port and provides an alternate path from the
designated bridge to the root bridge.
The backup port backs up the designated port and provides an alternate path from
the root node to the leaf node.
After all ports are assigned roles, topology convergence is completed.
l
STP port state

Table 5-15 shows the port status of an STP-capable port.
Issue 02 (2013-12-31)

1480

Equipment
Table 5-15 STP port state
Port state
Purpose
Description
Forwarding
A port in the Forwarding state forwards

user traffic and BPDUs.
Only the root port and

designated port can enter the
Forwarding state.
Learning
When a port is in the Learning state, a

device creates a MAC address table
based on the received user traffic but does
not forward the traffic.
This is a transition state,

which is designed to prevent
temporary loops.
Listening
A port in the Listening state is

participating in election of the root
bridge, root port, or designated port.
This is a transition state.
Blocking
A port in the Blocking state receives and

forwards only BPDUs but does not
forward user traffic.
This is the final state of a

blocked port.
Disabled
A port in the Disabled state forwards

neither BPDUs nor user traffic.
The port is Down.
RSTP port state

Table 5-16 shows the port status of an RSTP-capable port.
Table 5-16 RSTP port state
Port state
Description
Forwarding
A port in the Forwarding state can send and receive BPDUs as

well as forward user traffic.
Learning
This is a transition state. A port in the Learning state learns MAC

addresses from user traffic to construct a MAC address table.
In the Learning state, the port can send and receive BPDUs, but
cannot forward user traffic.
Discarding
A port in the Discarding state can only receive BPDUs.
NOTICE
MSTP is the default mode for all Huawei datacom devices. After a device experiences the
transition from the MSTP mode to the STP mode, an STP-capable port supports the same
port states as those supported by an MSTP-capable port, including the Forwarding,
Learning, and Discarding states. For details, see Table 5-16.
l
Issue 02 (2013-12-31)
Three timers
1481

Equipment
Hello Timer
Sets the interval at which BPDUs are sent.
Forward Delay Timer
Sets the time spent in the Listening and Learning states.
Max Age
Sets the maximum lifetime of a BPDU on the network. When the Max Age time is
reached, the connection to the root bridge is considered broken.
Comparison between STP, RSTP, and MSTP

Table 5-17 compares STP, RSTP, and MSTP in terms of the characteristics of each protocol
and their applicable environments.
Table 5-17 Comparison between STP, RSTP, and MSTP
Spanning
Tree
Protocol
Characteristics
Applicable
Environment
Precautions
STP
Ensures a loop-free tree

topology that helps
prevent broadcast storms
and allows for redundant
links between switches.
Irrespective of users or
services, all VLANs
share one spanning
tree.
l If the current
switching device
supports STP and
RSTP, RSTP is
recommended.
RSTP
l Ensures a loop-free
tree topology that helps
prevent broadcast
storms and allows for
redundant links
between switches.
l Provides a feedback
mechanism to confirm
topology convergence,
implementing rapid
convergence.
Issue 02 (2013-12-31)

l If the current
switching device
supports STP/RSTP
and MSTP, MSTP
is recommended.
See MSTP
Configuration.
1482

Equipment
Spanning
Tree
Protocol
Characteristics
Applicable
Environment
MSTP
l Ensures a loop-free
tree topology that helps
prevent broadcast
storms and allows for
redundant links
between switches in an
MSTP region.
User or service-specific
load balancing is
required. Traffic for
different VLANs is
forwarded through
different spanning
trees, which are
independent of each
other.
implementing rapid
convergence.
Precautions
l Implements load
balancing among
VLANs. Traffic in
different VLANs is
transmitted along
different paths.
STP/RSTP Features Supported by the ATN

Before configuring STP/RSTP, familiarize yourself with basic STP/RSTP functions, topology
convergence, STP/RSTP protection, and STP/RSTP interoperability between Huawei devices
and non-Huawei devices.
STP/RSTP also supports the following features to meet the requirements of special applications
and extended functions:
l
Provides a feedback mechanism to confirm topology convergence, implementing rapid

convergence.
RSTP provides the protection functions listed in Table 5-18.
Supports STP/RSTP interoperability between Huawei devices and non-Huawei devices.

Certain parameters must be set on Huawei devices to ensure uninterrupted communication.
Issue 02 (2013-12-31)

1483

Equipment
Table 5-18 RSTP Protection Function
Issue 02 (2013-12-31)
Protection
Function
Scenario
Configuration Impact
BPDU
protection
An edge port changes into

a non-edge port after
receiving a BPDU, which
triggers spanning tree
recalculation. If an attacker
keeps sending pseudo
BPDUs to a switching
device, network flapping
occurs.
After BPDU protection is enabled, the

switching device shuts down the edge port
if the edge port receives an RST BPDU.
Then the device notifies the NMS of the
shutdown event. The attributes of the edge
port are not changed.
Topology
Change (TC)
protection
Generally, after receiving

TC BPDUs (packets for
advertising network
topology changes), a
switching device needs to
delete MAC entries and
ARP entries. Frequent
deletions exhaust CPU
resources.
TC protection is used to suppress TC

BPDUs. You can configure the number of
times a switching device processes TC
BPDUs within a given time period. If the
number of TC BPDUs that the switching
device receives within a given time
exceeds the specified threshold, the
switching device processes only the
specified number of TC BPDUs. After the
specified time period expires, the device
processes the excess TC BPDUs for once.
This function prevents the switching
device from frequently deleting MAC
entries and ARP entries, saving CPU
resources.
Root
protection
Due to incorrect
configurations or
malicious attacks on the
network, a root bridge may
receive BPDUs with a
higher priority than its own
priority. Consequently, the
legitimate root bridge is no
longer able to serve as the
root bridge and the
network topology is
changed, triggering
spanning tree
recalculation. This may
transfer traffic from highspeed links to low-speed
links, causing traffic
congestion.
If a designated port is enabled with the root

protection function, the role of the port
cannot be changed. Once a designated port
that is enabled with root protection
receives RST BPDUs with a higher
priority, the port enters the Discarding state
and does not forward packets. If the port
does not receive any RST BPDUs with a
higher priority before a period (generally
two Forward Delay periods) expires, the
port automatically enters the Forwarding
state.

1484

Equipment
Protection
Function
Scenario
Loop
protection
A root port or an alternate

port will age if link
congestion or a one-way
link failure occurs. After
the root port ages, a
switching device may reselect a root port
incorrectly. After the
alternate port ages, the port
enters the Forwarding
state. Loops may occur in
such a situation.
After loop protection is configured, if the

root port or alternate port does not receive
RST BPDUs from the upstream switching
device for a long time, the switching device
notifies the NMS that the port enters the
Discarding state. The blocked port remains
in the Blocked state and no longer forwards
packets. This function helps prevent loops
on the network. The root port transitions to
the Forwarding state after receiving new
BPDUs.
5.6.2 Configuring Basic STP/RSTP Functions

Context
STP/RSTP is commonly configured on switching devices to trim a ring network into a loop-free
network. Devices start spanning tree calculation after the STP/RSTP working mode is set and
STP/RST is enabled. Use any of the following methods if you need to intervene in the spanning
tree calculation:
l
Set a priority for a switching device: The lower the numerical value, the higher the priority
of the switching device and the more likely the switching device becomes a root bridge;
the higher the numerical value, the lower the priority of the switching device and the less
likely that the switching device becomes a root bridge.
Set a path cost for a port: With the same calculation method, the lower the numerical value,
the smaller the cost of the path from the port to the root bridge and the more likely the port
becomes a root port; the higher the numerical value, the larger the cost of the path from the
port to the root bridge and the less likely that the port becomes a root port.
Set a priority for a port: The lower the numerical value, the more likely the port becomes
a designated port; the higher the numerical value, the less likely that the port becomes a
designated port.
Before You Start

Before configuring basic STP/RSTP functions, familiarize yourself with the usage scenario,
Issue 02 (2013-12-31)

1485

Equipment
STP/RSTP can be deployed on a network to eliminate loops. If a loop is detected, STP/RSTP
blocks one port to eliminate the loop.
As shown in Figure 5-35, CX-A, CX-B, ATNC and CX-D form a ring network, and STP/RSTP
is enabled on the ring network to eliminate loops, enhancing reliability of the network.
Figure 5-35 Diagram of a ring network
Network
Root
Bridge
CX-A
CX-B
ATNC
CX-D
PC1
PC2
Blocked port
NOTE
If the current switching device supports STP and RSTP, RSTP is recommended.
Before configuring basic STP/RSTP functions, connect interfaces and setting physical
parameters for the interfaces to ensure that the interfaces are physically Up.
Data Preparation
To configure basic STP/RSTP functions, you need the following data.
Issue 02 (2013-12-31)
No.
Data
(Optional) Priority of a switching device
(Optional) Priority of a port
(Optional) Path cost of a port

1486

Equipment
Configuring the STP/RSTP Mode

Before configuring basic STP/RSTP functions on a switching device, set the working mode to
STP or RSTP. RSTP is compatible with STP.
Procedure
Step 1 Run:
system-view

Step 2 Run:
stp mode { stp | rstp }
The working mode of the switching device is set to STP or RSTP.

By default, the working mode of a switching device is MSTP. MSTP is compatible with STP
and RSTP.
On a ring network running only STP, set the working mode of a switching device to STP; on a
ring network running RSTP, set the working mode of a switching device to RSTP. In other cases,
use the default working mode MSTP.
----End
(Optional) Configuring Switching Device Priorities

Select a switching device (functioning as a root bridge) from switching devices for each spanning
tree. You can configure the priorities of the switching devices to preferentially select a root
bridge. The lower the numerical value is, the higher priority a switching device has and the more
likely the switching device will be selected as a root bridge.
Context
On an STP/RSTP-capable network, there is only one root bridge, which is the logic center of
the entire spanning tree. During root bridge selection, a high-performance switching device at
a high network layer should be selected as the root bridge; however, the priority of such a device
may not be the highest on the network. It is therefore necessary to set a high priority for the
switching device to ensure that the device functions as a root bridge.
Low-performance devices at lower network layers are not fit to serve as a root bridge. Therefore,
set low priorities for these devices.
Procedure
Step 1 Run:
system-view

Step 2 Run:
stp priority
priority
The priority of a switching device is configured.

Issue 02 (2013-12-31)

1487

Equipment
The default priority value of a switching device is 32768.

NOTE
l To configure a switching device as the primary root bridge, run the stp root primary command. The
priority value of this switching device is 0.
l To configure a switching device as a secondary root bridge, run the stp root secondary command. The
priority value of this switching device is 4096.
A switching device cannot act as a primary root bridge and as a secondary root bridge at the same time.
l If you want to change the priority of a switching device after you run the stp root primary command
or the stp root secondary command to configure the switching device as the primary root bridge or
secondary root bridge, disable the root bridge function or secondary root bridge function, and then run
the stp priority priority command to set a priority.
----End
(Optional) Configuring the Path Cost for a Port

The STP/RSTP path cost determines root port selection. The port from which to the root port
costs the least is selected as the root port.
Context
A path cost is port-specific and is used by STP/RSTP to select a link.
The path cost value range is determined by the calculation method. After the calculation method
is determined, it is recommended that you set a relatively small path cost value for the ports with
high link rates.
In the Huawei proprietary calculation method for example, the link rate determines the
recommended value for the path cost. Table 5-19 lists the recommended path costs for ports
with different link rates.
Table 5-19 Mappings between link rates and path cost values
Link Rate
Recommended
Path Cost
Recommended
Path Cost Range
Path Cost Range
10 Mbit/s
2000
200 to 20000
1 to 200000
100 Mbit/s
200
20 to 2000
1 to 200000
1 Gbit/s
20
2 to 200
1 to 200000
10 Gbit/s
2 to 20
1 to 200000
Over 10 Gbit/s
1 to 2
1 to 200000
If a network has loops, it is recommended that you set a relatively large path cost for ports with
low link rates. STP/RSTP then blocks these ports.
Issue 02 (2013-12-31)

1488

Equipment
Procedure
Step 1 Run:
system-view

Step 2 Run:
stp pathcost-standard { dot1d-1998 | dot1t | legacy }
A path cost calculation method is configured.

By default, the IEEE 802.1t standard (dot1t) is used to calculate the default path cost.
All switching devices on a network must use the same path cost calculation method.
Step 3 Run:

portswitch
The interface is switched to a Layer 2 interface.

NOTE
If the interface itself is a Layer 2 interface, this step can be skipped. Run the display this command in the
interface view. If "portswitch" is displayed in the command output, the interface is a Layer 2 interface.
Step 5 Run:
stp cost cost
A path cost is set for the interface.

l When the Huawei proprietary calculation method is used, cost ranges from 1 to 200000.
l When the IEEE 802.1d standard method is used, cost ranges from 1 to 65535.
l When the IEEE 802.1t standard method is used, cost ranges from 1 to 200000000.
----End
(Optional) Configuring Port Priorities

In each spanning tree, select a designated port for each connection according to the bridge ID,
the cost of path and port IDs. The lower the numerical value, the more likely the port on a
switching device becomes a designated port; the higher the numerical value, the more likely the
port is to be blocked.
Context
Whether a port will be selected as a designated port is determined by its priority. For details, see
Introduction.
To block a port to eliminate loops, set the port priority value to be larger than the default value
when the devices have the same bridge ID and path cost. This port will be blocked during
designated port selection.
Issue 02 (2013-12-31)

1489

Equipment
Procedure
Step 1 Run:
system-view

Step 2 Run:
The view of the Ethernet interface participating in STP calculation is displayed.

portswitch

NOTE
Step 4 Run:
stp port priority priority
The port priority is configured.

The default priority value of a port on a switching device is 128.
----End
Enabling STP/RSTP
After STP/RSTP is enabled, spanning trees are calculated.
Context
After STP/RSTP is enabled on a ring network, STP/RSTP immediately calculates spanning trees
on the network. Configurations on the switching device, such as the switching device priority
and port priority, will affect spanning tree calculation. Any change to the configurations may
cause network flapping. Therefore, to ensure rapid and stable spanning tree calculation, perform
basic configurations on the switching device and its ports, and enable STP/RSTP.
Procedure
Step 1 Run:
system-view

Step 2 Run:
stp enable
STP/RSTP is enabled on the switching device.

By default, STP/RSTP is enabled on a ATN.
----End
Issue 02 (2013-12-31)

1490

Equipment

After basic STP/RSTP functions are configured, you can view the information such as the port
roles and port status to check the spanning tree calculation.
Prerequisites
Basic STP/RSTP functions have been configured.
Procedure
l
Run the display stp [ interface interface-typeinterface-number ] [ brief ] command to view

the spanning-tree status and statistics.
----End
5.6.3 Configuring STP/RSTP Parameters on an Interface

STP does not have a mechanism to confirm topology convergence, whereas RSTP provides a
feedback mechanism to implement rapid convergence.
Context
STP does not implement rapid convergence; however, STP parameters such as the network
diameter, Hello timer, Max Age timer, and Forward Delay timer, may affect network
convergence. RSTP is a refinement of STP and implements rapid convergence. In addition to
the preceding parameters, the link type, rapid transition mechanism, and maximum number of
sent BPDUs also affect STP/RSTP topology convergence.
Table 5-20 shows the STP/RSTP parameters that affect STP/RSTP topology convergence.
Table 5-20 Parameters affecting the STP/RSTP topology convergence
Issue 02 (2013-12-31)
Paramete
r
Description
Commands
Remarks
System
parameter
Network
diameter, timer
values (Hello
timer, Forward
Delay timer,
Max Age
timer), and
timeout period
to wait for
BPDUs from
the upstream
device (3 x
Hello timer
value x Time
factor)
l stp bridge-diameter
diameter
It is recommended that you

set the network diameter to
determine the timer value.
The switching device
automatically calculates
the Forward Delay period,
Hello time, and Max Age
time based on the network
diameter. Then, you can
run the stp timer-factor
factor command to set the
timeout period for waiting
for BPDUs from the
upstream (3 x Hello timer
value x Time factor).
l stp timer hello hello-time

l stp timer forward-delay
forward-delay
l stp timer max-age maxage
l stp timer-factor factor

1491

Equipment
Paramete
r
Description
Commands
Remarks
Port
parameter
Link type of a
port
l stp point-to-point { auto |

force-false | force-true }
A P2P link helps

implement rapid
convergence.
l If the port works in fullduplex mode, the link
connecting to the port is
a P2P link.
l If the port works in
half-duplex mode, you
can forcibly switch the
link connecting to the
port to a P2P link.
l In other cases, you can
enable the port to
automatically
determine whether to
connect to a P2P link.
Port transition
to the RSTP
mode
l stp mcheck
On a switching device
running RSTP, if an
interface is connected to a
device running STP, the
interface automatically
transitions to the STP
mode.
Enable MCheck on an
interface if the interface
fails to automatically
transition to the RSTP
mode.
Issue 02 (2013-12-31)

1492

Equipment
Paramete
r
Description
Commands
Remarks
Maximum
number of
BPDUs sent by
the interface per
second
l stp transmit-limit packetnumber
If the maximum number of

BPDUs sent by the
interface per second is set
properly, the rate at which
BPDUs are sent can be
restricted. This parameter
prevents RSTP from
consuming too much
bandwidth if network
flapping occurs.
NOTE
If the maximum number of
BPDUs sent per second
needs to be configured for all
interfaces of the device, run
the stp transmit-limit
(system view) command in
the global view.
Edge ports
l stp edged-port enable
The ports connected to

terminals do not participate
in STP/RSTP calculation.
If a port is configured as an
edge port, the port does not
participate in STP/RSTP
calculation.
After BPDU protection is
configured on a switching
device, an edge port is shut
down when receiving
BPDUs. You can
configure the port to go Up
after a specified delay has
elapsed.
Before You Start

Before configuring parameters affecting STP/RSTP rapid convergence, familiarize yourself
On some specific networks, proper RSTP parameter settings will help implement rapid network
convergence.
Issue 02 (2013-12-31)

1493

Equipment
NOTE
The default configurations for the parameters described in this section help implement RSTP rapid
convergence. Therefore, the configuration process and all involved procedures described in this section
are optional.
Before configuring STP/RSTP parameters, configure basic STP/RSTP functions.
Data Preparation
To configure STP/RSTP parameters, you need the following data.
No.
Data
Network diameter
Hello timer, Forward Delay timer, Max Age timer, and timeout period for waiting
for BPDUs from the upstream (3 x Hello timer value x Time factor)
Link type of a port
Whether a port is enabled with rapid transition mechanism
Whether a port needs to transition to the RSTP mode
Maximum number of sent BPDUs
Whether a port needs to be configured as an edge port
Whether auto recovery needs to be configured for an edge port being shut down
Whether a port needs to clear statistics of the spanning tree
10
Whether the edge port needs to be configured as a BPDU filter
Configuring System Parameters

STP/RSTP parameters that may affect network convergence include the network diameter, Hello
timer, and timeout period for waiting for BPDUs from the upstream device (3 x Hello timer
value x Time factor). Therefore, STP/RSTP parameters must be set properly to help implement
rapid network convergence.
Procedure
Step 1 Run:
system-view

Step 2 Run:
stp bridge-diameter diameter
The network diameter is configured.

Issue 02 (2013-12-31)

1494

Equipment
By default, the network diameter is 7.

l RSTP uses a single spanning tree instance on the entire network. As a result, performance
deterioration cannot be prevented when the network scale grows. Therefore, the network
diameter cannot be larger than 7.
l It is recommended that you run the stp bridge-diameter diameter command to set the
network diameter. Then, the switching device calculates the optimal Forward Delay period,
Hello timer value, and Max Age timer value based on the set network diameter.
Step 3 Run:
stp timer-factor factor
The timeout period for waiting for BPDUs from the upstream device is set.
By default, the timeout period is 9 times the Hello timer value.
Step 4 (Optional) If the current device is at the edge of a network, run both or either of the following
commands as needed:
l To configure all ports on the devices as edge ports, run:
stp edged-port default
By default, a port is a non-edge port.

After ports on a network edge device are configured as edge ports, the ports no longer
participate in spanning tree calculation. This speeds up network topology convergence and
improves network stability.
l To configure all ports on the devices as BPDU filter ports, run:
stp bpdu-filter default
By default, a port is a non-BPDU filter port.

After ports on a network edge device are configured as BPDU filter ports, the ports no longer
process or send BPDUs.
NOTE
After the stp bpdu-filter default and stp edged-port default commands are run in the system view, all
ports on the device no longer actively send BPDUs or negotiate with directly-connected ports; instead, all
the ports are in the Forwarding state. This may lead to a loop on the network, causing broadcast storms.
Exercise caution when running these commands.
Step 5 (Optional) To set the Forward Delay period, Hello timer, and Max Age timer, perform the
l Run the stp timer forward-delay forward-delay command to set the Forward Delay timer.
The default Forward Delay timer of a switching device is 1500 centiseconds.
l Run the stp timer hello hello-time command to set the Hello timer.
The default Hello timer of a switching device is 200 centiseconds.
l Run the stp timer max-age max-age command to set the Max Age timer.
The default Max Age timer of a switching device is 2000 centiseconds.
Issue 02 (2013-12-31)

1495

Equipment
NOTE
The values of the Hello timer, Forward Delay timer, and Max Age timer must comply with the following
formulas; otherwise, network flapping occurs.
l 2 x (Forward Delay - 1.0 second) >= Max Age
l Max Age >= 2 x (Hello Time + 1.0 second)
----End
Configuring Port Parameters

Port parameters that may affect RSTP topology convergence include the link type and maximum
number of sent BPDUs. Proper port parameter settings help implement rapid topology
convergence.
Procedure
Step 1 Run:
system-view

Step 2 Run:

portswitch

NOTE

stp point-to-point { auto | force-false | force-true }
The link type is configured for the interface.

By default, an interface automatically determines whether to connect to a P2P link. The P2P link
supports rapid network convergence.
l If the Ethernet port works in full-duplex mode, the port is connected to a P2P link. In this
case, force-true can be configured to implement rapid network convergence.
l If the Ethernet port works in half-duplex mode, you can run stp point-to-point force-true
to forcibly set the link type to P2P.
Step 5 Run:
stp mcheck
MCheck is enabled.
On a port of switching device running RSTP is connected to a device running STP, the port
automatically transitions to the STP interoperable mode.
Issue 02 (2013-12-31)

1496

Equipment
Enabling MCheck on the port is required because the port may fail to automatically transition
to the RSTP mode in the following situations:
l The switching device running STP is shut down or moved.
l The switching device running STP transitions to the RSTP mode.
NOTE
If you run the stp mcheck command in the system view, the MCheck operation is performed on all the
interfaces.
Step 6 Run:
stp transmit-limit packet-number
The maximum number of BPDUs sent by a port per second is set.

By default, the maximum number of BPDUs that a port sends per second is 147.
NOTE
If the maximum number of BPDUs sent per second needs to be configured for all interfaces of the device,
run the stp transmit-limit (system view) command in the global view.

stp edged-port enable
The port is configured as an edge port.

If a device port is connected to a terminal, you can run this command to configure the port as
an edge port.
If the current port has been configured as an edge port, the port can still send BPDUs. This may
cause BPDUs to be sent to other networks, leading to network flapping. To prevent this problem,
run the stp bpdu-filter enable command to configure the edge port as a BPDU filter port and
disable the port from processing or sending BPDUs.
NOTE
After the stp bpdu-filter enable command is run on a port, the port no longer processes or sends BPDUs.
The port will not negotiate with the directly-connected port to establish an STP connection.
Step 8 Run:
quit

----End
Follow-up Procedure
When the topology of a spanning tree changes, the forwarding paths to associated VLANs are
changed. The ARP entries corresponding to those VLANs on the switching device need to be
updated. STP/RSTP processes ARP entries in either fast or normal mode.
l
In fast mode, ARP entries to be updated are directly deleted.
In normal mode, ARP entries to be updated are rapidly aged.
Issue 02 (2013-12-31)

1497

Equipment
The remaining lifetime of ARP entries to be updated is set to 0. The switching device rapidly
processes these aged entries. If the number of ARP aging probe attempts is not set to 0,
ARP implements aging probe for these ARP entries.
In either fast or normal mode, MAC entries are directly deleted.
You can run the stp converge { fast | normal } command in the system view to configure the
STP/RSTP convergence mode.
By default, the normal STP/RSTP convergence mode is used.
NOTE
The normal mode is recommended. If the fast mode is adopted, ARP entries will be frequently deleted,
causing the CPU usage on the MPU or LPU to reach 100%. As a result, network flapping will frequently
occur.

After configuring STP/RSTP parameters that affect the topology convergence, you can check
the configurations.
Prerequisites
The parameters that affect topology convergence have been configured.
Procedure
l
Run the display stp [ interface interface-type interface-number ] [ brief ] command to

view spanning-tree status and statistics.
----End
Example
Run the display stp command to view the values of the Hello timer, Max Age timer, Forward
Delay timer, maximum number of sent BPDUs within each Hello time interval, and whether a
port is connected to a P2P link.
<HUAWEI> display stp interface gigabitethernet 0/2/1
----[Port1(GigabitEthernet0/2/1)][FORWARDING]---Port Protocol
:enabled
Port Role
:Root Port
Port Priority
:128
Port Cost(Legacy)
:Config=auto / Active=20
Desg. Bridge/Port
:0.00e0-e70a-4d00 / 128.5
Port Edged
:Config=default / Active=disabled
Point-to-point
:Config=auto / Active=true
Transit Limit
:6 packets/hello-time
Protection Type
:None
Port Stp Mode
:RSTP
Port Protocol Type :Config=auto / Active=dot1s
BPDU Encapsulation :Config=stp / Active=stp
PortTimes
:Hello 2s MaxAge 14s FwDly 10s RemHop 0
TC or TCN send
:1
TC or TCN received :0
BPDU Sent
:4
TCN: 0, Config: 0, RST: 4, MST: 0
BPDU Received
:22
Last forwarding time: 2012/04/23 20:06:08 UTC+00:00
Issue 02 (2013-12-31)

1498

Equipment
5.6.4 Configuring RSTP Protection Functions

This section describes how to configure RSTP protection functions. You can configure one or
more functions.
Before You Start

Before configuring RSTP protection functions, familiarize yourself with the usage scenario,
RSTP provides the protection functions listed in Table 5-21.
Table 5-21 RSTP Protection Function
Issue 02 (2013-12-31)
Protection
Function
Scenario
BPDU
protection
An edge port changes into a

non-edge port after
occurs.

switching device shuts down the edge port if
the edge port receives an RST BPDU. Then
the device notifies the NMS of the shutdown
event. The attributes of the edge port are not
changed.
Topology
Change (TC)
protection

advertising network
delete MAC entries and ARP
entries. Frequent deletions
exhaust CPU resources.
TC protection is used to suppress TC BPDUs.

You can configure the number of times a
switching device processes TC BPDUs
within a given time period. If the number of
TC BPDUs that the switching device receives
within a given time exceeds the specified
threshold, the switching device processes
only the specified number of TC BPDUs.
After the specified time period expires, the
device processes the excess TC BPDUs for
once. This function prevents the switching
device from frequently deleting MAC entries
and ARP entries, saving CPU resources.

1499

Equipment
Protection
Function
Scenario
Root
protection
Due to incorrect
configurations or malicious
attacks on the network, a
root bridge may receive
BPDUs with a higher
priority than its own priority.
Consequently, the legitimate
root bridge is no longer able
to serve as the root bridge
and the network topology is
changed, triggering
spanning tree recalculation.
This may transfer traffic
from high-speed links to
low-speed links, causing
traffic congestion.
If a designated port is enabled with the root

protection function, the role of the port cannot
be changed. Once a designated port that is
enabled with root protection receives RST
BPDUs with a higher priority, the port enters
the Discarding state and does not forward
packets. If the port does not receive any RST
BPDUs with a higher priority before a period
(generally two Forward Delay periods)
expires, the port automatically enters the
Forwarding state.
Loop
protection

congestion or a one-way link
failure occurs. After the root
port ages, a switching device
may re-select a root port
incorrectly. After the
enters the Forwarding state.
Loops may occur in such a
situation.
After loop protection is configured, if the root

port or alternate port does not receive RST
BPDUs from the upstream switching device
for a long time, the switching device notifies
the NMS that the port enters the Discarding
state. The blocked port remains in the
Blocked state and no longer forwards packets.
This function helps prevent loops on the
network. The root port transitions to the
Forwarding state after receiving new BPDUs.
Before configuring basic RSTP functions, complete the following task:
l
Configure basic RSTP functions.

NOTE
Configure an edge port on the switching device before configuring BPDU protection.
Data Preparation
To configure basic RSTP functions, you need the following data.
Issue 02 (2013-12-31)
No.
Data
Number of the port on which root protection is to be enabled
Number of the port on which loop protection is to be enabled

1500

Equipment
Configuring BPDU Protection on a Switching Device

After BPDU protection is enabled, a switching device shuts down an edge port if the edge port
receives a BPDU, and notifies the NMS of the shutdown event.
Context
Edge ports are directly connected to user terminal and will not receive BPDUs. Attackers may
send pseudo BPDUs to attack the switching device. If the edge ports receive the BPDUs, the
switching device configures the edge ports as non-edge ports and triggers a new spanning tree
calculation. Network flapping then occurs. BPDU protection can be used to protect switching
devices against malicious attacks.
Perform the following steps on a switching device that has an edge port.
Procedure
Step 1 Run:
system-view

Step 2 Run:
stp bpdu-protection
BPDU protection is enabled on the switching device.

By default, BPDU protection is disabled on the switching device.
----End
Configuring Root Protection on a Port

The root protection function on a switching device protects a root bridge by preserving the role
of a designated port.
Context
Due to incorrect configurations or malicious attacks on the network, a root bridge may receive
BPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to serve
as the root bridge and the network topology is changed, triggering spanning tree recalculation.
This also may cause the traffic that should be transmitted over high-speed links to be transmitted
over low-speed links, leading to network congestion. The root protection function on a switching
device is used to protect the root bridge by preserving the role of the designated port.
NOTE
Root protection takes effect only on designated ports.
Perform the following steps on the root bridge.
Procedure
Step 1 Run:
system-view
Issue 02 (2013-12-31)

1501

Equipment

Step 2 Run:

portswitch

NOTE
Step 4 Run:
stp root-protection
Root protection is enabled on the interface.

By default, root protection is disabled.
----End
Configuring Loop Protection on a Port

The loop protection function suppresses loops caused by link congestion.
Context
On a network running RSTP, a switching device maintains the root port status and status of
blocked ports by receiving BPDUs from an upstream switching device. If the switching device
cannot receive BPDUs from the upstream device because of link congestion or unidirectionallink failure, the switching device re-selects a root port. The original root port becomes a
designated port and the original blocked ports change to the Forwarding state. This switching
may cause network loops, which can be mitigated by configuring loop protection.
After loop protection is configured, if the root port or alternate port does not receive BPDUs
from the upstream switching device, the root port is blocked and the switching device notifies
the NMS that the port enters the Discarding state. The blocked port remains in the Blocked state
and no longer forwards packets. This function helps prevent loops on the network. The root port
transitions to the Forwarding state after receiving new BPDUs.
NOTE
An alternate port is a backup port for a root port. If a switching device has an alternate port, you need to
configure loop protection on both the root port and the alternate port.
Perform the following steps to configure loop protection on the root port and alternate port of a
switching device.
Procedure
Step 1 Run:
system-view
Issue 02 (2013-12-31)

1502

Equipment

Step 2 Run:

portswitch

NOTE
Step 4 Run:
stp loop-protection
Loop protection for the root port or the alternate port is configured on the switching device.
By default, loop protection is disabled.
----End

After RSTP protection functions are configured, you can verify that the configurations take
effect.
Prerequisites
RSTP protection functions have been configured.
Procedure
l

view the status of a spanning tree, including the status of protection functions on a switching
device.
----End
5.6.5 Configuring STP/RSTP Interoperability Between Huawei

Devices and Non-Huawei Devices
To supports STP/RSTP interoperability between Huawei devices and non-Huawei devices,
proper parameters are required on Huawei devices running STP/RSTP to ensure nonstop
communication.
Before You Start

Before configuring STP/RSTP interoperability between Huawei devices and non-Huawei
devices, familiarize yourself with the usage scenario, complete the pre-configuration tasks, and
obtain the required data.
Issue 02 (2013-12-31)

1503

Equipment
On a network running STP/RSTP, inconsistent protocol packet formats and BPDU keys may
lead to a communication failure. Configuring proper STP/RSTP parameters on Huawei devices
ensures interoperability between Huawei devices and non-Huawei devices.
Before configuring STP/RSTP interoperability between Huawei devices and non-Huawei
devices, configure basic STP/RSTP functions.
Data Preparation
To configure STP/RSTP interoperability between Huawei devices and non-Huawei devices, you
No.
Data
BPDU format
Configuring the Proposal/Agreement Mechanism

To enable Huawei Datacom devices to communicate with non-Huawei devices, a proper rapid
transition mechanism needs to be configured on Huawei devices based on the Proposal/
Agreement mechanism on non-Huawei devices.
Context
The rapid transition mechanism is also called the Proposal/Agreement mechanism. Switching
devices currently support the following modes:
l
Enhanced mode: The current interface counts a root port when it counts the synchronization
flag bit.
An upstream device sends a Proposal message to a downstream device, requesting rapid
status transition. After receiving the message, the downstream device sets the port
connected to the upstream device to a root port and blocks all non-edge ports.
The upstream device then sends an Agreement message to the downstream device. After
the downstream device receives the message, the root port transitions to the Forwarding
state.
The downstream device responds the Proposal message with an Agreement message.
After receiving the message, the upstream device sets the port connected to the
downstream device as a designated port. The designated port then transitions to the
Forwarding state.
Common mode: The current interface ignores the root port when it counts the
synchronization flag bit.
connected to the upstream device to a root port and blocks all non-edge ports. The root
port then transitions to the Forwarding state.
Issue 02 (2013-12-31)

1504

Equipment
The downstream device responds the Proposal message with an Agreement message.
Forwarding state.
When Huawei datacom devices are interworking with non-Huawei devices, select either mode
depending on the Proposal/Agreement mechanisms on non-Huawei devices.
Procedure
Step 1 Run:
system-view

Step 2 Run:

portswitch

NOTE
Step 4 Run:
stp no-agreement-check
The common rapid transition mechanism is configured.

By default, the interface uses the enhanced rapid transition mechanism.
----End

After MSTP parameters are configured for the interoperability between Huawei devices and
non-Huawei devices, you can verify that the configurations take effect.
Prerequisites
Parameters have been configured to ensure MSTP interoperability between Huawei devices and
non-Huawei devices.
Procedure
l

view spanning-tree status.
----End
Issue 02 (2013-12-31)

1505

Equipment
Example
Run the display stp command to view the working mode of the spanning tree and the BPDU
format. For example:
<HUAWEI> display stp interface gigabitethernet 0/2/1
:enabled
Port Role
:Root Port
Port Priority
:128
Port Cost(Legacy)
Desg. Bridge/Port
:0.00e0-e70a-4d00 / 128.5
Port Edged
Point-to-point
Transit Limit
Protection Type
:None
Port Stp Mode
:RSTP
BPDU Encapsulation:Config=stp / Active=stp
PortTimes
TC or TCN send
:1
BPDU Sent
:4
BPDU Received
:22
5.6.6 Maintaining STP/RSTP

STP/RSTP maintenance includes clearing STP/RSTP statistics.
Clearing STP/RSTP Statistics

You can run the reset commands to clear STP/RSTP statistics.
Context
NOTICE
STP/RSTP statistics cannot be restored after being cleared.
Procedure
Step 1 Run the reset stp [ interface interface-type interface-number ] statistics command to clear
spanning-tree statistics.
----End

This section describes the networking requirements, configuration roadmap, data preparation,
and procedures for some typical application scenarios for STP/RSTP. This section also provides
the related configuration files.
Issue 02 (2013-12-31)

1506

Equipment
Example for Configuring Basic STP Functions

This example shows how to configure basic STP functions.
On a complex network, loops are inevitable. With the requirement for network redundancy
backup, network designers tend to deploy multiple physical links between two devices, one of
which is the master and the others are the backup. Loops are likely or bound to occur in such a
situation.
network. Loops also cause flapping of MAC address tables and thus damages MAC address
entries.
STP can be deployed on a network to eliminate loops by blocking some ports. On the network
shown in Figure 5-36, after CX-A, CX-B, ATNC, and CX-D running STP discover loops on
the network by exchanging information with each other, they trim the ring topology into a loopfree tree topology by blocking a certain port. In this manner, replication and circular propagation
of packets are prevented on the network and the switching devices are released from processing
duplicated packets, thereby improving their processing performance.
Figure 5-36 Networking diagram of configuring basic STP functions
RNC
GE1/0/3
CX-D
GE1/0/1 GE1/0/1
GE1/0/3
Root
Bridge
GE1/0/2
GE1/0/2
CX-A
STP
GE0/2/3
ATNC
GE1/0/3
GE0/2/1
GE1/0/1
CX-B
GE1/0/2
GE0/2/2
Blocked port
1.
Issue 02 (2013-12-31)
Configure basic STP functions, including:

a.
Configure the STP mode for the ring network.
b.
Configure primary and secondary root bridges.

1507

Equipment
c.
Set path costs for ports to block certain ports.
d.
Enable STP to eliminate loops, including:
l Enable STP globally.

l Enable STP on all the interfaces except the interfaces connected to terminals.
NOTE
STP is not required on the interfaces connected to NodeB and RNC because these interfaces
do not need to participate in STP calculation.
By default, STP is enabled on a Layer 2 interface but not enabled on a Layer 3 interface.
Data Preparation
l
GE interface number, as shown in Figure 5-36
Primary root bridge CX-A and secondary root bridge CX-D
Path cost of a port to be blocked (20000 is used in this example)
Procedure
Step 1 Configure basic STP functions.
1.
Configure the STP mode for the devices on the ring network.
# Configure the STP mode on CX-A.
[HUAWEI] sysname CX-A
[CX-A] stp mode stp
# Configure the STP mode on CX-B.

[CX-B] stp mode stp
# Configure the STP mode on ATNC.

[ATNC] stp mode stp
# Configure the STP mode on CX-D.

[HUAWEI] sysname CX-D
[CX-D] stp mode stp
2.

# Configure CX-A as a primary root bridge.
[CX-A] stp root primary
# Configure CX-D as a secondary root bridge.

[CX-D] stp root secondary
3.
Set path costs for ports in each MSTI to block certain ports.
NOTE
l The values of path costs depend on path cost calculation methods. Use the Huawei proprietary
calculation method as an example to set the path costs of the ports to be blocked to 20000.
l All switching devices on a network must use the same path cost calculation method.
# Set the path cost of GE0/2/1 on ATNC to 20000.

Issue 02 (2013-12-31)

1508

Equipment

[ATNC-GigabitEthernet0/2/1] stp cost 20000
4.
Enable STP to eliminate loops.

l Disable STP on interfaces connected to NodeB and RNC.
# Disable STP on GE 1/0/2 on CX-B.
[CX-B-GigabitEthernet1/0/2] stp disable
# Disable STP on GE 0/2/2 on ATNC.

[ATNC-GigabitEthernet0/2/2] stp disable
l Enable STP globally.

# Enable STP globally on CX-A.
[CX-A] stp enable
# Enable STP globally on CX-B.

[CX-B] stp enable
# Enable STP globally on ATNC.

[ATNC] stp enable
# Enable STP globally on CX-D.

[CX-D] stp enable
l Enable STP on all the interfaces except the interfaces connected to terminals.
# Enable STP on GE 1/0/1 and GE 1/0/2 on CX-A.
[CX-A] interface gigabitethernet 1/0/1
[CX-A-GigabitEthernet1/0/1] undo shutdown
[CX-A-GigabitEthernet1/0/1] portswitch
[CX-A-GigabitEthernet1/0/1] stp enable
[CX-A-GigabitEthernet1/0/1] quit
# Enable STP on GE 1/0/1 and GE 1/0/3 on CX-B.

[CX-B-GigabitEthernet1/0/1] stp enable
# Enable STP on GE 0/2/1 and GE 0/2/3 on ATNC.

[ATNC-GigabitEthernet0/2/1] stp enable
# Enable STP on GE 1/0/1 and GE 1/0/2 on CX-D.

[CX-D-GigabitEthernet1/0/1] undo shutdown
[CX-D-GigabitEthernet1/0/1] portswitch
[CX-D-GigabitEthernet1/0/1] stp enable
Issue 02 (2013-12-31)

1509

Equipment


After the previous configurations, run the following commands to verify the configuration when
the network is stable:
# Run the display stp brief command on CX-A to view the interface status and protection type.
The displayed information is as follows:
[CX-A] display stp brief
MSTID Port
0
0
Role
DESI
DESI
STP State
FORWARDING
FORWARDING
Protection
NONE
NONE
After CX-A is configured as a root bridge, GE 1/0/2 and GE 1/0/1 connected to CX-B and CXD respectively are elected as designated ports in spanning tree calculation.
# Run the display stp interface gigabitethernet 1/0/1 brief command on CX-B to view status
of GE 1/0/1. The displayed information is as follows:
[CX-B] display stp interface gigabitethernet 1/0/1 brief
MSTID Port
Role STP State
Protection
0
DESI FORWARDING
NONE
GE 1/0/1 is elected as a designated port in spanning tree calculation and is in the Forwarding
state.
# Run the display stp interface gigabitethernet 0/2/3 brief command on ATNC to view status
[ATNC] display stp interface gigabitethernet 0/2/3 brief
MSTID Port
Role STP State
Protection
0
ROOT FORWARDING
NONE
state.
# Run the display stp command on CX-D to view the interface status and protection type. The
displayed information is as follows:
[CX-D] display stp
-------[CIST Global Info][Mode STP]------CIST Bridge
:4096 .00e0-2c09-9200
Bridge Times
:Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC
:0
.00e0-0543-6a00 / 20000
CIST RegRoot/IRPC
:4096 .00e0-2c09-9200 / 0
CIST RootPortId
:128.1
BPDU-Protection
:disabled
CIST Root Type
:SECONDARY root
TC count per hello :0
STP Converge Mode
:Normal
Share region-configuration :enabled
Time since last TC :0 days 0h:5m:44s
:enabled
Port Role
:Root Port
Port Priority
:128
Port Cost(Dot1T )
Desg. Bridge/Port
:0.00e0-0543-6a00 / 128.1
Issue 02 (2013-12-31)

1510

Equipment
Port Edged
Point-to-point
Transit Limit
Protection Type
:None
Port Stp Mode
:STP
PortTimes
TC or TCN send :4
BPDU Sent
:5
BPDU Received
:177
:enabled
Port Role
:Designated Port
Port Priority
:128
Port Cost(Dot1T )
Desg. Bridge/Port
:4096.00e0-2c09-9200 / 128.2
Port Edged
Point-to-point
Transit Limit
Protection Type
:None
Port Stp Mode
:STP
PortTimes
TC or TCN send :2
BPDU Sent
:165
BPDU Received
:2
----End
Configuration Files
l

#
sysname CX-A
#
stp mode
stp
stp instance 0 root
primary
stp
enable
#
interface
portswitch
undo shutdown
#
interface
portswitch
undo shutdown
#
return

#
sysname CX-B
#
Issue 02 (2013-12-31)

1511

Equipment
stp mode
stp
stp
enable
#
interface
portswitch
undo shutdown
#
stp
disable
#
interface
portswitch
undo shutdown
#
return

#
sysname ATNC
#
stp mode
stp
stp
enable
#
interface
stp instance 0 cost
20000
#
interface
portswitch
undo shutdown
stp
disable
#
interface
portswitch
undo shutdown
#
return
#

#
sysname CX-D
#
stp mode
stp
stp instance 0 root
secondary
stp
enable
#
interface
undo shutdown
portswitch
Issue 02 (2013-12-31)

1512

Equipment
#
interface
undo shutdown
portswitch
#
return
Example for Configuring Basic RSTP Functions

This example shows how to configure basic RSTP functions.
situation.
entries.
RSTP can be deployed on a network to eliminate loops by blocking some ports, and it is
developed to implement the rapid convergence based on STP but outperforms STP. On the
network shown in Figure 5-37, after A, CX-B, ATNC, and CX-D running RSTP discover loops
on the network by exchanging information with each other, they trim the ring topology into a
loop-free tree topology by blocking a certain port. In this manner, replication and circular
propagation of packets are prevented on the network and the switching devices are released from
processing duplicated packets, thereby improving their processing performance.
Issue 02 (2013-12-31)

1513

Equipment
Figure 5-37 Networking diagram of configuring basic RSTP functions
Network
GE1/0/3
CX-D
GE1/0/3
Root
GE1/0/1 GE1/0/1
Bridge
CX-A
GE1/0/2
GE1/0/2
RSTP
GE0/2/3
GE1/0/3
ATNC
GE0/2/1
CX-B
GE1/0/1
GE0/2/2
GE1/0/2
PC1
PC2
Blocked port
1.
Configure basic RSTP functions, including:

a.
Configure the RSTP mode for the ring network.
b.
c.
Set path costs for ports in each MSTI to block certain ports.
d.
Enable RSTP to eliminate loops, including:

l Enable RSTP globally.
l Enable RSTP on all the interfaces except the interfaces connected to terminals.
NOTE
RSTP is not required on the interfaces connected to terminals because these interfaces do not
need to participate in RSTP calculation.
By default, RSTP is enabled on a Layer 2 interface but not enabled on a Layer 3 interface.
2.
Configure RSTP protection functions, for example, root protection on a designated port of
a root bridge in each MSTI.
Data Preparation
Issue 02 (2013-12-31)

1514

Equipment
GE interface number, as shown in Figure 5-37
Primary root bridge CX-A and secondary root bridge CX-D
Path cost of a port to be blocked (20000 is used in this example)
Procedure
Step 1 Configure basic RSTP functions.
1.
Configure the RSTP mode for the devices on the ring network.
# Configure the RSTP mode on CX-A.
[CX-A] stp mode rstp
# Configure the RSTP mode on CX-B.

[CX-B] stp mode rstp
# Configure the RSTP mode on ATNC.

[ATNC] stp mode rstp
# Configure the RSTP mode on CX-D.

[CX-D] stp mode rstp
2.

# Configure CX-A as a primary root bridge.
[CX-A] stp root primary
# Configure CX-D as a secondary root bridge.

[CX-D] stp root secondary
3.
Set path costs for ports in each spanning tree to block certain ports.
NOTE
l The values of path costs depend on path cost calculation methods. Use the Huawei proprietary
calculation method as an example to set the path costs of the ports to be blocked to 20000.
l All switching devices on a network must use the same path cost calculation method.
# On CX-A, configure the path cost calculation method as the Huawei proprietary method.
[CX-A] stp pathcost-standard legacy
# On CX-B, configure the path cost calculation method as the Huawei proprietary method.
[CX-B] stp pathcost-standard legacy
# On ATNC, configure the path cost calculation method as the Huawei proprietary method
and set the path cost of GE 0/2/1 to 20000.
[ATNC] stp pathcost-standard legacy
[ATNC-GigabitEthernet0/2/1] stp cost 20000
# On CX-D, configure the path cost calculation method as the Huawei proprietary method.
[CX-D] stp pathcost-standard legacy
4.
Issue 02 (2013-12-31)
Enable RSTP to eliminate loops.

1515

Equipment
l Disable RSTP on interfaces connected to PCs.

# Disable RSTP on GE 1/0/2 on CX-B.
# Disable RSTP on GE 1/0/2 on ATNC.

l Enable RSTP globally.

# Enable RSTP globally on CX-A.
[CX-A] stp enable
# Enable RSTP globally on CX-B.

[CX-B] stp enable
# Enable RSTP globally on ATNC.

[ATNC] stp enable
# Enable RSTP globally on CX-D.

[CX-D] stp enable
l Enable RSTP on all the interfaces except the interfaces connected to terminals.
# Enable RSTP on GE 1/0/1 and GE 1/0/2 on CX-A.
# Enable RSTP on GE 1/0/1 and GE 1/0/3 on CX-B.

[CX-B-GigabitEthernet1/0/1] portswitch
# Enable RSTP on GE 0/2/1 and GE 0/2/3 on ATNC.

# Enable RSTP on GE 1/0/1 and GE 1/0/2 on CX-D.

Issue 02 (2013-12-31)

1516

Equipment
Step 2 Configure RSTP protection functions, for example, root protection on a designated port of a root
bridge in each MSTI.
# Enable root protection on GE 1/0/1 on CX-A.
[CX-A-GigabitEthernet1/0/1] stp root-protection
# Enable root protection on GE 1/0/2 on CX-A.


After the previous configurations, run the following commands to verify the configuration when
the network is stable:
MSTID Port
0
0
Role
DESI
DESI
STP State
FORWARDING
FORWARDING
Protection
ROOT
ROOT
After CX-A is configured as a root bridge, GE 1/0/2 and GE 1/0/1 connected to CX-B and CXD respectively are elected as designated ports in spanning tree calculation. The root protection
function is enabled on the designated ports.
# Run the display stp interface gigabitethernet 1/0/1 brief command on CX-B to view status
[CX-B] display stp interface gigabitethernet 1/0/1 brief
MSTID Port
Role STP State
Protection
0
DESI FORWARDING
NONE
state.
# Run the display stp interface gigabitethernet 0/2/3 brief command on ATNC to view status
MSTID Port
Role STP State
Protection
0
ROOT FORWARDING
NONE
state.
# Run the display stp command on CX-D to view the interface status and protection type. The
displayed information is as follows:
[CX-D] display stp
-------[CIST Global Info][Mode RSTP]------CIST Bridge
:4096 .00e0-2c09-9200
CIST Root/ERPC
CIST RegRoot/IRPC
CIST RootPortId
Issue 02 (2013-12-31)
:0
.00e0-0543-6a00 / 20000
:4096 .00e0-2c09-9200 / 0
:128.1

1517

Equipment
BPDU-Protection
:disabled
CIST Root Type
:SECONDARY root
TC count per hello :0
STP Converge Mode
:Normal
Share region-configuration :enabled
Time since last TC :0 days 0h:5m:44s
:enabled
Port Role
:Root Port
Port Priority
:128
Port Cost(Dot1T )
Desg. Bridge/Port
:0.00e0-0543-6a00 / 128.1
Port Edged
Point-to-point
Transit Limit
Protection Type
:None
Port Stp Mode
:RSTP
PortTimes
TC or TCN send :4
BPDU Sent
:5
BPDU Received
:177
:enabled
Port Role
:Designated Port
Port Priority
:128
Port Cost(Dot1T )
Desg. Bridge/Port
:4096.00e0-2c09-9200 / 128.2
Port Edged
Point-to-point
Transit Limit
Protection Type
:None
Port Stp Mode
:RSTP
PortTimes
TC or TCN send :2
BPDU Sent
:165
BPDU Received
:2
----End
Configuration Files
l

#
sysname CX-A
#
stp mode
rstp
stp instance 0 root
primary
stp pathcost-standard
legacy
stp
enable
#
Issue 02 (2013-12-31)

1518

Equipment
interface
stp rootprotection
#
interface
stp rootprotection
#
return

#
sysname CX-B
#
stp mode
rstp
legacy
stp
enable
#
interface
#
stp
disable
#
interface
#
return

#
sysname ATNC
#
stp mode
rstp
legacy
stp
enable
#
interface
stp instance 0 cost
20000
#
interface
stp
disable
#
interface
#
return
#

#
sysname CX-D
#
stp mode
Issue 02 (2013-12-31)

1519

Equipment
rstp
stp instance 0 root
secondary
legacy
stp
enable
#
interface
#
interface
#
return
5.7 MSTP Configuration

The Multiple Spanning Tree Protocol (MSTP) trims a ring network into a loop-free tree network.
It prevents replication and circular propagation of packets, provides multiple redundant paths
for Virtual LAN (VLAN) data traffic, and enables load balancing.
5.7.1 MSTP Overview

MSTP enables multiple VLANs to be grouped into a spanning-tree instance, forming a VLAN
mapping table. Each instance has a spanning-tree topology independent of other spanning-tree
instances. This architecture provides multiple forwarding paths for data traffic and enables load
balancing.
MSTP Introduction
The Multiple Spanning Tree Protocol (MSTP) incorporates the functions of the Spanning Tree
Protocol (STP) and Rapid Spanning Tree Protocol (RSTP), and outperforms them. It enables
rapid convergence and provides load balancing across redundant paths.
Background
STP and RSTP are used in a LAN to prevent loops. Devices can run STP to discover loops on
the network by exchanging information with each other, and trim the ring topology into a loopfree tree topology by blocking an interface. These capabilities help prevent replication and
circular propagation of packets on the network which in turn helps avoid degradation of
switching device performance.
STP and RSTP share a similar limitation: All VLANs on a LAN use one spanning tree, which
means that inter-VLAN load balancing cannot be performed. A link will no longer transmit
traffic once it is blocked, which wastes bandwidth and causes forwarding failures in some
VLANs.
To address the deficiencies in STP and RSTP, the IEEE released the 802.1s standard in 2002,
which defines MSTP. MSTP is compatible with STP and RSTP. It implements rapid
convergence and provides multiple paths to load balance VLAN traffic.
Table 5-22 compares STP, RSTP, and MSTP in terms of the characteristics of each protocol
and their applicable environments.
Issue 02 (2013-12-31)

1520

Equipment
Table 5-22 Comparison between STP, RSTP, and MSTP

Spanning Tree
Protocols
Characteristics
Application
Scenarios
Precautions
STP
Ensures a loop-free tree

topology that helps prevent
broadcast storms and allows
for redundant links between
switches.
Irrespective of
users or services,
all VLANs share
one spanning tree.
RSTP
l Ensures a loop-free tree

topology that helps
links between switches.
l If the current
switching
device
supports only
STP, STP is
recommende
d. For details,
see STP/
RSTP
Configurati
on.
implementing rapid
convergence.
MSTP
l Ensures a loop-free tree

topology that helps
links between switches in
an MSTP region.
implementing rapid
convergence.
l Implements load
balancing among VLANs.
Traffic in different
VLANs is transmitted
along different paths.
User or servicespecific load

balancing is
required. Traffic
for different
VLANs is
forwarded
through different
spanning trees,
which are
independent of
each other.
l If the current
switching
device
supports both
STP and
RSTP, RSTP
is
recommende
d. For details,
see STP/
RSTP
Configurati
on.
l If the current
switching
device
supports STP
or RSTP, and
MSTP,
MSTP is
recommende
d.
Introduction
MSTP, compatible with STP and RSTP, uses multiple instances to isolate service traffic and
provides multiple paths to load balance VLAN traffic.
Issue 02 (2013-12-31)

1521

Equipment
If MSTP is deployed on a LAN, The Multiple Spanning Tree Instances (MSTIs) are generated,
as shown in Figure 5-38.
Figure 5-38 Multiple spanning trees in an MST region
VLAN3
CX-D
CX-A
VLAN2
Host C
(VLAN3)
Host A
(VLAN2)
VLAN2
VLAN3
CX-B
CX-E
VLAN2
VLAN2
VLAN3
Host B
(VLAN2)
VLAN2
Host D
(VLAN3
)
VLAN3
VLAN3
ATNC
CX-F
MSTI1 (root switch: CX-D)

MSTI2 (root switch: CX-F)
VLAN2
VLAN3
MSTI1
MSTI2
MSTI 1 uses CX-D as the root switching device to forward packets of VLAN 2.
MSTI 2 uses CX-F as the root switching device to forward packets of VLAN 3.
Devices within the same VLAN can communicate with each other and packets of different
VLANs are load-balanced along different paths.
Basic MSTP Concepts

l
MST region
An MST region contains multiple switching devices and network segments between them.
The switching devices have the following characteristics:
MSTP-enabled
Same region name
Same VLAN-to-instance mapping
Same MSTP revision number
A LAN can comprise several MST regions that are directly or indirectly connected. You
can use MSTP configuration commands to group multiple switching devices into an MST
region.
As shown in Figure 5-39, the MST region D0 contains the switching devices S1, S2, S3,
and S4. The region has three MSTIs.
Issue 02 (2013-12-31)

1522

Equipment
Figure 5-39 MST region

AP1
D0
Master Bridge
MSTI1
root switch:CX-D
CX-A
MSTI2
root switch:CX-B
CX-D
CX-B
ATNC
MSTI0 (IST)
root switch:CX-A
VLAN1
MSTI1
VLAN2,VLAN3 MSTI2
other VLANs MSTI0
VLAN mapping table

The VLAN mapping table is an attribute of the MST region. It describes mappings between
VLANs and MSTIs.
Figure 5-39 shows the VLAN mapping table of the MST region D0:
VLAN 1 is mapped to MSTI 1.
VLAN 2 and VLAN 3 are mapped to MSTI 2.
Other VLANs are mapped to MSTI 0.
Regional root
Regional roots are classified into Internal Spanning Tree (IST) and MSTI regional roots.
In the region B0, C0, and D0 on the network shown in Figure 5-41, the switching devices
closest to the Common and Internal Spanning Tree (CIST) root are IST regional roots.
An MST region can contain multiple spanning trees, each called an MSTI. An MSTI
regional root is the root of the MSTI. On the network shown in Figure 5-40, each MSTI
has its own regional root.
Issue 02 (2013-12-31)

1523

Equipment
Figure 5-40 MSTI

MST Region
VLA
N10
&20
VLAN
10&20&30
VLAN 20&30
VLAN
10&30
VLAN
30
VLAN
10&30
VLAN
20
VLAN 10
Root
Root
MSTI
corresponding to
VLAN 10
MSTI
corresponding to
VLAN 20
MSTI Root
corresponding to
VLAN 30
MSTI links
MSTI links blocked by the protocol
MSTIs are independent of each other. An MSTI can correspond to one or more VLANs,
but a VLAN can be mapped to only one MSTI.
l
CIST root
On the network shown in Figure 5-41, the CIST root is the root bridge of a CIST. The
CIST root is a device in A0.
Figure 5-41 MSTP network
A0
CIST Root
D0
Region Root
B0
Region Root
C0
Region Root
IST
CST
Issue 02 (2013-12-31)

1524

Equipment
CST
A Common Spanning Tree (CST) connects all the MST regions on a switching network.
Each MST region can be considered a node. A CST is calculated by using STP or RSTP
based on all the nodes.
As shown in Figure 5-41, the MST regions are connected to form a CST.
IST
An IST resides within an MST region.
An IST is a special MSTI with an MSTI ID of 0, called MSTI 0.
An IST is a segment of the CIST in an MST region.
As shown in Figure 5-41, the switching devices in an MST region are connected to form
an IST.
CIST
A CIST, calculated by using STP or RSTP, connects all the switching devices on a switching
network.
As shown in Figure 5-41, the ISTs and the CST form a complete spanning tree (CIST).
SST
A Single Spanning Tree (SST) is formed in either of the following situations:
A switching device running STP or RSTP belongs to only one spanning tree.
An MST region has only one switching device.
As shown in Figure 5-41, the switching device in B0 is an SST.
Port roles
Compared with RSTP which defined root ports, designated ports, alternate ports, backup
ports, and edge ports, MSTP has two additional port types: master ports and regional edge
ports.
Table 5-23 lists all port roles in MSTP.
NOTE
Except edge ports, all ports participate in MSTP calculation.

A port can play different roles in different MSTIs.
Table 5-23 Port roles

Port
Roles
Description
Root port
A root port is the non-root bridge port closest to the root bridge. Root bridges
do not have root ports.
Root ports are responsible for sending data to root bridges.
As shown in Figure 5-42, S1 is the root; CP1 is the root port on S3; BP1 is
the root port on S2; DP1 is the root port on S4.
Issue 02 (2013-12-31)

1525

Equipment
Port
Roles
Description
Designat
ed port
The designated port on a switching device forwards bridge protocol data

units (BPDUs) to the downstream switching device.
As shown in Figure 5-42, AP2 and AP3 are designated ports on S1; BP2 is
a designated port on S2; CP2 is a designated port on S3.
Alternate
port
l An alternate port is blocked after it receives a BPDU sent by another

switching devices.
l An alternate port provides an alternate path to the root bridge. This path
is different than using the root port.
As shown in Figure 5-42, BP2 and AP4 are alternate ports.
Backup
port
l A backup port is blocked after it receives a BPDU sent by itself.

l A backup port provides a redundant path to a segment and is the backup
for the root port.
As shown in Figure 5-42, CP3 is a backup port.
Master
port
A master port is on the shortest path connecting MST regions to the CIST
root.
BPDUs of an MST region are sent to the CIST root through the master port.
Master ports are special regional edge ports, functioning as root ports on
ISTs or CISTs and master ports in instances.
As shown in Figure 5-42, S1, S2, S3, and S4 form an MST region. AP1 on
S1, being the nearest port in the region to the CIST root, is the master port.
Regional
edge port
A regional edge port is located at the edge of an MST region and connects
to another MST region or an SST.
During MSTP calculation, the roles of a regional edge port in the MSTI and
the CIST instance are the same. If the regional edge port is the master port
in the CIST instance, it is the master port in all the MSTIs in the region.
As shown in Figure 5-42, AP1, DP2, and DP3 in an MST region are directly
connected to other regions, and therefore they are all regional edge ports of
the MST region.
As shown in Figure 5-42, AP1 is a regional edge port and also a master port
in the CIST. Therefore, AP1 is the master port in every MSTI in the MST
region.
Edge
port
An edge port is located at the edge of an MST region and does not connect
to any switching device.
Generally, edge ports are directly connected to terminals.
As shown in Figure 5-42, BP3 is an edge port.
Issue 02 (2013-12-31)

1526

Equipment
Figure 5-42 Port roles

AP1
AP4
MST Region
Root port
AP3
AP2
Designated port
Alternate
port
Backup port
S1
Root Bridge
CP1
S3
CP2
BP1
S2
BP2
CP3
Regional edge port
BP3
Master port
Edge port
DP1
DP2
S4
PC
DP4
DP3
Port status
Table 5-24 lists the MSTP port status, which is the same as the RSTP port status.
Table 5-24 Port status
Port
Status
Description
Forwardi
ng
A port in the Forwarding state can send and receive BPDUs as well as
Learning
This is a transition state. A port in the Learning state learns MAC addresses
from user traffic to construct a MAC address table.
In the Learning state, the port can send and receive BPDUs, but cannot
Discardi
ng
A port in the Discarding state can only receive BPDUs.
The port status is not determined by the port role. Table 5-25 lists the port status supported
by each port role.
Table 5-25 Status of port roles
Issue 02 (2013-12-31)
Port
Status
Root Port/
Master
Port
Designate
d Port
Regional
Edge Port
Alternate
Port
Backup
Port
Forwardi
ng
Yes
Yes
Yes
No
No
Learning
Yes
Yes
Yes
No
No

1527

Equipment
Port
Status
Root Port/
Master
Port
Designate
d Port
Regional
Edge Port
Alternate
Port
Backup
Port
Discardi
ng
Yes
Yes
Yes
Yes
Yes
Yes: The port supports this status.

No: The port does not support this status.
MSTP Features Supported by the ATN

Before configuring MSTP, familiarize yourself with the concepts of basic MSTP functions,
topology convergence, MSTP protection, and MSTP interoperability between Huawei devices
MSTP is used to block redundant links on the Layer 2 network and trim a network into a loopfree tree. In MSTP, multiple MSTIs can be created and VLANs are mapped into different
instances to load-balance VLAN traffic. The basic configuration roadmap for MSTP is as
follows:
1.
In a ring network, divide regions and create different instances for regions.
2.
Select a switching device to function as the root bridge for each instance.
3.
In each instance, calculate the shortest paths from the other switching devices to the root
bridge, and select a root port for each non-root switching device.
4.
In each instance, select a designated port for each connection based on port IDs.
Some networks may have master ports and backup ports. For details about master ports and
backup ports, see MSTP Introduction.
MSTP also supports the following features to meet the requirements of special applications and
extended functions:
l
Proposal/Agreement mechanism to implement rapid convergence.
Protection functions listed in Table 5-26.
MSTP interoperability between Huawei devices and non-Huawei devices. Certain

parameters must be set on Huawei devices to ensure uninterrupted communication.
Issue 02 (2013-12-31)

1528

Equipment
Table 5-26 MSTP protection
Issue 02 (2013-12-31)
MSTP
Protection
Scenario
BPDU
protection

non-edge port after
occurs.

changed.
Topology
Change (TC)
protection

advertising network

Root
protection
Due to incorrect
BPDUs with a higher
changed, triggering
traffic congestion.
To address this issue, the root protection

function can be configured to protect the root
bridge by preserving the role of the
designated port. With this function, when the
designated port receives RST BPDUs with a
higher priority, the port enters the Discarding
state and does not forward the BPDUs. If the
port does not receive any RST BPDUs with a
higher priority for a certain period (double the
Forward Delay), the port transitions to the
Forwarding state.

1529

Equipment
MSTP
Protection
Scenario
Loop
protection

incorrectly and after the
situation.
The loop protection function can be used to

prevent such network loops. If the root port
or alternate port cannot receive RST BPDUs
from the upstream switching device, the root
port is blocked and the switching device
Discarding state. The blocked port remains in
the Blocked state and no longer forwards
packets. This function helps prevent loops on
the network. The root port transitions to the
5.7.2 Configuring Basic MSTP Functions

MSTP based on the basic STP/RSTP function divides a switching network into multiple regions,
each of which has multiple spanning trees that are independent of each other. MSTP isolates
user traffic and service traffic, and load-balances VLAN traffic.
Context
MSTP is commonly configured on switching devices to trim a ring network to a loop-free
network. Devices start spanning tree calculation after the working mode is set and MSTP is
enabled. Use any of the following methods if you need to intervene in the spanning tree
calculation:
l
Set a priority for a switching device in an MSTI: The lower the numerical value, the higher
the priority of the switching device and the more likely the switching device becomes a
root bridge; the higher the numerical value, the lower the priority of the switching device
and the less likely that the switching device becomes a root bridge.
Set a path cost for a port in an MSTI: With the same calculation method, the lower the
numerical value, the smaller the cost of the path from the port to the root bridge and the
more likely the port becomes a root port; the higher the numerical value, the larger the cost
of the path from the port to the root bridge and the less likely that the port becomes a root
port.
Set a priority for a port in an MSTI: The lower the numerical value, the more likely the port
becomes a designated port; the higher the numerical value, the less likely that the port
becomes a designated port.
Before You Start

Before configuring basic MSTP functions, familiarize yourself with the usage scenario,
Issue 02 (2013-12-31)

1530

Equipment
MSTP can be deployed on a network to eliminate loops. If a loop is detected, MSTP blocks one
or more ports to eliminate the loop. In addition, the Multiple Spanning Tree Instances (MSTIs)
can be configured to load balance VLAN traffic.
As shown in Figure 5-43, CX-A, CX-B, ATNC and CX-D all support MSTP. In this scenario,
you need to create MSTI 1 and MSTI 2, configure a root bridge for each MSTI, and set the ports
to be blocked to load balance traffic of VLANs 1 to 10 and VLANs 11 to 20 among different
paths.
Figure 5-43 Networking diagram of basic MSTP configurations
Network
MST Region
CX-A
CX-B
ATNC
CX-D
PC1
PC2
VLAN1~10
VLAN11~20
MSTI1
MSTI2
MSTI1:
Root Switch:CX-A
Blocked port
MSTI2:
Root Switch:CX-B
Blocked port
NOTE
If the current device supports MSTP, configuring MSTP is recommended.
Issue 02 (2013-12-31)

1531

Equipment
Before configuring basic MSTP functions, complete the following task:
l
Connect interfaces and setting physical parameters for the interfaces to ensure that the
interfaces are physically Up.
Data Preparation
To configure basic MSTP functions, you need the following data.
No.
Data
MSTP working mode
Multiple Spanning Tree (MST) region name, VLAN-to-instance mapping, and

MSTP revision number
(Optional) ID of an MSTI
(Optional) Priority of a switching device in an MSTI
(Optional) Priority of a port in an MSTI
(Optional) Path cost of a port in an MSTI
Configuring the MSTP Mode

Before configuring basic MSTP functions, set the working mode of a switching device to MSTP.
MSTP is compatible with STP and RSTP.
Procedure
Step 1 Run:
system-view

Step 2 Run:
stp mode mstp
The working mode of the switching device is set to MSTP. By default, the working mode is
MSTP.
STP and MSTP cannot recognize packets of each other, but MSTP and RSTP can. If an MSTPenabled switching device is connected to switching devices running STP, interfaces of the
MSTP-enabled switching device connected to devices running STP automatically transition to
STP mode, and other interfaces still work in MSTP mode. This enables devices running different
spanning tree protocols to interwork with each other.
----End
Issue 02 (2013-12-31)

1532

Equipment
Configuring and Activating an MST Region

MSTP divides a switching network into multiple Multiple Spanning Tree (MST) regions. After
an MST region name, VLAN-to-instance mappings, and an MSTP revision number are
configured, you must activate the MST region to make the configurations effective.
Context
An MST region contains multiple switching devices and network segments. These switching
devices are directly connected and have the same region name, same VLAN-to-instance
mapping, and the same configuration revision number after MSTP is enabled. One switching
network can have multiple MST regions. You can use MSTP commands to group multiple
switching devices into one MST region.
NOTICE
Two switching devices belong to the same MST region when they have the same:
l
Name of the MST region
Mapping between VLANs and Multiple Spanning Tree Instances (MSTIs)
Revision level of the MST region
Perform the following steps on a switching device that needs to join an MST region.
Procedure
Step 1 Run:
system-view

Step 2 Run:
stp region-configuration
The MST region view is displayed.

Step 3 Run:
region-name name
The name of an MST region is configured.

By default, the MST region name is the MAC address of the management network interface on
the MPU of the switching device.
Step 4 Perform either of the following steps to configure VLAN-to-instance mappings.
l Run the instance instance-id vlan { vlan-id1 [ to vlan-id2 ] }&<1-10> command to configure
VLAN-to-instance mappings.
l Run the vlan-mapping modulo modulo command to enable VLAN-to-instance mapping
assignment based on a default algorithm.
By default, all VLANs in an MST region are mapped to MSTI 0.
Issue 02 (2013-12-31)

1533

Equipment
NOTE
l The VLAN-to-instance mappings generated using the vlan-mapping modulo modulo commands
cannot meet network requirements. It is recommended that you run the instance instance-id vlan
{ vlan-id1 [ to vlan-id2 ] }&<1-10> command to configure VLAN-to-instance mappings.
l The vlan-mapping modulo specifies the formula (VLAN ID-1)%modulo+1. In the formula, (VLAN
ID-1)%modulo means the remainder of (VLAN ID-1) divided by the value of modulo. This formula
is used to map a VLAN to the corresponding MSTI. The calculation result of the formula is the ID of
the mapping MSTI.

revision-level level
The MSTP revision number is set.

By default, the MSTP revision number is 0.
If the revision number of the MST region is not 0, this step is necessary.
NOTE
Changing MST region configurations (especially change of the VLAN mapping table) triggers spanning
tree recalculation and causes route flapping. Therefore, after configuring an MST region name, VLAN-toinstance mappings, and an MSTP revision number, run the check region-configuration command in the
MST region view to verify the configuration. After confirming the region configurations, run the active
region-configuration command to activate MST region configurations.
Step 6 Run:
active region-configuration
MST region configurations are activated so that the configured region name, VLAN-to-instance
mappings, and revision number can take effect.
If this step is not done, the preceding configurations cannot take effect.
If you have changed MST region configurations on the switching device after MSTP starts, run
the active region-configuration command to activate the MST region so that the changed
configurations can take effect.
----End
(Optional) Configuring a Priority for a Switching Device in an MSTI

A switching device with a high priority is more likely to be selected as the root bridge in an
MSTI. A smaller priority value indicates a higher priority.
Context
In an MSTI, there is only one root bridge, which is the logic center of the MSTI. During root
bridge selection, a high-performance switching device at a high network layer should be selected
as the root bridge; however, the priority of such a device may not be the highest on the network.
It is therefore necessary to set a high priority for the switching device to ensure that the device
functions as a root bridge.
Low-performance devices at lower network layers are not fit to serve as a root bridge. Therefore,
set low priorities for these devices.
Issue 02 (2013-12-31)

1534

Equipment
Procedure
Step 1 Run:
system-view

Step 2 Run:
stp [ instance instance-id ] priority priority
A priority is set for the switching device in an MSTI.

The default priority value of the switching device is 32768.
If the instance is not designated, a priority is set for the switching device in MSTI0.
NOTE
l To configure a switching device as the primary root bridge, run the stp [ instance instance-id ] root
primary command directly. The priority value of this switching device is 0.
l To configure a switching device as the secondary root bridge, run the stp [ instance instance-id ] root
secondary command. The priority value of this switching device is 4096.
In an MSTI, a switching device cannot act as the primary root bridge and secondary root bridge at the
same time.
l To change the priority of a switching device after you run the stp root primary command or the stp
[ instance instance-id ] root secondary command to configure the switching device as a primary root
bridge or a secondary root bridge, disable the root bridge function or secondary root bridge function
and then run the stp [ instance instance-id ] priority priority command to re-set a priority.
----End
(Optional) Configuring a Path Cost of a Port in an MSTI

The MSTP path cost determines root port selection in an MSTI. The port with the lowest path
cost to the root bridge is selected as the root port.
Context
A path cost is port-specific and is used by MSTP to select a link.
Path costs of ports are an important basis for calculating spanning trees. If you set different path
costs for a port in different MSTIs, VLAN traffic can be transmitted along different physical
links for load balancing.
In the Huawei proprietary calculation method for example, the link rate determines the
recommended value for the path cost. The following table lists the recommended path costs for
ports with different link rates.
Table 5-27 Mappings between link rates and path cost values
Issue 02 (2013-12-31)
Link Rate
Recommended
Path Cost
Recommended
Path Cost Range
Path Cost Range
10 Mbit/s
2000
200 to 20000
1 to 200000
100 Mbit/s
200
20 to 2000
1 to 200000

1535

Equipment
Link Rate
Recommended
Path Cost
Recommended
Path Cost Range
Path Cost Range
1 Gbit/s
20
2 to 200
1 to 200000
10 Gbit/s
2 to 20
1 to 200000
Higher than 10 Gbit/

s
1 to 2
1 to 200000
If a network has loops, it is recommended that you set a relatively large path cost for ports with
low link rates. MSTP then blocks these ports.
Procedure
Step 1 Run:
system-view

Step 2 Run:
stp pathcost-standard { dot1d-1998 | dot1t | legacy }
A path cost calculation method is configured.

By default, the IEEE 802.1t standard (dot1t) is used to calculate the default path cost.
All switching devices on a network must use the same path cost calculation method.
Step 3 Run:

portswitch

NOTE
Step 5 Run:
stp instance instance-id cost cost
A path cost is set for the port in the current MSTI.

l When the Huawei proprietary calculation method is used, cost ranges from 1 to 200000.
l When the IEEE 802.1d standard method is used, cost ranges from 1 to 65535.
l When the IEEE 802.1t standard method is used, cost ranges from 1 to 200000000.
----End
Issue 02 (2013-12-31)

1536

Equipment
(Optional) Configuring a Port Priority in an MSTI

A port with a smaller priority value is more likely to be selected as a designated port, and a port
with a larger priority value is more likely to be blocked.
Context
During spanning tree calculation, port priorities in Multiple Spanning Tree Instances (MSTIs)
determine which ports are selected as designated ports.
To block a port in an MSTI to eliminate loops, set the port priority value to larger than the default
value. This port will be blocked during designated port selection.
Procedure
Step 1 Run:
system-view

Step 2 Run:

portswitch

NOTE
Step 4 Run:
stp
instance instance-id port priority priority
A port priority is set in an MSTI.

By default, the port priority is 128.
The value range of the priority is from 0 to 240, in steps of 16.
----End
Enabling MSTP
After configuring basic MSTP functions on a switching device, enable MSTP function.
Context
After MSTP is enabled on a ring network, it immediately calculates spanning trees on the
network. Configurations on the switching device, such as, the switching device priority and port
priority, will affect spanning tree calculation. Any change to the configurations may cause
network flapping. Therefore, to ensure rapid and stable spanning tree calculation, perform basic
configurations on the switching device and its ports and enable MSTP.
Issue 02 (2013-12-31)

1537

Equipment
Procedure
Step 1 Run:
system-view

Step 2 Run:
stp enable
MSTP is enabled on the switching device.

By default, the MSTP function is enabled on the ATN.
----End

After configuring basic MSTP functions, you can check the configurations.
Prerequisites
Basic MSTP functions have been configured.
Procedure
l
Run the display stp [ instance instance-id ][ interface { interface-type interfacenumber } ] [ brief ] command to view spanning-tree status and statistics.
Run the display stp region-configuration command to view configurations of activated

MST regions.
Run the display stp region-configuration digest command to view the digest
configurations of activated MST regions.
----End
5.7.3 Configuring MSTP Parameters on an Interface

Proper MSTP parameter settings achieve rapid convergence.
Before You Start

Before configuring basic MSTP parameters, familiarize yourself with the usage scenario,
On some networks, MSTP parameters will affect the speed of network convergence. Proper
MSTP parameter settings help implement rapid network convergence.
NOTE
The default parameters can also be used to complete MSTP rapid convergence. Therefore, the configuration
procedures and steps in this command task are all optional.
Issue 02 (2013-12-31)

1538

Equipment
Before configuring MSTP parameters, configuring basic MSTP functions.
Data Preparation
To configure MSTP parameters, you need the following data.
No.
Data
Network diameter, Hello time, forwarding delay time, maximum aging time, and
timeout period for waiting for BPDUs from the upstream (3 x hello time x time factor),
and Maximum hop count in a Multiple Spanning Tree (MST) region
Link type of a port, and Maximum number of sent bridge protocol data units (BPDUs)
Configuring System Parameters

MSTP parameters that may affect network convergence include the network diameter, Hello
timer, and timeout period for waiting for BPDUs from the upstream device (3 x Hello timer
value x Time factor). Proper MSTP parameter settings help implement rapid network
convergence.
Procedure
Step 1 Run:
system-view

Step 2 Run:
stp bridge-diameter diameter
The network diameter is configured.

By default, the network diameter is 7.
l RSTP uses a single spanning tree instance on the entire network. As a result, performance
deterioration cannot be prevented when the network scale grows. Therefore, the network
diameter cannot be larger than 7.
l It is recommended that you run the stp bridge-diameter diameter command to set the
network diameter. Then, the switching device calculates the optimal Forward Delay period,
Hello timer value, and Max Age timer value based on the set network diameter.
Step 3 Run:
stp timer-factor factor
The timeout period for waiting for BPDUs from the upstream device is set.
By default, the timeout period is 9 times the Hello timer value.
Step 4 (Optional) If the current device is at the edge of a network, run both or either of the following
commands as needed:
Issue 02 (2013-12-31)

1539

Equipment
l To configure all ports on the devices as edge ports, run:

stp edged-port default

After ports on a network edge device are configured as edge ports, the ports no longer
participate in spanning tree calculation. This speeds up network topology convergence and
improves network stability.
l To configure all ports on the devices as BPDU filter ports, run:
stp bpdu-filter default
By default, a port is a non-BPDU filter port.

After ports on a network edge device are configured as BPDU filter ports, the ports no longer
process or send BPDUs.
NOTE
After the stp bpdu-filter default and stp edged-port default commands are run in the system view, all
ports on the device no longer actively send BPDUs or negotiate with directly-connected ports; instead, all
the ports are in the Forwarding state. This may lead to a loop on the network, causing broadcast storms.
Exercise caution when running these commands.
Step 5 (Optional) To set the Forward Delay period, Hello timer, and Max Age timer, perform the
l Run the stp timer forward-delay forward-delay command to set the Forward Delay timer.
The default Forward Delay timer of a switching device is 1500 centiseconds.
l Run the stp timer hello hello-time command to set the Hello timer.
The default Hello timer of a switching device is 200 centiseconds.
l Run the stp timer max-age max-age command to set the Max Age timer.
The default Max Age timer of a switching device is 2000 centiseconds.
NOTE
The values of the Hello timer, Forward Delay timer, and Max Age timer must comply with the following
formulas; otherwise, network flapping occurs.
l 2 x (Forward Delay - 1.0 second) >= Max Age
l Max Age >= 2 x (Hello Time + 1.0 second)
Step 6 Run:
stp max-hops hop
The maximum hop count is set for the Multiple Spanning Tree (MST) region.
By default, the maximum hop count in an MST region is 20.
Step 7 Run:
stp mcheck
MCheck is enabled.
On a switching device running MSTP, if an interface is connected to a device running STP, the
interface automatically transitions to the STP mode.
Enabling MCheck on the interface is required because the interface may fail to automatically
transition to the MSTP mode in the following situations:
Issue 02 (2013-12-31)

1540

Equipment
l The switching device running STP transitions to the MSTP mode.

NOTE
If you run the stp mcheck command in the system view, the MCheck operation is performed on all the
interfaces.
----End
Configuring Port Parameters

Port parameters that may affect MSTP topology convergence include the link type and maximum
number of sent BPDUs. Proper port parameter settings help implement rapid topology
convergence.
Procedure
Step 1 Run:
system-view

Step 2 Run:

portswitch

NOTE

stp point-to-point { auto | force-false | force-true }
The link type is configured for the interface.

By default, an interface automatically determines whether to connect to a P2P link. The P2P link
supports rapid network convergence.
l If the Ethernet port works in full-duplex mode, the port is connected to a P2P link. In this
case, force-true can be configured to implement rapid network convergence.
l If the Ethernet port works in half-duplex mode, you can run stp point-to-point force-true
to forcibly set the link type to P2P.
Step 5 Run:
stp mcheck
MCheck is enabled.
On a switching device running MSTP, if an interface is connected to a device running STP, the
interface automatically transitions to the STP mode.
You must enable MCheck on the interface because the interface may fail to automatically
transition to the MSTP mode in the following situations:
Issue 02 (2013-12-31)

1541

Equipment

l The switching device running STP transitions to the MSTP mode.
Step 6 Run:
stp transmit-limit packet-number
The maximum number of BPDUs sent by a port per second is set.

By default, the maximum number of BPDUs that a port sends per second is 147.
NOTE
If the maximum number of BPDUs sent per second needs to be configured for all interfaces of the device,
run the stp transmit-limit (system view) command in the global view.

stp edged-port enable
The port is configured as an edge port.

If a device port is connected to a terminal, you can run this command to configure the port as
an edge port.
If the current port has been configured as an edge port, the port can still send BPDUs. This may
cause BPDUs to be sent to other networks, leading to network flapping. To prevent this problem,
run the stp bpdu-filter enable command to configure the edge port as a BPDU filter port and
disable the port from processing or sending BPDUs.
NOTE
After the stp bpdu-filter enable command is run on a port, the port no longer processes or sends BPDUs.
The port will not negotiate with the directly-connected port to establish an STP connection.
Step 8 Run:
quit

----End
Follow-up Procedure
When the topology of a spanning tree changes, the forwarding paths to associated VLANs are
changed. The ARP entries corresponding to those VLANs on the switching device need to be
updated. MSTP processes ARP entries in either fast or normal mode.
l
In fast mode, ARP entries to be updated are directly deleted.
In normal mode, ARP entries to be updated are rapidly aged.

The remaining lifetime of ARP entries to be updated is set to 0. The switching device rapidly
processes these aged entries. If the number of ARP aging probe attempts is not set to 0,
ARP implements aging probe for these ARP entries.
In either fast or normal mode, MAC entries are directly deleted.
You can run the stp converge { fast | normal } command in the system view to configure the
MSTP convergence mode.
Issue 02 (2013-12-31)

1542

Equipment
By default, the MSTP convergence is configured as normal.

NOTE
The normal mode is recommended. If the fast mode is adopted, ARP entries will be frequently deleted,
causing the CPU usage on the MPU or LPU to reach 100%. As a result, network flapping will frequently
occur.

After MSTP parameters are configured, you can check the configurations.
Prerequisites
MSTP parameters have been configured.
Procedure
l
Run the display stp [ instance instance-id ] [ interface { interface-type interfacenumber } ] [ brief ] command to view spanning-tree status and statistics.
----End
5.7.4 Configuring MSTP Protection Functions

This section describes how to configure MSTP protection functions. You can configure one or
more functions.
Before You Start

Before configuring MSTP protection functions, familiarize yourself with the usage scenario,
MSTP provides the protection functions listed in Table 5-28.
Table 5-28 MSTP protection
Issue 02 (2013-12-31)
MSTP
Protection
Scenario
BPDU
protection

non-edge port after
occurs.

changed.

1543

Equipment
MSTP
Protection
Scenario
Topology
Change (TC)
protection

advertising network

Root
protection
Due to incorrect
BPDUs with a higher
changed, triggering
traffic congestion.
To address this issue, the root protection

function can be configured to protect the root
bridge by preserving the role of the
designated port. With this function, when the
designated port receives RST BPDUs with a
higher priority, the port enters the Discarding
state and does not forward the BPDUs. If the
port does not receive any RST BPDUs with a
higher priority for a certain period (double the
Forward Delay), the port transitions to the
Forwarding state.
Loop
protection

incorrectly and after the
situation.
The loop protection function can be used to

prevent such network loops. If the root port
or alternate port cannot receive RST BPDUs
from the upstream switching device, the root
port is blocked and the switching device
Discarding state. The blocked port remains in
the Blocked state and no longer forwards
packets. This function helps prevent loops on
the network. The root port transitions to the
NOTE
l After a device normally starts, there is a default MSTP process with the ID 0. MSTP configurations in
the system view and interface view both belong to this process.
Issue 02 (2013-12-31)

1544

Equipment
Before configuring MSTP protection functions on a switching device, configure basic MSTP
functions.
l
NOTE
Configure an edge port on the switching device before configuring BPDU protection.
Data Preparation
To configure MSTP protection functions on a switching device, you need the following data.
No.
Data
Number of the port on which root protection is to be enabled
Number of the port on which loop protection is to be enabled
Configuring BPDU Protection on a Switching Device

After BPDU protection is enabled on a switching device, the switching device shuts down an
edge port if the edge port receives a BPDU, and notifies the NMS of the shutdown event.
Context
Edge ports are directly connected to user terminal and will not receive BPDUs. Attackers may
send pseudo BPDUs to attack the switching device. If the edge ports receive the BPDUs, the
switching device configures the edge ports as non-edge ports and triggers a new spanning tree
calculation. Network flapping then occurs. BPDU protection can be used to protect switching
devices against malicious attacks.
Perform the following steps on a switching device that has an edge port.
Procedure
Step 1 Run:
system-view

Step 2 Run:
stp bpdu-protection
BPDU protection is enabled on the switching device.

By default, BPDU protection is not enabled on the switching device.
----End
Configuring Root Protection on an Interface

The root protection function on a switching device protects a root bridge by preserving the role
of a designated port.
Issue 02 (2013-12-31)

1545

Equipment
Context
Due to incorrect configurations or malicious attacks on the network, a root bridge may receive
BPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to serve
as the root bridge and the network topology is changed, triggering spanning tree recalculation.
This also may cause the traffic that should be transmitted over high-speed links to be transmitted
over low-speed links, leading to network congestion. The root protection function on a switching
device is used to protect the root bridge by preserving the role of the designated port.
NOTE
Root protection takes effect only on designated ports.
Perform the following steps on the root bridge in an MST region.
Procedure
Step 1 Run:
system-view

Step 2 Run:

portswitch

NOTE
Step 4 Run:
stp root-protection
Root protection is configured on the switching device.

By default, root protection is disabled.
----End
Configuring Loop Protection on an Interface

The loop protection function suppresses loops caused by link congestion.
Context
On a network running MSTP, a switching device maintains the root port status and status of
blocked ports by receiving BPDUs from an upstream switching device. If the switching device
cannot receive BPDUs from the upstream device because of link congestion or unidirectionallink failure, the switching device re-selects a root port. The original root port becomes a
designated port and the original blocked ports change to the Forwarding state. This switching
may cause network loops, which can be mitigated by configuring loop protection.
Issue 02 (2013-12-31)

1546

Equipment
After loop protection is configured, if the root port or alternate port does not receive BPDUs
from the upstream switching device, the root port is blocked and the switching device notifies
the NMS that the port enters the Discarding state. The blocked port remains in the Blocked state
and no longer forwards packets. This function helps prevent loops on the network. The root port
transitions to the Forwarding state after receiving new BPDUs.
NOTE
An alternate port is a backup port for a root port. If a switching device has an alternate port, you need to
configure loop protection on both the root port and the alternate port.
Perform the following steps on the root port and alternate port on a switching device in an MST
region.
Procedure
Step 1 Run:
system-view

Step 2 Run:

portswitch

NOTE
Step 4 Run:
stp loop-protection
Loop protection for the root port is configured on the switching device.
By default, loop protection is disabled.
----End

After MSTP protection functions are configured, check whether the configurations take effect.
Prerequisites
All configurations of MSTP protection functions are complete.
Procedure
l
Run the display stp [ instance instance-id ] [ interface interface-type interface-number ]

[ brief ] command to view spanning-tree status and statistics.
----End
Issue 02 (2013-12-31)

1547

Equipment
5.7.5 Configuring MSTP Interoperability Between Huawei Devices

and Non-Huawei Devices
To enable Huawei devices to work with non-Huawei devices on an MSTP-capable network,
configure the BPDU format, MSTP protocol packet format, and digest snooping function on the
Huawei devices.
Before You Start

Before configuring MSTP interoperability between Huawei devices and non-Huawei devices,
On an MSTP network, inconsistent protocol packet formats and BPDU keys may lead to a
communication failure. Setting MSTP parameters correctly on Huawei devices ensures
interoperability between Huawei devices and non-Huawei devices.
Before configuring MSTP interoperability between Huawei devices and non-Huawei devices,
configure basic MSTP functions.
Data Preparation
To configure MSTP interoperability between Huawei devices and non-Huawei devices, you
No.
Data
BPDU format
MSTP protocol packet format
Configuring a Proposal/Agreement Mechanism

To enable Huawei devices to communicate with non-Huawei devices, configure an appropriate
rapid transition mechanism on Huawei devices according to the Proposal/Agreement mechanism
on non-Huawei devices.
Context
The rapid transition mechanism is also called the Proposal/Agreement mechanism. All switching
devices support the following modes:
l
Issue 02 (2013-12-31)
Enhanced mode: The current interface counts the root port calculation when it computes
the synchronization flag bit.
1548

Equipment

connected to the upstream device as a root port and blocks all non-edge ports.
The upstream device then sends an Agreement message to the downstream device. After
the downstream device receives the message, the root port transitions to the Forwarding
state.
The downstream device responds to the Proposal message with an Agreement message.
downstream device as a designated port, and the designated port transitions to the
Forwarding state.
l
Common mode: The current interface ignores the root port when it computes the
synchronization flag bit.
connected to the upstream device as a root port and blocks all non-edge ports. The root
port then transitions to the Forwarding state.
The downstream device responds to the Proposal message with an Agreement message.
Forwarding state.
When Huawei devices are connected to non-Huawei devices, select the same mode as that used
on non-Huawei devices.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
stp no-agreement-check
The common rapid transition mechanism is configured.

By default, the interface uses the enhanced rapid transition mechanism.
----End
Configuring the MSTP Protocol Packet Format on an Interface

MSTP protocol packets can be transmitted in auto, dot1s, or legacy mode. The default mode is
auto.
Context
MSTP protocol packets have two formats: dot1s (IEEE 802.1s standard packets) and legacy
(proprietary protocol packets). The auto mode was designed to allow an interface to
Issue 02 (2013-12-31)

1549

Equipment
automatically use the format of MSTP protocol packets sent from the remote interface. In this
manner, the two interfaces use the same MSTP protocol packet format.
Procedure
Step 1 Run:
system-view

Step 2 Run:

portswitch

NOTE
Step 4 Run:
stp compliance { auto | dot1s | legacy }
The MSTP protocol packet format is configured on the interface.

The auto mode is used by default.
NOTE
The negotiation will fail if the format of MSTP packets is set to dot1s on one end and legacy on the other
end.
----End
Enabling the Digest Snooping Function

Interconnected Huawei and non-Huawei devices cannot communicate with each other if they
have the same region name, revision number, and VLAN-to-instance mappings but different
BPDU keys. To address this problem, enable the digest snooping function on the Huawei device.
Context
Perform the following steps on a switching device in a Multiple Spanning Tree (MST) region
to enable the digest snooping function.
Procedure
Step 1 Run:
system-view

Issue 02 (2013-12-31)

1550

Equipment
Step 2 Run:

Step 3 Run:
stp config-digest-snoop
The digest snooping function is enabled.

----End

After MSTP parameters are configured for the interoperability between Huawei devices and
non-Huawei devices, you can check the configurations.
Prerequisites
The interoperability between Huawei devices and non-Huawei devices has been configured.
Procedure
l
Run the display stp [ instance instance-id ] [ interface { interface-type interfacenumber } ] [ brief ] command to view spanning-tree status and statistics.
----End
5.7.6 Maintaining MSTP

MSTP maintenance includes clearing MSTP statistics.
Clearing MSTP Statistics

You can run the reset command to clear MSTP statistics.
Context
NOTICE
MSTP statistics cannot be restored after being cleared.
Procedure
Step 1 Run the reset stp [ interface interface-type interface-number ] statistics command to clear
spanning-tree statistics.
----End
Issue 02 (2013-12-31)

1551

Equipment

This section describes the networking requirements, configuration roadmap, data preparation,
and procedures for some typical application scenarios for MSTP, and also provides the related
Example for Configuring Basic MSTP Functions

This example shows how to configure basic MSTP functions.
situation.
entries.
MSTP can be deployed to eliminate loops. MSTP blocks redundant links on a Layer 2 network
and trims the network into a loop-free tree.
As shown in Figure 5-44, to load balance traffic of VLANs 1 to 10 and traffic of VLANs 11 to
20, multiple MSTIs are created. MSTP defines a VLAN mapping table in which VLANs are
associated with spanning tree instances. In addition, MSTP divides a switching network into
multiple regions, each of which has multiple independent spanning tree instances.
As shown in Figure 5-44, CX-A, CX-B, ATNC, and CX-D all run MSTP.
Issue 02 (2013-12-31)

1552

Equipment
Figure 5-44 Networking diagram of configuring basic MSTP functions

RNC
RG1
CX-A
CX-B
GE1/0/2 GE1/0/2
GE1/0/1
GE1/0/1
GE1/0/3
GE0/2/3
ATNC
GE0/2/2
GE0/2/1
CX-D
GE1/0/2
GE1/0/1
VLAN1~10
VLAN11~20
MSTI1
MSTI2
MSTI1:
Root Switch:CX-A
Blocked port
MSTI2:
Root Switch:CX-B
Blocked port
1.
Configure basic MSTP functions:

a.
Configure an MST region and create multiple MSTIs to implement load balancing.
b.
In the MST region, configure a primary root bridge and secondary root bridge for each
MSTI.
c.
Set path costs for ports to be blocked in each MSTI.
d.
Enable MSTP to eliminate loops, including:

l Enable MSTP globally.
l Enable MSTP on all the interfaces except the interfaces connected to terminals.
NOTE
MSTP is not required on the interfaces connected to terminals because these interfaces do not
need to participate in MSTP calculation.
By default, MSTP is enabled on a Layer 2 interface but not enabled on a Layer 3 interface.
Issue 02 (2013-12-31)

1553

Equipment
2.
Configure MSTP protection functions, for example, configure root protection on a

designated port of a root bridge in each MSTI.
3.
Configure the Layer 2 forwarding function on devices.
Data Preparation
l
Region name RG1
MSTIs, MSTI 1 and MSTI 2
GE interface numbers
Primary and secondary root bridges of MSTI 1 (CX-A and CX-B respectively) and primary
and secondary root bridges of MSTI 2 (CX-B and CX-A respectively)
Path costs of the ports to be blocked (20000)
VLAN IDs (1 to 20)
VLAN to which PC1 belongs (VLAN 10) and VLAN to which PC2 belongs (VLAN 20)
Procedure
Step 1 Configure basic MSTP functions.
1.
Add CX-A, CX-B, ATNC, and CX-D to MST region RG1, and create two MSTIs, MSTI
1 and MSTI 2.
# Add CX-A to RG1.
[CX-A] stp region-configuration
[CX-A-mst-region] region-name RG1
[CX-A-mst-region] instance 1 vlan 1 to 10
[CX-A-mst-region] instance 2 vlan 11 to 20
[CX-A-mst-region] active region-configuration
[CX-A-mst-region] quit
# Add CX-B to RG1.

[CX-B] stp region-configuration
[CX-B-mst-region] region-name RG1
[CX-B-mst-region] instance 1 vlan 1 to 10
[CX-B-mst-region] instance 2 vlan 11 to 20
[CX-B-mst-region] active region-configuration
[CX-B-mst-region] quit
# Add ATNC to RG1.

[ATNC] stp region-configuration
[ATNC-mst-region] region-name RG1
[ATNC-mst-region] instance 1 vlan 1 to 10
[ATNC-mst-region] instance 2 vlan 11 to 20
[ATNC-mst-region] active region-configuration
[ATNC-mst-region] quit
# Add CX-D to RG1.

[CX-D] stp region-configuration
Issue 02 (2013-12-31)

1554

Equipment
[CX-D-mst-region]
[CX-D-mst-region]
[CX-D-mst-region]
[CX-D-mst-region]
[CX-D-mst-region]
2.
region-name RG1
instance 1 vlan 1 to 10
instance 2 vlan 11 to 20
quit
In RG1, configure primary and secondary root bridges for MSTI 1 and MSTI 2.
l Configure primary and secondary root bridges for MSTI 1.
# Configure CX-A as a primary root bridge of MSTI 1.
[CX-A] stp instance 1 root primary
# Configure CX-B as a secondary root bridge of MSTI 1.

[CX-B] stp instance 1 root secondary
l Configure primary and secondary root bridges for MSTI 2.

# Configure CX-B as a primary root bridge of MSTI 2.
[CX-B] stp instance 2 root primary
# Configure CX-A as a secondary root bridge of MSTI 2.

[CX-A] stp instance 2 root secondary
3.
Set the path costs of the ports to be blocked in MSTI 1 and MSTI 2 to be larger than the
default value.
NOTE
l Different calculation methods define different path costs. Use the Huawei proprietary calculation
method as an example to set the path costs of the ports to be blocked in MSTI 1 and MSTI 2 to
20000.
l All switching devices on a network must use the same calculation for path costs.
# On CX-A, configure the path cost calculation method as the Huawei proprietary method.
[CX-A] stp pathcost-standard legacy
# On CX-B, configure the path cost calculation method as the Huawei proprietary method.
[CX-B] stp pathcost-standard legacy
# On ATNC, configure the path cost calculation method as the Huawei proprietary method
and set the path cost of GE 0/2/2 in MSTI 2 to 20000.
[ATNC] stp pathcost-standard legacy
[ATNC-GigabitEthernet0/2/2] stp instance 2 cost 20000
# On CX-D, configure the path cost calculation method as the Huawei proprietary method
and set the path cost of GE 1/0/2 in MSTI 1 to 20000.
[CX-D] stp pathcost-standard legacy
[CX-D-GigabitEthernet1/0/2] stp instance 1 cost 20000
4.
Enable MSTP to eliminate loops.

l Disable MSTP on interfaces connected to PCs.
# Disable MSTP on GE 0/2/1 of ATNC.
# Disable MSTP on GE 1/0/1 of CX-D.

[CX-D-GigabitEthernet1/0/1] stp disable
Issue 02 (2013-12-31)

1555

Equipment
l Enable MSTP globally.

# Enable MSTP on CX-A.
[CX-A] stp enable
# Enable MSTP on CX-B.

[CX-B] stp enable
# Enable MSTP on ATNC.

[ATNC] stp enable
# Enable MSTP on CX-D.

[CX-D] stp enable
l Enable MSTP on all the interfaces except the interfaces connected to terminals.
# Enable MSTP on GE 1/0/1 of CX-A.
# Enable MSTP on GE 1/0/2 of CX-A.

# Enable MSTP on GE 1/0/1 of CX-B.

# Enable MSTP on GE 1/0/2 of CX-B.

# Enable MSTP on GE 0/2/2 of ATNC.

# Enable MSTP on GE 0/2/3 of ATNC.

# Enable MSTP on GE 1/0/2 of CX-D.

# Enable MSTP on GE 1/0/3 of CX-D.

Issue 02 (2013-12-31)

1556

Equipment
Step 2 Configure MSTP protection functions, for example, configure root protection on a designated
port of a root bridge in each MSTI.
# Enable root protection on GE 1/0/1 of CX-A.
# Enable root protection on GE 1/0/1 of CX-B.

[CX-B-GigabitEthernet1/0/1] stp root-protection
Step 3 Configure the Layer 2 forwarding function on devices in the ring.

l Create VLANs 1 to 20 on CX-A, CX-B, ATNC, and CX-D.
# Create VLANs 1 to 20 on CX-A.
[CX-A] vlan batch 1 to 20
# Create VLANs 1 to 20 on CX-B.

[CX-B] vlan batch 1 to 20
# Create VLANs 1 to 20 on ATNC.

[ATNC] vlan batch 1 to 20
# Create VLANs 1 to 20 on CX-D.

[CX-D] vlan batch 1 to 20
l Add interfaces on the switching devices in the ring to VLANs.

# Add GE 1/0/1 on CX-A to VLANs.
[CX-A-GigabitEthernet1/0/1] port trunk allow-pass vlan 1 to 20
# Add GE 1/0/2 on CX-A to VLANs.

# Add GE 1/0/1 on CX-B to VLANs.

[CX-B-GigabitEthernet1/0/1] port trunk allow-pass vlan 1 to 20
# Add GE 1/0/2 on CX-B to VLANs.

[CX-B-GigabitEthernet1/0/2] port trunk allow-pass vlan 1 to 20
# Add GE 0/2/2 on ATNC to VLANs.

[ATNC-GigabitEthernet0/2/2] port trunk allow-pass vlan 1 to 20
# Add GE 0/2/3 on ATNC to VLANs.

[ATNC-GigabitEthernet0/2/3] port trunk allow-pass vlan 1 to 20
# Add GE 1/0/2 on CX-D to VLANs.

[CX-D] interface gigabitEthernet 1/0/2
[CX-D-GigabitEthernet1/0/2] port trunk allow-pass vlan 1 to 20
Issue 02 (2013-12-31)

1557

Equipment
# Add GE 1/0/3 on CX-D to VLANs.


After completing the previous configurations, run the following commands to verify the
configurations.
MSTID
Port
0
0
1
1
2
2
Role STP State

DESI FORWARDING
DESI FORWARDING
DESI FORWARDING
DESI FORWARDING
DESI FORWARDING
ROOT FORWARDING
Protection
NONE
NONE
NONE
NONE
NONE
NONE
In MSTI 1, CX-A is a root bridge and thus GE 1/0/2 and GE 1/0/1 on CX-A are designated ports.
In MSTI 2, GE 1/0/1 on Switch A is a designated port and GE 1/0/2 is a root port.
# Run the display stp brief command on CX-B. The displayed information is as follows:
[CX-B] display stp brief
MSTID
Port
0
0
1
1
2
2
Role STP State

DESI FORWARDING
ROOT FORWARDING
DESI FORWARDING
ROOT FORWARDING
DESI FORWARDING
DESI FORWARDING
Protection
NONE
NONE
NONE
NONE
NONE
NONE
In MSTI 2, CX-B is a root bridge and thus GE 1/0/1 and GE 1/0/2 on CX-B are designated ports.
In MSTI 1, GE 1/0/1 of CX-B is a designated port and GE 1/0/2 is a root port.
# Run the display stp interface brief command on ATNC. The displayed information is as
follows:
MSTID
Port
Role STP State
0
ROOT FORWARDING
1
ROOT FORWARDING
2
ROOT FORWARDING
MSTID
Port
Role STP State
0
DESI FORWARDING
1
DESI FORWARDING
2
ALTE DISCARDING
Protection
NONE
NONE
NONE
Protection
NONE
NONE
NONE
# Run the display stp interface brief command on CX-D. The displayed information is as
follows:
[CX-D] display stp interface gigabitethernet 1/0/3 brief
MSTID
Port
Role STP State
0
ALTE DISCARDING
1
ROOT FORWARDING
2
ROOT FORWARDING
[CX-D] display stp interface gigabitethernet 1/0/2 brief
MSTID
Port
Role STP State
Issue 02 (2013-12-31)

Protection
NONE
NONE
NONE
Protection
1558

Equipment
0
1
2

ROOT
ALTE
DESI
FORWARDING
DISCARDING
FORWARDING
NONE
NONE
NONE
GE 1/0/3 on CX-D is a root port in both MSTI 1 and MSTI 2. GE 1/0/2 on CX-D is blocked in
MSTI 1 but is calculated to be a designated port in MSTI 2.
----End
Configuration Files
l

#
sysname CX-A
#
vlan batch 1 to
20
#
stp instance 1 root
primary
stp instance 2 root
secondary
legacy
stp enable
#
stp regionconfiguration
region-name
RG1
instance 1 vlan 1 to
10
20
active regionconfiguration
#
interface
undo shutdown
portswitch
port trunk allow-pass vlan 1 to
20
stp rootprotection
#
interface
undo shutdown
portswitch
#
return

#
sysname CX-B
#
vlan batch 1 to
20
#
stp instance 1 root
secondary
stp instance 2 root
primary
Issue 02 (2013-12-31)

1559

Equipment
legacy
stp enable
#
region-name
RG1
10
20
#
interface
undo shutdown
portswitch
20
stp rootprotection
#
interface
undo shutdown
portswitch
20
#
return

#
sysname ATNC
#
vlan batch 1 to
20
#
legacy
stp
enable
#
region-name
RG1
10
20
#
interface
stp
disable
#
interface
20
stp instance 2 cost
20000
#
Issue 02 (2013-12-31)

1560

Equipment
interface
20
#
return

#
sysname CX-D
#
vlan batch 1 to
20
#
legacy
stp
enable
#
region-name
RG1
10
20
#
interface
stp
disable
#
interface
20
stp instance 1 cost
20000
#
interface
20
#
return
5.8 RRPP Configuration

The Rapid Ring Protection Protocol (RRPP) features fast convergence, because the convergence
time is irrelevant to the number of the nodes on the ring.
5.8.1 RRPP Introduction

To shorten the convergence time and reduce the impact of the network size on convergence
speed, Huawei has developed RRPP, which is a link layer protocol applied to an Ethernet ring.
Overview of RRPP
RRPP is a link layer protocol applied to an Ethernet ring. RRPP features fast convergence and
can prevent broadcast storms caused by data loops.
Issue 02 (2013-12-31)

1561

Equipment
For most MANs and LANs, the ring network is adopted to provide high reliability. A fault of
any single node on the ring, however, affects the service. In general, the technology of the ring
network is the Resilient Packet Ring (RPR) or Ethernet ring. A special hardware is required to
adopt RPR, which increases the costs. Therefore, increasing number of MANs and LANs are
moving towards adopting the Ethernet ring as it is technologically advanced and the costs
involved are comparatively less.
The Rapid Spanning Tree Protocol (RSTP) or Multiple Spanning Tree Protocol (MSTP) and
Rapid Ring Protection Protocol (RRPP) are generally adopted to address the Layer 2 network
loop. RSTP/MSTP is highly adaptable; however, the convergence time is measured in seconds.
Compared with other Ethernet ring technologies, RRPP has the following features:
l
Fast convergence.
Convergence time is not related to the number of nodes on a ring network. Therefore, RRPP
can be applied to a large-scale network.
RRPP can prevent broadcast storm caused by loops when an Ethernet ring network is
complete.
On an Ethernet ring network, when a link is disconnected, a backup link immediately

resumes the normal communication between nodes.
RRPP Features Supported by the ATN

This part describes basic principles and application scenarios of RRPP in terms of RRPP basic
functions, Hello and Fail timers, monitoring interface.
Basic Functions of RRPP

This section describes several RRPP concepts as shown in Figure 5-45.
Figure 5-45 Application of crossed RRPP rings in the MAN
RRPP Domain
Master
Node
ATNA
Edge Node
CX-B
Transit Node
RRPP Sub-Ring 1
CX-A
RRPP Major-Ring
Master
Node
Assistant Node
CX-C
Master Node
Transit Node
RRPP Sub-Ring 2
ATNB
Issue 02 (2013-12-31)

1562

Equipment
RRPP domain
An RRPP domain is identified uniquely with the domain ID, which is an integer.
The RRPP domain comprises a group of switches that are connected and configured with
the same domain ID and control VLAN. One RRPP domain consists of elements such as
the RRPP major ring and sub-ring, control VLAN, master node, transit node, common port
and edge port, and primary port and secondary port.
RRPP ring
One RRPP ring corresponds only to one Ethernet ring topology. An RRPP ring is a part of
the RRPP domain. An RRPP domain can consist of one RRPP ring or multiple crossed
RRPP rings.
RRPP major ring and sub-ring

If an RRPP domain consists of multiple crossed RRPP rings, you can set one ring to be the
major ring and other rings to be sub-rings by specifying their levels.
In one RRPP domain, there is only one RRPP major ring.
The protocol packets of the sub-ring are transmitted as data packets in the major ring. The
packets of the major ring are transmitted only in the major ring.
Control VLAN of RRPP

The control VLAN is a concept related to the data VLAN. In the RRPP domain, the control
VLAN is only used to transmit RRPP protocol packets. The control VLAN contains only
RRPP interfaces.
One RRPP domain is configured with two control VLANs, that is, the major control VLAN
and sub-control VLAN. During configuration, you must specify only the major control
VLAN, and set the VLAN whose ID is equal to the major control VLAN ID plus 1 to the
sub-control VLAN.
The data VLAN is used to transmit data packets as against the control VLAN. The data
VLAN can contain both the RRPP port and non-RRPP port.
Master node
On the Ethernet ring, each switch is called a node. On each RRPP ring, there must be only
one master node.
Transit node
On an RRPP major ring, all nodes are transit nodes except the master node.
The transit node monitors the status of its directly connected RRPP links. When the link
status is changed, the transit node informs the master node. The master node decides how
to process the change.
Edge node and assistant edge node

A switch is an edge node or an assistant edge node on the sub-ring, and it is a transit node
on the major ring.
On an RRPP sub-ring, either of the two nodes crossing with the major ring can be specified
as the edge node. On one sub-ring, there must be only one edge node.
On an RRPP sub-ring, if one of the two nodes crossed with the major ring is specified as
the edge node, the other node is the assistant edge node.
Issue 02 (2013-12-31)

1563

Equipment
Primary port and secondary port

On both the master node and transit node, one of the two ports to the Ethernet ring is the
primary port, and the other is the secondary port. The role of a port is decided by the user
configuration.
Common port and Edge port

On an edge node or an assistant edge node, the port shared by the sub-ring and major ring
is called the common port. The port only on the sub-ring is called the edge port.
Hello Timer and Fail Timer

When RRPP detects the link status of the Ethernet ring, the master node sends the Hello packet
according to the Hello timer. The master node then assesses whether the secondary port receives
the Hello packet according to the Fail timer.
l
The value of the Hello timer specifies the period taken by the master node to send the Hello
packet from the primary port.
The value of the Fail timer specifies the maximum period delayed by the Hello packet to
reach the secondary port from the primary port.
Monitoring Interface
As shown in Figure 5-46, Metro Ethernet RRPP networking solution can realize the switchover
of Network Provider Edge (NPE).
Figure 5-46 Networking diagram of Metro Ethernet RRPP solution
Master: VLAN1-100
Backup: VLAN101-200
UPE
NPE A
ATN
RRPP ring
VLAN:101-200
LANSwitch
DSLAM
PE-AGG A BFD
BFD for VRRP

RRPP ring
VLAN:1-100
UPE
PE-AGG B
ATN
BFD
Core
network
NPE B
Master: VLAN101-200
Backup: VLAN1-100
Track interface
DSLAM: Digital Subscriber Line Access Multiplexer
PE-AGG: PE-Aggregation
UPE: Underlayer Provider Edge
NPE: Network Provider Edge
BFD: Bidirectional Forwarding Detection
VRRP: Virtual Router Redundancy Protocol
After monitoring interfaces are configured on PE-AGG nodes, RRPP rings can monitor the status
of the connections between PE-AGG nodes and NPEs. When the status of monitoring interfaces
or the status of bidirectional forwarding detection (BFD) on interfaces changes, each node on
RRPP rings updates its dynamic MAC address table. This ensures the continuity of the traffic
between master/backup NPEs and PE-AGG nodes.
Issue 02 (2013-12-31)

1564

Equipment
5.8.2 Configuring RRPP Functions

Through RRPP, devices on an Ethernet ring are configured to be the nodes with different roles
on RRPP rings. The nodes on an RRPP ring detect the ring status and transmit topology changes
by sending and receiving RRPP protocol packets. The master node on an RRPP ring blocks or
opens secondary ports according to the ring status. In this manner, if a fault occurs on a node or
a link on the RRPP ring, traffic can be fast switched to the backup link and data loops can be
prevented.
Before You Start

If you have already enabled RRPP on a port, you cannot enable STP on it. That is, the two
protocols cannot coexist on a port.
RRPP is used for the networking of the single-ring or multiple crossed rings. When configuring
RRPP, you must configure all nodes on the RRPP ring.
NOTE
The RRPP or the STP cannot coexist on a port.

RRPP contains no auto election mechanism. Therefore, to ensure the detection and protection of the ring
network through RRPP, you must correctly configure each node on the ring.
Pre-Configuration Tasks
Before configuring RRPP functions, complete the following tasks:
l
Establish g the ring topology.
Configure the link attributes of the interface.
Data Preparation
To configure RRPP functions, you need the following data.
Issue 02 (2013-12-31)
No.
Data
ID of the RRPP domain
ID of the control VLAN in the RRPP domain
IDs of all RRPP rings in the RRPP domain
Values of the Hello timer and Fail timer in the RRPP domain
Port name of the RRPP ring

1565

Equipment
Creating the RRPP Domain

A group of connected switches that have the same domain ID and the same control VLANs
constitute an RRPP domain. An RRPP domain mainly consists of RRPP rings, control VLANs,
and master nodes.
Context
Perform the following steps on all switches in the RRPP domain:
Procedure
Step 1 Run:
system-view

Step 2 Run:
rrpp domain domain-id
The RRPP domain is created.

When creating the RRPP domain, you must specify the domain ID. If the domain exists, the
domain view is directly displayed.
NOTE
The maximum number of RRPP rings that can be configured on a device is determined by the relevant
license. To purchase the License, you can contact the Huawei technical support personnel.

description text
A description is configured for the RRPP domain.

By default, no description is configured for an RRPP domain.
After RRPP is configured on a device, you can run the description command to configure the
description of the RRPP domain, including the RPPP domain ID, to facilitate maintenance.
----End
Creating the Control VLAN

Each RRPP ring has two control VLANs. The major control VLAN transmits mainly the protocol
packets of the major ring; the sub-control VLAN transmits mainly the protocol packets of the
sub-rings.
Context
Procedure
Step 1 Run:
system-view
Issue 02 (2013-12-31)

1566

Equipment

Step 2 Run:
The domain view is displayed.

Step 3 Run:
control-vlan vlan-id
The control VLAN is created.

The control VLAN specified by vlan-id and the sub-control VLAN specified by vlan-id+1 must
be uncreated and not used in port trunk, mapping, or stacking mode.
After configuring the control VLAN, you cannot directly modify it. Instead, you can delete the
domain and reconfigure the control VLAN. Or you can delete the control VLAN using the undo
control-vlan command, and reconfigure the control VLAN. The sub-control VLAN is also
deleted when you delete the domain.
----End
(Optional) Setting the Values of RRPP Domain Timers

Two timers, that is, the Hello timer and the Fail timer are used when master nodes are sending
and receiving RRPP protocol packets. The Hello timer is used when primary ports are sending
Hello packets. The Fail timer is used when secondary ports are receiving the Hello packets sent
by the local node.
Context
Perform the following steps on the master node in the RRPP domain:
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
timer hello-timer hello-value fail-timer fail-value
The values of RRPP domain timers are set.

The value of the Fail timer is equal to or more than three times the value of the Hello timer.
The value of the Edge-hello timer defaults to half the value of the Hello timer of the master node
on the major ring.
Set consistent Hello timers and Fail timers on all the nodes in the same RRPP ring domain;
otherwise, the edge ports of the edge nodes might be unstable.
Issue 02 (2013-12-31)

1567

Equipment
Setting the Fail timer to 30 seconds is recommended. Temporary loop may occur if the default
value is used. For example, when RRPP multi-instance is used and multiple domains are
configured on one ring, a loop may occur if the default Fail timer is used.
----End
Configuring the Ports on an RRPP Ring

The ports on an RRPP ring are called RRPP ports. RRPP ports have to allow the packets from
both control VLANs and data VLANs to pass through, so you can configure the type of the
RRPP ports as trunk or hybrid.
Context
NOTICE
If the board where the ports reside is pulled out, all RRPP configurations on the port are lost and
cannot recover automatically. To restore the RRPP configurations on the ports, run all the
commands about RRPP again.
Perform the following steps at the port that needs to be added into RRPP ring.
Procedure
Step 1 Run:
system-view
The system view displayed.

Step 2 Run:

The Layer 2 ports supported by RRPP are Ethernet, GigabitEthernet, and Eth-Trunk on Layer
2.
Interfaces enabled with MSTP and Eth-Trunk member interfaces cannot be configured as RRPP
ports.
Step 3 Run:
portswitch
The port is switched to a switched port.

The port is configured as a trunk port.

By default, the port is a hybrid port.
Issue 02 (2013-12-31)

1568

Equipment
The RRPP port should be set to a trunk or hybrid port because it allows packets from both the
control VLAN and the data VLAN to pass through.
Step 5 Run:
port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
The RRPP port is configured to allow the data VLAN frames to pass through.
NOTE
l The control VLAN is specified by the control-vlan command in the RRPP domain view and
automatically becomes the VLAN that is allowed on all RRPP interfaces. Therefore, you only need to
specify the data VLAN in this step.
l When RRPP ports are to be added to a VLAN, if VLANIF interfaces in this VLAN are enabled with
RRPP snooping, the RRPP ports cannot be added to the VLAN.
Step 6 Run:
stp disable
STP is disabled at the port.

By default, STP is enabled on all ports of the device. Before creating an RRPP ring, you need
to disable STP at all ports to be added to the RRPP ring.
----End
Creating the RRPP Ring

An RRPP ring physically corresponds to an Ethernet ring. An RRPP domain consists of one or
multiple crossed RRPP rings. In an RRPP domain, only one RRPP ring is the major ring and the
others are sub-rings. Whether a ring is a major ring or a sub-ring depends on the level specified
for that ring.
Context
NOTE
By default, STP is enabled on all interfaces of the device. Before creating the RRPP ring, therefore, you
need to use the stp disable command to disable the STP function on the interfaces to be added to the RRPP
ring.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ring ring-id node-mode { master | transit } primary-port interface-type interfacenumber secondary-port interface-type interface-number level level-value
Issue 02 (2013-12-31)

1569

Equipment
The RRPP ring is created.

RRPP can be used on the ports such as Ethernet, GigabitEthernet, Eth-Trunk.
The level 0 refers to the major ring, while level 1 refers to the sub-ring. In one domain, there
must be only one major ring. The sub-ring can be created only after creating the major ring.
NOTE
When a major ring and a sub-ring are intersectant, it is recommended that you configure the major ring
before configuring the sub-ring. If you configure the sub-ring first, the broadcast storm of the protocol
packets may easily occur. The protocol packets of the major ring are then discarded by a transit node. It
causes the secondary port to fail to receive the protocol packets and therefore fail to be blocked. As a result,
the state of the RRPP ring is incorrect.
Step 4 Run:
ring ring-id node-mode { edge | assistant-edge } common-port interface-type
interface-number edge-port interface-type interface-number
The edge node and assistant edge node on the RRPP sub-ring are configured.
The common port of the edge node and assistant edge node must be on the major ring.
The system automatically sets the level of the ring where the edge node and assistant edge node
reside to 1.
NOTE
l The maximum number of RRPP rings that can be created on a device or in a domain is determined by
the relevant license. To purchase the license, you can contact the Huawei technical support personnel.
l The assistant edge node and edge node belong to an RRPP domain, and you cannot configure a device
as both the assistant edge node and edge node.
l If two devices are configured as assistant edge nodes incorrectly, broadcast storms may occur in the
sub-ring.
----End
Enabling the RRPP Ring

The protocol packets of sub-rings are transmitted on the major ring as data packets; the protocol
packets of the major ring are transmitted on only the major ring. An RRPP ring can take effect
only when it is enabled.
Context
NOTE
l The RRPP ring can be activated only when both the RRPP ring and RRPP protocol are enabled.
l RRPP and RRPP snooping cannot be configured on the same interface.
Procedure
Step 1 Run:
system-view

Issue 02 (2013-12-31)

1570

Equipment
Step 2 Run:

Step 3 Run:
ring ring-id enable
The RRPP ring is enabled.

----End
Enabling RRPP
To activate an RRPP ring, you must enable RRPP and the RRPP ring.
Context
NOTE
The RRPP ring can be activated only when both the RRPP ring and RRPP protocol are enabled.
Procedure
Step 1 Run:
system-view

Step 2 Run:
rrpp enable
The RRPP protocol is enabled.

----End

After the basic RRPP functions are successfully configured, you can view the mode of the nodes
on the RRPP ring, RRPP protocol status, protection VLAN, control VLAN, link recovery delay,
and timer value.
Prerequisites
The configurations of RRPP function are complete.
Procedure
l
Run the display stp region-configuration command to check the mapping between the
VLAN and instance.
Run the display rrpp brief command to check the brief information about the RRPP
domain.
Issue 02 (2013-12-31)

1571

Equipment
Run the display rrpp verbose domain domain-id [ ring ring-id ] command to check the
detailed information about the RRPP domain.
Run the display rrpp statistics domain domain-id [ ring ring-id ] command to check the
packet statistics of the RRPP domain.
----End
5.8.3 Configuring the Monitoring Interface

A monitoring interface is used in the networking scheme where master and backup NPEs
connected to RRPP rings support fast switching of Layer 2 services. When the status of the
monitoring interface or the status of the BFD session changes, the node where the monitoring
interface resides clears the dynamic MAC entries, and meanwhile sends a COMMON-FLUSHFDB packet to notify other nodes on the RRPP ring to clear their dynamic MAC entries.
Before You Start

The port that is configured as a monitoring interface supports hot swapping. Each time it is pulled
out or inserted, dynamic MAC entries start to be cleared on the RRPP ring. When the port that
is configured as a monitoring interface is pulled out and a different port is inserted, the original
configuration of the monitoring interface is cleared.
The monitoring interface is used for the networking of NPEs connecting to RRPP switchover.
Figure 5-47 Networking diagram of the applicable environment of monitoring interfaces
UPE
PE-AGG A
UPE
NPE A
RRPP ring
UPE
RRPP ring
UPE
UPE
PE-AGG B
NPE B
Track interface
Before configuring an RRPP monitoring interface, complete RRPP ring configuration with
normal RRPP performance.
Issue 02 (2013-12-31)

1572

Equipment
Data Preparation
To configure an RRPP monitoring interface, you need the following data.
No.
Data
RRPP domain ID
RRPP ring ID
Number of the monitoring interface
Setting the Monitoring Interface

A monitoring interface can be configured on any node of an RRPP major ring or a sub-ring, but
it cannot be a port on an RRPP ring. Different RRPP rings can share one monitoring interface.
Context
Perform the following steps on the nodes connecting to NPE on the RRPP ring:
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ring ring-id track interface interface-type interface-number
Set the monitoring interface.

The monitoring interface cannot be a port on the RRPP ring.
The interface types are available as Ethernet interface, GigabitEthernet interface, Eth-Trunk
interface, Ethernet sub-interface, GigabitEthernet sub-interface, Eth-Trunk sub-interface, and
VLANIF interface.
When configuring Eth-Trunk as the monitoring interface, note that:
l If an Eth-Trunk interface is a monitoring interface, its member interface cannot be configured
as a monitoring interface.
l If a member interface of Eth-Trunk interface is configured as a monitoring interface, the EthTrunk interface cannot be configured as a monitoring interface.
Repeat the process when you need to configure more than one monitoring interfaces. On an
RRPP ring, a maximum of 8 monitoring interfaces can be configured.
Different RRPP rings can share one monitoring interface.
Issue 02 (2013-12-31)

1573

Equipment
NOTE
The maximum number of track interfaces that can be configured on a device is determined by the relevant
license. To purchase the License, you can contact the Huawei technical support personnel.
----End

After a monitoring interface is successfully configured, you can view information about the
monitoring interface in a specified RRPP domain.
Prerequisites
The configurations of the monitoring interface function are complete.
Procedure
Step 1 Run the display rrpp verbose domain domain-id [ ring ring-id ] command to check information
about the monitoring interface on the RRPP.
----End
5.8.4 Maintaining RRPP

Commands of clearing statistics helps to locate the RRPP faults on a device.
Clearing RRPP Running Information

You can run the reset command to reset the RRPP statistics before recollecting RRPP statistics.
Context
NOTICE
RRPP statistics cannot be restored once cleared. Therefore, confirm the action before you use
the command.
To clear the RRPP statistics, run the following reset command in the user view:
Procedure
Step 1 Run the reset rrpp statistics domain domain-id [ ring ring-id ] command in the user view to
clear the statistics of RRPP.
----End
Issue 02 (2013-12-31)

1574

Equipment

This section describes the typical application scenario of RRPP, including networking
files.
Example for Configuring a Single RRPP Ring

This part takes an example of the networking of a single RRPP ring to describe how to configure,
use, and apply basic RRPP functions.
As shown in Figure 5-48, ATNA, CX-B, and CX-C support the RRPP function. ATNA, CXB, and CX-C construct ring 1 in domain 1.
Figure 5-48 Networking diagram of configuring a single RRPP ring
CX-B
GE2/0/2
GE2/0/1
GE2/0/1
Ring 1
GE0/2/2
GE2/0/2
CX-C
GE0/2/1
ATNA
1.
ATNA, CX-B, and CX-C construct ring 1 in domain 1.
2.
Configure ATNA as the master node in ring 1, and CX-B and CX-C as transit nodes in ring
1.
Data Preparation
l
Number of the RRPP interface
Control VLAN ID of ring 1
Procedure
Step 1 Create an RRPP domain and its control VLAN.
# Configure the domain of ATNA, the master node of ring 1, to be 1, and the ID of the major
control VLAN to be 20.
<ATNA> system-view
Issue 02 (2013-12-31)

1575

Equipment
[ATNA] rrpp domain 1

[ATNA-rrpp-domain-region1] control-vlan 20
[ATNA-rrpp-domain-region1] quit
# Configure the domain of CX-B, a transit node of ring 1, to be 1, and the ID of the major control
VLAN to be 20.
<CX-B> system-view
[CX-B] rrpp domain 1
[CX-B-rrpp-domain-region1] control-vlan 20
[CX-B-rrpp-domain-region1] quit
# Configure the domain of CX-C, a transit node of ring 1, to be 1, and the ID of the major control
VLAN to be 20.
<CX-C> system-view
[CX-C] rrpp domain 1
[CX-C-rrpp-domain-region1] control-vlan 20
[CX-C-rrpp-domain-region1] quit
Step 2 Disable the STP function on the interfaces to be added to the RRPP ring.
# Disable the STP function on the interfaces to be added to the RRPP ring on ATNA.
<ATNA> system-view
[ATNA-GigabitEthernet0/2/1] stp disable
[ATNA-GigabitEthernet0/2/2] stp disable
# Disable the STP function on the interfaces to be added to the RRPP ring on CX-B.
<CX-B> system-view
# Disable the STP function on the interfaces to be added to the RRPP ring on CX-C.
<CX-C> system-view
[CX-C-GigabitEthernet2/0/1] portswitch
[CX-C-GigabitEthernet2/0/1] stp disable
Step 3 Create an RRPP ring.

# Configure ATNA as the master node of RRPP ring 1 and specify primary and secondary
interfaces.
Issue 02 (2013-12-31)

1576

Equipment
<ATNA> system-view
[ATNA] rrpp domain 1
[ATNA-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitethernet
0/2/1 secondary-port gigabitethernet 0/2/2 level 0
[ATNA-rrpp-domain-region1] ring 1 enable
[ATNA-rrpp-domain-region1] quit
# Configure CX-B as a transit node of RRPP major ring 1 and specify primary and secondary
interfaces.
<CX-B> system-view
[CX-B] rrpp domain 1
[CX-B-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet
[CX-B-rrpp-domain-region1] ring 1 enable
[CX-B-rrpp-domain-region1] quit
# Configure CX-C as a transit node of RRPP ring 1 and specify primary and secondary interfaces.
<CX-C> system-view
[CX-C-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet
[CX-C-rrpp-domain-region1] ring 1 enable
Step 4 Enable RRPP.

After configuring an RRPP ring, you need to enable RRPP on each node on the ring. In this
manner, the RRPP ring can be activated. The configuration procedure is as follows:
# Enable RRPP on ATNA.
<ATNA> system-view
[ATNA] rrpp enable
# Enable RRPP on CX-B.

<CX-B> system-view
[CX-B] rrpp enable
# Enable RRPP on CX-C.

<CX-C> system-view
[CX-C] rrpp enable

After the configuration, perform the following procedures to verify the previous configuration.
Take the display on ATNA as an example:
l On ATNA, run the display rrpp brief command. The following results are displayed.
<ATNA> display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , E - Edge , A - Assistant-Edge
RRPP Protocol Status: Enable
Number of RRPP Domains: 1
Domain Index : 1
Control VLAN : major 20
sub 21
Hello Timer
: 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Ring
Ring
Node
Primary
Secondary/Edge
Is
ID
Level
Mode
Port
Port
Enabled
--------------------------------------------------------------------------1
0
M
Yes
You can view that RRPP is enabled on ATNA. In domain 1, VLAN 20 is the major control
VLAN, VLAN 21 is the sub-control VLAN, and ATNA is the master node in major ring 1
Issue 02 (2013-12-31)

1577

Equipment
with the primary interface and secondary interface respectively as GigabitEthernet 0/2/1 and
GigabitEthernet 0/2/2.
l On ATNA, run the display rrpp verbose domain command. The following results are
displayed.
# View detailed information about ATNA in domain 1.
<ATNA> display rrpp verbose domain 1
Domain Index : 1
sub 21
Hello Timer
RRPP Ring
: 1
Ring Level
: 0
Node Mode
: Master
Ring State
: Complete
Is Enabled
: Enable
Is Active : Yes
Primary port : GigabitEthernet0/2/1
Port status: UP
Secondary port: GigabitEthernet0/2/2
Port status: BLOCKED
----End
Configuration Files
l

#
sysname ATNA
#
rrpp domain 1
control-vlan 20
ring 1 node-mode master primary-port GigabitEthernet 0/2/1 secondary-port
GigabitEthernet 0/2/2 level 0
ring 1 enable
#
undo shutdown
portswitch
stp disable
#
undo shutdown
portswitch
stp disable
#
rrpp enable
#

#
sysname CX-B
#
rrpp domain 1
control-vlan 20
ring 1 node-mode transit primary-port GigabitEthernet 2/0/1 secondary-port
ring 1 enable
#
undo shutdown
portswitch
stp disable
#
Issue 02 (2013-12-31)

1578

Equipment
undo shutdown
portswitch
stp disable
#
rrpp enable
#
return
#

#
sysname CX-C
#
rrpp domain 1
control-vlan 20
ring 1 node-mode transit primary-port GigabitEthernet 2/0/1 secondary-port
ring 1 enable
#
undo shutdown
portswitch
stp disable
#
undo shutdown
portswitch
stp disable
#
rrpp enable
#
return
Example for Configuring a Crossed RRPP Ring

A metro Ethernet adopts an architecture of two-level rings. One is the convergence layer and is
configured with an RRPP major ring; the other is the access layer and is configured with an
RRPP sub-ring. In this networking, the major ring and sub-ring have two intersection points
(two nodes), and there is no other node between the two nodes. The two intersection nodes can
be configured only as transit nodes. On a sub-ring, if one of the two transit nodes is configured
as an edge node, the other node must be configured as an assistant edge node.
As shown in Figure 5-49, CX-A, ATNB, CX-C, and CX-D support the RRPP function.
Configure CX-A, ATNB, and CX-D to be major Ring 1 in Domain 1. CX-A, CX-C, and CX-D
to be Sub-Ring 2 in Domain 1 are configured. Control VLAN ID is 10. This RRPP ring sends
data of VLAN 1 to VLAN 9.
Issue 02 (2013-12-31)

1579

Equipment
Figure 5-49 Networking diagram of a crossed RRPP ring

CX-C
GE1/0/2
sub- ring
GE1/0/1
ATNB
GE1/0/3
GE1/0/1
CX-A
GE1/0/2
GE1/0/3
GE1/0/2
CX-D
GE0/2/1 major ring
GE1/0/1
GE0/2/2
1.
The configuration roadmap is as follows: Configure CX-A, ATNB, and CX-D as the major
Ring 1 in domain 1. Major control VLAN ID is 10.The VLAN IDs whose service traffic
is allowed to pass through the major ring and sub-ring are VLAN 1 to VLAN 9.
2.
Configure CX-A, ATNB, and CX-D as the Sub-ring 2 in domain 1.
3.
Configure ATNB as the master node on the major ring and CX-A and CX-D as transit nodes
on the major ring.
4.
Configure CX-C as the master node on the sub-ring. Configure CX-A as the edge node on
the sub-ring and CX-D as the assistant edge node on the sub-ring.
Data Preparation
To configure this, you need the following data:
l
Number of the interface to be added to RRPP ring
Control VLAN ID and data VLAN ID
Procedure
Step 1 Configure ATNB as the master node of the major ring.
# Create data VLAN 1 to VLAN 9 on ATNB.
[ATNB] vlan batch 1 to 9
# Configure Domain 1 on ATNB and set VLAN 10 to be the major control VLAN.
[ATNB] rrpp enable
[ATNB] rrpp domain 1
[ATNB-rrpp-domain-region1] control-vlan 10
[ATNB-rrpp-domain-region1] quit
# Disable STP on the interfaces to be added to the RRPP ring, and set the RRPP port as trunk
port.
Issue 02 (2013-12-31)

1580

Equipment

[ATNB-GigabitEthernet0/2/1] port link-type trunk
[ATNB-GigabitEthernet0/2/1] port trunk allow-pass vlan 1 to 9
[ATNB-GigabitEthernet0/2/1] stp disable
[ATNB-GigabitEthernet0/2/2] port link-type trunk
[ATNB-GigabitEthernet0/2/2] port trunk allow-pass vlan 1 to 9
[ATNB-GigabitEthernet0/2/2] stp disable
# Configure the primary port and secondary port of the master node on the RRPP major ring.
[ATNB] rrpp domain 1
[ATNB-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitethernet
[ATNB-rrpp-domain-region1] ring 1 enable
[ATNB-rrpp-domain-region1] quit
Step 2 Configure CX-C to be the master node of the sub-ring..

# Create data VLAN 1 to VLAN 9 on CX-C
[CX-C] vlan batch 1 to 9
# Configure Domain 1 on CX-C and set VLAN 10 to be the major control VLAN.
[CX-C] rrpp enable
[CX-C-rrpp-domain-region1] control-vlan 10
# Disable STP on the port to be added to the RRPP ring, and set the RRPP port as a trunk port.
[CX-C] interface gigabitethernet1/0/1
[CX-C-GigabitEthernet1/0/1] port link-type trunk
[CX-C-GigabitEthernet1/0/1] port trunk allow-pass vlan 1 to 9
[CX-C] interface gigabitethernet1/0/2
[CX-C-GigabitEthernet1/0/2] port link-type trunk
[CX-C-GigabitEthernet1/0/2] port trunk allow-pass vlan 1 to 9
# Configure the primary port and secondary port of the master node on the RRPP sub-ring.
[CX-C-rrpp-domain-region1] ring 2 node-mode master primary-port gigabitethernet
[CX-C-rrpp-domain-region1] ring 2 enable
Step 3 Configure CX-A to be the transit node in the major ring and the edge node on the sub-ring
respectively.
# Create data VLAN 1 to VLAN 9 on CX-A.
[CX-A] vlan batch 1 to 9
# Configure Domain 1 on CX-A and set VLAN 10 to be the major control VLAN.
Issue 02 (2013-12-31)

1581

Equipment
[CX-A] rrpp enable

[CX-A] rrpp domain 1
[CX-A-rrpp-domain-region1] control-vlan 10
[CX-A-rrpp-domain-region1] quit
# Disable STP on the ports that will be added to RRPP ring, and set RRPP port as a trunk port.
[CX-A] interface gigabitethernet1/0/1
[CX-A-GigabitEthernet1/0/1] port link-type trunk
[CX-A-GigabitEthernet1/0/1] stp disable
# Configure the primary port and secondary port of the transit node on the RRPP major ring.
[CX-A-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet
[CX-A-rrpp-domain-region1] ring 1 enable
# Configure the common port and edge port of the edge node on the RRPP sub-ring.
[CX-A-rrpp-domain-region1] ring 2 node-mode edge common-port gigabitethernet 1/0/2
edge-port gigabitethernet 1/0/3
[CX-A-rrpp-domain-region1] ring 2 enable
Step 4 Configure CX-D to be the transit node on the major ring and the assistant edge node on the subring respectively.
# Create data VLAN 1 to VLAN 9 on ATNB.
[CX-D] vlan batch 1 to 9
# Configure Domain 1 on CX-D and set VLAN 10 to be the major control VLAN.
[CX-D] rrpp enable
[CX-D] rrpp domain 1
[CX-D-rrpp-domain-region1] control-vlan 10
[CX-D-rrpp-domain-region1] quit
# Disable STP on the port to be added to RRPP ring, and set the RRPP port as trunk port.
[CX-D] interface gigabitethernet1/0/1
[CX-D-GigabitEthernet1/0/1] port link-type trunk
Issue 02 (2013-12-31)

1582

Equipment

# Configure the primary port and secondary port of the transit node on the RRPP major ring.
[CX-D-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet
[CX-D-rrpp-domain-region1] ring 1 enable
# Configure the common port and edge port of the assistant edge node on the RRPP sub-ring.
[CX-D-rrpp-domain-region1] ring 2 node-mode assistant-edge common-port
gigabitethernet 1/0/2 edge-port gigabitethernet 1/0/3
[CX-D-rrpp-domain-region1] ring 2 enable
Step 5 Check the configuration

You can run the following commands to verify the previous configurations:
l On ATNB, run the display rrpp brief command. The configurations are displayed as
follows:
<ATNB> display rrpp brief
Domain Index : 1
sub 11
Hello Timer
Ring
Ring
Node
Primary
Secondary/Edge
Is
ID Level
Mode
Port
Port
Enabled
-----------------------------------------------------------------------------1
0
M
GigabitEthernet0/2/1 GigabitEthernet0/2/2 Yes
You can view that RRPP on ATNB is enabled. The major control VLAN ID is 10, and the
sub control VLAN ID is 11. ATNB is the master node on the major ring with the primary
port and the secondary port as GE 0/2/1 and GE 0/2/2 respectively.
l On ATNB, run the display rrpp verbose domain command. The configuration is displayed
as follows:
<ATNB> display rrpp verbose domain 1
Domain Index : 1
sub 11
Hello Timer
: 1 sec(default is 1 sec)
RRPP Ring
Ring Level
Node Mode
Ring State
Is Enabled
Issue 02 (2013-12-31)
:
:
:
:
:
Fail Timer : 6 sec(default is 6 sec)
1
0
Master
Completed
Enable
Is Active : Yes

1583

Equipment
Primary port : GigabitEthernet0/2/1
Secondary port: GigabitEthernet0/2/2

Port status: UP
You can view that the ring is in the Complete state and the secondary port of the master node
is blocked.
l On CX-C, run the display rrpp brief command. The configuration is displayed as follows:
<CX-C> display rrpp brief
Domain Index : 1
sub 11
Hello Timer
Ring
Ring
Node
Primary
Secondary/Edge
Is
ID Level
Mode
Port
Port
Enabled
------------------------------------------------------------------------2
1
M
Here, RRPP on CX-C is enabled. The major control VLAN ID is 10, and the sub control
VLAN ID is 11. CX-C is the master node on the sub-ring, with the primary port and the
secondary port as GE 1/0/1 and GE 1/0/2 respectively.
l On CX-C, run the display rrpp verbose domain command. The configuration is displayed
as follows:
<CX-C> display rrpp verbose domain 1
Domain Index : 1
sub 11
Hello Timer
RRPP Ring
:
Ring Level
:
Node Mode
:
Ring State
:
Is Enabled
:
Primary port :
Secondary port:
2
1
Master
Completed
Enable
Is Active : Yes
Port status: UP
You can view that the sub-ring is in the Complete state and the secondary port of the master
node on the sub-ring is blocked.
l On CX-A, run the display rrpp brief command. The configuration is displayed as follows:
<CX-A> display rrpp brief
Domain Index : 1
sub 11
Hello Timer
Ring
Ring
Node
Primary
Secondary/Edge
Is
ID
Level
Mode
Port
Port
Enabled
------------------------------------------------------------------------1
0
T
2
1
E
RRPP is enabled on CX-A. The major control VLAN ID is 10 and the sub control VLAN
ID is 11. CX-A is the transit node on the major Ring 1, with the primary port and secondary
port as GE 1/0/2 and GE 1/0/1 respectively. At the same time, CX-A is the edge node on the
sub-ring 2, the common port is GE 1/0/2, and the edge port is GE 1/0/3.
l On CX-A, run the display rrpp verbose domain command. The configuration is displayed
as follows:
<CX-A> display rrpp verbose domain 1
Issue 02 (2013-12-31)

1584

Equipment
Domain Index
Control VLAN
Hello Timer
: 1
: major 10
sub 11
RRPP Ring
:
Ring Level
:
Node Mode
:
Ring State
:
Is Enabled
:
Primary port :
Secondary port:
RRPP Ring
:
Ring Level
:
Node Mode
:
Ring State
:
Is Enabled
:
Common port
:
Edge port
:
1
0
Transit
Linkup
Enable
Is Active : Yes
2
1
Edge
Linkup
Disable
Is Active : No
Port status: UP
Port status: UP
Port status: UP
Port status: UP
l On CX-D, run the display rrpp brief command. The configuration is displayed as follows:
<CX-D> display rrpp brief
Domain Index : 1
sub 11
Hello Timer
Ring
Ring
Node
Primary
Secondary/Edge
Is
ID
Level
Mode
Port
Port
Enabled
------------------------------------------------------------------------1
0
T
2
1
A
RRPP is enabled on CX-D. VLAN 10 is the major control VLAN and VLAN 11 is the sub
control VLAN. CX-D is the transit node on the major ring 1, with the primary interface and
secondary interface as GE 1/0/2 and GE 1/0/1 respectively. CX-D is the assistant edge node
on the sub-ring 2, with the common interface and edge interface as GE 1/0/2 and GE 1/0/3
respectively.
l On CX-D, run the display rrpp verbose domain command. The configuration is displayed
as follows:
<CX-D> display rrpp verbose domain 1
Domain Index : 1
sub 11
Hello Timer
RRPP Ring
:
Ring Level
:
Node Mode
:
Ring State
:
Is Enabled
:
Primary port :
Secondary port:
RRPP Ring
:
Ring Level
:
Node Mode
:
Ring State
:
Is Enabled
:
Common port
:
Edge port
:
1
0
Transit
Linkup
Enable
Is Active : Yes
2
1
Assistant-edge
Linkup
Disable
Is Active : No
Port status: UP
Port status: UP
Port status: UP
Port status: UP
----End
Issue 02 (2013-12-31)

1585

Equipment
Configuration Files
l

#
sysname CX-A
#
vlan batch 1 to 11
#
rrpp enable
#
rrpp domain 1
control-vlan 10
ring 1 node-mode transit primary-port gigabitethernet 1/0/2 secondary-port
gigabitethernet 1/0/1 level 0
ring 1 enable
ring 2 node-mode edge common-port gigabitethernet 1/0/2 edge-port
gigabitethernet 1/0/3
ring 2 enable
#
undo shutdown
portswitch
stp disable
#
undo shutdown
portswitch
stp disable
#
undo shutdown
portswitch
port trunk allow-pass vlan 1 to 9 11
stp disable
#
return
Configuration file of ATNB

#
sysname ATNB
#
vlan batch 1 to 11
#
rrpp enable
#
rrpp domain 1
control-vlan 10
ring 1 node-mode master primary-port gigabitethernet 0/2/1 secondary-port
gigabitethernet 0/2/2 level 0
ring 1 enable
#
undo shutdown
portswitch
stp disable
#
undo shutdown
portswitch
Issue 02 (2013-12-31)

1586

Equipment

stp disable
#
return

#
sysname CX-C
#
vlan batch 1 to 11
#
rrpp enable
#
rrpp domain 1
control-vlan 10
ring 2 node-mode master primary-port GigabitEthernet1/0/1 secondary-port
GigabitEthernet1/0/2 level 1
ring 2 enable
#
undo shutdown
portswitch
stp disable
#
undo shutdown
portswitch
stp disable
#
return
Configuration file on CX-D

#
sysname CX-D
vlan batch 1 to 11
#
rrpp enable
#
rrpp domain 1
control-vlan 10
ring 1 node-mode transit primary-port GigabitEthernet1/0/2 secondary-port
GigabitEthernet1/0/1 level 0
ring 1 enable
ring 2 node-mode assistant-edge common-port GigabitEthernet1/0/2 edge-port
ring 2 enable
#
undo shutdown
portswitch
stp disable
#
undo shutdown
portswitch
stp disable
#
undo shutdown
Issue 02 (2013-12-31)

1587

Equipment
portswitch
stp disable
#
return
5.9 LLDP Configuration

Network devices obtain the status of their directly-connected devices through the Link Layer
Discovery Protocol (LLDP).
5.9.1 Introduction
LLDP is a Layer 2 discovery protocol defined in the IEEE 802.1ab.
Overview of LLDP
LLDP is used to obtain the link layer information of the network.
Background
At present, the Ethernet technology is widely used in the LAN and Metropolitan Area Network
(MAN). The increasing demand for large-scale networks poses higher requirements on the
capability of the Network Management System (NMS). For example, the NMS should address
problems such as obtaining topology of interconnected devices and conflicts in configurations
on different devices.
Recently, the NMS software adopts the automated discovery function to trace topology changes.
However, most NMS software can at best analyze the Layer 3 network topology and group
devices to different IP subnets. Data provided by the NMS concern only the basic events of
adding or deleting devices. The NMS cannot get information about which interfaces on a device
are used to connect another device. That is, the NMS cannot locate a device and judge its
operation mode.
Introduction
The Layer 2 Discovery (L2D) protocol can precisely obtain information about which interfaces
are attached to the devices and which devices are connected to other devices. In addition, L2D
displays the paths between the client, switch, router, application server, and network server. The
preceding detailed information helps find the root cause for the network failure.
The Link Layer Discovery Protocol (LLDP) is an L2D protocol defined in the IEEE 802.1ab.
The LLDP protocol specifies that the status information is stored on all the interfaces and the
device can send its status to the neighbor stations. The interfaces can also send status upgrade
information to the neighbor stations as required. The neighbor stations then store the received
information in the standard Management Information Base (MIB) of the Simple Network
Management Protocol (SNMP). The NMS can search for the Layer 2 information in the MIB.
As specified in the IEEE 802.1ab standard, the NMS can also find the unreasonable Layer 2
configurations based on the information provided by LLDP.
When the LLDP protocol runs on the devices, the NMS can obtain the Layer 2 information about
all the devices that it connects and the detailed network topology information. This expands the
Issue 02 (2013-12-31)

1588

Equipment
scope of network management. LLDP also helps find unreasonable configurations on the
network and reports the incorrect configurations to the NMS. In this manner, the incorrect
configurations can be removed timely.
LLDP Features Supported by the ATN

LLDP features supported by the ATN include the MIB, NSAP identifier, LLDP agent, LLPD
management address, and LLDP trap function.
MIB
MIB is short for the Management Information Base. MIB is classified into the LLDP local system
MIB and the LLDP remote system MIB.
The LLDP local system MIB stores information about the local station, including the chassis
ID, port ID, system name, system description, port description, system capabilities, and
management address.
The LLDP remote system MIB stores information about adjacent stations, including the chassis
ID, port ID, system name, system description, port description, system capabilities, and
management address.
NSAP Identifier
The MAC service access point (NSAP) identifier consists of the chassis ID and the port ID. The
identifier is used as an index in the MIB.
LLDP Agent
An LLDP agent is the protocol entity that manages LLDP operations for an interface.
An LLDP agent performs the following tasks:
l
Maintains current information in the LLDP local system MIB.
Extracts and sends LLDP local system MIB information to neighbor stations when the
status of the local device changes. An LLDP agent also extracts and sends LLDP local
system MIB information to neighbor stations at regular intervals when no status change
occurs on the local device.
Identifies and processes received LLDP packets.
Maintains current information in the LLDP remote system MIB.
Sends LLDP traps to the NMS when the status of LLDP local system MIB or the LLDP
remote system MIB changes.
LLDP Management Address

The LLDP management address (the management address) is used by the NMS to identify the
device and implement network management. The management address identifies a device. This
facilitates layout of the network topology and network management with a clear view of the
topology status. The management address is carried in the management address Type-LengthValue (TLV) field of an LLDP packet to be transmitted to neighbor stations.
Issue 02 (2013-12-31)

1589

Equipment
LLDP Traps
When the LLDP local system MIB or the LLDP remote system MIB changes, the device sends
traps to the NMS for updating the topology. The traps can be triggered in the following cases:
l
LLDP is enabled or disabled globally.
The local management address changes.
Neighbor information changes.
The LLDP alarm function is of global significance for the ATN. That is, it provides the alarm
function on all the interfaces.
5.9.2 Configuring LLDP

In addition to describing how to enable LLDP, this section introduces the logical relationships
between configuration tasks.
Before You Start

Before enabling LLDP, familiarize yourself with the usage scenario, complete the preconfiguration tasks, and obtain the required data.
LLDP is used to obtain neighbor information and discover topology. As shown in Figure
5-50, when the NMS needs to collect the topology information on ATN A and ATN B, you need
to enable LLDP on ATN A and ATN B. In this manner, ATN A and ATN B can exchange their
status information, therefore, the NMS can obtain the topology information. You also need to
set the management address of LLDP on ATN A and ATN B so that the NMS can pinpoint ATN
A and ATN B. ATN A or ATN B sends traps to the NMS for updating the topology when any
of the following conditions is met:
l
LLDP is enabled or disabled globally.
Management address changes.
Neighbor information changes.
This requires that the LLDP alarm function be enabled on ATN A or ATN B.
Issue 02 (2013-12-31)

1590

Equipment
Figure 5-50 Networking diagram of LLDP application
SNMP
SNMP
NMS
LL
D
PD
LLDPDU
ATNA
LL
D
PD
ATNB
NodeB
RNC
Interfaces enabled with LLDP

Interfaces disabled with LLDP
NMS: Network Management System
Before configuring LLDP, set the IP address used as the management address of LLDP.
The management address of LLDP carried in an LLDP frame is used to identify a device.
Therefore, you need to select an IP address that the NMS can identify and manage easily. The
IP address can be a management address and must be configured before the management address
of LLDP is configured.
Data Preparation
To configure LLDP, you need the following data.
Issue 02 (2013-12-31)
No.
Data
IP address used as the management address of LLDP
Interval for sending LLDP packets
Delay in sending LLDP packets
Time multiplier of device information held in the neighbor stations

1591

Equipment
No.
Data
Delay for the LLDP module on the interface to be re-enabled from the disabled state
Delay in sending traps of neighbor changes
(Optional) Enabling the LLDP Alarm Function

After the LLDP trap function is enabled on a router, when LLDP is enabled or disabled globally,
the management address of LLDP changes, or the neighbor information changes, the router sends
a trap to instruct the NMS to update the topology information.
Context
The LLDP alarm function must be enabled on the ATN so that the ATN can send traps to the
NMS for updating the topology when LLDP is enabled or disabled, the management address of
LLDP changes, or the neighbor information changes.
Perform the following steps on ATN A and ATN B:
Procedure
Step 1 Run:
system-view

Step 2 Run:
snmp-agent trap enable feature-name lldp [ trap-name { hwlldpdisabled |
hwlldpenabled | hwlldplocmanipaddrchange | lldpremtableschange } ]
The LLDP alarm function is enabled.

----End
Enabling LLDP Globally

When a router and its neighbors are all enabled with LLDP, the router notifies the neighbors of
its status and obtains the status of its neighbors by exchanging LLDP packets.
Context
When the ATN and its neighbors are all enabled with LLDP, the ATN notifies the neighbors of
its status and obtains the status of the neighbors by exchanging LLDP packets. The NMS can
obtain information about Layer 2 connection status of the ATN and then analyze the network
topology.
Procedure
Step 1 Run:
Issue 02 (2013-12-31)

1592

Equipment
system-view

Step 2 Run:
lldp enable
LLDP is enabled globally.

----End
(Optional) Disabling LLDP on an Interface

When LLDP is enabled globally on a router, all the interfaces on the router are enabled with
LLDP by default. In the case that LLDP needs to be enabled on some interfaces and to be disabled
on other interfaces, you can run the undo lldp enable command in the view of corresponding
interfaces to disable LLDP.
Context
NOTE
You can disable LLDP on an interface only after LLDP is enabled globally on the ATN.
When LLDP is enabled globally on the ATN, all the interfaces are enabled with LLDP by default.
For the interfaces that do not need the LLDP function, you can run the undo lldp enable
command in the interface view to disable the LLDP function on these interfaces.
Perform the following steps on the interfaces that connect ATN A and ATN B to devices that
do not need the LLDP function:
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
undo lldp enable
LLDP is disabled on the interface.

----End
(Optional) Configuring the Management Address of LLDP

The LLDP management address enables the NMS to uniquely identify and manage devices. A
management address identifies a device. This facilitates layout of a network topology and
network management with a clear view of the topology status.
Issue 02 (2013-12-31)

1593

Equipment
Context
NOTE
You can configure the management address of LLDP only after LLDP is enabled globally on the ATN.
An LLDP management address must be a unicast IP address that is legal and exists on the device.
Procedure
Step 1 Run:
system-view

Step 2 Run:
lldp management-address ip-address
The management address of LLDP is configured.

----End
(Optional) Configuring LLDP Attributes

You can configure LLDP attributes, including the interval at which LLDP frames are sent, delay
in sending LLDP frames, multiplier of the hold time of local information on neighbors, delay in
re-enabling LLDP, and delay in sending LLDP traps.
Procedure
l
(Optional) Setting the interval for sending LLDP packets.

Perform the following steps on ATN A and ATN B as required:
1.
Run:
system-view

2.
Run:
lldp message-transmission interval interval
The interval for sending LLDP packets is set.

The default value is 30 seconds.
The interval for sending LLDP packets must be set properly. You need to adjust the
value of the parameter timely according to network load.
The greater the value is, the less frequently LLDP packets are exchanged. This
saves resources of the system. However, if the value is too great, that is, the delay
for sending LLDP packets is too long, the ATN cannot notify the neighbors of its
status timely. As a result, the NMS cannot timely discover topology changes in
the network.
The smaller the value is, the more frequently the local status information is sent to
the neighbors. This helps the NMS to timely discover topology changes in the
Issue 02 (2013-12-31)

1594

Equipment
network. However, if the value is too small, LLDP packets are exchanged too
frequently. This increases the burden on the system and wastes resources.
You must consider the value of delay when adjusting the value of interval because
the two values affect each other.
If the value of interval is smaller than or equal to 32768, you can increase the value
of interval regardless of the value of delay.
If the value of interval is reduced, it must be no less than four times of the value
of delay. Therefore, when the value of interval to be set is less than four times of
the value of delay, the value of delay must be adjusted to be smaller than or equal
to a quarter of the value of interval. After that, the value of interval can be set.
l
(Optional) Setting the delay in sending LLDP packets

1.
Run:
system-view

2.
Run:
lldp message-transmission delay delay
The delay in sending LLDP packets is set.

The delay in sending LLDP packets must be set properly. You need to adjust the value
of the parameter according to network load.
The greater the value is, the less frequently LLDP packets are exchanged. This
saves resources of the system. However, if the value is too great, that is, the delay
in sending LLDP packets is too long, the ATN cannot timely notify the neighbors
of its status. As a result, the NMS cannot timely discover topology changes in the
network.
The smaller the value is, the more frequently the local status information is sent to
the neighbors. This helps the NMS to timely discover topology changes in the
network. However, if the value is too small, LLDP packets are exchanged too
frequently. This increases the burden on the system and wastes resources.
You must consider the value of interval when adjusting the value of delay because
the two values affect each other.
If the value of delay is greater than or equal to 1, you can decrease the value of
delay regardless of the value of interval.
If the value of delay is increased, it must be no greater than a quarter of the value
of interval. Therefore, when the value of delay to be set is greater than a quarter
of the value of interval, the value of interval must be adjusted to be greater than
or equal to four times of the value of delay. After that, the value of delay can be
set.
l
(Optional) Setting the time multiplier of device information held in the neighbor stations.
Issue 02 (2013-12-31)

1595

Equipment
1.
Run:
system-view

2.
Run:
lldp message-transmission hold-multiplier hold
The time multiplier of device information held in the neighbor stations is set.
The default value is 4.
The greater the value is, the longer device information is held in the neighbor stations.
l
(Optional) Setting the delay in re-enabling LLDP on an interface.

1.
Run:
system-view

2.
Run:
lldp restart-delay delay
The delay in re-enabling LLDP on an interface is set.

delay is configured to control the status change of LLDP on an interface. This reduces
the topology flapping of the neighbor stations.
l
(Optional) Setting the delay in sending traps of changes in neighbor information to the
NMS.
1.
Run:
system-view

2.
Run:
lldp trap-interval interval
The delay in sending traps of changes in neighbor information to the NMS is set.
When the neighbor information changes frequently, you can prolong the delay so that
the ATN sends traps to the NMS less frequently. This suppresses the topology
flapping.
----End

After enabling LLDP, you can check whether LLDP-related configurations can meet the
requirement.
Issue 02 (2013-12-31)

1596

Equipment
Context
Run the following command to check the previous configuration.
Procedure
l
Run display lldp local [ interface interface-type interface-number ] command to check

the status of LLDP on the device.
----End
5.9.3 Maintaining LLDP

This section describes how to maintain LLDP, including debugging and monitoring LLDP, and
clearing LLDP statistics.
Clearing the Statistics of LLDP

You can run the reset lldp statistics command to clear the LLDP statistics.
Procedure
l
Run reset lldp statistic [ interface interface-type interface-number ] command to clear the
statistics on LLDP of an interface. The statistics include the number of received packets,
the number of sent packets, and the number of error frames.
----End
Monitoring the Running Status of LLDP

You can run the display lldp local, display lldp statistics, and display lldp neighbor commands
to monitor the operating status of LLDP.
Context
To check the running status of LLDP during routine maintenance, run the following display
commands in any view.
Procedure
l
Run display lldp local [ interface interface-type interface-number ] command to check

the LLDP status globally or on a specified interface.
Run display lldp statistics [ interface interface-type interface-number ] command to check

the statistics on LLDP packets sent and received on an interface.
Run display lldp neighbor [ interface interface-type interface-number ] command to

check the neighbor information on an interface.
----End

You can understand the configuration procedures through the configuration flowchart. This
section describes the networking requirements, configuration roadmap, and configuration notes.
Issue 02 (2013-12-31)

1597

Equipment
Example for Configuring LLDP

Reachable routers exist between two routes that are directly connected through Ethernet
interfaces. When LLDP is enabled on both routers, the two routers can obtain the status of each
other through LLDP.
As shown in Figure 5-51, ATNA and CX-B are connected through the Ethernet interfaces. Both
ATNA and CX-B have reachable routes to the NMS. It is required that ATNA and CX-B can
obtain the status of each other through the LLDP protocol and the NMS can find ATNA and
CX-B based on the management address of LLDP to discover the topology. When the
management address of LLDP changes, LLDP is disabled globally, or neighbor information
changes, ATNA is required to send LLDP traps to the NMS.
Figure 5-51 Diagram of configuring LLDP
M
SN
SN
M
NMS
10.10.10.1
LLDPDU
NodeB
ATNA
Interfaces enabled with
LLDP
NMS: Network Management
System
10.10.10.2
CX-B
LLDPDU
SNMP packets
1.
Enable the LLDP alarm function on ATNA and CX-B.
2.
Enable LLDP globally on ATNA and CX-B.
3.
Assign the management addresses to ATNA and CX-B.
4.
Configure the LLDP attributes of ATNA and CX-B.
Data Preparation
Issue 02 (2013-12-31)

1598

Equipment
The management address of ATNA is 10.10.10.1, and the management address of CX-B
is 10.10.10.2
The interval for sending LLDP packets is 60 seconds, the delay in sending LLDP packets
is 9 seconds, and the delay in sending traps of changes in neighbor information to the NMS
is 10 seconds
Procedure
Step 1 Enable the LLDP alarm function on ATNA and CX-B.
# Enable the LLDP alarm function on ATNA.
[ATNA]snmp-agent trap enable feature-name lldp
# Enable the LLDP alarm function on CX-B.

[CX-B] snmp-agent trap enable feature-name lldp
Step 2 Enable LLDP globally on ATNA and CX-B.

# Enable LLDP globally on ATNA.
[ATNA] lldp enable
# Enable LLDP globally on CX-B

[CX-B] lldp enable
Step 3 Assign the management addresses to ATNA and CX-B respectively.

# Assign the management address to ATNA.
[ATNA] lldp management-address 10.10.10.1
# Assign the management address to CX-B.

[CX-B] lldp management-address 10.10.10.2
Step 4 Configure the LLDP attributes of ATNA and CX-B.

# Configure the LLDP attributes of ATNA.
[ATNA] lldp message-transmission interval 60
[ATNA] lldp message-transmission delay 9
[ATNA] lldp trap-interval 10
# Configure the LLDP attributes of CX-B.

See the configuration on ATNA.
# Check whether LLDP is enabled, whether the management address of LLDP is set, whether
the LLDP alarm function is enabled, and whether the value of LLDP attributes is properly set.
l Check the configuration on ATNA.
<ATNA> display lldp local
System information:
ChassisIdSubtype: macAddress
Issue 02 (2013-12-31)

1599

Equipment
ChassisId: 00e0-fcc8-1b31
SysName: ATNA
SysDesc: Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.150 (ATN V200R003C00)
Copyright (C) 2000-2010 Huawei Technologies Co., Ltd.
Multi-service Access Equipment
SysCapSupported: bridge router
SysCapEnabled: bridge router
LLDPUpTime: 2010/6/20 15:41:49
System configuration:
LLDP enable status:
enable
(default is disable)
LldpMsgTxInterval:
60s
(default is 30s)
LldpMsgTxHoldMultiplier:
4
(default is 4)
LldpReinitDelay:
2s
(default is 2s)
LldpTxDelay:
9s
(default is 2s)
LldpNotificationInterval:
10s
(default is 5s)
LldpNotificationEnable:
enable
Management address:
IP: 10.10.10.1
Remote Table Statistics:
RemTablesLastChangeTime:
RemTableInserts:
0
RemTableDeletes:
0
RemTableDrops:
0
RemTablesAgeouts:
0
Neighbors Total:
0
Port information:
Interface GigabitEthernet0/2/0:
PortId Subtype: interfaceName
PortId: GigabitEthernet0/2/0
PortDesc: GigabitEthernet0/2/0 Interface
LLDP Enable Status:
enable
LLDP Running Status:
running
Neighbors Total:
0
l Check the configuration on CX-B.

See the displayed information on ATNA.
----End
Configuration Files
l
Configuration file of ATNA.

#
sysname ATNA
#
lldp enable
#
snmp-agent trap enable feature-name lldp
#
lldp message-transmission interval 60
#
lldp message-transmission delay 9
#
lldp trap-interval 10
#
lldp management-address 10.10.10.1
#
return
Configuration file of CX-B.

#
sysname CX-B
#
lldp enable
Issue 02 (2013-12-31)

1600

Equipment
#
snmp-agent trap enable feature-name lldp
#
lldp message-transmission interval 60
#
lldp message-transmission delay 9
#
lldp trap-interval 10
#
#
return
Example for Configuring LLDP on the Network with Eth-Trunk

Two routers are directly connected through Eth-Trunk interfaces. You can enable some
interfaces in the Eth-Trunk interface of each router to send and receive LLDP frames for
obtaining the status of the other router. At the same time, you can disable other interfaces in the
Eth-Trunk interface of each router from sending and receiving LLDP frames.
As shown in Figure 5-52, ATNA and CX-B are connected through an Eth-Trunk. It is required
that three Ethernet interfaces on both ATNA and CX-B be respectively added to the Eth-Trunk.
Among the three Ethernet interfaces on both ATNA and CX-B that are respectively added to
the Eth-Trunk, two of them should send and receive LLDP packets to obtain the status of each
other. The other Ethernet interface is disabled from sending and receiving LLDP packets.
Figure 5-52 Diagram of configuring LLDP on the network with Eth-Trunk
GE0/2/3
GE0/2/2 GE2/0/2
GE2/0/3
10.10.10.1
NodeB
10.10.10.2
GE0/2/1
ATNA
GE2/0/1
Eth-Trunk1
CX-B
RNC
1.
Enable LLDP globally on ATNA and CX-B.
2.
Assign the management addresses to ATNA and CX-B so that the NMS can identify the
devices.
3.
Add the physical Ethernet interfaces on ATNA and CX-B to the Eth-Trunk.
4.
Disable LLDP on the member interfaces on ATNA and CX-B that are added to the EthTrunk but do not need to send or receive LLDP packets.
Data Preparation
Issue 02 (2013-12-31)

1601

Equipment
The management address of ATNA is 10.10.10.1, and the management address of CX-B
is 10.10.10.2
The number of the Eth-Trunk that connects ATNA and CX-B, and the number of the
interfaces that are added to the Eth-Trunk
Procedure
Step 1 Enable LLDP globally on ATNA and CX-B.
[ATNA] lldp enable
# Enable LLDP globally on CX-B.

See the configuration of ATNA.
Step 2 Assign the management addresses to ATNA and CX-B so that the NMS can identify the devices.
# Assign the management address to CX-B.

[CX-B] lldp management-address 10.10.10.2
Step 3 Add interfaces on ATNA and CX-B to the Eth-Trunk.

# Add interfaces on ATNA to Eth-Trunk 1.
[ATNA-GigabitEthernet0/2/1] eth-trunk 1
# Add interfaces on CX-B to Eth-Trunk 1.

Step 4 Disable LLDP on the member interfaces of ATNA and CX-B that are added to the Eth-Trunk
but do not need to send or receive LLDP packets.
# Disable LLDP on GE 1/0/3 of ATNA.
[ATNA] interface gigabitEthernet0/2/3
[ATNA-GigabitEthernet0/2/3] undo lldp enable
# Disable LLDP on GE 2/0/3 of CX-B.

[CX-B] interface gigabitEthernet2/0/3
[CX-B-GigabitEthernet2/0/3] undo lldp enable

Issue 02 (2013-12-31)

1602

Equipment
# Check whether LLDP is enabled, whether the management address of LLDP is assigned, and
whether the LLDP status on the member interfaces of Eth-Trunk 1 is displayed as configured.
l Check the configuration of ATNA.
System information:
SysName: ATNA

ATN
LLDPUpTime: 2010/6/21 14:46:58
LLDP enable status:
enable
LldpMsgTxInterval:
30s
(default is 30s)
4
(default is 4)
LldpReinitDelay:
2s
(default is 2s)
LldpTxDelay:
2s
(default is 2s)
5s
(default is 5s)
enable
Management address:
IP: 10.10.10.1
RemTableInserts:
0
RemTableDeletes:
0
RemTableDrops:
0
RemTablesAgeouts:
0
Neighbors Total:
0
Port information:
LLDP Enable Status:
enable
running
Neighbors Total:
0
LLDP Enable Status:
enable
running
Neighbors Total:
0
LLDP Enable Status:
disable
stop
Neighbors Total:
0
l Check the configuration of CX-B.

See the displayed information about ATNA.
# Check whether the member interfaces are added to Eth-Trunk 1.
Eth-Trunk1"s state information is:
WorkingMode: NORMAL
Hash arithmetic: According to flow
Issue 02 (2013-12-31)

1603

Equipment
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8

Operate status: up
-------------------------------------------------------------------------------PortName
Status
Weight
Up
1
Up
1
Up
1
l Check the configuration of CX-B.

See the displayed information about ATNA.
----End
Configuration Files
l

#
sysname ATNA
#
lldp enable
#
#
eth-trunk 1
#
eth-trunk 1
#
eth-trunk 1
undo lldp enable
#
#
return
Configuration file of CX-B.

#
sysname CX-B
#
lldp enable
#
#
eth-trunk 1
#
eth-trunk 1
#
eth-trunk 1
undo lldp enable
#
#
return
Issue 02 (2013-12-31)

1604

Equipment
Example for Configuring LLDP on the Network Where an Interface Has Multiple
Neighbors
Multiple routers can exchange LLDP frames through reachable links to obtain the status of each
other. In addition, the NMS can locate a router based on the LLDP management address to
discover the network topology.
As shown in Figure 5-53, there are reachable links between ATNA, ATNB, and ATNC. Both
ATNA and ATNC have reachable links to the NMS. It is required that ATNA, ATNB, and
ATNC exchange LLDP packets through reachable links to obtain the status of each other. In
addition, the NMS can find ATNA and ATNC based on the management address of LLDP to
discover the topology.
Figure 5-53 Diagram of configuring LLDP on the network where an interface has multiple
neighbors
SNMP
SNMP
NMS
LLDPDU
CX-D
CX-F
PD
U
LLDPDU
LL
D
PD
LL
D
CX-E
10.10.10.1 10.10.10.2
ATNA
LL
D
PD
10.10.10.3
ATNC
ATNB
Interfaces enabled with LLDP

NMS:Network Management System
SNMP packets
LLDPDU
1.
Issue 02 (2013-12-31)
Enable LLDP globally on ATNA, ATNB, and ATNC.

1605

Equipment
2.
Assign the management addresses to ATNA, ATNB, and ATNC so that the NMS can
identify the devices.
Data Preparation
l
The management addresses of ATNA, ATNB, and ATNC
Procedure
Step 1 Enable LLDP globally on ATNA, ATNB, and ATNC.
[ATNA] lldp enable
# Enable LLDP globally on ATNB.

# Enable LLDP globally on ATNC.
Step 2 Assign the management addresses to ATNA, ATNB, and ATNC.
# Assign the management address to ATNB.

[ATNB] lldp management-address 10.10.10.2
# Assign the management address to ATNC.

[ATNC] lldp management-address 10.10.10.3

# Check whether LLDP is enabled and whether the management address of LLDP is assigned.
System information:
SysName: ATNA

ATN
LLDPUpTime: 2008/6/20 15:41:49
LLDP enable status:
enable
(default
LldpMsgTxInterval:
30s
(default
4
(default
LldpReinitDelay:
2s
(default
Issue 02 (2013-12-31)

is
is
is
is
disable)
30s)
4)
2s)
1606

Equipment
LldpTxDelay:
2s
(default is 2s)
5s
(default is 5s)
disable
Management address:
IP: 10.10.10.1
RemTableInserts:
0
RemTableDeletes:
0
RemTableDrops:
0
RemTablesAgeouts:
0
Neighbors Total:
0
Port information:
LLDP Enable Status:
enable
running
Neighbors Total:
0
l Check the configuration of ATNB

See displayed information about ATNA.
l Check the configuration of ATNC
See displayed information about ATNA.
----End
Configuration Files
l

#
sysname ATNA
#
lldp enable
#
lldp management-address
#
return
Configuration file of ATNB.

#
sysname ATNB
#
lldp enable
#
#
return
10.10.10.2
Configuration file of ATNC.

#
sysname ATNC
#
lldp enable
#
#
return
Issue 02 (2013-12-31)
10.10.10.1
10.10.10.3

1607

Equipment
5.10 Automatic Link Discovery Configuration

Automatic link discovery is a Huawei-specific feature used by ATNs to discover neighbors at
the link layer.
5.10.1 Overview
This section describes automatic link discovery and its applications on ATNs.
Introduction
Background
The Ethernet technology is widely used on local area networks (LANs) and metropolitan area
networks (MANs). Large-scale networks demand increased network management capabilities,
such as the capability to automatically obtain the topology status of connected devices and the
capability to detect configuration conflicts between devices.
Currently, a majority of network management systems (NMSs) use an automated discovery
function to trace changes in the network topology, but most can only analyze the network-layer
topology. You can learn basic events like the addition or deletion of devices from network-layer
topology information, but cannot learn information about the interfaces used by one device to
connect to other devices. Network-layer topology information cannot identify the location of
devices or the real-time network topology status.
Automatic link discovery can identify the interfaces on a network device and provide detailed
information about connections between devices. Automatic link discovery can also display paths
between clients, ATNs, and network servers. The detailed information helps you efficiently
locate network faults.
You can use an NMS to send link-layer neighbor query requests to managed devices. Upon
receipt, the managed devices send Link Detect packets to their neighbors. After these devices
receive Link Reply packets from their neighbors, these devices store neighbor information
locally. Then, the NMS can obtain link-layer neighbor information of managed devices from
the MIBs of these devices and generate the topology map of the entire network.
Automatic link discovery enables ATNs to obtain link-layer neighbor information, providing
network administrators with detailed network topology information. This function expands the
network management range and helps you detect and modify inappropriate configurations
promptly.
Principles
Automatic link discovery includes the following types:
l
Automatic link discovery between directly connected neighbors

As shown in Figure 5-54, after automatic link discovery is enabled on ATN A, ATN A
performs automatic link discovery as follows:
Issue 02 (2013-12-31)

1608

Equipment
1.
ATN A encapsulates information about the interface that connects ATN A to ATN B
into a Link Detect packet and sends the Link Detect packet to ATN B over a direct
link.
2.
Upon receipt, ATN B analyzes the Link Detect packet, encapsulates received
information and information about the interface that connects ATN B to ATN A into
a Link Reply packet, and sends the Link Reply packet to ATN A.
3.
Upon receipt, ATN A stores received information locally as a piece of link-layer

neighbor information.
Figure 5-54 Automatic link discovery between directly connected neighbors
ATNA
ATNB
Link Detect Packets
Link Reply Packets
Automatic link discovery between remote neighbors

Remote neighbors are connected by means of intermediary devices. The process of
automatic link discovery between remote neighbors is similar to that between directly
connected neighbors. The only difference is that two remote neighbors can exchange Link
Detect and Link Reply packets only if automatic link discovery is disabled on intermediary
device interfaces along the link between the two remote neighbors.
As shown in Figure 5-55, CE1 and CE2 are indirectly connected. To enable CE1 and CE2
to exchange Link Detect and Link Reply packets, disable automatic link discovery on PE1,
P, and PE2 interfaces along the link between CE1 and CE2.
NOTE
Automatic link discovery between remote neighbors is usually used in Layer 2 virtual private network
(L2VPN) scenarios.
Issue 02 (2013-12-31)

1609

Equipment
Figure 5-55 Automatic link discovery between remote neighbors
L2VPN Network
PE1
PE2
P
CE1
CE2
Link Detect Packets

Link Reply Packets
Automatic Link Discovery Features Supported by the ATN

Automatic link discovery can discover link-layer neighbor information based on interfaces or
devices.
NOTE
Automatic link discovery allows you to query and view link-layer neighbor information, but does not allow
you to resolve link faults.
Compared with the Link Layer Discovery Protocol (LLDP), automatic link discovery provides
more powerful functions, including:
l
Manages devices based on network element (NE) IDs. An NE ID is an integer that uniquely
identifies a device. You can plan NE IDs for devices based on actual needs. Managing
devices based on NE IDs is much easier than managing devices based on IP addresses
(LLDP manages devices based on IP addresses).
Discovers link-layer neighbor information for sub-interfaces, Eth-Trunks, and low-speed

interfaces.
Allows you to launch link-layer neighbor queries on demand, instead of automatically

sending protocol packets to trigger link-layer neighbor queries.
5.10.2 Configuring Automatic Link Discovery

This section describes how to configure automatic link discovery to obtain link-layer neighbor
information of devices. If the link-layer neighbor information of a device changes, reconfigure
automatic link discovery to obtain the latest link-layer neighbor information of the device.
Issue 02 (2013-12-31)

1610

Equipment
Before You Start

Before you configure automatic link discovery, familiarize yourself with the usage scenario,
Automatic link discovery enables devices to obtain link-layer neighbor information, providing
network administrators with detailed network topology information. This function expands the
network management range and helps you detect and modify inappropriate configurations
promptly.
Before you configure automatic link discovery, set the physical parameters of interfaces to
ensure that these interfaces are physically Up.
Data Preparation
To configure automatic link discovery, you need the following data:
l
(Optional) Network element (NE) ID of each device
Interface numbers and corresponding slot IDs
Configuring Automatic Link Discovery

To obtain link-layer neighbor information about devices, configure automatic link discovery.
Context
Before you configure automatic link discovery, learn the following information:
l
An NE ID uniquely identifies a device. By default, each device has a default NE ID. If no

NE ID is set for a device, its default NE ID is used. In most cases, default NE IDs are
random and are difficult to manage and memorize if a large number of devices exist on the
live network. For the sake of convenience, configure an NE ID for each device based on
network planning.
To discover link-layer neighbor information based on interfaces, boards, or devices, run

the link detect command.
Automatic link discovery is enabled on all interfaces by default. If you do not need this
function on some interfaces, run the undo link-detect enable command in the views of
these interfaces.
To obtain link-layer neighbor information of a device, perform the following steps on the device.
Procedure
set neid neid neid
An NE ID is set.
Issue 02 (2013-12-31)

1611

Equipment
Step 2 Run:
link detect { all | interface interface-type interface-number }
Automatic link discovery is configured.

After the link-layer neighbor information about a device changes, you need to run the link
detect command again to obtain the latest link neighbor information about the device.
Step 3 (Optional) Enable automatic link discovery on an interface.
1.
Run:
system-view

2.
Run:

3.
Run:
link-detect enable
Automatic link discovery is enabled.

Automatic link discovery is enabled on all interfaces by default.
NOTE
If two remote neighbors, usually two customer edge devices (CEs) at different sides of an L2VPN,
need to discover each other using automatic link discovery but automatic link discovery is enabled
on all interfaces of intermediary devices, the two remote neighbors cannot exchange Link Detect or
Link Reply packets. As a result, the two remote neighbors cannot discover each other. To solve this
problem, run the undo link-detect enable command on intermediary device interfaces along the link
between the two remote neighbors.
----End

After you configure automatic link discovery on a device, you can view the link-layer neighbor
information of the device.
Procedure
Step 1 Run the display neid command to check the NE ID of a device.
Step 2 Run the display link neighbor { all | slot slot-id | interface interface-type interface-number }
command to check the link-layer neighbor information of a device.
----End
Example
Run the display neid command to view the NE ID of a device.
<HUAWEI> display neid
NEId : 0x10009
Run the display link neighbor command to view link-layer neighbor information of a device.
<HUAWEI> display link neighbor interface gigabitethernet 0/2/1
Issue 02 (2013-12-31)

1612

Equipment
GigabitEthernet0/2/1 has neighbors:
TxNeId
TxInterface TxVlanOrVc12 TxVc4Id
RxVlanOrVc12 RxVc4Id
0x10008
ETH0/2/1
0
0
0
0
Total records :1
---
RxNeId
---
RxInterface
0x10009
ETH2/0/0
5.10.3 Maintenance
This section describes how to clear link-layer neighbor information.
Clearing Link-Layer Neighbor Information

If link-layer neighbor information on a device reaches the specified capacity, the device reports
an alarm to the network management system (NMS), and the link-layer neighbor query function
fails to take effect. To solve these problems, run the clear link neighbor command to clear
unwanted link-layer neighbor information.
Procedure
Step 1 Run the clear link neighbor command in the user view to clear link-layer neighbor information.
----End
5.11 Transparent Transmission of Layer 2 Protocol Packets

Configuration
This chapter describes the principles and application scenarios of configuring transparent
transmission of interface-based, VLAN-based, and hybrid VLAN-based Layer 2 protocol
packets.
Context
NOTE
Only ATN 910/ATN 910B/ATN 910I/ATN 950B(AND2CXPB/AND2CXPE) supports Layer 2 protocol

transparent transmission.
5.11.1 Overview of Transparent Transmission of Layer 2 Protocol

Packets
Packets of some Layer 2 protocols, such as the Multiple Spanning Tree Protocol (MSTP),
Huawei Group Management Protocol (HGMP), and Link Aggregation Control Protocol (LACP)
running between user networks, need to traverse the Internet Service Provider (ISP) network to
perform Layer 2 protocol calculation.
Introduction
Background of Transparent Transmission of Layer 2 Protocol Packets
Packets of some Layer 2 protocols, such as Multiple Spanning Tree Protocol (MSTP), HUAWEI
Group Management Protocol (HGMP), and Link Aggregation Control Protocol (LACP) running
Issue 02 (2013-12-31)

1613

Equipment
between user networks, need to traverse the Internet Service Provider (ISP) network to perform
Layer 2 protocol calculation.
As shown in Figure 5-56, a certain Layer 2 protocol, such as MSTP, is running in user network1
and user network2. This requires the Layer 2 protocol packets in user network1 to traverse the
ISP network to reach user network2 to perform Spanning Tree Protocol (STP) calculation.
Generally, the destination MAC addresses of Layer 2 protocol packets are the same. For example,
the protocol packets of the MSTP protocol are Bridge Protocol Data Units (BPDUs), of which
the destination MAC address is 0180-C200-0000. Therefore, when a Layer 2 protocol packet
reaches a PE in the ISP network, the PE sends the protocol packet to the CPU to perform STP
calculation, without identifying whether the protocol packet comes from a user network or the
ISP network.
In this manner, devices in user network1 perform STP calculation together with PE1 rather than
with devices in user network2. As a result, the Layer 2 protocol packets in user network1 cannot
traverse the ISP network to reach user network2.
Figure 5-56 Transparent transmission of Layer 2 protocol packets in the ISP network
ISP
network
PE2
PE1
CE1
CE2
User
network1
User
network2
To address the preceding problem, you can configure transparent transmission of Layer 2
protocol packets. Currently, the ATN supports the transparent transmission of the packets of the
following Layer 2 protocols:
l
Cisco Discovery Protocol (CDP)
Device link detection protocol(DLDP)
Dynamic Trunking Protocol (DTP)
Ethernet Operation, Administration, and Maintenance 802.3ah (EOAM3ah)
Generic Multicast Registration Protocol (GMRP)
Generic VLAN Registration Protocol (GVRP)
HUAWEI Group Management Protocol (HGMP)
Link Aggregation Control Protocol (LACP)
Link Layer Discovery Protocol (LLDP)
Port Aggregation Protocol (PAGP)
Per VLAN Spanning Tree Plus (PVST+)
Spanning Tree Protocol (STP)
Unidirectional Link Detection (UDLD)
Issue 02 (2013-12-31)

1614

Equipment
VLAN Trunking Protocol (VTP)
User-defined protocols
If Layer 2 protocol packets need to be transparently transmitted in the ISP network, the following
conditions must be met during packet transmission:
l
All sites of a user network can receive the Layer 2 protocol packets from other sites.
The Layer 2 protocol packets of a user network cannot be processed by the CPU of the
devices in the ISP network.
Layer 2 protocol packets of different user networks must be isolated from and do not affect
each other.
Layer 2 protocol packets are transparently transmitted based on the following principles:
l
On the PE of the ISP network, the destination multicast MAC address of the Layer 2
protocol packet is replaced with the specified multicast MAC address.
The PE in the ISP network determines whether to add an outer VLAN tag to the protocol
packet whose MAC address is replaced according to the configured transparent
transmission mode.
When the Layer 2 protocol packet reaches the egress, the destination multicast MAC
address is restored to the standard destination multicast MAC address according to the
mapping between the specified destination multicast MAC address and the Layer 2
protocol. In addition, the egress determines whether to remove the outer VLAN tag
according to the configured transparent transmission mode, and then forwards the protocol
packet to the CE.
Transparent Transmission Features of Layer 2 Protocol Packets Supported by the

ATN
The ATN supports the following transparent transmission features of Layer 2 protocol packets
in different application scenarios:
l
Interface-based transparent transmission of Layer 2 protocol packets
VLAN-based transparent transmission of Layer 2 protocol packets
QinQ-based transparent transmission of Layer 2 protocol packets
Hybrid VLAN-based transparent transmission of Layer 2 protocol packets
Currently, the ATN supports the transparent transmission of the packets of the following Layer
2 protocols:
l
Cisco Discovery Protocol (CDP)
Device link detection protocol(DLDP)
Dynamic Trunking Protocol (DTP)
Ethernet Operation, Administration, and Maintenance 802.3ah (EOAM3ah)
Generic Multicast Registration Protocol (GMRP)
Generic VLAN Registration Protocol (GVRP)
HUAWEI Group Management Protocol (HGMP)
Link Aggregation Control Protocol (LACP)
Issue 02 (2013-12-31)

1615

Equipment
Link Layer Discovery Protocol (LLDP)
Port Aggregation Protocol (PAGP)
Per VLAN Spanning Tree Plus (PVST+)
Spanning Tree Protocol (STP)
Unidirectional Link Detection (UDLD)
VLAN Trunking Protocol (VTP)
User-defined protocols
Interface-based Transparent Transmission of Layer 2 Protocol Packets

Figure 5-57 Interface-based transparent transmission of Layer 2 protocol packets
Port based
VLAN 200
Port based
VLAN 200
LAN-B
MSTP
LAN-B
MSTP
ISP Network
PE1
Port based
VLAN 300
LAN-A
MSTP
BPDU Tunnel 200

BPDU Tunnel 300
PE2
Port based
VLAN 300
PE3
LAN-A
MSTP
Port based
VLAN 200
LAN-B
MSTP
As shown in Figure 5-57, each interface on a PE connects to one user network. The user networks
belong to different LANs, that is, LAN-A and LAN-B. In this case, Layer 2 protocol packets
sent from user networks to PEs do not carry any VLAN tags. The PEs, however, need to identify
which LAN the Layer 2 protocol packets come from. Layer 2 protocol packets of a user network
in LAN-A must be sent to the other user networks in LAN-A, rather than to the user networks
in LAN-B. In addition, Layer 2 protocol packets cannot be processed by the devices in the ISP
network.
In this application scenario, there are two processing methods:
l
Issue 02 (2013-12-31)
Change the default multicast MAC address of the Layer 2 protocol packets that can be
identified by the devices in the ISP network into another multicast MAC address.
1.
Set the roles of all devices in the ISP network to Provider. Therefore, the destination
MAC address of the Layer 2 protocol packets sent by the ISP network is changed to
01-80-C2-00-00-08 instead of the original 01-80-C2-00-00-00.
2.
Set the roles of all devices in a user network to Customer. Therefore, the destination
MAC address of the Layer 2 protocol packets sent by the user network is still 01-80C2-00-00-00.
3.
On the PEs in the ISP network, add the interfaces that connect to the same user network
to the same VLAN. After receiving a Layer 2 protocol packet sent from the user
1616

Equipment
network, a device in the ISP network adds a VLAN ID to the Layer 2 protocol packet
according to the default VLAN ID of the interface that receives the packet.
4.
The device (of the provider type) in the ISP network does not take the packet as the
Layer 2 protocol packet and does not send the packet to the CPU for processing.
Instead, the device selects a corresponding Layer 2 tunnel according to the default
VLAN ID of the interface to forward the packet.
5.
The Layer 2 protocol packet is transmitted as an ordinary Layer 2 packet by the devices
in the ISP network, therefore successfully traversing the ISP network.
6.
When reaching the egress on the ISP network, the Layer 2 protocol packet is forwarded
to the CE without being changed.
Replace the original multicast MAC address of the Layer 2 protocol packet with the
specified multicast MAC address.
NOTE
This method applies to transparent transmission of all types of Layer 2 protocol packets.
Issue 02 (2013-12-31)
1.
After receiving and identifying a Layer 2 protocol packet (such as a BPDU of the STP
protocol) sent from a user network, a device in the ISP network adds a VLAN ID to
the Layer 2 protocol packet according to the default VLAN ID of the interface that
receives the packet.
2.
According to the mapping between the specified destination multicast MAC address
and the Layer 2 protocol, the device in the ISP network change the standard destination
multicast MAC address of the Layer 2 protocol packet into the specified destination
multicast MAC address.
3.
After the MAC address is changed, the Layer 2 protocol packet is transmitted as an
ordinary Layer 2 packet by the devices in the ISP network, therefore successfully
traversing the ISP network.
4.
When the Layer 2 protocol packet reaches the egress, the egress restores the destination
multicast MAC address to the standard destination multicast MAC address according
to the mapping between the specified destination multicast MAC addresses and Layer
2 protocols, and then forwards the Layer 2 protocol packet to the CE.

1617

Equipment
VLAN-based Transparent Transmission of Layer 2 Protocol Packets

Figure 5-58 VLAN-based transparent transmission of Layer 2 protocol packets
LAN-B
MSTP
LAN-B
MSTP
CE-VLAN 100
CE-VLAN 100
PE 1
ISP Network
PE 2
BPDU Tunnel
CE-VLAN 200
Trunk
100-200
Trunk
100-200
PE 3
CE-VLAN 200
CE-VLAN 100
LAN-A
MSTP
LAN-A
MSTP
LAN-B
MSTP
In most cases, a PE serves as a convergence device. As shown in Figure 5-58, the convergence
interface on PE 1 receives the Layer 2 protocol packets from LAN-A and LAN-B. To
differentiate the two LANs, Layer 2 protocol packets sent from the CE to the PE must carry
VLAN tags (VLAN IDs). The VLAN ID of LAN-A is 200; the VLAN ID of LAN-B is 100.
Currently, some Layer 2 protocol packets, such as packets of STP, do not carry VLAN tags. If
receiving the Layer 2 protocol packets with VLAN tags, the devices in the ISP network consider
them as illegal packets and discard them. To avoid this problem, you can configure VLAN-based
transparent transmission of Layer 2 protocol packets on the devices in the ISP network. In this
manner, the Layer 2 protocol packets can traverse the ISP network through Layer 2 tunnels.
Similar to the interface-based transparent transmission of Layer 2 protocol packets, there are
two processing methods in this application scenario:
l
Issue 02 (2013-12-31)
Change the default multicast MAC address of the Layer 2 protocol packets that can be
identified by the devices in the ISP network into another multicast MAC address.
1.
Set the roles of all devices in the ISP network to Provider. Therefore, the destination
MAC addresses of the Layer 2 protocol packets sent by the devices in the ISP network
are changed to 01-80-C2-00-00-08 instead of the original 01-80-C2-00-00-00.
2.
Set the roles of all devices in a user network to Customer. Therefore, the destination
MAC addresses of the Layer 2 protocol packets sent by the user network are still
01-80-C2-00-00-00.
3.
Configure the Layer 2 protocol packets that are sent from a user network to the ISP
network to carry specific VLAN IDs.
4.
Configure the devices in the ISP network to identify the Layer 2 protocol packets with
VLAN IDs and allow the packets to pass.
1618

Equipment
5.
The device (of the provider type) in the ISP network does not take the packet as the
Layer 2 protocol packet and does not send the packet to the CPU for processing.
Instead, the device selects a corresponding Layer 2 tunnel to forward the packet
according to the VLAN IDs with which the packets are allowed to pass.
6.
7.
When reaching the egress on the ISP network, the Layer 2 protocol packet is forwarded
to the CE without being changed.
NOTE
This method applies to all types of transparent transmission of Layer 2 protocol packets.
1.
Configure the Layer 2 protocol packets that are sent from a user network to the ISP
network to carry specific VLAN IDs.
2.
Configure the devices in the ISP network to identify the Layer 2 protocol packets with
VLAN IDs and allow the packets to pass.
3.
According to the mapping between the special destination multicast MAC addresses
and Layer 2 protocols, the devices in the ISP network change the standard destination
multicast MAC address of the Layer 2 protocol packet into the specified destination
multicast MAC address.
4.
5.
When the Layer 2 protocol packet reaches the egress, the egress restores the destination
multicast MAC address to the standard destination multicast MAC address according
to the mapping between the specified destination multicast MAC addresses and Layer
2 protocols, and then forwards the packet to the CE.
QinQ-based Transparent Transmission of Layer 2 Protocol Packets

l
QinQ overview
The QinQ protocol is a Layer 2 tunneling protocol based on the IEEE 802.1Q technology.
The QinQ technology improves the utilization of VLANs by adding another 802.1Q tag.
In this manner, services in the private VLAN can be transparently transmitted on the public
network. The packet transmitted in the ISP network carries double 802.1Q tags (a public
VLAN tag and a private VLAN tag), that is, 802.1Q-in-802.1Q. It is also called the QinQ
protocol.
Figure 5-59 shows the format of a QinQ packet. Compared with the 802.1Q packet, the
QinQ packet has a tag suffixed to the source address (SA). This tag is known as the outer
tag or public tag, used for carrying the VLAN ID of a public network. The inner tag is
usually known as the private tag, used for carrying the VLAN ID of a private network.
NOTE
The QinQ function configured on a Layer 2 interface is also called VLAN stacking.
Issue 02 (2013-12-31)

1619

Equipment
Figure 5-59 802.1Q Encapsulation and QinQ Encapsulation

802.1Q Encapsulation
ETYPE TAG LEN/ETYPE
DA
SA
DATA
FCS
6 Bytes 6 Bytes 2 Bytes 2 Bytes 2 Bytes 46 Byte~1500 Bytes 4 Bytes
QinQ
Encapsulation
DA
SA ETYPE TAG ETYPE TAG LEN/ETYPE
DATA
FCS
6 Bytes 6 Bytes 2 Bytes 2 Bytes 2 Bytes 2 Bytes 2 Bytes 46 Byte~1500 Bytes 4 Bytes
0x8100
Priority
CFI VLAN ID
QinQ-based transparent transmission of Layer 2 protocol packets

Figure 5-60 QinQ-based transparent transmission of Layer 2 protocol packets
LAN-B
MSTP
LAN-B
MSTP
PE-VLAN20:CE-VLAN 100~199
PE 1
CE-VLAN 100
ISP Network
PE 2
BPDU Tunnel
CE-VLAN 100
BPDU Tunnel
CE-VLAN 200
CE-VLAN 200
PE-VLAN30:CE-VLAN 200~299
LAN-A
MSTP
LAN-A
MSTP
If Layer 2 protocol packets are still transmitted transparently in VLAN-based mode when
many user networks are connected to the ISP network, a large number of VLAN IDs of the
ISP network are required. This may result in insufficient VLAN ID resources. In this case,
you can configure the QinQ function to forward Layer 2 protocol packets.
As shown in Figure 5-60, the convergence interfaces on the PEs are configured with the
function of QinQ-based transparent transmission of Layer 2 protocol packets. Then, the
PEs add different outer tags to the packets from different user networks.
Issue 02 (2013-12-31)
1.
Set specific VLAN IDs for the Layer 2 protocol packets that are sent from user
networks to the ISP network.
2.
Configure transparent transmission of Layer 2 protocol packets and the QinQ function
on the interfaces of the ingress in the ISP network.

1620

Equipment
3.
According to the user VLAN IDs, the ingress in the ISP network allocates different
outer tags, that is, the public VLAN IDs, to the Layer 2 protocol packets.
4.
The ingress in the ISP network selects different Layer 2 tunnels according to different
outer tags. Then, the layer 2 protocol packets are transmitted as ordinary Layer 2
packets by the devices in the ISP network.
5.
Configure transparent transmission of Layer 2 protocol packets and the QinQ function
on the interfaces of the egress in the ISP network.
6.
The egress removes the outer tags and forwards the Layer 2 protocol packets to the
corresponding user networks according to the inner tags.
As shown in Figure 5-60, if receiving a Layer 2 protocol packet from VLAN 100 to VLAN
199, PE1 adds VLAN 20 as an outer VLAN ID to the packet, and forwards the packet in
the ISP network through a Layer 2 tunnel. If receiving a Layer 2 protocol packet from
VLAN 200 to VLAN 299, PE1 adds VLAN 30 as an outer VLAN ID to the packet, and
forwards the packet in the ISP network through a Layer 2 tunnel. In this manner, Layer 2
protocol packets from different user networks can be transparently transmitted in the ISP
network, and VLAN ID resources of the operator can be saved.
Hybrid VLAN-based Transparent Transmission of Layer 2 Protocol Packets

Figure 5-61 Hybrid VLAN-based transparent transmission of Layer 2 protocol packets
VLAN1
PE2
LAN-A
VLAN1
LAN-C
ISP
VLAN2
CE1
VLAN2
VLAN1
CE2
VLAN1
VLAN2
PE1
VLAN2
PE3
LAN-B
CE3
LAN-D
As shown in Figure 5-61, PE1, PE2, and PE3 are connected to construct a Layer 2 network;
VLAN 1 and VLAN 2 are respectively created in user networks LAN-A and LAN-C and in user
networks LAN-B and LAN-D; Layer 2 protocol packets with VLAN IDs as VLAN 1 and VLAN
2 are sent from LAN-A and LAN-B, and then forwarded by CE1, CE2, and CE3. In addition, a
standard Layer 2 protocol, such as the Link Layer Discovery Protocol (LLDP), of the untagged
type needs to be run between CE1, CE2, and CE3.
In this scenario, PE1 may receive Layer 2 protocol packets with VLAN IDs and without VLAN
IDs. In this case, you can configure hybrid VLAN-based transparent transmission of Layer 2
protocol packets on the egress of the ISP network to support transparent transmission of the
Layer 2 protocol packets with VLAN tags and without VLAN tags.
5.11.2 Configuring Interface-based Transparent Transmission of

Layer 2 Protocol Packets
When each interface on the PE of the ISP network is connected to only one user network, and
the Layer 2 protocol packets sent from the user network do not need to carry VLAN tags, you
can configure interface-based transparent transmission of Layer 2 protocol packets.
Issue 02 (2013-12-31)

1621

Equipment
Before You Start

Before configuring interface-based transparent transmission of Layer 2 protocol packets, you
need to learn the usage scenario and complete the pre-configuration tasks and data preparation
for the configuration. This helps you rapidly and correctly finish the configuration task.
When each interface on the PE of the ISP network is connected to only one user network, and
the Layer 2 protocol packets sent from the user network do not need to carry VLAN tags, you
can configure interface-based transparent transmission of Layer 2 protocol packets. Layer 2
protocol packets from user networks are transmitted through different Layer 2 tunnels in the ISP
network to reach destination user networks. Therefore, protocol calculation is performed.
Before configuring interface-based transparent transmission of Layer 2 protocol packets,
l
Connect all interfaces correctly.
Configure VLANs on Layer 2 interfaces.
Data Preparation
To configure interface-based transparent transmission of Layer 2 protocol packets, you need the
following data.
No.
Data
Name of the user-defined protocol
Group MAC address and protocol MAC address
Name and VLAN ID of the interface on the PE that is connected to CEs
(Optional) Defining Information About a Layer 2 Transparent Transmission

Protocol
When the protocol packets (non-standard Layer 2 protocol packets) with specific destination
multicast MAC addresses from user networks need to be transparently transmitted in the ISP
network, you can define information about the Layer 2 transparent transmission protocol on PEs.
Context
Perform the following steps on PEs:
Procedure
Step 1 Run:
Issue 02 (2013-12-31)

1622

Equipment
system-view

Step 2 Run:
l2protocol-tunnel user-defined-protocol protocol-name protocol-mac protocol-mac
[ encap-type { { ethernetii | snap } protocol-type protocol-type } | llc { dsap dsapvalue ssap ssap-value } ] group-mac { group-mac | default-group-mac }
Information about a Layer 2 transparent transmission protocol is defined, including the name of
protocol, encapsulation type, destination MAC address, replaced multicast MAC address, and
packet priority.
When you define information about a Layer 2 transparent transmission protocol, none of the
following multicast MAC addresses can be specified as the multicast MAC address that replaces
the original MAC address:
l Bridge Protocol Data Units (BPDUs): 0180-C200-0000~0180-C200-002F
l Smart Link protocol packets: 010F-E200-0004
l Special multicast MAC address: 0100-0CCC-CCCC and 0100-0CCC-CCCD
l Ordinary multicast MAC addresses that have been used on the local device
----End
Specifying a Transparent Transmission Mode of Layer 2 Protocol Packets

This section describes how to specify a transparent transmission mode of Layer 2 protocol
packets, including how to change the default multicast MAC address of Layer 2 protocol packets
that can be identified by the devices in the ISP network into other multicast MAC addresses,
and how to replace the original multicast MAC addresses of the Layer 2 protocol packets from
user networks with specific multicast MAC addresses.
Context
You can perform the following operations on PEs according to the Layer 2 protocol type and
the transparent transmission mode.
Procedure
l
1.
Run:
system-view

2.
Run:
l2protocol-tunnel { cdp | dldp | dtp | eoam3ah | gmrp | gvrp | hgmp |
lacp | lldp | pagp | pvst+ | stp | udld | vtp } group-mac group-mac
The destination multicast MAC address of the Layer 2 protocol packet is replaced
with a specific multicast MAC address, and the priority of the protocol packet is
specified.
Issue 02 (2013-12-31)

1623

Equipment
NOTE
When you configure transparent transmission of Layer 2 protocol packets, none of the following
multicast MAC addresses can be specified as the multicast MAC address that replaces the original
MAC address:
l Bridge Protocol Data Units (BPDUs): 0180-C200-0000 to 0180-C200-002F
----End
Enabling Transparent Transmission of Layer 2 Protocol Packets on an Untagged

Interface
This section describes the function of enabling or disabling transparent transmission of Layer 2
protocol packets on an untagged interface.
Context
Perform the following steps on the PEs according to the type of the protocol packets that need
to be transparently transmitted:
Procedure
Step 1 Run:
system-view

Step 2 Run:
The view of the interface on the PE that is connected to users is displayed.

Step 3 Run:
l2protocol-tunnel { { all |protocol-name | user-defined-protocol protocol-name }
enable
Transparent transmission of Layer 2 protocol packets is enabled on an untagged interface.

NOTE
l For the configuration of an untagged interface, refer to the "VLAN configuration" in the Configuration
Guide - LAN Access and MAN Access, or the port default vlan command in the VLAN configuration
commands.
l Before running the l2protocol-tunnel enable command to enable the transparent transmission of selfdefined protocol packets on an untagged interface, you need to run the l2protocol-tunnel user-definedprotocol command to define information about the Layer 2 transparent transmission protocol. In addition,
only STP protocol packets have a global group MAC address. Therefore, you must configure a global group
MAC address before enabling transparent transmission of other protocol packets. For details, see the
l2protocol-tunnel group-mac command.
l You cannot configure both the l2protocol-tunnel enable command and the l2protocol-tunnel vlan
command on the same interface; otherwise, the system prompts a configuration conflict.

Issue 02 (2013-12-31)

1624

Equipment
l2protocol-tunnel drop-threshold
The threshold for discarding Layer 2 protocol packets is configured on the interface.
----End

This section describes how to check the configuration of interface-based transparent
transmission of Layer 2 protocol packets.
Context
The configuration of interface-based transparent transmission of Layer 2 protocol packets is
complete.
Procedure
l
Run the display l2protocol-tunnel group-mac { all | protocol-name | user-definedprotocol protocol-name } command to check information about the transparent
transmission of all Layer 2 protocols packets or specified Layer 2 protocol packets.
You can also run the following commands to check information about the transparent
transmission of bridge protocol data units (BPDUs) of the spanning tree protocol:
Run the display stp [ brief ] command to view information about STP.
----End
Example
Run the display l2protocol-tunnel group-mac command, and you can check the name and type
of the Layer 2 protocol, multicast destination MAC address, group MAC address, and priority
of the Layer 2 protocol packets. For example:
<HUAWEI> display l2protocol-tunnel group-mac hgmp
Protocol ProtocolType Protocol-MAC
Group-MAC
Priority
------------------------------------------------------------stp
0x88a7
0180-c200-000a 0100-5e00-0011 1
On the devices in user networks, run the display stp [ brief ] command,and you can find the
STP is enabled on interfaces, and the roles of interfaces, such as the designated interfaces and
the root interfaces, are correct. For example:
<CE1> display stp
-------[CIST Global Info] [Mode MSTP] ------CIST Bridge
:32768.00e0-fc9f-3257
Bridge Times
CIST Root/ERPC
:32768.00e0-fc9a-4315 / 199999
CIST RegRoot/IRPC
:32768.00e0-fc9f-3257 / 0
CIST RootPortId
:128.82
BPDU-Protection
:disabled
STP Converge Mode
:Fast
Time since last TC received :0 days 2h:24m:36s
----[Port1(GigabitEthernet1/0/0)] [FORWARDING] ---Port Protocol
:enabled
Port Role
:CIST Root Port
Port Priority
:128
Port Cost(Dot1T )
Issue 02 (2013-12-31)

1625

Equipment
Desg. Bridge/Port
:32768.00e0-fc9a-4315 / 128.82
Port Edged
:Config=disabled / Active=disabled
Point-to-point
Transit Limit
:3 packets/s
Protection Type
:None
PortTimes
BPDU Sent
:6
BPDU Received
:4351
<CE2> display stp
:32768.00e0-fc9a-4315
Bridge Times
CIST Root/ERPC
:32768.00e0-fc9a-4315 / 0
CIST RegRoot/IRPC
:32768.00e0-fc9a-4315 / 0
CIST RootPortId
:0.0
BPDU-Protection
:disabled
STP Converge Mode
:Fast
:enabled
Port Role
:CIST Designated Port
Port Priority
:128
Port Cost(Dot1T )
Desg. Bridge/Port
:32768.00e0-fc9a-4315 / 128.82
Port Edged
Point-to-point
Transit Limit
:3 packets/s
Protection Type
:None
PortTimes
BPDU Sent
:4534
BPDU Received
:6
5.11.3 Configuring VLAN-based Transparent Transmission of

Layer 2 Protocol Packets
When each interface on the PE of the ISP network is connected to multiple user networks, and
the Layer 2 protocol packets sent from the user network need to carry VLAN tags, you can
configure VLAN-based transparent transmission of Layer 2 protocol packets.
Before You Start

Before configuring VLAN-based transparent transmission of Layer 2 protocol packets, you need
to learn the usage scenario and complete the pre-configuration tasks and data preparation for the
configuration. This helps you rapidly and correctly finish the configuration task.
When each interface on the PE of the ISP network is connected to multiple user networks, and
the Layer 2 protocol packets sent from the user network need to carry VLAN tags, you can
configure VLAN-based transparent transmission of Layer 2 protocol packets. Layer 2 protocol
packets from user networks are transmitted through different Layer 2 tunnels in the ISP network
and reach destination user networks. Therefore, protocol calculation is performed.
Issue 02 (2013-12-31)

1626

Equipment
NOTE
The specified VLAN for transparently transmitting Layer 2 protocol packets must be a static VLAN, not
a dynamic VLAN created by a protocol, such as GVRP or VCMP.
Before configuring VLAN-based transparent transmission of Layer 2 protocol packets, complete
l
Connect all interfaces correctly.
Configure a VLAN trunk.
Data Preparation
To configure VLAN-based transparent transmission of Layer 2 protocol packets, you need the
following data.
No.
Data
Name of the user-defined protocol
Name of the interface on the PE that is connected to CEs and range of VLAN IDs
with which packets are allowed to pass

Protocol
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
packet priority.
Issue 02 (2013-12-31)

1627

Equipment
----End

Context
Procedure
l
1.
Run:
system-view

2.
Run:
specified.
NOTE
MAC address:
----End
Issue 02 (2013-12-31)

1628

Equipment
Enabling Transparent Transmission of Layer 2 Protocol Packets on a Tagged

Interface
This section describes the function of enabling or disabling transparent transmission of Layer 2
protocol packets on a tagged interface.
Context
Perform the following steps on the PEs according to the type of the protocol packets that need
to be transparently transmitted:
Procedure
Step 1 Run:
system-view

Step 2 Run:
The view of the interface on the PE that is connected to users is displayed.

Step 3 Run:
l2protocol-tunnel { all | cdp | dldp | dtp | eoam3ah | gmrp | gvrp | hgmp | lacp |
lldp | pagp | pvst+ | stp | udld | vtp | user-defined-protocol protocol-name }
{ vlan low-id [ to high-id ] } &<110>
Transparent transmission of Layer 2 protocol packets is enabled on a tagged interface.

NOTE
l For the configuration of a tagged interface, refer to the VLAN configuration in the Configuration Guide LAN Access and MAN Access, or the port trunk allow-pass command in the VLAN configuration
commands.
l Before running the l2protocol-tunnel vlan command to enable the transparent transmission of self-defined
protocol packets on a tagged interface, you need to run the l2protocol-tunnel user-defined-protocol
command to define information about the Layer 2 transparent transmission protocol. In addition, only STP
protocol packets have a global group MAC address. Therefore, you must configure a global group MAC
address before enabling transparent transmission of other protocol packets. For details, see the l2protocoltunnel group-mac command.
l You cannot configure both the l2protocol-tunnel vlan command and the l2protocol-tunnel enable
command on the same interface; otherwise, the system prompts a configuration conflict.
----End

This section describes how to check the configuration of transparent transmission of Layer 2
protocol packets.
Context
The configuration of transparent transmission of Layer 2 protocol packets is complete.
Issue 02 (2013-12-31)

1629

Equipment
Procedure
l
Run the display l2protocol-tunnel group-mac { all | protocol | user-defined-protocol

protocol-name } command, and you can check information about the transparent
transmission of all Layer 2 protocol packets or specific Layer 2 protocol packets.
Run the display stp [ brief ] command to check the spanning tree information.
----End
Example
of the Layer 2 protocol whose packets are transparently transmitted; destination multicast MAC
address, group MAC address, and priorities of these packets. For example:
Group-MAC
Priority
------------------------------------------------------------HGMP
0x88a7
0180-c200-000a 0100-5e00-0011 1
On a device of a user's network, run the display stp [ brief ] command, and you can find that
STP is enabled on relevant interfaces, and the roles, such as Designated and Root, are correctly
assigned to these interfaces. For example:
<CE1> display stp
:32768.00e0-fc9f-3257
Bridge Times
CIST Root/ERPC
:32768.00e0-fc9a-4315 / 199999
CIST RegRoot/IRPC
:32768.00e0-fc9f-3257 / 0
CIST RootPortId
:128.82
BPDU-Protection
:disabled
STP Converge Mode
:Fast
:enabled
Port Role
:CIST Root Port
Port Priority
:128
Port Cost(Dot1T )
Desg. Bridge/Port
:32768.00e0-fc9a-4315 / 128.82
Port Edged
Point-to-point
Transit Limit
:3 packets/s
Protection Type
:None
PortTimes
BPDU Sent
:6
BPDU Received
:4351
<CE2> display stp
:32768.00e0-fc9a-4315
Bridge Times
CIST Root/ERPC
:32768.00e0-fc9a-4315 / 0
CIST RegRoot/IRPC
:32768.00e0-fc9a-4315 / 0
CIST RootPortId
:0.0
BPDU-Protection
:disabled
STP Converge Mode
:Fast
Issue 02 (2013-12-31)

1630

Equipment

:enabled
Port Role
Port Priority
:128
Port Cost(Dot1T )
Desg. Bridge/Port
:32768.00e0-fc9a-4315 / 128.82
Port Edged
Point-to-point
Transit Limit
:3 packets/s
Protection Type
:None
PortTimes
BPDU Sent
:4534
BPDU Received
:6
5.11.4 Configuring QinQ-based Transparent Transmission of Layer

2 Protocol Packets
When each port of the ISP network device is connected to multiple user networks, and packets
from these user networks carry VLAN tags, you can configure QinQ-based transparent
transmission of Layer 2 protocol packets. In this manner, you can implement the transparent
transmission of Layer 2 protocol packets from different user networks on the ISP network, and
save VLAN IDs for the carrier.
Before You Start

Before configuring QinQ-based transparent transmission of Layer 2 protocol packets, you need
to learn the usage scenario, and complete the pre-configuration tasks and data preparation for
the configuration. This helps you rapidly and correctly finish the configuration task.
When each interface of the ISP network device is connected to multiple user networks, and Layer
2 protocol packets from these user networks carry VLAN tags, you can configure QinQ-based
transparent transmission of Layer 2 protocol packets. In this manner, you can implement the
transparent transmission of Layer 2 protocol packets from different user networks on the ISP
network, and save VLAN IDs for the carrier. After QinQ-based transparent transmission of Layer
2 protocol packets is configured, different tunnels are assigned to user networks according to
outer VLAN tags (outer VLAN IDs) of Layer 2 protocol packets, and Layer 2 protocol packets
of different VLANs are then transmitted along different tunnels on the ISP network.
Before configuring QinQ-based transparent transmission of Layer 2 protocol packets, connect
all interfaces correctly.
Data Preparation
Issue 02 (2013-12-31)

1631

Equipment
No.
Data
User-defined protocol name
Name of the interface on the PE that connects to the CE, default VLAN ID, and
the range of the VLAN IDs with which packets are allowed to pass through
Outer VLAN IDs of Layer 2 protocol packets

Protocol
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
packet priority.
----End
Specifying the Transparent Transmission Mode of Layer 2 Protocol Packets

When specifying the transparent transmission mode of Layer 2 protocol packets, you can either
change the default multicast MAC address of the Layer 2 protocol that can be recognized by
Issue 02 (2013-12-31)

1632

Equipment
ISP network devices to another multicast MAC address, or replace the multicast MAC address
of original Layer 2 protocol packets from user networks with the designated multicast MAC
address.
Context
According to the type of the Layer 2 protocol and the mode of transparent transmission, you can
choose either of the following configuration procedures on PEs.
Procedure
l
Change the default multicast MAC address of the Layer 2 protocol that can be recognized
by ISP network devices to another multicast MAC address.
NOTE
This configuration procedure is only applicable to STP, RSTP, and MSTP.
1.
Run:
system-view

2.
Run:
The view of the interface on the PE that is connected to the CE is displayed.

3.
(Optional) Run:
portswitch
The interface is switched to a switching interface.

NOTE
If the interface is a switching interface, this step is not required.
4.
Run:
port vlan-stacking vlan vlan-id1 [ to vlan-id2 ] stack-vlan vlan-id3
The range of outer VLAN tags is specified for the Layer 2 protocol packets.
l
Replace the multicast MAC address of original Layer 2 protocol packets from user networks
with the designated multicast MAC address.
1.
Run:
system-view

2.
Run:
lacp | lldp | pagp | pvst+ | stp | udld | vtp } group-mac { group-mac |
default-group-mac }
The destination multicast MAC address of the Layer 2 protocol packets is changed to
a designated multicast MAC address, and the priority of the Layer 2 protocol packets
is specified.
Issue 02 (2013-12-31)

1633

Equipment
NOTE
When configuring transparent transmission of Layer 2 protocol packets, note that the following
multicast MAC addresses cannot be the designated multicast MAC address:
l Bridge protocol data units (BPDUs): from 0180-C200-0000 to 0180-C200-002F
l Smart Link packets: 010F-E200-0004
l Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD
l Ordinary multicast MAC addresses already used by the device
3.
Run:

4.
(Optional) Run:
portswitch

NOTE
5.
Run:
6.
Run:
l2protocol-tunnel { all | cdp | dldp | dtp | eoam3ah | gmrp | gvrp | hgmp
| lacp | lldp | pagp | pvst+ | stp | udld | vtp | user-defined-protocol
protocol-name } { vlan low-id [ to high-id ] } &<110>
Transparent transmission of Layer 2 protocol packets is enabled on the interface of

the tagged type.
NOTE
l The range of the VLAN tags designated in this step must cover the value of vlan specified
in Step 5.
----End

protocol packets.
Context
Procedure
l

Issue 02 (2013-12-31)

1634

Equipment
----End
Example
Group-MAC
Priority
------------------------------------------------------------HGMP
0x88a7
0180-c200-000a 0100-5e00-0011 1
<CE1> display stp
:32768.00e0-fc9f-3257
Bridge Times
CIST Root/ERPC
:32768.00e0-fc9a-4315 / 199999
CIST RegRoot/IRPC
:32768.00e0-fc9f-3257 / 0
CIST RootPortId
:128.82
BPDU-Protection
:disabled
STP Converge Mode
:Fast
:enabled
Port Role
:CIST Root Port
Port Priority
:128
Port Cost(Dot1T )
Desg. Bridge/Port
:32768.00e0-fc9a-4315 / 128.82
Port Edged
Point-to-point
Transit Limit
:3 packets/s
Protection Type
:None
PortTimes
BPDU Sent
:6
BPDU Received
:4351
<CE2> display stp
:32768.00e0-fc9a-4315
Bridge Times
CIST Root/ERPC
:32768.00e0-fc9a-4315 / 0
CIST RegRoot/IRPC
:32768.00e0-fc9a-4315 / 0
CIST RootPortId
:0.0
BPDU-Protection
:disabled
STP Converge Mode
:Fast
:enabled
Port Role
Port Priority
:128
Port Cost(Dot1T )
Desg. Bridge/Port
:32768.00e0-fc9a-4315 / 128.82
Port Edged
Point-to-point
Transit Limit
:3 packets/s
Issue 02 (2013-12-31)

1635

Equipment
Protection Type
:None
PortTimes
BPDU Sent
:4534
BPDU Received
:6
5.11.5 Configuring Hybrid VLAN-based Transparent Transmission

of Layer 2 Protocol Packets
The ISP network device receives the Layer 2 protocol packets of tags and of no tags at the same
time. In such a situation, you can configure hybrid VLAN-based transparent transmission of
Layer 2 protocol packets to ensure the transparent transmission of all these Layer 2 protocol
packets.
Before You Start

Before configuring hybrid VLAN-based transparent transmission of Layer 2 protocol packets,
you need to learn the usage scenario, and complete the pre-configuration tasks and data
preparation for the configuration. This helps you rapidly and correctly complete the
configuration task.
The ISP network device receives the Layer 2 protocol packets of tags and of no tags at the same
time. In such a situation, you can configure hybrid VLAN-based transparent transmission of
Layer 2 protocol packets to ensure the transparent transmission of all these Layer 2 protocol
packets.
Before configuring hybrid VLAN-based transparent transmission of Layer 2 protocol packets,
connect all interfaces correctly.
Data Preparation
Issue 02 (2013-12-31)
No.
Data
User-defined protocol name
Name of the interface on the PE that is connected to the CE, default VLAN ID,
and the range of the VLAN IDs with which packets are allowed to pass through
Outer VLAN ID of Layer 2 protocol packets

1636

Equipment

Protocol
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
packet priority.
----End

Context
Issue 02 (2013-12-31)

1637

Equipment
Procedure
l
1.
Run:
system-view

2.
Run:
specified.
NOTE
MAC address:
----End
Enabling Interface-based Transparent Transmission of Layer 2 Protocol Packets

Context
A PE receives the Layer 2 protocol packets of VLAN tags and of no VLAN tags at the same
time. In such a situation, you can choose one of the following configuration procedures according
to the type of the Layer 2 protocol and the mode of transparent transmission.
Procedure
l
Default VLAN + VLAN trunk

If you need to implement the following:
Untagged Layer 2 protocol packets are added with the default VLAN ID of the receiving
interface and transparently transmitted.
Tagged Layer 2 protocol packets are transparently transmitted.
You can adopt the default VLAN + VLAN trunk mode and perform the following
operations.
1.
Run:
system-view

2.
Issue 02 (2013-12-31)
Run:
1638

Equipment

3.
(Optional) Run:
portswitch

NOTE
4.
Run:
port defaut vlan vlan-id
The default VLAN ID of the interface is configured.

5.
Run:
port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2] } &<1-10> | all }
The range of the VLAN IDs with which the packets can pass through the interface is
configured.
NOTE
The range of the VLAN IDs specified in this step must cover the VLAN tags of the Layer 2
protocol packets.
6.
Run:
l2protocol-tunnel { { all |protocol-name | user-defined-protocol protocolname } enable

the untagged type.
7.
Run:

the tagged type.
NOTE
l In Step 6 and Step 7, the designated Layer 2 protocols whose protocol packets are transparently
transmitted cannot be the same.
Default VLAN + VLAN Stacking

Untagged Layer 2 protocol packets are encapsulated with the default VLAN ID of the
receiving interface and transparently transmitted.
Received Layer 2 protocol packets of a specified VLAN tag are encapsulated with the
specific outer VLAN ID (carrier's VLAN ID).
You can adopt the default VLAN + VLAN stacking mode and perform the following
operations.
1.
Run:
system-view
Issue 02 (2013-12-31)

1639

Equipment

2.
Run:

3.
(Optional) Run:
portswitch

NOTE
4.
Run:

5.
Run:
NOTE
The range of the VLAN tags designated in this step must cover the outer VLAN tag of the
Layer 2 protocol packets.
6.
Run:

the untagged type.
7.
Run:

the tagged type.
NOTE
l In Step 6 and Step 7, the designated Layer 2 protocols whose protocol packets are
transparently transmitted cannot be the same.
Default VLAN + Dot1q Tunnel

Untagged Layer 2 protocol packets are encapsulated with the default VLAN ID of the
receiving interface and transparently transmitted.
Received tagged Layer 2 protocol packets are encapsulated with the fixed carrier's
VLAN ID, namely, the default VLAN ID of the receiving interface.
You can adopt the default VLAN + Dot1q tunnel mode and perform the following
operations.
1.
Issue 02 (2013-12-31)
Run:
1640

Equipment
system-view

2.
Run:

3.
(Optional) Run:
portswitch

NOTE
4.
Run:
The interface type is configured to Dot1q Tunnel.

5.
Run:

6.
Run:

the untagged type.
7.
Run:

the tagged type.
----End

protocol packets.
Context
Procedure
l

Issue 02 (2013-12-31)

1641

Equipment
----End
Example
Group-MAC
Priority
------------------------------------------------------------HGMP
0x88a7
0180-c200-000a 0100-5e00-0011 1
<CE1> display stp
:32768.00e0-fc9f-3257
Bridge Times
CIST Root/ERPC
:32768.00e0-fc9a-4315 / 199999
CIST RegRoot/IRPC
:32768.00e0-fc9f-3257 / 0
CIST RootPortId
:128.82
BPDU-Protection
:disabled
STP Converge Mode
:Fast
:enabled
Port Role
:CIST Root Port
Port Priority
:128
Port Cost(Dot1T )
Desg. Bridge/Port
:32768.00e0-fc9a-4315 / 128.82
Port Edged
Point-to-point
Transit Limit
:3 packets/s
Protection Type
:None
PortTimes
BPDU Sent
:6
BPDU Received
:4351
<CE2> display stp
:32768.00e0-fc9a-4315
Bridge Times
CIST Root/ERPC
:32768.00e0-fc9a-4315 / 0
CIST RegRoot/IRPC
:32768.00e0-fc9a-4315 / 0
CIST RootPortId
:0.0
BPDU-Protection
:disabled
STP Converge Mode
:Fast
:enabled
Port Role
Port Priority
:128
Port Cost(Dot1T )
Desg. Bridge/Port
:32768.00e0-fc9a-4315 / 128.82
Port Edged
Point-to-point
Transit Limit
:3 packets/s
Issue 02 (2013-12-31)

1642

Equipment
Protection Type
:None
PortTimes
BPDU Sent
:4534
BPDU Received
:6

This section provides configuration examples for interface-based, VLAN-based, QinQ-based,
and hybrid VLAN-based transparent transmission of Layer 2 protocol packets.
Example for Configuring Interface-based Transparent Transmission of Layer 2

Protocol Packets
As shown in Figure 5-62, CEs are interconnected through PEs; STP runs between CEs, and
BPDUs of each CE need to be transparently transmitted on the ISP network between PEs. Each
interface of PEs permits the access of only one CE and receives BPDUs with no VLAN tags
from the CE. Based on the networking, you can configure interface-based transparent
In the configuration example, the multicast MAC address of the original BPDUs from CEs are
replaced by the designated multicast MAC address. In this manner, these BPDUs can be
transparently transmitted on the ISP network. The default role of CEs and PEs is Customer, and
the default destination MAC address of BPDUs is 0180-C200-0000.
Figure 5-62 Networking diagram of Interface-based Transparent Transmission of Layer 2
Protocol Packets
VLAN100
VLAN100
CE1
CE2
GE 1/0/1
GE 1/0/1
GE 0/2/2 PE1
GE 0/2/1
GE 0/2/0
GE 1/0/1
CE3
ISP
network
PE2
GE 0/2/1
GE 0/2/2
GE 0/2/0
GE 1/0/1
VLAN200
CE4
VLAN200
Issue 02 (2013-12-31)

1643

Equipment
1.
Enable STP on CEs and PEs.
2.
Join PE interfaces at the CE side to the designated VLAN.
3.
Disable STP on PE interfaces at the CE side, and then configure Interface-based

Transparent Transmission of Layer 2 Protocol Packets.
4.
Configure PE interfaces at the PSN side to permit BPDUs from VLAN 100 and VLAN 200
to pass through.
Data Preparation
l
VLAN IDs of PE interfaces at the CE side
VLAN range permitted by PE interfaces at the PSN side
Procedure
Step 1 Switch interfaces on PEs and CEs into Layer 2 interfaces.
NOTE
This step is not required for the device whose interfaces are Layer 2 interfaces.
# Configure CE1.
# Configure CE2.
# Configure CE3.
# Configure CE4.
Issue 02 (2013-12-31)

1644

Equipment
# Configure PE1.
# Configure PE2.
Step 2 Enable the spanning tree calculation function on CEs and PEs.
# Configure CE1.
[CE1] stp enable
# Configure CE2.
[CE2] stp enable
# Configure CE3.
[CE3] stp enable
# Configure CE4.
[CE4] stp enable
# Configure PE1.
[PE1] stp enable
# Configure PE2.
[PE2] stp enable
Step 3 Add GE 0/2/2s of PE1 and PE2 to VLAN 100, add GE 0/2/0s of PE1 and PE2 to VLAN 200,
and then enable the BPDU tunnel function on both PEs.
# Configure PE1.
[PE1] vlan 100
[PE1-vlan100] port gigabitethernet 0/2/2
[PE1-vlan100] quit
Issue 02 (2013-12-31)

1645

Equipment
[PE1] vlan 200

[PE1-vlan200] quit
[PE1-GigabitEthernet0/2/2] l2protocol-tunnel stp enable
[PE1-GigabitEthernet0/2/2] stp disable
# Configure PE2.
[PE2] vlan 100
[PE2-vlan100] quit
[PE2] vlan 200
[PE2-vlan200] quit
Step 4 Configure PEs to replace the MAC address of BPDUs from CEs.
# Configure PE1.
[PE1] l2protocol-tunnel stp group-mac 0100-5e00-0011
# Configure PE2.
Step 5 Configure PE interfaces at the PSN side to permit BPDUs from VLAN 100 and VLAN 200 to
pass through.
# Configure PE1.
[PE1-GigabitEthernet0/2/1] port trunk allow-pass vlan 100 200
# Configure PE2.

Run the display l2protocol-tunnel group-mac command on a PE. You can view the name and
type of the Layer 2 protocol whose packets are transparently transmitted, and you can view the
destination multicast MAC address, group MAC address, and BPDU priorities of these packets.
[PE1] display l2protocol-tunnel group-mac stp
Protocol
ProtocolType Protocol-MAC
Group-MAC
Priority
----------------------------------------------------------------------------stp
0180-c200-0000 0100-5e00-0011 0
Issue 02 (2013-12-31)

1646

Equipment
Run the display stp command on CE1 and CE2. You can identify the MSTP root, and find that
the spanning tree calculation is complete between CE1 and CE2, with GE 1/0/1 on CE1 as the
Root interface, and GE 1/0/1 on CE2 as the Designated interface.
[CE1] display stp
:32768.00e0-fc9f-3257
Bridge Times
CIST Root/ERPC
:32768.00e0-fc9a-4315 / 199999
CIST RegRoot/IRPC
:32768.00e0-fc9f-3257 / 0
CIST RootPortId
:128.82
BPDU-Protection
:disabled
STP Converge Mode
:Fast
:enabled
Port Role
:CIST Root Port
Port Priority
:128
Port Cost(Dot1T )
Desg. Bridge/Port
:32768.00e0-fc9a-4315 / 128.82
Port Edged
Point-to-point
Protection Type
:None
PortTimes
BPDU Sent
:6
BPDU Received
:4351
[CE2] display stp
:32768.00e0-fc9a-4315
Bridge Times
CIST Root/ERPC
:32768.00e0-fc9a-4315 / 0
CIST RegRoot/IRPC
:32768.00e0-fc9a-4315 / 0
CIST RootPortId
:0.0
BPDU-Protection
:disabled
STP Converge Mode
:Fast
:enabled
Port Role
Port Priority
:128
Port Cost(Dot1T )
Desg. Bridge/Port
:32768.00e0-fc9a-4315 / 128.82
Port Edged
Point-to-point
Protection Type
:None
PortTimes
BPDU Sent
:4534
BPDU Received
:6
[CE3] display stp
-------[CIST Global
CIST Bridge
Bridge Times
CIST Root/ERPC
CIST RegRoot/IRPC
CIST RootPortId
Issue 02 (2013-12-31)
Info][Mode MSTP]------:32768.000b-0967-58a0
:32768.000b-0952-f13e / 199999
:32768.000b-0967-58a0 / 0
:128.82

1647

Equipment
BPDU-Protection
:disabled
STP Converge Mode
:Fast
:enabled
Port Role
:CIST Root Port
Port Priority
:128
Port Cost(Dot1T )
Desg. Bridge/Port
:32768.000b-0952-f13e / 128.82
Port Edged
Point-to-point
Protection Type
:None
PortTimes
BPDU Sent
:114
BPDU Received
:885
[CE4] display stp
-------[CIST Global Info][Mode MSTP]------CIST Bridge
:32768.000b-0952-f13e
Bridge Times
CIST Root/ERPC
:32768.000b-0952-f13e / 0
CIST RegRoot/IRPC
:32768.000b-0952-f13e / 0
CIST RootPortId
:0.0
BPDU-Protection
:disabled
STP Converge Mode
:Fast
:enabled
Port Role
Port Priority
:128
Port Cost(Dot1T )
Desg. Bridge/Port
:32768.000b-0952-f13e / 128.82
Port Edged
Point-to-point
Protection Type
:None
PortTimes
BPDU Sent
:1834
BPDU Received
:1
----End
Configuration Files
l

#
sysname CE1
#
stp enable
#
undo shutdown
portswitch
#
return

#
sysname CE2
#
stp enable
Issue 02 (2013-12-31)

1648

Equipment
#
undo shutdown
portswitch
#
return

#
sysname CE3
#
stp enable
#
undo shutdown
portswitch
#
return

#
sysname CE4
#
stp enable
#
undo shutdown
portswitch
#
return

#
sysname PE1
#
vlan batch 100 200
#
l2protocol-tunnel stp group-mac 0100-5e00-0011
#
stp enable
#
undo shutdown
portswitch
l2protocol-tunnel stp enable
stp disable
#
undo shutdown
portswitch
#
undo shutdown
portswitch
stp disable
#
return

#
Issue 02 (2013-12-31)

1649

Equipment
sysname PE2
#
vlan batch 100 200
#
#
stp enable
#
undo shutdown
portswitch
stp disable
#
undo shutdown
portswitch
#
undo shutdown
portswitch
stp disable
#
return
Example for Configuring VLAN-based Transparent Transmission of Layer 2

Protocol Packets
As shown in Figure 5-63, CEs are interconnected through PEs; STP runs between CEs; BPDUs
of each CE are transparently transmitted on the ISP network between PEs. Each PE interface is
a convergence interface, which receives tagged BPDUs from CEs (VLAN tags are used to
differentiate users). Based on the networking, you can configure VLAN-based transparent
transmission of Layer 2 protocol packets to achieve the following:
l
Devices in VLAN 100 work jointly to complete the spanning tree calculation.
transparently transmitted on the ISP network. CEs and PEs are bridge devices of the Customer
type, and the default destination multicast MAC address of BPDUs is 0180-C200-0000.
Issue 02 (2013-12-31)

1650

Equipment
Figure 5-63 Networking diagram of VLAN-based Transparent Transmission of Layer 2

Protocol Packets
PE1
P
GE0/2/1
GE1/0/2
PE2
GE0/2/1
GE1/0/1
GE0/2/0
GE0/2/0
Switch1
GE1/0/3
Switch2
GE1/0/2
GE1/0/1
GE1/0/3
GE1/0/1
GE1/0/1
CE1
VLAN
100
GE1/0/2
GE1/0/1
GE1/0/1
CE3
VLAN
200
GE1/0/1
CE2
VLAN 100
CE4
VLAN
200
1.
2.
Configure BPDUs from CEs to PEs to carry specific VLAN tags.
3.
Disable STP on PE interfaces at the CE side, and then configure VLAN-based transparent
4.
Configure PE interfaces at the PSN side to permit BPDUs from VLAN 100 and VLAN 200
to pass through.
5.
Configure the basic Layer 2 forwarding function on the P ATN to permit BPDU
transmission between PEs in ISP network.
Data Preparation
l
VLAN tags of the BPDUs from CEs to PEs
VLAN IDs of PE interfaces and CE interfaces
Procedure
Step 1 Switch interfaces on PEs and CEs into Layer 2 interfaces.
NOTE
Run the portswtich command, and you can switch interfaces on PEs and CEs in Figure 5-63
to Layer 2 interfaces. For detailed configurations, see the configuration files at the end of this
# Configure CE1.
Issue 02 (2013-12-31)

1651

Equipment
[CE1] stp enable
# Configure CE2.
[CE2] stp enable
# Configure CE3.
[CE3] stp enable
# Configure CE4.
[CE4] stp enable
# Configure PE1.
[PE1] stp enable
# Configure PE2.
[PE2] stp enable
Step 3 Configure BPDUs from CE1 and CE2 to PEs to carry VLAN tag 100; configure BPDUs from
CE3 and CE4 to PEs to carry VLAN tag 200.
# Configure CE1.
[CE1] vlan 100
[CE1-vlan100] quit
[CE1-GigabitEthernet1/0/1] stp bpdu vlan 100
# Configure CE2.
[CE2] vlan 100
[CE2-vlan100] quit
# Configure CE3.
[CE3] vlan 200
[CE3-vlan200] quit
# Configure CE4.
[CE4] vlan 200
[CE4-vlan200] quit
Step 4 Configure convergence switches.

# Configure Switch1.
[Switch1] vlan batch 100 to 200
[Switch1-GigabitEthernet1/0/3] port trunk allow-pass vlan 100 to 200
Issue 02 (2013-12-31)

1652

Equipment
[Switch1] interface gigabitethernet
[Switch1-GigabitEthernet1/0/1] undo
[Switch1-GigabitEthernet1/0/1] port

1/0/1
shutdown
trunk allow-pass vlan 100
1/0/2
shutdown
1/0/3
shutdown
trunk allow-pass vlan 100 to 200
1/0/1
shutdown
1/0/2
shutdown
Step 5 Configure PE interfaces to transparently transmit BPDUs from CEs to the P ATN.
# Configure PE1.
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] vlan 200
[PE1-vlan200] quit
[PE1-GigabitEthernet0/2/0] l2protocol-tunnel stp vlan 100 200
# Configure PE2.
[PE2] vlan 100
[PE2-vlan100] quit
[PE2] vlan 200
[PE2-vlan200] quit
[PE2-GigabitEthernet0/2/0] l2protocol-tunnel stp vlan 100 200
Step 6 Configure PEs to change the multicast MAC address of the BPDUs from CEs.
# Configure PE1.
# Configure PE2.
Issue 02 (2013-12-31)

1653

Equipment
Step 7 Configure the basic Layer 2 forwarding function on the P ATN, permitting BPDUs carrying
VLAN tag 100 or 200 from PEs to pass through.
[P] vlan 100
[P-vlan100] quit
[P] vlan 200
[P-vlan200] quit
[P] interface gigabitethernet
[P-GigabitEthernet1/0/2] port
[P] interface gigabitethernet
[P-GigabitEthernet1/0/1] port
1/0/2
trunk allow-pass vlan 100 200
1/0/1
trunk allow-pass vlan 100 200

destination multicast MAC address, group MAC address, and priorities of these packets.
Protocol
Group-MAC
Priority
----------------------------------------------------------------------------stp
0180-c200-0000 0100-5e00-0011 0
[CE1] display stp
:32768.000b-09f0-1b91
Bridge Times
CIST Root/ERPC
:32768.000b-09d4-b66c / 199999
CIST RegRoot/IRPC
:32768.000b-09f0-1b91 / 0
CIST RootPortId
:128.82
BPDU-Protection
:disabled
STP Converge Mode
:Fast
:enabled
Port Role
:CIST Root Port
Port Priority
:128
Port Cost(Dot1T )
Desg. Bridge/Port
:32768.000b-09d4-b66c / 128.82
Port Edged
Point-to-point
Protection Type
:None
PortTimes
BPDU Sent
:237
BPDU Received
:9607
[CE2] display stp
:32768.000b-09d4-b66c
Bridge Times
CIST Root/ERPC
:32768.000b-09d4-b66c / 0
CIST RegRoot/IRPC
:32768.000b-09d4-b66c / 0
CIST RootPortId
:0.0
BPDU-Protection
:disabled
STP Converge Mode
:Fast
Issue 02 (2013-12-31)

1654

Equipment

:enabled
Port Role
Port Priority
:128
Port Cost(Dot1T )
Desg. Bridge/Port
:32768.000b-09d4-b66c / 128.82
Port Edged
Point-to-point
Protection Type
:None
PortTimes
BPDU Sent
:7095
BPDU Received
:2
[CE3] display stp
:32768.00e0-fc9f-3257
Bridge Times
CIST Root/ERPC
:32768.00e0-fc9a-4315 / 199999
CIST RegRoot/IRPC
:32768.00e0-fc9f-3257 / 0
CIST RootPortId
:128.82
BPDU-Protection
:disabled
STP Converge Mode
:Fast
:enabled
Port Role
:CIST Root Port
Port Priority
:128
Port Cost(Dot1T )
Desg. Bridge/Port
:32768.00e0-fc9a-4315 / 128.82
Port Edged
Point-to-point
Protection Type
:None
PortTimes
BPDU Sent
:238
BPDU Received
:9745
[CE4] display stp
:32768.00e0-fc9a-4315
Bridge Times
CIST Root/ERPC
:32768.00e0-fc9a-4315 / 0
CIST RegRoot/IRPC
:32768.00e0-fc9a-4315 / 0
CIST RootPortId
:0.0
BPDU-Protection
:disabled
STP Converge Mode
:Fast
:enabled
Port Role
Port Priority
:128
Port Cost(Dot1T )
Desg. Bridge/Port
:32768.00e0-fc9a-4315 / 128.82
Port Edged
Point-to-point
Protection Type
:None
PortTimes
BPDU Sent
:7171
Issue 02 (2013-12-31)

1655

Equipment

BPDU Received
:2
----End
Configuration Files
l

#
sysname CE1
#
vlan batch 100
#
stp enable
#
undo shutdown
portswitch
stp bpdu vlan 100
#
return

#
sysname CE2
#
vlan batch 100
#
stp enable
#
undo shutdown
portswitch
stp bpdu vlan 100
#
return

#
sysname CE3
#
vlan batch 200
#
stp enable
#
undo shutdown
portswitch
stp bpdu vlan 200
#
return

#
sysname CE4
#
vlan batch 200
#
stp enable
#
undo shutdown
Issue 02 (2013-12-31)

1656

Equipment
portswitch
stp bpdu vlan 200
#
Return

#
sysname PE1
#
vlan batch 100 200
#
#
stp enable
#
undo shutdown
portswitch
l2protocol-tunnel stp vlan 100 200
stp disable
#
undo shutdown
portswitch
#
return
Configuration file of the P ATN

#
sysname P
#
vlan batch 100 200
#
undo shutdown
portswitch
#
undo shutdown
portswitch
#
return

#
sysname PE2
#
vlan batch 100 200
#
#
stp enable
#
undo shutdown
portswitch
l2protocol-tunnel stp vlan 100 200
stp disable
#
undo shutdown
Issue 02 (2013-12-31)

1657

Equipment
portswitch
#
return

#
sysname Switch1
#
vlan batch 100 to 200
#
undo shutdown
portswitch
#
undo shutdown
portswitch
#
undo shutdown
portswitch
#
return

#
sysname Switch2
#
vlan batch 100 to 200
#
undo shutdown
portswitch
#
undo shutdown
portswitch
#
undo shutdown
portswitch
#
return
Example for Configuring QinQ-based Transparent Transmission of Layer 2

Protocol Packets
As shown in Figure 5-64, CEs are interconnected through PEs; STP runs between CEs; BPDUs
sent from CE1 and CE2 to PEs carry VLAN tag 100; BPDUs sent from CE3 and CE4 to PEs
carry VLAN tag 200. Based on the networking, you can configure QinQ-based transparent
transmission of Layer 2 protocol packets to achieve the following:
l
Issue 02 (2013-12-31)
1658

Equipment
To save VLAN IDs of the public network, you can configure VLAN stacking on PEs. In this
manner, BPDUs of VLAN tag 100 or 200 from CEs to PEs are encapsulated with the outer
VLAN tag 10, and then transmitted on the ISP network. As a result, BPDUs transmitted on the
ISP network carry double VLAN tags.
transparently transmitted on the ISP network. CEs and PEs are bridge devices of the Customer
type, and the default destination MAC address of BPDUs is 0180-C200-0000.
Figure 5-64 Networking diagram of QinQ-based Transparent Transmission of Layer 2 Protocol
Packets
VLAN100
VLAN100
GE1/0/1
GE0/2/0
CE1
GE0/2/2
PE1
GE0/2/1
CE3 GE1/0/1
GE1/0/1
GE0/2/0
ISP
network
CE2
PE2
GE0/2/2
GE0/2/1
CE4
GE1/0/1
VLAN200
VLAN200
1.
2.
Configure BPDUs sent from CEs to PEs to carry specific VLAN tags.
3.
Disable STP on PE interfaces at the CE side, and then configure QinQ-based transparent
4.
Configure the QinQ (VLAN stacking) function on PEs, ensuring that BPDUs of different
VLAN tags from CEs are encapsulated with the same outer VLAN tag 10, and then
transmitted on the ISP network.
Data Preparation
l
Inner VLAN tags of the BPDUs sent from CEs to PEs
Outer VLAN tag of the BPDUs encapsulated by PEs
Issue 02 (2013-12-31)

1659

Equipment
Procedure
Step 1 Switch the interfaces on PEs and CEs into Layer 2 interfaces.
NOTE
to Layer 2 interfaces. For detailed configurations, see the configuration files at the end of the
# Configure CE1.
[CE1] stp enable
# Configure CE2.
[CE2] stp enable
# Configure CE3.
[CE3] stp enable
# Configure CE4.
[CE4] stp enable
# Configure PE1.
[PE1] stp enable
# Configure PE2.
[PE2] stp enable
Step 3 Configure BPDUs from CE1 and CE2 to PEs to carry VLAN tag 100; configure BPDUs from
CE3 and CE4 to PEs to carry VLAN tag 200.
# Configure CE1.
[CE1] vlan 100
[CE1-vlan100] quit
# Configure CE2.
[CE2] vlan 100
[CE2-vlan100] quit
# Configure CE3.
[CE3] vlan 200
[CE3-vlan200] quit
Issue 02 (2013-12-31)

1660

Equipment
# Configure CE4.
[CE4] vlan 200
[CE4-vlan200] quit
Step 4 Configure QinQ-based transparent transmission of Layer 2 protocol packets on PEs. This ensures
that BPDUs of different VLAN tags sent from CEs are encapsulated with the same outer VLAN
tag 10, and then transmitted on the ISP network.
# Configure PE1.
[PE1] vlan 10
[PE1-Vlan10] quit
[PE1-GigabitEthernet0/2/0] port vlan-stacking vlan 100 stack-vlan 10
[PE1-GigabitEthernet0/2/0] l2protocol-tunnel stp vlan 10
# Configure PE2.
[PE2] vlan 10
[PE2-Vlan10] quit
Step 5 Configure PEs to replace the MAC address of the BPDUs from CEs.
# Configure PE1.
# Configure PE2.

Issue 02 (2013-12-31)

1661

Equipment

Protocol
Group-MAC
Priority
----------------------------------------------------------------------------stp
0180-c200-0000 0100-5e00-0011 0
[CE1] display stp
:32768.000b-09f0-1b91
Bridge Times
CIST Root/ERPC
:32768.000b-09d4-b66c / 199999
CIST RegRoot/IRPC
:32768.000b-09f0-1b91 / 0
CIST RootPortId
:128.82
BPDU-Protection
:disabled
STP Converge Mode
:Fast
:enabled
Port Role
:CIST Root Port
Port Priority
:128
Port Cost(Dot1T )
Desg. Bridge/Port
:32768.000b-09d4-b66c / 128.82
Port Edged
Point-to-point
Protection Type
:None
PortTimes
BPDU Sent
:237
BPDU Received
:9607
[CE2] display stp
:32768.000b-09d4-b66c
Bridge Times
CIST Root/ERPC
:32768.000b-09d4-b66c / 0
CIST RegRoot/IRPC
:32768.000b-09d4-b66c / 0
CIST RootPortId
:0.0
BPDU-Protection
:disabled
STP Converge Mode
:Fast
:enabled
Port Role
Port Priority
:128
Port Cost(Dot1T )
Desg. Bridge/Port
:32768.000b-09d4-b66c / 128.82
Port Edged
Point-to-point
Protection Type
:None
PortTimes
BPDU Sent
:7095
BPDU Received
:2
Root port, and GE 1/0/1 on CE4 as the Designated port.
[CE3] display stp
:32768.00e0-fc9f-3257
Issue 02 (2013-12-31)

1662

Equipment
Bridge Times
CIST Root/ERPC
:32768.00e0-fc9a-4315 / 199999
CIST RegRoot/IRPC
:32768.00e0-fc9f-3257 / 0
CIST RootPortId
:128.82
BPDU-Protection
:disabled
STP Converge Mode
:Fast
:enabled
Port Role
:CIST Root Port
Port Priority
:128
Port Cost(Dot1T )
Desg. Bridge/Port
:32768.00e0-fc9a-4315 / 128.82
Port Edged
Point-to-point
Protection Type
:None
PortTimes
BPDU Sent
:238
BPDU Received
:9745
[CE4] display stp
:32768.00e0-fc9a-4315
Bridge Times
CIST Root/ERPC
:32768.00e0-fc9a-4315 / 0
CIST RegRoot/IRPC
:32768.00e0-fc9a-4315 / 0
CIST RootPortId
:0.0
BPDU-Protection
:disabled
STP Converge Mode
:Fast
:enabled
Port Role
Port Priority
:128
Port Cost(Dot1T )
Desg. Bridge/Port
:32768.00e0-fc9a-4315 / 128.82
Port Edged
Point-to-point
Protection Type
:None
PortTimes
BPDU Sent
:7171
BPDU Received
:2
Run the display vlan command on PEs. You can view QinQ information.
[PE1] display vlan 10 verbose
VLAN ID
: 10
VLAN Type
: Common
Status
: Enable
Broadcast
: Enable
Statistics
: Disable
---------------Tagged
---------------QinQ-stack Port: GigabitEthernet0/2/0
----End
Issue 02 (2013-12-31)

1663

Equipment
Configuration Files
l

#
sysname CE1
#
vlan batch 100
#
stp enable
#
undo shutdown
portswitch
stp bpdu vlan 100
#
return

#
sysname CE2
#
vlan batch 100
#
stp enable
#
undo shutdown
portswitch
stp bpdu vlan 100
#
return

#
sysname CE3
#
vlan batch 200
#
stp enable
#
undo shutdown
portswitch
stp bpdu vlan 200
#
return

#
sysname CE4
#
vlan batch 200
#
stp enable
#
undo shutdown
portswitch
stp bpdu vlan 200
#
return
Issue 02 (2013-12-31)

1664

Equipment

#
sysname PE1
#
vlan batch 10
#
#
stp enable
#
undo shutdown
portswitch
port vlan-stacking vlan 100 stack-vlan 10
l2protocol-tunnel stp vlan 10
stp disable
#
undo shutdown
portswitch
stp disable
#
undo shutdown
portswitch
#
return

#
sysname PE2
#
vlan batch 10
#
#
stp enable
#
undo shutdown
portswitch
stp disable
#
undo shutdown
portswitch
stp disable
#
undo shutdown
portswitch
#
return
Example for Configuring Hybrid VLAN-based Transparent Transmission of Layer

2 Protocol Packets
Issue 02 (2013-12-31)

1665

Equipment
As shown in Figure 5-65, CEs are interconnected through PEs; STP runs between CE1 and CE2;
BPDUs sent from CE1 and CE2 to PEs carry VLAN tag 100; a user-defined Layer 2 protocol
is run between CE3 and CE4 and the protocol packets have the destination multicast MAC
address of 0100-c300-0100; BPDUs sent from CE3 and CE4 to PEs carry no VLAN tag.
Consequently, devices of the ISP network receive BPDUs with VLAN tags or user-defined Layer
2 protocol frames without VLAN tags. Based on the networking, you can configure Hybrid
VLAN-based transparent transmission of Layer 2 protocol packets on PEs to achieve the
following:
l
Devices attached to CE1 and CE2 work jointly to complete the spanning tree calculation.
Devices attached to CE3 and CE4 work jointly to complete the calculation of the userdefined protocol.
In addition, you also enable to configure PEs to achieve the following:

l
Add the default VLAN ID of the receiving interface to the Layer 2 protocol frames that
carry no VLAN tag, and then transparently transmit these packets.
Encapsulate the carrier's VLAN ID for the received Layer 2 protocol frames that carry
VLAN tags. You can flexibly select the carrier's VLAN ID; in other words, you can specify
different carrier's VLAN IDs (outer VLAN tags) for the received BPDUs that carry different
VLAN tags.
replaced by the designated multicast MAC address. In this manner, these Layer 2 protocol
packets can be transparently transmitted on the ISP network. CEs and PEs are bridge devices of
the Customer type, and the default destination MAC address of BPDUs is 0180-C200-0000.
Figure 5-65 Networking diagram of Hybrid VLAN-based transparent transmission of Layer 2
protocol packets
P
PE1
GE0/2/1
GE1/0/2
PE2
GE0/2/1
GE1/0/1
GE0/2/0
GE0/2/0
GE1/0/3
GE1/0/3
GE1/0/1
GE1/0/1
Switch1
Switch2
GE1/0/2
GE1/0/1
CE1
CE3
VLAN 100
GE1/0/1
GE1/0/1
GE1/0/2
GE1/0/1
CE2
VLAN 10
VLAN 100
CE4
VLAN 10
1.
Issue 02 (2013-12-31)

1666

Equipment
2.
Configure BPDUs sent from CE1 and CE2 to PEs to carry the specific VLAN tags;
configure BPDUs sent from CE3 and CE4 to PEs to carry no VLAN tags.
3.
Disable STP on PE interfaces at the CE side, and then configure Hybrid VLAN-based
transparent transmission of Layer 2 protocol packets.
Data Preparation
l
Inner VLAN tag of the BPDUs sent from CEs to PEs
Outer VLAN tag of the BPDUs encapsulated by PEs
Procedure
Step 1 Switch the interfaces on PEs and CEs into Layer 2 interfaces.
NOTE
to Layer 2 interfaces. For detailed configurations, see the configuration files at the end of this
# Configure CE1.
[CE1] stp enable
# Configure CE2.
[CE2] stp enable
# Configure PE1.
[PE1] stp enable
# Configure PE2.
[PE2] stp enable
NOTE
The configuration details of the user-defined Layer 2 protocol on CE3 and CE4 are not mentioned here.
Step 3 Configure BPDUs sent from CE1 and CE2 to PEs to carry VLAN tag 100.
# Configure CE1.
[CE1] vlan 100
[CE1-vlan100] quit
# Configure CE2.
[CE2] vlan 100
Issue 02 (2013-12-31)

1667

Equipment
[CE2-vlan100] quit
NOTE
BPDUs of the user-defined Layer 2 protocol running on CE3 and CE4 carry no VLAN tag. The configuration
details are not mentioned here.
Step 4 Configure convergence switches.

1/0/3
shutdown
default vlan 10
1/0/1
shutdown
1/0/2
shutdown
default vlan 10
1/0/3
shutdown
default vlan 10
1/0/1
shutdown
1/0/2
shutdown
default vlan 10
Step 5 Configure the user-defined Layer 2 protocol.

# Configure PE1.
[PE1] l2protocol-tunnel user-defined-protocol huawei protocol-mac 0100-c300-0100
group-mac 0100-5e00-0014
# Configure PE2.
[PE2] l2protocol-tunnel user-defined-protocol huawei protocol-mac 0100-c300-0100
group-mac 0100-5e00-0014
Step 6 Configure Hybrid VLAN-based transparent transmission of Layer 2 protocol packets on PEs.
After a PE receives a BPDU that carries no VLAN tag, the PE encapsulates the default VLAN
ID 10 of the receiving interface for the BPDU, and then transparently transmits the BPDU; After
a PE receives a BPDU that carries VLAN ID 100, the PE encapsulates the carrier's VLAN ID
100 for the BPDU.
Issue 02 (2013-12-31)

1668

Equipment
# Configure PE1.
[PE1] vlan batch 10 100
[PE1-Vlan10] quit
[PE1-GigabitEthernet0/2/0] port default vlan 10
[PE1-GigabitEthernet0/2/0] l2protocol-tunnel user-defined-protocol huawei enable
# Configure PE2.
[PE2] vlan batch 10 100
[PE2-Vlan10] quit
[PE2-GigabitEthernet0/2/0] port default vlan 10
[PE2-GigabitEthernet0/2/0] l2protocol-tunnel user-defined-protocol huawei enable
Step 7 Configure PEs to replace the MAC address of the BPDUs from CEs.
# Configure PE1.
# Configure PE2.

Protocol
Group-MAC
Priority
----------------------------------------------------------------------------stp
0180-c200-0000 0100-5e00-0011 0
huawei
0100-c300-0100 0100-5e00-0014 3
[CE1] display stp
-------[CIST Global
CIST Bridge
Bridge Times
CIST Root/ERPC
CIST RegRoot/IRPC
CIST RootPortId
BPDU-Protection
Issue 02 (2013-12-31)
Info][Mode MSTP]------:32768.000b-09f0-1b91
:32768.000b-09d4-b66c / 199999
:32768.000b-09f0-1b91 / 0
:128.82
:disabled

1669

Equipment
STP Converge Mode
:Fast
:enabled
Port Role
:CIST Root Port
Port Priority
:128
Port Cost(Dot1T )
Desg. Bridge/Port
:32768.000b-09d4-b66c / 128.82
Port Edged
Point-to-point
Protection Type
:None
PortTimes
BPDU Sent
:237
BPDU Received
:9607
[CE2] display stp
:32768.000b-09d4-b66c
Bridge Times
CIST Root/ERPC
:32768.000b-09d4-b66c / 0
CIST RegRoot/IRPC
:32768.000b-09d4-b66c / 0
CIST RootPortId
:0.0
BPDU-Protection
:disabled
STP Converge Mode
:Fast
:enabled
Port Role
Port Priority
:128
Port Cost(Dot1T )
Desg. Bridge/Port
:32768.000b-09d4-b66c / 128.82
Port Edged
Point-to-point
Protection Type
:None
PortTimes
BPDU Sent
:7095
BPDU Received
:2
----End
Configuration Files
l

#
sysname CE1
#
vlan batch 100
#
stp enable
#
undo shutdown
portswitch
stp bpdu vlan 100
#
return

#
sysname CE2
Issue 02 (2013-12-31)

1670

Equipment
#
vlan batch 100
#
stp enable
#
undo shutdown
portswitch
stp bpdu vlan 100
#
return

#
sysname PE1
#
vlan batch 10 100
#
l2protocol-tunnel user-defined-protocol huawei protocol-mac 0100-c300-0100
group-mac 0100-5e00-0014
#
stp enable
#
undo shutdown
portswitch
l2protocol-tunnel user-defined-protocol huawei enable
stp disable
#
undo shutdown
portswitch
#
return

#
sysname PE2
#
vlan batch 10 100
#
l2protocol-tunnel user-defined-protocol huawei protocol-mac 0100-c300-0100
group-mac 0100-5e00-0014
#
stp enable
#
undo shutdown
portswitch
l2protocol-tunnel user-defined-protocol huawei enable
stp disable
#
undo shutdown
portswitch
#
return
Issue 02 (2013-12-31)

1671

Equipment

#
sysname Switch1
#
vlan batch 1 to 100
#
undo shutdown
portswitch
#
undo shutdown
portswitch
#
undo shutdown
portswitch
#
return

#
sysname Switch2
#
vlan batch 1 to 100
#
undo shutdown
portswitch
#
undo shutdown
portswitch
#
undo shutdown
portswitch
#
return
5.12 ERPS (G.8032) Configuration

Ethernet Ring Protection Switching (ERPS) is a standard protocol issued by the ITU-T to prevent
loops on ring networks. ERPS provides carrier-class relaibility with a fast convergence speed.
ERPS takes effect on a ring network if all ATN devices on a ring network support it.
5.12.1 Introduction
ERPS is a protocol used to block specified ports to prevent loops at the link layer of an Ethernet
network.
Issue 02 (2013-12-31)

1672

Equipment
Overview
Ethernet Ring Protection Switching (ERPS), also called International Telecommunication
Union-Telecommunication Standardization Sector (ITU-T) G.8032, is designed to prevent
Layer 2 loops.
Background
Generally, redundant links are used on an Ethernet switching network to provide link backup
and enhance network reliability. The use of redundant links, however, may produce loops,
causing broadcast storms and rendering the MAC address table unstable. As a result, the
communication quality deteriorates, and communication services may even be interrupted. To
resolve these problems, ERPS can be used for loop avoidance purposes.
ERPS blocks the ring protection link (RPL) owner port to remove loops and unblocks it if a link
fault occurs on promptly restore communication.
ERPSv1 and ERPSv2 are currently available. ERPSv2, fully compatible with ERPSv1, provides
enhanced functions. Table 5-29 compares ERPSv1 and ERPSv2.
Table 5-29 Comparison between ERPSv1 and ERPSv2
Function
ERPSv1
ERPSv2
Ring type
Supports single rings only.
Supports single rings and multirings. A multi-ring topology

comprises major rings and subrings.
Port role
Supports the ring protection link

(RPL) owner port and ordinary
ports.
Supports the RPL owner port,

RPL neighbor port, and ordinary
ports.
Topology change
notification
Not supported.
Supported.
Ring Auto Protection

Switching (R-APS)
PDU transmission
mode on sub-rings
Not supported.
Supported.
Revertive and nonrevertive switching
Supports revertive switching by

default and does not support
non-revertive switching or
switching mode configuration.
Supported.
Manual port blocking
Not supported.
Supports forced switch (FS) and

manual switch (MS).
Compared with other ring network protocols, ERPS provides a fast convergence speed and
allows communication between Huawei and non-Huawei devices. Table 5-30 compares various
ring network protocols.
Issue 02 (2013-12-31)

1673

Equipment
Table 5-30 Ring network protocols supported by the ATN

Ring Network
Protocol
Advantage
Disadvantage
Rapid Ring Protection

Protocol (RRPP)
Boasts fast convergence,

meeting carrier-class reliability
requirements.
l Supports only level-1 subring in ring networking.
STP/Rapid Spanning
Tree Protocol (RSTP)/
Multiple Spanning
Tree Protocol (MSTP)
l Applies to all Layer 2

networks.
Provides a low convergence

speed for a large network. It does
not meet the carrier-class
reliability requirements.
Smart Ethernet
Protection (SEP)
l Applies to all Layer 2

networks.
l Is a standard IEEE protocol

that allows Huawei and nonHuawei devices to
communicate.
l Boasts fast convergence,

meeting carrier-class
l Is a proprietary protocol that

cannot be used for
communication between
Huawei and non-Huawei
devices.
Is a proprietary protocol that

cannot be used for
communication between Huawei
l Displays the topology of an

entire ring, facilitating fault
location and device
maintenance.
ERPS
l Boasts fast convergence,

meeting carrier-class
Requires complex manual

configuration of many functions.
l Is a standard ITU-T protocol

that allows Huawei and nonHuawei devices to
communicate.
l Supports single and multiring topologies in ERPSv2.
Introduction
Loops will cause broadcast storms, exhausting network resources and paralyzing the network.
Loops also cause flapping of the MAC address table and damages MAC address entries.
ERPS is a protocol defined by the ITU-T to block specified ports to prevent Layer 2 loops. ERPS
provides carrier-class reliability with a fast convergence speed.
Issue 02 (2013-12-31)

1674

Equipment
Figure 5-66 ERPS single-ring networking
Network
NPE1
NPE2
LSW1
LSW4
ERPS
RPL
LSW2
LSW3
RPL Owner
CE
Blocked Port
Basic Concepts
Figure 5-66 shows a typical ERPS single-ring network. The following part describes ERPS
based on this networking. ERPS concepts include the ERPS ring, node, port role, and port status.
l
ERPS ring
An ERPS ring consists of interconnected ATN devices that have the same control VLAN.
A ring is the basic ERPS unit.
Issue 02 (2013-12-31)

1675

Equipment
ERPSv1 supports only major rings (closed). ERPSv2 supports both major rings and subrings (open). By default, all ERPS rings are major rings. Major rings can be reconfigured
as sub-rings.
l
Node
A node refers to a ATN added to an ERPS ring. A node can have a maximum of two ports
added to the same ERPS ring.
Port role
ERPS defines three port roles: RPL owner port, RPL neighbor port (only in ERPSv2), and
ordinary port. The link on which the RPL owner port resides is called the ring protection
link (RPL).
RPL owner port
An RPL owner port is a ring port responsible for blocking traffic over the RPL to prevent
loops. An ERPS ring has only one RPL owner port.
When the node on which the RPL owner port resides receives an R-APS PDU indicating
that a link or node on the ring fails, it unblocks the RPL owner port to allow the port to
send and receive traffic. This mechanism ensures that traffic is not interrupted.
RPL neighbor port
An RPL neighbor port is a ring port directly connected to an RPL owner port and helps
reduce the number of times filtering database (FDB) entries are refreshed.
RPL owner and neighbor ports are both blocked under normal conditions to prevent
loops.
If an ERPS ring fails, both RPL owner and neighbor ports are unblocked.
Ordinary port
Ordinary ports are ring ports other than the RPL owner and neighbor ports.
An ordinary port monitors the status of the directly-connected ERPS link and sends RAPS PDUs to inform the other ports if the link status changes.
Port status
On an ERPS ring, an ERPS-enabled port can be in either of the following states:
Forwarding: The port forwards user traffic and sends and receives R-APS PDUs.
Discarding: The port only sends R-APS PDUs.
Control VLAN
A control VLAN is configured for an ERPS ring to transmit R-APS PDUs.
Each ERPS ring must be configured with a control VLAN. After a port is added to an ERPS
ring that has a control VLAN configured, the port is added to the control VLAN
automatically.
Different ERPS rings cannot be configured with the same control VLAN ID.
Unlike control VLANs, data VLANs are used to transmit data packets.
ERP instance
On a ATN running ERPS, the VLAN in which R-APS PDUs and data packets are
transmitted must be mapped to an Ethernet Ring Protection (ERP) instance so that ERPS
forwards or blocks the VLAN packets based on blocking rules. Otherwise, VLAN packets
will probably cause broadcast storms on the ring network and render the network
unavailable.
Issue 02 (2013-12-31)

1676

Equipment
Revertive and non-revertive switching

After link faults are rectified, whether to re-block the RPL owner port depends on the
switching mode.
In revertive switching, the RPL owner port is re-blocked after the wait to restore (WTR)
timer expires, and the traffic channel is blocked on the RPL.
In non-revertive switching, the WTR timer is not started, and the traffic channel
continues to use the RPL.
ERPSv1 supports only revertive switching. ERPSv2 supports both revertive and nonrevertive switching.
Port blocking modes

In case the RPL has high bandwidth, blocking a link with low bandwidth and unblocking
the RPL allow traffic to use the RPL and have more bandwidth. ERPS supports two manual
port blocking modes: forced switch (FS) and manual switch (MS). FS takes precedence
over MS.
FS: forcibly blocks a port immediately after FS is configured, irrespective of whether
link failures have occurred.
MS: forcibly blocks a port on which MS is configured when link failures and FS
conditions are absent.
In addition to FS and MS operations, ERPS also supports the clear operation. The clear
operation has the following functions:
Clears an existing FS or MS operation.
Triggers revertive switching before the WTR or wait to block (WTB) timer expires in
the case of revertive operations.
Triggers revertive switching in the case of non-revertive operations.
ERPSv2 supports manual port blocking.
Timer
ERPS defines four timers: guard timer, WTR timer, hold-off timer, and WTB timer (only
in ERPSv2).
Guard timer
After a faulty link or a faulty node recovers, the nodes on the two ends of the link or the
faulty node sends RAPS packets to inform the other nodes of the link or node recovers
and starts a Guard timer. Before the timer expires, each involved node does not process
any RAPS packet to avoid receiving out-of-date RAPS packets indicating that the link
or node fails. If the involved node receives an RAPS packet indicating that another port
fails , the local port enters the Forwarding state.
WTR timer
If the RPL owner port is unblocked owning to a link or node failure, the involved port
may not go Up immediately after the link or node recovers. To prevent the RPL owner
port alternates between the Up and Down states, the node where the RPL owner port
resides starts a WTR timer after receiving an RAPS packet indicating the link or node
recovery. If the node receives an RAPS packet indicating that another port fails before
the timer expires, it terminates the WTR timer. If the node does not receive any RAPS
packet indicating that another port fails before the timer expires, it unblocks the RPL
owner port when the timer expires and sends an RAPS packet indicating that the RPL
Issue 02 (2013-12-31)

1677

Equipment
owner port is blocked. After receiving this RAPS packet, the other nodes set their ports
on the ring to the Forwarding state.
Hold-off timer
Protection switching sequence requirements vary for Layer 2 networks running ERPS.
For example, in a multi-layer service application, if a server fails, a period of time is
needed for the server to recover. No protection switching is performed immediately
after the server fails, and the client does not detect the failure in this period of time. A
hold-off timer can be set to meet this requirement. If a fault occurs, the fault is not
immediately reported to ERPS. Instead, the hold-off timer starts. If the fault persists
after the timer expires, the fault will be reported to ERPS.
WTB timer
The WTB timer starts after an FS or MS operation is performed. When multiple nodes
on an ERPS ring are in the FS or MS state, the clear operation takes effect only after
the WTB timer expires so that the RPL owner port will not be blocked immediately.
The WTB timer value cannot be configured. Its value is the guard timer value plus 5.
l
R-APS PDU transmission mode on sub-rings

ERPSv2 supports single and multi-ring topologies. In multi-ring topologies, sub-rings
either have R-APS virtual channels (VCs) or non-virtual channels (NVCs).
With VCs: R-APS PDUs on sub-rings are transmitted to the major ring through
interconnection nodes. The RPL owner port of a sub-ring blocks both R-APS PDUs and
data traffic.
With NVCs: R-APS PDUs on sub-rings are terminated on the interconnection nodes.
The RPL owner port blocks data traffic but not R-APS PDUs on each sub-ring.
On the network shown in Figure 5-67, a major ring is interconnected to two sub-rings. The
sub-ring on the left has a VC, whereas the sub-ring on the right has an NVC.
Figure 5-67 Interconnected rings with a VC or NVC
Sub-Ring
with
virtual
channel
Major
Ring
Sub-Ring
without
virtual
channel
Ethernet Ring Node

Interconnection Node
RPL Owner Interface
RAPS Virtual Channel
Issue 02 (2013-12-31)

1678

Equipment
By default, sub-rings use NVCs to transmit R-APS PDUs, except for the scenario shown
in Figure 5-68.
NOTE
When sub-ring links are not contiguous, VCs must be used. On the network shown in Figure 5-68,
links b and d belong to major rings 1 and 2, respectively; links a and c belong to the sub-ring. As
links a and c are not contiguous, they cannot detect the status change between each other, so VCs
must be used for R-APS PDU transmission.
Figure 5-68 VC application networking
Major
Ring1
Sub-Ring
with virtual d
channel
Major
Ring2
c
Ethernet Ring Node
Interconnection Node
RPL owner Interface
RAPS Virtual Channel
Table 5-31 lists the advantages and disadvantages of R-APS PDU transmission modes on
sub-rings with VCs or NVCs.
Table 5-31 Comparison between R-APS PDU transmission modes on sub-rings with VCs
or NVCs
Issue 02 (2013-12-31)
R-APS
PDU
Transmi
ssion
Mode on
Subrings
Advantage
Disadvantage
Using
VCs
Applies to scenarios in which

sub-ring links are not
contiguous.
Requires VC resource reservation and

control VLAN assignment from adjacent
rings.

1679

Equipment
R-APS
PDU
Transmi
ssion
Mode on
Subrings
Advantage
Disadvantage
Using
NVCs
Does not need resource

reservation or control VLAN
assignment from adjacent
rings.
Inapplicable to scenarios in which subring links are not contiguous.
ERPS Features Supported by the ATN

This section describes ERPS features supported by the ATN.
ERPS is a protocol defined by the ITU-T to block specified ports to prevent Layer 2 loops.
The ERPSv1 configuration roadmap is as follows:
1.
Create an ERPS ring, configure the control VLAN and Ethernet Ring Protection (ERP)
instance, add ports to the rings, and specify port roles. These ERPS configurations help
break loops.
2.
Configure timers for the ERPS ring according to real-world situations.
3.
Associate ERPS with a fault detection protocol to shorten the traffic interruption time.
The ERPSv2 configuration roadmap is as follows:

1.
Create ERPS rings, configure control VLANs and ERP instances for the rings, specify
ERPSv2, specify major rings and sub-rings, add ports, and specify port roles. These ERPS
configurations help break loops.
2.
Configure the topology change notification function to ensure traffic transmission

according to real-world situations.
3.
Configure ERPS revertive or non-revertive switching, forced switch (FS) or manual switch
(MS), or timers according to real-world situations.
4.
Associate ERPS with a fault detection protocol to shorten the traffic interruption time.
ERPSv1 and ERPSv2 are currently available. ERPSv2, compatible with ERPSv1, supports
multi-ring topologies and association with connectivity fault management (CFM), in addition
to ERPSv1 functions, such as single ring topologies and multi-instance.
ERPS Single Ring Network

On the network shown in Figure 5-69, ATN A through ATN E constitute a ring network, and
they can communicate with each other. To prevent loops, ERPS blocks the RPL owner port and
also the RPL neighbor port (if any is configured). All other ports can transmit service traffic. If
a node or link fails, the ERPS protection switching mechanism is triggered, and the RPL owner
port and RPL neighbor port are unblocked to send and receive packets. This mechanism ensures
that traffic is not interrupted.
Issue 02 (2013-12-31)

1680

Equipment
Figure 5-69 ERPS single ring network
Network
NPE1
NPE2
LSW5
LSW1
ERPS
LSW4
RPL
LSW2
RPL owner
LSW3
CE
Blocked Interface
Data Flow
ERPS Multi-ring Network

On the multi-ring network shown in Figure 5-70, ATN A through ATN E constitute a major
ring; ATN B, ATN C, and ATN F constitute sub-ring 1, and ATN C, ATN D, and ATN G
constitute sub-ring 2. The LSWs on each ring can communicate with each other. To prevent
loops, each ring blocks its RPL owner port. All other ports can transmit service traffic. Traffic
between PC1 and the upper-layer network travels along the path PC1 <-> ATN F <-> ATN B
<-> ATN A <-> ATN A; traffic between PC2 and the upper-layer network travels along the path
PC2 <-> ATN G <-> ATN D <-> ATN E <-> ATN B.
Issue 02 (2013-12-31)

1681

Equipment
If a node or link on a sub-ring fails, ERPS triggers protection switching and unblocks the RPL
owner port and RPL neighbor port on the sub-ring. Then ERPS sends topology change
notification messages to the major ring through interconnection nodes so that the nodes on the
major ring perform an FDB flush. This mechanism ensures that traffic is not interrupted.
Figure 5-70 ERPS multi-ring network
Network
NPE1
NPE2
LSW5
LSW1
Major Ring
LSW2
LSW4
RPL
Sub-Ring1
LSW6
PC1
LSW3
Sub-Ring2
LSW7
PC2
RPL owner
Data Flow
ERPS Multi-instance
On a common ERPS network, a physical ring can be configured with a single ERPS ring, and a
single blocked port can be specified on the ring. If the ERPS ring is complete, the blocked port
prevents all user packets from passing through. As a result, all user packets travel through a
single path over the ERPS ring, and the other link on the blocked port becomes idle, causing
bandwidth wastes.
The ERPS multi-instance allows two logical ERPS rings on a physical ring. On the ERPS ring
shown in Figure 5-71, all ATN devices, ports, and control VLANs work based on basic ERPS
Issue 02 (2013-12-31)

1682

Equipment
rules. A physical ring has two blocked ports. Each blocked port verifies the completeness of the
physical ring and blocks or forwards data without affecting others.
One or two ERPS rings can be configured over a physical ring. Each ERPS ring is configured
with an ERP instance. Each ERP instance represents a range of VLANs. The topology calculated
for a specific ERPS ring does not apply to another ERPS ring and does not affect other rings.
With a specific ERP for each ERPS ring, a blocked port takes effect only on VLANs of a specific
ERPS ring. Different VLANs can use separate paths, implementing traffic load balancing and
link backup.
Figure 5-71 Networking diagram for the ERPS multi-instance
Network
RouterA
RouterB
ATNC
ATND
ERPS
ATNA
P2
User
network1
ATNB
P1
User
network2
ERPS ring1
ERPS ring2
Blocked Port1
Blocked Port2
Data Flow1
Data Flow2
Issue 02 (2013-12-31)

1683

Equipment
Association Between ERPS and Ethernet CFM

NOTE
Currently, ERPS can be associated only with outward-facing MEPs.
When a transmission device is connected to an ERPS ring and fails, ERPS, in absence of an
automatic link detection mechanism, cannot quickly detect the device failure. This issue will
make convergence slow or even cause service interruption in worse cases. To resolve this
problem, ERPS can be associated with Ethernet connectivity fault management (CFM).
After Ethernet CFM is deployed on ERPS nodes connecting to transmission devices and detects
a transmission link failure, CFM informs the ERPS ring of the failure so that ERPS can perform
fast protection switching.
On the network shown in Figure 5-72, ATN A, ATN B, and ATN C form an ERPS ring. Three
relay nodes exist between ATN A and ATN C. CFM is configured on ATN A and ATN C.
Interface1 on ATN A is associated with Interface1 on Relay1, and Interface1 on ATN C is
associated with Interface1 on Relay3.
If a transmission device or link fails, ATN A and ATN C detect the CFM failure and notify
ERPS. Then ERPS unblocks the RPL owner port and switches traffic.
Issue 02 (2013-12-31)

1684

Equipment
Figure 5-72 ERPS ring over transmission links
Relay2
Interface1
Interface1
Relay1
Relay3
Interface1
Interface1
LSW1
LSW3
LSW2
RPL owner
Data Flow
5.12.2 Configuring ERPSv1

If there is no link fault on the ring network, ERPS can eliminate Ethernet redundant links. If a
link fault occurs on the ring network, ERPS can quickly restore the communication links between
the nodes on the ring network. ERPSv1 supports only single ring topologies.
Before You Start

Before configuring ERPSv1, familiarize yourself with the usage scenario, complete the preconfiguration tasks, and obtain the required data. This can help you complete the configuration
Generally, redundant links are used to access an upper-layer network to provide link backup and
enhance network reliability. The use of redundant links, however, may produce loops. causing
Issue 02 (2013-12-31)

1685

Equipment
broadcast storms and rendering the MAC address table unstable. As a result, the communication
quality deteriorates, and communication services may even be interrupted. ERPS can be
deployed on the ring network to block redundant links and unblock them if a link fault occurs.
NOTE
Only one protocol, that is, RRPP, STP, SEP, or ERPS, can be configured on one port.
Before configuring ERPSv1 functions, complete the following tasks:
l
Set up a physical ring network.
Connect interfaces and configure physical parameters for the interfaces to allow the
physical status of the interfaces to be Up.
Data Preparation
To configure ERPSv1 functions, you need the following data.
No.
Data
ERPS ring ID
Control VLAN ID (Optional) ERPS ring description information
Port number and port role
Protected instance ID
(Optional) WTR timer, (Optional) guard timer, and (Optional) holdoff timer
(Optional) MEL value of the ERPS ring
(Optional) Ports associated with CFM
Creating an ERPS Ring

An ERPS ring is a basic unit of ERPS. An ERPS ring consists of interconnected ATN devices
configured with the same control VLAN.
Procedure
Step 1 Run:
system-view

Step 2 Run:
erps ring ring-id
An ERPS ring is created and the view of the ERPS ring is displayed.
If an ERPS ring needs to be deleted, ensure that no interfaces are added to the ERPS ring. If any
interface is added to the ERPS ring, a prompt message is displayed when the ERPS ring is being
Issue 02 (2013-12-31)

1686

Equipment
deleted. In this case, run the undo erps ring command in the interface view or the undo port
command in the ERPS ring view to remove the interface. and run the undo erps ring command
to delete the ERPS ring.
----End
Follow-up Procedure
To facilitate the maintenance of ATN devices on the ERPS ring, run the description command
to configure description information such as ERPS ring ID for these ATN devices.
Configuring Control VLAN

The control VLAN is a concept relative to the data VLAN. In an ERPS ring, a control VLAN
is used to transmit ERPS packets rather than service packets of users to enhance the security of
ERPS.
Context
The same control VLAN must be configured for all ATN devices on an ERPS ring, and different
control VLANs must be configured for different ERPS rings.
Procedure
Step 1 Run:
system-view

Step 2 Run:
erps ring ring-id
The view of the created ERPS ring is displayed.

Step 3 Run:
The control VLAN is configured for the ERPS ring to forward ERPS protocol packets.
The control VLAN specified by the parameter vlan-id must be newly created. It can neither be
referenced by RRPP or SEP, nor be used in port trunk, default, VLAN mapping, or VLAN
stacking mode.
l If any interface has been added to the ERPS ring, the control VLAN cannot be modified. If
the configured control VLAN needs to be deleted, run the undo erps ring command in the
interface view or the undo port command in the ERPS ring view, and run the undo controlvlan command to delete the control VLAN.
l If no interface is added to the ERPS ring, you can modify the control VLAN for multiple
times. Only the latest configuration takes effect.
l After the control VLAN is correctly created, the command to create ordinary VLANs vlan
batch vlan-id1 [ to vlan-id2 ] &<1-10> is automatically displayed in the configuration file.
After an interface is added to an ERPS ring configured with a control VLAN, the interface
is added to the control VLAN automatically. Note the following information:
Issue 02 (2013-12-31)

1687

Equipment
If the type of the interface added to the ERPS ring is trunk, the vlan-id command is
displayed automatically in the configuration file.
----End
Configuring the Mapping Between Protected Instances and VLANs

Interfaces can be added to an ERPS ring only after a protected instance is created. Data VLANs
can be mapped to the protected instance to implement service traffic load balancing.
Procedure
Step 1 Run:
system-view

Step 2 Run:
erps ring ring-id
The view of the ERPS ring is displayed.

Step 3 Run:
protected-instance { all | { instance-id1 [ to instance-id2 ] &<1-10>
} }
A protected instance is created on the ERPS ring.

By default, no protected instance is configured on an ERPS ring.
Running a new protected-instance command does not overide the previously configured
protected instances.
If any interface has been added to the ERPS ring, no protected instance can be modified. If a
configured protected instance needs to be deleted, run the undo erps ring command in the
interface view or the undo port command in the ERPS ring view, and run the undo protectedinstance command to delete the protected instance.
Step 4 Configure the mapping between protected instances and VLANs. Specific procedures are as
follows:
1.
Run:
system-view

2.
Run:
The multiple spanning tree (MST) region view is displayed.

3.
Run:
instance instance-id vlan { vlan-id [ to vlan-id ] } &<1-10>
The mapping relationships between protected instances and VLANs are specified.
The parameter instance-id in this command must the same as the parameter instance-id in
the protected-instance command.
4.
Run:
Issue 02 (2013-12-31)

1688

Equipment
The mapping relationships are activated.

----End
Adding Layer 2 Ports to ERPS Ring and Configuring Port Roles

After an ERPS ring is created, ERPS breaks loops only if Layer 2 ports are added to the ERPS
ring and port roles are configured.
Prerequisites
Before adding interfaces to an ERPS ring, ensure that:
l
STP and RRPP are not enabled on Layer 2 interfaces that are added to the ERPS ring.
If STP is enabled on these interfaces, run the stp disable command to disable STP.
If RRPP is enabled on these interfaces, run the rrpp disable command to disable RRPP.
If interface to be added to the ERPS ring is Layer 3 interface, run the portswitch command
to switch the Layer 3 interfaces to Layer 2 interfaces.
The control VLAN and protected instance are configured using the control-vlan and
protected-instance commands.
Context
As defined in ERPS, a port can be an RPL owner port or an ordinary port. The link where the
RPL owner port resides is the ring protection link.
l
RPL Owner port

An ERPS ring has only one RPL Owner port, which is configured by a user. Blocking the
RPL Owner port prevents loops on the ERPS ring.
When the node where the RPL owner port resides receives an RAPS packet indicating that
a link or a node on the ring fails, it unblocks the RPL owner port to allow the port to send
and receive traffic. This mechanism ensures non-stop traffic forwarding.
Ordinary port
On an ERPS ring, the ports other than the RPL owner port are ordinary ports.
An ordinary port monitors the status of the directly-connected ERPS link, and sends RAPS
packets to inform the other ports if the link status changes.
There are two methods to add a Layer 2 port to an ERPS ring:

l
In the ERPS ring view, specify the port number and port role.
In the interface view, add the interface to the ERPS ring and configure the port role.
NOTE
At present, as MAC address Update packets cannot be independently sent, configuring the direct link
between two upstream nodes as an RPL is not recommended.
Before changing the port role, use the shutdown command to disable the port; after the role changing is
completed, use the undo shutdown command to enable the port. Otherwise, the traffic is interrupted.
Procedure
Step 1 Run:
Issue 02 (2013-12-31)

1689

Equipment
system-view

Step 2 Select the method to add a Layer 2 port to an ERPS ring:
l In the ERPS ring view, specify the port number and port role:
1.
Run:
erps ring ring-id
The view of a created ERPS ring is displayed.

2.
Run:
port interface-type interface-number [ rpl owner ]
The port is added to the ERPS ring and the port role is specified.
l In the interface view, add the port to the ERPS ring and configure the port role.
1.
Run:
The view of the port to be added to the ERPS ring is displayed.

2.
Run:
erps ring ring-id [ rpl owner ]
The port is added to the ERPS ring and the port role is specified.
----End
(Optional) Configuring Timers of an ERPS Ring

After a node or a link recovers from a fault on the ERPS ring, ERPS timers are used to prevent
traffic flapping on blocked node or link, reducing the service traffic interruption time.
Context
ERPS timers consist of:
l
Guard Timer
After a faulty link or a faulty node recovers, the nodes on the two ends of the link or the
faulty node sends Ring Auto Protection Switching (RAPS) packets to inform the other
nodes of the link or node recovers and starts a Guard timer. Before the timer expires, each
involved node does not process any RAPS packet to avoid receiving out-of-date RAPS
packets indicating that the link or node fails. If the involved node receives an RAPS packet
indicating that another port fails , the local port enters the Forwarding state.
Wait to Restore (WTR) Timer

If the ring protection link (RPL) owner port is unblocked owning to a link or node failure,
the involved port may not go Up immediately after the link or node recovers. To prevent
the RPL owner port alternates between the Up and Down states, the node where the RPL
owner port resides starts a WTR timer after receiving an RAPS packet indicating the link
or node recovery. If the node receives an RAPS packet indicating that another port fails
before the timer expires, it terminates the WTR timer. If the node does not receive any
RAPS packet indicating that another port fails before the timer expires, it unblocks the RPL
owner port when the timer expires and sends an RAPS packet indicating that the RPL owner
port is blocked. After receiving this RAPS packet, the other nodes set their ports on the
ring to the Forwarding state.
Issue 02 (2013-12-31)

1690

Equipment
Holdoff Timer
On different Layer 2 networks running EPRS, there may be different requirements on
protective switchover. For example, if multt-layer services are provided, users hope that
the protective switchover is not performed immediately after a server fails, ensuring that
clients do not sense the failure. In this case, you can set a Holdoff timer. If the fault occurs,
the fault is not immediately sent to ERPS until the Holdoff timer times out.
Procedure
Step 1 Run:
system-view

Step 2 Run:
erps ring ring-id
The view of the ERPS ring is displayed.

Step 3 Configure any of of ERPS timers as needed:
l Run:
wtr-timer time-value
The WTR timer is configured.

By default, the WTR timer is 5 minutes for the ERPS ring.
l Run:
guard-timer time_value_cs
The guard timer is configured.

By default, the guard timer is 200 centiseconds for the ERPS ring.
l Run:
holdoff-timer time-value
The holdoff timer is configured.

By default, the holdoff timer is 0 second for the ERPS ring.
----End
(Optional) Configuring the MEL Value of an ERPS Ring

If connectivity fault management (CFM) is configured on a Layer 2 Ethernet ring protection
switching (ERPS) network, the maintenance entity group level (MEL) value of ERPS packets
determines whether the ERPS packets can be forwarded. The MEL value of ERPS packets is
checked against that for CFM to determine whether the ERPS packets can be forwarded.
Context
In addition to determining whether packets can be forwarded, the MEL value of an ERPS ring
can also be used to facilitate the communications with other vendors' ATN devices. The same
MEL value ensures smooth communications between ATN devices.
Issue 02 (2013-12-31)

1691

Equipment
Procedure
Step 1 Run:
system-view

Step 2 Run:
erps ring ring-id
The view of the created ERPS ring is displayed.

Step 3 Run:
raps-mel level-id
The MEL value of the ERPS ring is set.

By default, the MEL value of ERPS packets is 7.
----End
(Optional) Associating an ERPS Interface with Ethernet CFM

Association between Ethernet connectivity fault management (CFM) and Ethernet Ring
Protection Switching (ERPS) on an ERPS ring port helps promptly detect failures, converge
topologies, and shorten the traffic interruption time. Currently, ERPS can be associated only
with outward-facing MEPs.
Prerequisites
Ethernet CFM has been configured on an ERPS ring port. For details, see 3.6.2 Configuring
Basic Ethernet CFM.
Procedure
l
Perform the following steps to associate ERPS with Ethernet CFM in the OAM
management view.
1.
Run:
system-view

2.
Run:
oam-mgr

3.
Run:
oam-bind ingress cfm md md-name ma ma-name trigger if-notify egress
Ethernet CFM is configured to notify ERPS of a failure.

After Ethernet CFM on a port detects a fault, Ethernet CFM sends an interface Down
event to ERPS but does not shut down the port.
l
Issue 02 (2013-12-31)
Perform the following steps to associate ERPS with Ethernet CFM in the interface view.
1692

Equipment
1.
Run:
system-view

2.
Run:

3.
Run:
erps ring ring-id track cfm md md-name ma ma-name mep mep-id remote-mep
rmep-id
ERPS is associated with Ethernet CFM to promptly detect link failures.

----End

After ERPSv1 is configured, you can view information about the ERPS ring, such as the port
number, port role, control VLAN, protected intsnace, wait to restore (WTR) timer, and guard
timer.
Prerequisites
The ERPSv1 has been configured.
Procedure
l
Run the display erps [ ring ring-id ] [ verbose ] command to check information about the
ERPS ring.
----End
Example
Run the display erps [ ring ring-id ] command to view information about the ERPS ring. For
example:
<HUAWEI> display erps ring 1
D : Discarding
F : Forwarding
R : RPL owner
N : RPL Neighbour
FS : Forced Switch
MS : Manual Switch
Ring Control WTR Timer Guard Timer Port 1
Port 2
ID
VLAN
(min)
(csec)
----------------------------------------------------------------------1
10
6
100 (F)GE0/2/0
(D,R)GE0/2/1
-----------------------------------------------------------------------
Run the display erps [ ring ring-id ] [ verbose ] command to view detailed information about
the ERPS ring. For example:
<HUAWEI> display erps ring 1 verbose
Ring ID
: 1
Description
: Ring 1
Control Vlan
: 10
Issue 02 (2013-12-31)

1693

Equipment
Protected Instance
: 1
Service Vlan
: 100 to 200
WTR Timer Setting (min)
: 6
Running (s)
: 0
Guard Timer Setting (csec)
: 100
Running (csec)
: 0
Holdoff Timer Setting (deciseconds) : 0
Running (deciseconds) : 0
WTB Timer Running (csec)
: 0
Ring State
: Idle
RAPS_MEL
: 7
Revertive Mode
: Revertive
R-APS Channel Mode
: Version
: 1
Sub-ring
: No
Forced Switch Port
: Manual Switch Port
: TC-Notify
: Time since last topology change
: 0 days 0h:33m:4s
----------------------------------------------------------------------Port
Port Role
Port Status
Signal Status
----------------------------------------------------------------------GE0/2/0
Common
Forwarding
Non-failed
GE0/2/1
RPL Owner
Discarding
Non-failed
5.12.3 Configuring ERPSv2

Ethernet Ring Protection Switching (ERPS) eliminates loops on an Ethernet ring network when
no faulty links exist and promptly restores communication if a link fault occurs. ERPSv2,
compatible with ERPSv1, supports multi-ring topologies and association with connectivity fault
management (CFM), in addition to ERPSv1 functions, such as single ring topologies and multiinstance.
Before You Start

Before configuring ERPSv2, familiarize yourself with the usage scenario, complete the preconfiguration tasks, and obtain the data required for the configuration.
Usage Scenario
communication quality deteriorates, and communication services may even be interrupted. To
resolve these problems, ERPS can be used for loop avoidance purposes. ERPS blocks redundant
links under normal conditions and unblocks them if a link fault occurs in promptly restore
communication. As ERPSv1 supports only single ring topologies, ERPSv2 that supports multiring topologies can be used on the multi-ring network shown in Figure 5-73.
Issue 02 (2013-12-31)

1694

Equipment
Figure 5-73 ERPSv2 multi-ring network
Network
NPE1
NPE2
LSW5
LSW1
Major Ring
LSW2
LSW4
RPL
Sub-Ring1
LSW3
LSW6
Sub-Ring2
LSW7
PC2
PC1
RPL owner
Data Flow
NOTE
ERPS and other ring network protocols, such as Rapid Ring Protection Protocol (RRPP), Spanning Tree
Protocol (STP), and Smart Ethernet Protection (SEP), cannot run on the same port.
Before configuring ERPSv2, complete the following tasks:
l
Establish a ring network.
Connect interfaces and set their physical parameters to ensure that the physical status of
the interfaces is Up.
Data Preparation
To configure ERPSv2, you need the following data.
Issue 02 (2013-12-31)

1695

Equipment
No.
Data
ERPS ring ID, control VLAN ID, (optional) ring description, ERP instance ID,
ring port numbers, and port roles
(Optional) Topology change protection interval at which topology change

notification messages are sent and maximum number of topology change
notification messages that can be processed during the topology change
protection interval
(Optional) WTR timer value, (optional) guard timer value, (optional) hold-off
timer value, and (optional) MEL value
(Optional) ERPS port associated with CFM
Configuring an ERPS Ring

ERPS works for ERPS rings. After an ERPS ring is configured, ERPS runs to block redundant
links and eliminate loops on Layer 2 networks.
Context
Perform the following operations to configure an ERPS ring:
1.
Create an ERPS ring.
2.
(Optional) Configure a description for the ERPS ring. The description can contain the ERPS
ring ID.
3.
Configure a control VLAN for the ERPS ring. A control VLAN is different from a data
VLAN that transmits service packets. On ERPS rings, a control VLAN is used to transmit
Ring Auto Protection Switching (R-APS) Protocol Data Units (PDUs), also called the ERPS
protocol packets. A control VLAN does not transmit service packets, enhancing ERPS
security.
All nodes on an ERPS ring must use the same control VLAN. Different ERPS rings cannot
have the same control VLAN.
4.
Configure an Ethernet Ring Protection (ERP) instance and map the instance to a VLAN.
Ports can be added to an ERPS ring only after an ERP instance is configured for the ring.
VLANs can be mapped to ERP instances for load balancing.
5.
Specify ERPSv2.
ERPSv2 has the following additional functions compared with ERPSv1:
l Supports multi-ring topologies, such as intersecting rings.
l Allows sub-rings to use either virtual channels (VCs) or non-virtual channels (NVCs)
to transmit R-APS PDUs.
l Supports two manual port blocking modes: forced switch (FS) and manual switch (MS).
l Supports both revertive and non-revertive switching.
6.
Issue 02 (2013-12-31)
Configure major rings and sub-rings.

1696

Equipment
By default, an ERPS ring is a major ring. When you deploy ERPS on a multi-ring network,
you must configure some rings as sub-rings and set the R-APS PDU transmission mode
on sub-rings.
7.
Add Layer 2 ports to ERPS rings and specify port roles.

Before adding a port to an ERPS ring, ensure that:
l Spanning Tree Protocol (STP), Rapid Ring Protection Protocol (RRPP), or Smart
Ethernet Protection (SEP) is not enabled on the port.
If the port has STP enabled, run the stp disable command in the interface view to
disable STP.
If the port has RRPP enabled, run the undo ring ring-id command in the RRPP
domain view to disable RRPP.
l The port is not a Layer 3 port. If the port is a Layer 3 port, run the portswitch command
to switch the port to the Layer 2 mode.
l A control VLAN and an ERP instance have been configured for the ERPS ring to which
the port will be added.
l ERPSv2 has been specified for the ERPS ring if the port will be specified as an RPL
neighbor port.
Procedure
Step 1 Run:
system-view

Step 2 Run:
erps ring ring-id
An ERPS ring is created, and the ERPS ring view is displayed.

An ERPS ring can be deleted only if it does not have any port. If you attempt to delete an ERPS
ring that has a port, the system prompts a deletion failure. Before deleting an ERPS ring that has
a port, run the undo erps ring command in the interface view of the port or the undo port
command in the ERPS ring view to remove the port from the ERPS ring. Then run the undo
erps ring command to delete the ERPS ring.
By default, an ERPS ring configured using the erps ring ring-id command is a major ring.
description text
A description is configured for the ERPS ring.

By default, the description for an ERPS ring is the ring name, for example, Ring 1.
Step 4 Run:
A control VLAN is configured for the ERPS ring.

The control VLAN specified by vlan-id must be the one that has not been created or used in
RRPP, SEP, VLAN mapping, VLAN stacking, port trunk allow-pass, or port default vlan
applications.
Issue 02 (2013-12-31)

1697

Equipment
l The control VLAN for an ERPS ring cannot be modified after a port is added to the ring.
Before deleting the control VLAN for an ERPS ring that has a port, run the undo erps
ring command in the interface view of the port or the undo port command in the ERPS ring
view to remove the port from the ERPS ring. Then run the undo control-vlan command to
delete the control VLAN.
l If an ERPS ring does not have any port, you can run the control-vlan command more than
once, but only the latest configuration takes effect.
l After a control VLAN is configured, the vlan batch vlan-id1 [ to vlan-id2 ] &<1-10>
command, instead of the control-vlan command, is saved in the configuration file.
After a port is added to an ERPS ring that has a control VLAN configured, the port is
automatically added to the control VLAN.
If the port is a trunk port, the port trunk allow-pass vlan vlan-id command configuration
is automatically generated in the interface view of this port in the configuration file.
Step 5 Run:
protected-instance { all | { instance-id1 [ to instance-id2 ] &<1-10> } }
An ERP instance is configured for the ERPS ring.

By default, no ERP instance is configured.
If you run the protected-instance command for an ERPS ring several times, all the configured
ERP instances take effect.
ERP instances for an ERPS ring cannot be modified after a port is added to the ring. Before
deleting an ERP instance for an ERPS ring that has a port, run the undo erps ring command in
the interface view of the port or the undo port command in the ERPS ring view to remove the
port from the ERPS ring. Then run the undo protected-instance command to delete the ERP
instance.
Step 6 Perform the following steps to configure the mapping between an ERP instance and the control
VLAN:
1.
2.
Run the stp region-configuration command to enter the MST region view.
3.
Run the instance instance-id vlan { vlan-id [ to vlan-id ] } &<1-10> command to map the
control VLAN to an ERP instance.
instance-id specified in this command must be the same as instance-id specified in the
protected-instance command.
4.
Run the active region-configuration command to activate the mapping between the ERP
instance and VLAN.
Step 7 Run:
version v2
ERPSv2 is specified.
By default, ERPSv1 is used.
Before specifying ERPSv1 for an ERPSv2-running ATN, delete all ERPS configurations that
ERPSv1 does not support.
sub-ring
Issue 02 (2013-12-31)

1698

Equipment
The ERPS ring is configured as a sub-ring.

By default, all ERPS rings are major rings. This step is needed only when an existing ERPS ring
must be used as a sub-ring.
An ERPS ring cannot be configured as a sub-ring after a port is added to the ring. Before
configuring an ERPS ring that has a port as a sub-ring, run the undo erps ring command in the
interface view of the port or the undo port command in the ERPS ring view to remove the port
from the ERPS ring. Then run the sub-ring command to configure the ERPS ring as a sub-ring.
NOTE
Major rings are closed, and sub-rings are open.

virtual-channel enable
The R-APS PDU transmission mode is specified for the sub-ring.

By default, sub-rings use NVCs to transmit R-APS PDUs. Using the default transmission mode
is recommended. This step is needed only for a sub-ring.
Step 10 Run either of the following commands to add a port to an ERPS ring and specify the port role.
l Run the port interface-type interface-number [ rpl { owner | neighbour } ] command in the
ERPS ring view.
l Run the erps ring ring-id [ rpl { owner | neighbour } ] command in the interface view.
NOTE
As MAC address updates cannot be separately sent currently, configuring the direct link between two
upstream nodes as the RPL is not recommended.
Before changing the port role, run the shutdown command to shut down the port. Then change the port
role and run the undo shutdown command to enable the port.
----End
Configuring the Topology Change Notification Function

The topology change notification function configured on the interconnection nodes of
intersecting ERPS rings allows one ERPS ring to notify the other ERPS rings of its topology
change. Then all the nodes on the other ERPS rings clear their MAC and ARP entries and relearn
MAC addresses from the ring with a topology change. This function ensures that user traffic is
not interrupted.
Context
If an upper-layer Layer 2 network is not notified of the topology change in an ERPS ring, the
MAC address entries remain unchanged on the upper-layer network and therefore user traffic is
interrupted. To ensure traffic transmission, you can configure the topology change notification
function and specify the ERPS rings that will be notified of the topology change.
In addition, if an ERPS ring frequently receives topology change notification messages, its nodes
will have lower CPU processing capability and repeatedly update Flush-FDB packets,
consuming lots of bandwidth. To resolve this problem, suppress the transmission of topology
change notification messages. You can set the topology change protection interval at which
topology change notification messages are sent to suppress the number of transmissions, and set
Issue 02 (2013-12-31)

1699

Equipment
the maximum number of topology change notification messages that can be processed during
the topology change protection interval to prevent frequent MAC and ARP updates.
Procedure
Step 1 Run:
system-view

Step 2 Run:
erps ring ring-id
The ERPS ring view is displayed.

Step 3 Run:
tc-notify erps ring { ring-id1 [ to ring-id2 ] } &<1-10>
The ERPS ring is configured to notify other ERPS rings of its topology change.
ring-id1 [ to ring-id2 ] specifies the start and end ring IDs of the ERPS rings that will be notified
of the topology change. Ensure that the ERPS rings specified by ring-id1 and ring-id2 exist. If
the specified rings do not exist, the topology change notification function does not take effect.
After the ERPS rings receive the topology change notification from an ERPS ring, they send
Flush-FDB messages on their separate rings to instruct their nodes to update MAC addresses so
that user traffic is not interrupted.
tc-protection interval interval-value
The topology change protection interval at which topology change notification messages are
sent is set.
tc-protection threshold threshold-value
The maximum number of topology change notification messages that can be processed during
the topology change protection interval is set.
The topology change protection interval is the one specified by the tc-protection interval
command.
----End
(Optional) Configuring ERPS Protection Switching

To ensure that ERPS rings function normally when a node or link fails, you can set ERPS
protection switching functions, such as revertive and non-revertive switching, port blocking
modes, and timers.
Context
l
Revertive and non-revertive switching

After link faults are rectified, whether to re-block the RPL owner port depends on the
switching mode.
Issue 02 (2013-12-31)

1700

Equipment
Port blocking modes

In case the ring protection link (RPL) has high bandwidth, blocking a link with low
bandwidth and unblocking the RPL allow traffic to use the RPL and have more bandwidth.
ERPS supports two manual port blocking modes: forced switch (FS) and manual switch
(MS). FS takes precedence over MS. An existing FS or MS operation can be cleared using
the clear command. The clear command also has the following functions:
Triggers revertive switching before the wait to restore (WTR) or wait to block (WTB)
timer expires in the case of revertive operations.
Triggers revertive switching in the case of non-revertive operations.
Timer
ERPS defines four timers: guard timer, hold-off timer, WTR timer, and WTB timer (only
in ERPSv2). The WTB timer value cannot be configured. Its value is the guard timer value
plus 5. The default WTB timer value is 7s.
Procedure
Step 1 Run:
system-view

Step 2 Run:
erps ring ring-id
The ERPS ring view is displayed.

Step 3 Run:
revertive { enable | disable }
The protection switching mode is specified.

By default, ERPS rings use revertive switching.
Step 4 Run:
quit

Step 5 Run:

Step 6 Run:
erps ring ring-id protect-switch { force | manual }
A port blocking mode is specified.

The ERPS ring specified by ring ring-id must be the one to which the port belongs.
To clear the specified port blocking mode, run the clear command in the ERPS ring view.
Step 7 Run the following commands to configure one or more timers for the ERPS ring:
l To configure the WTR timer, run the wtr-timer time-value command.
By default, the WTR timer for an ERPS ring is 5 minutes.
Issue 02 (2013-12-31)

1701

Equipment
l To configure the guard timer, run the guard-timer time_value_cs command.

By default, the guard timer for an ERPS ring is 200 centiseconds.
l To configure the hold-off timer, run the holdoff-timer time-value command.
By default, the hold-off timer for an ERPS ring is 0 seconds.
----End
(Optional) Configuring Association Between ERPS and Ethernet CFM

Association between Ethernet connectivity fault management (CFM) and Ethernet Ring
Protection Switching (ERPS) on an ERPS ring port helps promptly detect failures, converge
topologies, and shorten the traffic interruption time. Currently, ERPS can be associated only
with outward-facing MEPs.
Prerequisites
Ethernet CFM has been configured on an ERPS ring port. For details, see 3.6.2 Configuring
Basic Ethernet CFM.
Procedure
l
Perform the following steps to associate ERPS with Ethernet CFM in the OAM
management view.
1.
Run:
system-view

2.
Run:
oam-mgr

3.
Run:
oam-bind ingress cfm md md-name ma ma-name trigger if-notify egress
Ethernet CFM is configured to notify ERPS of a failure.

After Ethernet CFM on a port detects a fault, Ethernet CFM sends an interface Down
event to ERPS but does not shut down the port.
l
Perform the following steps to associate ERPS with Ethernet CFM in the interface view.
1.
Run:
system-view

2.
Run:

3.
Run:
erps ring ring-id track cfm md md-name ma ma-name mep mep-id remote-mep
rmep-id
Issue 02 (2013-12-31)

1702

Equipment
ERPS is associated with Ethernet CFM to promptly detect link failures.

----End

After configuring ERPSv2, check the configurations.
Prerequisites
ERPSv2 has been configured.
Procedure
l
Run the display erps [ ring ring-id ] [ verbose ] command to check the ports added to an
ERPS ring and ring configurations.
Run the display erps interface interface-type interface-number [ ring ring-id ] command
to check physical configurations of an ERPS ring port.
----End
Example
Run the display erps [ ring ring-id ] command. The command output shows configurations of
the ports added to an ERPS ring and ring configurations.
<HUAWEI> display erps ring 1
D : Discarding
F : Forwarding
R : RPL Owner
N : RPL Neighbour
FS : Forced Switch
MS : Manual Switch
Port 2
ID
VLAN
(min)
(csec)
-------------------------------------------------------------------------------1
1
5
200 (D)Eth-Trunk1
--------------------------------------------------------------------------------
Run the display erps [ ring ring-id ] [ verbose ] command. The command output shows detailed
configurations of ports added to an ERPS ring and ring configurations.
<HUAWEI> display erps ring 1 verbose
Ring ID
:
Description
:
Control Vlan
:
Protected Instance
:
Service Vlan
:
:
:
Holdoff Timer Setting (deciseconds) :
:
Ring State
:
RAPS_MEL
:
Revertive Mode
:
R-APS Channel Mode
:
Version
:
Sub-ring
:
Forced Switch Port
:
Manual Switch Port
:
TC-Notify
:
Issue 02 (2013-12-31)
1
Ring 1
1
0 to 4094
2 to 4094
5
Running (s)
: 0
200
Running (csec)
: 0
100
0
Pending
7
Revertive
2
No
-

1703

Equipment
Time since last topology change

: 0 days 1h:14m:38s
-------------------------------------------------------------------------------Port
Port Role
Port Status
Signal Status
-------------------------------------------------------------------------------Eth-Trunk1
Common
Discarding
Non-failed
Run the display erps interface interface-type interface-number [ ring ring-id ] command. The
command output shows physical configurations of an ERPS ring port.
<HUAWEI> display erps interface Eth-Trunk 1 ring 1
Interface State
: Up
-------------------------------------------------------------------------------Ring ID
: 1
Flush Logic
Remote Node ID
: 0000-0000-0000
Remote BPR
: 0
Track Link Dectect Protocl
: 1AG
MD Name
: 1
MA Name
: 1
MEP ID
: 2270
RMEP ID
: 2260
CFM State
: Failed
5.12.4 Maintaining EPRS

The section describes how to maintain ERPS, such as the method to clear statistics on an EPRS
ring.
Clearing ERPS Statistics

You can run the reset commands to reset ERPS statistics to 0.
Context
NOTICE
ERPS statistics cannot be restored after being reset. Therefore, exercise caution when resetting
ERPS statistics.
Procedure
Step 1 Run:
display erps [ ring ring-id ] statistics
Statistics of the packets sent and received on ERPS interfaces are displayed. Note that the
command is run in the user view.
Step 2 Run:
reset erps [ ring ring-id ] statistics
ERPS statistics are cleared. Note that the command is run in the user view.
----End
Issue 02 (2013-12-31)

1704

Equipment

This section provides an example showing how to configure ERPS functions. In this
configuration example, the networking requirements, configuration roadmap, data preparation,
and configuration files are provided.
Example for Configuring an ERPS Single Ring

This section provides an example for configuring an Ethernet Ring Protection Switching (ERPS)
single ring.
communication quality deteriorates, and communication services may even be interrupted.
To prevent loops caused by redundant links, enable ERPS on the nodes of the ring network.
Figure 5-74 shows a network on which a multi-instance ERPS ring is used. LSW1 through
LSW4 constitute an aggregation ring that provides Layer 2 aggregation services and is connected
to a Layer 3 network for service processing. The aggregation ring runs ERPS, providing
protection switching for Layer 2 redundant links. ERPS ring 1 and ERPS ring 2 are configured
on LSW1 through LSW4. P1 on LSW2 is a blocked port on ERPS ring 1, and P2 on LSW1 is a
blocked port on ERPS ring 1, implementing load balancing and link backup.
Issue 02 (2013-12-31)

1705

Equipment
Figure 5-74 ERPS multi-instance networking
Network
NPE1
NPE2
GE0/2/1
LSW3
GE0/2/2
GE0/2/1
LSW4
GE0/2/2
ERPS
GE0/2/2
LSW1
GE0/2/1
GE0/2/2
GE0/2/1
P2
P1
LSW2
CE1
CE2
VLAN:
100~200
VLAN:
300~400
ERPS ring1
ERPS ring2
Blocked Port1
Blocked Port2
Data Flow1
Data Flow2
1.
Configure the trunk link type for all ports to be added to an ERPS ring.
2.
Create an ERPS ring and configure the control VLAN and Ethernet Ring Protection (ERP)
instance for the ring.
3.
Add Layer 2 ports to the ERPS ring and specify port roles.
Issue 02 (2013-12-31)

1706

Equipment
4.
Configure the guard timer and WTR timer for the ERPS ring.
5.
Configure Layer 2 forwarding for LSW1 through LSW5.
Data Preparation
l
ERPS ring ID, control VLAN ID, and ERP instance ID
Guard timer and WTR timer values
VLAN ID for Layer 2 forwarding
Procedure
Step 1 Configure the trunk link type for all ports to be added to an ERPS ring.
# Configure LSW1.
[HUAWEI] sysname LSW1
[LSW1] interface gigabitethernet
[LSW1-GigabitEthernet0/2/1] port
[LSW1-GigabitEthernet0/2/1] quit
0/2/1
link-type trunk
0/2/2
link-type trunk
# Configure LSW2.
0/2/1
link-type trunk
0/2/2
link-type trunk
# Configure LSW3.
0/2/1
link-type trunk
0/2/2
link-type trunk
# Configure LSW4.
0/2/1
link-type trunk
0/2/2
link-type trunk
Step 2 Create ERPS ring 1 and ERPS ring 2 and configure ERP instances for the two rings. Set the
control VLAN ID of ERPS ring 1 to 10 and the control VLAN ID of ERPS ring 2 to 20. Enable
Issue 02 (2013-12-31)

1707

Equipment
ERPS ring 1 to transmit data packets carrying VLAN IDs from 100 to 200 and enable ERPS
ring 2 to transmit data packets carrying VLAN IDs from 300 to 400.
# Configure LSW1.
[LSW1] erps ring 1
[LSW1-erps-ring1] control-vlan 10
[LSW1-erps-ring1] protected-instance 1
[LSW1-erps-ring1] quit
[LSW1] stp region-configuration
[LSW1-mst-region] instance 1 vlan 10 100 to 200
[LSW1-mst-region] active region-configuration
[LSW1-mst-region] quit
[LSW1] erps ring 2
# Configure LSW2.
[LSW2] erps ring 1
[LSW2] erps ring 2
# Configure LSW3.
[LSW3] erps ring 1
[LSW3] erps ring 2
# Configure LSW4.
[LSW4] erps ring 1
Issue 02 (2013-12-31)

1708

Equipment

[LSW4] erps ring 2
Step 3 Add Layer 2 ports to the ERPS ring and specify port roles. Specifically, configure GE 0/2/1 on
LSW1 and GE 0/2/2 on LSW2 as their respective RPL owner ports.
# Configure LSW1.
[LSW1] interface gigabitethernet 0/2/1
[LSW1-GigabitEthernet0/2/1] stp disable
[LSW1-GigabitEthernet0/2/1] erps ring 1
[LSW1-GigabitEthernet0/2/1] erps ring 2 rpl owner
# Configure LSW2.
# Configure LSW3.
# Configure LSW4.
Issue 02 (2013-12-31)

1709

Equipment
Step 4 Configure the guard timer and WTR timer for the ERPS ring.
# Configure LSW1.
[LSW1] erps ring 1
[LSW1-erps-ring1] wtr-timer 6
[LSW1-erps-ring1] guard-timer 100
[LSW1] erps ring 2
# Configure LSW2.
[LSW2] erps ring 1
[LSW2] erps ring 2
# Configure LSW3.
[LSW3] erps ring 1
[LSW3] erps ring 2
# Configure LSW4.
[LSW4] erps ring 1
[LSW4] erps ring 2
Step 5 Configure Layer 2 forwarding for LSW1 through LSW4.

# Configure LSW1.
[LSW1] vlan batch 100 to 200 300
to 400
0/2/1
trunk allow-pass vlan 100 to 200 300 to 400
0/2/2
# Configure LSW2.
Issue 02 (2013-12-31)
to 400
0/2/1
0/2/2

1710

Equipment
# Configure LSW3.
to 400
0/2/1
0/2/2
# Configure LSW4.
to 400
0/2/1
0/2/2

After completing the configurations, run either of the following commands to verify the
configuration. The following example uses LSW2 configurations.
l Run the display erps command. The command output shows summary configurations of
LSW2 ports added to the ERPS ring and ring configurations.
[LSW2] display erps
D : Discarding
F : Forwarding
R : RPL Owner
N : RPL
Neighbour
FS : Forced
Switch
MS : Manual Switch
Total number of rings configured = 2
Port 2
ID
VLAN
(min)
(csec)
------------------------------------------------------------------------------1
10
6
100 (F)GE0/2/1
(D,R)GE0/2/2
2
20
6
100 (F)GE0/2/1
(F)GE0/2/2
-------------------------------------------------------------------------------
l Run the display erps verbose command. The command output shows detailed configurations
of LSW2 ports added to the ERPS ring and ring configurations.
[LSW2] display erps verbose
Ring ID
Description
Control Vlan
Protected Instance
Holdoff Timer Setting (deciseconds)
Ring State
RAPS_MEL
Revertive Mode
R-APS Channel Mode
Version
Sub-ring
Forced Switch Port
Manual Switch Port
TC-Notify
Issue 02 (2013-12-31)
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
1
Ring 1
10
1
6
Running (s)
: 0
100
Running (csec)
: 0
0
0
Idle
7
Revertive
1
No
-

1711

Equipment
Time since last topology change

: 0 days 0h:35m:5s
------------------------------------------------------------------------------Port
Port Role
Port Status
Signal Status
------------------------------------------------------------------------------GE0/2/1
Common
Forwarding
Non-failed
GE0/2/2
RPL Owner
Discarding
Non-failed
Ring ID
: 2
Description
: Ring 2
Control Vlan
: 20
Protected Instance
: 2
: 6
Running (s)
: 0
: 100
Running (csec)
: 0
Holdoff Timer Setting (deciseconds) : 0
WTB Timer Running (sec)
: 0
Ring State
: Idle
RAPS_MEL
: 7
Revertive Mode
: Revertive
R-APS Channel Mode
: Version
: 1
Sub-ring
: No
Forced Switch Port
: TC-Notify
: 0 days 0h:35m:30s
------------------------------------------------------------------------------Port
Port Role
Port Status
Signal Status
------------------------------------------------------------------------------GE0/2/1
Common
Forwarding
Non-failed
GE0/2/2
Common
Forwarding
Non-failed
----End
Configuration Files
l
LSW1 configuration file

#
sysname LSW1
#
vlan batch 10 20 100 to 200 300 to 400
#
instance 1 vlan 10 100 to 200
#
erps ring 1
control-vlan 10
protected-instance 1
wtr-timer 6
guard-timer 100
erps ring 2
control-vlan 20
wtr-timer 6
guard-timer 100
#

port trunk allow-pass vlan 10 20 100 to 200 300 to 400
Issue 02 (2013-12-31)

1712

Equipment
stp disable
erps ring 1
erps ring 2 rpl owner
#

stp disable
erps ring 1
erps ring 2
#
return

#
sysname LSW2
#
vlan batch 10 20 100 to 200 300 to 400
#
#
erps ring 1
control-vlan 10
wtr-timer 6
guard-timer 100
erps ring 2
control-vlan 20
wtr-timer 6
guard-timer 100
#

stp disable
erps ring 1
erps ring 2
#

stp disable
erps ring 2
#
return

#
sysname LSW3
#
vlan batch 10 20 100 to 200 300 to 400
#
Issue 02 (2013-12-31)

1713

Equipment
#
erps ring 1
control-vlan 10
wtr-timer 6
guard-timer 100
erps ring 2
control-vlan 20
wtr-timer 6
guard-timer 100
#

stp disable
erps ring 1
erps ring 2
#

stp disable
erps ring 1
erps ring 2
#
return

#
sysname LSW4
#
vlan batch 10 20 100 to 200 300 to 400
#
#
erps ring 1
control-vlan 10
wtr-timer 6
guard-timer 100
erps ring 2
control-vlan 20
wtr-timer 6
guard-timer 100
#

stp disable
erps ring 1
erps ring 2
#
Issue 02 (2013-12-31)

1714

Equipment

stp disable
erps ring 1
erps ring 2
#
return
Example for Configuring an ERPS Multi-ring Network

This section provides an example for configuring an ERPS multi-ring network.
communication quality deteriorates, and communication services may even be interrupted.
To prevent loops caused by redundant links, enable ERPS on the nodes of the ring network.
On the ERPS multi-ring network shown in Figure 5-75, LSW1, LSW2, and LSW4 constitute a
major ring, and LSW1, LSW3, and LSW4 constitute a sub-ring.
Figure 5-75 ERPS multi-ring networking
Network
NPE1
LSW1
GE0/2/3
GE0/2/1
sub-ring
NPE2
GE0/2/2
LSW4
GE0/2/1
GE0/2/3
major ring
GE0/2/2
LSW3
GE0/2/1
GE0/2/2
GE0/2/1
LSW2
RPL owner
1.
Configure the trunk link type for all ports to be added to ERPS rings.
2.
Create ERPS rings and configure control VLANs and Ethernet Ring Protection (ERP)
instances for them.
Issue 02 (2013-12-31)

1715

Equipment
3.
Specify the ERPS version and configure a sub-ring.
4.
Add Layer 2 ports to ERPS rings and specify port roles.
5.
Configure the topology change notification function on the interconnection nodes.
6.
Configure the guard timer and WTR timer for the ERPS rings.
7.
Configure Layer 2 forwarding for LSW1 through LSW4.
Data Preparation
l
ERPS ring ID, control VLAN ID, and ERP instance ID
Guard timer and WTR timer values
VLAN ID for Layer 2 forwarding
Procedure
Step 1 Configure the trunk link type for all ports to be added to ERPS rings.
# Configure LSW1.
0/2/1
link-type trunk
0/2/2
link-type trunk
0/2/3
link-type trunk
# Configure LSW2.
0/2/1
link-type trunk
0/2/2
link-type trunk
# Configure LSW3.
0/2/1
link-type trunk
0/2/2
link-type trunk
# Configure LSW4.
[LSW4-GigabitEthernet0/2/1] port link-type trunk
Issue 02 (2013-12-31)

1716

Equipment

0/2/2
link-type trunk
0/2/3
link-type trunk
Step 2 Create ERPS ring 1 and ERPS ring 2 and configure ERP instances for the two rings. Set the
control VLAN ID of ERPS ring 1 to 10 and the control VLAN ID of ERPS ring 2 to 20. Enable
ERPS ring 1 to transmit data packets carrying VLAN IDs from 100 to 200 and enable ERPS
ring 2 to transmit data packets carrying VLAN IDs from 300 to 400.
# Configure LSW1.
[LSW1] erps ring 1
[LSW1] erps ring 2
# Configure LSW2.
[LSW2] erps ring 1
# Configure LSW3.
[LSW3] erps ring 2
# Configure LSW4.
[LSW4] erps ring 1
[LSW4] erps ring 2
Issue 02 (2013-12-31)

1717

Equipment

Step 3 Specify ERPSv2 and configure ERPS ring 2 as a sub-ring.

# Configure LSW1.
[LSW1] erps ring 1
[LSW1-erps-ring1] version v2
[LSW1] erps ring 2
[LSW1-erps-ring2] sub-ring
# Configure LSW2.
[LSW2] erps ring 1
# Configure LSW3.
[LSW3] erps ring 2
# Configure LSW4.
[LSW4] erps ring 1
[LSW4] erps ring 2
Step 4 Add the ports to ERPS rings and specify port roles. Specifically, configure GE 0/2/1 on LSW2
and GE 0/2/1 on LSW3 as their respective RPL owner ports.
# Configure LSW1.
[LSW1-GigabitEthernet0/2/1] shutdown
[LSW1-GigabitEthernet0/2/1] undo shutdown
# Configure LSW2.
Issue 02 (2013-12-31)

1718

Equipment

# Configure LSW3.
# Configure LSW4.
Step 5 Configure the topology change notification function on LSW1 and LSW4, the interconnection
nodes.
# Configure LSW1.
[LSW1] erps ring 1
[LSW1-erps-ring1] tc-notify erps ring 2
[LSW1-erps-ring1] tc-protection interval 200
[LSW1-erps-ring1] tc-protection threshold 60
[LSW1] erps ring 2
# Configure LSW4.
[LSW4] erps ring 1
Issue 02 (2013-12-31)

1719

Equipment

[LSW4] erps ring 2
Step 6 Configure the guard timer and WTR timer for the ERPS rings.
# Configure LSW1.
[LSW1] erps ring 1
[LSW1] erps ring 2
# Configure LSW2.
[LSW2] erps ring 1
# Configure LSW3.
[LSW3] erps ring 2
# Configure LSW4.
[LSW4] erps ring 1
[LSW4] erps ring 2
Step 7 Configure Layer 2 forwarding for LSW1 through LSW4.

# Configure LSW1.
to 400
0/2/1
0/2/2
0/2/3
# Configure LSW2.
[LSW2] vlan batch 100 to 200
[LSW2-GigabitEthernet0/2/1] port trunk allow-pass vlan 100 to 200
Issue 02 (2013-12-31)

1720

Equipment

[LSW2-GigabitEthernet0/2/2] port trunk allow-pass vlan 100 to 200
# Configure LSW3.
[LSW3] vlan batch 300 to 400
0/2/1
0/2/2
# Configure LSW4.
to 400
0/2/1
0/2/2
0/2/3

After completing the configurations, run either of the following commands to verify the
configuration. The following example uses LSW2 configurations.
l Run the display erps command. The command output shows summary configurations of
LSW2 ports added to the ERPS ring and ring configurations.
[LSW2] display erps
D : Discarding
F : Forwarding
R : RPL Owner
N : RPL Neighbour
FS : Forced Switch
MS : Manual Switch
Total number of rings configured = 1
Port 2
ID
VLAN
(min)
(csec)
------------------------------------------------------------------------------1
10
6
100 (F)GE0/2/1
(D)GE0/2/2
-------------------------------------------------------------------------------
l Run the display erps verbose command. The command output shows detailed configurations
of LSW2 ports added to the ERPS ring and ring configurations.
[LSW2] display erps verbose
Ring ID
Description
Control Vlan
Protected Instance
Holdoff Timer Setting (deciseconds)
WTB Timer Running (sec)
Ring State
RAPS_MEL
Revertive Mode
R-APS Channel Mode
Version
Issue 02 (2013-12-31)
:
:
:
:
:
:
:
:
:
:
:
:
:
1
Ring 1
10
1
6
Running (s)
: 0
100
Running (csec)
: 0
0
0
Idle
7
Revertive
2

1721

Equipment
Sub-ring
: No
Forced Switch Port
: TC-Notify
: 0 days 4h:12m:20s
------------------------------------------------------------------------------Port
Port Role
Port Status
Signal Status
------------------------------------------------------------------------------GE0/2/1
RPL Owner
Discarding
Non-failed
GE0/2/2
Common
Forwarding
Non-failed
----End
Configuration Files
l

#
sysname LSW1
#
vlan batch 10 20 100 to 200 300 to 400
#
#
erps ring 1
control-vlan 10
version v2
wtr-timer 6
guard-timer 100
tc-notify erps ring 2
tc-protection interval 200
tc-protection threshold 60
erps ring 2
control-vlan 20
version v2
sub-ring
wtr-timer 6
guard-timer 100
#
port trunk allow-pass vlan 10 100 to 200
stp disable
erps ring 1
#
stp disable
erps ring 1
#
stp disable
erps ring 2
Issue 02 (2013-12-31)

1722

Equipment
#
return

#
sysname LSW2
#
vlan batch 10 100 to 200
#
#
erps ring 1
control-vlan 10
version v2
wtr-timer 6
guard-timer 100
#
stp disable
#
stp disable
erps ring 1
#
return

#
sysname LSW3
#
vlan batch 20 300 to 400
#
#
erps ring 2
control-vlan 20
version v2
sub-ring
wtr-timer 6
guard-timer 100
#
stp disable
#
stp disable
erps ring 2
#
return
l
Issue 02 (2013-12-31)

1723

Equipment
#
sysname LSW4
#
vlan batch 10 20 100 to 200 300 to 400
#
#
erps ring 1
control-vlan 10
version v2
wtr-timer 6
guard-timer 100
erps ring 2
control-vlan 20
version v2
sub-ring
wtr-timer 6
guard-timer 100
#
stp disable
erps ring 1
#
port trunk allow-pass vlan 10 20 100 to 200
stp disable
erps ring 1
#
stp disable
erps ring 2
#
return
Issue 02 (2013-12-31)

1724

Equipment
6 WAN Access
WAN Access
About This Chapter

The document describes the configuration methods of WAN access in terms of basic principles,
implementation of protocols, configuration procedures and configuration examples for the WAN
access of the ATN equipment.
6.1 E-Carrier and T-Carrier Interfaces Configuration
E-Carrier adopt PCM , namely, European 30-channel PCM (E1 for short) .The 24-channel PCM
of North America is called T1.
6.2 Serial Interface Configuration
This chapter describes the physical attributes and configuration procedures of synchronous serial
interfaces.
6.3 POS and CPOS Interface Configuration
The Packet over SONET/SDH (POS) technology is applied to MAN and WAN. CPOS interfaces
are channelized POS interfaces.
6.4 APS Configuration
APS helps ensure nonstop communications by immediately switching services from a faulty
link to a functional link when an STM-N link in the SDH system fails.
6.5 PPP and MP Configuration
Applied to the data link layer of the OSI model and the link layer of the TCP/IP protocol suite,
the Point-to-Point Protocol (PPP) is a link layer protocol that specifies how to transmit and
encapsulate network layer packets over P2P links. PPP is developed based on the Serial Line
Internet Protocol (SLIP). Multilink PPP (MP) is a technique that binds multiple PPP links to
increase bandwidth.
6.6 ATM IMA Configuration
IMA is the acronym of Inverse Multiplexing for ATM. The general idea of IMA is that the sender
schedules and distributes a high-speed ATM cell stream to multiple low-speed physical links
for transmission, and then the receiver schedules and reassembles the stream fragments into one
cell stream and submits the cell stream to the ATM layer. In this manner, bandwidths are
multiplexed flexibly, improving the efficiency of bandwidth usage.
6.7 TDM Configuration
Issue 02 (2013-12-31)

1725

Equipment
6 WAN Access
This chapter describes the basic information about the TDM, and describes how to configure
the TDM service.
6.8 xDSL Configuration
6.9 Glossary
A list of frequently used terms and concepts in this document.
A list of frequently used acronyms and abbreviations in this document.
Issue 02 (2013-12-31)

1726

Equipment
6 WAN Access
6.1 E-Carrier and T-Carrier Interfaces Configuration

E-Carrier adopt PCM , namely, European 30-channel PCM (E1 for short) .The 24-channel PCM
of North America is called T1.
Context
NOTE
Only the ATN 910 supports T-Carrier interfaces.
6.1.1 Introduction to the E-Carrier and T-Carrier Interfaces

E-Carrier and T-Carrier Overview
E-carrier interfaces and T-carrier interfaces have three operation modes, namely, channelized
mode, unchannelized mode, and clear channel mode.
Basic Concepts of E-Carrier and T-Carrier

The present digital transmission system adopts Pulse Code Modulation (PCM). PCM was
initially designed to enable a trunk line among telephone exchanges to transfer multiple
telephones. PCM has the following mutually incompatible international standards:
l
European 30-channel PCM is called E1. 30 channels indicate that E1 has 32 timeslots, in
which 30 timeslots are used to transmit data. Timeslot 0 is used to transmit frame
synchronization and warning signals. Timeslot 16 is used to transmit control signaling. The
rate of E1 is 2.048 Mbit/s. E1 supported by the ATN is 30-channel and 31-channel PCM.
Timeslot 16 also transmits data.
The 24-channel PCM of North America is called T1. 24 channels indicate that T1 has 24
timeslots that can be used to transmit data. The rate of T1 is 1.544 Mbit/s.
E-carrier is a digital communication system recommended by International Telecommunication

Union-Telecommunication Standardization Sector (ITU-T). It starts from E1 and has been
applied in regions except North America.
The American National Standards Institute (ANSI) defines the T-carrier system standard in the
T1.107 Specification. The standard starts from T1 and is widely used in North America. Similar
to T1, Japan's J1 also belongs to the T-carrier system standard.
The primary features of T-carrier and E-carrier are almost the same although they differ in details
of the protocols used by them.
Digital Carrier System

With the carrier system, a single physical communication channel can contain multiple logical
channels. Therefore, it supports multi-channel communication.
In the digital carrier system, a single digital circuit with a large capacity supports multiple logical
channels, each of which supports one independent channel.
Issue 02 (2013-12-31)

1727

Equipment
6 WAN Access
Channelized, Unchannelized, and Clear Channel Modes

The operation mode of E-carrier and T-carrier interfaces involves the following concepts:
l
Channelized: In framed mode, all timeslots except the frame header in data stream can be
allocated to different channels.
Unchannelized: In framed mode, all timeslots except the frame header in data stream are
allocated to only one channel and are bound only once.
Clear Channel: It is also called the unframed mode. That is, there is no frame flag in the
data stream, and all bits are data bits and belong to the same channel.
Introduction to E1 Interface
When a physical interface formed by E1 works only in clear channel mode or unchannelized
mode, this interface is called an E1 interface.
An E1 interface has the following characteristics:
l
In clear channel mode, also called the unframed mode, all timeslots of an E1 interface are
used as a channel in which all bits are data. The E1 interface functions like an interface
with the transmission rate being 2.048 Mbit/s and without timeslot division. It has the same
logical features as a synchronous serial interface, and supports network protocols such as
IP and link layer protocols such as ATM, PPP, and TDM.
In unchannelized mode, also called the framed mode, timeslots of an E1 interface can be
bundled to form a channel, and these timeslots can be bundled only once. For example, if
timeslot 1 and timeslot 2 are bundled to form a serial interface with the bandwidth of 128
kbit/s, the remaining timeslots cannot be bundled. That is, timeslots can be bundled only
once to form a serial interface regardless of how many timeslots are bundled at a time. The
serial interface has the same logical features as a synchronous serial interface, and supports
network protocols such as IP and link layer protocols such as ATM, PPP, and TDM.
Introduction to CE1 Interface

When a physical interface formed by E1 works in clear channel mode or channelized mode only,
this interface is called a CE1 interface.
A CE1 interface has the following characteristics:
l
In clear channelized mode, also called the unframed mode, the CE1 interface functions like
an interface with no divided timeslot and the data bandwidth of 2.048 Mbit/s. It has the
same logical features as a synchronous serial interface, supporting link layer protocols such
as PPP, TDM and MP binding. When MP binding is configured, network protocols such
as IP are also supported.
In channelized mode, also called the framed mode, the CE1 interface is physically divided
into 32 timeslots numbered from 0 to 31. The ATN supports the following types of timeslot
bundling:
Bundling of timeslots 1 to 31 (applicable when ATM, PPP, or TDM is specified as the
link-layer protocol at an interface).
Bundling of timeslots 1 to 15 and timeslots 17 to 31 (applicable when ATM, PPP, or
TDM is specified as the link-layer protocol at an interface).
Timeslots 1 and 16 are used to transmit signaling information.
Issue 02 (2013-12-31)

1728

Equipment
6 WAN Access
Bundling of any timeslots in timeslots 131. For AND1ML1A, and AND1ML1, a

timeslot range with two or more timeslots can be specified for bundling. For
AND2ML1A, AND2ML1B, AND1MD1A, AND1MD1B, AND3ML1A,
AND3ML1B, AND2MD1A, and AND2MD1B, a timeslot range with one or more
timeslots can be specified for bundling. This type of binding is applicable when TDM
is specified as the link-layer protocol at an interface.
Timeslot 0 is used to transmit signaling information.
Each bound channel-set of timeslots is used as an interface with the same logical features
as a synchronous serial interface, supporting network protocols such as IP, link layer
protocols such as PPP, ATM, TDM and MP binding.
Introduction to CT1 Interfaces

When a physical interface formed by T1 works only in clear channel mode or channelized mode,
this interface is called a CT1 interface.
A CT1 interface on the ATN has the following characteristics:
l
In clear channel mode, also called the unframed mode, a CT1 interface functions like an
interface with the transmission rate being 1.544 Mbit/s and without timeslot division. The
interface has the same logical features as a synchronous serial interface, and supports
network protocols such as IP, link layer protocols such as PPP, TDM and MP binding.
In channelized mode, also called the framed mode, a CT1 interface is physically divided
into 24 timeslots numbered from 0 to 23. The 24 timeslots can be bundled to form a logical
channel with the transmission rate being 24 x 64 kbit/s.
In CT1 mode, all timeslots can be grouped into one channel-set. This bundled channel-set
of timeslots is used as an interface with the same logical features as a synchronous serial
interface, and supports network protocols such as IP, link layer protocols such as PPP, TDM
and MP binding.
Features of E-Carrier or T-Carrier Interfaces in the ATN

According to the operation modes of E-carrier interfaces , the ATN supports interfaces in
different types. The E-carrier interfaces supported by the ATN are E1 interfaces and CE1
interfaces. The T-carrier interfaces supported by the ATN are T1 interfaces and CT1 interfaces.
Introduction to the Channelized Serial Interface

The serial interface formed by an E-carrier interface or a T-carrier interface is called the
channelized serial interface. A channelized serial interface has the same logical features as a
synchronous serial interface.
The number of a channelized serial interface has a four-dimensional structure. The name and
number format of the interface is serial interface-number:set-number. The parameter interfacenumber specifies the E-carrier interface or T-carrier interface number. The parameter setnumber specifies the index of the interface that the timeslots of the E-carrier interface or Tcarrier interface are bound into.
The method of configuring link layer attributes of a channelized serial interface is the same as
that of a synchronous serial interface. For details, refer to the Serial Interface Configuration.
Issue 02 (2013-12-31)

1729

Equipment
6 WAN Access
6.1.2 Configuring E1 Interfaces

You can configure synchronous serial interfaces on E1 interfaces and configure the coding and
decoding format, clock mode, frame format, and cable mode for E1 interfaces.

Before configuring CE1 interfaces, familiarize yourself with the applicable environment,
An CE1 interface should be configured when it bears upper layer services.
NOTICE
l When a physical interface does not have any cable installed, run the shutdown command to
disable this interface to avoid interference.
l After configuring the interface service, run the shutdown and undo shutdown commands
in the current interface view to ensure that the configured service is loaded to the interface
successfully.
l Disabling the CE1 interface may affect the normal operation of its channel-set.
Before configuring CE1 interfaces, complete the following task:
l
Data Preparation
To configure CE1 interfaces, you need the following data.
No.
Data
CE1 interface number of the ATN
Number of the channel into which the timeslots of the CE1 interface are bound
Number or range of the timeslot bound into a channel set
Creating Synchronous Serial Interface for E1 Interface

You can create synchronous serial interfaces with different bandwidth on E1 interfaces that work
in different operation modes.
Issue 02 (2013-12-31)

1730

Equipment
6 WAN Access
Context
Create the synchronous serial interface with the specific rate on a E1 interface on the ATN:
l
When the E1 interface works in clear channel mode, a synchronous serial interface can be
configured for the E1 interface. The synchronous serial interface transmits data in the speed
of 2.048 Mbit/s, without timeslot division.
When the E1 interface works in channelized mode, you need to bundle timeslots of the E1
interface as a logical channel to form a synchronous serial interface. ATN supports the
following types of timeslot bundling:
Bundling of timeslots 1 to 31, with timeslot 0 used to transmit signaling information
(applicable when ATM, PPP, or TDM is specified as the link-layer protocol at an
interface)
Bundling of timeslots 1 to 15 and timeslots 17 to 31, with timeslots 1 and 16 used to
transmit signaling information (applicable when ATM, PPP, or TDM is specified as the
link-layer protocol at an interface)
Bundling of any timeslots in timeslots 131, with timeslot 0 used to transmit signaling
information. For AND1ML1A and AND1ML1, a timeslot range with two or more
timeslots can be specified for bundling. For AND2ML1A, AND2ML1B, AND1MD1A,
AND1MD1B, AND3ML1A, AND3ML1B, AND2MD1A, and AND2MD1B, a
timeslot range with one or more timeslots can be specified for bundling. This type of
bundling is applicable when TDM is specified as the link-layer protocol at an interface.
NOTE
By default, a E1 interface works in channelized mode.
Do as follows on the ATNs:
Procedure
l
Create the synchronous serial interface in clear channel mode.

1.
Run:
system-view

2.
Run:
controller e1 controller-number
The CE1 interface view is displayed.

3.
Run:
using e1
The CE1 interface is configured to the clear channel mode, and then a synchronous
serial interface is configured for the CE1 interface. The synchronous serial interface
transmits data without timeslot division.
You can run the interface serial controller-number: 0 command to access the
l
Create the synchronous serial interface in channelized mode

1.
Run:
system-view

Issue 02 (2013-12-31)

1731

Equipment
2.
6 WAN Access
Run:
3.
Run:
using ce1
The CE1 interface is configured to the channelized mode.

4.
Run:
channel-set set-number timeslot-list slot-list
The timeslots of the CE1 interface are bundled together to function as a synchronous
serial interface.
You can run the interface serial controller-number: set-number command to access
the synchronous serial interface.
To change an interface from the channelized mode to the clear channel mode, you
need delete all configurations in CE1 mode and all the configurations of
synchronous serial interfaces, but need not delete these interfaces. Then you can
run the using e1 command.
To change an interface from the clear channel mode to the channelized mode, you
need delete all the configurations in E1 mode and all the configurations of
synchronous serial interfaces, but need not delete these interfaces. Then you can
run the using ce1 or undo using command.
----End
Configuring Clock Mode of E1 Interface

A E1 interface works in either master clock mode or slave clock mode. When two E1 interfaces
are directly connected, you need to configure one to work in master clock mode and the other
in slave clock mode. When a E1 interface is connected to a transmission device, the E1 interface
must work in slave clock mode.
Context
A E1 interface supports the following clock modes:
l
Master clock mode: uses internal clock signals.
Slave clock mode: uses line clock signals.
When E1 interfaces of two ATNs are connected directly, configure one interface to work in
master clock mode and the other interface in slave clock mode. When the E1 interface of a
ATN is connected with a transmission device, configure this interface to work in slave clock
mode and use the clock signals provided by the transmission device.
Procedure
Step 1 Run:
system-view

Step 2 Run:
Issue 02 (2013-12-31)

1732

Equipment
6 WAN Access
The E1 interface view is displayed.

Step 3 Run:
clock { master | slave }
Clock mode of the E1 interface is configured.

NOTE
When being used as a synchronous serial interface, the E1 interface also has two working modes: DTE and
DCE. In this case, you need to choose the clock mode.
NOTE
The AND1ML1/AND1ML1A does not support the clock mode configuration.
By default, a E1 interface works in master clock mode.

----End
Configuring Frame Format of the E1 Interface

You can use the 4-bit CRC code to check physical frames on E1 interfaces.
Context
The interface can be configured with the frame format only when it works in channelized mode.
Procedure
Step 1 Run:
system-view

Step 2 Run:
Step 3 Run:
frame-format { crc4 | no-crc4 }
The frame format of the E1 interface is configured.

NOTE
By default, the frame format of the E1 interface is no-CRC4.
----End

After a CE1 interface is configured, you can check the encoding and decoding format, clock
mode, and frame format.
Issue 02 (2013-12-31)

1733

Equipment
6 WAN Access
Procedure
l
Run the display interface serial [ interface-number ] [ | { begin | exclude | include }

regular-expression ] command to check the configuration and status of the channel-set.
Run the display controller e1 [ controller-number ] command to check the configuration

and status of the CE1 interface.
----End
6.1.3 Configuring CT1 Interfaces

You can create synchronous serial interfaces on CT1 interfaces; you can also configure the
encoding and decoding format, clock mode, and frame format for the CT1 interfaces.
Context
NOTE
Only the ATN 910 supports CT1 interfaces.
Before You Start

Before configuring CT1 interfaces, familiarize yourself with the usage scenario, complete the
Usage Scenario
Before using a CT1 interface to bear upper layer services, configure parameters for the CT1
interface.
NOTICE
l When a physical interface is not installed with any type of cable, run the shutdown command
to disable the interface and to avoid any interference.
l After configuring services on an interface, run the shutdown and undo shutdown commands
in the interface view to ensure that the configured services are loaded properly.
l Disabling a CT1 interface may affect the normal operation of its channel-set.
Before configuring CT1 interfaces, power on the ATN and conduct a successful self-check.
Data Preparation
To configure CT1 interfaces, you need the following data.
Issue 02 (2013-12-31)
No.
Data
Number of the CT1 interface on the ATN

1734

Equipment
6 WAN Access
No.
Data
Number of the channel into which timeslots of the CT1 interface are bundled
Number or range of the timeslot bundled into a channel-set
Creating Synchronous Serial Interface for CT1 Interface

On CT1 interfaces, you must create synchronous serial interfaces before data transmission.
Context
CT1 interfaces working in different modes can form synchronous serial interfaces with different
rates:
l
When a CT1 interface works in clear channel mode, a synchronous serial interface is formed
with the transmission rate of 1.544 Mbit/s and without timeslot division.
When a CT1 interface works in channelized mode, timeslots 0 to 23 of the CT1 interface
can be bundled randomly to form a logical channel with the transmission rate of N x 64
kbit/s. N stands for the number of bundled timeslots. ATN can only bind timeslots 0-23 as
a 24 x 64 kbit/s logical channel.
By default, a CT1 interface works in channelized mode.

Procedure
l
Creating a synchronous serial interface in clear channel mode

1.
Run:
system-view

2.
Run:
controller t1 controller-number
The CT1 interface view is displayed.

3.
Run:
using t1
The CT1 interface is configured to work in clear channel mode, and a synchronous
serial interface is created with the transmission rate of 1.544 Mbit/s and without
timeslot division.
You can run the interface serial controller-number:0 command to access the
l
Creating a synchronous serial interface in channelized mode

1.
Run:
system-view

Issue 02 (2013-12-31)

1735

Equipment
2.
6 WAN Access
Run:

3.
Run:
using ct1
The CT1 interface is configured to work in channelized mode.

4.
Run:
channel-set set-number timeslot-list 0-23
Timeslots of the CT1 interface are bundled together to form a synchronous serial
interface with the transmission rate of 24 x 64 kbit/s.
You can run the interface serial controller-number:set-number command to access
To change an interface from the CT1 mode to the T1 mode, delete all configurations
in CT1 mode and delete all synchronous serial interfaces, and then run the using
t1 command.
To change an interface from the T1 mode to the CT1 mode, delete all configurations
in T1 mode and all configurations of synchronous serial interfaces, without having
to delete the synchronous serial interfaces, and then run the using ct1 or undo
using command.
----End
Configuring Encoding and Decoding Format of the CT1 Interface

CT1 interfaces support two types of encoding and decoding formats, namely, AMI and B8ZS.
Context
A CT1 interface supports the following encoding and decoding formats:
l
Alternate Mark Inversion (AMI)
Bipolar with 8-Zero Substitution (B8ZS)
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
code { ami | b8zs }
The encoding and decoding format of the CT1 interface is configured.

By default, the encoding and decoding format of a CT1 interface is B8ZS.
Issue 02 (2013-12-31)

1736

Equipment
6 WAN Access
After the line code pattern is set to AMI, the link-layer protocol must be set to TDM for the
synchronous serial port at the CT1 port.
----End
Configuring Clock Mode of the CT1 Interface

A CT1 interface works in either master clock or slave clock mode. You can specify the clock
mode for a CT1 interface according to its working mode (the DTE device or the DCE device).
Context
A CT1 interface works in either of the following clock modes:
l
In master clock mode, a CT1 interface uses internal clock signals.
In slave clock mode, a CT1 interface uses line clock signals.
When a CT1 interface is used as a DCE device, configure the CT1 interface to work in master
clock mode. When a CT1 interface is used as a DTE device, configure the CT1 interface to work
in slave clock mode. When the CT1 interfaces of two ATNs are directly connected, configure
one interface to work in master clock mode and the other in slave clock mode.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
clock { master | slave }
The clock mode of the CT1 interface is configured.

----End
Configuring Frame Format of the CT1 Interface

CT1 interfaces support two types of frame formats, namely, SF and ESF.
Context
A CT1 interface supports the following frame formats:
l
Extended Super Frame (ESF)
Super Frame (SF)
Issue 02 (2013-12-31)

1737

Equipment
6 WAN Access
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
frame-format { esf | sf }
Frame format of the CT1 interface is configured.

By default, the frame format of a CT1 interface is ESF.
----End

After a CT1 interface is configured, you can check the encoding and decoding format, clock
mode, and frame format.
Procedure
l
Run the display interface serial [interface-number ] [ | { begin | exclude | include }

regular-expression ] command to check the status and statistics of the synchronous serial
interface formed by timeslot bundling.
Run the display controller t1 [ controller-number ] command to check the configuration

and status of the CT1 interface.
----End
6.1.4 Maintaining E-Carrier or T-Carrier Interface Configuration

You can maintain E-carrier or T-carrier interfaces by enabling the self-loop function to detect
whether the interface runs normally or clearing interface statistics.
Configuring the Loopback Function to Detect the Link Status

You can configure the loopback function on an interface to detect whether the interface itself or
the link is working properly.
Issue 02 (2013-12-31)

1738

Equipment
6 WAN Access
Context
NOTICE
After you configure the loopback function (by running the loopback command), the interface
on the ATN or the link will not run properly. Therefore, check whether to configure the loopback
function.By default, five minutes after the loopback function is enabled for an interface, the
loopback will be automatically released.
Perform the following steps on the ATNs to be detected:
Procedure
Step 1 Run:
system-view

Step 2 Run:
controller controller-type controller-number
The view of the interface to be detected is displayed.

Step 3 Run:
loopback { local | remote }
By default, the loopback function is disabled on an interface.

----End
Clearing the Interface Statistics

You can run the reset command to clear interface statistics.
Context
NOTICE
The interface statistics cannot be restored after you run the reset command to clear it. So, confirm
the action before you use the command.
To reset the interface statistics of the Network Management System (NMS) or those displayed
by running the display interface command, run the following commands in the user view. Clear
the interface statistics before collecting the traffic.
NOTE
For the interface statistics in the NMS, refer to related NMS manuals.
Issue 02 (2013-12-31)

1739

Equipment
6 WAN Access
Procedure
l
Run the reset counters interface [ interface-type [ interface-number ] ] command to clear

the interface statistics displayed by running the display interface command.

to clear the interface statistics in the NMS.
----End

This part describes the applicable environment, configuration commands, and pre-configuration
commands of CE1 interfaces.
Example for Configuring Communication over CE1 Interfaces

This example describes how to configure CE1 interfaces on two routers to make the routers
communicate over two CE1 links by bundling timeslots of the CE1 interfaces.
The ATN and the CX device connect to each other through two CE1 links and communicate
with each other by using the bundled link.
Figure 6-1 Networking diagram for configuring communication over CE1 interfaces
ATN
CX600
CE1 0/2/0 Link bundling
CE1 4/0/0
CE1 0/2/1
CE1 4/0/1
1.
Create a synchronous serial interface.
2.
Create an MP-Group interface.
3.
Add the synchronous serial interface to the MP-Group interface.
4.
Configure an IP address for the MP-Group interface and restart the MP-Group interface.
Data Preparation
To configure a CE1 interface, you need the following data:
l
Name of the MP-Group interface
IP address of the MP-Group interface
Index of the synchronous serial interface that is formed by bundling timeslots of a CE1
interface
Number or range of the bundled timeslots
Issue 02 (2013-12-31)

1740

Equipment
6 WAN Access
NOTE
l On the ATN, interfaces to be added to an MP-Group interface must have the same slot ID and subcard
number as those of the MP-Group interface. That is, interfaces on different subcards cannot be bundled
together.
l In the case of the AND1MD1A/AND1MD1BAND1MD1A/AND1MD1B/AND2MD1A/
AND2MD1B, the former 16 and latter 16 E1 interfaces cannot be added to an MP-Group.
l Only synchronous serial interfaces can be added to an MP-Group interface.
Procedure
Step 1 Configure ATN .
# Configure the working mode for a CE1 interface and create a synchronous serial interface.
[ATN] controller e1 0/2/0
[ATN-E1 0/2/0] channel-set 0 timeslot-list 1-31
[ATN-E1 0/2/0] quit
[ATN-E1 0/2/1] quit
# Create an MP-Group interface.

[ATN] interface mp-group 0/2/1
[ATN-Mp-group0/2/1] shutdown
[ATN-Mp-group0/2/1] quit
# Add the synchronous serial interface to the MP-Group interface.

[ATN] interface serial 0/2/0:0
[ATN-Serial0/2/0:0] link-protocol ppp
[ATN-Serial0/2/0:0] shutdown
[ATN-Serial0/2/0:0] ppp mp mp-group 0/2/1
[ATN-Serial0/2/0:0] quit
[ATN] interface serial 0/2/1:0
[ATN-Serial0/2/1:0] shutdown
[ATN-Serial0/2/1:0] ppp mp mp-group 0/2/1
# Restart the synchronous serial interface on ATN A.

[ATN] interface serial0/2/0:0
[ATN-Serial0/2/0:0] undo shutdown
[ATN] interface serial0/2/1:0
[ATN-Serial0/2/1:0] undo shutdown
# Configure an IP address for the MP-Group interface and restart the MP-Group interface.
[ATN-Mp-group0/2/1] ip address 5.0.0.1 255.255.255.0
[ATN-Mp-group0/2/1] undo shutdown
Step 2 Configure the CX device.

# Configure the working mode for a CE1 interface and create a synchronous serial interface.
[CX600] controller e1 4/0/0
Issue 02 (2013-12-31)

1741

Equipment
6 WAN Access
[CX600-E1 4/0/0] shutdown

[CX600-E1 4/0/0] channel-set 0 timeslot-list 1-31
[CX600-E1 4/0/0] undo shutdown
[CX600-E1 4/0/0] quit
[CX600] controller e1 4/0/1
[CX600-E1 4/0/1] shutdown
[CX600-E1 4/0/1] channel-set 0 timeslot-list 1-31
[CX600-E1 4/0/1] undo shutdown
[CX600-E1 4/0/1] quit
# Create an MP-Group interface.

[CX600] interface mp-group 4/0/1
[CX600-Mp-group4/0/1] shutdown
[CX600-Mp-group4/0/1] quit
# Add the synchronous serial interface to the MP-Group interface.

[CX600] interface serial 4/0/0:0
[CX600-Serial4/0/0:0] link-protocol ppp
[CX600-Serial4/0/0:0] shutdown
[CX600-Serial4/0/0:0] ppp mp mp-group 4/0/1
[CX600-Serial4/0/0:0] quit
[CX600] interface serial 4/0/1:0
[CX600-Serial4/0/1:0] link-protocol ppp
[CX600-Serial4/0/1:0] shutdown
[CX600-Serial4/0/1:0] ppp mp mp-group 4/0/1
# Restart the synchronous serial interface on ATN B.

[CX600] interface serial4/0/0:0
[CX600-Serial4/0/0:0] undo shutdown
[CX600] interface serial4/0/1:0
[CX600-Serial4/0/1:0] undo shutdown
# Configure an IP address for the MP-Group interface and restart the MP-Group interface.
[CX600] interface mp-group 4/0/1
[CX600-Mp-group4/0/1] ip address 5.0.0.2 255.255.255.0
[CX600-Mp-group4/0/1] undo shutdown

Run the display interface command to view the MP-Group interface status. The command
output shows that link negotiation succeeds. That is, the ATN and the CX device can
communicate.
Take the display on ATN as an example:
<ATN> display interface mp-group 0/2/1
Mp-group0/2/1 current state : UP
Description:HUAWEI, Quidway Series, Mp-group0/2/1 Interface
Link layer protocol is PPP
LCP opened, MP opened, IPCP opened
Physical is MP, baudrate is 3968000 bps
Traffic statistics:
Issue 02 (2013-12-31)

1742

Equipment
6 WAN Access
Input: 21395674 packets, 2048796674 bytes

0 errors
Output: 96504 packets, 3084968 bytes
----End
Configuration Files
l

#
sysname ATN
#
controller e1 0/2/0
undo shutdown
channel-set 0 timeslot-list 1-31
#
controller e1 0/2/1
undo shutdown
#
interface Serial0/2/0:0
undo shutdown
link-protocol ppp
ppp mp Mp-group 0/2/1
#
undo shutdown
link-protocol ppp
#
interface Mp-group0/2/1
undo shutdown
ip address 5.0.0.1 255.255.255.0
#
return

#
sysname CX600
#
controller e1 4/0/0
undo shutdown
#
controller e1 4/0/1
undo shutdown
#
undo shutdown
link-protocol ppp
#
undo shutdown
link-protocol ppp
#
undo shutdown
ip address 5.0.0.2 255.255.255.0
#
return
Issue 02 (2013-12-31)

1743

Equipment
6 WAN Access
6.2 Serial Interface Configuration

This chapter describes the physical attributes and configuration procedures of synchronous serial
interfaces.
6.2.1 Introduction to the Serial Interface

Serial interfaces are classified into synchronous serial interfaces and asynchronous serial
interfaces, and synchronous serial interfaces are widely used on the WAN.
Overview of the Synchronous Serial Interface

As the most commonly-used interfaces on the WAN, serial interfaces can be classified into
synchronous serial interfaces and asynchronous serial interfaces.
A serial interface is one of the most commonly used WAN interfaces. It can be classified into
synchronous serial interfaces and asynchronous serial interfaces. At present, synchronous serial
interfaces are widely used. Serial interfaces in this chapter refer to synchronous serial interfaces
unless otherwise specified.
The serial interfaces, which are channelized by E-carrier or T-carrier and function as common
serial interfaces, have the same logical features as synchronous serial interfaces.
Features of the Synchronous Serial Interface on the ATN

The ATN supports serial interfaces formed by E1/T1 channels channelized from CE1/CT1
interfaces, and uses different index modes for different types of serial interfaces.
Features of the Synchronous Serial Interface on the ATN
On the ATN, various synchronous serial interfaces formed by channelizing physical interfaces
support the configuration of link layer protocols. Table 6-1 shows the index modes of
synchronous serial interfaces.
Table 6-1 Index modes of the synchronous serial interface
Physical Interface
Index Mode
CE1/CT1
slot/card/port:channel-set or slot/card/port:0
6.2.2 Configuring the Link Layer Attributes for a Serial Interface

To configure link layer attributes for a serial interface is to make link layer protocols of the serial
interface available and the protocol status of the serial interface Up.
Issue 02 (2013-12-31)

1744

Equipment
6 WAN Access

Before configuring link layer attributes for a serial interface, familiarize yourself with the
To configure link layer attributes for a serial interface, ensure that the link layer protocol of the
serial interface is Up when it is used to bear upper layer services.
Before configuring link layer attributes for a serial interface, complete the following tasks:
l
Powering on and starting the ATN normally
Connecting the serial interface, configuring physical parameters for the interface, and
ensuring that the physical layer of the interface is Up
Data Preparation
To configure link layer attributes for a serial interface, you need the following data.
No.
Data
Number of the synchronous serial interface on the ATN
Link layer protocol type of the interface
(Optional) Hold-interval of the link layer protocol
(Optional) Check bit of CRC of the interface
Configuring Link Layer Protocol Type

The type of link layer protocol determines the format of link layer frame of the data that passes
through a serial interface. Currently, protocols such as ATM, PPP, and TDM are supported.
Context
The type of link layer protocols affects the format of link layer frames of the data that passes
from the synchronous serial interface.
Procedure
Step 1 Run:
system-view

Issue 02 (2013-12-31)

1745

Equipment
6 WAN Access
Step 2 Run:
interface serial interface-number
The serial interface view is displayed.

Step 3 Run:
link-protocol { atm | ppp | tdm }
The type of link layer protocols is configured on the interface.

By default, none of the three protocols is adopted.
----End
(Optional) Configuring Hold-Interval of the Link Layer Protocol of the

Synchronous Serial Interface
To detect and maintain the connectivity of a link, each end of the link sends detection packets
to the other at the hold-interval of the link layer protocol.
Prerequisites
Before configuring the hold-interval of the link layer protocol, run the link-protocol command
to specify PPP as the link-layer protocol for the synchronous serial interface.
Context
Two ends of a link periodically send detection packets to each other to check and maintain
connectivity.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The synchronous serial interface view is displayed.

Step 3 Run:
timer hold hold-interval
The hold-interval of the link layer protocol is set.

By default, the hold-interval of a link layer protocol is 10 seconds. If the hold-interval is set to
0, it indicates that no detection packets will be sent.
----End
Issue 02 (2013-12-31)

1746

Equipment
6 WAN Access
(Optional) Configuring the CRC Length

When configuring the CRC length, ensure that two directly-connected devices are configured
with the same CRC length.
Prerequisites
Before configuring the CRC length, run the link-protocol command to specify PPP as the linklayer protocol for the synchronous serial interface.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
The synchronous serial interface view is displayed.

Step 3 Run:
crc { 16 | 32 }
The CRC length of the synchronous serial interface is configured.

When configuring the CRC length on a synchronous serial interface, ensure that devices on both
ends are configured with the same CRC length.
By default, the CRC length is 32 bits.
----End
(Optional) Configuring the Scramble Function

POS interfaces support the scrambling function for the payload data to avoid excessive number
of consecutive 1s or 0s and help the receiver extract line clock signals.
Context
The scrambling function of the directly connected interfaces must be configured the same.
Procedure
Step 1 Run:
system-view

Issue 02 (2013-12-31)

1747

Equipment
6 WAN Access
Step 2 Run:

Step 3 Run:
link-protocol atm
The type of link layer protocols is configured with ATM on the interface.
Step 4 Run:
scramble
The scrambling function of the payload is configured for the POS interface.
By default, the scrambling function is enabled on the payload.
----End

After link layer attributes are configured for a synchronous serial interface, you can check the
protocol type, hold-interval of the link layer protocol, MTU, and CRC length of the synchronous
serial interface.
Procedure
l
Run the display interface serial [ interface-number ] [ | { begin | exclude | include }

regular-expression ] command to check the status and statistics of a synchronous serial
interface.
Run the display interface brief [ | { begin | include | exclude } regular-expression ]

command to check brief information about a synchronous serial interface.
----End
6.2.3 Maintaining Serial Interface Configuration

You can maintain a serial interface by enabling the self-loop function to detect whether the serial
interface runs normally or clearing the statistics on the serial interface.

The statistics on a serial interface mainly refers to the traffic statistics. You can clear the statistics
through the command and re-collect the statistics.
Context
NOTICE
The statistics cannot be restored after you clear it. So, confirm the action before you use the
command.
Issue 02 (2013-12-31)

1748

Equipment
6 WAN Access
To clear the interface statistics in the Network Management System (NMS) or those displayed
by running the display interface command, run the following commands in the user view.
NOTE
For the display of interface statistics in the NMS, refer to related NMS manuals.
Procedure
l
Run the reset counters interface [ serial [ interface-number ] ] command to clear the
interface statistics displayed by running the display interface command.
Run the reset counters if-mib interface [ serial [ interface-number ] ] command to clear
the interface statistics in the NMS.
----End
6.3 POS and CPOS Interface Configuration

The Packet over SONET/SDH (POS) technology is applied to MAN and WAN. CPOS interfaces
are channelized POS interfaces.
Context
NOTE
Only the ATN 950B supports POS and CPOS interfaces.
6.3.1 Introduction to the POS and CPOS Interfaces

OS supports transmission of packets. POS and CPOS makes full use of the SDH system.
Overview of CPOS Interfaces and POS Interfaces

This part briefly describes CPOS interfaces and POS Interfaces in terms of basic concepts of
SONET and SDH, channelization and non-channelization, and frame structure of SDH.
Introduction to SONET and SDH

Synchronous Optical Network (SONET) is the synchronous digital transmission standard
defined by the American National Standards Institute (ANSI) and mainly used in North America
and Japan. Clocks at each level in an entire network are provided by a very precise master clock.
SONET defines the line rate hierarchical structure of synchronous transmission for the optical
transmission system. The basic transmission rate of the SONET is 51.84 Mbit/s and
approximately equals the transmission rate of E3/T3.
l
For an electrical signal, the transmission rate is called Level 1 Synchronous Transport
Signal, namely, STS-1.
For an optical signal, the transmission rate is called Level 1 Optical Carrier, namely, OC-1.
Adopting synchronous signals, SONET can easily multiplex multiple signals.

Based on SONET, Synchronous Digital Hierarchy (SDH) is an international standard defined
by the ITU-T and mainly used in Europe. The corresponding standard of SDH is the proposals
from G.707 to G.709 passed in 1988 and the proposals added in 1992.
Issue 02 (2013-12-31)

1749

Equipment
6 WAN Access
SDH is similar to SONET to a great extent. The basic rate of SDH is 155.52 Mbit/s, which is
called Level 1 Synchronous Transfer Module, STM-1. This rate equals the OC-3 rate in SONET.
Adopting synchronous multiplexing and flexible mapping, SDH can multiplex or demultiplex
low-speed tributary signals from SDH signals without using multiplexing or demultiplexing
devices. This reduces signal consumption and equipment investment.
Table 6-2 lists the common transmission rates of SONET and SDH. The hierarchical relationship
between common transmission rates is four times. For convenience, the approximations in the
parentheses are often used to express transmission rates.
Table 6-2 Relationship between common transmission rates of SONET and SDH
SONET
SDH
Transmission Rate
(Mbit/s)
Electrical
Signal
Optical Signal
Optical Signal
STS-1
OC-1
51.840
STS-3
OC-3
STM-1
155.520 (155)
STS-9
OC-9
STM-3
466.560
STS-12
OC-12
STM-4
622.080 (622)
STS-18
OC-18
STM-6
933.120
STS-24
OC-24
STM-8
1244.160
STS-36
OC-36
STM-12
1866.240
STS-48
OC-48
STM-16
2488.320 (2.5 Gbit/s)
STS-96
OC-96
STM-32
4876.640
STS-192
OC-192
STM-64
9953.280 (10 Gbit/s)
CPOS and POS Interfaces

The Packet over SONET/SDH (POS) technology is applied to MAN and WAN, supporting
packet data such as IP packets.
Making full use of the SDH system, Channelized POS (CPOS) interfaces have the following
functions:
l
Perform refined division of bandwidth.
Reduce the demand for the quantity of low-speed physical ports on a ATN in networking.
Enhance the convergence capability of low-speed ports of a ATN.
Improve the dedicated line access capability of a ATN.
Frame Structure of SDH

Issue 02 (2013-12-31)

1750

Equipment
6 WAN Access
To facilitate understanding, the following section describes the frame structure of the SDH
signal, that is, the structure of the STM-N frame.
To add or drop low-speed tributary signals to or from high-speed signals, try to distribute
tributary signals in the frame equably and regularly. The ITU-T regulates that STM-N frames
are rectangular and expressed in bytes, as shown in Figure 6-2.
Figure 6-2 STM-N frame structure
9*270*N(bytes)
1
2
3
4
5
6
7
8
9
Regenerator
Section
Overhead
AU-PTR
Payload
Multiplex
Section
Overhead
9*N
261*N
STM-N is the frame with the dimension of 9 rows x 270 x N columns. Here, N is consistent with
that in STM-N, indicating how many STM-1 signals are multiplexed to this STM-N signal.
An STM-N frame consists of the following parts:
l
Section Overhead (SOH): includes Regenerator Section Overhead (RSOH) and Multiplex
Section Overhead (MSOH).
Administration Unit Pointer (AU-PTR): is the pointer that specifies the first byte of the
payload. The receiving end can correctly extract the payload according to the location of
the pointer.
Payload
Multiplexing units: SDH contains basic multiplexing units, including container (C-n),
virtual container (VC-n), tributary unit (TU-n), tributary unit group (TUG-n),
administrative unit (AU-n), and administrative unit group (AUG-n). Here, n stands for the
number of the unit level.
Container: It is used to carry service signals that are transmitted at different rates. G.709
defines specifications for five types of standard containers: C-11, C-12, C-2, C-3, and C-4.
Terms
Issue 02 (2013-12-31)

1751

Equipment
6 WAN Access
VC: It is used to support connections between channel layers of the SDH and is an
information terminal of SDH channels. VCs are classified into lower-order VCs and higherorder VCs. VC-3 in AU-3 and VC-4 are higher-order VCs.
TU and TUG: TU provides adaptation between lower-order and higher-order path layers.
One TU or a set of multiple TUs, occupying a fixed position in the payload of the higherorder VC, is called a TUG.
AU and AUG: AU provides adaptation between higher-order channel layer and multiplex
section layer. One AU and a set of multiple AUs, occupying a fixed position in the payload
of STM-N, is called an AUG.
Multiplexing E1 to STM-1
In the process of SDH multiplexing recommended in G.709, there is more than one multiplexing
path from a valid payload to STM-N.
Figure 6-3 shows the multiplexing from E1/T1 to STM-1.
Figure 6-3 Process of multiplexing E1 to STM-1
SMT-1
AUG-1
AU-4
VC-4
TUG-3
AU-3
7
Point processing
VC-3
TUG-2
Multiplexing
Aligning
Mapping
C-12:2.048Mb/s
C-12
3
VC-12
TU-12
Overhead Bytes
SDH provides monitoring and management in layers. Monitoring is classified into section
monitoring and path monitoring. Section monitoring is classified into regenerator section
monitoring and multiplex section monitoring. Path monitoring is classified into higher-order
path monitoring and lower-order path monitoring. Different overhead bytes help to implement
the monitoring functions.
NOTE
This section describes only some SDH overhead bytes used in configuration. For details, refer to a book
about the particular topic.
SOH
SOH consists of RSOH and MSOH.
The payload of an STM-N frame contains the path overhead (POH) that monitors lowspeed tributary signals.
Issue 02 (2013-12-31)

1752

Equipment
6 WAN Access
J0, the regeneration section trace byte is contained in RSOH. This byte is used to transmit
the Section Access Point Identifiers (SAPIs) repeatedly to check the connection between
the receiver and the transmitter. The byte can be any character in the networks of a carrier,
whereas the J0 byte of the receiver and the transmitter must match each other at the border
of networks between two carriers. With the JO byte, a carrier can locate and rectify faults
in advance to speed up the network recovery.
l
Path overhead
SOH monitors section layers, whereas POH monitors path layers. POH is classified into
lower-order path overhead and higher-order path overhead.
The higher-order path overhead monitors the paths at VC-4 and VC-3 levels.
J1, the higher-order VC-N path trace byte, is contained in the higher-order path overhead.
Similar to j0, J1 is used to transmit SAPIs repeatedly to check the connection between the
receiver and the transmitter. J1 bytes of the receiver and transmitter must match each other.
C2, the path signal label byte, is contained in higher-order path overhead. C2 is used to
specify the multiplexing structure and the attributes of the information payload in a VC
frame, including whether the path is loaded with services, service types, and the mapping
mode. C2 bytes of the receiver and transmitter must match each other.
Features of CPOS Interfaces on the ATN

CPOS interfaces can be channelized into E1 channels.
CPOS Interfaces on the ATN

CPOS is mainly used to improve aggregation capacity of the ATN on low speed access. The
STM-1 CPOS is suitable for aggregating multiple E1s.
The physical port of the STM-1 CPOS interface is not used as a service port, it is called a
controller. E1 channels are used as synchronous serial interfaces and configured in serial
interface view. The indexing method of the interface number is four-dimension index, namely,
slot number/card number/port number/channel number:channel number.
The STM-1 CPOS service board can provide 63 E1 channels (2.048M, DS-1).
NOTE
The channelization type of STM-1 CPOS should take the specifications of the service board as the
standards.
The ATN only supports the channels on the same service board to be bundled to be the bundling
group, and the bundling group is numbered from 1.
The link layer protocols of the channelized E1 on the ATN are as follows:
Table 6-3 Link layer conditions of the E1 supported by the ATN
Channel
Link Layer Protocol
MP Bundling
E1
PPP, ATM and TDM
Supported
The working modes of the E1 channels supported by the ATN are as follows:
Issue 02 (2013-12-31)

1753

Equipment
6 WAN Access
Table 6-4 Working modes of the E1 channels supported by the ATN

Channel
E1
Unframed
The serial interface

with rate 2.048 Mbit/
s.
Framed
Unchannelized
Channelized
Not supported
Timeslots 1 to 31, timeslots 1 to

15, and timeslots 17 to 31 can
be bundled
6.3.2 Configuring POS Interfaces

You can configure the link layer protocol, clock mode, overhead byte, frame format, and CRC
for POS interfaces.

Before configuring POS interfaces, familiarize yourself with the usage scenario, complete the
Usage Scenario
Before using a SONET/SDH optical interface to bear packet data, configure the parameters of
the POS interface.
Before configuring a POS interface, power on the ATN and start it normally.
Data Preparation
To configure a POS interface, you need the following data.
Configuring a Link Layer Protocol

The link layer protocol for POS interfaces can be PPP.
Procedure
Step 1 Run:
system-view

Step 2 Run:
interface pos interface-number
The POS interface view is displayed.

Step 3 Run:
link-protocol ppp
Issue 02 (2013-12-31)

1754

Equipment
6 WAN Access
The link layer protocol of the POS interface is specified.

----End
Configuring Overhead Bytes

SONET/SDH provides a variety of overhead bytes to monitor traffic at different levels.
Context
C2, the path signal label byte, is contained in the higher-order path overhead. C2 is used to
specify the multiplexing structure and the attributes of the information payload in a VC frame.
J0, the regeneration section trace byte, is contained in the section overhead. It is used to check
the continuity of a connection between two ports at the section layer.
J1, the higher-order VC-N path trace byte, is used to check the connectivity of a connection
between two ports at the path layer.
C2, J0, and J1 of the receiver and the transmitter must be the same; otherwise, the two ends
cannot communicate.
For a POS interface, the default value of C2 is hexadecimal 2; the default value of J0 is
hexadecimal "NetEngine"; the default value of J1 is hexadecimal "NetEngine".
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
flag { c2 c2-value | j0 16byte-mode j0-value | j1 16byte-mode j1-value }
Overhead bytes of the POS interface are configured.

----End
Configuring the Scramble Function

POS interfaces support the scrambling function for the payload data to prevent the excessive
number of consecutive 1s or 0s and help the receiver extract line clock signals.
Context
The directly connected interfaces must have the same scrambling function.
Issue 02 (2013-12-31)

1755

Equipment
6 WAN Access
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
scramble
The scrambling function of the payload is configured on the POS interface.

By default, the scrambling function is enabled on the payload.
----End
Configuring the Length of the CRC Check Character

POS interfaces support the CRC check character in either 16 or 32 bits.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
crc { 16 | 32 }
The length of the CRC check character is set for the POS interface.
By default, the 32-bit CRC check character is used.
----End

After configuring POS interfaces, you can view the configuration and status of POS interfaces.
Prerequisites
POS interfaces have been configured.
Issue 02 (2013-12-31)

1756

Equipment
6 WAN Access
Procedure
l
Run the display interface pos [ interface-number ] command to check the configuration
and status of the POS interface.
Run the display interface brief command to check brief information about the POS
interface.
----End
Example
Run the display interface brief command to view brief information about the physical status,
link layer protocol status, bandwidth utilization, and number of incorrect packets of the POS
interface.
<HUAWEI> display interface brief | include Pos
PHY:
Physical
*down: administratively
down
(l):
loopback
(s):
spoofing
(b): BFD
down
(B): bit-error-detection
down
(e): ETHOAM
down
(d): Dampening
Suppressed
InUti/OutUti: input utility/output
utility
Interface
PHY
Protocol InUti OutUti
outErrors
Pos0/2/0
up
up
0%
0%
0
Pos0/2/1
up
up
0%
0%
0
Pos0/2/2
up
up
0%
0%
0
Pos0/2/3
up
up
0%
0%
inErrors
0
0
0
0
6.3.3 Configuring STM-1 CPOS Interfaces

Configuring a CPOS interface on a device effectively converges low-speed channels. An STM-1
CPOS is applicable where multiple E1 channels need to be converged.
Before You Start

Before configuring CPOS interfaces, familiarize yourself with the usage scenario, complete the
Issue 02 (2013-12-31)

1757

Equipment
6 WAN Access
Usage Scenario
Configure parameters for the CPOS interface before using an SDH optical interface to bear
packet data and before using low-speed ports for access.
Before configuring a CPOS interface, power on the ATN and start it normally.
Data Preparation
To configure a CPOS interface, you need the following data.
No.
Data
Number of the CPOS interface on the ATN
Overhead bytes C2, J0, and J1 for the CPOS interface
Configuring the Overhead Byte

SDH provides a variety of overhead bytes. You can configure overhead bytes for CPOS
interfaces to implement monitoring at different levels.
Context
SDH provides a variety of overhead bytes, which perform the monitoring function at different
levels.
C2 is used to indicate the multiplex structure of VC frames and information payload properties.
J0 is a section overhead byte which is used to detect the connectivity of two ports on the section
layer.
J1 is a higher order path overhead byte which is used to detect the connectivity of two ports on
the path layer.
Procedure
Step 1 Run:
system-view

Step 2 Run:
controller cpos cpos-number
The CPOS interface view is displayed.

Step 3 Perform the following as required.
Issue 02 (2013-12-31)

1758

Equipment
6 WAN Access
NOTICE
The line interface module uses the dual fed and selective receiving solution (that is, packets are
dually fed in the transmit direction and selectively received in the receive function), in order to
achieve APS 1+1 protection for the CPOS sub-board. Therefore, the lower order path
configuration items (including J2, Frame-Format, and clock) of the working and protection ports
on both the local and interconnected ATN equipment must be set to the same values.
l To configure the regeneration section trace message J0, run:
flag j0 sdh j0
For the regenerator section trace byte J0:

In the 16-byte mode (sdh), the default value of J0 is "NetEngine".
l To configure the path trace byte J1, run:
flag j1 16byte-mode j1
By default, the value of J1 is "NetEngine".

l To configure the path signal label byte C2, run:
flag c2 c2
C2 is used for international interconnections and 0x02 is used in China. By default, C2 is 02

(in the hexadecimal system).
l To configure the path trace byte J2, run:
flag j2 16byte-mode e1 e1-list j2
NOTE
The C2, J0, on both the receiving and the sending ends must be consistent; otherwise, an alarm is generated.
----End

After a CPOS interface is configured, you can check the clock mode, frame format, overhead
byte, and AUG multiplexing path of the interface.
Procedure
Step 1 Run the display controller cpos [ cpos-number ] command to check information about all
channels of the CPOS interface.
----End
Example
You can view information about the clock, frame format, and multiplexing path by checking
information about the STM-1 CPOS interface.
<HUAWEI> display controller cpos 0/2/0
Cpos0/2/0 current state : UP
Description : HUAWEI, Cpos0/2/0 Interface
The Vendor PN is RTXM139-400
The Vendor Name is WTD
Port BW: 155M, Transceiver max BW: 155M, Transceiver Mode: SingleMode
WaveLength: 1310nm, Transmission Distance: 15km
Rx Power: -11.84dBm, Tx Power: -10.54dBm
Issue 02 (2013-12-31)

1759

Equipment
Physical layer is Packet Over SDH, loopback none
TX:Flag J0: "HuaWei SBS
", Flag J1: "HuaWei SBS
RX:Flag J0: "HuaWei SBS
section layer:
alarm: none
error: B1 0
line layer:
alarm: none
error: B2 0, REI 0
path layer:
alarm: none
error: B3 0, REI 0
6 WAN Access
", Flag C2: 2(0x2)

", Flag C2: 2(0x2)
6.3.4 Configuring a CPOS-Trunk Interface

You can create a CPOS-Trunk interface, add CPOS interfaces to the CPOS-Trunk, and create
Trunk-Serial interfaces.
Before You Start

Before configuring a CPOS-Trunk interface, familiarize yourself with the usage scenario,
Usage Scenario
After bundling CPOS interfaces to create a CPOS-Trunk interface, you can configure automatic
protection switching (APS) on the CPOS-Trunk interface.
Before creating a CPOS-Trunk interface, power on the ATN and ensure that the ATN detects
no error during self-check.
Data Preparation
To configure a CPOS-Trunk interface, you need the following data.
No.
Data
Number of a CPOS-Trunk interface on the ATN
Channel number and timeslot number
Creating a CPOS-Trunk Interface and Adding CPOS Interfaces to the CPOS-Trunk

A CPOS-Trunk interface is created and CPOS interfaces are added to the CPOS-Trunk.
Context
In a scenario where automatic protection switching (APS) is configured to protect services,
CPOS interfaces must be added to a CPOS-Trunk interface so that services can be carried on a
Trunk-Serial interface channelized from the CPOS-Trunk interface.
Issue 02 (2013-12-31)

1760

Equipment
6 WAN Access
Procedure
Step 1 Create a CPOS-Trunk interface.
The CPOS-Trunk interface needs to be jointly used with APS.
1.
Run:
system-view

2.
Run:
interface cpos-trunk trunk-id
A CPOS-Trunk interface is created. If the CPOS-Trunk interface exists, the view of the
existing CPOS-Trunk interface is displayed.
3.
Run:
quit

Step 2 Add CPOS interfaces to the CPOS-Trunk interface.
1.
Run:
system-view

2.
Run:
The view of the specified CPOS interface is displayed.

3.
Run:
cpos-trunk trunk-id
The CPOS interface is added to the CPOS-Trunk.

NOTE
After a CPOS interface is added to a CPOS-Trunk interface, the CPOS interface will undergo status
changes according to the command run on the CPOS-Trunk interface.
l If you run the shutdown command on the CPOS-Trunk interface, the physical status of both the
CPOS-Trunk interface and its member interface becomes Administratively DOWN, and the
configuration file of the member interface displays shutdown automatically.
l If you run the undo shutdown command on the CPOS-Trunk interface, the configuration file of
the member interface displays undo shutdown automatically.
----End
Creating a Trunk-Serial Interface

You can configure an E1 channel channel to work in clear channel mode or bundle timeslots of
the channel to create a Trunk-Serial interface.
Context
In a scenario where automatic protection switching (APS) is configured to protect services, the
services must run on a Trunk-Serial interface channelized from a CPOS-Trunk interface. A
Issue 02 (2013-12-31)

1761

Equipment
6 WAN Access
Trunk-Serial interface is created using either of the following methods which can be flexibly
chosen by users based on their needs.
NOTE
The member interface of the CPOS-Trunk must be added to an APS Group, or the Trunk-Serial interface
created by the CPOS-Trunk will not be Up.
Procedure
l
Configure an E1 channel of a CPOS-Trunk interface.

Configure an E1 channel to work in clear channel mode.
1.
Run:
system-view

2.
Run:
The CPOS-Trunk interface view is displayed.

3.
Run:
e1
e1-number unframed
An E1 channel of a CPOS-Trunk interface is configured to work in clear channel

mode.
Bundle timeslots.
1.
Run:
system-view

2.
Run:
The CPOS-Trunk interface view is displayed.

3.
Run:
e1 e1-number channel-set set-number timeslot-list [ slot-list | ts0 ]
Timeslots of an E1 channel of the CPOS-Trunk interface are bundled, and a TrunkSerial interface is created.
----End

After the configurations of a CPOS-Trunk interface are complete, you can view its
configurations and status.
Prerequisites
A CPOS-Trunk interface has been configured.
Issue 02 (2013-12-31)

1762

Equipment
6 WAN Access
Procedure
l
Run the display cpos-trunk trunk-id command to check detailed information of the CPOSTrunk interface.
----End
Example
Run the display cpos-trunk trunk-id command to view detailed information of the CPOS-Trunk
interface.
<HUAWEI> display cpos-trunk 1
Interface Cpos-Trunk1's state information is:,
Operate status: up
-------------------------------------------------------------------------------PortName
Status
Active Status
Cpos0/2/1
Up
Inactive
Cpos0/2/2
Up
Active
6.3.5 Configuring E1 Channels of the CPOS Interface

You can create synchronous serial interfaces for E1 channels, configure their frame format, clock
mode, and timeslot binding, and disable or enable the E1 channels.
Before You Start

Before configuring E1 channels of CPOS interfaces, familiarize yourself with the usage scenario,
Usage Scenario
Before using the low-speed interface channelized from the CPOS interface for access, configure
parameters for the E1 channel.
Before configuring the E1 channel on a CPOS interface, complete the following tasks:
l
Power on the ATN and start it normally.
Connect the CPOS interface and configure physical attributes for the CPOS interface.
Data Preparation
To configure the E1 channel of a CPOS interface, you need the following data.
Issue 02 (2013-12-31)
No.
Data
Number of the CPOS interface on the ATN
Number of the E1 channel
Number of the CE1 channel whose timeslots are bound to the channel-set, and the
number and range of timeslots

1763

Equipment
6 WAN Access
Creating Synchronous Serial Interface of E1 Channel

Before transmitting data over E1 channels of a CPOS interface, you need to create synchronous
serial interfaces.
Context
NOTE
One channel cannot work in both the clear channel mode and the channelized mode simultaneously. To
switch between these two working modes, cancel the current serial interface and re-create a new one.
Procedure
l
Create the synchronous serial interface of the E1 channel of the ATN.

1.
Run:
system-view

2.
Run:

3.
To create the synchronous serial interface of the E1 channel, perform the following
steps:
To create the E1 channel in clear channel mode, run:
e1 e1-number unframed
To create the E1 channel in channelized mode, run:

e1 e1-number channel-set set-number timeslot-list slot-list
ATN support the following types of timeslot bundling:

Bundling of timeslots 1 to 15
Bundling of timeslots 1 to 15,Bundling of timeslots 17 to 31
The channel-set after the timeslot bundling of the E1 channel forms a serial
interface. You can configure this serial interface. The serial interface is numbered:
slot/card/interface/channel number: channel-set number.
----End
Configuring Frame Format

E1 channels support the frame format with 4-bit CRC.
Context
An E1 channel supports the frame format with 4-bit CRC.
By default, the frame format of an E1 channel is no-CRC4.
Issue 02 (2013-12-31)

1764

Equipment
6 WAN Access
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
e1 e1-number set frame-format { crc4 | no-crc4 }
The frame format of the E1 channel is configured.

----End
Configuring Clock Mode

You can set an E1 channel to work in master or slave clock mode according to the connected
device.
Context
You can configure the clock mode for each E1 channel separately. The clock mode of an E1
channel depends on the device connected to the E1 channel.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
e1 e1-number set clock { master | slave }
The clock mode of the E1 channel is configured.

----End

After E1 channels of CPOS interfaces are configured, you can check their clock mode and frame
format.
Issue 02 (2013-12-31)

1765

Equipment
6 WAN Access
Procedure
l
Run the display interface serial slot/card/port/channel-number:set-number command to

check the information about the serial interface bound by E1 channels.
Run the display controller cpos [ cpos-number ] command to check the information about
the status and statistics of the CPOS interface.
----End
Example
You can view the status, link layer protocol and statistics for the serial interface channelized by
the E1 channel of a CPOS interface.
<HUAWEI> display interface serial 0/2/0/1:1
Serial0/2/0/1:1 current state : UP
Description : Serial0/2/0/1:1 Interface
Route Port, The Maximum Transmit Unit is 1500, Hold timer is 10(sec)
Derived from Cpos0/2/0 e1 1, Timeslot(s) Used: 1-24, baudrate is 1536000 bps
Link layer protocol is PPP
LCP opened
clock master, loopback none
CRC: CRC-32
Scramble disabled
Alarm: None
Statistics last cleared:2009-01-20 15:55:04
Traffic statistics:
Input: 33 packets, 426 bytes
Input error: 0 shortpacket, 0 longpacket, 0 CRC, 0 lostpacket
Output: 30 packets, 372 bytes
Output error: 0 lostpackets
Output error: 0 overrunpackets, 0 underrunpackets
Run the display controller cpos command, you can view the information about the status and
clock mode of a CPOS interface. For example:
<HUAWEI> display controller cpos 0/2/0
Cpos0/2/0 current state : UP
Description : HUAWEI, Cpos0/2/0 Interface
The Vendor PN is MXPD-033S
The Vendor Name is HG GENUINE
Port BW: 155M, Transceiver max BW: 155M, Transceiver Mode: SingleMode
WaveLength: 1310nm, Transmission Distance: 15km
Rx Power: -7.48dBm, Warning range: [-26.00dBm, -10.00dBm]
Tx Power: -11.08dBm, Warning range: [-15.00dBm, -8.00dBm]
Physical layer is Packet Over SDH, loopback none
TX:Flag J0: "HuaWei SBS
", Flag C2: 2(0x2)
RX:Flag J0: "HuaWei SBS
", Flag C2: 2(0x2)
section layer:
alarm: none
error: B1 0
line layer:
alarm: none
error: B2 0, REI 41644
path layer:
alarm: none
error: B3 0, REI 13969
Issue 02 (2013-12-31)

1766

Equipment
6 WAN Access
6.3.6 Maintaining CPOS Interface Configuration

To maintain CPOS interfaces, you can enable the self-loop function to detect whether an interface
runs properly and to clear interface statistics.
Configuring the Self-loop to Detect Whether the Interface Is Normal

You can enable the self-loop function on an interface to detect whether the interface or the link
is working properly.
Context
Procedure
Step 1 Run:
system-view

Step 2 Choose one of the following commands according to the interface type to enter the interface
view.
l In the case of an STM-1 CPOS interface or E1 channel of STM-1 CPOS interface, run:
controller cpos interface-number
Step 3 Choose one of the following commands according to the interface type to enable the self-loop.
l In the case of an E1 channel of STM-1 CPOS interface, run:
e1 e1-number set loopback { local | remote }
By default, the self-loop is disabled.

----End

You can run the reset command to clear interface traffic statistics before collecting statistics on
the interface again.
Context
NOTICE
Interface statistics cannot be restored after you run the reset command to clear them. Exercise
caution when running the commands.
To reset the interface statistics on the Network Management System (NMS) or those displayed
using the display interface command, run the following commands in the user view. Clear the
interface statistics before collecting them.
Issue 02 (2013-12-31)

1767

Equipment
6 WAN Access
NOTE
For interface statistics on the NMS, refer to related NMS manuals.
Procedure
l
Run the reset counters interface [ interface-type [ interface-number ] ] command to clear

the interface statistics previously displayed using the display interface command.

to clear the interface statistics on the NMS.
----End

Example for Configuring an STM-1 CPOS Interface
This example shows how to configure a CPOS interface on a router to converge services from
mid-range-and-low-end routers over E1 links and identify each mid-range-and-low-end router
by bundling different timeslots of the CPOS interface.
As shown in Figure 6-4, certain mid-range-and-low-end devices access the transmission
network through E1 leased cable. All the bandwidths converge to the CPOS interface 0/2/1 on
ATN A through transmission network. Each mid-range-and-low-end device is defined by its
unique timeslot.
There cannot be only one transmission network between the channelized POS interface and the
mid-range-and-low-end deivce. Other transmission methods can also be adopted.
NOTE
The configurations of the T1 channel and the E1 channel are consistent. Take the E1 channel as an example.
Figure 6-4 Networking diagram of an STM-1 CPOS interface
E1
ADM
ATNA
E1
ADM
ADM
CPOS 0/3/1
ADM
E1
Issue 02 (2013-12-31)

1768

Equipment
6 WAN Access
1.
Create the channel.
2.
Create the bound group.
3.
Configure the channel to join the bound group.
Data Preparation
l
Channel number and slot number of each E1 channel
Number of the bound group on each interface

NOTE
l The slot number and card number of the added Mp-group interface and the Mp-group interface must
be consistent. That is, trans-board binding is not supported.
l The interfaces added to the MP-group can only be the serial interfaces instead of other interfaces.
Procedure
Step 1 Configure ATNA
# Create a channel on the CPOS interface.
[ATNA] controller cpos 0/2/1
[ATNA-Cpos0/2/1] e1 1 channel-set
[ATNA-Cpos0/2/1] undo shutdown
[ATNA-Cpos0/2/1] quit
1
2
3
4
timeslot-list
timeslot-list
timeslot-list
timeslot-list
1-31
1-31
1-31
1-31
# Configure a bundle group and the terminal authenticator.

[ATNA] interface mp-group 0/2/1
[ATNA-Mp-group0/2/1] discriminator
[ATNA-Mp-group0/2/1] quit
# Bind the channel to the bundle group.

[ATNA] interface serial 0/2/1/1:1
[ATNA-Serial0/2/1/1:1] link-protocol ppp
[ATNA-Serial0/2/1/1:1] ppp mp mp-group 0/2/1
[ATNA-Serial0/2/1/1:1] quit
----End
Issue 02 (2013-12-31)

1769

Equipment
6 WAN Access
Configuration Files
#
sysname ATNA
#
controller Cpos0/2/1
undo shutdown
e1 1 channel-set 1 timeslot-list
#
interface Serial0/2/1/1:1
link-protocol ppp
#
link-protocol ppp
#
link-protocol ppp
#
link-protocol ppp
#
1-31
1-31
1-31
1-31
6.4 APS Configuration

APS helps ensure nonstop communications by immediately switching services from a faulty
link to a functional link when an STM-N link in the SDH system fails.
NOTE
Only the ATN 950B supports APS configuration.
6.4.1 APS Overview

The APS immediately switches services from a faulty link to a normal link by switching and
recovering linear multiplex sections.
APS Overview
The Automatic Protection Switching (APS) protocol uses the Multiplex Section Overhead
(MSOH) to transmit signals. APS works in either 1+1 or 1:N mode.
APS Principle
APS is an important feature of a Synchronous Digital Hierarchy (SDH) network. APS uses a
protect link to protect traffic on one or more working links. If a working link fails, services on
the working link automatically switches to the protect link, preventing data loss and improving
network reliability.
Issue 02 (2013-12-31)

1770

Equipment
6 WAN Access
APS uses K1 and K2 bytes in the MSOH to carry information. K1 transmits Changeover Order
(COO) signals for a traffic switchover; K2 transmits Changeover Acknowledgement (COA)
signals for a traffic switchback.
APS Working Modes

l
When data is transmitted properly, APS is performed in either 1+1 or 1:N (1:1 is used as
an example) mode:
1+1: Two links work together. The sender sends traffic on both the working and protect
links and the receiver receives traffic from only the working link. The 1+1 mode allows
rapid traffic switching and provides high reliability. However, this mode has a low
channel usage at about 50%.
1:1: Two links are set up and only one link works. If the working link works properly,
traffic flows only through the working link. The 1:1 mode allows a high channel usage
but has poorer reliability than the 1+1 mode.
NOTE
ATN supports only the 1+1 protection mode.
If a working link fails, APS automatically switches data from a working link to a protect
link, and continues to take effect on data in either of the following modes:
Switchback: If the working link recovers, APS switches traffic back to the working link
after the Wait-to-Restore (WTR) timer expires, and allows the protect link to protect
other working links.
Non-switchback: If the working link recovers, APS does not switches traffic back to
the working link unless the protect link fails or a switchover request is received.
If a link fails, either of the following switchovers is performed:

Unidirectional switchover: If a working link fails, the sender sends data along both
working and protect links, and the receiver receives data only from the protect link. This
mode is available only when APS works in 1+1 mode.
Bidirectional switchover: If a working link fails, the sender sends data only along the
protect link. This mode is available when APS works in either 1:1 or 1+1 node.
NOTE
ATNsupports only the unidirectional switchover.
APS provides protection at four levels. The first three levels apply to single-chassis APS
and the fourth applies to E-APS. The four levels are as follows:
Interface level: Both a working interface and a protection interface reside on a single
sub-card of a board.
Sub-card level: A working interface and a protection interface reside on two sub-cards
of a single board.
Board level: A working interface and a protection interface reside on different boards
of a single ATN.
Device level: A working interface and a protection interface are configured on different
ATNs. A working ATN is configured with the working interface, and a protect ATN is
configured with a protection interface. The working and protect ATNs exchange control
information using the Protect Group Protocol (PGP) over an out-band management
channel.
Issue 02 (2013-12-31)

1771

Equipment
6 WAN Access
NOTE
ATN supports only the Interface level.
APS Features Supported by the ATN

The ATN supports the Automatic Protection Switching (APS) working modes, enhanced APS
(E-APS) negotiation and authentication parameters, trunk-based APS groups.
The ATN supports either single-chassis APS or E-APS networking. Working and protection
interfaces must be created for a single-chassis APS or E-APS group. Interfaces on both ends of
a working or protect link must be configured with consistent parameters including the working
or protect link state and automatic APS switching mode.
APS Working Modes

Automatic protection switching
The ATN currently supports 1+1 unidirectional APS working modes. For more information, see
APS Overview. One of the following modes can be configured based on network and application
requirements:
l
1+1 mode: Both the working and protect links transmit traffic.
Unidirectional mode: If an optical fiber to an interface fails, only the receiver switches its
traffic to the protect link.
Command-triggered APS switching

Command-triggered APS switching includes protection lock, forcible switching, and manual
switching. Command-triggered APS switching is used during a device upgrade, link
troubleshooting, testing, and maintenance. The three modes are described as follows:
l
Protection lock means that services are transmitted on the working link and will not be
switched to the protect link even though the working link becomes unavailable.
Either forcible or manual APS switching means that services are manually switched from
the working link to the protect link. Their difference is as follows:
Forcible APS switching takes effect only when the protect link is working properly.
After traffic switches to the protect link, services will be interrupted if a signal degrade
(SD) error occurs on the protect link. Services will switch back to the working link if a
signal failure (SF) occurs on the protect link.
Manual APS switching can be performed only when both the working and protect links
are working properly. After manual APS switching is performed, services will switch
to the working link if an SF or SD error occurs on the protect link.
Delayed Switchback (WTR Time)

After a fault in the working link is rectified, services automatically switch from the protect link
to the working link. During the switchback, some service traffic is dropped because some
resources related to the working link or ATN are being restored. To prevent service loss, the
WTR time can be set on the ATN to delay a switchback. Services can automatically switch from
the protect link back to the working link in the specified WTR time after the working link
becomes available.
Issue 02 (2013-12-31)

1772

Equipment
6 WAN Access
Interfaces in an APS Group Joining a Trunk Interface

l
CPOS-Trunk-based APS
Channelized Packet Over SDH/SONET (CPOS)-enabled working and protection interfaces
can join a single CPOS-Trunk interface on the ATN. Timeslots of an E1 channel of a CPOSTrunk interface can be bound together to create a trunk-serial interface. Add the trunk-serial
interface to a global Multilink Point to Point Protocol (MP) group or configure the CES
service on the trunk-serial interface.
6.4.2 Configuring Single-Device APS

Two devices that support APS can connect through two links. Link reliability can be improved
by configuring single-device APS.
Before You Start

Before configuring single-device APS, familiarize yourself with the usage scenario, complete
APS needs to be configured when the ATN is connected to a Radio Network Controller (RNC).
Before configuring APS, configure an interface on the ATN and ensure that the link layer
protocol between the ATN and the RNC is Up.
Data Preparation
To configure APS, you need the following data.
No.
Data
ID of an APS group
IDs of the working and protection interfaces in an APS group
(Optional) WTR time set for an APS group
Specifying a Working Interface and a Protect Interface for an APS Group

A working interface and a protection interface must be specified and added to an APS group
before other APS configurations are performed.
Context
An APS group includes one working interface and one protection interface, and they are the
smallest units protected by APS. The communication messages between the working interface
and the protection interface are transmitted within the APS Group. Specifying a working
Issue 02 (2013-12-31)

1773

Equipment
6 WAN Access
interface and a protection interface and adding them to an APS group are the prerequisites for
APS operation. The working interface is connected to a working link and the protection interface
is connected to a protect link. The protection interface takes over traffic after APS switching is
performed. When an APS group works in 1+1 mode, both the working and protection interfaces
transmit traffic. The receiver receives traffic only from the working link.
Perform the following steps on the ATN that requires APS:
Procedure
Step 1 Specify an APS working interface.
1.
Run:
system-view

2.
Run:

3.
Run:
aps group group-id
An APS group is created and an interface is added to the APS group.

4.
Run:
aps working
The interface added to the APS group is specified as a working interface.

Step 2 Specify an APS protection interface.
1.
Run:
system-view

2.
Run:

3.
Run:
aps group group-id
An APS group is created and an interface is added to the APS group.
NOTICE
The working and protection interfaces must be added to a single APS group.
4.
Run:
aps protect
The interface added to the APS group is specified as a protection interface.

----End
Issue 02 (2013-12-31)

1774

Equipment
6 WAN Access
Configuring a Working Mode for an APS Group

A working mode can be configured for an APS group. The ATN supports APS working modes,
including automatic APS switching, and delayed switchback with the wait to restore (WTR)
time configured. An APS working mode must be configured on a protection interface.
Context
Automatic APS switching modes are classified into 1+1 unidirectional.
After a fault in the working link is rectified, services automatically switch from the protect link
to the working link. During the switchback, some service traffic is dropped because some
resources related to the working link or ATN are being restored. To prevent service loss, the
WTR time can be set on the ATN to delay a switchback. Services can automatically switch from
the protect link back to the working link in the specified WTR time after the working link
becomes available.
Perform the following steps on a protection interface in an APS group:
Procedure
l
Configure an automatic protection switching mode for an APS group.

1.
Run:
system-view

2.
Run:

l
Set the WTR time for an APS group.

1.
Run:
system-view

2.
Run:
The protection interface view of the APS group is displayed.
3.
Run:
aps revert wtr-time
The WTR time is set for the APS group.

The value ranges from 1 to 12 minutes.
When setting the WTR time, note the following items:
In 1+1 mode, after a fault is rectified, traffic does not automatically switch back
to the working interface. The aps revert wtr-time command can be used to set a
WTR time before an APS group switchback is performed. After the fault is
rectified, data services will switch back to the working interface after the
configured WTR time expires.
----End
Issue 02 (2013-12-31)

1775

Equipment
6 WAN Access
Adding Interfaces of an APS Group to a Trunk Interface

A working interface and a protection interface in an APS group must be added to a single trunk
interface.
Context
APS is used to protect traffic on attachment circuit (AC) links connecting ATNs to Add/Drop
Multiplex (ADM) devices or Radio Network Controllers (RNCs) on a Synchronous Digital
Hierarchy (SDH) network. AC-side physical ATM or channelized Packet Over SDH/SONET
(CPOS) interfaces on the ATNs are added to a trunk interface to carry services.
Perform the following steps on the working and protection interfaces of an APS group:
Procedure
Step 1 Run:
system-view

Step 2 Run:
interface cpos-trunk interface-number
A CPOS-Trunk interface is created and the view of the CPOS-Trunk interface is displayed.
Step 3 Run:
quit

Step 4 Run:
controller cpos interface-number

Step 5 Run:
cpos-trunk trunk-id
The interface is added to a trunk interface.
NOTICE
The working and protection interfaces of an APS group must be added to the trunk interface
with the same trunk ID.
----End

After a single-device APS is configured, the APS group's working mode, working interface,
WTR time, and interface status can be viewed.
Issue 02 (2013-12-31)

1776

Equipment
6 WAN Access
Procedure
Step 1 Run the display aps group group-id command to view configurations of an APS group.
Step 2 Run the commands below to view configurations of trunk interfaces.
Run the display cpos-trunk trunk-id command to view configurations of the CPOS-Trunk
interfaces.
----End
Example
<HUAWEI> display aps group 1
APS Group 1: Cpos0/1/0 working channel 1(Active)
Cpos0/1/1 protection channel 0(Inactive)
Unidirection, 1+1 mode, None Revert Mode
No Request on Both Working and Protection Side
-------------------------------------------------------------------------------Group Work-Channel Protect-Channel Wtr W-State P-State Switch-Cmd Switch-Result
-------------------------------------------------------------------------------1
Cpos0/1/0
Cpos0/1/1
NA
ok
ok
NA
idle
-------------------------------------------------------------------------------total entry: 1
Display configurations of CPOS-Trunk interfaces.

<HUAWEI> display cpos-trunk 1
Interface Cpos-Trunk1's state information is:
Operate status: up
-------------------------------------------------------------------------------PortName
Status
Active Status
Cpos0/2/0
Up
Active
Cpos0/2/2
Up
Inactive

This section provides configuration examples of APS. Each configuration example consists of
the networking requirements, configuration precautions, configuration roadmap, configuration
procedures, and configuration files.
Example for Configuring APS on a CPOS-Trunk

In this example, a CPOS-Trunk is configured on the ATN to aggregate multiple E1 links
connected to mid-range-and-low-end devices and identify devices with different timeslots. In
addition, APS is configured on the CPOS interfaces of the ATN to implement protection
switching. This example includes networking requirements, configuration roadmap, data
preparation, configuration procedure, and configuration files.
As shown in Figure 6-5, mid-range-and-low-end devices are connected to the transport network
through E1 links. These E1 links are aggregated into a CPOS-Trunk configured on ATN A.
ATN A uses timeslots to identify these devices. The CPOS-Trunk on ATN A consists of two
CPOS interfaces. Single-chassis APS needs to be configured on the CPOS interfaces to improve
data transfer reliability.
Issue 02 (2013-12-31)

1777

Equipment
6 WAN Access
In real-world situations, mid-range-and-low-end devices are usually connected to CPOS

interfaces over a multi-layer transport network. Therefore, relay devices and other transport
means are probably involved.
Figure 6-5 Networking diagram for configuring APS on a CPOS-Trunk
1.
Configure single-chassis APS on the two CPOS interfaces, and add the CPOS interfaces
to a CPOS-Trunk.
2.
Bundle timeslots of E1 channels in the CPOS-Trunk to create Trunk-Serial interfaces, and

add the Trunk-Serial interfaces into a Global-MP-Group.
Data Preparation
l
APS parameters
CPOS-Trunk parameters
Global-MP-Group interface number
Procedure
Step 1 Configure single-chassis APS.
1.
Configure single-chassis APS on ATN A.

[ATNA-Cpos0/2/1] aps group 1
[ATNA-Cpos0/2/1] aps working
[ATNA-Cpos0/2/2] aps group 1
[ATNA-Cpos0/2/2] aps protect
Issue 02 (2013-12-31)

1778

Equipment
6 WAN Access
2.
Create a CPOS-Trunk on ATN A and add CPOS interfaces to the CPOS-Trunk.

[ATNA] interface cpos-trunk 0
[ATNA-Cpos-Trunk0] quit
[ATNA-Cpos0/2/1] cpos-trunk 0
[ATNA-Cpos0/2/2] cpos-trunk 0
Step 2 Configure the CPOS-Trunk.

1.
Bundle timeslots of E1 channels in the CPOS-Trunk.

[ATNA] interface cpos-trunk 0
[ATNA-Cpos-Trunk0] e1 1 channel-set 1 timeslot-list 1-31
[ATNA-Cpos-Trunk0] e1 2 channel-set 2 timeslot-list 1-31
[ATNA-Cpos-Trunk0] quit
2.
Create a Global-MP-Group.
[ATNA] interface global-mp-group 0
[ATNA-Global-Mp-Group0] ip address 10.1.1.1 255.255.255.0
[ATNA-Global-Mp-Group0] quit
3.
Add Trunk-Serial interfaces to the Global-MP-Group.

[ATNA] interface Trunk-Serial0/1:1
[ATNA-Trunk-Serial0/1:1] link-protocol
[ATNA-Trunk-Serial0/1:1] ppp mp-global
[ATNA-Trunk-Serial0/1:1] quit
[ATNA-Trunk-Serial0/2:2] link-protocol
[ATNA-Trunk-Serial0/2:2] ppp mp-global
4.
ppp
global-mp-group 0
ppp
global-mp-group 0
Restart Trunk-Serial interfaces and the Global-MP-Group.

[ATNA] interface global-mp-group 0
[ATNA-Global-Mp-Group0] undo shutdown
[ATNA-Global-Mp-Group0] quit
[ATNA-Trunk-Serial0/1:1] undo shutdown
[ATNA-Trunk-Serial0/2:2] undo shutdown

# Run the display aps group command on ATN A to view the APS configuration. The command
output shows the working interface, protection interface, and switchback WTR time.
[ATNA] display aps group 1
APS Group 1: Cpos0/2/1 working channel 1(Active)
Cpos0/2/2 protection channel 0(Inactive)
Unidirectional, 1+1 mode, None Revert
Mode
Local detect Signal Fail on protection side
-----------------------------------------------------------------------Group Work-Channel Protect-Channel Wtr W-State P-State Switch-Cmd Switch-Result
-----------------------------------------------------------------------1
Cpos0/2/1
Cpos0/2/2
6
ok
ok
NA
idle
-----------------------------------------------------------------------total entry: 1
# Run the display cpos-trunk command to view the CPOS-Trunk configuration. The command
output shows the status of CPOS-Trunk member interfaces.
Issue 02 (2013-12-31)

1779

Equipment
6 WAN Access
[ATNA] display cpos-trunk 0

Interface Cpos-Trunk0's state information is:
Operate status: up
-------------------------------------------------------------------------------PortName
Status
Active Status
Cpos0/2/1
Up
Active
Cpos0/2/2
Up
Inactive
# Run the display ppp mp-global command to view the Global-MP-Group configuration. The
command output shows the status of Trunk-Serial interfaces in the Global-MP-Group.
[ATNA] display ppp mp-global
Global-Mp-Group is Global-Mp-Group0
===========Sublinks status begin======
Trunk-Serial0/1:0 physical UP,protocol UP
===========Sublinks status end========
----End
Configuration Files
#

#
sysname ATNA
#
undo shutdown
aps group 1
aps working
cpos-trunk 0
#
undo shutdown
aps group 1
aps protect
cpos-trunk 0
#
interface Cpos-Trunk0
undo shutdown
e1 1 unframed
e1 2 unframed
#
interface Global-Mp-Group0
ip address 10.1.1.1 255.255.255.0
undo shutdown
#
interface Trunk-Serial0/1:0
undo shutdown
link-protocol ppp
ppp mp-global global-mp-group 0
#
interface Trunk-Serial0/2:0
undo shutdown
link-protocol ppp
ppp mp-global global-mp-group 0
#
return
Issue 02 (2013-12-31)

1780

Equipment
6 WAN Access
6.5 PPP and MP Configuration

Applied to the data link layer of the OSI model and the link layer of the TCP/IP protocol suite,
the Point-to-Point Protocol (PPP) is a link layer protocol that specifies how to transmit and
encapsulate network layer packets over P2P links. PPP is developed based on the Serial Line
Internet Protocol (SLIP). Multilink PPP (MP) is a technique that binds multiple PPP links to
increase bandwidth.
6.5.1 Introduction
This section describes PPP and MP features including the format, encapsulation, and
authentication modes of PPP packets.
PPP and MP Overview

The PPP protocol consists of the Link Control Protocol (LCP), Network Control Protocol (NCP),
and PPP extension protocols. PPP establishes links through a series of negotiations.
A point-to-point (P2P) connection is a simple WAN connection. Link layer protocols of a PPP
link are as follows:
l
Point-to-Point Protocol (PPP): supports synchronous and asynchronous transmission.
High-level Data Link Control protocol (HDLC): supports only synchronous transmission.
Located at the data link layer of the Open Systems Interconnection (OSI), PPP supports
synchronous or asynchronous full-duplex links to transmit data from point to point. PPP is widely
used because
l
It provides user authentication.
It supports synchronous and asynchronous communications.
It can be easily expanded.
PPP defines a set of protocols, including:

l
Link Control Protocol (LCP): is used to establish, monitor, and terminate data links.
Network Control Protocol (NCP): is used to establish and configure different network-layer
protocols, and to negotiate the format and type of packets transmitted over data links.
Authentication protocols: include Password Authentication Protocol (PAP) and ChallengeHandshake Authentication Protocol (CHAP), both of which are used for network security
authentication.
The Multilink PPP (MP) technology binds multiple PPP links into a logical channel to increase
bandwidth. MP can be applied to the low-speed interfaces supporting PPP, such as serial
interfaces.
Features of PPP and MP on the ATN

On the ATN, multiple serial interfaces can be bundled into an MP-group interface.
The ATN supports the configuration of PPP on the serial interface to implement the following
functions:
Issue 02 (2013-12-31)

1781

Equipment
6 WAN Access
Supporting the Maximum Receive Unit (MRU) negotiation
On the ATN, the interfaces supporting the MP binding are as follows:

l
Synchronous serial interface formed by E1 and CE1.
Synchronous serial interface formed by T1 and CT1.
The ATN does not support trans-board or trans-card MP binding.

When you configure MP in the MP-group mode, you can directly add the serial interface to the
MP-group.
In the current version, Ethernet OAM IEEE 802.1g and Y.1731 is not applicable to public
network ML-PPP.
6.5.2 Encapsulating an Interface with PPP

This section describes how to configure PPP as the link layer protocol on an interface and how
to enable MRU negotiation.
Before You Start

Before configuring PPP and enabling MRU negotiation, familiarize yourself with the usage
scenario, complete the pre-configuration tasks, and obtain the required data.
Usage Scenario
As a link layer protocol that bears network-layer packets over P2P links, PPP supports MRU
negotiation.
Before configuring PPP, connect the interface and configure physical parameters for the
interface to ensure that the physical layer status of the interface is Up.
Data Preparation
To configure PPP or PPP MRU negotiation, you need the following data.
No.
Data
Encapsulating the Interface with PPP

This section describes how to configure PPP as the link layer protocol on an interface.
Context
Issue 02 (2013-12-31)

1782

Equipment
6 WAN Access
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
link-protocol ppp
The link layer protocol is configured as PPP.

----End

After PPP encapsulation and PPP MRU negotiation are configured on an interface, you can view
the PPP configuration and the negotiated MRU value on the interface.
Prerequisites
The configurations of the encapsulating an interface with PPP and MRU negotiation are
complete.
Procedure
l

PPP configuration and the negotiated MTU value of the interface.
----End
6.5.3 Configuring PPP Optional Parameters

This section describes how to configure optional PPP parameters. Detailed operations include
negotiation timeout period, polling interval,, and also include preventing the peer host route from
being added to the local routing table of direct routes.
Before You Start

Before configuring PPP optional parameters, familiarize yourself with the usage scenario,
Usage Scenario
l
Interval for the negotiation timeout

In PPP negotiation, if no response is received from the peer end within the interval, PPP
resends a negotiation request.
Polling interval
Link layer protocols such as PPP use a polling timer to check whether a link works normally.
Issue 02 (2013-12-31)

1783

Equipment
6 WAN Access
In the case of a long network delay or severe congestion, you can prolong the polling interval
to reduce network flapping.
When configuring the polling interval, ensure that both ends are configured with the same
interval.
l
Link quality parameter

When the quality of a link is lower than the quality percentage of the forbidden link, the
link is disabled. When the link quality is restored to the quality percentage of the recovered
link, the link is enabled automatically.
To avoid a link from frequently switching between prohibition and restoration, the delay
for restarting a link is required.
Before configuring optional parameters of PPP, complete the following tasks:
l
Connect interfaces and configure physical attributes for these interfaces to ensure that the
physical layer of the interfaces is Up.
Configure PPP as the link layer protocol of interfaces

.
Data Preparation
To configure optional parameters of PPP, you need the following data.
No.
Data
Timeout interval of PPP negotiation
Polling interval
Configuring the Timeout Period of Negotiation

During PPP negotiation, if the peer does not reply with a response packet before the negotiation
times out, PPP resends the negotiation request packet.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ppp timer negotiate seconds
Issue 02 (2013-12-31)

1784

Equipment
6 WAN Access
The timeout period of negotiation is configured on the interface.

----End
Configuring the Polling Interval

This section describes how to configure the interval for sending Keepalive packets to a peer.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
timer hold hold-time
The polling interval is configured on the interface.

----End

After PPP optional parameters are configured, you can view the PPP configuration and running
status on the interface.
Prerequisites
The configurations of the PPP otional prameters are complete.
Procedure
l
Run the display current-configuration interface [ interface-type [ interface-number ] ]

and display interface [ interface-type [ interface-number ] ] command to check the PPP
configuration and the status of the interface.
----End
6.5.4 Configuring MP Binding Using an MP-Group

Multiple serial interfaces can be bundled into a logical interface. The ATN allows interfaces to
be bundled into an MP-group interface.
Before You Start

Before configuring MP binding through the MP-Group, familiarize yourself with the usage
scenario, complete the pre-configuration tasks, and obtain the required data.
Issue 02 (2013-12-31)

1785

Equipment
6 WAN Access
Usage Scenario
In MP negotiation, different carriers complements differently.
By default, the endpoint discriminator needs to be negotiated in ATN MP negotiation. If no
endpoint discriminator is sent, MP negotiation fails. As a result, the endpoint discriminator
negotiation cannot be configured on the local side.
NOTE
Configure the local and the peer ends separately. However, the configuration methods are the same.
Before configuring MP binding using MP-Group, complete the following tasks:
l
Configure physical attributes for the ATN interface.
Configure the link layer protocol of the interface as PPP.
Data Preparation
To configure MP binding using MP-Group, you need the following data.
No.
Data
Interface number of the ATN
Interface number of MP-Group
IP addresses and subnet masks of the MP-Group interface
Adding an Interface to an MP-Group

Bundling multiple interfaces into an MP-group interface increases bandwidth.
Context
When using an MP-group to bind an interface, consider the following items:
l
Physical interfaces must be bound into one MP-group in the same mode.
All physical interfaces in one MP-group must be on the same interface card because the
ATN does not support trans-board and trans-card MP binding.
In the case of the AND1MD1A/AND1MD1B/AND2MD1A/AND2MD1B, the former 16

and latter 16 E1 interfaces cannot be added to an MP-Group.
The number of physical interfaces bound in one MP-group used to interwork at two ends
must be the same.
When multiple physical interfaces are bound in one local MP-group, the peer interfaces
directly connected to those physical interfaces must be bound into one MP-group.

Issue 02 (2013-12-31)

1786

Equipment
6 WAN Access
Procedure
Step 1 Run:
system-view

Step 2 Run:
interface mp-group number
The MP-group interface is created.

Step 3 Run:
The IP address is assigned for the MP-group interface.

Step 4 Run:
shutdown
The MP-group interface is shut down.

Step 5 Run:
quit

Step 6 Run:

Step 7 Run:
shutdown
The interface is shut down.

Step 8 Run:
ppp mp mp-group number
The interface is added to the MP-group.

Step 9 Run:
undo shutdown
The interface is restarted.

Step 10 Run:
quit

Step 11 Run:
The MP-group interface view is displayed.

Step 12 Run:
undo shutdown
Issue 02 (2013-12-31)

1787

Equipment
6 WAN Access
The MP-group is restarted.

----End
Disabling the Endpoint Discriminator Negotiation

The LCP status can be Up only when the terminal discriminators of the MP-Groups on both ends
are the same. If the terminal discriminators are different, you need to disable the terminal
discriminator negotiation.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The MP-Group interface is created.

Step 3 Run:
undo discriminator
The terminal discriminator negotiation is disabled.

By default, the endpoint discriminator negotiation is enabled. The LCP status is Up only when
the endpoint discriminators of the MP-Group ports are the same.
The configuration of the endpoint discriminator negotiation on both ends must be the same. If
one end is configured with the undo discriminator command whereas the other end is
configured with the discriminator command, the parameters sent by the end configured with
the undo discriminator command do not contain the endpoint discriminator, and this end
accepts the endpoint discriminator of the other end. As a result, MP cannot be established.
If you want to use the undo discriminator command on the MP-Group interface, you must use
the shutdown and undo shutdown commands on the MP-Group interface to enable the
configuration.
----End

After an MP-group interface is configured, you can check information about the MP-group
interface and the status of member interfaces.
Procedure
l
Run the display ppp mp [ interface interface-type interface-number ] command to check

the MP binding information.
Run the display interface mp-group [ number ] [ | { begin | exclude | include } regularexpression ] command to check the status of the MP-group interface.
Issue 02 (2013-12-31)

1788

Equipment
6 WAN Access
Run the display interface brief [ | { begin | include | exclude } regular-expression ]

command to check brief information about the MP-Group interface and its member
interfaces.
----End
6.5.5 Configuring MP Limiting Parameters

This section describes how to configure MP limiting parameters.
Before You Start

Before configuring MP limiting parameters, familiarize yourself with the usage scenario,
Usage Scenario
After configuring MP binding, you can configure MP limiting parameters to optimize the link
channels.
The limiting parameters include:
l
Maximum receiving re-group unit
Before configuring MP limiting parameters, complete the following tasks:
l
Connect the interface and configure its physical parameters to change the physical layer
status Up
.
Configure MP binding
.
Data Preparation
To configure MP limiting parameters, you need the following data.
Issue 02 (2013-12-31)
No.
Data
The MRRU of MP
Time period during which the MP subchannel status is detected
Maximum number of times flappings occur on the MP subchannel within the

detection time
Minimum time during which the MP subchannel keeps Up to be released from

damping
Minimum number of subchannels in the Up state in an MP

1789

Equipment
6 WAN Access
NOTE
l After changing the parameters configured in the MP-group view, use the shutdown command on the
MP-Group interface to disable MP binding.
l Then use the undo shutdown command on the MP-Group interface to bind MP again.
l Finally, all the configured commands will be effective.
Configuring the MRRU of an MP Group

The Max-Receive-Reconstructed Unit (MRRU) is a mandatory parameter of MP negotiation.
By negotiating the MRRU with the peer, the local end confirms the maximum length of a packet
that the peer can reassemble from fragments and determines how to fragment IP packets.
Context
Max-Receive-Reconstructed Unit (MRRU) refers to the maximum size of the packet that can
be re-assembled with the received fragment packets. MP must negotiate MRRU with the remote
before performing IP packet fragmentation.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The MP group interface is displayed.

Step 3 Run:
mrru mrru
The MRRU of the MP group is configured.

By default, MRRU is 1500 bytes.
Step 4 Run:
shutdown
The current interface is shut down.

undo shutdown
The current interface is restarted.

----End
Configuring the Damping Function for MP Subchannels

The damping function can suppress the frequent flappings of an MP subchannel, and the
subchannel can be released from the damping state only after it keeps Up for a specified time
of period.
Issue 02 (2013-12-31)

1790

Equipment
6 WAN Access
Context
Perform the following steps on the ATNs configured with MP-Group interfaces:
Procedure
Step 1 Run:
system-view

Step 2 Run:
The MP-Group interface view is displayed.

Step 3 Run:
ppp mp damping detect-time detect-time flapping-count flapping-count damping-time
damping-time
The damping function is configured for the MP subchannels.

----End
Configuring the Minimum Number of Subchannels in the Up State in an MP Link

After the LCP negotiation is successful, a PPP link can be added to an MP link only when the
number of subchannels in the Up state in the MP link reaches the configured minimum value,
and then the MP can perform the NCP negotiation. That is, you can set the minimum bandwidth
for an MP link as required.
Context
Perform the following steps on the ATNs configured with MP-Group interfaces:
Procedure
Step 1 Run:
system-view

Step 2 Run:
The MP-Group interface view is displayed.

Step 3 Run:
ppp mp threshold-least number
The minimum number of subchannels in the Up state in the MP link is set.

NOTE
It is recommended that the lower thresholds of the MP groups at both ends of the link be set to the same value.
Step 4 Run:
shutdown
Issue 02 (2013-12-31)

1791

Equipment
6 WAN Access
and
undo shutdown
Or run:
restart
An MP-Group interface is restarted.

----End
Preventing the Peer Host Route from Being Added to the Local Routing Table of
Direct Routes
This section describes how to prevent the peer host route from being added to the local routing
table of direct routes. This prevents the situation where one end is configured with an incorrect
IP address, and the other end automatically adds the incorrect peer host route to the local routing
table, which results in the discrimination of incorrect routing information on the network.
Context
The PPP link does not strictly require that the peer route and local route exist on the same network
segment. Two ends of the PPP link at different network segments can communicate. In addition,
the peer host route at a different network segment can also be automatically added to local routing
table of direct routes.
However, when one end is configured with an incorrect IP address, the other end automatically
adds the incorrect peer host route to the local routing table of direct routes. As a result, the
incorrect routing information is advertised across the network.
With the following command, you can decide whether the peer host route is added to the local
routing table of direct routes.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ppp peer hostroute-suppress
The peer host route is prevented from being added to the local routing table.
NOTE
After enabling or disabling this function, restart the interface to validate the configuration.
Step 4 First run the shutdown and then run undo shutdown commands to restart the interface.
----End
Issue 02 (2013-12-31)

1792

Equipment
6 WAN Access

After MP limiting parameters are configured, you can check the configurations of the parameters.
Procedure
Step 1 Run the display current-configuration interface [ interface-type [ interface-number ] ]
command to check the configuration of MP-Group interface.
----End
6.5.6 Configuring MP Fragmentation

This section describes how to configure MP fragmentation. Detailed operations include setting
the minimum length of outgoing packets to be fragmented .
Before You Start

Before configuring MP fragmentation, familiarize yourself with the usage scenario, complete
Usage Scenario
After binding the interface to the MP, configure MP fragmentation as required to optimize the
link channel.
Before configuring MP fragmentation, complete the following tasks:
l
Connect the interface and configure its physical parameters to change the physical layer
status Up.
Configure MP binding.
Data Preparation
To configure MP fragmentation, you need the following data.
No.
Data
Length of the MP packet to be fragmented
Configuring the MP Fragment Function

Setting the proper size for an MP fragment improves bandwidth usage.
Context
Using the MP fragment function, you can adjust the value of the MP fragment packets.
Issue 02 (2013-12-31)

1793

Equipment
6 WAN Access
Procedure
Step 1 Run:
system-view

Step 2 Run:
The MP group interface is displayed.

Step 3 Run:
fragment-threshold threshold
The fragment value of MP data packet is configured.

NOTE
On an MP link, configuring MP fragmentation to improve link efficiency and setting the size of each
fragment to 256 bytes are recommended.
----End

After MP fragmentation is configured, you can check the configuration of MP fragmentation.
Procedure
Step 1 Run the display current-configuration [ interface [ interface-type [ interface-number ]]]
command to check the MP fragmentation information.
----End
6.5.7 Configuring Global-MP-Group Interfaces

Multiple Trunk-Serial interfaces can be bundled into a logical Global-MP-Group interface.
Context
NOTE
Only the ATN 950B supports Global-MP-Group Interfaces.
Before You Start

Before configuring a Global-MP-Group interface, familiarize yourself with the usage scenario,
Usage Scenario
To increase service bandwidth, you can bundle multiple Trunk-Serial interfaces of the E1
channel in a CPOS-Trunk into a Global-MP-Group interface.
After these Trunk-Serial interfaces are added to the Global-MP-Group interface, services can
be configured directly on the Global-MP-Group interface.
Issue 02 (2013-12-31)

1794

Equipment
6 WAN Access
Before configuring the Global-MP-Group interface, configure PPP as the link layer protocol for
these Trunk-Serial interfaces.
Data Preparation
To configure the Global-MP-Group interface, you need the following data.
No.
Data
Numbers of Trunk-Serial interfaces
Number of the Global-MP-Group interface
Establishing a Global-MP-Group Interface and Adding Member Interfaces to It

This section describes how to bundle multiple Trunk-Serial interfaces into a Global-MP-Group
interface to increase the service bandwidth.
Context
When bundling multiple Trunk-Serial interfaces into a Global-MP-Group interface, note the
following points:
l
The number of Trunk-Serial interfaces that are bundled into a Global-MP-Group interface
must be the same on each end.
The Trunk-Serial interfaces that are directly connected to Trunk-Serial interfaces bundled
into the local Global-MP-Group interface on the peer end must be bundled into the same
Global-MP-Group interface.
Procedure
Step 1 Run:
system-view

Step 2 Run:
interface global-mp-group global-mp-group-number
A Global-MP-Group interface is created.

Step 3 Run:
quit

Step 4 Run:
interface
Issue 02 (2013-12-31)
trunk-serial interface-number

1795

Equipment
6 WAN Access
The Trunk-Serial interface view is displayed.

Step 5 Run:
shutdown
A Trunk-Serial interface is shut down.

Step 6 Run:
ppp mp-global global-mp-group global-mp-group-number
A member interface is added to the Global-MP-Group interface.
Step 7 Run:
undo shutdown
The Trunk-Serial interface is restarted.

Step 8 Run:
quit

Step 9 Run:
interface global-mp-group global-mp-group-number
The Global-MP-Group interface view is displayed.

mrru mrru
The MRRU of the MP group is configured.

discriminator
Terminal discriminator negotiation is enabled on the Global-MP-Group interface.

ppp peer hostroute-suppress
The peer host route is prevented from being added to the local routing table of direct routes.
NOTE
After enabling or disabling this function, restart the interface to validate the configuration.
----End

This section describes how to check Global-Mp-Group interface configurations.
Procedure
Step 1 Run the display ppp mp-global [ interface global-mp-group interface-number ] command to
check information about the member interfaces of the Global-Mp-Group interface.
----End
Issue 02 (2013-12-31)

1796

Equipment
6 WAN Access
Example
Run the display ppp mp-global command to view information about the member interfaces of
the Global-Mp-Group interface.
<HUAWEI> display ppp mp-global interface global-mp-group 1
Global-Mp-Group is Global-Mp-Group1

This section provides several examples for configuring PPP and MP. These configuration
examples explain the networking requirements, configuration roadmap, data preparation,
configuration procedure, and configuration files.
Example for Configuring MP Binding by Using an MP-Group Interface

This example shows how to bundle serial interfaces into an MP-group interface so that routers
can communicate through the MP-group interface on the typical network where an ATN and a
CX are connected through two pairs of serial interfaces.
NOTE
This document takes interface numbers and link types of the ATNas an example. In working situations,
the actual interface numbers and link types may be different from those used in this document.
For the two serial interfaces of ATN and CX are connected respectively with each other, you
can bind MP group to configure MP binding.
Figure 6-6 Networking diagram of the MP-group binding
Mp-group0/2/1
111.1.1.1/24
Serial0/2/0:0
ATN
Serial0/2/1:0
Mp-group2/0/1
111.1.1.2/24
Serial2/0/0:0
Serial2/0/1:0
CX600
1.
Set parameters for the serial interface.
2.
Create MP-group interface and add related interfaces to MP-group.
3.
Restart interfaces to validate the configuration.
Data Preparation
Issue 02 (2013-12-31)

1797

Equipment
The IP addresses of the Mp-groups on ATN
The IP addresses of the Mp-groups on CX
6 WAN Access
NOTE
l The slot number and card number of MP-Group interface must be consistent with the slot number and
card number of the interface added to the MP-Group.
l The interfaces added to the MP-group can only be the serial interfaces instead of other interfaces.
Procedure
Step 1 Configure ATN .
# Create an Mp-group interface and configure the corresponding interface.
[ATN-Mp-group0/2/1] ip address 111.1.1.1 255.255.255.0
[ATN-Mp-group0/2/1] quit
# Add Serial 0/2/0:0 to the Mp-group interface.

[ATN-E1 0/2/0] quit
[ATN] interface Serial 0/2/0:0
[ATN-Serial0/2/0:0] ppp mp mp-group0/2/1

[ATN-E1 0/2/1] quit
[ATN] interface Serial 0/2/1:0
[ATN-Serial0/2/1:0] ppp mp mp-group0/2/1
Step 2 Configure CX.

# Create an Mp-group interface and configure the corresponding IP address.
[CX] interface mp-group 2/0/1
[CX-Mp-group2/0/1] ip address 111.1.1.2 255.255.255.0
[CX-Mp-group2/0/1] quit

[CX] controller e1 2/0/0
[CX-E1 2/0/0] channel-set 0 timeslot-list 1-31
[CX-E1 2/0/0] quit
[CX] interface Serial 2/0/0:0
[CX-Serial2/0/0:0] link-protocol ppp
[CX-Serial2/0/0:0] ppp mp mp-group 2/0/1
[CX-Serial2/0/0:0] quit

[CX] controller e1 2/0/0
[CX-E1 2/0/0] channel-set 0 timeslot-list 1-31
[CX-E1 2/0/0] quit
[CX] interface Serial 2/0/0:0
[CX-Serial2/0/0:0] link-protocol ppp
[CX-Serial2/0/1:0] ppp mp mp-group 2/0/1
Issue 02 (2013-12-31)

1798

Equipment
6 WAN Access
[CX-Serial2/0/1:0] quit

# Check the configuration on ATN .
[ATN] display ppp mp interface mp-group 0/2/1
Mp-group is Mp-group0/2/1
Serial0/2/0:0 physical UP,protocol UP
Bundle Multilink, 2 member, slot 0, Master link is Mp-group0/2/1
The bundled son channels are:
Serial0/2/0:0
Serial0/2/1:0
# Check the Mp-group 2/0/1 status on CX.

[CX] display ppp mp interface Mp-group2/0/1
Mp-group is Mp-group2/0/1
Bundle Multilink, 2 member, slot 2, Master link is Mp-group2/0/1
0 lost fragments, 0 reordered, 0 unassigned, 0 interleaved,
sequence 0/0 rcvd/sent
The bundled son channels are:
Serial2/0/0:0
Serial2/0/1:0
You can ping through the IP address of the MP-group 2/0/1 on ATN .
[ATN] ping 111.1.1.2
0.00% packet loss
ms
ms
ms
ms
ms
----End
Configuration Files
l

#
sysname ATN
#
controller e1 0/2/0
undo shutdown
#
controller e1 0/2/1
undo shutdown
#
link-protocol ppp
Issue 02 (2013-12-31)

1799

Equipment
6 WAN Access
#
link-protocol ppp
#
ip address 111.1.1.1 255.255.255.0
#
return
Configuration file of CX
#
sysname CX
#
controller e1 2/0/0
undo shutdown
#
controller e1 2/0/1
undo shutdown
#
link-protocol ppp
#
link-protocol ppp
#
ip address 111.1.1.2 255.255.255.0
#
return
6.6 ATM IMA Configuration

IMA is the acronym of Inverse Multiplexing for ATM. The general idea of IMA is that the sender
schedules and distributes a high-speed ATM cell stream to multiple low-speed physical links
for transmission, and then the receiver schedules and reassembles the stream fragments into one
cell stream and submits the cell stream to the ATM layer. In this manner, bandwidths are
multiplexed flexibly, improving the efficiency of bandwidth usage.
6.6.1 ATM IMA Overview

This section briefly introduces ATM IMA and describes ATM IMA features supported by the
ATN.
Introduction to ATM IMA

ATM IMA is one of the main scenarios of IPRAN.
Background
Mobile providers worldwide have been constructing the Radio Access Network (RAN)
continuously. The Second Generation (2G) RAN network is based on TDM/SDH, and thus it
has a lower utilization of bandwidth, is hard to expand, and is inflexible to configure.
Issue 02 (2013-12-31)

1800

Equipment
6 WAN Access
The IP data communication network has become the mainstream of data communications by
supporting extensive access modes and large - scale networks.
The introduction of IP to the RAN is an important step because it helps to optimize the
investments of carriers and reduce the cost on establishing the network, and smoothly evolve
the 2G network to the 3G network. That is, IPRAN functions as the solution to the preceding
problems. Compared with the RAN solution, IPRAN adopts the IP transmission technology to
replace the ATM technology. After IPRAN is developed, providers can use the existing IP
network resources to network between base transceiver stations (BTSs) and base station
controllers (BSCs).
With the development of the IP network, the expandability, upgradeability, and compatibility
of the IP network has improved to a great extent. The flexibility of the upgrade, expansion, and
interworking of traditional communication networks is less improved due to transmission modes
and service types. In addition, the sharing and compatibility among new networks is inadequate,
which is inconvenient for interworking management. Therefore, in the process of upgrading and
expanding traditional networks, you must establish repetitious networks or fully use the current
or public network resources.
On 2G networks, a BTS accesses a router through TDM E1 interfaces; on 3G networks, a NodeB
accesses a router through the Inverse Multiplexing over ATM IMA E1 interfaces.
3G-IMA
IPRAN is a trend. UMTS R99/R4 defines ATM as the protocol that is used to transmit services
between the NodeB and RNC, and E1 IMA interfaces are mainly used to connect the two ends.
Figure 6-7 shows the networking diagram.
Figure 6-7 ATM IMAoPSN networking diagram
N*E1(ATM IMA)
NodeB
STM-1 ATM
SDH/Multi
Service IP/MPLS
STM-1 ATM RNC
NodeB
STM-1 ATM
NodeB
To improve utilization of links, IMA is applied to ATM physical interfaces. When users need
to access an ATM network at a rate between E1 and E3, IMA divides a high-speed link into
Issue 02 (2013-12-31)

1801

Equipment
6 WAN Access
multiple low-speed logic links on which user data is transmitted. Thus, low-speed links are
multiplexed into the high-speed link. During the process, the rate of the high-speed link is
approximately equal to the sum of the rates of multiple low-speed links.
ATM IMA Features Supported by the ATN

This section describes the ATM IMA features supported by the ATN.
ATM IMA supports the basic services such as the 1-to-1 service, and N-to-1 service. The
following table shows the corresponding interface types at the AC side and methods of setting
up PWs.
Table 6-5 Basic ATM IMA service types, and the corresponding interface types at the AC side
and methods of setting up PWs
Basic Service Type
Interface Type at the

AC Side
Method of Setting Up
PWs
1-to-1 VCC ATM transparent cell

transport
l Serial subinterfaces
l Local CCC
l IMA group subinterfaces
l PWE3
N-to-1 VCC ATM transparent cell

transport with VPI/VCI mapping
l SVC
1-to-1 VPC ATM transparent cell

transport
N-to-1 VPC ATM transparent cell
transport with VPI mapping
6.6.2 Configuring ATM Services on a Serial Interface

This section describes how to configure ATM services on a serial interface. Detailed operations
include configuring the ATM protocol on a serial interface, configuring the ATM interface type
for a serial interface, and creating a Permanent Virtual Channel (PVC) on a serial interface.

Before configuring ATM services on a serial interface, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and accurately.
Traditional ATM services can run only on ATM interfaces, which leads to high cost of ATM
transmission and very limited applications of ATM services.
By using the Time Division Multiplexing (TDM) technology, a CE1 interface enables you to
choose different transmission channels according to bandwidth requirements to fully utilize
bandwidth resources. A CE1 interface can be channelized to multiple synchronization serial
interfaces. The CE1 interface, thus, can be configured with different types of protocols, which
Issue 02 (2013-12-31)

1802

Equipment
6 WAN Access
decreases communication cost, increases configuration flexibility, and enables the CE1 interface
to support various services.
Currently, the synchronization serial interfaces on the ATN can be configured wih the ATM
protocol and can be added to an IMA group.
NOTE
For how to add a serial interface to an IMA group, see Configuring an IMA Group in this chapter.
Before configuring ATM services on a serial interface, complete the following tasks:
l
Configuring physical parameters for the CE1 interface to ensure that the physical layer
status of the interfaces is Up
Channelizing the CE1 interface on the ATN to synchronization serial interfaces

NOTE
For configurations of a CE1 interface, refer to 6.1 E-Carrier and T-Carrier Interfaces Configuration.
Data Preparation
To configure ATM services on a serial interface, you need the following data.
No.
Data
Number of the synchronization serial interface
PVC name (optional),VPI/VCI and VPI/VCI mapping value
Configuring the ATM Protocol on a Serial Interface

Before adding a serial interface to an Inverse Multiplexing over ATM (IMA) group, you need
to configure ATM as the link layer protocol of the serial interface.
Context
After the link layer protocol of a serial interface is configured to ATM, the ATM status is Up
only when the physical status of the interface is Up.
A serial interface can be added to an IMA group only after the link layer protocol of this interface
is configured to ATM.
By default, the link layer protocol of a serial interface is not adopted.
Procedure
Step 1 Run:
system-view
Issue 02 (2013-12-31)

1803

Equipment
6 WAN Access

Step 2 Run:

Step 3 Run:
link-protocol atm
The ATM protocol is configured to be the link layer protocol on the serial interface.
----End
(Optional) Configuring the ATM Interface Type for a Serial Interface

You can configure interface types according to the function of the device on a link.
Context
After the link layer protocol of a serial interface is configured to ATM, you can configure the
ATM interface type to User-to-Network Interface (UNI) or Network-to-Network Interface
(NNI).
l
If a device needs to work as a user side device, you need to set the ATM interface type of
the interface connecting the peer device to UNI.
If a device needs to work as a network side device, you need to set the ATM interface type
of the interface connecting the peer device to NNI.
By default, the ATM interface type on a serial interface is UNI.

NOTE
The ATM interface type on a serial interface can be configured only after the link layer protocol of the
serial interface is set to ATM.
The VPI value range of the PVC/PVP on the serial sub-interface varies with the ATM interface type on a
serial interface. For detailed information, refer to the PVC/PVP commands in the Command Reference.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
atm interface-type { uni | nni }
The type of the ATM interface is configured on the serial interface.

----End
Issue 02 (2013-12-31)

1804

Equipment
6 WAN Access
Creating a PVC on a Serial Interface

You can create PVCs to implement point-to-multipoint (P2MP) ATM transmission.
Context
ATM transmission can be implemented only after a PVC is created. PVCs support Point-toMultipoint (P2MP) ATM transmission.
As for creating a PVC, note the following:
l
A PVC can be created on a serial interface only after the link layer protocol of the interface
Currently, in the ATN, a PVC can be created on a serial sub-interface rather than a serial
main interface.
Procedure
Step 1 Run:
system-view

Step 2 Run:
interface serial interface-number.subinterface-number
The serial sub-interface is created and the sub-interface view is displayed. If the sub-interface
already exists, the sub-interface view is displayed.
Step 3 Run:
pvc vpi/vci
The PVC is created and the PVC view is displayed.

Step 4 Run:
map pvc vpi/vci bidirectional
The mapping between the local VPI/VCI and its peer VPI/VCI is created.
NOTE
The value of the peer VPI/VCI must be consistent with that of the local VPI/VCI.
----End
Creating a PVP on a Serial Interface

To implement ATM VP monitoring, you need to create a Permanent Virtual Path (PVP).
Context
The ATM VP monitoring function can be implemented only after a PVP is created.
As for creating a PVP, note the following:
Issue 02 (2013-12-31)

1805

Equipment
6 WAN Access
A PVP can be created on a serial interface only after the link layer protocol of the interface
Currently, in the ATN, a PVP can be created only on a serial sub-interface rather than a
serial main interface.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The serial sub-interface is created and the sub-interface view is displayed. If the sub-interface
already exists, the sub-interface view is displayed.
Step 3 Run:
pvp vpi
The PVP is created and the PVP view is displayed.

Step 4 Run:
map pvp vpi bidirectional
A mapping PVP is created.

NOTE
The mapping value of the peer VPI must be consistent with that of the local VPI.
----End

After ATM services are configured on a serial interface, you can view the configuration of the
serial interface and information about the PVC and PVP configured on the serial interface.
Prerequisites
The configurations of all ATM services on a serial interface are complete.
Procedure
l
Run the display interface serial interface-number command to check the configurations
on the serial interface.
Run the display atm pvc-info [ interface serial interface-number [ pvc vpi/vci ] ] command
to check information about the PVC on the serial interface.
Run the display atm pvp-info [ interface serial interface-number [ pvp vpi ] ] command
to check information about the PVP on the serial interface.
----End
Issue 02 (2013-12-31)

1806

Equipment
6 WAN Access
6.6.3 Configuring IMA Groups

This section describes how to configure an IMA group. Detailed operations include creating an
IMA group, configuring the number of cells contained in an IMA frame, bandwidth, and ATM
interface type for an IMA group, adding an interface to an IMA group, and creating a PVC and
a PVP for an IMA group.

Before configuring an IMA group, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration. This
will help you complete the configuration task quickly and accurately.
When users want to access the ATM network at a rate between E1 and E3, using E3 is not costeffective. Using multiple E1 lines is a better solution that can be realized by IMA.
An IMA group is a logical link having one or more links. Its bandwidth is approximately equal
to the sum of all the member links' bandwidth.
NOTE
IMA group interfaces do not support Layer 3 protocols.
Before configuring an IMA group, complete the following task:
l
Creating a synchronization serial interface channelized from CE1 and configuring the ATM
protocol on the serial interface if an IMA group needs to be configured on the serial interface
of the ATN
Data Preparation
To configure an IMA group, you need the following data.
No.
Data
Number of the IMA group
Interface number of the IMA group
Bandwidth of the IMA group
Creating an IMA Group

To configure an IMA group is to bind one or multiple links together to increase bandwidth.
Issue 02 (2013-12-31)

1807

Equipment
6 WAN Access
Context
Creating an IMA group is the prerequisite to performing group-related configurations and adding
interfaces to the IMA group.
Procedure
Step 1 Run:
system-view

Step 2 Run:
interface ima-group interface-number
An IMA group is created and the IMA group interface view is displayed.
----End
Setting the Number of the Cells Contained in an IMA Frame

It is recommended that you adopt the default number of cells contained in an IMA frame.
Context
By default, the number of the cells contained in an IMA frame is 128.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The IMA group interface view is displayed.

Step 3 Run:
frame-length { 32 | 64 | 128 | 256 }
The number of the cells contained in an IMA frame is set.

NOTE
After a member link is added to the IMA group, the number of cells contained in an IMA frame cannot be
changed.
----End
Issue 02 (2013-12-31)

1808

Equipment
6 WAN Access
Configuring Bandwidth for an IMA Group

The bandwidth for an IMA group is determined by the minimum number of available member
links in the IMA group.
Context
The bandwidth for an IMA group is determined by the minimum number of available member
links in the group. An IMA group can work only if the number of available member links is
larger than or equal to the minimum number of available member links.
By default, the minimum number of available member links in an IMA group is 1. That is, an
IMA group can work as long as one member link is available.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
min-active-links number
The minimum number of available member links in the IMA group is set.
----End
Setting the Maximum Link Differential Delay for the IMA Group
Context
By default, the maximum differential delay of member links in an IMA group is 25 ms.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Issue 02 (2013-12-31)

1809

Equipment
6 WAN Access
Step 3 Run:
differential-delay milliseconds
The maximum differential delay of member links in an IMA group is set, in milliseconds.
----End
Adding an Interface to an IMA Group

You can add an interface to an IMA group to bind one or multiple links.
Context
Synchronization serial interfaces channelized from a CE1 interface can be added to an IMA
group. As for adding an interface to an IMA group, note the following:
l
An interface can be added to only one IMA group at one time.
After an interface is added to an IMA group, the network layer configurations on the
interface do not take effect any more.
As for adding a synchronization serial interface to an IMA group, besides the preceding
information, note the following:
l
A synchronization serial interface can be added to an IMA group only after the link layer
protocol of the interface is configured to ATM.
After a synchronization serial interface is added to an IMA group, the link layer protocol
of the interface can be changed only after the interface is removed from the group.
After a synchronization serial interface is added to an IMA group, no sub-interfaces can be

created on the interface.
By default, no links are added to IMA groups, and each link can independently run various
services.
NOTE
An interface can be added to an IMA group only after the group is created.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The synchronization serial interface view is displayed.

Step 3 Run:
ima ima-group interface-number
The interface is added to the IMA group.

Issue 02 (2013-12-31)

1810

Equipment
6 WAN Access
NOTE
The interface can be added only to one IMA group with the slot number and card number being the same
as those of the interface.
For the 32 channels E1 PIC, the synchronous serial interfaces numbered 015 can be added into only IMA
groups numbered 116, and serial interfaces numbered 1631 into only IMA groups numbered 1732.
----End
(Optional) Configuring the ATM Interface Type for an IMA Group

You can configure the interface type according to the function of the device on a link.
Context
After a serial interface is added to an IMA group, the ATM interface type of the serial interface
does not take effect any more. You can re-configure the ATM interface type on the IMA group
interface.
l
If a device needs to work as a user side device, you need to set the ATM interface type of
the interface connecting the peer device to UNI.
If a device needs to work as a network side device, you need to set the ATM interface type
of the interface connecting the peer device to NNI.
By default, the ATM interface type of an IMA group is UNI.

NOTE
The VPI value range of the PVC/PVP on the IMA sub-interface varies with the ATM interface type of an
IMA group. For detailed information, refer to pvc and pvp in the Command Reference.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
atm interface-type { uni | nni }
The ATM interface type is configured on the IMA group interface.

----End
Creating a PVC for an IMA Group

ATM transmission can be implemented only after a PVC is created. PVCs support P2MP ATM
transmission.
Issue 02 (2013-12-31)

1811

Equipment
6 WAN Access
Context
ATM transmission can be implemented only after a PVC is created. PVCs support Point-toMultipoint (P2MP) ATM transmission.
Currently, in the ATN, a PVC can be created on an IMA group sub-interface rather than an IMA
group interface.
Procedure
Step 1 Run:
system-view

Step 2 Run:
interface ima-group interface-number.subinterface-number
The IMA group sub-interface is created and the sub-interface view is displayed.
Step 3 Run:
pvc vpi/vci

Step 4 Run:
----End
Creating a PVP for an IMA Group

The ATM VP monitoring function can be implemented only after a PVP is created.
Context
Currently, in the ATN, a PVP can be created on an IMA group sub-interface rather than an IMA
group interface.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The IMA group sub-interface is created and the sub-interface view is displayed.
Issue 02 (2013-12-31)

1812

Equipment
6 WAN Access
Step 3 Run:
pvp vpi
The PVP is created and the PVP view is displayed.

Step 4 Run:

----End

After an IMA group is configured, you can view the configuration and status of the ATM
interface, brief information about the IMA-Group interface and its member interfaces, and the
configuration and status of the IMA group.
Prerequisites
The configurations of the IMA groups are complete.
Procedure
l
Run the display interface [serial] [ interface-number ] command to check the

configuration and status of the serial interface.
Run the display interface brief command to check brief information about the IMA-Group
interface and its member interfaces.
Run the display interface ima-group [ group-number ] command to check configuration

and status of the IMA group.
----End
6.6.4 Configuring IMAoPSN Functions(1-to-1 and N-to-1 ATM

Transparent Cell Transport)
This section describes how to configure 1-to-1 and N-to-1 ATM transparent cell transport.

Before configuring ATMoPSN Functions(1-to-1 and N-to-1 ATM Transparent Cell Transport),
familiarize yourself with the applicable environment, complete the pre-configuration tasks, and
obtain the required data. This can help you complete the configuration task quickly and
accurately.
l
If a few ATM services that require a high transmission rate are transparently transmitted
over a PSN network, you can configure 1-to-1 VCC ATM transparent cell transport.
If a large number of ATM services are transparently transmitted over a PSN network, you
can configure N-to-1 VCC ATM transparent cell transport. In N-to-1 VCC ATM
transparent cell transport, an ATM physical link can be divided into multiple PVCs, with
Issue 02 (2013-12-31)

1813

Equipment
6 WAN Access
each PVC transmitting a single type of service. For example, you can create three PVCs to
transmit audio traffic, video traffic, and data traffic. This helps improve ATM QoS.
l
If a PSN that transmits the ATM services requires high transmission rate but has light
service traffic, and the ATM services have the same destination (that is, the VPI values on
the PW link are the same), you can configure 1-to-1 VPC ATM transparent cell transport.
If a large number of ATM services are transmitted over a PSN network and a PW transmits
the cells of multiple ATM PVCs, you can configure N-to-1 VPC ATM transparent cell
transport. In N-to-1 VPC ATM transparent cell transport, multiple PVPs can transmit
various types of services such as video traffic, audio traffic, and data traffic. Each PVP can
transmit a single type of service. For example, a PVP transmits audio traffic and another
PVP transmits video traffic. This helps improve ATM QoS.
Before configuring ATMoPSN Functions(1-to-1 and N-to-1 ATM Transparent Cell Transport),
complete the following tasks on the ATNs at the two ends of the PW:
l
Configuring basic MPLS functions
Enabling MPLS L2VPN
Data Preparation
To configure ATMoPSN Functions(1-to-1 and N-to-1 ATM Transparent Cell Transport), you
No.
Data
Number of the serial interface
Destination address and ID of the L2VC
Configuring the Parameters of the CE1 Interface

Parameters of CE1 interfaces include operating modes of the interfaces, interface coding
methods, and frame formats.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
using ce1
The channelized mode is configured for the CE1 interface.

Issue 02 (2013-12-31)

1814

Equipment
6 WAN Access
The e1 working mode refers to the clear channel mode. The ce1 working mode refers to the
channelized mode.
By default, a CE1 interface works in channelized mode.
NOTE
ATM cannot be configured on CE1 interfaces working in clear channel mode on the ATN.
Step 4 Run:
Timeslots in CE1 mode are bound as a channel-set.

NOTE
The ATNs support any of the following modes for binding timeslots to form a synchronous serial interface:
l Timeslots 1 to 31 are bound to form a synchronous serial interface, and timeslot 0 is used to transmit
signaling information.
l Timeslots 1 to 15 and timeslots 17 to 31 are bound to form a synchronous serial interface, and timeslots
0 and 16 are used to transmit signaling information.
Step 5 Run:
The frame format is configured for the CE1 interface.

By default, the CE1 interface adopts no-crc4 as the frame format.
----End
Configuring 1-to-1 and N-to-1 ATM Transparent Cell Transport

1-to-1 and N-to-1 ATM transparent cell transport can be classified into different modes, namely,
the 1-to-1 VCC mode, N-to-1 VCC mode, 1-to-1 VPC mode, and N-to-1 VPC mode.
Context
Perform the following steps on the serial sub-interfaces or the IMA group sub-interfaces
connecting the PE to the CE.
Procedure
l
1-to-1 VCC ATM Transparent Cell Transport

1.
Run:
system-view

2.
Run the following command as required:

In the case of the E1/CE1 interface, to create a serial sub-interface and enter the
sub-interface view, run: interface serial controller-number:setnumber.subnumber p2p
In the case of the CPOS interface, to create a serial sub-interface and enter the subinterface view, run: interface serial controller-number/e1-number:setnumber.subnumber p2p
Issue 02 (2013-12-31)

1815

Equipment
6 WAN Access
In the case of the IMA group interface, to create an IMA group sub-interface and
enter the sub-interface view, run: interface ima-group interfacenumber.subnumber p2p
Ensure that the IMA group interface is Up before creating an IMA group subinterface.
a.
In the system view, run the interface ima-group interface-number command

to create an IMA group interface.
b.
In the serial interface view, run the ima ima-group interface-number

command to add the serial interface to the IMA group.
When the interface type is P2P, the ATM transparent cell transport mode is
specified. That is, the P2P interface type determines the 1-to-1 mode. Whether the
mode is 1-to-1 VCC or 1-to-1 VPC is determined by other commands. In addition,
the default type of the created sub-interface is P2MP.
3.
Run:
pvc vpi/vci
A PVC is created and the PVC view is displayed.

Like the N-to-1 VCC mode, the 1-to-1 VCC mode features the VPI/VCI mapping that
need to be explicitly configured. When a PVC is created, the PEs at both ends use the
VPI/VCI values of the connected CEs. Through L2VC connections, the system
automatically identifies them as the same VC and completes the VPI/VCI mapping.
l
1-to-1 VPC ATM Transparent Cell Transport

1.
Run:
system-view

2.

sub-interface view, run: interface serial controller-number:setnumber.subnumber p2p
In the case of the CPOS interface, to create a serial sub-interface and enter the subinterface view, run: interface serial controller-number/e1-number:setnumber.subnumber p2p
enter the sub-interface view, run: interface ima-group interfacenumber.subnumber p2p
a.

b.

NOTE
When the interface type is P2P, the ATM transparent cell transport mode is specified. That
is, the P2P interface type determines the 1-to-1 mode. Whether the mode is 1-to-1 VCC or
1-to-1 VPC is determined by other commands. In addition, the default type of a created
sub-interface is P2MP.
Issue 02 (2013-12-31)

1816

Equipment
6 WAN Access
ATM transparent cell transport in 1-to-1 mode can be configured only on ATM
sub-interfaces of the P2P type rather than their main interfaces. The 1-to-1 mode
indicates that a VC is mapped to a PW. Hence, the type of sub-interfaces must be
P2P.
3.
Run:
pvp vpi
A PVP is created and the PVP view is displayed.

Like the N-to-1 VCC mode, the 1-to-1 VCC mode features the VPI/VCI mapping that
need to be explicitly configured. When a PVC is created, the PEs at both ends use the
VPI/VCI values of the connected CEs. Through L2VC connections, the system
automatically identifies them as the same VC and completes the VPI/VCI mapping.
l
N-to-1 VCC ATM Transparent Cell Transport with VPI/VCI mapping

1.
Run:
system-view

2.

sub-interface view, run: interface serial controller-number:setnumber.subnumber p2mp
In the case of the CPOS interface, to create a serial sub-interface and enter the subinterface view, run: interface serial controller-number/e1-number:setnumber.subnumber p2mp
enter the sub-interface view, run: interface ima-group interfacenumber.subnumber p2mp
a.

b.

The default type of the created sub-interface is P2MP. ATM transparent cell
transport in N-to-1 mode can be configured only on ATM sub-interfaces of the
P2MP type rather than their main interfaces. The N-to-1 mode indicates that
multiple VCs are mapped to a PW. Hence, the type of sub-interfaces must be
P2MP.
3.
Run:
pvc vpi/vci

l
N-to-1 VPC ATM Transparent Cell Transport with VPI mapping

1.
Run:
system-view

Issue 02 (2013-12-31)

1817

Equipment
2.
6 WAN Access

sub-interface view, run: interface serial controller-number:setnumber.subnumber p2mp
In the case of the CPOS interface, to create a serial sub-interface and enter the subinterface view, run: interface serial controller-number/e1-number:setnumber.subnumber p2mp
enter the sub-interface view, run: interface ima-group interfacenumber.subnumber p2mp
a.

b.

The encapsulation mode of the ATM transparent is cell transport.

3.
Run:
pvp vpi
A PVP is created and the PVP view is displayed.

----End
Configuring the PW
The types of PWs that can be established in 1-to-1 and N-to-1 ATM Transparent Cell Transport
are local CCC, SVC, PWE3,.
Context
At the edge of the PSN, PE1 at the user side is connected downstream to the BTS, and PE2 at
the network side is connected to the upstream RNC. Both PEs require the following
configurations. P routers of the PSN, however, do not require the following configurations.
Currently, the following PW types are supported:
l
Local CCC (excluding remote CCC)
SVC
PWE3
Take the dynamic PWE3 as an example to explain the configuration process.

NOTE
l When configuring the PW, you need to configure the following parameters; otherwise, the system uses
the default values.
l To set the maximum number of cells, run: max-atm-cells max-atm-cell-value
l To configure the delay in packing ATM cells, run: atm-pack-overtime time
l The preceding parameters can be set in either the PW template view or the interface view.
Issue 02 (2013-12-31)

1818

Equipment
6 WAN Access
The procedures for configuring the preceding parameters in the two views are as follows:
Procedure
l
Creating a PW in the PW template view

1.
Run:
system-view

2.
Run:
pw-template pw-template-name
A PW template is created and the PW template view is displayed.

3.
Run:
peer-address ip-address
An IP address is assigned to the peer PE of the PW.

4.
(Optional)Run:
tnl-policy policy-name
A tunnel-selecting policy is configured for the PW template.

You need to create a tunnel policy and use the tunnel binding destination command
to configure the policy, and then use the policy for the PW to select tunnels.
5.
Run:
max-atm-cells max-atm-cell-value
The maximum number of transmitted cells is specified.

The value ranges from 1 to 28.
By default, the maximum number of transmitted cells defined in the PW template is
28.
6.
Run:
atm-pack-overtime time
The delay in packing ATM cells is configured.

The value ranges from 100 to 50000, in microsecondsATM pack time must be 100 or
a multiple of 1000. By default, the value is 1000.
7.
Run:
quit
Exit from the PW template view.

8.

To enter the IMA group interface view, run: interface ima-group groupnumber.subnumber
To enter the channelized serial interface view of the CE1 interface, run: interface
serial controller-number : set-number.subnumber
9.
Run:
mpls l2vc pw-template pw-template-name vc-id [ group-id group-id | tunnelpolicy policy-name | [ control-word | no-control-word ] | max-atm-cells
cells-value | atm-pack-overtime time | secondary | ignore-standby-state ]
*
Issue 02 (2013-12-31)

1819

Equipment
6 WAN Access
A dynamic PW is created.
l
Creating a PW in the interface view

1.
Run:
system-view

2.

To enter the IMA group interface view, run: interface ima-group groupnumber.subnumber
To enter the channelized serial interface view of the CE1 interface, run: interface
serial controller-number : set-number.subnumber
3.
Run:
mpls l2vc ip-address vc-id [ group-id group-id | tunnel-policy policyname | [ control-word | no-control-word ] | max-atm-cells cells-value |
atm-pack-overtime time | secondary | ignore-standby-state ] *
----End

After IMAoPSN is configured, you can view configurations and statuses of CE1, and information
about the static PW, dynamic PW.
Context
Procedure
l
Run the display controller e1 controller-number command to check the configuration and
status of the CE1 interface.
Run the display mpls static-l2vc [ vc-id |interface interface-type interface-number |

state { down | up } ] or display mpls static-l2vc brief command to check information
about the static PW.
Run the display mpls l2vc [ vc-id | interface interface-type interface-number ] or display
mpls l2vc brief command to check information about the dynamic PW.
----End
6.6.5 Configuring ATM-Bundle Group Members

Before configuring an ATM-bundle group, you need to configure synchronous serial ports as
physical member ports for the group. To configure serial ports, you need to create serial ports,
and set the frame format, link-layer protocol type, and scrambling mode for the ports.
Issue 02 (2013-12-31)

1820

Equipment
6 WAN Access

Before configuring an ATM-Bundle group member interface, familiarize yourself with the
Synchronous serial interfaces on CE1 interfaces can be used as physical member interfaces for
the group. Before creating an ATM-Bundle group, synchronous serial interfaces must be
configured to establish the physical links.
NOTICE
successfully.
l Disabling the CE1 interface may affect the normal operation of its channel-set.
Before configuring CE1 interfaces, complete the following task:
l
Data Preparation
No.
Data
CE1 interface number of the ATN
Number of the channel into which the timeslots of the CE1 interface are bound
Synchronous serial interface number or synchronous serial sub-interface number

of the ATN
Local PVC/PVP and its peer PVC/PVP of the synchronous serial subinterface
Creating Member Synchronous Serial Interface for CE1 Interface

You can create synchronous serial interfaces with different bandwidth on CE1 interfaces that
work in different operation modes. The synchronous serial interfaces can be used as the member
interfaces of an ATM Bundle group.
Issue 02 (2013-12-31)

1821

Equipment
6 WAN Access
Context
CE1 interfaces on ATN may work in channel-pure mode (E1) or channelized mode (CE1).
l
In channel-pure mode, a CE1 interface contains 32 timeslots and these timeslots, except
timeslot 0, can be bundled as a serial interface. To display the view of the serial interface,
run the interface serial controller-number command.
In channelized mode, a CE1 interface does not contain timeslots and works as a 2.048 Mbit/
s serial interface. In this case, the serial interface does not support the channel-set setnumber timeslot-list slot-list and frame-format { crc4 | no-crc4 } commands.
NOTE
By default, a CE1 interface works in channelized mode.
Do as follows on the ATN.
Procedure
l
Creating a synchronous serial interface in clear channel mode

1.
Run:
system-view

2.
Run:

3.
Run:
using e1
The CE1 interface is configured to work in clear channel mode, and a synchronous
serial interface with the transmission rate being 2.048 Mbit/s and without timeslot
division is configured.
You can run the interface serial controller-number:0 command to access the
l
Creating a synchronous serial interface in channelized mode

1.
Run:
system-view

2.
Run:

3.
Run:
using ce1
The CE1 interface is configured to work in channelized mode.

4.
Run:
Timeslots of the CE1 interface are bundled to form a synchronous serial interface.
Issue 02 (2013-12-31)

1822

Equipment
6 WAN Access
You can run the interface serial controller-number:set-number command to access

To change an interface from the CE1 mode to the E1 mode, you need to delete all
configurations in CE1 mode and all configurations of synchronous serial
interfaces, and then run the using e1 command.
To change an interface from the E1 mode to the CE1 mode, you need to delete all
configurations in E1 mode and all configurations of synchronous serial interfaces,
and then run the using ce1 or undo using command. In this case, the synchronous
serial interfaces do not need to be deleted.
----End
Configuring Frame Format of the member CE1 Interface

You can use the 4-bit CRC code to check physical frames on CE1 interfaces.
Prerequisites
The interface can be configured with the frame format only when it works in channelized mode.
Context
By default, the frame format of the CE1 interface is no-CRC4. And the default value is
recommended.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
----End
Configuring Link Layer Protocol Type on the Synchronous Serial Interface

Before adding a serial interface to an ATM-Bundle group, you need to configure ATM as the
link layer protocol of the serial interface.
Context
The type of link layer protocols affects the format of link layer frames of the data that passes
from the synchronous serial interface.
Issue 02 (2013-12-31)

1823

Equipment
6 WAN Access
By default, none of the three protocols is adopted as the link layer protocol.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
link-protocol atm
The link layer protocol type is configured on the interface.

----End
Creating Serial Sub-interfaces

Serial sub-interfaces are used to provide multiple links on one physical interface.
Context
Creating serial sub-interfaces realizes P2MP connections on ATM links.
ATM transmission and can be implemented only after a PVC is created, while the ATM VP
monitoring function can be implemented only after a PVP is created. Currently, in theATN, a
PVC or a PVP can be created only on a serial sub-interface rather than a serial main interface.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The serial sub-interface view is displayed.

----End
Creating a PVC on a Serial Sub-interface

A PVC is used to specify the VPI/VCI. ATM transmission and can be implemented only after
a PVC is created.
Issue 02 (2013-12-31)

1824

Equipment
6 WAN Access
Context
Currently, in theATN, a PVC can be created only on a serial sub-interface rather than a serial
main interface.
VPI/VCI mapping consistent with that at the peer end must be configured using the map pvc
command.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
pvc [ pvc-name ] vpi/vci

Step 4 Run:
A mapping PVC is created.

----End
Creating a PVP on a Serial Sub-interface

Context
Currently, in theATN, a PVP can be created only on a serial sub-interface rather than a serial
main interface.
VPI mapping consistent with that at the peer end must be configured using the map pvp
command.
Procedure
Step 1 Run:
system-view

Step 2 Run:
Issue 02 (2013-12-31)

1825

Equipment
6 WAN Access

Step 3 Run:
pvp [ pvp-name ] vpi
The PVP is created and the PVC view is displayed.

Step 4 Run:

----End

After a member serial interface is configured, you can view the configuration information of the
serial interface.
Context
The configurations of the serial interface is complete.
Procedure
Step 1 Run the display controller e1 [ controller-number ] command to check the configuration and
status of the CE1 interface
Step 2 Run the display interface serial [ interface-number ] [ | { begin | exclude | include } regularexpression ] command to check the configuration and status of the serial interface.
----End
6.6.6 Configuring ATM Bundle

The atm-bundle command adds an IMA group sub-interface or a serial sub-interface to an
existing ATM bundle interface. This allows nodeBs to share a PW to transmit a single type of
service to an RNC.

Before configuring ATM-bundle, familiarize yourself with the applicable environment,
As an extended application, ATM bundle originates from the IP RAN scenario where each base
station connects to CSG over an ATM link and each may carry voice and data services. If one
PW is used to transmit one type of service on each nodeB, a large number of PWs need to be
configured on the CSG. The growing number of NodeBs and service types creates an increasing
burden on the CSG.
To address this problem, sub-interfaces transmitting the same type of service on different nodeBs
join one ATM bundle interface connecting nodeBs to a CSG. A PW is set up on the ATM bundle
Issue 02 (2013-12-31)

1826

Equipment
6 WAN Access
interface connecting the CSG to an RNC. This means that each type of service requires one ATM
bundle interface and one PW on a CSG, reducing the number of PWs, lessening the burden on
the CSG, and improving service scalability.
Before configuring an ATM-Bundle interface, complete the following task:
l
Enabling MPLS L2VPN
Data Preparation
To configure basic ATM-Bundle functions, you need the following data.
NO.
Data
ATM-Bundle group number
IMA group sub-interface number or serial sub-interface number
L2VPN destination address, VC ID, and VC type
Creating ATM-Bundle Interface

Serial interfaces are slow and cannot provide the 8 to 16 Mbit/s bandwidth needed for 3G RAN
services. ATM bundle interfaces are used to provide the required bandwidth and improve
transmission resource utilization.
Context
A sub-interface can be added to an ATM-budle group only after the ATM-bundle group is
created.
Procedure
Step 1 Run:
system-view

Step 2 Run:
interface atm-bundle bundle-id
An ATM-Bundle interface is created.

----End
Adding a Sub-interface to an ATM-Bundle Group

IMA group sub-interfaces or Serial sub-interfaces are used to provide multiple links.
Issue 02 (2013-12-31)

1827

Equipment
6 WAN Access
Prerequisites
A serial sub-interface must be configured with a PVC or PVP before joining an ATM-bundle
interface; otherwise, the serial sub-interface will fail to join an ATM bundle interface and an
error message is displayed.
Context
An ATM-Bundle group is a logical link having one or more links. Its bandwidth is approximately
equal to the sum of all the member links' bandwidth.
Multiple serial sub-interfaces or IMA group sub-interfaces can join one ATM-bundle interface,
allowing the same type of services from multiple sources to travel through one PW.
Procedure
l
Add a serial sub-interface to an ATM-Bundle interface

1.
Run:
system-view

2.
Run:

3.
Run:
atm-bundle bundle-id
The serial sub-interface is added to the ATM-bundle interface.

NOTE
Different sub-interfaces under the same interface cannot be added to the same ATM-bundle interface.
Add an IMA group sub-interface to an ATM-Bundle interface

1.
Run:
system-view

2.
Run:
The IMA group sub-interface view is displayed.

3.
Run:
atm-bundle bundle-id
The IMA group sub-interface is added to the ATM-bundle interface.

----End
Configuring the PW
The types of PWs that can be established in ATM-Bundle are SVC, and PWE3.
Issue 02 (2013-12-31)

1828

Equipment
6 WAN Access
Context
configurations. P devices of the PSN, however, do not require the following configurations.
Currently, the following PW types are supported:
l
SVC
PWE3
Take the dynamic PWE3 as an example to explain the configuration process.

NOTE
l When configuring the PW, you need to configure the following parameters; otherwise, the system uses
the default values.
l To set the maximum number of cells, run: max-atm-cells max-atm-cell-value
l To configure the delay in packing ATM cells, run: atm-pack-overtime time
l Before configuring the PW on a main interface, you need to configure the ATM transparent cell
transport function on the interface.
Procedure
l

1.
Run:
system-view

2.
Run:
mpls l2vpn
MPLS L2VPN is enabled.

3.
Run:
quit

4.
Run:

5.
Run:

6.
(Optional)Run:
A tunnel-selecting policy is configured for the PW template.

Issue 02 (2013-12-31)

1829

Equipment
6 WAN Access
You need to create a tunnel policy and use the tunnel binding destination command
to configure the policy, and then use the policy for the PW to select tunnels.
7.
Run:
max-atm-cells max-atm-cell-value
The maximum number of transmitted cells is specified.

The value ranges from 1 to 28.
By default, the maximum number of transmitted cells defined in the PW template is
28.
8.
Run:
atm-pack-overtime time
The delay in packing ATM cells is configured.

The value ranges from 100 to 50000, in microseconds. ATM pack time must be 100
or a multiple of 1000. By default, the value is 1000.
9.
Run:
quit

10. Run:
The ATM-Bundle interface view is displayed.

11. Run:
mpls l2vc pw-template pw-template-name vc-id [ [ group-id group-id ] |
[ control-word | no-control-word ] ] * [ secondary ]
l

1.
Run:
system-view

2.
Run:
The ATM-Bundle interface view is displayed.

3.
Run:
mpls l2vc ip-address vc-id [ group-id group-id] [ [ control-word | nocontrol-word ] | tunnel-policy policy-name ] * [ secondary ] [ [ max-atmcells cells-value ] | [ atm-pack-overtime time ] ] *
----End

After an ATM-Bundle group is configured, you can view status of the serial sub-interfaces or
the IMA group sub-interface, and information about the PW and ATM-Bundle group.
Issue 02 (2013-12-31)

1830

Equipment
6 WAN Access
Prerequisites
All the configurations of an ATM-Bundle group are complete.
Procedure
Step 1 Run the display controller e1 [ controller-number ] command to check the configuration and
status of the CE1 interface.
Step 2 Run the display mpls l2vc [ vc-id | interface interface-type interface-number | remote-info
[ vc-id ] | state { down | up } ] command to check the information about MPLS L2VC.
Step 3 Run the display atm-bundle [ bundle-number ] command to check the information of the ATMBundle group.
----End
6.6.7 Configuring ATM OAM

To detect and locate faults on ATM links, you can configure ATM OAM.
Before You Start

Before configuring ATM OAM, familiarize yourself with the usage scenario, complete the preconfiguration tasks, and obtain the required data.
Usage Scenario
OAM provides various optional methods of detecting and locating the faults on an ATM link.
Choose the configuration as required.
l
To detect the link status and report faults in real time without interrupting services, activate
the CC function or configure the end-to-end loopback detection function:
The CC function detects the link status in real time by periodically transmitting CC cells
while not restricting the connection point attribute.
The end-to-end loopback detection function detects the link status in real time by
sending loopback cells periodically.
Check whether the device supports CC cells or loopback cells and then choose
configurations according to the OAM connection point attribute.
To locate and remove the link faults, configure the cell loopback.
To debug and detect whether the ATM OAM mechanism works normally, insert OAM
cells manually.
To response to the OAM F4/F5 loopback cells on the peer, configure their response.
Before configuring ATM OAM, complete the following tasks:
l
Configure physical attributes for the ATM interface.
Configure ATM PVC

.
Issue 02 (2013-12-31)

1831

Equipment
6 WAN Access
Data Preparation
To configure ATM OAM, you need the following data.
No.
Data
Number of the ATM interface or sub-interface
PVC name, the network VPI and VCI
Number of times for sending loopback cells
LLID of the loopback connection point
(Optional) Configuring the Connection Point Attribute

You need to set the connection point attributes of the connection before performing ATM OAM
maintenance. The connection point attribute determines how the port handles the OAM cell.
Context
ITU-T I.610 defines three types of connection points for an ATM network:
l
end-to-end point: It usually refers to an edge node on an ATM network.
segment point: It means that one ATM link has multiple segments.
inner: It usually refers to an intermediate node between segment points or end-to-end points.
As defined in the ITU-T I.610, the three types of OAM nodes are different regarding the
following dimensions: OAM cells to be inserted, checking tests to be started, and OAM cells to
be terminated. In addition, a segment point should locate between two end points, and an
intermediate point should locate between two end-to-end points or segment points.
On ATN, the connection point attribute can be set only to seg-point for PVC or PVP. If the
connection point attribute is not specified, the node is considered as an inner node by default.
When the CC or loopback function is enabled, ATN transmits or processes cells of the segment
point type, regardless of whether the connection point attribute has been specified. This type of
cells will be terminated at devices whose connection point attribute is set to segment point.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
pvc vpi/vci
Issue 02 (2013-12-31)

1832

Equipment
6 WAN Access

Step 4 Run:
Step 5 Run:
oam
The ATM-OAM interface view is displayed.

Step 6 Run:
attribute
{ vpi | vpi/vci } seg-point [ forward | backward ]
The connection point attributes of a PVC or PVP are set.

----End
(Optional) Activating the CC Function

You can activate the CC function to enable a device to detect link status and report faults in real
time without service interruption.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
interface interface-type interface-number [.subinterface ]
The IMA group sub-interface or serial sub-interface view is displayed.

Step 3 Run:
oam
The OAM view is displayed.

Step 4 Run:
cc { vpi | vpi/vci } segment
{ both | sink | source } { forward | backward }
The CC function is activated.

When activating the CC function of PVC, note the following points:
l Before activating the CC function, you need to complete the OAM attribute configurations
on both ends.
l The type of the CC function and the OAM attributes must be consistent.
l During the recovery stage, you cannot cancel the CC function.
Issue 02 (2013-12-31)

1833

Equipment
6 WAN Access
l Before deleting the OAM connection, if the board is not faulty, you must cancel the CC
function first.
l If the parameter sink or both is configured, a clear alarm will be generated when either of
the following conditions is met:
The local end receives CC cells from the peer end.
The local end receives data cells from the peer end.
----End
(Optional) Configuring the Cell Loopback

After cell loopback is configured, the system checks loopback cells to detect and locate link
faults.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
interface interface-type interface-number [.subinterface ]
The IMA group sub-interface or serial sub-interface view is displayed.

Step 3 Run:
oam
An OAM view is displayed.

Step 4 Run:
loopback { vpi | vpi/vci } seg-loopback [ llid llid-number ] { forward | backward }
times
The cell loopback function is configured.

The OAM provides the loopback test function for convenient fault locating and testing. The
loopback test inserts loopback cells in the VC/VP link of a certain connection point and the cells
loop back to another connection point. The system detects and locates any link faults through
the received loopback cells.
The loopback includes the following two types: segment loopback and end loopback. ATN only
supports segment loopback.
l Before configuring the segment point loopback, you need to configure the end loopback point
as the segment point.
l The loopback in one board fails.
----End
Issue 02 (2013-12-31)

1834

Equipment
6 WAN Access

After ATM OAM is configured, you can check ATM OAM configurations and statistics.
Procedure
l
Run the display atm oam alarm-status atm interface-number [ vpi | vpi/vci ] command
to check the alarm status of the ATM OAM.
Run the display atm oam configuration atminterface-number [ vpi | vpi/vci ] command
to check the configuration of the ATM OAM.
----End

You can learn the configuration procedures based on the configuration flowchart. Each
configuration example consists of such information as the networking requirements,
configuration notes, and configuration roadmap.
Example for Configuring N-to-1 VCC Transparent Transmission of ATM Cells

If a large number of ATM services are transparently transmitted over a PSN, you can configure
ATM transparent cell transport in N-to-1 VCC mode. In this mode, an ATM physical link can
be divided into multiple PVCs, with each PVC transmitting a single type of service. For example,
you can create three PVCs to transmit audio traffic, video traffic, and data traffic. This helps
improve ATM QoS.
As shown in Figure 6-8, it is required that two E1 links at the NodeB side should be connected
to PE1 and added to an IMA group. Configure 4 PVCs on the sub-interfaces of the IMA group.
Connect the RNC to the PE2 through the ATM interface. Then, configure 4 PVCs on the ATM
sub-interfaces. A PW is established between PE1 and PE2 to transparently transmit ATM cells.
Issue 02 (2013-12-31)

1835

Equipment
6 WAN Access
Figure 6-8 Networking diagram of configuring N-to-1 VCC transparent transmission of ATM
cells
STM-1
E1 0/2/1
E1 0/2/2
PE1
P
GE0/2/4
GE1/0/0
2IMA E1
VC1:1/100
VC2:1/200
VC3:1/300
VC4:1/400
PE2
GE2/0/0
GE2/0/0
PWE3 ATM Transparent

Cell Transport
ATM3/0/1
VC1:1/100
VC2:1/200
VC3:1/300
VC4:1/400
RNC
NodeB
Router
Interface
IP Address
PE1
GE0/2/4
10.1.1.1/24
Loopback0
192.2.2.2/32
GE 1/0/0
10.1.1.2/24
GE 2/0/0
10.2.1.1/24
Loopback0
192.4.4.4/32
GE 2/0/0
10.2.1.2/24
Loopback0
192.3.3.3/32
PE2
1.
Run the IGP protocol on the backbone network so that devices can communicate with each
other.
2.
Configure basic MPLS functions on the backbone network, and configure MPLS L2VPN
functions on PE devices. Establish the remote MPLS LDP peer relationship between PEs
at both ends of the PW.
3.
Set parameters for the serial interface.
4.
Configure the PW template.
5.
Establish MPLS L2VC connections on PEs.
Data Preparation
l
Issue 02 (2013-12-31)
L2VC IDs at both ends of the PW (must be the same)

1836

Equipment
6 WAN Access
MPLS LSR IDs of the PEs and P router
IP address of the remote peer of the PE
Coding mode and frame format of the E1/CE1 interface
Procedure
Step 1 Run the IGP protocol on the backbone network so that devices can communicate with each other.
For detailed configurations, see the configuration file of this example.
Step 2 Configure basic MPLS functions on the backbone network, and configure MPLS L2VPN
functions on PE devices. Then, establish the remote MPLS LDP peer relationship between PEs
at both ends of the PW. For detailed configurations, see the configuration file of this example.
The remote MPLS LDP peer relationship is required only for the dynamic PW.
Step 3 Set parameters for the serial interface on PE1 and then add the serial interface to the IMA group.
Set parameters for the ATM interface on PE2.
1.
Configure PE1.
# Configure the channelized mode, and no-CRC4 frames for CE1 0/2/1 and CE1 0/2/2 on
PE1.
NOTE
The ATNs support any of the following modes for binding timeslots to form a synchronous serial
interface:
l Timeslots 1 to 31 are bound to form a synchronous serial interface, and timeslot 0 is used to
transmit signaling information.
l Timeslots 1 to 15 and timeslots 17 to 31 are bound to form a synchronous serial interface, and
timeslots 0 and 16 are used to transmit signaling information.
[PE1] controller e1 0/2/1
[PE1-E1 0/2/1] channel-set 1 timeslot-list 1-31
[PE1-E1 0/2/2] quit
# Create an IMA interface.

[PE1] interface ima-group 0/2/1
[PE1-Ima-group0/2/1] quit
# Add the channelized serial interface to the IMA group.

[PE1] interface serial0/2/1:1
[PE1-Serial0/2/1:1] link-protocol
[PE1-Serial0/2/1:1] ima ima-group
[PE1-Serial0/2/1:1] quit
2.
atm
0/2/1
atm
0/2/1
Configure PE2.
[PE2] interface atm 3/0/1.1
[PE2-Atm3/0/1.1] atm cell transfer
[PE2-Atm3/0/1.1] quit
Step 4 Configure the PW and configure N-to-1 VCC transparent transmission of ATM cells.
1.
Configure PE1.
[PE1] pw-template 1to3
[PE1-pw-template-1to3] peer-address 192.3.3.3
Issue 02 (2013-12-31)

1837

Equipment
6 WAN Access
[PE1-pw-template-1to3] atm-pack-overtime 2000

[PE1-pw-template-1to3] quit
[PE1] interface ima-group 0/2/1.1 p2mp
[PE1-Ima-group0/2/1.1] pvc 1/100
[PE1-Ima-group0/2/1.1-1/100] map pvc 1/100 bidirectional
[PE1-Ima-group0/2/1.1-1/100] quit
[PE1-Ima-group0/2/1.1] mpls l2vc pw-template 1to3 100
[PE1-Ima-group0/2/1.1] undo shutdown
[PE1-Ima-group0/2/1.1] quit
2.
Configure PE2.
[PE2] interface atm 3/0/1.1
[PE2-Atm3/0/1:1.1] pvc 1/100
[PE2-Atm3/0/1:1.1-1/100] quit
[PE2-Atm3/0/1:1.1] pvc 1/200
[PE2-Atm3/0/1:1.1-1/200] quit
[PE2-Atm3/0/1:1.1] pvc 1/300
[PE2-Atm3/0/1:1.1-1/300] quit
[PE2-Atm3/0/1:1.1] pvc 1/400
[PE2-Atm3/0/1:1.1-1/400] quit
[PE2-Atm3/0/1:1.1] mpls l2vc pw-template 3to1 100
[PE2-Atm3/0/1:1.1] undo shutdown
[PE2-Atm3/0/1:1.1] quit

Run the display mpls l2vc command on PEs. You can view that the status of the PW is Up.
# The display on PE1 is as follows:
<PE1> display mpls l2vc interface ima-group 0/2/1.1
*client interface
: Ima-group0/2/1.1 is up
Administrator PW
: no
session state
: up
AC state
: up
VC state
: up
Label state
: 0
Token state
: 0
VC ID
: 100
VC type
: ATM Nto1 VCC
destination
: 192.3.3.3
local group ID
: 0
remote group ID
local VC label
: 32
remote VC label
max ATM cells
: 28
ATM pack overtime
: 2000
seq-number
: disable
local AC OAM State
: up
local PSN OAM State
: up
local forwarding state : forwarding
local status code
: 0x0
remote AC OAM state
: up
: up
remote forwarding state: forwarding
remote status code
: 0x0
Issue 02 (2013-12-31)

: 0
: 140289
1838

Equipment
BFD for PW
VCCV State
manual fault
active state
forwarding entry
OAM Detect
OAM Status
OAM Type
PW APS ID
PW APS Status
TTL Value
link state
local ATM cells
local VCCV
remote VCCV
local control word
tunnel policy name
PW template name
load balance type
Access-port
Switchover Flag
NO.0 TNL type
Backup TNL type
create time
up time
last change time
VC last up time
VC total up time
CKey
NKey
PW redundancy mode
AdminPw interface
AdminPw link state
Diffserv Mode
Service Class
Color
DomainId
Domain Name
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
6 WAN Access
no
unavailable
up
not set
active
exist
---0
-1
up
28
remote ATM cells
: 28
alert ttl lsp-ping bfd
alert ttl lsp-ping bfd
disable
remote control word : disable
-1to3
primary
flow
false
false
1 tunnels/tokens
lsp
, TNL ID : 0x11b
lsp
, TNL ID : 0x0
2011/04/11 12:36:17
14
13
frr
--pipe
ef
green
---
# The display on PE2 is as follows:

<PE2> display mpls l2vc interface atm 3/0/1.1
*client interface : Atm3/0/0.1 is up
session state
: up
AC state
: up
VC state
: up
VC ID
: 100
VC type
: ATM Nto1 VCC
destination
: 192.2.2.2
local group ID
: 0
remote group ID : 0
local VC label
: 140289 remote VC label : 32
local AC OAM State
: up
local PSN State
: up
local forwarding state: forwarding
local status code
: 0x0
remote AC OAM state
: up
remote PSN state
: up
remote statuscode
: 0x0
BFD for PW
: unavailable
manual fault
: not set
active state
: active
forwarding entry
: exist
link state
: up
local ATM cells
: 28
remote ATM cells
Issue 02 (2013-12-31)

: 28
1839

Equipment
local VCCV
remote VCCV
local control word
remote control word
tunnel policy
traffic behavior
PW template name
NO.0 TNL type
create time
up time
last change time
VC last up time
VC total up time
CKey
NKey
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
6 WAN Access
alert lsp-ping bfd

alert lsp-ping bfd
disable
disable
--3to1
primary
1 tunnels/tokens
lsp , TNL ID : 0x208000
2008/00/24 12:31:31
11
10
----End
Configuration Files
l
Configuration file of PE1:

#
sysname PE1
#
mpls
#
mpls l2vpn
#
pw-template 1to3
atm-pack-overtime 2000
#
mpls ldp
#
remote-ip 192.3.3.3
#
controller e1 0/2/1
undo shutdown
#
interface serial0/2/1:1
link-protocol atm
ima ima-group 0/3/1
undo shutdown
#
controller e1 0/2/2
undo shutdown
#
link-protocol atm
ima ima-group 0/2/1
undo shutdown
#
interface ima-group 0/2/1
undo shutdown
#
interface ima-group 0/2/1.1
pvc 1/100
map pvc 1/100 bidirectional
pvc 1/200
Issue 02 (2013-12-31)

1840

Equipment
6 WAN Access
pvc 1/300
pvc 1/400
mpls l2vc pw-template 1to3 100
undo shutdown
#
undo shutdown
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 192.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 192.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
Configuration file of PE2:

#
sysname PE2
#
mpls
#
mpls l2vpn
#
pw-template 3to1
#
mpls ldp
#
remote-ip 192.2.2.2
#
interface atm 3/0/1.1
undo shutdown
atm cell transfer
pvc 1/100
pvc 1/200
pvc 1/300
pvc 1/400
mpls l2vc pw-template 3to1 100
#
undo shutdown
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 192.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 192.3.3.3 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return
Issue 02 (2013-12-31)

1841

Equipment
6 WAN Access
Configuration file of the P router:

#
sysname P
#
mpls
#
mpls ldp
#
undo shutdown
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
undo shutdown
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 192.4.4.4 255.255.255.255
#
ospf 1
area 0.0.0.0
network 192.4.4.4 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return
Example for Configuring ATM Bundle Interfaces to Forward Traffic from Multiple
NodeBs to an RNC
An ATM bundle interface transmits a single type of service from multiple TDM/ATM nodeBs
along one PW to an RNC. This relieves the burden on a CSG and allows greater service
scalability.
ATM bundling is an extended PWE3 application for transparently transmitting ATM cells. An
ATM bundle interface allows various nodeBs to share one PW to transmit a single type of service
to an RNC.
On an IP RAN, multiple nodeBs are connected to a CSG through serial interfaces channelized
from E1, CE1, or CPOS links. Every nodeB can transmit voice, video, and data services.
Therefore, the CSG must create three PVCs for every nodeB before transmitting voice, video,
and data services. An increase in the number of nodeBs and service types increases the load on
the CSG. An ATM bundle interface forwards a single type of service from multiple nodeBs to
an RNC along one PW. This reduces the number of PWs, relieves the load on the CSG, and
improves service scalability.
On the network shown in Figure 6-9, NodeB1 and NodeB2 are connected to a CSG through a
serial link channelized from E1, CE1, or CPOS lines. Each NodeB transmits voice and data
services. ATM bundle 1 and ATM bundle 2 are created on the CSG and PW1 and PW2 are
configured on each of the ATM bundle interfaces. The sub-interfaces on which a PVC is
configured to transmit voice services join ATM bundle 1. The sub-interfaces on which the other
PVC is configured to transmit data services join ATM bundle 2. This allows multiple nodeBs
Issue 02 (2013-12-31)

1842

Equipment
6 WAN Access
to share two PWs to separately transmit data and voice services to an RNC. Table 6-6 shows
the mappings between nodeBs, sub-interfaces, and service types.
Table 6-6 Mappings between nodeBs, sub-interfaces, and service types
Nod
eB
CSG Subinterface
Service
Type
VPI/VCI Values
ATM Bundle ID
Node
B1
Serial0/2/0
:0.1
Voice
1/33
ATM Bundle 1
Serial0/2/0
:0.2
Data
2/33
ATM Bundle 2
Serial0/2/1
:0.1
Voice
3/33
ATM Bundle 1
Serial0/2/1
:0.2
Data
4/33
ATM Bundle 2
Node
B2
Figure 6-9 Networking diagram for configuring ATM bundle interfaces to forward traffic from
multiple nodeBs to an RNC
PW1
E1
NodeB1
Serial0/2/0.1
Serial0/2/0.2
Loopback 1
Loopback 1
1.1.1.1/32
2.2.2.2/32
GE0/2/4
172.0.1.1/24
Atm1/0/0
CSG
Serial0/2/1.1
Serial0/2/1.2
GE1/0/0
172.0.1.2/24 RSG
BSC/RNC
PW2
E1
NodeB2
1.
Assign an IP address to and configure a routing protocol on each interface.
2.
Configure basic MPLS functions and TE tunnels:

l Enable MPLS TE, RSVP-TE, OSPF TE, and CSPF.
l Configure MPLS TE tunnel interfaces.
l Configure a tunnel policy.
3.
Configure ATM bundle interfaces:

l Configure ATM bundle interfaces.
Issue 02 (2013-12-31)

1843

Equipment
6 WAN Access
l Add AC sub-interfaces connecting the CSG to nodeBs to ATM bundle interfaces.

4.
Configure PWE3:
l Configure a remote LDP session between the CSG and RSG.
l Enable L2VPN and configure PWE3.
Data Preparation
l
Interface number, interface IP address, and OSPF process ID
LSR ID, VC ID, and VC type
ATM bundle interface number and PVC VPI/VCI values
Procedure
Step 1 Assign an IP address to and configure a routing protocol on each interface.
1.
Assign an IP address to each interface.
2.
Configure a routing protocol on the CSG and RSG to establish connectivity. OSPF is used
in this example.
After completing the preceding configurations, run the display ip routing-table command on
CSG and RSG. Both have learned routes from each other. Note that when configuring OSPF,
advertise 32-bit loopback interface addresses (LSR IDs) of the CSG and RSG.
The configuration procedure is not provided.
Step 2 Configure basic MPLS functions and TE tunnels.
1.
Enable MPLS TE, RSVP-TE, OSPF TE, and CSPF.

# Configure the CSG.
[CSG] mpls lsr-id 1.1.1.1
[CSG] mpls
[CSG-mpls] mpls te
[CSG-mpls] mpls rsvp-te
[CSG-mpls] mpls te cspf
[CSG-mpls] quit
[CSG] interface gigabitethernet 0/2/4
[CSG-GigabitEthernet0/2/4] mpls
[CSG-GigabitEthernet0/2/4] mpls te
[CSG-GigabitEthernet0/2/4] mpls rsvp-te
[CSG-GigabitEthernet0/2/4] quit
[CSG] ospf 100
[CSG-ospf-100] opaque-capability enable
[CSG-ospf-100] area 0
[CSG-ospf-100-area-0.0.0.0] mpls-te enable
[CSG-ospf-100-area-0.0.0.0] quit
[CSG-ospf-100] quit
# Configure the RSG.

[RSG] mpls lsr-id 2.2.2.2
[RSG] mpls
[RSG-mpls] mpls te
[RSG-mpls] mpls rsvp-te
[RSG-mpls] mpls te cspf
[RSG-mpls] quit
[RSG] interface gigabitethernet 1/0/0
Issue 02 (2013-12-31)

1844

Equipment
6 WAN Access
[RSG-GigabitEthernet1/0/0] mpls
[RSG-GigabitEthernet1/0/0] mpls te
[RSG-GigabitEthernet1/0/0] mpls rsvp-te
[RSG-GigabitEthernet1/0/0] quit
[RSG] ospf 100
[RSG-ospf-100] opaque-capability enable
[RSG-ospf-100] area 0
[RSG-ospf-100-area-0.0.0.0] mpls-te enable
[RSG-ospf-100-area-0.0.0.0] quit
[RSG-ospf-100] quit
2.
Configure an MPLS TE tunnel interface.

[CSG] interface tunnel 0/2/1
[CSG-Tunnel0/2/1] ip address unnumbered interface loopback 1
[CSG-Tunnel0/2/1] tunnel-protocol mpls te
[CSG-Tunnel0/2/1] destination 2.2.2.2
[CSG-Tunnel0/2/1] mpls te tunnel-id 100
[CSG-Tunnel0/2/1] mpls te reserved-for-binding
[CSG-Tunnel0/2/1] mpls te commit
[CSG-Tunnel0/2/1] quit

[RSG] interface tunnel 1/0/1
[RSG-Tunnel1/0/1] ip address unnumbered interface loopback 1
[RSG-Tunnel1/0/1] tunnel-protocol mpls te
[RSG-Tunnel1/0/1] destination 1.1.1.1
[RSG-Tunnel1/0/1] mpls te tunnel-id 100
[RSG-Tunnel1/0/1] mpls te signal-protocol rsvp-te
[RSG-Tunnel1/0/1] mpls te reserved-for-binding
[RSG-Tunnel1/0/1] mpls te commit
[RSG-Tunnel1/0/1] quit
3.
Configure a tunnel policy.

[CSG] tunnel-policy policy1
[CSG-tunnel-policy-policy1] tunnel binding destination 2.2.2.2 te Tunnel0/2/1
[CSG-tunnel-policy-policy1] quit

[RSG] tunnel-policy policy1
[RSG-tunnel-policy-policy1] tunnel binding destination 1.1.1.1 te Tunnel0/2/1
[RSG-tunnel-policy-policy1] quit
Step 3 Configure ATM bundling.

1.
Create ATM bundle interfaces.

# Create two ATM bundle interfaces on the CSG.
[CSG] interface atm-bundle 1
[CSG-Atm-Bundle1] quit
2.
Add the AC sub-interfaces connecting the CSG to nodeBs to the ATM bundle interfaces.
# Add AC sub-interfaces connecting the CSG to nodeB1 to both ATM bundle interfaces.
[CSG] interface serial 0/2/0:0
[CSG-Serial0/2/0:0] link-protocol atm
[CSG-Serial0/2/0:0] undo shutdown
[CSG-Serial0/2/0:0] quit
Issue 02 (2013-12-31)

1845

Equipment
6 WAN Access
[CSG] interface Serial 0/2/0:0.1

[CSG-Serial0/2/0:0.1] pvc 1/33
[CSG-Serial0/2/0:0.1-1/33] map pvc 1/33 bidirectional
[CSG-serial-pvc-Serial0/2/0:0.1-1/33] quit
[CSG-Serial0/2/0.1] atm-bundle 1
[CSG-Serial0/2/0:0.2] atm-bundle 2
# Add AC sub-interfaces connecting the CSG to nodeB2 to both ATM bundle interfaces.
[CSG] interface serial 0/2/1:0
[CSG-Serial0/2/1:0] link-protocol atm
[CSG-Serial0/2/1:0] undo shutdown
[CSG-Serial0/2/1:0] quit
Step 4 Configure PWE3.

1.
Configure a remote MPLS LDP session between the CSG and RSG.
[CSG] mpls ldp
[CSG-mpls-ldp] quit
[CSG] mpls ldp remote-peer 2.2.2.2
[CSG-mpls-ldp-remote-2.2.2.2] remote-ip 2.2.2.2
[CSG-mpls-ldp-remote-2.2.2.2] quit

[RSG] mpls ldp
[RSG-mpls-ldp] quit
[RSG] mpls ldp remote-peer 1.1.1.1
[RSG-mpls-ldp-remote-1.1.1.1] remote-ip 1.1.1.1
[RSG-mpls-ldp-remote-1.1.1.1] quit
# Run the display mpls ldp session all command on the CSG and RSG. The LDP session
is in the Operational state. In this example, LDP session information on the CSG is
displayed.
[CSG] display mpls ldp session all
-----------------------------------------------------------------------------PeerID
Status
LAM SsnRole SsnAge
KASent/Rcv
-----------------------------------------------------------------------------2.2.2.2:0
Operational DU
Passive 0000:00:47 190/190
3.3.3.3:0
Operational DU
Passive 0000:00:47 190/190
Issue 02 (2013-12-31)

1846

Equipment
2.
6 WAN Access
Enable L2VPN and configure PWE3.

# Configure PWE3 on the ATM bundle interfaces of the CSG.
[CSG] mpls l2vpn
[CSG-l2vpn] quit
[CSG-Atm-Bundle1] mpls l2vc 2.2.2.2 100 tunnel-policy policy1 control-word
[CSG-Atm-Bundle2] mpls l2vc 2.2.2.2 200 tunnel-policy policy1 control-word
# Configure PWE3 on the AC sub-interfaces of the RSG.

[RSG] mpls l2vpn
[RSG-l2vpn] quit
[RSG] interface atm1/0/0.1
[RSG-Atm1/0/0.1] pvc 1/33
[RSG-atm-pvc-Atm1/0/0.1-1/33] quit
[RSG-Atm1/0/0.1] mpls l2vc 1.1.1.1 100 tunnel-policy policy1 control-word
[RSG-Atm1/0/0.1] quit
[RSG] interface atm1/0/0.2
[RSG-Atm1/0/0.2] pvc 2/33
[RSG-atm-pvc-Atm1/0/0.2-2/33] quit
[RSG-Atm1/0/0.2] mpls l2vc 1.1.1.1 200 tunnel-policy policy1 control-word
[RSG-Atm1/0/0.2] quit

Run the display mpls l2vc command on the CSG and RSG. Both PWs are Up.
# Display PW information on ATM bundle 1.
<CSG> display mpls l2vc interface Atm-Bundle 1
*client interface
: Atm-Bundle1 is up
Administrator PW
: no
session state
: up
AC state
: up
VC state
: up
Label state
: 0
Token state
: 0
VC ID
: 100
VC type
: ATM AAL5 SDU
destination
: 2.2.2.2
local group ID
: 0
remote group ID
local VC label
: 1025
remote VC label
max ATM cells
: 28
ATM pack overtime
: 1000
seq-number
: disable
local AC OAM State
: up
local PSN State
: up
local status code
: 0x0
remote AC OAM state
: up
remote PSN state
: up
remote status code
: 0x0
: no
BFD for PW
: unavailable
VCCV State
: up
manual fault
: not set
active state
: active
forwarding entry
: exist
link state
: up
local VC MTU
: 1500
remote VC MTU
local VCCV
: cw alert ttl lsp-ping bfd
Issue 02 (2013-12-31)

: 0
: 1028
: 1500
1847

Equipment
remote VCCV
local control word
tunnel policy name
traffic behavior name
PW template name
Switchover Flag
NO.0 TNL type
Backup TNL type
create time
up time
last change time
VC last up time
VC total up time
CKey
NKey
PW redundancy mode
AdminPw interface
AdminPw link state
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
6 WAN Access
cw alert ttl lsp-ping bfd
enable
remote control
policy1
--primary
false
1 tunnels/tokens
cr lsp, TNL ID : 0x800001
lsp
, TNL ID : 0x0
0 days, 1 hours, 0 minutes,
2010/11/10 11:16:04
4
3
frr
---
word
: enable
5 seconds
5 seconds
5 seconds
5 seconds
# Display PW information on ATM bundle 2.

<CSG> display mpls l2vc interface Atm-Bundle 2
*client interface
: Atm-Bundle2 is up
Administrator PW
: no
session state
: up
AC state
: up
VC state
: up
Label state
: 0
Token state
: 0
VC ID
: 100
VC type
: ATM AAL5 SDU
destination
: 2.2.2.2
local group ID
: 0
remote group ID
: 0
local VC label
: 1027
remote VC label
: 1032
max ATM cells
: 28
ATM pack overtime
: 1000
seq-number
: disable
local AC OAM State
: up
local PSN State
: up
local status code
: 0x0
remote AC OAM state
: up
remote PSN state
: up
remote status code
: 0x0
: no
BFD for PW
: unavailable
VCCV State
: up
manual fault
: not set
active state
: active
forwarding entry
: exist
link state
: up
local VC MTU
: 1500
remote VC MTU
: 1500
local VCCV
remote VCCV
local control word
: enable
remote control word : enable
tunnel policy name
: policy1
traffic behavior name : -PW template name
: -primary or secondary
: primary
Switchover Flag
: false
: 1 tunnels/tokens
NO.0 TNL type
: cr lsp, TNL ID : 0x800001
Backup TNL type
: lsp
, TNL ID : 0x0
create time
up time
Issue 02 (2013-12-31)

1848

Equipment
last change time
VC last up time
VC total up time
CKey
NKey
PW redundancy mode
AdminPw interface
AdminPw link state
:
:
:
:
:
:
:
:
6 WAN Access
2010/11/10 11:16:04
4
3
frr
---
----End
Configuration Files
l
Configuration file of the CSG

#
sysname CSG
#
mpls lsr-id 1.1.1.1
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
mpls l2vpn
#
mpls ldp
#
#
remote-ip 2.2.2.2
#
interface Atm-Bundle1
mpls l2vc 2.2.2.2 100 tunnel-policy policy1 control-word
#
interface Atm-Bundle2
#
link-protocol atm
undo shutdown
#
interface Serial0/2/0:0.1
pvc 1/33
atm-bundle 1
#
pvc 2/33
atm-bundle 2
#
link-protocol atm
undo shutdown
#
pvc 3/33
atm-bundle 1
#
pvc 4/33
atm-bundle 2
#
Issue 02 (2013-12-31)

1849

Equipment
6 WAN Access
undo shutdown
ip address 172.0.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
destination 2.2.2.2
mpls te commit
#
ospf 100
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 172.0.1.0 0.0.0.255
mpls-te enable
#
#
return
Configuration file of the RSG

#
sysname RSG
#
mpls lsr-id 2.2.2.2
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
mpls l2vpn
#
mpls ldp
#
#
remote-ip 1.1.1.1
#
undo shutdown
ip address 172.0.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Atm1/0/0
undo shutdown
#
interface Atm1/0/0.1
pvc 1/33
#
interface Atm1/0/0.2
pvc 2/33
#
interface LoopBack1
Issue 02 (2013-12-31)

1850

Equipment
6 WAN Access
ip address 2.2.2.2 255.255.255.255

#
destination 1.1.1.1
mpls te commit
#
ospf 100
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 172.0.1.0 0.0.0.255
mpls-te enable
#
#
return
Example for Configuring ATM OAM

ATM OAM detects link continuity in real time without having to interrupt services.
Prerequisites
The following tasks must be completed before configuring ATM OAM.
l
Configure physical attributes for IMA group sub-interfaces or serial sub-interfaces on

ATN.
Configure ATM PVC.
As shown in Figure 6-10, a UNIs-NNI ATM service from Node B to RNC is created. The service
is connected to Node B through PE1, and is connected to RNC through NE2. The service type
is N-to-1 VCC. PE1 is connected to Node B through VPI/VCI 32/33. The ATM service needs
to be checked. The connectivity of services only in the direction from Node B to PE1 and from
RNC to PE2 can be checked. Enable the CC and LB functions to check whether the link is
normal. If the services are unavailable over the link, an alarm is reported. ATN is used as PE1
and CX600 is used as PE2.
This example illustrates how to configure ATM OAM using the following tasks.
l
Configure the forward CC function from PE1 to PE2.
Configure the forward remote cell loopback function from PE1 to PE2.
NOTE
For ATM OAM, the forward direction refers to the AC-to-PW direction, or the Node B-to-PE1 or RNCto-PE2 direction in Figure 6-10. The backward direction refers to the PW-to-AC direction, or the PE1-toNode B or PE2-to-RNC direction in Figure 6-10.
Issue 02 (2013-12-31)

1851

Equipment
6 WAN Access
Figure 6-10 Networking diagram for configuring ATM OAM

Loopback1
3.3.3.3/32
Loopback1
4.4.4.4/32
MPLS
Network
IMA-group
0/2/1.1
(STM-1) ATM 3/0/1
PW
NodeB
PE1
PE2
RNC
Table 6-7 Description of the networking diagram for configuring ATM OAM
Parameter
Value
Interface on PE1
IMA-group 0/2/1.1
VPI/VCI for PE1 to connect to

Node B
32/33, 33/33
Connection point attribute of PE1
seg-point
LLID for PE2
00-01-02-03-04-05-06-07-08-09-10-11-12-13-14-15
IP address of PE2 loopback

interface
4.4.4.4/32
1.
Configure the connection point attributes.
2.
Activate the CC function.
3.
Activate the cell loopback function so that cells are looped back at PE2.
Data Preparation
l
VPI/VCI for PE1 to connect to Node B
LLID of PE2
Procedure
Step 1 Configure the connection point attribute for PVC.
# Configure PE1.
<ATN> system-view
[ATN] interface ima-group 0/2/1.1
[ATN-Ima-group0/2/1.1] pvc num1 32/33
[ATN-ima-pvc-Ima-group0/2/1.1-32/33-num1] oam
[ATN-Ima-group0/2/1.1-fatm-oam] attribute 32/33 seg-point forward
Issue 02 (2013-12-31)

1852

Equipment
6 WAN Access
[ATN-Ima-group0/2/1.1-fatm-oam] quit
[ATN-Ima-group0/2/1.1] map pvc 10/20 bidirectional
[ATN-Ima-group0/2/1.1-fatm-oam] attribute 33/33 seg-point forward
Step 2 Activate the CC function for PVC 32/33.

# Configure PE1.
[ATN-Ima-group0/2/1.1-fatm-oam] cc 32/33 segment source backward
Step 3 Activate the cell loopback function for PVC 33/33 so that cells are looped back at PE2.
# Configure PE1.
[ATN] pw-template pe1tope2
[ATN-pw-template-pe1tope2] peer-address 4.4.4.4
[ATN-pw-template-pe1tope2] quit
[ATN] interface ima-group 0/2/1.1
[ATN-Ima-group0/2/1.1] mpls l2vc pw-template pe1tope2 200
[ATN-Ima-group0/2/1.1-fatm-oam] loopback 33/33 seg-loopback llid 00-01-02-03
-04-05-06-07-08-09-10-11-12-13-14-15 forward 3

# View OAM configurations on PE1.
[HUAWEI] display atm oam configuration ima-group 0/2/1.1
Interface
PVC/PVP
Attribute CC func
CC dir CC attr Direction
-------------------- ---------- --------- -------- ------ ------- --------Ima-group0/2/1.1
32/33
seg-point enable
source segment forward
Ima-group0/2/1.1
32/33
----disabled
------backward
Ima-group0/2/1.1
33/33
seg-point disabled
------forward
Ima-group0/2/1.1
33/33
----disabled
------backward
Current displayed item(s) is : 4
----End
Configuration File
#
sysname PE1
#
llid 01-02-03-04-05-06-07-08-09-10-11-12-13-14-15-16
#
controller E1 0/2/1
channel-set 1 timeslot-list 1-15,17-31
undo shutdown
#
interface Ima-group0/2/1
#
interface Ima-group0/2/1.1
pvc num1 32/33
pvc num2 33/33
oam
attribute 32/33 seg-point forward
cc 32/33 segment source backward
attribute 33/33 seg-point forward
Issue 02 (2013-12-31)

1853

Equipment
6 WAN Access
6.7 TDM Configuration

This chapter describes the basic information about the TDM, and describes how to configure
the TDM service.
6.7.1 CES Overview

This section briefly introduces CES and describes CES service features supported by the
ATN.
Introduction to CES
Circuit emulation service (CES) applies the PWE3 emulation technology. For a CES service,
the PWE3 packet headers contain the frame format information, alarm information, signaling
information, and synchronous timing information of the TDM service flow. After encapsulated
by the IP/UDP, MPLS, or L2TP protocol, the PW packets are transported over the tunnel in the
PSN network. When reaching the PW egress, the PW packets are decapsulated to rebuild the
TDM circuit-switching service flow.
The ATN supports two types of CES services: structure-aware TDM circuit emulation service
over packet switched network (CESoPSN) and structure-agnostic TDM over packet (SAToP).
In the structure-aware TDM circuit emulation service over packet switched network (CESoPSN)
mode:
l
The ATN senses frame structures, frame alignment modes and timeslots in the TDM circuit
The ATN processes the overhead and extracts the payload in TDM frames. Then, the
ATN delivers the timeslot of each channel to the packet payload according to certain
sequence. As a result, the service in each channel in the packet is fixed and visible.
Each Ethernet frame that carries the CES service loads TDM frames of a fixed number.
The ATN provides the compression function to save the transmission bandwidth.
In the structure-agnostic TDM over packet (SAToP) mode:

l
The equipment regards TDM signals as constant rate bit flows, instead of sensing structures
in the TDM signals. The entire bandwidth of TDM signals is emulated.
The overhead and payload in the TDM signal are transparently transmitted.
The Ethernet frame carries the CES service. By default, the loading time is 1 ms.
CES Service Features Supported by the ATN

This section describes the CES service features supported by the ATN.
ATN supports the following basic and extended functions.
Issue 02 (2013-12-31)

1854

Equipment
6 WAN Access
Table 6-8 Basic CES service function and extended functions supported by ATN
Function Type
Basic function
TDM
transparent cell
transport
Extended
functions
At the AC Side
At the PW Side
Supporting serial
interfaces
encapsulated with
the TDM protocol,
including the
channelized serial
interfaces of the E1/
T1.
l Local CCC
l SVC
l PWE3
MPLS OAM/BFD for PW

Supporting alarm transmission through E1 interfaces:
l Alarm detection on E1/T1 interfaces
l Alarm transparent transport through E1/T1 interfaces
Supporting the clock function:
l Line clock
l System clock
CES service can be encapsulated in the following two modes:

Table 6-9 Encapsulation modes of CES service
Encapsulation
Mode
Applicable Link
Description
SAToP
clear channel E1/T1
l In this mode, it is not required to protect

the integrity of the structure and to
explain or operate each timeslot
channel.
l This mode is applied to the PSN
network of good transmission
performance, on which channels are
not distinguished and the TDM
signaling is not disrupted.
l Currently, the MPLS encapsulation is
supported.
Issue 02 (2013-12-31)

1855

Equipment
6 WAN Access
Encapsulation
Mode
Applicable Link
Description
CESoPSN
Channelized E1/T1
l This mode is applied to the PSN

network on which the explicit
protection of the TDM structure is
required during data transmission.
l This mode is applicable to the PSN
network of low transmission
performance.
l Currently, the MPLS encapsulation is
supported.
NOTE
When configuring the multi-hop PW on the switching node, you must use either the SAToP mode or the
CESoPSN mode according to the configuration types of PWs at both sides.
The supported TDMoPSN key technologies are as follows:

l
Data jitter buffer

After traversing a PSN and reaching the egress PE, PW packets may have different arrival
intervals that results in packet disorder.
The jitter buffer of a larger capacity can accept a greater jitter in the transmission interval
of packets on the network, but causes a longer delay in the reconstruction of TDM service
flows.
Therefore, you must configure the capacity of a jitter buffer flexibly based on the delay and
jitter of different networks.
Configuring the number of TDM frames encapsulated in a PW packet

PW packets of less packed frames can be transmitted with less delay but more cost on
packing; PW packets of more packed frames can be transmitted with high bandwidth usage
but more delay caused by packing.
6.7.2 Configuring a Serial Interface

You can configure a serial interface and configure the operating mode, coding format, and frame
format for serial interfaces.

Before configuring a CES service interface, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This can help
Synchronous serial interfaces on CE1/CT1 interfaces can be used as CES service interfaces.
Issue 02 (2013-12-31)

1856

Equipment
6 WAN Access
NOTICE
successfully.
l Disabling the CE1/CT1 interface may affect the normal operation of its channel-set.
Before configuring CE1/CT1 interfaces, complete the following task:
l
Data Preparation
No.
Data
CE1/CT1 interface number of the ATN
Number of the channel into which the timeslots of the CE1/CT1 interface are bound
Configuring the TDM Protocol on a Serial Interface

When synchronous serial ports carry CES services, the link-layer protocol type must be set for
the synchronous serial ports so that the ports are up.
Context
The link-layer protocol type determines the link-layer frame format of data on serial ports.
By default, a protocol is not configured at a synchronous serial port. When configuring a CES
service, set the link-layer protocol type to TDM.
Perform the following operations on ATN.
Procedure
Step 1 Run:
system-view

Step 2 Run:
Issue 02 (2013-12-31)

1857

Equipment
6 WAN Access

Step 3 Run:
link-protocol tdm
The link layer protocol type is configured on the interface.

----End

After a synchronous serial interface is configured, you can view the configuration information
of the serial interface.
Prerequisites
The configurations of the serial interface is complete.
Procedure
Step 1 Run the display interface serial [ interface-number ] [ | { begin | exclude | include } regularexpression ] command to check the status and statistics of a synchronous serial interface.
Step 2 Run the display interface brief [ | { begin | include | exclude } regular-expression ] command
to check brief information about a synchronous serial interface.
----End
6.7.3 Configuring a CES Service

This section describes how to configure a CES service.

Before configuring a CES service, familiarize yourself with the applicable environment,
Services of the 2G RAN network, mainly a small number of voice services, are transmitted over
TDM links. Generally, one to three E1 interfaces on a BTS are connected to a BSC. Some mobile
carriers do not own fixed network infrastructure, and therefore have to lease E1 lines of the fixed
network at a high price.
With the introduction of CES services, the services between the BTSs and BSCs in the same
city can be transparently transmitted over TDM links in a Metro Ethernet (ME) network. Data
of the Fractional E1 interface can be transmitted from the GSM BTS to BSC in the mode of
structuralized TDM circuit emulation.
A pseudo wire (PW) is established between ATN through VLL or PWE3 to transparently
transmit TDM frames.
Issue 02 (2013-12-31)

1858

Equipment
6 WAN Access
Before configuring a CES service, complete the following tasks on the routers at both ends of
the PW:
l
Enabling MPLS L2VPN
Configuring IGP routing protocol
Data Preparation
To configure a CES service, you need the following data.
No.
Data
Coding mode and frame format of each E1/CE1 or T1/CT1 interface
IP address of the peer PE
VC ID of the dynamic PW
Tunnel selecting policy for the PW template
Configuring the PW
The types of PWs that can be established in CES are local CCC, SVC, and PWE3.
Context
configurations, whereas devices inside the PSN do not need the following configurations.
At present, the following PW types are supported:
l
Local CCC
SVC
PWE3
Referring to the configuration of a PW, take the dynamic PWE3 as an example.

NOTE
l When configuring the PW, you need to set the following parameters; otherwise, the system uses the
default value:
l To set the depth of the jitter buffer, run: jitter-buffer depth depth
l To set the number of TDM frames encapsulated in a CESoPSN or SAToP packet, run: tdmencapsulation-number number
Issue 02 (2013-12-31)

1859

Equipment
6 WAN Access
Procedure
l

1.
Run:
system-view

2.
Run:

3.
Run:

4.
Run:
A policy is configured for the PW template to select tunnels.

Before importing a policy, you should configure the policy and use the tunnel
binding destination command to define entries in the policy.
5.
(Optional) Run:
jitter-buffer depth depth
The depth of the jitter buffer is set.

6.
Run:
tdm-encapsulation-number number
The number of TDM frames encapsulated in a CESoPSN or SAToP packet is set.

7.
(Optional) Run:
rtp-header
The RTP header carried in the TDM transparent transmission encapsulation is

configured.
8.
Run:
quit

9.
Run the following command according to interface types:

In the case of the E1/CE1 interface, to enter the view of the serial interface
channelized from the E1/CE1 interface, run: interface serial controller-number
: set-number
In the case of the CPOS interface, to enter the view of the serial interface
channelized from the CPOS interface, run: interface serial controller-number/e1number : set-number
10. Run:
mpls l2vc pw-template pw-template-name vc-id [ group-id group-id | tunnelpolicy policy-name | [ control-word | no-control-word ] | secondary |
jitter-buffer depth | tdm-encapsulation number | tdm-sequence-number |
rtp-header | ignore-standby-state ] *
Issue 02 (2013-12-31)

1860

Equipment
6 WAN Access
l

1.
Run:
system-view

2.
Run the following command according to interface types:

In the case of the CE1 interface, to enter the view of the serial interface channelized
from the CE1 interface, run: interface serial controller-number : set-number
3.
Run:
mpls l2vc ip-address vc-id [ group-id group-id | tunnel-policy policyname | [ control-word | no-control-word ] | secondary | jitter-buffer
depth | tdm-encapsulation number | tdm-sequence-number | rtp-header |
ignore-standby-state ] *
4.
Run:
quit
Exit from the serial interface view.

----End
Configuring a Local CES Service

To configure the local CES Service, you need to create a local CCC connection and only
configure the incoming and outgoing interfaces of the CCC connection on a local PE. The local
CCC connection is bidirectional and thus only one such connection needs to be created.
Prerequisites
Before configuring a local CES Service, complete the following tasks:
Configuring the synchronous serial ports. For detals, see 6.7.2 Configuring a Serial
Interface.
Context
The local CCC connection is bidirectional, and thus only one connection is required.
Do as follows on the PEs:
Procedure
Step 1 Run:
system-view

Step 2 Run:
ccc ccc-connection-name interface interface-type1 interface-number1 out-interface
interface-type2 interface-number2
Issue 02 (2013-12-31)

1861

Equipment
6 WAN Access
A local CCC connection is created.

----End
Follow-up Procedure
After the configuration mentioned above on the PE, a local CCC connection is created.

After a CES service is configured, you can not only view configurations and statuses of E1/CE1
interfaces; but also view information about the static PW and dynamic PW.
Context
Procedure
l
Run the display controller e1 controller-number command to check the configuration and
status of the E1/CE1 interface.
Run the display mpls static-l2vc [ vc-id |interface interface-type interface-number |

state { down | up } ] or display mpls static-l2vc brief command to check information
about the static PW.
Run the display mpls l2vc [ vc-id | interface interface-type interface-number ] or display
mpls l2vc brief command to check information about the dynamic PW.
----End

Example for Configuring TDMoPSN

CES transparent cell transport provides a new alternative for wireless operators. Through TDM
transparent cell transport, services between the BTSs and BSCs in the same city can be
transparently transmitted over CES links in a Metro Ethernet (ME) network. Data of the
fractional E1 interface can be transmitted from the GSM BTS to BSC in the mode of
structuralized CES circuit emulation.
Generally, on a 2G RAN, one to three E1 interfaces on a BTS are connected to a BSC. Some
mobile operators do not own fixed network infrastructure, and have to rent E1 lines of fixedline network operators at a high price. By deploying CESoPSN service, that is, CES transparent
transmission on a 2G RAN, these mobile operators can achieve transparent transmission of 2G
services between the BTSs and BSCs in the same city over CES links in a Metro Ethernet (ME)
network, which is both simple and cost-saving.
Issue 02 (2013-12-31)

1862

Equipment
6 WAN Access
As shown in Figure 6-11, it is required that the BTS and PE1 should be connected through two
E1 links. The BSC and PE2 should be connected through the CPOS interface. On the channelized
serial interface of E1 links, configure the encapsulation protocol as CES. Then, a PW is set up
between PE1 and PE2 to transparently transmit TDM data.
Figure 6-11 Networking diagram of configuring TDMoPSN
E1 0/2/1
E1 0/2/2
2TDM E1
GE0/2/4
GE1/0/0
PE1
GE2/0/0
GE2/0/0
P
PWE3 TDM
Transparent Cell Transport
CPOS3/0/1
PE2
BSC
STM-1
BTS
Router
Interface
IP Address
PE1
GE 0/2/4
10.1.1.1/24
Loopback0
192.2.2.2/32
GE 1/0/0
10.1.1.2/24
GE 2/0/0
10.2.1.1/24
Loopback0
192.4.4.4/32
GE 2/0/0
10.2.1.2/24
Loopback0
192.3.3.3/32
PE2
1.
Run the IGP protocol on the backbone network so that devices can communicate with each
other.
2.
Configure basic MPLS functions on the backbone network, and configure MPLS L2VPN
functions on PE devices. Establish the remote MPLS LDP peer relationship between PEs
at both ends of the PW.
3.
Configure parameters for the TDM interface.
4.
Configure the PW template.
5.
Establish MPLS L2VC connections on PEs.
Data Preparation
Issue 02 (2013-12-31)

1863

Equipment
L2VC IDs at both ends of the PW (must be the same)
MPLS LSR IDs of the PEs and P router
IP addresses of the remote peers of PEs
Coding mode and frame format of the E1/CE1 interface
6 WAN Access
Procedure
Step 1 Run the IGP protocol on the backbone network so that devices can communicate with each other.
For detailed configurations, see the configuration file of this example.
Step 2 Configure basic MPLS functions on the backbone network, and configure MPLS L2VPN
functions on PE devices. Then, establish the remote MPLS LDP peer relationship between PEs
at both ends of the PW. For detailed configurations, see the configuration file of this example.
The remote MPLS LDP peer relationship is required only for the dynamic PW.
Step 3 Configure parameters for the TDM interface.
1.
Configure PE1.
# Configure the channelized mode and CRC4 frames for CE1 0/2/1 and CE1 0/2/2 on PE1.
NOTE
The ATNs support any of the following modes for binding timeslots to form a synchronous serial
interface:
transmit signaling information (applicable when ATM, PPP, or TDM is specified as the linklayer protocol on an interface).
timeslots 0 and 16 are used to transmit signaling information (applicable when ATM, PPP, or
TDM is specified as the link-layer protocol on an interface).
l Bundling of any timeslots in timeslots 131, with timeslot 0 used to transmit signaling
information. For AND1ML1A and AND1D1ML1, a timeslot range with two or more timeslots
can be specified for bundling. For AND2ML1A, AND2ML1B, AND1MD1A, and
AND1MD1BAND3ML1A, AND3ML1B, AND2MD1A, and AND2MD1B, a timeslot range
with one or more timeslots can be specified for bundling. This type of bundling is applicable
when TDM is specified as the link-layer protocol at an interface.
[PE1-E1 0/2/1] using ce1
[PE1-E1 0/2/1] frame-format crc4
[PE1-E1 0/2/1] quit
[PE1-E1 0/2/2] using ce1
[PE1-E1 0/2/2] frame-format crc4
[PE1-E1 0/2/2] quit
2.
Configure PE2.
# Set parameters for the CPOS interface on PE2.
Issue 02 (2013-12-31)

1864

Equipment
6 WAN Access
NOTE
The CXs support any of the following modes for binding timeslots to form a synchronous serial
interface:
transmit signaling information.
timeslots 0 and 16 are used to transmit signaling information.
[PE2] controller cpos 3/0/1
[PE2-Cpos3/0/1] e1 1 channel-set 1 timeslot-list 1-15 ts0
[PE2-Cpos3/0/1] e1 2 channel-set 2 timeslot-list 16-31 ts0
Step 4 Configure the encapsulation protocol on the serial interface as TDM.

1.
Configure PE1.
[PE1-Serial0/2/1:1] link-protocol tdm
2.
Configure PE2.
Step 5 Configuring the PW.

1.

[PE1-pw-template-1to3] jitter-buffer depth 8
[PE1-pw-template-1to3] tdm-encapsulation-number 24
[PE1-Serial0/2/1:1] mpls l2vc pw-template 1to3 100 control-word
2.
Configure PE2.
[PE2-pw-template-3to1] jitter-buffer depth 8
[PE2-pw-template-3to1] tdm-encapsulation-number 24
[PE2-Serial3/0/1:1] undo shutdown
[PE2-Serial3/0/1:2] undo shutdown

Run the display mpls l2vc command on PEs. You can view that the status of the PW is Up.
<PE1> display mpls l2vc interface serial0/2/1:1
*client interface
: Serial0/2/1:1 is up
Issue 02 (2013-12-31)

1865

Equipment
6 WAN Access
Administrator PW
: no
session state
: up
AC state
: up
VC state
: up
Label state
: 0
Token state
: 0
VC ID
: 100
VC type
: CESoPSN basic mode
destination
: 192.3.3.3
local group ID
: 0
remote group ID
: 0
local VC label
: 16
remote VC label
: 16
TDM encapsulation number: 24
jitter-buffer
: 8
idle-code
: ff
rtp-header
: enable
local AC OAM State
: up
local PSN OAM State
: up
local status code
: 0x0
remote AC OAM state
: up
: up
remote status code
: 0x0
: no
Dynamic BFD for PW
: enable
Detect Multipier
: 3
Min Transit Interval
: 1500
Max Receive Interval
: 1500
Dynamic BFD Session
: built
BFD for PW
: unavailable
VCCV State
: up
manual fault
: not set
active state
: active
forwarding entry
: exist
link state
: up
local VC MTU
: 2000
remote VC MTU
: 1500
local VCCV
remote VCCV
local control word
: enable
remote control word : enable
tunnel policy name
: -traffic behavior name : -PW template name
: 1to3
: primary
load balance type
: flow
Access-port
: false
Switchover Flag
: false
: 1 tunnels/tokens
NO.0 TNL type
: lsp
, TNL ID : 0x392
Backup TNL type
: lsp
, TNL ID : 0x0
create time
up time
last change time
VC last up time
: 2011/04/11 10:36:45
VC total up time
CKey
: 2
NKey
: 1
PW redundancy mode
: frr
AdminPw interface
: -Diffserv Mode
: pipe
Service Class
: ef
Color
: green
DomainId
: -Domain Name
: --
----End
Issue 02 (2013-12-31)

1866

Equipment
6 WAN Access
Configuration Files
l

#
sysname PE1
#
mpls
#
mpls l2vpn
#
pw-template 1to3
jitter-buffer depth 8
tdm-encapsulation-number 24
#
mpls ldp
#
remote-ip 192.3.3.3
#
controller e1 0/3/1
using ce1
frame-format crc4
undo shutdown
#
controller e1 0/2/2
using ce1
frame-format crc4
undo shutdown
#
link-protocol tdm
mpls l2vc pw-template 1to3 100 control-word
undo shutdown
#
link-protocol tdm
undo shutdown
#
undo shutdown
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 192.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 192.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return

#
sysname PE2
#
mpls
#
mpls l2vpn
Issue 02 (2013-12-31)

1867

Equipment
6 WAN Access
#
pw-template 3to1
jitter-buffer depth 8
tdm-encapsulation-number 24
#
mpls ldp
#
remote-ip 192.2.2.2
#
controller cpos 3/0/1
e1 1 channel-set 1 timeslot-list 1-15 ts0
e1 2 channel-set 1 timeslot-list 16-31 ts0
#
link-protocol tdm
undo shutdown
#
link-protocol tdm
undo shutdown
#
undo shutdown
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 192.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 192.3.3.3 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return
#
sysname P
#
mpls
#
mpls ldp
#
undo shutdown
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
undo shutdown
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 192.4.4.4 255.255.255.255
#
ospf 1
area 0.0.0.0
Issue 02 (2013-12-31)

1868

Equipment
6 WAN Access
network 192.4.4.4 0.0.0.0

network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return
6.8 xDSL Configuration

Context
NOTE
Only the ATN 910 supports xDSL Interfaces.
6.8.1 Introduction to xDSL

To provide high speed downlink packet access (HSDPA) services over a 3G mobile
communication network, the xDSL feature can be used to transmit data services over an xDSL
wholesale managed service (WMS) network to reduce the transmission cost.
Overview
Offload is important for a mobile communication network. When offload applies, ATN transmits
the services received from base stations over different links. Specifically, ATN transmits
traditional voice services (such as 2G and 3G R99 CS) over E1 private lines, ensuring high QoS,
low delay, and high reliability, and transmits high-bandwidth packet services such as HSDPA,
which have a low requirement for delay, using xDSL (for example, over an xDSL WMS
network). An xDSL network features high bandwidth but low cost, and therefore effectively
reduces the transmission cost when transmitting HSDPA services. After xDSL is configured on
ATN, HSDPA services are separated from voice services and transmitted to an xDSL network
for further transmission.
Generally, backhaul services between the base station and base station controller (BSC) are
transmitted over PDH or SDH microwave links or TDM E1 private lines leased from a fixed
network operator. This is the reason why the offload solution and xDSL feature are used. With
service development, the base station backhaul requires increasing bandwidth and the traditional
audio service takes a decreasing proportion. On this condition, leasing more costly E1 links to
increase the backhaul bandwidth is not economical. The offload solution uses the xDSL feature
to offload bandwidth-eating data services onto a less expansive xDSL WMS network. This
approach ensures quality transmission of voice services without having to lease more E1 lines.
Figure 6-12 shows the typical application scenario of xDSL.
Figure 6-12 Typical application scenario of xDSL
Wholesale xDSL
service
HSDPA
flow
Node B
Issue 02 (2013-12-31)
ATM
STM-1
DSLAM
IMA
ATN
R99 flow
Leased line

CX600
1869

Equipment
6 WAN Access
ATN receives services (including R99 and HSDPA services, which are identified by VPI/VCI
carried service packets) from Node B over links in the AC-side ATM IMA group and sends
them to CX600, which aggregates and sends the services to RNC. The mobile backhaul process
is as follows:
l
Signaling Flow and R99 Service Flow:

ATN at an access site sends the signaling flow and R99 service flow over IMA E1 links to
CX600 at the aggregation site.
HSDPA Service Flow:

ATN at an access site encapsulates ATM packets in PWE3, then into tunnels according to
the xDSL WMS network, and finally into Ethernet packets. Then the xDSL subboard
performs EFM encapsulation, PTM encapsulation, or AAL5 adaptation and ATM
encapsulation. After that, xDSL PICs send the services to DSLAM over xDSL links.
When receiving the services, DSLAM terminates xDSL physical encapsulation and
ATM, PTM, or EFM encapsulation to recover Ethernet packets, and then sends the Ethernet
packets to CX600 over an xDSL WMS network (such as Layer 2 Ethernet switching
network or IP forwarding network).
When receiving the Ethernet packets, CX600 decapsulates them to recover ATM packets
and then sends the ATM packets to RNC over ATM STM-1 links.
xDSL Features Supported by ATN

The xDSL features supported by ATN are classified into ADSL2+, VDSL2, and SHDSL.
Key Technologies
ADSL
ADSL provides high bandwidth on telephone wires and transmits digital information for resident
or enterprise users. Unlike the planned dial-up telephone services, ADSL provides constant
online connections. ADSL uses the major part of service channel bandwidth for downstream
transmission but the minor part for upstream transmission. In other words, ADSL provides a
high-speed channel for downstream transmission. ADSL2+ is a technology extended based on
the ADSL technology. ADSL2+ supports a maximum downstream rate of 24 Mbit/s, a maximum
upstream rate of 2.5 Mbit/s, and a maximum reach of 6.5 km.
In a mobile backhaul network, ADSL mainly carries data services. The ADV8A PIC is not
recommended to carry voice services.
Very-High-Speed Digital Subscriber Line 2 (VDSL2)
VDSL2 is developed based on ITU-T Recommendation G.993.2 and is an extension to VDSL1,
which is developed based on ITU-T Recommendation G.993.1.
SHDSL
SHDSL is a new symmetric digital subscriber line technology based on HDSL, SDSL, and
HDSL2, and it is defined in ITU-T G.991.2. SHDSL uses the Trellis coded pulse amplitude
modulation (TC-PAM) technology to transfer high-speed data over common twisted pairs,
providing a new broadband access approach.
SHDSL.bis enhances SHDSL and is compatible with SHDSL.
Issue 02 (2013-12-31)

1870

Equipment
6 WAN Access
Port Working Mode

ATN supports working modes for ports: ATM, PTM, EFM, and IMA.
l
In ATM mode, an xDSL PIC encapsulates packets in AAL5 format, converts them into
ATM cells, processes them at the physical layer, and then sends them to an ATN device.
In PTM mode, an xDSL PIC directly encapsulates packets in PTM format, processes them
at the physical layer, and then sends them to an ATN device.
In EFM mode, an xDSL PIC directly encapsulates packets in EFM format, processes them
at the physical layer, and then sends them to an ATN device.
In IMA mode, an xDSL PIC encapsulates packets in AAL5 format, converts them into IMA
cells, processes IMA cells at the physical layer, and sends them to a CX600 device. When
receiving the IMA cells, the CX600 device multiplexes them to recover the original ATM
cells. In this manner, multiple low-rate links are flexibly multiplexed.
Interface Type
There are three types of interfaces about xDSL:
l
xDSL interfaces: They are physical interfaces on xDSL PICs, including ADSL2+,
VDSL2, and SHDSL interfaces.
Dsl-group interfaces: They are link-layer logical interfaces. In the Dsl-group interface, you
can set link-layer attributes for an xDSL PIC, including interface PVC, interface
encapsulation mode for AVD8A, interface encapsulation mode for AVD8B, interface
working mode for SHD4, and IMA group attributes for SHD4I.
VE interfaces: They are logical Layer 3 interfaces (You can also use the portswitch
command to switch them to Layer 2 interfaces.) used only on the NNI side to carry ETHoA
services. xDSL services must be configured at VE interfaces.
Before configuring an xDSL service, create a VEl interface and a Dsl-group interface, display
the Dsl-group interface view, and then configure link-layer attributes for the xDSL PIC. After
the preceding two types of interfaces are created, bind VE and Dsl-group interfaces first, and
then bind Dsl-group and xdsl interfaces. Then configure xDSL services on the VE interfaces so
that they are carried over the physical interfaces (xDSL).
NOTE
For SHD4I, a maximum of two VE interfaces can be configured on one PIC and xDSL services can be
separately configured for them. The tunnels configured at the VE interfaces can be configured into a
protection group.
Device Support for the Feature

The xDSL feature can be used to carry the following types of services:
l
CES services
ATM PWE3 services
Ethernet services
IP services
The following PICs support the xDSL feature:

l
Issue 02 (2013-12-31)
AVD8A, which is an ADSL PIC and can work only in ATM mode.
1871

Equipment
6 WAN Access
AVD8B, which is a VDSL2 PIC and can work only in PTM mode.
SHD4, which is an SHDSL PIC and can work in either ATM or EFM mode as specified.
When working in ATM mode, the SHD4 supports SHDSL.bis feature.
SHD4I, which is an SHDSL PIC and can work only in IMA mode.
Bind physical xDSL interfaces with Dsl-group interfaces according to the following notes:
l
For SHD4, only when it works in ATM mode, the binding relationships between Dsl-group
interfaces and physical xDSL interfaces can be manually specified. When it works in EFM
mode, the DSLAM device determines the binding relationships and ATN automatically
adapts itself to the DSLAM device.
For SHD4I, a Dsl-group interface is always bound to four physical xDSL interfaces.
6.8.2 Configuring xDSL Logical Interfaces

This section describes how to configure xDSL logical interfaces. Detailed operations include
Dsl-group interface configuration and Virtual-Ethernet interface configuration.
Establishing a Configuration Task

Before configuring an xDSL interface, familiarize yourself with the applicable environment,
xDSL uses three types of interfaces: xDSL, Dsl-group, and VE interfaces, which are physical
interfaces, link-layer logical interfaces, and Layer 3 logical interfaces. xDSL services are
configured on VE interfaces but carried on xDSL interfaces. Before configuring xDSL services,
bind xDSL, Dsl-group, and VE interfaces. After configuring a Dsl-group interface, you can
separately bind it to an xDSl or VE interface. Then a logical xDSL interface is available and
link-layer attributes can be configured for it, which must be consistent with those for the
interconnected DSLAM device. Then, you can configure xDSL services on a VE interface.
NOTICE
l If a physical interface on the device is connected to a cable, run the shutdown command to
shut down the interface to prevent the interface from being interfered.
Before configuring a dsl-group or a VE interface, complete the following tasks:
l
Power on ATN and ensure that there is no exception in the self-check.
Data Preparations
Prepare the following data before configuring a Dsl-group interface:
Issue 02 (2013-12-31)

1872

Equipment
6 WAN Access
No.
Data
xDSL PIC type used by ATN
Interface numbers for xDSL PICs on ATN
Link-layer configuration information of the interconnected DSLAM device
VE interface number
Creating Dsl-group Interfaces

Before configuring link-layer attributes for xDSL service interfaces, create Dsl-group interfaces
and bind them to physical xDSL interfaces.
Context
The maximum number of Dsl-group interfaces varies with PICs.
SHD4 may work in ATM or EFM mode. Before binding physical xDSL and Dsl-group interfaces
on SHD4, specify a proper working mode for the PIC.
l
For SHD4 in ATM mode and AVD8A, manually bind physical xDSL interfaces and Dslgroup interfaces.
For SHD4 in EFM mode and SHD4I, physical xDSL interfaces and Dsl-group interfaces
are automatically bound.
Perform the following operations on ATN:
Procedure
Step 1 Run the system-view command. Then the system view is displayed.
Step 2 Run the interface xdsl interface-number command. Then the xDSL interface view is displayed.
Step 3 Run the shutdown and undo shutdown commands to activate the physical xDSL interface.
Step 4 Run the interface dsl-group dsl-group-number command to create a Dsl-group interface.
Step 5 (Optional) Run the work-mode to specify a proper working mode for SHD4.
Step 6 (Optional) Run the add xdsl interface-number command to bind the physical xDSL interface
and Dsl-group interface.
Step 7 (Optional) Run the dsl-group enable command to enable the configuration for binding xDSL
interfaces and Dsl-group interfaces on SHD4 (in ATM mode) or AVD8A.
----End
(Optional) Configuring Link-Layer Attributes for Dsl-group Interfaces

Configure and activate link-layer attributes on Dsl-group interfaces for xDSL service interfaces.
The link-layer attribute configurations must be consistent with those for the interconnected
DSLAM device.
Issue 02 (2013-12-31)

1873

Equipment
6 WAN Access
Context
If SHD4 is used and it works in EFM mode, you do not need to configure link-layer attributes
for Dsl-group interfaces.
If AVD8B is used, you do not need to configure link-layer attributes for Dsl-group interfaces.
In other cases, you need to manually set link-layer attributes for Dsl-group interfaces. The linklayer attribute configuration items vary with PICs. Configure link-layer attributes according to
the PIC type.
SHD4 (in ATM Mode)
SHD4I
AVD8A
PVC
PVC
PVC
SHDSL.bis attribute
IMA group attribute
Encapsulation mode
Procedure
Step 2 Run the interface dsl-group dsl-group-number command. Then the Dsl-group interface view
is displayed.
Step 3 Run the pvc-set pvc-index vpi/vci command to configure PVC attributes for the Dsl-group
interface.
Step 4 (Optional) Run the bis disable command to disable the SHDSL.bis attribute for the Dsl-group
interface on SHD4.
Step 5 (Optional) Run the ima attr ver ver-number framelen len-number rx-minlink rx-linknumber tx-minlink tx-link-number command to configure IMA group attributes for the Dslgroup interface on SHD4I.
Step 6 (Optional) Run the reset ima command to restart the IMA group on SHD4I. After the restart,
the IMA group attribute configurations for the Dsl-group interface take effect.
Step 7 (Optional) Run the encape-mode command to specify a proper encapsulation mode for the Dslgroup interface on AVD8A.
----End
Creating a VE Interface
Before creating a VE interface, ensure that the physical board in the specified slot exists.
Procedure
Step 1 Run:
system-view

Step 2 Run:
Issue 02 (2013-12-31)

1874

Equipment
6 WAN Access
ve-number
A VE interface is created and the VE interface view is displayed.

The parameter ve-number specifies the number of a VE interface, including slot/card/serial. The
range of the serial number is 0 for AND1SHD4, 0 or 1 for AND1SHD4I and 0 to 3 for
AND1AVD8A/AND1AVD8B.
----End
Binding Dsl-group and VE Interfaces

Though xDSL services are carried over physical xDSL interfaces on PICs, they must be
configured on VE interfaces. To bind physical xDSL and VE interfaces, bind VE and Dsl-group
interfaces and then bind Dsl-group and physical xDSL interfaces.
Prerequisites
A Dsl-group interface and a VE interface have been configured.
Context
The binding relationships between VE ports and Dsl-group ports vary with PICs.
l
For SHD4, the Dsl-group and VE ports are unique, and can be directly bound.
For SHD4I, the Dsl-group port is unique and a maximum of two VE ports can be configured
(for service protection). The Dsl-group port can be bound to or released from the two VE
ports separately.
For AVD8A, a maximum of four Dsl-group ports and four VE ports can be configured.
Dsl-group ports 0-3 must be bound to VE ports 0-3, respectively.
Procedure
Step 2 Run the interface dsl-group dsl-group-number command. Then the Dsl-group interface view
is displayed.
Step 3 Run the bind virtual-ethernet ve-number command to bind a VE interface to a Dsl-group
interface.
----End

After a Dsl-group or a VE interface is configured, you can view configurations and status of the
physical xDSL interface ,Dsl-group interface and VE interface.
Prerequisites
A Dsl-group interface has been configured.
Issue 02 (2013-12-31)

1875

Equipment
6 WAN Access
Procedure
l
Run the display interface dsl-group dsl-group-number command to view configurations

and status of the Dsl-group interface.
Run the display interface xdsl interface-number command to view configurations and
status of the physical xDSL interface.
Run the display interface virtual-ethernet [ ve-number ] command to check the status of
a VE interface.
----End

Example of Configuring ETH Forwarding-Based xDSL Services

This section describes how to configure ETH forwarding-based xDSL services that traverse a
wholesale xDSL network on the ATN.
In Figure 6-13, PE1 (ATN) receives services (including R99 and HSDPA services, which are
identified by VPI/VCI carried service packets) from Node B over links in the AC-side ATM
IMA group and sends them to PE2 (CX600), which aggregates and sends the services to RNC.
R99 voice services require high QoS, low delay, and high reliability, and a leased private line
on a fixed network meet these requirements. HSDPA services are high-bandwidth packet
services that have low delay requirements, and they can be transmitted using the xDSL technique
over a Layer 2 ETH switching network (wholesale xDSL service network).
This section describes how to configure HSDPA services that traverse a wholesale xDSL service
network on the ATN.
Figure 6-13 Example of configuring ETH forwarding-based xDSL services
Loopback 1
1.0.0.1/32
Loopback 1
2.0.0.2/32
Leased line
ATM
STM-1
IMA
VE 0/3/0
Node B
PE2
PE1
Wholesale xDSL
service
IMA-group 0/2/1.1
DSLAM
PW
MPLS Tunnel
Issue 02 (2013-12-31)

1876

Equipment
6 WAN Access
Parameter description
The table below lists parameter settings for PE1.
Parameter
PE1 loopback
interface
AC-side
physical
interface
AC-side
synchronous
serial interface
AC-side IMA
group subinterface
Physical
interface on
NNI-side PIC
(SHD4)
NNI-side VE
interface
Value
Parameter
Loopback 1
PE2 loopback
interface
IP address:
1.0.0.1/32
CE1 0/2/0
AC-side PVC
CE1 0/2/1
Value
Parameter
Value
Loopback 1
MPLS
tunnel
interface
number
Tunnel0/3/0
MPLS
Tunnel ID
100
IP address:
2.0.0.2/32
PVC1: 10/100
(HSDPA service)
PVC2: 20/100
(voice service)
Serial0/2/0:1
Serial0/2/1:1
PVC matching
DSLAM
10/20
Tunnel
policy name
policy1
Ima-group0/2/1.1
Upstream
VLAN tag for
packets sent to
DSLAM
320
Maximum
number of
cells
20
Whether
DSLAM
supports ITU-T
G.992.1.bis
No
ATM cell
packaging
delay
2000
IS-IS domain
level of PE1
level-1
VC ID
100
Xdsl0/3/2
Xdsl0/3/3
Xdsl0/3/0
Xdsl0/3/1
VirtualEthernet0/3/0
IP address:
80.0.6.1/30
Configure HSDPA services that traverse a wholesale xDSL service network on the ATN device
using the following procedure:
1.
Configure AC-side interfaces.
2.
Bind NNI-side dsl-group and VE interfaces, and dsl-group and VE interfaces, and specify
IP addresses for the VE interfaces.
3.
Configure a routing protocol.
4.
Configure the basic MPLS functions and TE tunnels.

l Configure the basic MPLS functions, enable MPLS-TE and RSVP_TE, and enable ISIS.
Issue 02 (2013-12-31)

1877

Equipment
6 WAN Access
l Configure the tunnel policy.

5.
Configure PWE3.
l Establish an MPLS LDP remote session between PE1 and PE2.
Data Preparations
To complete the configuration, you need to prepare the following data:
l
Interface numbers and IP address
Domain address and level of PE1
PICs used on PE1 and link-layer configurations of the opposite DSLAM device.
Procedure
Step 1 Configure AC-side interfaces.
1.
Configure AC-side IMA group sub-interfaces.

# Set parameters for interfaces CE1 0/2/0 and CE1 0/2/1 on PE1 and use the channelized
mode.
[PE1-E1 0/2/0] channel-set 1 timeslot-list 1-15, 17-31
[PE1-E1 0/2/0] controller e1 0/2/1
[PE1-E1 0/2/1] quit
# Create IMA group interfaces.

# Add the serial interface in the IMA group.

2.
atm
0/2/1
atm
0/2/1
Configure PVC for the HSDPA service received on the AC side.

# Configure transparent transmission of ATM cells in 1-to-1 VCC mode.
[PE1] interface ima-group 0/2/1.1 p2p
[PE1-Ima-group0/2/1.1] pvc 10/100
[PE1-ima-pvc-Ima-group0/2/1.1-10/100] map pvc 10/100 bidirectional
[PE1-ima-pvc-Ima-group0/2/1.1-10/100] quit
Step 2 Configure the NNI-side xDSL interface and its logical interface.
1.
Create a dsl-group interface and configure link-layer attributes for it.

# Activate the physical xDSL interface on the AND1SHD4 PIC.
Issue 02 (2013-12-31)

1878

Equipment
[PE1] interface
[PE1-Xdsl0/3/2]
[PE1-Xdsl0/3/2]
[PE1-Xdsl0/3/2]
[PE1] interface
[PE1-Xdsl0/3/3]
[PE1-Xdsl0/3/3]
[PE1-Xdsl0/3/3]
[PE1] interface
[PE1-Xdsl0/3/0]
[PE1-Xdsl0/3/0]
[PE1-Xdsl0/3/0]
[PE1] interface
[PE1-Xdsl0/3/1]
[PE1-Xdsl0/3/1]
[PE1-Xdsl0/3/1]
6 WAN Access
xdsl 0/3/2
shutdown
undo shutdown
quit
xdsl 0/3/3
shutdown
undo shutdown
quit
xdsl 0/3/0
shutdown
undo shutdown
quit
xdsl 0/3/1
shutdown
undo shutdown
quit
# Create a dsl-group interface and bind it to the physical xDSL interface.

[PE1] interface dsl-group 0/3/0
[PE1-Dsl-group0/3/0] work-mode atm
Changing workmode will interrupt services! Continue?[Y/N]:y
[PE1-Dsl-group0/3/0] add xdsl 0/3/2
[PE1-Dsl-group0/3/0] dsl-group enable
# Configure PVC matching DSLAM and disable SHDSL.bis for the dsl-group interface.
[PE1-Dsl-group0/3/0] pvc-set 1 10/20
[PE1-Dsl-group0/3/0] bis disable
[PE1-Dsl-group0/3/0] quit
2.
Create a VE interface and bind it to the dsl-group interface.

# Create a VE interface.
[PE1] interface virtual-ethernet 0/3/0
[PE1-Virtual-Ethernet0/3/0] quit
# Configure the binding relationship.

[PE1-Dsl-group0/3/0] bind Virtual-Ethernet 0/3/0
# Configure an IP address for the VE interface and an upstream VLAN tag that matches
DSLAM.
[PE1] interface virtual-ethernet 0/3/0.1
[PE1-Virtual-Ethernet0/3/0.1] ip address 80.0.6.1 30
[PE1-Virtual-Ethernet0/3/0.1] vlan-type dot1q 320
[PE1-Virtual-Ethernet0/3/0.1] quit
Step 3 Configure a routing protocol.

# Configure a routing protocol, and enable the protocol at the VE and loopback interfaces.
[PE1] isis 1
[PE1-isis-1] is-level level-1
[PE1-isis-1] network-entity 10.0000.0000.0001.00
[PE1-isis-1] quit
[PE1-Virtual-Ethernet0/3/0.1] isis enable 1
Issue 02 (2013-12-31)

1879

Equipment
6 WAN Access
[PE1-LoopBack1] isis enable 1

Step 4 Configure the basic MPLS functions and TE tunnels.

1.
Configure the basic MPLS functions and enable MPLS-TE.

# Perform the configurations on PE1.
[PE1] mpls
[PE1-mpls] mpls te
[PE1-mpls] mpls rsvp-te
[PE1-mpls] mpls te cspf
[PE1-mpls] quit
[PE1-Virtual-Ethernet0/3/0.1] mpls
[PE1-Virtual-Ethernet0/3/0.1] mpls te
[PE1-Virtual-Ethernet0/3/0.1] mpls rsvp-te
2.
Configure IS-IS TE.

# Perform the configurations on ISIS-1.
[PE1] isis 1
[PE1-isis-1] cost-style wide
[PE1-isis-1] traffic-eng level-1
[PE1-isis-1] quit
3.
Configure MPLS TE tunnel interfaces.

# Create MPLS tunnel interfaces.
[PE1] interface tunnel 0/3/0
[PE1-Tunnel0/2/2] ip address unnumbered interface loopback 1
[PE1-Tunnel0/3/0] tunnel-protocol mpls te
[PE1-Tunnel0/3/0] destination 2.0.0.2
[PE1-Tunnel0/3/0] mpls te tunnel-id 100
[PE1-Tunnel0/3/0] mpls te signal-protocol rsvp-te
[PE1-Tunnel0/3/0] mpls te reserved-for-binding
[PE1-Tunnel0/3/0] mpls te commit
[PE1-Tunnel0/3/0] quit
4.

[PE1] tunnel-policy policy1
[PE1-tunnel-policy-policy1] tunnel binding destination 2.0.0.2 te Tunnel0/3/0
[PE1-tunnel-policy-policy1] quit
5.
Configure an LDP remote session between PE1 and PE2.

# Configure an LDP remote session on PE1.
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] mpls ldp remote-peer 2.0.0.2
[PE1-mpls-ldp-remote-2.0.0.2] remote-ip 2.0.0.2
[PE1-mpls-ldp-remote-2.0.0.2] quit

1.
Configure a PW template.
# Perform a PW template on PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
Issue 02 (2013-12-31)

1880

Equipment
[PE1] pw-template pe1tope2
[PE1-pw-template-pe1tope2]
2.
6 WAN Access
tnl-policy policy1
max-atm-cells 20
quit
Create a VLL connection on the UNI interface.

Perform the configuration only on the serial sub-interface in the IMA group on PE1.
[PE1] interface ima-group 0/2/1.1
[PE1-Ima-group0/2/1.1] mpls l2vc pw-template pe1tope2 100

After DSLAM and PE2 are configured, run the display mpls l2vc command on PE1 to query
PW status, which is displayed as Up.
[PE1]display mpls l2vc
Total LDP VC : 1
1 up
*client interface
Administrator PW
session state
AC status
VC state
Label state
Token state
VC ID
VC type
destination
local VC label
control word
forwarding entry
local group ID
manual fault
active state
OAM Protocol
OAM Status
OAM Fault Type
PW APS ID
PW APS Status
TTL Value
link state
local VC MTU
tunnel policy name
PW template name
load balance type
Access-port
create time
up time
last change time
VC last up time
VC total up time
CKey
NKey
AdminPw interface
AdminPw link state
Diffserv Mode
Service Class
Color
DomainId
Domain Name
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
0 down
Ima-group0/2/1.1 is
no
up
up
up
0
0
100
VLAN
2.0.0.2
387
remote
disable
exist
0
not set
active
---0
-1
up
1500
remote
policy1
pe1tope2
primary
flow
false
0 days, 0 hours, 38
0 days, 0 hours, 37
0 days, 0 hours, 37
2011/10/18 15:55:39
0 days, 0 hours, 38
21
20
--uniform
-----
up
VC label
: 203
VC MTU
: 1500
minutes, 59 seconds
minutes, 28 seconds
minutes, 28 seconds
minutes, 51 seconds
----End
Issue 02 (2013-12-31)

1881

Equipment
6 WAN Access
Configuration File
#
mpls lsr-id 1.0.0.1
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
mpls l2vpn
#
pw-template pe1tope2
max-atm-cells 20
tnl-policy policy1
#
mpls ldp
#
#
remote-ip 2.0.0.2
#
isis 1
is-level level-1
cost-style wide
network-entity 10.0000.0000.0001.00
traffic-eng level-1
#
interface Dsl-group0/3/0
bind Virtual-Ethernet0/3/0
work-mode atm
add Xdsl0/3/2
add Xdsl0/3/3
add Xdsl0/3/1
dsl-group enable
pvc-set 1 10/20
bis disable
#
#
interface Ima-group0/2/0.1 p2mp
pvc 10/100
mpls l2vc pw-template pe1tope2 100
#
interface virtual-ethernet
0/3/0
interface Virtual-Ethernet0/3/0.1
vlan-type dot1q 320
ip address 80.0.6.1 255.255.255.252
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface LoopBack1
ip address 1.0.0.1 255.255.255.255
isis enable 1
#
destination 2.0.0.2
Issue 02 (2013-12-31)

1882

Equipment
6 WAN Access
mpls te commit
#
#
return
Follow-up Procedure
After finishing the preceding configurations, perform the following operations on PE2 to
provision the xDSL service.
l

Configure the basic MPLS functions, enable MPLS-TE and RSVP_TE, and enable ISIS.
Establish an MPLS LDP remote session between PE2 and PE1.
Example of Configuring ETH Forwarding-Based xDSL Services (IMA)

This section describes how to configure an ETH forwarding-based xDSL service, that will be
received over an IMA link and traverse a wholesale xDSL network, on the ATN.
In Figure 6-14, PE1 (ATN) receives services (including R99 and HSDPA services, which are
identified by VPI/VCI carried service packets) from Node B over links in the AC-side ATM
IMA group and sends them to PE2 (CX600), which aggregates and sends the services to RNC.
R99 voice services require high QoS, low delay, and high reliability, and a leased private line
on a fixed network meet these requirements. HSDPA services are high-bandwidth packet
services that have low delay requirements, and they can be transmitted using the xDSL technique
over a Layer 2 ETH switching network (wholesale xDSL service network).
After the ATN separates the HSDPA service, the DSLAM receives it over an IMA link and
sends it to the CX600 through a third-party network. On the SHD4I PIC of the ATN, two tunnels
(for backup to each other) can be configured to protect the link between the DSLAM and CX600.
This section describes how to configure HSDPA services that traverse a wholesale xDSL service
network on the ATN.
Issue 02 (2013-12-31)

1883

Equipment
6 WAN Access
Figure 6-14 Example of configuring ETH forwarding-based xDSL services

Loopback 1
2.0.0.2/32
Loopback 1
1.0.0.1/32
Leased line
ATM
STM-1
IMA
Node B
PE1
VE 0/3/0
VE 0/3/1
PE2
RNC
Wholesale
xDSL service
IMA-group 0/2/1.1
DSLAM
Physical link
Working MPLS Tunnel
PW
Protection MPLS Tunnel
Parameter
PE1 loopback
interface
AC-side
physical
interface
AC-side
synchronous
serial interface
AC-side IMA
group subinterface
Value
Parameter
Loopback 1
PE2 loopback
interface
IP address:
1.0.0.1/32
CE1 0/2/0
AC-side PVC
CE1 0/2/1
Serial0/2/0:1
Serial0/2/1:1
PVC matching
DSLAM
Ima-group0/2/1.1
Upstream
VLAN tag for
packets sent to
DSLAM
Issue 02 (2013-12-31)
Value
Parameter
Value
Loopback 1
MPLS
tunnel
interface
number
Working:
Tunnel0/3/0
MPLS
Tunnel ID
Working: 100
IP address:
2.0.0.2/32
PVC1: 10/100
(HSDPA service)
PVC2: 20/100
(voice service)
PVC1: 10/20
PVC2: 40/50
Working: 320
Protection: 330

Protection:
Tunnel0/3/1
Protection: 200
Tunnel
policy name
policy1
Maximum
number of
cells
20
1884

Equipment
Parameter
Value
Parameter
6 WAN Access
Value
Parameter
Value
ATM cell
packaging
delay
2000
VC ID
100
IMA protocol
version: 1.1
Physical
interface on
NNI-side PIC
(SHD4I)
IMA group
attributes
consistent with
those on the
DSLAM
Xdsl0/3/2
Xdsl0/3/3
Xdsl0/3/0
Xdsl0/3/1
IMA frame length:

128
Minimum number
of available links in
the receive
direction: 2
Minimum number
of available links in
the transmit
direction: 2
Working interface:
VirtualEthernet0/3/0.1
NNI-side VE
interface
IP address:
80.0.6.1/30
Protection
interface:
IS-IS domain
level of PE1
level-1
IP address:
80.0.7.1/30
Configure HSDPA services that traverse a wholesale xDSL service network on the ATN device
using the following procedure:
1.
Configure AC-side interfaces.
2.
Create a dsl-group interface, working and protection VE interfaces on the NNI side, bind
the VE interfaces with the dsl-group interface, and configure IP addresses for the VE
interfaces.
3.
4.
Configure the basic MPLS functions and working and protection TE tunnels.
5.
Configure PWE3.
l Establish an MPLS LDP remote session between PE1 and PE2.
Issue 02 (2013-12-31)

1885

Equipment
6 WAN Access
Data Preparations
l
Domain address and level of PE1
Procedure
Step 1 Configure AC-side interfaces.
1.
Configure AC-side IMA group sub-interfaces.

# Set parameters for interfaces CE1 0/2/0 and CE1 0/2/1 on PE1 and use the channelized
mode.
[PE1-E1 0/2/0] controller e1 0/2/1
[PE1-E1 0/2/1] quit
# Create IMA group interfaces.

# Add the serial interface in the IMA group.

2.
atm
0/2/1
atm
0/2/1
Configure PVC for the HSDPA service received on the AC side.

# Configure transparent transmission of ATM cells in 1-to-1 VCC mode.
[PE1] interface ima-group 0/2/1.1 p2p
[PE1-Ima-group0/2/1.1] pvc 10/100
[PE1-ima-pvc-Ima-group0/2/1.1-10/100] map pvc 10/100 bidirectional
[PE1-ima-pvc-Ima-group0/2/1.1-10/100] quit
1.

# Create a dsl-group interface.
# Configure PVCs and IMA group attributes and ensure that the configurations are
consistent with those of the DSLAM. As the DSLAM sends the HSDPA service over
Issue 02 (2013-12-31)

1886

Equipment
6 WAN Access
different PVCs to the working and protection physical links, configure two PVCs for the
working and protection links at the same dsl-group interface.
[PE1-Dsl-group0/3/0]
2.
pvc-set 1 10/20
pvc-set 2 40/50
ima-attr ver 1.1 framelen 128 rx-minlink 2 tx-minlink 2
quit
Create working and protection VE interfaces and bind them to the dsl-group interface.
# Create the VE interfaces.
[PE1-Virtual-Ethernet0/3/0] interface virtual-ethernet 0/3/1

# Configure IP addresses for interfaces (the IP addresses of two VE interfaces must be in

different network segments), and configure upstream packet VLAN labels matching those
on the DSLAM.
[PE1-Virtual-Ethernet0/3/0.1] interface virtual-ethernet 0/3/1.1
Step 3 Configure a routing protocol.

# Configure a routing protocol, and enable the protocol at the VE and loopback interfaces.
[PE1] isis 1
[PE1-isis-1] network-entity 10.0000.0000.0001.00
[PE1-isis-1] quit

1.

[PE1] mpls
[PE1-mpls] mpls te
[PE1-mpls] quit
Issue 02 (2013-12-31)

1887

Equipment
6 WAN Access
2.
Configure IS-IS TE.

# Perform the configurations on ISIS-1.
[PE1] isis 1
[PE1-isis-1] quit
3.
Configure working MPLS TE tunnel interfaces.

# Create MPLS tunnel interface.
4.
Configure protection MPLS TE tunnel interfaces.

# Create MPLS tunnel interface.
5.
Configure an MPLS TE tunnel protection group.

Specify Tunnel0/3/1 as backup for Tunnel0/3/0.
[PE1-Tunnel0/3/0] mpls te protection tunnel 200 holdoff 100 mode revertive wtr
10
6.

[PE1-tunnel-policy-policy1] tunnel binding destination 2.0.0.2 te Tunnel0/3/0
7.
Configure an LDP remote session between PE1 and PE2.

# Configure an LDP remote session on PE1.
[PE1] mpls ldp
[PE1-mpls-ldp] quit
Issue 02 (2013-12-31)

1888

Equipment
6 WAN Access
[PE1] mpls ldp remote-peer 2.0.0.2

[PE1-mpls-ldp-remote-2.0.0.2] remote-ip 2.0.0.2
[PE1-mpls-ldp-remote-2.0.0.2] quit

1.
Configure a PW template.
# Perform a PW template on PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
[PE1] pw-template pe1tope2
2.
tnl-policy policy1
max-atm-cells 20
quit
Create a VLL connection on the UNI interface.

Perform the configuration only on the serial sub-interface in the IMA group on PE1.
[PE1] interface ima-group 0/2/1.1
[PE1-Ima-group0/2/1.1] mpls l2vc pw-template pe1tope2 100

1.
On PE1, run the display mpls l2vc command to query PW status, which is displayed as
Up.
# Check PW status.
[PE1]display mpls l2vc
Total LDP VC : 1
1 up
down
*client interface
up
Administrator PW
no
session state
up
AC status
up
VC state
up
Label state
0
Token state
0
VC ID
100
VC type
VCC
destination
2.0.0.2
local VC label
203
control word
disable
max ATM cells
20
ATM pack overtime
microseconds
seq-number
disable
Issue 02 (2013-12-31)
: Ima-group0/2/1.1 is
:
:
:
:
:
:
:
: ATM Nto1
:
: 387
remote VC label
:
:
: 2000
:

1889

Equipment
transmit ATM cells
6 WAN Access
:
28
forwarding entry
exist
local group ID
0
manual fault
set
active state
active
OAM Protocol
-OAM Status
-OAM Fault Type
-PW APS ID
0
PW APS Status
-TTL Value
1
link state
up
local ATM cells
0
tunnel policy name
policy1
PW template name
pe1tope2
primary
load balance type
flow
Access-port
false
create time
seconds
up time
seconds
last change time
seconds
VC last up time
15:55:39
VC total up time
seconds
CKey
21
NKey
20
AdminPw interface
-AdminPw link state
-Diffserv Mode
pipe
Service Class
ef
Color
green
DomainId
-Domain Name
2.
Issue 02 (2013-12-31)
:
:
: not
:
:
:
:
:
:
:
:
: 20
remote ATM cells
:
:
:
:
:
: 2011/10/18
:
:
:
:
:
:
:
:
: --
After DSLAM and PE2 are configured, run the display mpls te protection tunnel all
verbose on PE1. Then the tunnel interface status is up.

1890

Equipment
6 WAN Access
# Check the tunnel configuration result.

[PE1]display mpls te protection tunnel all verbose
---------------------------------------------------------------Verbose information about the No.1 protectiongroup
---------------------------------------------------------------Work-tunnel id
:
100
Protect-tunnel id
:
200
Work-tunnel name
:
Tunnel0/3/0
Protect-tunnel name
:
Tunnel0/3/1
Work-tunnel reverse-lsp
:
Protect-tunnel reverse-lsp
:
Bridge type
:
1:1
Switch type
:
unidirectional
Switch result
: worktunnel
Tunnel using Best-Effort
:
none
Tunnel using Ordinary
:
none
Work-tunnel frr in use
:
none
Work-tunnel defect state
: in
defect
Protect-tunnel defect state
: in
defect
Work-tunnel forward-lsp defect state
: in
defect
Protect-tunnel forward-lsp defect state : in
defect
Work-tunnel reverse-lsp defect state
: nondefect
Protect-tunnel reverse-lsp defect state : nondefect
HoldOff config time
:
10000ms
HoldOff remain time
:
WTR config time
:
600s
WTR remain time
:
Mode
:
revertive
Using same path
:
Local state
: signal fail for
protection
Far end request
: no request
----End
Configuration File
#
mpls lsr-id 1.0.0.1
Issue 02 (2013-12-31)

1891

Equipment
6 WAN Access
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
mpls l2vpn
#
pw-template pe1tope2
max-atm-cells 20
tnl-policy policy1
#
mpls ldp
#
#
remote-ip 2.0.0.2
#
isis 1
is-level level-1
cost-style wide
network-entity 10.0000.0000.0001.00
traffic-eng level-1
#
controller E1 0/2/0
undo shutdown
#
controller E1 0/2/1
undo shutdown
#
#
interface Ima-group0/2/0.1 p2p
pvc 10/100
mpls l2vc pw-template pe1tope2 100
#
link-protocol atm
ima ima-group 0/2/1
#
link-protocol atm
ima ima-group 0/2/1
#
interface Xdsl0/3/2
undo shutdown
#
interface Xdsl0/3/3
undo shutdown
#
interface Xdsl0/3/0
undo shutdown
#
interface Xdsl0/3/1
undo shutdown
#
ima-attr ver 1.1 framelen 128 rx-minlink 2 tx-minlink 2
pvc-set 1 10/20
pvc-set 2 40/50
Issue 02 (2013-12-31)

1892

Equipment
6 WAN Access
#
interface Virtual-Ethernet0/3/0
mac-address 5489-98f6-b025
#
vlan-type dot1q 320
ip address 80.0.6.1 255.255.255.252
isis enable 1
mpls
mpls te
mpls rsvp-te
#
mac-address 5489-98f6-b026
#
vlan-type dot1q 330
ip address 80.0.7.1 255.255.255.252
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface LoopBack1
ip address 1.0.0.1 255.255.255.255
isis enable 1
#
destination 2.0.0.2
mpls te protection tunnel 200 holdoff 100 mode revertive wtr 10
mpls te commit
#
destination 2.0.0.2
mpls te commit
# tunnel-policy policy1
#
return
Follow-up Procedure
l
Configure the basic MPLS functions and working and protection TE tunnels.
Configure the basic MPLS functions, enable MPLS-TE and RSVP_TE, and enable ISIS.
Issue 02 (2013-12-31)

1893

Equipment
6 WAN Access
Establish an MPLS LDP remote session between PE2 and PE1.
Example of Configuring IP Forwarding-Based xDSL Services

This section describes how to configure IP forwarding-based xDSL services that traverse a
wholesale xDSL network on the ATN.
In Figure 6-15, PE1 (ATN) receives services from Node B over the AC-side Ethernet links, and
sends them to PE2 (CX600), which aggregates and sends the services to RNC.
This section describes how to configure L3PVN services received from the Ethernet interface
that traverse a wholesale xDSL service network on the ATN.
Figure 6-15 Example of configuring IP forwarding-based xDSL services
AS 600
AS 300
AS 900
IS-IS 1
Loopback 0
4.4.4.4/32
Loopback 0
2.2.2.2/32
VE 0/4/0.1
80.0.8.1/30
Loopback 0
6.6.6.6/32
ADSL2+
ETH
Node B
IS-IS 2
PE1
GE
DSLAM
Ethernet 0/2/0
10.5.5.1/30
PE2
GE 1/0/0
80.0.8.2/30
RNC
GE 1/0/0
80.1.1.2/30
Ethernet 0/1/0
10.5.5.2/30
L3VPN Service
MPLS TE Tunnel
The table below lists routing parameter settings for the network.
Parameter
Value
Parameter
Value
Parameter
Value
PE1 loopback
interface
Loopback0
P loopback
interface
Loopback0
PE2 loopback
interface
Loopback0
P IS-IS
process
ISIS 1
PE1 IS-IS
process
4.4.4.4/32
ISIS 1
Issue 02 (2013-12-31)
2.2.2.2/32
ISIS 2
PE2 IS-IS
process

6.6.6.6/32
ISIS 2
1894

Equipment
Parameter
Value
Parameter
6 WAN Access
Value
10.0001.0020.020
0.2002.00
Parameter
Value
PE2 networkentity
10.0002.0060.060
0.6006.00
PE1 networkentity
10.0001.0040.040
0.4004.00
P networkentity
IS-IS domain
level of PE1/
P/PE2
Level-2
Node B AS
AS 600
RNC AS
AS 900
PE1 AS
AS 300
PE1 AS
AS 300
PE1 AS
AS 300
10.0002.0020.020
0.2002.00

Parameter
AC-side physical
interface
Value
Parameter
Value
Parameter
Value
Ethernet
0/2/0
Physical
interface on
NNI-side PIC
Xdsl0/4/0
PVC matching
DSLAM
10/20
10.5.5.1/30
Upstream VLAN
tag for packets
sent to DSLAM
320
MPLS TE Tunnel
interface number
Tunnel0/4/0
explicit path
Xdsl0/4/1
(AVD8A)
DSLAM
encapsulation
mode
Bridge VCMUX
Tunnel0/4/0
MPLS TE
Tunnel ID
50
pe1tope2
Address of the
next hop address
on the explicit
path
80.0.8.2
80.1.1.2
NNI-side VE
interface
Tunnel policy
name
Node B
interface
80.0.8.1/30
policy01
Ethernet0/1/0
10.5.5.2/30
Configure L3VPN services that traverse a wholesale xDSL service network on the ATN using
the following procedure:
1.
Bind NNI-side dsl-group and VE interfaces, and dsl-group and VE interfaces, and specify
IP addresses for the VE interfaces.
2.
Configure the IGP routing protocol (taking IS-IS TE as an example).
3.

Issue 02 (2013-12-31)

1895

Equipment
4.
6 WAN Access
L3VPN services
l Configure the IBGP protocol for PE1 and PE2.
l Configure a VPN instance.
l Configure the AC-side interface and bind it to the VPN instance.
l Configure the EBGP protocol for PE1 and CE.
Data Preparations
l
Domain address, level, and BGP AS number of PE1
Procedure
1.

# Activate the physical xDSL interface on the AND1AVD8A PIC.
[PE1] interface
[PE1-Xdsl0/4/0]
[PE1-Xdsl0/4/0]
[PE1-Xdsl0/4/0]
[PE1-Xdsl0/4/1]
[PE1-Xdsl0/4/1]
[PE1-Xdsl0/4/1]
xdsl 0/4/0
shutdown
undo shutdown
interface xdsl 0/4/1
shutdown
undo shutdown
quit
# Create a dsl-group interface and bind it to the physical xDSL interface.

[PE1-Dsl-group0/4/0] dsl-group enable
# Configure PVC and packet encapsulation mode matching DSLAM.

[PE1-Dsl-group0/4/0] pvc-set 1 10/20
[PE1-Dsl-group0/4/0] encape-mode eoa-vcmux
2.
Create a VE interface and bind it to the dsl-group interface.

# Create a VE interface.

# Configure an IP address for the VE interface and an upstream VLAN tag that matches
DSLAM.
Issue 02 (2013-12-31)

1896

Equipment
6 WAN Access

Step 2 Configure a IGP routing protocol.

# Configure an IS-SI TE routing protocol, and enable the protocol at the VE and loopback0
interfaces.
[PE1] isis 1
[PE1-isis-1] network-entity 10.0001.0040.0400.4004.00
[PE1-isis-1] import-route direct
[PE1-isis-1] quit
[PE1-Virtual-Ethernet0/4/0.1] isis cost 10
[PE1-LoopBack0] isis cost 10

1.

[PE1] mpls
[PE1-mpls] mpls te
[PE1-mpls] quit
2.
Configure a loose explicit path.

# Specify the loose explicit path from PE1 to PE3.
[PE1] explicit-path pe1tope2
[PE1-explicit-path-pe1tope2] next hop 80.0.8.2 include loose
[PE1-explicit-path-pe1tope2] next hop 80.1.1.2 include loose
[PE1-explicit-path-pe1tope2] quit
3.

# Create MPLS tunnel interfaces.
[PE1-Tunnel0/4/0] mpls te path explicit-path pe1tope2
4.
Issue 02 (2013-12-31)

1897

Equipment
6 WAN Access

[PE1-tunnel-policy-policy01] tunnel binding destination 6.6.6.6 te tunnel0/4/0
Step 4 Configure L3VPN services.

1.
Configure an MP-BGP routing policy.

# Establish the MP-IBGP peer relationship between PE1 and PE2.
[PE1] bgp
[PE1-bgp]
[PE1-bgp]
[PE1-bgp]
[PE1-bgp]
[PE1-bgp]
[PE1-bgp]
2.
300
router-id 4.4.4.4
peer 6.6.6.6 connect-interface loopback 0
import-route direct
ipv4-family vpnv4 [PE1-bgp-af-vpnv4] peer 6.6.6.6 enable
quit
Configure a VPN instance.

# Configure the VPN instance l3vpn1 on PE1.
[PE1] ip vpn-instance l3vpn1
[PE1-vpn-instance-l3vpn1] ipv4-family
[PE1-vpn-instance-l3vpn1-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-l3vpn1-af-ipv4] tnl-policy policy01
[PE1-vpn-instance-l3vpn1-af-ipv4] vpn-target 100:1 export-extcommunity
[PE1-vpn-instance-l3vpn1-af-ipv4] vpn-target 100:1 import-extcommunity
[PE1-vpn-instance-l3vpn1-af-ipv4] quit
[PE1-vpn-instance-l3vpn1] quit
3.
Bind the AC-side interface on PE1 to the VPN instance.

# Bind Ethernet0/2/0 to l3vpn1. Ethernet0/2/0 configurations will be deleted. In this case,
configure the IP address of Ethernet0/2/0.
[PE1] interface ethernet 0/2/0
[PE1-Ethernet0/2/0] ip binding vpn-instance l3vpn1
[PE1-Ethernet0/2/0] ip address 10.5.5.1 24
4.
Configure PE1 and Node B as MP-EBGP peers and import VPN routes.
[PE1] bgp 300
[PE1-bgp] ipv4-family vpn-instance l3vpn1
[PE1-bgp-l3vpn1] peer 10.5.5.2 as-number 600
[PE1-bgp-l3vpn1] import-route direct
[PE1-bgp-l3vpn1] quit
Configure PE1 and Node B as MP-EBGP peers.

# After DSLAM, P, and PE2 are configured, run the ping -vpn-instance command on PE1 to
ping to Node B.
[PE1] ping -vpn-instance l3vpn1 10.5.5.2
ms
ms
ms
ms
ms
--- 10.5.5.2 ping statistics ---
Issue 02 (2013-12-31)

1898

Equipment
6 WAN Access
0.00% packet loss
# After DSLAM, P, and PE2 are configured, run the display ip routing-table vpn-instance
command on PE1 to query the peer route.
[PE1] display ip routing-table vpn-instance l3vpn1
-----------------------------------------------------------------------------Routing Tables: l3vpn1
Destinations : 5
Routes : 5
Destination/Mask
Proto
Pre
Cost
10.5.5.0/30
10.5.5.1/32
10.5.5.3/32
10.70.5.0/30
255.255.255.255/32
Direct
Direct
Direct
IBGP
Direct
0
0
0
255
0
0
0
0
0
0
Flags NextHop
D
D
D
RD
D
10.5.5.1
127.0.0.1
127.0.0.1
6.6.6.6
127.0.0.1
Interface
Ethernet0/2/0
Ethernet0/2/0
Ethernet0/2/0
Tunnel0/2/4
InLoopBack0
----End
Configuration File
#
sysname PE1
#
router id 4.4.4.4
#
ip vpn-instance l3vpn1
ipv4-family
tnl-policy policy01
#
mpls lsr-id 4.4.4.4
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
explicit-path pe1tope2
next hop 80.0.8.2 include loose
next hop 80.1.1.2 include loose
#
isis 1
is-level level-2
cost-style wide
network-entity 10.0001.0040.0400.4004.00
import-route direct
traffic-eng level-2
#
interface Ethernet0/0/0
undo shutdown
ip address 10.137.86.179 255.255.255.0
#
interface Ethernet0/2/0
undo shutdown
ip binding vpn-instance l3vpn1
ip address 10.5.5.1 255.255.255.252
#
Issue 02 (2013-12-31)

1899

Equipment
6 WAN Access
interface Xdsl0/4/0
undo shutdown
#
interface Xdsl0/4/1
undo shutdown
#
add Xdsl0/4/0
add Xdsl0/4/1
dsl-group enable
pvc-set 1 10/20
encape-mode eoa-vcmux
#
mac-address 2800-d410-b108
#
vlan-type dot1q 320
ip address 80.0.6.1 255.255.255.252
isis enable 1
isis cost 10
mpls
mpls te
mpls rsvp-te
#
interface NULL0
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
isis enable 1
isis cost 10
#
destination 6.6.6.6
mpls te path explicit-path pe1tope2
mpls te commit
#
bgp 300
router-id 4.4.4.4
#
ipv4-family unicast
import-route direct
peer 6.6.6.6 enable
#
ipv4-family vpnv4
policy vpn-target
peer 6.6.6.6 enable
#
ipv4-family vpn-instance l3vpn1
import-route direct
#
#
return
Issue 02 (2013-12-31)

1900

Equipment
6 WAN Access
Follow-up Procedure
l
Configure the IGP routing protocol on P and PE2. Then configure and enable IS-IS.
Create the IS-IS 2 process on PE2 and enable it on related interfaces.
Create the IS-IS 1 and IS-IS 2 processes on P. Enable the IS-IS 1 process on the interface
interconnecting P with PE1, and enable the IS-IS 2 process on the interface
interconnecting P with PE2 and Loopback0 interface.
Configure the routing policy on P to control route advertisement and import.

Configure the basic MPLS functions and enable MPLS TE and RSVP-TE on P.
Configure the basic MPLS functions, enable MPLS TE and RSVP-TE, create MPLS
TE tunnel interfaces, and configure the explicit path and tunnel policy on PE2.
Configure L3VPN services on PE2.

Configure PE3 and PE1 as MP-IBGP peers.
Configure a VPN instance.
Bind the AC-side interface on PE3 to the VPN instance.
Configure PE3 and RNC as MP-EBGP peers.
6.9 Glossary
A list of frequently used terms and concepts in this document.
A
ATM
Asynchronous Transfer Mode (ATM). A data transmission

technology in which data is transferred at high data rates in fixed
length, 53 bytes.
Authentication
An act that decides whether a user can be awarded with access right
or what kinds of users can access a network.
Authorization
An act that accredits a user with access to certain services.
AUX
Auxiliary interface that provides an EIA/TIA-232 DTE interface.

By using the AUX interface and the Modem, a user can access a
network through dialup.
C
Callback
Issue 02 (2013-12-31)
A call mode in which both ends of the communication participate

in the call. One end is called the Client, while the other end is caller
the Server. The Client initiates a call, and the Server decides
whether to call back. If a callback is needed, the Server tears down
the connection and then initiates a call to the Client.
1901

Equipment
Called Number
Number of the called party.
Calling Number
Number of the calling party.
6 WAN Access
P
POS
A MAN and LAN technology that provides a point to point

connection. The POS interface is based on SONET.
S
SONET
Synchronous Optical Network (SONET). A standard for

synchronous data transfer over optical networks. The standard
contains a series of transmission speed, including SDH Transport
Module (STM) -1 (155 Mbit/s), STM-4c (622 Mbit/s) and
STM-16c/STM-16 (2.5 Gbit/s).
W
WAN
Wide Area Network. A network that covers a large geographic

area.

A list of frequently used acronyms and abbreviations in this document.
A
Issue 02 (2013-12-31)
AA
Anonymous Access
AAA
AAL
ATM Adaptation Layer
AAL1
AAL2
AAL3
AAL5
ACL
Access Control List
ADSL
AMI
Alternate Mark Inversion
ANSI
American National Standard Institute
ARP

1902

Equipment
ATM
AU
Administrative Unit
AUG
Administrative Unit Group
AUX
Auxiliary (port)
6 WAN Access
B
BAS
Broadband Access Server
BRI
C
CAR
Committed Access Rate
CBR
Constant Bit Rate
CCITT
International Telegraph and Telephone Consultative Committee
CD
Carrier Detect
CDV
Cell Delay Variation
CHAP
CPE
Customer Premises Equipment
CPOS
Channelized-POS
CSMA
Carrier Sense Multiple Access
CUG
Closed User Group
Issue 02 (2013-12-31)
DCC
DCD
Data Carrier Detected
DCE
DDN
Digital Data Network
DHCP
DLCI
DLSw
Data Link Switching
DNS
Domain Name System
DSL
Digital Subscriber Line

1903

Equipment
DSLAM
DSL Access Multiplexer
DTE
6 WAN Access
E
EIA
ESF
Extended Service Frame
ETSI
European Telecommunications Standards Institute
F
FCS
Frame Check Sequence
FDDI
Fiber Distributed Digital Interface
FE
Fast Ethernet
FIFO
First In First Out
FR
Frame Relay
FRF
Frame Relay Forum
FRMR
Frame Rejection
FS
Forced Switch
FTP
G
GE
Gigabit Ethernet
GPRS
General Packet Radio Service
GRE
Issue 02 (2013-12-31)
HDB3
High Density Bipolar of Order 3
HDLC
HDSL
High-bit-rate Digital Subscriber Link
HFC
Hybrid Fiber-Coaxial
HIC
Highest Incoming-only Channel
HOC
Highest Outgoing-only Channel

1904

Equipment
HTTP
6 WAN Access
Hypertext Transfer Protocol
I
IAD
Integrated Access Device
IBGP
Internal BGP
ID
Identification
IEEE
IETF
IF
Information Frame
IGMP
Internet Group Management Protocol
IP
Internet Protocol
IPC
Inter-Process Communication
IPCP
IP Control Protocol
IPHC
IPoA
IPoE
IP over Ethernet
IPoEoA
ISDN
ISO
International Organization for Standardization
ISP
ITU-T
International Telecommunication Union - Telecommunication

Issue 02 (2013-12-31)
L2TP
LAN
Local Area Network
LAPB
LCP
Link Control Protocol
LFI
Link Fragmentation and Interleaving
LIC
Lowest Incoming-only Channel
LOC
Loss of continuity
LQR
Link Quality Reports

1905

Equipment
LTC
6 WAN Access
Lowest Two-way Channel
M
MAP
Mobile Application Part
MD5
Message Digest 5
MFR
MIB
MP
Multilink PPP
MTU
N
NAT
NBMA
Non Broadcast Multiple Access
NCP
Network Control Protocol
NE
NetEngine
NNI
Network Node Interface
NT
Network Terminal
O
OAM
OC-3
OC-3
OSI
OSPF
Issue 02 (2013-12-31)
PAP
PC
Personal Computer
PCI
Protocol Control Information
PCM
Pulse-Code Modulation
POH
Path Overhead
POS

1906

Equipment
PPP
PRI
PSE
Packet Switching Exchange
PSTN
PVC
6 WAN Access
Q
QoS
Quality of Service
R
RADIUS
RAS
Remote Access Server
RFC
RIP
RSOH
Regenerator Section Overhead
RSU
Routing Switch Unit
RTP
Real-time Transport Protocol
RTU
Remote Test Unit
Issue 02 (2013-12-31)
SDH
Synchronous Digital Hierarchy
SDLC
SDSL
Symmetrical Digital Subscriber Line
SF
Signal Failure
SGSN
Serving GPRS Support Node
SHDSL
Single-line High Speed Digital Subscriber Line
SLIP
SNA
SNMP
SNP
Sequence Number PDUs
SOH
Section Overhead

1907

Equipment
SONET
Synchronous Optical Network
SP
Service Provider
STM-1
SVC
6 WAN Access
T
TACACS
Terminal Access Controller Access Control System
TCP
TFTP
TU
Tributary Unit
TUG
Tributary Unit Group
U
UBR
Unspecified Bit Rate
UDP
UNI
User Network Interface
UP
User Plane
V
VBR
Variable Bit Rate
VC
Virtual Circuit
VCI
Virtual Channel Identifier
VLAN
VP
Virtual Path
VPI
Virtual Path Identifier
VPLS
Virtual Private LAN Service
VPN
VRP
W
WWW
Issue 02 (2013-12-31)
World Wide Web

1908

Equipment
7 IP Services
IP Services
About This Chapter

The document describes the configuration methods of IP services in terms of basic principles,
implementation of protocols, configuration procedures and configuration examples for the IP
services of the ATN equipment.
7.1 IP Addresses Configuration
By assigning IP addresses to network devices, you can enable data communications between
the network devices.
7.2 ARP Configuration
ARP can map an IP address to a MAC address and implements transmission of Ethernet frames.
7.3 IP Performance Configuration
By configuring IP performance, you can improve the performance of the device.
7.4 ACL Configuration
Access Control Lists (ACLs) help guarantee network security and stability.
7.5 Basic IPv6 Configuration
The IPv6 protocol stack is a support for routing protocols and application protocols on an IPv6
network.
7.6 ACL6 Configuration
Access Control Lists (ACL6s) help guarantee network security and stability.
7.7 Glossary
Issue 02 (2013-12-31)

1909

Equipment
7 IP Services
7.1 IP Addresses Configuration

By assigning IP addresses to network devices, you can enable data communications between
the network devices.
7.1.1 IP Addresses Overview

An IP address is also called a logical address. The IP address of a network device on the Internet
is the unique identifier of the network device.
Introduction
IP is the core of the TCP/IP protocol suite. The packets of the Transmission Control Protocol
(TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), and Internet
Group Membership Protocol (IGMP) are all transmitted in the format of IP datagrams. Devices
on different networks communicate with each other using their network layer addresses, namely
IP addresses.
To communicate with each other on Internet Protocol (IP) networks, each host must be assigned
an IP address.
An IP address is a 32-bit number that is composed of two parts, namely, the network ID and
host ID.
The network ID identifies a network and the host ID identifies a host on the network. If the
network IDs of hosts are the same, it indicates that the hosts are on the same network regardless
of their physical locations.
Features of IP Addresses Supported by the ATN

IP addresses can be obtained through static manual configuration, auto-negotiation, or
borrowing.
The ATN supports IP address configuration through the following methods:
l
Manually configuring an IP address for an interface
Obtaining an IP address through negotiation
Borrowing an IP address from other interfaces
The ATN supports the space overlapping of network segment addresses to save the address
space.
l
The primary IP address and the secondary IP address in the overlapped network segments
but not same can be configured on the same interface. For example, after the interface is
configured with a primary IP address 20.1.1.1/24, if the secondary IP address is 20.1.1.2/16
sub, the system prompts a message. However, the configuration is still successful.
The primary IP address and the secondary IP address in the overlapped network segments
but not same can be configured on different interfaces of the same device. However, the
primary IP address and the secondary IP address cannot be the same. For example, after an
interface on a device is configured with the IP address 20.1.1.1/16, if another interface is
Issue 02 (2013-12-31)

1910

Equipment
7 IP Services
configured with the IP address 20.1.1.2/24 sub, the system prompts a message. However,
the configuration is still successful.
The ATN supports 31-bit IP address masks. Therefore, there are only two IP addresses in a
network segment, that is, the network address and broadcast address. For example, 10.110.1.0/31
and 10.110.1.1/31. The two IP addresses can be used as host addresses.
You can assign the IP addresses with 31-bit masks to Point-to-Point (P2P), Point-to-Multipoint
(P2MP), NBMA Address Resolution Protocol (NBMA), broadcast, and loopback interfaces. For
non-P2P interfaces, if a 31-bit mask is configured, the system prompts acknowledgement
information to protect P2MP or broadcast links. For example, if an Ethernet interface on a device
is assigned an IP address with a 31-bit mask, this device can access only the host in the directly
connected subnet. It cannot access all hosts in the subnet. In the backbone network of a broadcast
link, if a P2P link exists, you can configure the IP addresses with 31-bit masks.
7.1.2 Configuring IP Addresses for Interfaces

Assigning an IP address to a device on a network enables the device to communicate with the
other devices on the network.
Before You Start

This section describes the usage scenario, pre-configuration tasks, data preparation, and
configuration procedure for assigning an IP address to an interface.
Usage Scenario
To start IP services on an interface, configure the IP address for the interface. You can assign
several IP addresses to each interface. Among them, one is the primary IP address and the others
are secondary IP addresses.
Generally, you need to configure only a primary IP address for an interface. Secondary IP
addresses, however, are required in some cases. For instance, when a device connects to a
physical network through an interface, and computers on this network belong to two Class C
networks, you need to configure a primary IP address and a secondary IP address for this interface
to ensure that the device can communication with all computers on this network.
Before configuring an IP addresses for an interface, complete the following tasks:
l
Configuring the physical parameters for the interface and ensuring that the physical layer
status of the interface is Up
Configuring the link layer parameters for the interface and ensuring that the status of the
link layer protocol on the interface is Up
Data Preparation
Before configure IP addresses for an interface, you need the following data.
Issue 02 (2013-12-31)

1911

Equipment
No.
Data
Interface number
Primary IP address and subnet mask of the interface
(Optional) Secondary IP address and subnet mask of the interface
7 IP Services
Configuring a Primary IP Address for an Interface

An interface can have only one primary IP address.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
A primary IP address is configured.

An interface has only one primary IP address. If the interface already has a primary IP address,
the newly configured primary IP address replaces the original one.
----End
(Optional) Configuring a Secondary IP Address for an Interface

To enable an interface to communicate with several networks with different network IDs, you
need to assign a secondary IP address to this interface.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ip address ip-address { mask | mask-length } sub
A secondary IP address is configured.

Issue 02 (2013-12-31)

1912

Equipment
7 IP Services
A secondary IP address with a 31-bit mask can be configured for an interface.

You can configure a maximum of 255 secondary IP addresses on an interface.
----End

You can view the configuration of the IP address for an interface.
Prerequisites
The configurations of the IP addresses for the interface are complete.
Procedure
l
Run the display ip interface [ brief ] [ interface-type interface-number ] command to check

the IP configuration on the interface.
Run the display interface [ interface-type [ interface-number ] ] command to check

interface information.
----End
7.1.3 Maintaining IP Addresses

Maintaining an IP address involves monitoring the operation of this IP address.
Monitoring Network Operating Status of IP Addresses

This section describes IP address monitoring through the display command.
Context
In routine maintenance, you can run the following commands in any view to check the operation
of IP addresses.
Procedure
l
Run the display ip interface [ brief ] [ interface-type [ interface-number ] ] command in

any view to check the IP address configuration on the interface.
Run the display interface [ interface-type [ interface-number ] ] command in any view to

check information about the interface.
----End

This section includes the networking requirements, precautions for configuration, and
Issue 02 (2013-12-31)

1913

Equipment
7 IP Services
Context
NOTE
This document takes interface numbers and link types of the ATN as an example. In working situations,
Example for Configuring IP Address Overlapping on the Same Device

This part describes how to configure IP address overlapping on a device.
As shown in Figure 7-1, Network A (10.1.1.0/24) and Network B (20.1.1.0/24) are independent
from each other. They access the Internet through different paths. Using the same Layer 2
network provided by ISP 1, Network A and Network B can access each other.
It is required to use ATN to connect Network A and Network B to the Layer 2 network provided
by ISP 1 by using the IP addresses 192.168.1.11/24 and 192.168.1.12/24.
Figure 7-1 Networking diagram of configuring IP address overlapping on the same device
GE1/3/0
192.168.1.1/24
Router A
AS:100
Layer2
network
r1
GE0/2/0
192.168.1.11/24
GE0/2/4
10.1.1.1/24
r2
GE0/2/1
192.168.1.12/24
ATN
GE0/2/5
20.1.1.1/24
ISP1 AS:200
NodeB-2
20.1.1.2/24
NodeB-1
10.1.1.2/24
Network A
Network B
Procedure
Step 1 Configure a VPN instance.
# On ATN , create a VPN instance for Network A, and bind the VPN instance to the upstream
interface GE 0/2/0 and the downstream interface GE 0/2/4.
[ATN] ip vpn-instance r1
[ATN-vpn-instance-r1] ipv4-family
[ATN-vpn-instance-r1-af-ipv4] route-distinguisher 100:1
[ATN-vpn-instance-r1-af-ipv4] quit
[ATN-vpn-instance-r1] quit
[ATN-GigabitEthernet0/2/0] ip binding vpn-instance r1
Issue 02 (2013-12-31)

1914

Equipment
7 IP Services
[ATN-GigabitEthernet 0/2/4] ip binding vpn-instance r1
[ATN-GigabitEthernet 0/2/4] ip address 10.1.1.1 24
[ATN-GigabitEthernet 0/2/4] undo shutdown
[ATN-GigabitEthernet 0/2/4] quit
# On ATN, create a VPN instance for Network B, and bind the VPN instance to the upstream
interface GE 0/2/1 and the downstream interface GE 0/2/5.
[ATN] ip vpn-instance r2
[ATN-vpn-instance-r1] ipv4-family
[ATN-vpn-instance-r1-af-ipv4] route-distinguisher 100:2
[ATN-vpn-instance-r1-af-ipv4] quit
[ATN-vpn-instance-r2] quit
# On ATN, configure static routes for the two VPN instances.

[ATN] ip route-static vpn-instance r1 0.0.0.0 0 192.168.1.1
[ATN] ip route-static vpn-instance r2 0.0.0.0 0 192.168.1.1
Step 2 Set up the EBGP neighbor relationship between Router A and the two upstream interfaces on
ATN respectively.
# Configure ATN.
[ATN] bgp 200
[ATN-bgp] router-id 100.1.1.1
[ATN-bgp] ipv4-family vpn-instance r1
[ATN-bgp-r1] peer 192.168.1.1 as-number 100
[ATN-bgp-r1] import-route direct
[ATN-bgp-r1] quit
[ATN-bgp] ipv4-family vpn-instance r2
[ATN-bgp-r2] peer 192.168.1.1 as-number 100
[ATN-bgp-r2] import-route direct
[ATN-bgp-r2] quit
# Configure Router A.
[HUAWEI] sysname RouterA
[RouterA] interface gigabitethernet 1/3/0
[RouterA-GigabitEthernet1/3/0] ip address 192.168.1.1 24
[RouterA-GigabitEthernet1/3/0] undo shutdown
[RouterA-GigabitEthernet1/3/0] quit
[RouterA] bgp 100
[RouterA-bgp] peer 192.168.1.11 as-number 200
[RouterA-bgp] peer 192.168.1.12 as-number 200
[RouterA-bgp] quit
Step 3 Configure IP addresses for Router C and Router D on the local network.
# Configure the IP address for 10.1.1.2 24 Router C.
# Configure the IP address for 20.1.1.2 24 Router D.
Issue 02 (2013-12-31)

1915

Equipment
7 IP Services

# After the configurations, view the private routing table on ATN. The routes of the two local
networks connected to ATN belong to two VPN instances (r1 and r2) respectively. This indicates
that the routes are isolated.
[ATN] display ip routing-table vpn-instance r1
-----------------------------------------------------------------------------Routing Tables: r1
Destinations : 6
Routes : 6
Destination/Mask
Proto
0.0.0.0/0
10.1.1.0/24
10.1.1.1/32
10.1.1.2/32
192.168.1.0/24
192.168.1.11/32
Static
Direct
Direct
Direct
Direct
Direct
Pre
Cost
Flags
0
0
0
0
0
0
RD
D
D
D
D
D
60
0
0
0
0
0
NextHop
192.168.1.1
10.1.1.1
127.0.0.1
10.1.1.2
192.168.1.11
127.0.0.1
Interface
InLoopBack0
InLoopBack0
[ATN] display ip routing-table vpn-instance r2

-----------------------------------------------------------------------------Routing Tables: r2
Destinations : 6
Routes : 6
Destination/Mask
0.0.0.0/0
20.1.1.0/24
20.1.1.1/32
20.1.1.2/32
192.168.1.0/24
192.168.1.12/32
Proto
Static
Direct
Direct
Direct
Direct
Direct
Pre
Cost
Flags
60
0
0
0
0
0
0
0
0
0
0
0
RD
D
D
D
D
D
NextHop
192.168.1.1
20.1.1.1
127.0.0.1
20.1.1.2
192.168.1.12
127.0.0.1
Interface
InLoopBack0
InLoopBack0
# Run the display ip routing-table command on Router A. The command output shows that
the public routing table on Router A contains routes to the two local networks.
[RouterA] display ip routing-table
Destinations : 8
Routes : 8
Destination/Mask
Proto
10.1.1.0/24
EBGP
10.1.1.2/32
EBGP
20.1.1.0/24
EBGP
20.1.1.2/32
EBGP
127.0.0.1/32
Direct
192.168.1.0/24
Direct
192.168.1.1/32
Direct
Pre
Cost
Flags
NextHop
255
192.168.1.11
255
192.168.1.11
255
192.168.1.12
255
192.168.1.12
0
0
0
0
0
0
D
D
D
127.0.0.1
192.168.1.1
127.0.0.1
Interface
InLoopBack0
InLoopBack0
Network A and Network B can ping through each other.

----End
Issue 02 (2013-12-31)

1916

Equipment
7 IP Services
Configuration Files
l
Configuration file of Router A

#
sysname RouterA
#
undo shutdown
ip address 192.168.1.1 255.255.255.0
#
bgp 100
peer 192.168.1.11 as-number 200
peer 192.168.1.12 as-number 200
#
ipv4-family unicast
#
return
Configuration file of ATN.

#
sysname ATN
#
ip vpn-instance r1
#
ip vpn-instance r2
#
undo shutdown
ip binding vpn-instance r1
ip address 192.168.1.11 255.255.255.0
#
undo shutdown
ip address 192.168.1.12 255.255.255.0
#
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
undo shutdown
ip address 20.1.1.1 255.255.255.0
#
bgp 200
router-id 100.1.1.1
#
ipv4-family unicast
#
ipv4-family vpn-instance r1
import-route direct
#
ipv4-family vpn-instance r2
import-route direct
#
ip route-static vpn-instance r1 0.0.0.0 0.0.0.0 192.168.1.1
ip route-static vpn-instance r2 0.0.0.0 0.0.0.0 192.168.1.1
Issue 02 (2013-12-31)

1917

Equipment
7 IP Services
#
return
7.2 ARP Configuration

ARP can map an IP address to a MAC address and implements transmission of Ethernet frames.
7.2.1 Introduction
ARP, acronym for Address Resolution Protocol, is at the link layer of the TCP/IP protocol suite.
Overview of ARP
An Ethernet device must support ARP. ARP implements dynamic mapping between Layer 3 IP
addresses and Layer 2 MAC addresses.
Each host or device on the Local Area Network (LAN) can be configured a 32-bit IP address to
communicate with others. The assigned IP address is independent of the hardware address.
On the Ethernet, a host or a device transmits and receives Ethernet frames according to a 48-bit
Medium Access Control (MAC) address. The MAC address is also called the physical address
or the hardware address, which is assigned to an Ethernet interface when equipment is produced.
Therefore, on an interconnected network, an address resolution mechanism is required to provide
the mapping between MAC addresses and IP addresses.
The Address Resolution Protocol (ARP) maps an IP address to the corresponding MAC address.
Features of ARP Supported by the ATN

ARP can operate in either of two modes: static and dynamic. The extensions of ARP include
proxy ARP, gratuitous ARP, association between ARP and interface status, and ARP-Ping.
ARP is only used in the IPv4 environment and can only run on Ethernet links.
Introduction to ARP-Ping
ARP-Ping consists of ARP-Ping IP and ARP-Ping MAC. ARP-Ping is developed to maintain
the deployed Layer 2 features.
Introduction to ARP-Ping IP
ARP-Ping IP uses ARP packets to check whether an IP address is used by another device on the
LAN.
Before configuring an IP address for a device, you need to check that this IP address is not used
by another device on the network by sending the ARP packets. Then, you can take appropriate
actions.
You can also run the ping command to check whether the IP address is used by another device
on the network. If enabled with the firewall function that does not reply to Ping packets, the
destination host and device do not reply to Ping packets and think that the IP address is not in
use. ARP is a Layer 2 protocol. In most cases, ARP packets can pass through the firewall. In
this way, the preceding situation does not occur.
Issue 02 (2013-12-31)

1918

Equipment
7 IP Services
Principles of ARP-Ping IP
ARP-Ping IP sends ARP Request packets. The following describes how to implement ARP-Ping
IP:
1.
After setting the specified IP address through command lines, you can send ARP Request
packets and start the timeout timer.
2.
After receiving an ARP Request packet, each device or host on the LAN replies with an
ARP Reply packet.
3.
After receiving the ARP Reply packet, the source device compares the source IP address
contained in the Reply packet with the IP address input in the command line. If they are
consistent, the MAC address corresponding to the input IP address is displayed and the
timeout timer of ARP Reply packets is disabled. The operation finishes.
If the timeout timer of ARP Reply packets times out, it means that the IP address is not in
use.
As shown in Figure 7-2, ATN A and Node Bare directly connected. You can run the arp-ping
ip command on ATN A to check whether the IP address 10.1.1.2 is in use.
Figure 7-2 Implementation procedure of ARP-Ping IP
GE1
10.1.1.1/24
Node B
10.1.1.2/32
ATN A
Through the command output, you can know whether the IP address is used by another host on
the network.
NOTE
The arp-ping ip command is applicable to the outgoing interface in one of the following types: the Gigabit
Ethernet interface, and Eth-Trunk interface, VLANIF interface, Ethernet interface, mp-group interface,
VE interface, Ima interface.
The arp-ping ip command is applicable to the outgoing interface in one of the following types: the Gigabit
Ethernet interface, and Eth-Trunk interface, VLANIF interface, Ethernet interface.
Introduction to ARP-Ping MAC

ARP-Ping MAC uses ICMP packets to check whether a MAC address is used by another device
on the LAN.
When you know a specific MAC address on a network segment but do not know the
corresponding IP address, you can obtain the IP address corresponding to the MAC address by
sending the broadcast Internet Control Messages Protocol (ICMP) packets through ARP-Ping
MAC. In this way, you can query the IP address corresponding to the specific MAC address on
the network segment.
Issue 02 (2013-12-31)

1919

Equipment
7 IP Services
Principles of ARP-Ping MAC

ARP-Ping MAC sends broadcast ICMP Echo Request packets. The following describes how to
implement ARP-Ping MAC:
1.
After setting the specified MAC address through the command line, you can send broadcast
ICMP Echo Request packets and start the timeout timer.
2.
After receiving an ICMP Echo Request packet, each device or host on the LAN replies with
an ICMP Echo Reply packet.
3.
After receiving the ICMP Echo Reply packet, the source device compares the source MAC
address contained in the Echo Reply packet with the MAC address input in the command
line. If they are consistent, the IP address of the Echo Reply packet is displayed. Then the
source device prompts you that the MAC address is in use and disables the timeout timer.
The operation finishes.
If the timeout timer of the ICMP Echo Reply packets times out, it means that the MAC
address is not in use.
NOTE
If the system denies the request for replying with the network segment address, the sender cannot receive
the ICMP Echo Reply packet.
As shown in Figure 7-3, ATN A and Node B are directly connected. You can run the arp-ping
mac command on ATN A to check whether the MAC address 0013-46E7-2EF5 is in use.
Figure 7-3 Implementation procedure of ARP-Ping MAC
GE1
10.1.1.0/24
Node B
0013-46E7-2EF5
ATN A
The following describes how to implement ARP-Ping MAC on ATN A:

Run the arp-ping mac 0013-46E7-2EF5 10.1.1.0 or arp-ping mac 0013-46E7-2EF5 interface
gigabitethernet 0/2/0command on ATN A. After receiving the ICMP Reply packets replied by
all the hosts on the network, ATN A displays the IP address of the node with the MAC address
0013-46E7-2EF5.
Through the command output, you can obtain the IP address corresponding to the MAC address.
NOTE
The arp-ping mac command is applicable to the outgoing interface in one of the following types: Gigabit
Ethernet interface, VLANIF interface, Ethernet interface,Eth-Trunk interface, the VE interface, and Ima
interface
7.2.2 Configuring Static ARP

Static ARP indicates that there is a fixed mapping between an IP address and a MAC address.
Static ARP needs to be configured by an administrator.
Issue 02 (2013-12-31)

1920

Equipment
7 IP Services
Before You Start

configuration procedure for configuring static ARP.
Usage Scenario
Static ARP is used in the following situations:
l
For the packets whose destination IP address is on another network segment, static ARP
can help these packets traverse a gateway of the local network segment so that the gateway
can forward the packets to their destination.
When you need to filter out some packets with illegitimate destination IP addresses, static
ARP can bind these illegitimate addresses to a nonexistent MAC address.
Before configuring ARP, complete the following tasks:
l
Configuring the link layer protocol parameters for the interface and ensuring that the status
of the link layer protocol on the interface is Up
Configuring the network layer protocol for the interface
Data Preparation
To configure ARP, you need the following data.
No.
Data
IP address and MAC address of the static ARP entry
VPN instance name and VLAN ID to which the static ARP entry belongs
Configuring Common Static ARP Entries

Static ARP entries are required for the communication between common interfaces.
Context
NOTE
To configure static ARP for the packets with double tags, run the arp static cevid command. For details,
see the Command Reference - LAN Access and MAN Access.
Procedure
Step 1 Run:
system-view

Step 2 Run:
Issue 02 (2013-12-31)

1921

Equipment
7 IP Services
arp static ip-address mac-address
Configure common static ARP entries.

NOTE
Static ARP entries keep valid when a device works normally.
----End
Configuring Static ARP Entries in a VLAN

In the scenario where two users belong to the same VLAN but user isolation is configured in
the VLAN, to implement communications between the two users, you need to enable static ARP
within the VLAN on the interface of the VLAN.
Context
NOTE
see the ATNMulti-service Access EquipmentCommand Reference - LAN Access and MAN Access.
Procedure
Step 1 Run:
system-view

Step 2 Configure static ARP entries in a Virtual Local Area Network (VLAN).
To configure static ARP entries in a VLAN, do as follows:
l Run the arp static ip-address mac-address vid vlan-id interface interface-type interfacenumber command.
It is required to set parameters vid vlan-id and interface interface-type interface-number when
you configure static ARP entries in the VLAN.
If the interface corresponding to the VLAN is bound to a Virtual Private Network (VPN),
the device can automatically associate the configured static ARP entry with the VPN. This
command is applicable to port-based VLANs.
l Run the arp static ip-address mac-address [ vpn-instance vpn-instance-name ] vid vlanid command.
This command is applicable to the sub-interface that supports VLAN and can be bound to
the VPN.
NOTE
----End
Configuring Static ARP Entries in a VPN Instance

To implement Layer 2 interworking of the devices in a VPN instance, you can configure static
ARP in the VPN instance.
Issue 02 (2013-12-31)

1922

Equipment
7 IP Services
Context
If static ARP and the Virtual Router Redundancy Protocol (VRRP) are enabled on a device
simultaneously, the virtual IP address of the VRRP backup group configured on the Dot1q
termination sub-interface, QinQ termination sub-interface, or VLANIF interface cannot be the
IP address contained in the static ARP entries; otherwise, incorrect host routes are generated and
packets cannot be normally forwarded.
NOTE
see the Command Reference - LAN Access and MAN Access.
Procedure
Step 1 Run:
system-view

Step 2 Run:
arp static ip-address mac-address vpn-instance vpn-instance-name
Configure static ARP entries in a VPN instance.

NOTE
----End

You can view the configuration of static ARP.
Prerequisites
The configurations of the ARP function are complete.
Procedure
l
Run the display arp vpn-instance vpn-instance-name [ dynamic | static ] command to

check information about ARP mapping tables based on VPN instances.
Run the display arp statistics { all | interface interface-type interface-number } command
to check the statistics for ARP entries.
----End
7.2.3 Optimizing Dynamic ARP

If dynamic ARP is configured, the system automatically resolutes an IP address into an Ethernet
MAC address.
Issue 02 (2013-12-31)

1923

Equipment
7 IP Services
Before You Start

configuration procedure for optimizing dynamic ARP.
Usage Scenario
Dynamic ARP is one of functions owned by a device or host. You do not need to run a command
to enable dynamic ARP but you can modify some parameters of dynamic ARP.
None
Data Preparation
Optimizing dynamic ARP, you need the following data.
No.
Data
ID of the Ethernet interface to which the dynamic ARP entry belongs
Aging detection times of the dynamic ARP entry
Aging time of the dynamic ARP entry
Modify the aging parameters of dynamic ARP

If the device needs to update ARP entries frequently, you can reduce the aging timeout period
of ARP entries, increase the number of aging detections for ARP entries, and reduce the aging
detection intervals of ARP entries.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The interface view is displayed or create the logical interface.

Step 3 Run:
arp detect-times detect-times
The number of aging detection times of the dynamic ARP entries is configured.
Step 4 Run:
arp expire-time expire-times
The timeout period for aging dynamic ARP entries is configured.

Issue 02 (2013-12-31)

1924

Equipment
7 IP Services
By default, the aging detection times of the dynamic ARP entries is three, and the aging timeout
period is 1200 seconds.
Step 5 Run:
arp detect-mode unicast
The interface is configured to send ARP Aging Detection packets in unicast mode.
By default, an interface sends ARP Aging Detection packets in broadcast mode.
----End
Enabling ARP Suppression Function

If the system receives a great number of ARP packets from the same source at a time, the system
needs to update ARP entries repeatedly. To ensure the performance of the system, you can enable
ARP suppression. In this manner, the system only responds to the ARP packets but does not
update ARP entries.
Procedure
Step 1 Run:
system-view

Step 2 Run:
arp-suppress enable
ARP suppression is enabled on the current device.

By default, ARP suppression is disabled and only VLANIF interfaces are suppressed.
----End
Enabling Layer 2 Topology Detection Function

After Layer 2 topology detection is enabled, the system updates all the ARP entries
corresponding to the VLANs to which a Layer 2 interface belongs, if this Layer 2 interface goes
Up.
Procedure
Step 1 Run:
system-view

Step 2 Run:
l2-topology detect enable
The Layer 2 topology detection function is enabled.

By default, this function is not enabled.
----End
Issue 02 (2013-12-31)

1925

Equipment
7 IP Services
Enabling ARP Check

ARP check can be enabled to ensure network security. In this case, when an interface receives
an ARP packet, it checks whether the source MAC address and destination MAC address in the
Ethernet packet header are the same as those in the Data field of the ARP packet.
Context
On the metro Ethernet, there are various ARP attacks. To protect the network, you need to
configure ARP security features at the access layer or convergence layer of the network to protect
against ARP attacks.
If there are ARP spoofing attacks on the network, you can run the arp validate command to
enable an interface to check the received ARP packet to determine whether the source MAC
address and destination MAC address in the Ethernet packet header are respectively the same
as those in the Data field of the ARP packet. If they are not the same, the ARP packet is discarded.
If they are the same, the ARP packet is forwarded.
NOTE
l ARP check cannot be configured on sub-interfaces. When a sub-interface receives an ARP packet, the
main interface where the sub-interface is configured checks the ARP packet to determine whether the
destination MAC address in the Ethernet packet header is the same as that in the Data field of the ARP
packet. If they are the same, the sub-interface forwards the ARP packet. If they are not the same, the
sub-interface discards the ARP packet.
l ARP check cannot be configured on VLANIF interfaces. When a VLANIF interface receives an ARP
packet, the physical interface that belongs to the VLAN for which the VLANIF interface is configured
checks the ARP packet to determine whether the destination MAC address in the Ethernet packet header
is the same as that in the Data field of the ARP packet. If they are the same, the VLANIF interface
forwards the ARP packet. If they are not the same, the VLANIF interface discards the ARP packet.
Perform the following steps on the devices on which ARP check needs to be enabled.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The view of the Ethernet interface where ARP check needs to be enabled is displayed.
Step 3 Run:
arp validate { source-mac | destination-mac }
ARP check is enabled.

l If source-mac is specified:
After receiving an ARP Request packet, an interface only checks whether the source MAC
address in the Ethernet packet header is consistent with that in the Data field of the ARP
packet.
Issue 02 (2013-12-31)

1926

Equipment
7 IP Services
After receiving an ARP Response packet, an interface only checks whether the source
MAC address in the Ethernet packet header is consistent with that in the Data field of the
ARP packet.
l If destination-mac is specified:
After receiving an ARP Request packet, an interface does not check whether the
destination MAC address in the Ethernet packet header is consistent with that in the Data
field of the ARP packet because ARP packets are broadcast packets.
After receiving an ARP Response packet, an interface only checks whether the destination
MAC address in the Ethernet packet header is consistent with that in the Data field of the
ARP packet.
l If both source-mac and destination-mac are specified:
After receiving an ARP Request packet, an interface only checks whether the source MAC
address in the Ethernet packet header is consistent with that in the Data field of the ARP
packet.
After receiving an ARP Response packet, an interface checks whether both the source
MAC address and destination MAC address in the Ethernet packet header are respectively
the same as those in the Data field of the ARP packet.
----End

You can view the configuration of dynamic ARP.
Prerequisites
The configurations of the ARP function are complete.
Procedure
l
Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlanid ] ] command to check information about ARP mapping tables based on interfaces.

to check the statistics for ARP entries.
----End
7.2.4 Configuring Routed Proxy ARP

Proxy ARP enables devices whose IP addresses belong to the same network segment but
different physical networks to communicate with each other.
Before You Start

configuration procedure for configuring routed proxy ARP.
Issue 02 (2013-12-31)

1927

Equipment
7 IP Services
Usage Scenario
The two physical networks of an enterprise are in different subnets of the same IP network, and
are separated by a device. You need to enable the proxy ARP on the device interface connected
to the physical networks. This enables communication between the two networks.
Network IDs of subnet hosts must be the same. You do not need to configure default gateways
for hosts.
Before configuring routed proxy ARP, complete the following tasks:
l
Configuring the physical parameters for the interface and ensuring that the status of the
physical layer of the interface is Up
Data Preparation
To configure routed proxy ARP, you need the following data.
No.
Data
Number of the interface to be enabled with routed proxy ARP
IP address of the interface to be enabled with routed proxy ARP
Configure an IP Addresses for the Interface

The IP address assigned to a routed proxy ARP-enabled interface must be on the same network
segment with the IP address of the host on the LAN to which this interface connects.
Procedure
Step 1 Run:
system-view

Step 2 Run:

The interfaces supporting routed proxy ARP include GE interfaces, GE sub-interfaces, Ethernet
interfaces, Ethernet sub-interfaces, VLANIF interfaces, Eth-Trunk interfaces, and Eth-Trunk
sub-interfaces.
Step 3 Run:
The interface is configured with an IP address.

Issue 02 (2013-12-31)

1928

Equipment
7 IP Services
The IP address configured for the interface must be in the same network segment with that of
hosts in the LAN connected to this interface.
----End
Enabling the Routed Proxy ARP Function

To interconnect the subnets in the same IP network, you need to enable routed proxy ARP.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
arp-proxy enable
By default, the routed proxy ARP function is disabled on the interface.

After routed proxy ARP is enabled, you must reduce the aging time of ARP entries in the device
so that the number of packets received but cannot be forwarded by the device is decreased. To
configure the aging time of ARP entries.
----End

You can view the configuration of routed proxy ARP.
Prerequisites
The configurations of the routed proxy ARP function are complete.
Procedure
l
Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlanid ] ] command to check information about ARP mapping tables based on interfaces.

to check statistics about ARP entries.
----End
7.2.5 Configuring ARP-Ping IP

ARP-Ping IP is a method of detecting whether an IP address is used by another device on a local
area network (LAN) by sending ARP packets.
Issue 02 (2013-12-31)

1929

Equipment
7 IP Services
Before You Start

configuration procedure for configuring ARP-Ping IP.
Usage Scenario
In the LAN, to configure an IP address for a device, you need to use the arp-ping ip command
to check whether this IP address is used by another device in the network.
The arp-ping ip command is used in the maintenance of the deployed Lay 2 features. For
example, in the L2VPN networking, such as the virtual private LAN segment (VPLS) and virtual
private wire service (VPWS) that the Ethernet or VLAN is used to access, you can run the arpping ip command on the PE or CE to check whether the IP address is used by the local or remote
host.
You can also run the ping command to check whether the IP address is used by another device
on the network. If enabled with the firewall function that does not reply to Ping packets, the
destination host and device do not reply to Ping packets and think that the IP address is not in
use. ARP is a Layer 2 protocol. In most cases, ARP packets can pass through the firewall. In
this way, the preceding situation does not occur.
Before configuring ARP-Ping IP, complete the following tasks:
l
Data Preparation
To configure ARP-Ping IP, you need the following data.
No.
Data
IP address to be checked
Detecting the IP Address by Using the arp-ping ip Command

ARP-Ping IP detects whether an IP address is used by a device on a LAN by sending ARP
requests.
Procedure
Step 1 Run:
arp-ping ip ip-address [ interface interface-type interface-number [ vlan-id vlanid ] ]
Check whether the IP address is in use.

Issue 02 (2013-12-31)

1930

Equipment
7 IP Services
NOTE
When the specified outgoing interface is a Layer 2 interface, you need to configure vlan-id vlan-id; when
the specified outgoing interface is a Layer 3 interface, you cannot configure vlan-id vlan-id.
The following information is displayed:

l If the following information is displayed, it means that the IP address is not in use.
<HUAWEI> arp-ping ip 110.1.1.2
Error: Can't find any interface!
l If the following information is displayed, it means that the IP address is in use.

<HUAWEI> arp-ping ip 128.1.1.1
ARP-Pinging 128.1.1.1:
128.1.1.1 is used by 00e0-517d-f202
----End
7.2.6 Configuring ARP-Ping MAC

ARP-Ping MAC is a method of detecting whether a MAC address is used by another device on
a LAN by sending ICMP packets.
Before You Start

configuration procedure for configuring ARP-Ping MAC.
Usage Scenario
To check whether a MAC address is in use or query the IP address through the MAC address,
you can use the arp-ping mac command.
Before configuring ARP-Ping MAC, complete the following tasks:
l
Data Preparation
To configure ARP-Ping MAC, you need the following data.
No.
Data
MAC address to be checked
Detecting the MAC Address by Using the arp-ping mac Command

ARP-Ping MAC detects whether an IP address is used by a device on a LAN by sending ICMP
packets.
Issue 02 (2013-12-31)

1931

Equipment
7 IP Services
Procedure
Step 1 Run:
arp-ping mac mac-address { ip-address [ vpn-instance vpn-instance-name ] |
interface interface-type interface-number }
Check whether the MAC address is in use. Alternatively, you can query the IP address through
the MAC address.
The following information is displayed:
l If the following information is displayed, it means that the MAC address is not in use.
[HUAWEI] arp-ping mac 00e0-517d-f201 interface gigabitethernet 0/2/1
OutInterface: GigabitEthernet0/2/1 MAC[00-E0-51-7D-F2-01], press CTRL_C to
break
Error: Request timed out
----- ARP-Ping MAC statistics ----3 packet(s) transmitted
MAC[00-E0-51-7D-F2-01] not be used
l If the following information is displayed, it means that the MAC address is in use.
[HUAWEI] arp-ping mac 00e0-517d-f202 interface gigabitethernet 0/2/1
OutInterface: GigabitEthernet0/2/1 MAC[00-E0-51-7D-F2-02], press CTRL_C to
break
----- ARP-Ping MAC statistics ----1 packet(s) transmitted
IP ADDRESS
MAC ADDRESS
128.1.1.1
00-E0-51-7D-F2-02
----End
7.2.7 Maintaining ARP

The operations of ARP maintenance include clearing ARP statistics and monitoring ARP
operating status.
Clearing ARP Entries

This section describes ARP entries clearance through the reset command.
Context
NOTICE
l The mapping between the IP and MAC addresses is deleted after you clear ARP entries. So,
confirm the action before you use the command.
l The static ARP entries cannot restore after you clear it. So, confirm the action before you
use the command.
Issue 02 (2013-12-31)

1932

Equipment
7 IP Services
Procedure
Step 1 Run the reset arp { all | dynamic ip ip-address [ vpn-instance vpn-instance-name ] |
interface interface-type interface-number [ ip ip-address ] | static } command in the user view
to clear the ARP entries in the ARP mapping table.
----End
Monitoring Network Operating Status of ARP

This section describes ARP operation monitoring through the display command.
Context
In routine maintenance, you can run the following command in any view to check the operation
of ARP.
Procedure
l
Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlanid ] ] command in any view to check the information about the ARP mapping table based
on interfaces.
Run the display arp vpn-instance vpn-instance-name [ dynamic | static ] command in

any view to check the information about ARP mapping tables based on VPN instances.
----End

Context
NOTE
Example for Configuring Layer 2 Topology Detection

This section provides an example of configuring Layer 2 topology detection.
As shown in Figure 7-4, configure VLAN 100 as the default VLAN of the two GE interfaces
on the device enabled with the portswitch function. Configure the IP addresses of the two GE
interfaces based on the figure.
Issue 02 (2013-12-31)

1933

Equipment
7 IP Services
Figure 7-4 Networking diagram of configuring Layer 2 topology detection

ATN
GE 0/2/1
GE 0/2/2
VLANIF100
10.1.1.2/24
VLAN100
Node A
10.1.1.1/24
Node B
10.1.1.3/24
1.
Enable portswitch on two GE interfaces and configure them to join VLAN 100 by default.
2.
Enable Layer 2 topology detection and view changes of ARP entries.
Data Preparation
l
Types and numbers of the interfaces to be added to a VLAN
IP addresses of the VLANIF interface and the NodeB
Procedure
Step 1 Create VLAN 100 and configure VLAN 100 to be the default VLAN of the two GE interfaces
on the device.
# Create VLAN 100 and configure an IP address for the VLANIF interface.
[ATN] vlan 100
[ATN-vlan100] quit
[ATN] interface vlanif 100
[ATN-vlanif100] undo shutdown
[ATN-vlanif100] ip address 10.1.1.2 24
[ATN-vlanif100] quit
# Configure the two GE interfaces to join VLAN 100 by default.

Issue 02 (2013-12-31)

1934

Equipment
7 IP Services
Step 2 Enable the Layer 2 topology detection function.

[ATN] l2-topology detect enable
Step 3 Restart GE 0/2/1 and view changes of ARP entries and aging time.
# View ARP entries on the device. You can find that the device has learnt the MAC address of
the NodeB.
[ATN] display arp all
IP ADDRESS
MAC ADDRESS
EXPIRE(M) TYPE
INTERFACE
VPNINSTANCE
VLAN/CEVLAN PVC
----------------------------------------------------------------------------10.1.1.2
00e0-c01a-4900
I Vlanif100
10.1.1.1
00e0-c01a-4901 20
D-0
GE0/2/1
100/10.1.1.3
00e0-de24-bf04 20
D-0
GE0/2/2
100/----------------------------------------------------------------------------Total:3
Dynamic:2
Static:0
Interface:1
# Run the shutdown command and then the undoshutdown command on GE 0/2/1 to view the
aging time of ARP entries.
[ATN-GigabitEthernet0/2/1] shutdown
[ATN-GigabitEthernet0/2/1] display arp all
IP ADDRESS
MAC ADDRESS
EXPIRE(M) TYPE
INTERFACE
VPN-INSTANCE
VLAN/CEVLAN PVC
---------------------------------------------------------------------------10.1.1.2
00e0-c01a-4900
I Vlanif100
10.1.1.3
00e0-de24-bf04 0
D-0
GE0/2/2
100/-----------------------------------------------------------------------------Total:2
Dynamic:1
Static:0
Interface:1
NOTE
The preceding command output shows that the ARP entries learned from GE 0/2/1 are deleted after GE
0/2/1 is shut down. After the undo shutdown command is run on GE 0/2/1 and GE 0/2/1 goes Up, the aging
time of the ARP entries learned from GE 0/2/2 changes to 0. When the aging time is 0, the device sends
an ARP probe packet for updating ARP entries.
[ATN-GigabitEthernet0/2/1] display arp all
IP ADDRESS
MAC ADDRESS
EXPIRE(M) TYPE
INTERFACE
VPN-INSTANCE
VLAN/CEVLAN PVC
---------------------------------------------------------------------------10.1.1.2
00e0-c01a-4900
I Vlanif100
10.1.1.3
00e0-de24-bf04 20
D-0
GE0/2/2
100/---------------------------------------------------------------------------Total:2
Dynamic:1
Static:0
Interface:1
NOTE
After the entry is updated, the aging time restores the default value, 20 minutes.
----End
Issue 02 (2013-12-31)

1935

Equipment
7 IP Services
Configuration Files
The configuration file of ATN is as follows:
#
sysname ATN
#
L2-topolgy detect enable
#
vlan 100
#
interface Vlanif100
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
undo shutdown
portswitch
#
undo shutdown
portswitch
#
return
7.3 IP Performance Configuration

By configuring IP performance, you can improve the performance of the device.
7.3.1 IP Performance Overview

By configuring IP performance, you can improve the IP packet forwarding capability of the
device.
Introduction
By configuring certain parameters and functions, you can improve the IP performance of the
device.
IP performance optimization should be performed on the basis of configurations of some
parameters and enablement of related functions, for example, the interface MTU, ICMP
attributes, and TCP attributes.
Internet Control Message Protocol (ICMP) messages are used by either the IP layer or the higher
layer protocol (TCP or UDP). ICMP communicates error messages or other information that
require attention.
IP Performance Supported by the ATN

By setting IP, TCP, and ICMP packets, you can improve the performance of the network.
ICMP
l
Issue 02 (2013-12-31)
ICMP Host Unreachable messages

1936

Equipment
7 IP Services
When forwarding packets, the device discards the packets and returns an ICMP host
unreachable message to the source to notify that the source must stop sending packets to
this destination if the device encounters the following situations:
There is no route to the destination.
The packet is not for itself.
l
ICMP Redirection messages

During packet forwarding, if the device finds the following situations, the device needs to
send an ICMP redirection message to the source device and notices the host to reselect a
correct device to send packets.
The interfaces to receive and forward packets are the same.
The selected route is not created or modified by the ICMP redirection packet.
The selected route is not the route destined for the destination 0.0.0.0.
The subnet mask bit of the source address is the same as that of the outgoing interface.
ICMP packet sending switches

In normal circumstance, ICMP host unreachable and redirection messages can ensure
normal packet transmission. However, when devices encounter the preceding conditions
frequently, network traffic becomes heavy because devices send a large number of ICMP
messages. This increases the traffic burden. In the case of malicious attacks, network
congestion becomes worse.
To solve this problem, the ICMP host unreachable function can be deployed on the
outbound interface. If this function is disabled, the device does not send out ICMP host
unreachable messages and as a result the traffic burden of the network is released and
malicious attacks to the network are prevented.
7.3.2 Improving IP Performance

By setting parameters for IP packets, you can optimize the performance of the network.
Before You Start

configuration procedure for configuring IP performance optimization.
Usage Scenario
In some special network environments, you must adjust the IP parameters to achieve the best
performance. Improving IP performance involves configurations of a series of parameters.
Before improving IP performance, complete the following tasks:
l
Configuring the physical parameters for related interfaces and ensuring that the status of
the physical layer of the interface is Up
Configuring the link layer protocol for related interfaces and ensuring that the status of the
Configuring the IP addresses for related interfaces
Issue 02 (2013-12-31)

1937

Equipment
7 IP Services
Data Preparation
To improve IP performance, you need the following data.
No.
Data
Number and MTU value of the interface
Number of the interface which needs source address verification
Number of the interface which needs to forward broadcast packets and ACL number
Number of the interface which needs to clear the DF
Number of the interface which needs to configure ICMP host-unreachable
Configuring the Maximum Transmission Unit of the Interface

The MTU of an interface determines whether a packet needs to be fragmented when passing
through this interface.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
mtu mtu
The maximum transmission unit of the interface is configured.

----End
Follow-up Procedure
The default MTU value varies with the interface type. Use the display interface command to
find out the value used.
NOTE
After configuring the MTU on an interface, you must restart the interface; otherwise, the configuration
cannot take effect. To restart the interface, run the shutdown and then undo shutdown commands.
Verifying the Source IP Address

By configuring source IP address verification, you can verify whether the source IP address of
a packet is valid. In this manner, you can improve the security of the network.
Issue 02 (2013-12-31)

1938

Equipment
7 IP Services
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ip verify source-address
The source IP address verification is enabled on the interface.

By default, the function is disabled on all interfaces.
----End
Configuring the Control of IP Packets with Source-Route Options

By controlling IP source routing option packets, you can prevent an attacker from detecting the
network structure by sending IP source routing option packets. In this manner, you can improve
the security of the network. Perform the following steps on the router that receives the IP packets
containing source-route options.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
discard srr
The router is configured not to process the packets with source-route options.
----End
Configuring DF Clearance
By performing this configuration task, you can enable forcible fragmentation of outgoing IP
packets on an interface.
Procedure
Step 1 Run:
system-view
Issue 02 (2013-12-31)

1939

Equipment
7 IP Services

Step 2 Run:

NOTE
The DF clearance takes effect only on the outbound interface.
Step 3 Run:
clear ip df
Clearing DF function is configured.

By default, the forced fragmentation is disabled for the outbound IP packet.
----End
Configuring ICMP Attributes

Controlling the sending and receiving ICMP messages can protect ICMP messages against
attacks.
Context
By default, receiving ICMP messages, and sending ICMP host unreachable messages are
enabled.
NOTICE
l If sending ICMP host unreachable messages is disabled, the device no longer sends the ICMP
host unreachable message.
l If receiving ICMP messages is disabled, the ATN does not receive ICMP messages in any
condition.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
icmp host-unreachable send
Issue 02 (2013-12-31)

1940

Equipment
7 IP Services
Sending ICMP host unreachable messages is enabled.

----End

You can view the configuration of IP performance optimization.
Prerequisites
The configurations of the improving IP performance function are complete.
Procedure
l
Run the display udp statistics command to check the UDP traffic statistics.
Run the display ip interface [ interface-type interface-number ] command or display ip

interface brief [ interface-type [ interface-number ] ] command to check the table
information of the IP layer interface.
Run the display ip statistics command to check the IP traffic statistics.
Run the display icmp statistics command to check the ICMP traffic statistics.
Run the display ip socket [ monitor ] [ task-id task-id socket-id socket-id | socket-type
socket-type ] command to check all the current socket API information.
----End
7.3.3 Configuring TCP

By setting IP packets, you can improve the performance of the network.
Before You Start

configuration procedure for configuring TCP.
Usage Scenario
None.
None.
Data Preparation
To configure TCP, you need the following data.
Issue 02 (2013-12-31)
No.
Data
SYN-WAIT timer, FIN-WAIT timer, receiving and sending buffer size of the socket

1941

Equipment
7 IP Services
Configuring TCP Timer

By setting two TCP timers, you can control TCP connection time.
Context
The types of TCP timers are shown as follows:
l
The SYN-Wait timer: On sending SYN packets, the TCP starts the SYN-Wait timer. If
response packets are not received before the SYN-Wait timer timeout, the TCP connection
is terminated. The SYN-Wait timer timeout ranges from 2 seconds to 600 seconds, and the
default value is 75 seconds.
The FIN-Wait timer: When the TCP connection status turns from FIN_WAIT_1 to
FIN_WAIT_2, the FIN-Wait timer starts. If FIN packets are not received before the FINWait timer timeout, the TCP connection is terminated. The FIN-Wait timer timeout ranges
from 76 seconds to 3600 seconds, and the default value is 675 seconds.
Procedure
Step 1 Run:
system-view

Step 2 Run:
tcp timer syn-timeout interval
The SYN-Wait timer of setting up TCP connections is configured.

Step 3 Run:
tcp timer fin-timeout interval
The FIN-Wait timer of setting TCP connections is configured.

----End
Specifying the Size of a TCP Sliding Window

By setting the sliding window size for TCP, you can set the sizes of the receiving buffer and
transmitting buffer in the socket. In this manner, you can improve the security of the network.
Procedure
Step 1 Run:
system-view

Step 2 Run:
tcp window window-size
The receiving/sending buffer size of the TCP socket is configured.

Issue 02 (2013-12-31)

1942

Equipment
7 IP Services
The receiving and sending window-size of the connection-oriented socket: It ranges from 1K
bytes to 32K bytes, and the default value is 8K bytes.
----End

You can view the configuration of TCP.
Prerequisites
The configurations of TCP function are complete.
Procedure
l
Run the display tcp status [ [ task-id task-id ] [ socket-id socket-id ] | [ local-ip ipv4address ] [ local-port local-port-number ] [ remote-ip ipv4-address ] [ remote-port
remote-port-number ] ] command to check the TCP connection status.
Run the display tcp statistics command to check the TCP traffic statistics.
----End
7.3.4 Maintaining IP Performance

You can maintain IP performance by deleting IP performance statistics and monitoring the
operation of IP performance.
Clearing IP Performance Statistics

By running the reset command, you can delete IP performance statistics.
Context
NOTICE
IP/TCP/UDP statistics cannot be restored after you clear it. So, confirm the action before you
use the command.
Procedure
l
Run the reset ip statistics [ interface interface-type interface-number] command in the

user view to clear the IP statistics.
Run the reset ip socket monitor [ task-id task-id socket-id socket-id ] command in the
user view to clear information on the socket monitor.
Run the reset tcp statistics command in the user view to clear the TCP traffic statistics.
Run the reset udp statistics command in the user view to clear the UDP traffic statistics.
----End
Issue 02 (2013-12-31)

1943

Equipment
7 IP Services
Monitoring Network Operating Status of IP Performance

By running the display command, you can monitor the operation of IP performance.
Context
of IP performance.
Procedure
l
Run the display tcp status [ [ task-id task-id ] [ socket-id socket-id ] | [ local-ip ipv4address ] [ local-port local-port-number ] [ remote-ip ipv4-address ] [ remote-port
remote-port-number ] ] command in any view to check TCP connection status.
Run the display tcp statistics command in any view to check statistics about TCP traffic.
Run the display udp statistics command in any view to check statistics about UDP traffic.
Run the display ip interface [ interface-type interface-number ] command or display ip

interface brief [ interface-type [ interface-number ] ] command in any view to check
information about IP interfaces.
Run the display ip statistics command in any view to check statistics about IP traffic.
Run the display icmp statistics command in any view to check statistics about ICMP
traffic.
Run the display fib command in any view to check the FIB on the specified interface board.
Run the display fib acl acl-number [ verbose ] command in any view to check the FIB
information selectively through filtering.
Run the display fib destination-address1 [ desinationt-mask1 ] [ longer ] [ verbose ]

command in any view to filter FIB entries by matching destination IP addresses.
Run the display fib destination-address1 destination-mask1 destination-address2

destination-mask2 [ verbose ] command in any view to check the FIB entries with the
destination IP addresses in the range from destination-address1 destination-mask1 to
destination-address2 destination-mask2.
Run the display fib ip-prefix prefix-name [ verbose ] command in any view to check the
FIB entries that have passed filtering in a certain format according to the input IP prefix
name.
Run the display fib interface interface-type interface-number command in any view to
check the FIB entries that have passed filtering in a certain format according to the input
interface type and interface number.
Run the display fib next-hop ip-address command in any view to check the FIB entries
that have passed filtering in a certain format according to the input next hop address.
Run the display fib statistics command in any view to check the total number of FIB
entries.
Run the display fib command in any view to check brief information about the forwarding
table.
Run the display ip socket [ monitor ] [ task-id task-id socket-id socket-id | socket-type
socket-type ] command in any view to check information about all the socket interfaces of
the system.
----End
Issue 02 (2013-12-31)

1944

Equipment
7 IP Services

Context
NOTE
Example for Limiting Transmission of ICMP Host-Unreachable Packets

This part provides an example for configuring ICMP host-unreachable packets.
As shown in Figure 7-5, CX-A, CX-B and ATN are connected with each other through their
Ethernet ports to test limiting transmission of host-unreachable packets.
Figure 7-5 Networking diagram of configuring ICMP host unreachable packets
CX-A
GE 1/0/0
1.1.1.1/24
Internet
GE 0/2/0
2.2.2.2/24
NodeB
ATN
GE 1/0/0
1.1.1.2/24
CX-B
1.
Configure IP addresses for the interfaces on devices.
2.
Configure static routes between devices that are not directly connected.
3.
Enable limiting transmission of ICMP Host-unreachable packets.
Data Preparation
Issue 02 (2013-12-31)

1945

Equipment
Static routes between devices that are not directly connected
IP addresses for the interfaces
7 IP Services
Procedure
Step 1 Configure CX-A.
# Configure static routes on CX-A.
[CX-A] ip route-static 2.2.2.2 24 1.1.1.2
# Configure an IP address for GE 1/0/0.

[CX-A-GigabitEthernet1/0/0] ip address 1.1.1.1 24
Step 2 Configure CX-B.

# Disable sending ICMP host unreachable packets on ATN B and configure an IP address for
GE 1/0/0.
[CX-B-GigabitEthernet1/0/0] undo icmp host-unreachable send
[CX-B-GigabitEthernet1/0/0] ip address 1.1.1.2 24
[CX-B] quit
Step 3 Configure ATN.

# Configure an IP address for GE 0/2/0 on ATN.

# Enable the debugging of the ICMP packets of CX-B.
<CX-B> debugging ip icmp
# Run the ping 2.2.2.2 command on CX-A. If you can view that CX-B does not send the host
unreachable packets, it means that the configuration succeeds. For example:
[CX-A] ping 2.2.2.2
----End
Configuration Files
l

#
sysname CX-A
Issue 02 (2013-12-31)

1946

Equipment
7 IP Services
#
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
ip route-static 2.2.2.0 255.255.255.0 1.1.1.2
#
return

#
sysname CX-B
#
undo shutdown
ip address 1.1.1.2 255.255.255.0
undo icmp host-unreachable send
#
return

#
sysname ATN
#
undo shutdown
ip address 2.2.2.2 255.255.255.0
#
return
7.4 ACL Configuration

Access Control Lists (ACLs) help guarantee network security and stability.
7.4.1 Introduction
ACLs are used for device management, policy-based routing, unicast packet filtering, routing
policies, traffic management, and multicast packet filtering to ensure network security,
reliability, and stability.
ACL Overview
ACLs (Access Control List) configured on devices help the devices classify different types of
packets, and permit or deny packets accordingly.
Devices need to communicate with each other on stable networks with reliable data transmission.
ACLs can be configured on access or core devices to:
l
Protect the devices against IP, TCP, and ICMP packet attacks.
Control network access. For example, control the access of enterprise network users to
external networks, specific network resources that users can access, and time ranges in
which users can access networks.
Limit network traffic and improve network performance. For example, limit bandwidth for
upstream and downstream traffic, charge for the bandwidth that users have applied for, and
use high-bandwidth network resources.
Issue 02 (2013-12-31)

1947

Equipment
7 IP Services
ACL Features Supported by the ATN

Familiarizing yourself with the ACL definition, ACL classification, and ACL rules helps you
complete the ACL configuration task quickly and accurately.
ACL Definition
An ACL is a set of sequential filter rules. Rules are defined based on packets' inbound interfaces,
source or destination IP addresses, protocol types, or source or destination port numbers, and
specify deny or permit actions. After an ACL is configured on the ATN, the ATN classifies the
received packets based on the rules defined in the ACL, and then denies or permits the packets
accordingly.
An ACL only classifies packets based on defined rules. ACLs can be used to filter packets only
when they have been applied to a specific service, such as device management, policy-based
routing, unicast packets filtering, route policies, traffic management, or multicast packets
filtering.
ACL Classification
ACLs can be classified into interface-based ACLs, basic ACLs, advanced ACLs, and Ethernet
frame header-based.
l
Interface-based ACL
Interface-based ACLs are numbered from 1000 to 1999. A maximum of 1000 interfacebased ACLs can be configured.
Rules in an interface-based ACL are defined based on inbound interfaces that receive
packets.
Basic ACL
Basic ACLs are numbered from 2000 to 2999. A maximum of 1000 basic ACLs, including
numbered and named ACLs, are supported.
Rules in a basic ACL are defined based on the source IP addresses of received packets.
Advanced ACL
Numbered advanced ACLs are numbered from 3000 to 3999. A maximum of 1000
numbered advanced ACLs can be configured.
Named advanced ACLs are numbered from 42768 to 75535. A maximum of 32768 named
advanced ACLs can be configured.
Rules in an advanced ACL are defined based on the source or destination IP addresses,
protocol types, or source or destination port numbers of received packets.
Ethernet frame header-based ACL

The numbers of Ethernet frame header-based ACLs range from 4000 to 4999. That is, 1000
Ethernet frame header-based ACLs are supported.
Rules in an Ethernet frame header-based ACL are defined based on the Layer 2 information,
such as the source MAC address, destination MAC address, or protocol type of Ethernet
frames.
Issue 02 (2013-12-31)

1948

Equipment
7 IP Services
ACL Time Range

Configuring a time range for an ACL rule allows a device to permit or deny packets within a
specified time period. A time range can be an absolute time range or a cycle time range.
l
An absolute time range starts from yyyy-mm-dd to yyyy-mm-dd. This time range is not
cyclic.
A cycle time range is cyclic and the cycle is one week. For example, an ACL rule takes
effect from 8:00 to 12:00 every Sunday.
ACL Description
Configuring description for a created ACL helps you learn about the ACL quickly.
ACL Rule
ACL rules are configured for each ACL and are used to classify packets in different scenarios.
Table 7-1 lists ACL rules and their applications.
Table 7-1 ACL rules
ACL Rule
Function and Usage Scenario
ACL Type
Inbound interface
Classifies packets based on their inbound

interfaces. This is used for:
Interface-based ACL
l Flow control
l Access authority control
Time range
Sets a time range in which ACL rules take

effect. This is used for:
l Flow control
Interface-based ACL,
basic ACL, and
advanced ACL
l Access time control

Non-first fragment
Classifies packets based on whether a

packet is the first packet fragment.
Basic ACL and

advanced ACL
l Attack defense
l Flow control
Source IP address
Classifies packets based on their source IP

addresses. This is used for:
Basic ACL and

advanced ACL
l Flow control
l Route filtering
l Multicast packet filtering
Issue 02 (2013-12-31)

1949

Equipment
7 IP Services
ACL Rule
ACL Type
VPN instance
Classifies packets based on the VPN

instances to which the packets belong.
This is used for:
Basic ACL and

advanced ACL
l Flow control
Destination IP
address
Classifies packets based on their

destination IP addresses. This is used for:
Advanced ACL
l Flow control
l Route filtering
Protocol type
Classifies packets based on their protocol

types.
Advanced ACL
Source port number
Classifies packets based on source TCP or

UDP port numbers. This is used for:
Advanced ACL
l Flow control
l Route filtering
Destination port
number
Classifies packets based on destination

TCP or UDP port numbers. This is used
for:
Advanced ACL
l Flow control
l Route filtering
IP DSCP
Classifies IP packets based on their DSCP

values.
Advanced ACL
IP precedence
Classifies IP packets based on IP

precedence. This is used for flow control.
Advanced ACL
IP ToS
Classifies IP packets based on their ToS

values. This is used for flow control.
Advanced ACL
Source MAC
address, Destination
MAC address, or
Protocol type of
Ethernet frame
Classifies MPLS packets based on their

EXP values, labels, or TTL values. This is
used for flow control.
Ethernet frame headerbased ACL
ACL Rule Sequence

A device configured with ACLs matches the received packets with the rules in an ACL.
Issue 02 (2013-12-31)

1950

Equipment
7 IP Services
The rule sequence in an ACL depends on ACL rule matching orders and ACL rule numbers.
Rule matching orders include the configuration order and the automatic order.
l
Automatic order: The system automatically allocates rule numbers, and places the most
precise rule in the front of the ACL based on the depth-first principle.
NOTE
ACL rules are arranged in sequence based on rule precision. For an ACL rule (where a protocol type,
a source IP address range, or a destination IP address range is specified), the stricter, the more precise.
For example, an ACL rule can be configured based on the wildcard of an IP address. The smaller the
wildcard, the smaller the specified network segment and the stricter the ACL rule.
If rules have the same precision, they are matched based on the configuration order.
Configuration order: The system arranges ACL rules based on the rules' configuration
order. The number of an ACL rule can be configured or automatically generated by the
system based on the ACL step.
ACL Step
An ACL step is the difference between two automatically allocated ACL rule numbers. Using
an ACL step, you can maintain ACL rules and add new ACL rules conveniently.
When an ACL step is changed, the rule numbers in an ACL will be automatically rearranged.
For example, the original rule numbers 5, 10, 15, and 20 will become 2, 4, 6, and 8 if you change
the ACL step to 2.
Unevenly distributed rule numbers will become evenly distributed if you set an ACL step. For
example, if the current ACL step is 5 and the rule numbers are 1, 3, 10, and 12, the rule numbers
will become 2, 4, 6, and 8 after you set the ACL step to 2.
7.4.2 Configuring a Basic ACL

A basic ACL defines rules based on packets' source IP addresses.

Before configuring a basic ACL, familiarize yourself with the applicable environment, complete
the pre-configuration tasks, and obtain the data required for the configuration. This will help
you complete the configuration task quickly and efficiently.
In network management, different types of packets need to be processed in different ways. For
example:
l
Allocate different bandwidths to voice, video, and data traffic to meet different
requirements on traffic forwarding delay. This allows network resources to be fully utilized
and ensures high reliability of each type of service.
Set different access rights for users based on the source IP addresses of the packets sent by
them. This is to ensure network reliability and security.
Filter routes advertised by routing devices to achieve route optimization and ensure network
security.
Issue 02 (2013-12-31)

1951

Equipment
7 IP Services
A basic ACL can manage traffic, control access rights, and filter routes by checking whether the
packets are the first packet fragments, or checking the packets' source IP addresses or VPNs.
Figure 7-6 shows the application of a basic ACL.
Figure 7-6 Application of a basic ACL
Network A
10.1.1.0/24
GE0/2/0 ATN A
Network B
10.1.2.0/24
Internet
Basic ACL enable
GE0/2/1
Network C
10.1.3.0/24
As shown in Figure 7-6, a basic ACL is created on ATN A to permit all packets sent from
Network A to the Internet and deny all packets sent from Network B and Network C to the
Internet.
Before creating a basic ACL, complete the following task:
l
Configuring link layer protocol parameters for interfaces to ensure that the link layer
protocol on the interfaces is Up
Data Preparation
To create a basic ACL, you need the following data.
Issue 02 (2013-12-31)
No.
Data
(Optional) Name of the time range in which the basic ACL takes effect, and the start
time and end time in the time range
Number, (optional) description, and (optional) step of the basic ACL

1952

Equipment
7 IP Services
No.
Data
Number of each rule in the basic ACL, source IP address of a packet, and VPN
instance to which the packet belongs
(Optional) Creating a Time Range in Which an ACL Rule Takes Effect

You can create a time range in which an ACL rule takes effect.
Context
A time range can be an absolute time range or a cycle time range.
l
cyclic.
After a time range is set, data traffic volumes and user access rights can be controlled in this
time range. For example, access rights of some users can be restricted at the peak time from 9:00
to 18:00 every day, allowing the important users to use their services more freely.
A created time range can be specified in the rule command. Creating a time range, however, is
optional. If you do not create a time range, an ACL rule will take effect immediately after being
configured.
Procedure
Step 1 Run:
system-view

Step 2 Run:
time-range time-name { start-time to end-time days | from time1 date1 [ to time2
date2 ] }
A time range is created.

l A maximum of 256 time ranges with different names can be created.
l In each time range (with a specific time-name), a maximum of 32 cycle time ranges and 12
absolute time ranges can be specified.
----End
Creating a Basic ACL

This section describes how to create an ACL with the number ranging from 2000 to 2999.
Context
Both a basic ACL and an advanced ACL can define rules based on packets' source IP addresses.
To define rules only based on source IP addresses, you can use a basic ACL. An advanced ACL
Issue 02 (2013-12-31)

1953

Equipment
7 IP Services
can define rules based on packets' protocol types, source/destination IP addresses, or source/
destination port numbers.
For details on the rules supported by each type of ACL, see ACL rules.
When creating a basic ACL, you can configure description for it so that other users can view
and quickly learn about the configuration of this ACL.
An ACL step is the difference between two automatically allocated ACL rule numbers (auto
configured in Step 2).
Procedure
Step 1 Run:
system-view

Step 2 Run:
acl { [ number ] acl-number | name acl-name [ basic ] [ number acl-number ] }
[ match-order { auto | config } ]
A basic ACL is created and the view of the basic ACL is displayed.
description text
The description is configured for the ACL.

The description cannot contain more than 127 characters.
step step
An ACL step is set.

Using the undo step command can restore the default ACL step (5) and rearrange ACL rule
numbers.
----End
Configuring a Basic ACL Rule

A basic ACL defines rules based on whether the packets are the first fragment, packets' source
IP addresses, or the VPNs to which the packets belong.
Context
When you configure a basic ACL:
l
If a specific source IP address is specified (source in Step 3), the system filters only packets
with this specified source IP address.
If all source IP addresses are specified (any in Step 3), the system will not check packets'
source IP addresses, but considers that all packets have matched the rule and directly takes
an action (deny or permit) on the packets.
Issue 02 (2013-12-31)

1954

Equipment
7 IP Services
NOTE
Adding a rule permit or rule deny rule following the other rules is recommended. If a packet has not
matched the other rules, the system will take the action specified in the added rule on the packet.
Procedure
Step 1 Run:
system-view

Step 2 Run:
acl { [ number ] acl-number1 | name acl-name [ advance | basic | ucl ] [ number aclnumber2 ] } [ match-order { auto | config } ]
The view of the basic ACL is displayed.

Step 3 Run:
vpn-instance-name ] *
A rule is configured for the basic ACL.

l Adding new rules to an ACL will not affect the existing rules.
l When an existing rule is edited and the edited contents conflict with the original contents,
the edited contents take effect.
----End
Applying a Basic ACL

Basic ACLs can be used in device management, routing policies, multicast packet filtering, and
QoS services.
Context
Table 7-2 describes the typical applications of basic ACLs.
Table 7-2 Typical applications of basic ACLs
Issue 02 (2013-12-31)
Typical
Application
Usage Scenario
Operation
Device
management
When a router functions

as an FTP or TFTP
server, you can configure
a basic ACL on the router
to allow only the clients
that match specific ACL
rules to access the server.
For details on how to configure FTP and

TFTP access control, see
l Configuring an FTP ACL
l Configuring TFTP Access Authority

1955

Equipment
Typical
Application
7 IP Services
Usage Scenario
Operation
You can configure a

basic ACL to restrict the
incoming or outgoing
calls on VTY user
interfaces.
For details on how to configure restriction

on incoming and outgoing calls on VTY user
interfaces, see Setting Restrictions for
Incoming and Outgoing Calls on VTY
User Interfaces.
You can also configure a

basic ACL to control the
NMS' right to access
devices.
For details on how to configure control on

the NMS' right to access devices, see
l Controlling the NM Station's Access
to the Device (by SNMPv1)
Multicast packet
filtering
To filter multicast
packets, you can
configure a basic ACL to
receive or forward only
the multicast packets that
match the ACL rules.
For details on how to configure a device to

filter multicast packets, see
l Configuring Filtering Rules Based on
Source Addresses
l Configuring the SSM Group Address
Range
l Configuring the BSR Address Range
l Configuring the Range of Valid C-RP
Addresses
Routing policies
To control the reception

and advertisement of
routing information on a
router, you can configure
a basic ACL on the router
to allow the router to
receive or advertise only
the routes that match the
ACL rules.

receive or advertise protocol-specific routes,
see
l Filtering Routes Advertised by OSPF
l Filtering Routes Received by OSPF
l Filtering Routes Advertised by RIP
l Filtering Routes Received by RIP
l Filtering Routes Advertised by IS-IS
l Filtering Routes Received by IS-IS
l Filtering Routes Advertised by BGP
l Filtering Routes Received by BGP
Issue 02 (2013-12-31)

1956

Equipment
7 IP Services
Typical
Application
Usage Scenario
Operation
QoS services
To process different
types of traffic, you can
configure a basic ACL to
perform traffic policing,
traffic shaping, or traffic
classification on the
traffic that matches the
ACL rules.
For details on how to configure traffic

policies for different types of traffic, see
Configuring a Traffic Policy Based on
Complex Traffic Classification
Typical Cases of Applying a Basic ACL

l
Cases of applying a basic ACL in device management

For example, a user configures a device as follows:
Configuring a basic ACL for FTP login
acl number 2001
rule 10 permit
ftp acl 2001
Matching result: Users with the IP address 192.168.2.100 are prohibited from logging
in to the device using FTP.
Configuring a basic ACL for Telnet login
acl number 2001
rule 10 deny
acl 2001 inbound
Matching result: Only users with the IP address 192.168.2.100 are allowed to log in to
the device using Telnet.
Configuring a basic ACL for SNMP login
acl number 2001
rule 10 permit
snmp-agent community read acl 2001
Matching result: Users with the IP address 192.168.2.100 are prohibited from logging
in to the device using SNMP.
l
Case of applying a basic ACL in multicast packet filtering

acl number 2001
pim
source-policy 2001
Matching result: The device permits multicast packets containing the source address
10.10.1.2 while discarding those containing the source address 10.10.1.1.
l
Cases of applying a basic ACL in routing policies

A routing policy of a routing protocol is used to filter routes.
Issue 02 (2013-12-31)

1957

Equipment
7 IP Services
ip route-static 1.1.1.0 255.255.255.0 NULL0

bgp 1
ipv4-family unicast
import-route static
route-policy test permit node 0
if-match acl 2001
acl number 2001
rule 10 deny source 1.1.1.0 0.0.0.255
Matching result: Routes from the network segments 1.1.1.0 and 192.168.2.0 are filtered
out, while the route 192.168.2.100 is permitted.
NOTE
l Routes from the network segments 1.1.1.0 are filtered out, because the action defined in the
ACL rule that the routes match is deny.
l Routes from the network segment 192.168.2.0 do not match any specified ACL rules. By
default, the device matches the routes with the last ACL rule. The action defined in the last
ACL rule is deny, and therefore the routes are filtered out.
l The route 192.168.2.100 is permitted, because the action defined in the ACL rule that the
route matches is permit and the action defined in the routing policy is also permit.
if-match acl 2001
apply cost 100
apply cost 200
acl number 2001
Matching result: The cost of the route 192.168.2.100 is changed to 100, while the costs
of other routes are changed to 200.
NOTE
In the preceding route-policy, permit is specified for node 0, the route 192.168.2.100/32 passes
the check by the if-match clause, and the device takes the action (apply cost 100) specified in
the apply clause. As a result, the cost of the route is changed to 100. The other routes do not pass
node 1 in the route-policy. As a result, the costs of these routes are changed to 200.
route-policy test deny node 0
if-match acl 2001
apply cost 100
apply cost 200
acl number 2001
Matching result: The cost of the route 192.168.2.100/32 is not changed to 100.
NOTE
In the preceding route-policy, deny is specified for node 0, the route 192.168.2.100/32 passes
the check by the if-match clause, and the device does not take the action (apply cost 100) specified
in the apply clause. As a result, the cost of the route is not changed to 100. The other routes do
not pass the check by the if-match clause, and the device takes the action (apply cost 200)
specified in node 1 in the route-policy. As a result, the costs of these routes are changed to 200.
A filtering policy of a routing protocol is used to filter routes.

Issue 02 (2013-12-31)

1958

Equipment
7 IP Services
bgp 1
ipv4-family unicast
filter-policy 2001 export
import-route static
acl number 2001
rule 10 deny source 1.1.1.0 0.0.0.255
NOTE
route matches is permit and the action defined in the filtering policy is export.
Cases of applying a basic ACL in QoS services

Configuring a basic ACL in firewall traffic behavior (packet filtering)
acl number 2001
rule 5 permit source 50.0.0.0 0.255.255.255
rule 10 deny source 60.0.0.0 0.255.255.255
traffic classifier acl
if-match acl 2001
traffic behavior test
deny
traffic policy test
classifier acl behavior test
traffic-policy test inbound
GE 1/0/1 receives the following packets:

Packet 1 with the source IP address 50.0.0.1/24
Matching result: Packets 1 and 2 are discarded but packet 3 is permitted.
Configuring a basic ACL in common traffic behavior
acl number 2001
rule 5 permit source 50.0.0.0 0.255.255.255
rule 10 deny source 60.0.0.0 0.255.255.255
if-match acl 2001
remark ip-precedence 7
traffic policy test

Packet 1 with the source IP address 50.0.0.1/24 and IP precedence 0
Issue 02 (2013-12-31)

1959

Equipment
7 IP Services

Matching result: Packet 1 is permitted, and its IP precedence is re-marked 7; packet 3
is permitted, and its IP precedence remains 0; packet 2 is discarded.

After a basic ACL is configured, you can view its configuration.
Prerequisites
The basic ACL has been configured.
Procedure
l
Run the display acl { acl-number | name acl-name | all } command to check the configured
ACL.
Run the display time-range { time-name | all } command to check the configured time
range.
----End
Example
After an ACL is successfully configured, run the display acl command to view the ACL number,
number of configured ACL rules, ACL step, ACL rule contents, and number of times that the
ACL rules are matched.
Basic ACL 2000, 1 rule
ACL's step is 5
Run the display time-range command to view the configuration and status of the time range.
<HUAWEI> display time-range all
Current time is 14:19:16 3-15-2011 Wednesday
Time-range : time1 ( Inactive )
10:00 to 12:00 daily
from 13:00 2011/4/1 to 23:59 2099/12/31
Time-range : active1 ( Active )
14:00 to 00:00 daily
7.4.3 Configuring an Advanced ACL

An advanced ACL defines rules based on packets' source IP addresses, destination IP addresses,
protocol types, source port numbers, or destination port numbers.

Before configuring an advanced ACL, familiarize yourself with the applicable environment,
will help you complete the configuration task quickly and efficiently.
Issue 02 (2013-12-31)

1960

Equipment
7 IP Services
example:
l
Filter packets of various protocols. For example, filter out ICMP packets to protect network
devices against ICMP packet attacks.
security.
Provide tailored services for different users based on their different service requirements.
An advanced ACL can manage traffic, control access rights, and filter routes by checking
whether the packets are the first packet fragments, or checking the packets' source IP addresses,
destination IP addresses, protocol types, source port numbers, destination port numbers, IP
DSCP values, IP precedence, IP ToS values, or VPNs to which packets belong. Figure 7-7 shows
the application of an advanced ACL.
Figure 7-7 Application of an advanced ACL
Network A
1.1.1.0/24
Network D
4.4.4.0/24
ICMP
packet
CX-A
CX-D
ATN
Network B
2.2.2.0/24
Network C
3.3.3.0/24
ICMP
packet
CX-B
CX-C
As shown in Figure 7-7, an advanced ACL is created on ATNto permit all ICMP packets sent
from ATN B to CX-D and deny all ICMP packets sent from CX-A to CX-C.
Before creating an advanced ACL, complete the following task:
l
Issue 02 (2013-12-31)
1961

Equipment
7 IP Services
Data Preparation
To create an advanced ACL, you need the following data.
No.
Data
(Optional) Name of the time range in which the advanced ACL takes effect, and the
start time and end time in the time range
Number, (optional) description, and (optional) step of the advanced ACL
Number of each rule in the advanced ACL, packet's source IP address, destination IP
address, protocol type, source port number, destination port number, IP DSCP value,
IP precedence, IP ToS value, or VPN instance to which the packet belongs
(Optional) Creating a Time Range in Which an ACL Rule Takes Effect

You can create a time range in which an ACL rule takes effect.
Context
l
cyclic.
optional. If you do not create a time range, an ACL rule will take effect immediately after being
configured.
Procedure
Step 1 Run:
system-view

Step 2 Run:
date2 ] }

----End
Issue 02 (2013-12-31)

1962

Equipment
7 IP Services
Creating an Advanced ACL

This section describes how to create a numbered ACL with the number ranging from 3000 to
3999, and a named ACL with the number ranging from 42768 to 75535.
Context
Compared with other types of ACLs, advanced ACLs provide richer rules for filtering packets
more flexibly.
An advanced ACL can define rules based on packets' protocol types, source/destination IP
addresses, or source/destination port numbers.
Advanced ACLs include numbered advanced ACLs and named advanced ACLs.
l
The number of a numbered advanced ACL ranges from 3000 to 3999.
The number of a named advanced ACL ranges from 42768 to 75535. By default, the system
automatically allocates numbers to named advanced ACLs. The functions of named ACLs
can be easily understood by their names, and the rules supported by named ACLs are the
same as those supported by numbered ACLs.
When creating an advanced ACL, you can configure description for it so that other users can
view and quickly learn about the configuration of this ACL.
An ACL step is the difference between two automatically allocated ACL rule numbers (auto
configured in Step 2).
Procedure
Step 1 Run:
system-view

Step 2 Run:
acl { [ number ] acl-number | name acl-name [ advance ] [ number acl-number ] }
An advanced ACL is created and the view of the advanced ACL is displayed.
description text

step step
An ACL step is set.

numbers.
----End
Issue 02 (2013-12-31)

1963

Equipment
7 IP Services
Configuring an Advanced ACL Rule

An advanced ACL defines rules based on packets' source IP addresses, destination IP addresses,
Context
When you configure an advanced ACL:
l
If a specific destination IP address (destination in Step 3), destination port number

(destination-port in Step 3), source IP address (source in Step 3), and source port number
(source-port in Step 3), the system filters only packets with the specified destination IP
address, destination port number, source IP address, and source port number.
If all destination IP addresses, destination port numbers, source IP addresses, and source
port numbers are specified (any in Step 3), the system will not check packets' destination
IP addresses, destination port numbers, source IP addresses, and source port numbers, and
considers that all packets have matched the rule and directly takes an action (deny or
permit) on the packets.
NOTE
Procedure
Step 1 Run:
system-view

Step 2 Run:
acl { [ number ] acl-number | name acl-name [ advance ] [ number acl-number ] }
The view of the advanced ACL is displayed.

l If protocol is TCP or UDP, run the following commands to create ACL rules.
rule [ rule-id ] { deny | permit } protocol [ [ dscp dscp | [ precedence precedence | tos
tos ] * ] | destination { destination-ip-address destination-wildcard | any } | destinationport operator port-number | fragment-type fragment-type-name | source { source-ipaddress source-wildcard | any } | source-port operator port | syn-flag { syn-flag |
established } | time-range time-name | vpn-instance vpn-instance-name ] *
rule [ rule-id ] { deny | permit } protocol [ [ dscp dscp | [ precedence precedence | tos
tos ] * ] | destination { destination-ip-address destination-wildcard | any } | destinationport operator port-number | fragment-type fragment-type-name | source { source-ipaddress source-wildcard | any } | source-port operator port | time-range time-name | vpninstance vpn-instance-name ] *
l If protocol is ICMP, run the following commands to create ACL rules.
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destinationwildcard | any } | fragment-type fragment-type-name | icmp-type { icmp-name | icmp-type
Issue 02 (2013-12-31)

1964

Equipment
7 IP Services
icmp-code } | source { source-ip-address source-wildcard | any } | time-range time-name |

vpn-instance vpn-instance-name | dscp dscp ] *
When protocol is other protocols, the command format of the advanced ACL is as follows:
l If protocol is a protocol that is not TCP, UDP, or ICMP, run the following commands to
create ACL rules.
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destinationwildcard | any } | fragment-type fragment-type-name | source { source-ip-address sourcewildcard | any } | time-range time-name | vpn-instance vpn-instance-name | dscp dscp ] *
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destinationwildcard | any } | fragment-type fragment-type-name | source { source-ip-address sourcewildcard | any } | time-range time-name | vpn-instance vpn-instance-name | precedence
precedence | tos tos ] *
l Different ACLs can be created based on different protocol types. The parameters specified
in the protocol-specific ACLs vary. For example, if the protocol type is TCP or UDP in an
ACL rule, [ source-port operator port ] and [ destination-port operator port ] can be
specified in the ACL rule. If the protocol type is not TCP or UDP in an ACL rule, neither
[ source-port operator port ] nor [ destination-port operator port ] can be specified in the
ACL rule.
----End
Applying an Advanced ACL

Advanced ACLs can be used in routing policies, multicast packet filtering, and QoS services.
Context
Table 7-3 describes the typical applications of advanced ACLs.
Table 7-3 Typical applications of advanced ACLs
Issue 02 (2013-12-31)
Typical
Application
Usage Scenario
Operation
Device management
To restrict the incoming or

outgoing calls on VTY user
interfaces, you can configure
an advanced ACL.
For details on how to configure

restriction on incoming and outgoing
calls on VTY user interfaces, see
Setting Restrictions for Incoming
and Outgoing Calls on VTY User
Interfaces.

1965

Equipment
7 IP Services
Typical
Application
Usage Scenario
Operation
Multicast packet
filtering
To filter multicast packets,

you can configure an
Advanced ACL to receive or
forward only the multicast
packets that match the ACL
rules.
For details on how to configure a

device to filter multicast packets, see
l Configuring Filtering Rules
Based on Source Addresses
l Configuring the SSM Group
Address Range
l Configuring the BSR Address
Range
l Configuring the Range of Valid
C-RP Addresses
Routing policies
To control the reception and

advertisement of routing
information on a router, you
can configure an Advanced
ACL on the router to allow the
router to receive or advertise
only the routes that match the
ACL rules.
For details on how to configure a

device to receive or advertise
protocol-specific routes, see
l Filtering Routes Advertised by
OSPF
l Filtering Routes Received by
OSPF
RIP
RIP
IS-IS
IS-IS
BGP
BGP
QoS services
To process different types of

traffic, you can configure an
Advanced ACL to perform
traffic policing, traffic
shaping, or traffic
classification on the traffic
that matches the ACL rules.

traffic policies for different types of
traffic, see Configuring a Traffic
Policy Based on Complex Traffic
Classification
Typical Cases of Applying an Advanced ACL

l
Cases of applying an advanced ACL in device management

acl number 3001
rule 5 permit ip source 192.168.2.100 0
Issue 02 (2013-12-31)

1966

Equipment
7 IP Services
rule 10 deny ip source any

acl 3001 inbound
Matching result: Only users with the IP address 192.168.2.100 are allowed to log in to the
device using Telnet.
l
Case of applying an advanced ACL in multicast packet filtering

acl number 3001
rule 10 deny ip source 10.10.1.1 0
pim
source-policy 3001
Matching result: The device permits multicast packets containing the source address
10.10.1.2 while discarding those containing the source address 10.10.1.1.
l
Cases of applying an advanced ACL in routing policies

A routing policy of a routing protocol is used to filter routes.
bgp 1
ipv4-family unicast
import-route static
if-match acl 3001
acl number 3001
rule 10 deny ip source 1.1.1.0 0.0.0.255
NOTE
route matches is permit and the action defined in the routing policy is also permit.
if-match acl 3001
apply cost 100
apply cost 200
acl number 3001
Matching result: The cost of the route 192.168.2.100 is changed to 100, while the costs
of other routes are changed to 200.
Issue 02 (2013-12-31)

1967

Equipment
7 IP Services
NOTE
In the preceding route-policy, permit is specified for node 0, the route 192.168.2.100/32 passes
the apply clause. As a result, the cost of the route is changed to 100. The other routes do not pass
node 1 in the route-policy. As a result, the costs of these routes are changed to 200.
route-policy test deny node 0
if-match acl 3001
apply cost 100
apply cost 200
acl number 3001
Matching result: The cost of the route 192.168.2.100/32 is not changed to 100.
NOTE
In the preceding route-policy, deny is specified for node 0, the route 192.168.2.100/32 passes
the check by the if-match clause, and the device does not take the action (apply cost 100) specified
in the apply clause. As a result, the cost of the route is not changed to 100. The other routes do
not pass the check by the if-match clause, and the device takes the action (apply cost 200)
specified in node 1 in the route-policy. As a result, the costs of these routes are changed to 200.
A filtering policy of a routing protocol is used to filter routes.

bgp 1
ipv4-family unicast
import-route static
acl number 3001
NOTE
route matches is permit and the action defined in the filtering policy is export.
Cases of applying an advanced ACL in QoS services

Configuring an advanced ACL in firewall traffic behavior (packet filtering)
acl number 3000
rule 5 permit tcp destination-port eq domain
rule 10 permit udp destination-port eq dns
rule 15 permit icmp icmp-type echo
rule 20 permit icmp icmp-type echo-reply
if-match acl 3000
permit
Issue 02 (2013-12-31)

1968

Equipment
7 IP Services
traffic policy test

Matching result: DNS Echo, DNS Echo Reply, ICMP Echo, and ICMP Echo Reply
packets are permitted.
acl number 3000
rule 5 permit ip source 10.108.0.0 0.0.0.255
if-match acl 3000
permit
traffic policy test
Matching result: IP packets from the network segment 10.108.0.0/24 are permitted,
while those from the network segment 10.108.0.0/16 are denied.
acl number 3000
rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0
0.0.0.255 destination-port eq www
if-match acl 3000
permit
traffic policy test
Matching result: Hosts in the 129.9.0.0 network segment are permitted to send WWW
packets to hosts in the 202.38.160.0 network segment.
time-range no-http 08:00 to 16:00 working-day
acl number 3000
rule 5 deny tcp source-port eq www time-range no-http
rule 10 deny tcp destination-port eq www time-range no-http
if-match acl 3000
permit
traffic policy test
Matching result: HTTP packets are denied from 8:00 am to 6:00 pm Monday through
Friday.
acl number 3000
rule 5 permit tcp syn-flag 16
rule 10 permit tcp syn-flag 4
if-match acl 3000
permit
traffic policy test
Matching result: TCP packets are permitted.

Configuring an advanced ACL in common traffic behavior
acl number 3001
rule 5 permit ip source 50.0.0.0 0.255.255.255
Issue 02 (2013-12-31)

1969

Equipment
7 IP Services

if-match acl 3001
remark ip-precedence 7
traffic policy test

Matching result: Packet 1 is permitted, and its IP precedence is re-marked 7; packet 3
is permitted, and its IP precedence remains 0; packet 2 is discarded.

After an advanced ACL is configured, you can view its configuration.
Prerequisites
The advanced ACL has been configured.
Procedure
l
Run the display acl { acl-number | all | name acl-name } command to check the configured
ACL.
range.
----End
Example
Advanced ACL 3000, 1 rule
ACL's step is 5
rule 5 deny ip source 10.1.1.1 0 (5 times matched)
10:00 to 12:00 daily
from 13:00 2006/4/1 to 23:59 2099/12/31
14:00 to 00:00 daily
Issue 02 (2013-12-31)

1970

Equipment
7 IP Services
7.4.4 Configuring an Ethernet Frame Header-based ACL

An ethernet frame header-based ACL defines rules according to the source MAC address,
destination MAC address, and the protocol type, in order to match and filter packets.
Before You Start

Before configuring an Ethernet frame header-based ACL, familiarize yourself with the usage
Usage Scenario
example:
l
An Ethernet frame header-based ACL defines rules according to the source MAC address,
destination MAC address, and the protocol type, in order to match and filter packets. Figure
7-8 shows the application of an Ethernet frame header-based ACL.
Figure 7-8 Application of an Ethernet frame header-based ACL
MAC Address:1-1-1
Router A
Network A
Router D
Router C
Network C
Network B
Router B
Ethernet Frame
Head-based ACL
enable
MAC Address:2-1-1
As shown in Figure 7-8, an Ethernet frame header-based ACL is created on ATND to deny all
the packets sent from a host of Network A with the MAC address of 1-1-1 to Network C, and
permit all the packets sent from a host of Network B with the MAC address of 2-2-2 to Network
C.
Issue 02 (2013-12-31)

1971

Equipment
7 IP Services
Before configuring an Ethernet frame header-based ACL, complete the following tasks:
l
Configuring the parameters of the link layer protocol for interfaces to ensure that the link
layer protocol status of the interfaces is Up
Data Preparation
To create an Ethernet frame header-based ACL, you need the following data.
No
Data
Number, (optional) description, and (optional) step of the Ethernet frame headerbased ACL
Number of each rule in the Ethernet frame header-based ACL, packet's source MAC
address, destination MAC address, protocol type of Ethernet frames, 802.1p priority
Creating an Ethernet Frame Header-based ACL

This section describes how to create an ACL with the number ranging from 4000 to 4999.
Context
An Ethernet frame header-based ACL defines rules according to the source MAC address,
destination MAC address, and the protocol type, in order to match and filter packets.
Procedure
Step 1 Run:
system-view

Step 2 Run:
acl
[ number ] acl-number [ match-order { auto | config } ]
An Ethernet frame header-based ACL is created and the view of the Ethernet frame header-based
ACL is displayed.
description text

step step
An ACL step is set.

Issue 02 (2013-12-31)

1972

Equipment
7 IP Services
numbers.
----End
Configuring Rules for an Ethernet Frame Header-based ACL

The rules in an ethernet frame header-based ACL are defined according to the information of
ethernet frame header, and are used to filter packets.
Context
When you configure an Ethernet Frame Header-based ACL:
l
If a specific destination protocol type of Ethernet frames (type in Step 3), source MAC
address (source-mac in Step 3), destination MAC address (dest-mac in Step 3), the system
filters only packets with the specified protocol type, source MAC address, and destination
MAC address.
NOTE
Procedure
Step 1 Run:
system-view

Step 2 Run:
acl [ number ] acl-number
An Ethernet Frame Header-based ACL is created and the view of the Ethernet Frame Headerbased ACL is displayed.
Step 3 Run:
rule [ rule-id ] { deny | permit } [ type type type-mask | source-mac source-mac
sourcemac-mask | dest-mac dest-mac destmac-mask | 8021p 8021p-value | 8021p-inner
8021p-inner-value ] *
An Ethernet Frame Header-based ACL rule is configured.

----End
Applying an Ethernet Frame Header-based ACL

Ethernet Frame Header-based ACL can be used in QoS services.
Context
Table 7-4 describes the typical applications of Ethernet frame header-based ACLs.
Issue 02 (2013-12-31)

1973

Equipment
7 IP Services
Table 7-4 Typical applications of Ethernet frame header-based ACLs

Typical Application
Usage Scenario
Operation
QoS services
To process different types

of traffic, you can configure
Ethernet frame headerbased ACLs to perform
traffic policing, traffic
shaping, or traffic
classification on the traffic
that matches the ACL rules.

traffic policies for different types
of traffic, see Configuring a
Traffic Policy Based on
Typical Cases of Applying an Ethernet Frame Header-based ACL

Cases of applying an Ethernet frame header-based ACL in QoS services
l
Configuring an Ethernet frame header-based ACL in firewall traffic behavior (packet

filtering)
acl number 4001
rule permit 8021p 3 source-mac 1-1-1 ffff-ffff-ffff
rule 10 deny
if-match acl 4001
permit
traffic policy test
Matching result: Only VLAN packets with the 802.1p priority 3 in the outer VLAN tag,
source MAC address 1-1-1, and source MAC address mask ffff-ffff-ffff are permitted.
l
Configuring an Ethernet frame header-based ACL in common traffic behavior

acl number 4001
rule permit 8021p 3 source-mac 1-1-1 ffff-ffff-ffff
rule 10 deny
if-match acl 4001
remark 8021p 7
traffic policy test
Matching result: Only VLAN packets with the 802.1p priority 3 in the outer VLAN tag,
source MAC address 1-1-1, and source MAC address mask ffff-ffff-ffff are permitted, and
the packets' 802.1p priority is re-marked 7.

Prerequisites
The Ethernet Frame Header-based ACL has been configured.
Issue 02 (2013-12-31)

1974

Equipment
7 IP Services
Procedure
l
Run the display acl { acl-number | all } command to check the configured ACL.
----End
Example
Ethernet frame ACL 4000, 2 rules
ACL's step is 5
rule 5 deny source-mac 0000-0000-0000 0002-0002-0002 dest-mac 0002-0002-0002
0003-0003-0003
rule 10 deny type 0200 0222 dest-mac 0000-0000-0000 0002-0002-0002
7.4.5 Maintaining an ACL

This section describes how to reset ACL statistics and monitor the ACL status.
Resetting ACL Statistics

This section describes how to reset ACL statistics using a reset command.
Context
NOTICE
ACL statistics cannot be restored after being cleared. Exercise caution when running a reset
command.
Procedure
Step 1 Run the reset acl counter { acl-number | name acl-name | all } command in the user view to
reset ACL statistics.
----End
Monitoring the ACL Status

This section describes how to monitor the ACL status using display commands.
Context
In routine maintenance, run the following commands in any view to view the ACL status.
Issue 02 (2013-12-31)

1975

Equipment
7 IP Services
Procedure
l
Run the display acl { acl-number | name acl-name | all } command to view the ACL status.
Run the display time-range { time-name | all } command to view the time range status.
----End

These configuration examples provide networking requirements, configuration roadmap, and
data preparation.
Example for Configuring an Advanced ACL to Defend Against Attacks

This section provides an example showing how to configure an advanced ACL to defend against
attacks.
As shown in Figure 7-9, ATN A, CX- B, and CX- C are access ATN s, whereas CX- D, CXE, and CX- F are core ATN s. The access ATNs are connected to the core ATNs through 10
Gbit/s interfaces. Voice and 3G services are provided on the network. To control user access
and ensure network and device security, security policies need to be configured on the access
ATN s to prevent ICMP packet attacks.
As shown in Figure 7-9, an advanced ACL is configured on ATN A. When the attacker (NodeB)
attacks the network, ATN A can use the configured advanced ACL to prevent the ICMP packet
attacks.
Figure 7-9 Networking diagram for configuring an advanced ACL to defend against attacks
Internet
GE1/0/0
CX-C
CX-D
CX-B
ATN A
GE1/0/0
GE1/0/0
Internet
Internet
CX-F
GE0/2/0
172.16.1.1/24
CX-E
NodeB
(Attacker)
Issue 02 (2013-12-31)

1976

Equipment
7 IP Services
1.
Set passwords for users to log in to a device using the NMS and CLI to improve login
security.
2.
Record all information about unsuccessful logins in a log file and output log information
to the console interface for network administrators to check the login information.
3.
Configure an advanced ACL on ATN A and apply the advanced ACL to QoS services to
defend against ICMP packet attacks.
Data Preparation
l
Password for users to log in to a device using the NMS and CLI
Number of the advanced ACL
Procedure
Step 1 Configure an IP address for each interface. For detailed configurations, see "Configuration
Files."
Step 2 Set a password for users to log in to a device using the NMS and CLI.
<ATNA> system-view
[ATNA] user-interface console 0
[ATNA-ui-con0] shell
[ATNA-ui-con0] authentication mode password
[ATNA-ui-con0] set authentication password cipher huawei
[ATNA-ui-con0] idle-timeout 30 0
[ATNA-ui-con0] quit
[ATNA] user-interface maximum-vty 15
[ATNA] user-interface vty 5 14
[ATNA-ui-vty5-14] shell
[ATNA-ui-vty5-14] authentication mode password
[ATNA-ui-vty5-14] set authentication password cipher huawei
[ATNA-ui-vty5-14] idle-timeout 30 0
[ATNA-ui-vty5-14] quit
NOTE
The configurations on all access ATNs are similar. The configuration on ATN A is used as an example.
Step 3 Record all information about unsuccessful logins in a log file and output log information to the
console.
[ATNA]
[ATNA]
[ATNA]
[ATNA]
<ATNA>
info-center enable
info-center source default channel 9 log level warnings
info-center logfile channel channel9
quit
terminal logging
Step 4 Configure an advanced ACL on ATN A and apply the advanced ACL to QoS services to defend
against ICMP packet attacks.
<ATNA> system-view
[ATNA] acl number 3001
[ATNA-acl-adv-3001] description anti-virus
[ATNA-acl-adv-3001] rule 5 deny icmp
[ATNA-acl-adv-3001] quit
[ATNA] traffic classifier anti-virus
[ATNA-classifier-anti-virus] if-match acl 3001
[ATNA-classifier-anti-virus] quit
[ATNA] traffic behavior anti-virus
Issue 02 (2013-12-31)

1977

Equipment
7 IP Services
[ATNA-behavior-anti-virus] quit
[ATNA] traffic policy anti-virus
[ATNA-trafficpolicy-anti-virus] classifier anti-virus behavior anti-virus
[ATNA-trafficpolicy-anti-virus] quit
[ATNA-GigabitEthernet0/2/0] traffic-policy anti-virus inbound
[ATNA-GigabitEthernet0/2/0] traffic-policy anti-virus outbound
Step 5 Verify the Configuration.

# Ping ATN A on the NodeB. The ping fails.
c:\>
Pinging 172.16.1.1 with 32 bytes of data:
Request
Request
Request
Request
timed
timed
timed
timed
out.
out.
out.
out.
Ping statistics for 172.16.1.1:

Pacets: Sent = 4, Received = 0, Lost = 4 <100% loss>,
# Delete the advanced ACL on ATN A. The ping succeeds.

c:\>
Pinging 172.16.1.1 with 32 bytes of data:
Reply
Reply
Reply
Reply
from
from
from
from
172.16.1.1:
172.16.1.1:
172.16.1.1:
172.16.1.1:
bytes=32
bytes=32
bytes=32
bytes=32
time<1ms
time<1ms
time<1ms
time<1ms
TTL=128
TTL=128
TTL=128
TTL=128
Ping statistics for 172.16.1.1:

Pacets: Sent = 4, Received = 4, Lost = 0 <0% loss>,
Approximate round trip times in mill-seconds:
Minimum = 0ms, Maximum = 0 ms, Average = 0ms
----End
Configuration Files
NOTE
Only the configuration file of ATN A is provided here.
#
sysname ATNA
#
info-center source default channel 9 log level warning
#
acl number 3001
description anti-virus
rule 5 deny icmp
#
traffic classifier anti-virus
if-match acl 3001
#
traffic behavior anti-virus
#
traffic policy anti-virus
classifier anti-virus behavior anti-virus
#
undo shutdown
traffic-policy anti-virus inbound
Issue 02 (2013-12-31)

1978

Equipment
7 IP Services
traffic-policy anti-virus outbound

#
set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
idle-timeout 30 0
set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
idle-timeout 30 0
#
return
7.5 Basic IPv6 Configuration

The IPv6 protocol stack is a support for routing protocols and application protocols on an IPv6
network.
7.5.1 Basic IPv6 Overview

Internet Protocol version 6 (IPv6) is a proposed next generation for the Internet Protocol, which
was introduced by the Internet Engineering Task Force (IETF) and formerly known as IPng.
Introduction
IPv6 is an upgraded version of IPv4 and solves many problems with IPv4.
Internet Protocol Version 6 (IPv6), also called IP Next Generation (IPng), is the standard network
protocol of the second generation. It is a set of specifications designed by the Internet
Engineering Task Force (IETF). IPv6 is the upgraded version of IPv4. The most remarkable
difference between IPv6 and IPv4 is that the IP address lengthens from 32 bits to 128 bits.
IPv6 Supported by the ATN

The basic functions of IPv6 include IPv6 address configuration, IPv6 neighbor discovery, router
advertisement, ICMPv6 packet control, and Path MTU (PMTU) configuration. The IPv6
protocol stack is a support for routing protocols and application protocols.
The ATN supports the IPv6 protocol suite and TCP6 protocol suite.
ATN supports IPv6 on the following interfaces:
l
Ethernet interfaces and sub-interfaces
Loopback interfaces
Eth-Trunk interfaces, Eth-Trunk sub-interfaces
VLANIF interfaces
IPv6 Address
A 128-bit IPv6 address has the following formats:
l
Issue 02 (2013-12-31)
X:X:X:X:X:X:X:X
1979

Equipment
7 IP Services
In this format, a 128-bit IP address is divided into eight groups. The 16 bits of each group
are represented by four hexadecimal characters, that is, 0 to 9, and A to F. The groups are
separated by colons. Every "X" represents a group of hexadecimal values.
l
X:X:X:X:X:X:d.d.d.d
This format is for the following types of addresses:
IPv4-compatible IPv6 address
IPv4-mapped IPv6 address
In this type of address, "X" represents the first six groups of numbers. Each "X" stands for
16 bits that are represented by hexadecimal numbers. "d" represents the subsequent four
groups of numbers. Each "d" stands for eight bits that are represented by decimal numbers.
"d.d.d.d" is a standard IPv4 address.
An IPv6 address can be divided into two parts:

l
Network prefix: equals the network ID of an IPv4 address. It is of n bits.
Interface identifier: equals the host ID in an IPv4 address. It is of 128-n bits.
Selection of Source and Destination Addresses

When network administrators need to specify or plan a source and a destination addresses, they
can define a group of address selection rules. An address selection policy table can be created
based on these rules. Similar to a routing table, this table can be queried based on the longest
match rule. The address is selected based on a source and a destination addresses.
IPv6 Neighbor Discovery

The IPv6 neighbor discovery (ND) is a group of messages and processes that define the
relationship between neighboring nodes. ND replaces the Address Resolution Protocol (ARP)
messages and the Internet Control Message Protocol (ICMP) device discovery messages. It also
provides additional functions.
IPv6 SEND
The SEcure Neighbor Discovery (SEND) protocol is a security extension of the Neighbor
Discovery Protocol (NDP) in IPv6.
IPv6 PMTU
Generally, the problem that different networks have different Maximum Transmission Units
(MTU) can be solved in the following ways:
l
Devices fragment packets as required. The source host only needs to fragment packets;
however, the intermediate ATN not only needs to fragment packets, but also to reassemble
packets.
The source host sends packets based on a proper MTU so that packets do not need to be
fragmented on the intermediate ATN. In such a case, packet processing burden on the
intermediate ATN can be reduced. During IPv6 packet transmission, only this way can be
adopted because IPv6 intermediate ATNs do not support packet fragmentation.
The Path MTU (PMTU) Discovery mechanism aims at finding a proper MTU value on the path
from the source to the destination.
Issue 02 (2013-12-31)

1980

Equipment
7 IP Services
IPv6 FIB
Connecting network topologies of different types needs the configuration of different routing
protocols. This brings about Routing Information Base (RIB). The RIB is a base of the
Forwarding Information Base (FIB). Guided by route management policies, a device extracts a
minimum of necessary forwarding information from RIB and adds the information to the FIB.
Through the route management module, you can also add static routes into the FIB.
A FIB contains a group of minimum information needed by a device during packet forwarding.
An FIB entry usually contains the destination address, prefix length, transport port, next-hop
address, route flag, and time stamp. A device forwards packets according to FIB entries.
The FIB mechanism consists of two parts: FIB agent (used on the control plane) and FIB
container (used on the forwarding plane). A FIB agent is responsible for interacting with the
Route Management(RM) module for delivering FIB entries to the forwarding engine, and to the
I/O board in a distributed system.
A FIB contains the following information:
l
Destination address: indicates the network or host a packet is destined for.
Prefix length: indicates the length of the destination address prefix. From the prefix length,
you can infer that the destination address is a network address or a host address.
Nexthop: indicates the address of the close next hop through which the packet reaches the
destination.
Flag(s): identifies route features.
Interface: indicates the outgoing interface of the packet.
Timestamp: Indicates the time when an FIB entry is established.
Tunnel ID: Indicates the ID of VPN Tunnel.
7.5.2 Configuring an IPv6 Address for an Interface

Assigning an IPv6 address to a device on a network enables the device to communicate with the
other devices on the network.
Before You Start

configuration procedure for assigning an IPv6 address to an interface.
Usage Scenario
When a device communicates with an IPv6 device, you need to configure IPv6 address for the
interface. The ATN supports configuring IPv6 addresses for the following interfaces:
Up to 10 global unicast addresses and one link-local address can be configured for an interface.
The link-local address is used in ND, and in the communication between nodes on the local link
in the stateless address auto-configuration. The packets using the link-local address as the source
or destination address are not forwarded to other links.
The link-local address can be automatically generated or manually configured. After being
enabled with automatic address generation capability, the system automatically generates a linkIssue 02 (2013-12-31)

1981

Equipment
7 IP Services
local address. The link-local address configured manually must be a valid link-local address
(FE80::/10).
It is recommended to automatically generate a link-local address because the link-local address
is used only for the communication between link-local nodes. Commonly, it is used to implement
communication requirements of protocol and is not directly related to the communication
between users.
The global unicast address is equivalent to the IPv4 public address. It is used for data forwarding
across the public network, which is necessary for the communication between users.
An EUI-64 address has the same function as a global unicast address. The difference is that only
the network bits need to be specified for the EUI-64 address and the host bits are transformed
from the MAC addresses of the interface while a complete 128-bit address need to be specified
for the global unicast address. Note that the prefix length of the network bits in an EUI-64 address
must not be longer than 64 bits.
The EUI-64 address and the global unicast address can be configured simultaneously or
alternatively. However, the IP addresses configured for one interface cannot be in the same
network segment.
Before configuring IPv6 addresses, complete the following tasks:
l
Configuring the physical features of the interface and ensuring that the status of the physical
layer of the interface is Up
Data Preparation
To configure IPv6 addresses for an interface, you need the following data.
No.
Data
Link-local address configured manually
Global unicast address and prefix length
Enabling IPv6 Packet Forwarding Capability

You can perform other IPv6 configurations on an interface only when IPv6 is enabled in the
interface view. To enable IPv6 packet forwarding on an interface, you must configure IPv6 in
the system view.
Context
To enable a device to forward IPv6 packets, you must enable the IPv6 capability in both the
system view and the interface view. This is because:
Issue 02 (2013-12-31)

1982

Equipment
7 IP Services
If you run the ipv6 command only in the system view, only the IPv6 packet forwarding
capability is enabled on a device. The IPv6 function, however, is not enabled on the interface
and hence you cannot perform any IPv6 configurations.
If you run the ipv6 enable command only in the interface view, the IPv6 capability is
enabled only on an interface. Therefore, the device cannot forward IPv6 data.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ipv6
The IPv6 packet forwarding capability is enabled.

By default, the IPv6 packet forwarding capability is disabled.
To enable a device to forward IPv6 packets, you must run this command in the system view;
otherwise, the device cannot forward IPv6 packets although you enable IPv6 on the interface.
Step 3 Run:
The view of the interface to be enabled with the IPv6 capability is displayed.
Step 4 Run:
ipv6 enable
The IPv6 capability is enabled on the interface.

Before performing IPv6 configurations in the interface view, you must enable the IPv6 capability
in the interface view.
By default, the IPv6 capability is disabled on the interface.
----End
Configuring an IPv6 Link-Local Address for an Interface

The local address of a link is used in the neighbor discovery protocol, and in the communications
between nodes on the local end of the link in stateless address auto-configuration. The local
address of a link is valid only for the link. A packet with a link-local address as the source or
destination address is forwarded only along the local link.
Procedure
Step 1 Run:
system-view

Step 2 Run:
Issue 02 (2013-12-31)

1983

Equipment
7 IP Services
The view of Layer 3 interface (such as VLANIF, loopback, or tunnel interface) is displayed.
Step 3 Perform the following as required.
Run:
ipv6 address auto link-local
Auto generation of the IPv6 link-local address is enabled.

Or
Run:
ipv6 address ipv6-address link-local
The IPv6 link-local address is manually configured.

Besides configuring a link-local address through the preceding two commands, you can also
configure a global unicast IPv6 address for auto generating a link-local address. For details, see
Configuring an IPv6 Global Unicast Address for an Interface.
----End
Configuring an IPv6 Global Unicast Address for an Interface

A global unicast IP address is equal to an Internet IPv4 address and can be used for links whose
route prefixes can be aggregated. In this manner, routing entries can be reduced.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } or ipv6
address { ipv6-address prefix-length | ipv6-address/prefix-length } eui-64
The global unicast address is configured on the interface.

----End

You can view the configuration of the IPv6 address for an interface.
Prerequisites
The IPv6 addresses have been configured.
Issue 02 (2013-12-31)

1984

Equipment
7 IP Services
Procedure
l
Run the display ipv6 interface [ interface-type interface-number | brief ] command to

check the IPv6 information of an interface.
Run the display ipv6 statistics [ slot slot-id | interface interface-type interface-number ]
command to check the IPv6 packet statistics.
----End
Example
Run the display ipv6 interface command. If the IPv6 address of the interface is displayed, it
means that the configuration succeeds. For example:
<HUAWEI> display ipv6 interface gigabitethernet 0/2/0
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::200:1FF:FE04:5D00
Global unicast address(es):
2001::1, subnet is 2001::/64
Joined group address(es):
FF02::1:FF00:1
FF02::1:FF04:5D00
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
Run the display ipv6 interface command. If the configured IPv6 address and interface status
are displayed, it means that the configuration succeeds.
<HUAWEI> display ipv6 interface brief
(l): loopback
(s): spoofing
Interface
Physical
up
[IPv6 Address] 2030::101:101
up
[IPv6 Address] 2001::1
LoopBack0
up
[IPv6 Address] Unassigned
Protocol
up
up
up(s)
Run the display ipv6 statistics command. If the statistics on IPv6 packets is displayed, it means
that the configuration succeeds.
<HUAWEI> display ipv6 statistics
IPv6 Protocol:
Sent packets:
Total
Local sent out
Raw packets
Fragmented
Fragments failed
:
:
:
:
:
3630
3630
0
0
0
Received packets:
Total
: 3630
Hop count exceeded : 0
Too big
: 0
Issue 02 (2013-12-31)
Forwarded
Discarded
Fragments
Multicast
:
:
:
:
Local host
Header error
Routing failed
: 3630
: 0
: 0

0
0
0
0
1985

Equipment
Address error
Truncated
Fragments
Reassembly timeout
Fragments overlap
:
:
:
:
:
0
0
0
0
0
7 IP Services
Protocol error
Option error
Reassembled
Multicast
:
:
:
:
0
0
0
0
7.5.3 Configuring an IPv6 Address Selection Policy Table

If multiple addresses are configured on an interface of the device, the IPv6 address selection
policy table can be used to select source and destination addresses for packets.
Usage Scenario
IPv6 addresses can be classified into different types based on different applications.
l
Link local addresses and global unicast addresses based on the effective range of the IPv6
addresses
Temporary addresses and public addresses based on security levels
Home addresses and care-of addresses based on the application in the mobile IPv6 field
Physical interface addresses and logical interface addresses based on the interface attributes
The preceding IPv6 addresses can be configured on the same interface of the ATN. In this case,
the device must select a source address or a destination addresses from multiple addresses on
the interface. If the device supports the IPv4/IPv6 dual-stack, it also must select IPv4 addresses
or IPv6 addresses for communication. For example, if a domain name maps both an IPv4 address
and an IPv6 address, the system must select an address to respond to the DNS request of the
client.
An IPv6 address selection policy table solves the preceding problems. It defines a group of
address selection rules. The source and destination addresses of packets can be specified or
planned based on these rules. This table, similar to a routing table, can be queried by using the
longest matching rule. The address is selected based on the source and destination addresses.
l
The label parameter can be used to determine the result of source address selection. The
address whose label value is the same as the label value of the destination address is selected
preferably as the source address.
The destination address is selected based on both the label and the precedence parameters.
If label values of the candidate addresses are the same, the address whose precedence value
is largest is selected preferably as the destination address.
None.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ipv6 address-policy [ vpn-instance vpn-instance-name ] ipv6-address prefix-length
precedence label
Issue 02 (2013-12-31)

1986

Equipment
7 IP Services
The source or destination address selection policies are configured.

By default, only default address selection policy entries are contained. These entries are prefixed
with ::1, ::, 2002::, FC00::, and ::ffff:0:0.
A maximum of 50 address selection policy entries are supported by the system.
----End

l
Run the display ipv6 address-policy [ vpn-instance vpn-instance-name ] { all | ipv6address prefix-length } command to check address selection policy entries.
Run the display ipv6 address-policy all command, and you can check all address selection
policy entries, including the default address selection policy entries and the address selection
policy entry configured by ipv6 address-policy command whose prefix is 3::.
<HUAWEI> display ipv6 address-policy all
Policy Table :
Total:6
------------------------------------------------------------------------------Prefix
: ::
PrefixLength : 0
Precedence : 40
Label
: 1
Default
: Yes
Prefix
: ::1
Precedence : 50
Default
: Yes
PrefixLength
Label
: 128
: 0
Prefix
: ::FFFF:0.0.0.0
Precedence : 10
Default
: Yes
PrefixLength
Label
: 96
: 4
Prefix
: 3::
Precedence : 40
Default
: No
PrefixLength
Label
: 64
: 20
Prefix
: 2002::
Precedence : 30
Default
: Yes
PrefixLength
Label
: 16
: 2
Prefix
: FC00::
Precedence : 20
Default
: Yes
PrefixLength
Label
: 7
: 3
-------------------------------------------------------------------------------
7.5.4 Configuring IPv6 Neighbor Discovery

IPv6 neighbor discovery (ND) is a packet transmission process to identify the relationship
between neighboring nodes. The Neighbor Discovery Protocol (NDP) replaces the Address
Resolution Protocol (ARP), ICMP Router Discovery messages, and ICMP Redirect messages,
and introduces neighbor reachability detection.
Before You Start

configuration procedure for IPv6 neighbor discovery.
Issue 02 (2013-12-31)

1987

Equipment
7 IP Services
Usage Scenario
After an IPv6 address is configured for a node, the node checks whether this address can be used
and does not conflict with any other address. If a node is a host, a router needs to notify the host
of the optimal next hop address of a packet to be sent by the host to a specific destination. If a
node is a router, it needs to advertise its address, address prefix, and other configuration
parameters to instruct hosts to configure parameters. During IPv6 packet forwarding, a node
needs to know the neighboring nodes' link-layer addresses and check their reachability. The
Neighbor Discovery (ND) function can be used to meet the requirements.
Most of the ND configurations are implemented based on the interfaces.
The IPv6 ND configuration is supported on the following interfaces:
l
GigabitEthernet interfaces and their sub-interfaces
Loopback interfaces
Eth-Trunk interfaces, Eth-Trunk sub-interfaces, and IP-Trunk interfaces
VLANIF interfaces
Before configuring IPv6 neighbor discovery, complete the following tasks:
l
Configuring the physical features for the interface and ensuring that the status of the
Configuring link layer parameters for the interface
Configuring the IPv6 address for the interface
Data Preparation
To configure IPv6 neighbor discovery, you need the following data.
Issue 02 (2013-12-31)
No.
Data
Number of interfaces which need to be configured with IPv6 ND
IPv6 address and MAC address of the static neighbor
Intervals, prefix, and life duration of Router Advertisement(RA) messages
Flag bit of automatic configuration
Hop limit of ND
Sending times of Duplicate Address Detection(DAD)
Intervals for re-transmitting Neighbor Solicitation(NS) messages
Neighbor Unreachability Detection(NUD) reachable time
Interface MTU

1988

Equipment
7 IP Services
Configuring Static Neighbors

By configuring a static neighbor, you can obtain the mapping of the IPv6 address and MAC
address of the neighbor.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run one of the following commands as required:
l To configure a static neighbor entry on a common Layer 3 interface, run the ipv6
neighbor ipv6-address mac-address command.
l To configure a static neighbor entry on a VLANIF interface, run the ipv6 neighbor ipv6address mac-address vid vlan-id interface-type interface-number command.
l To configure a static neighbor entry on a sub-interface for QinQ VLAN tag termination, run
the ipv6 neighbor ipv6-address mac-address vid vid [ cevid cevid ] command.
NOTE
If an interface is configured with dynamic QinQ, you cannot configure a static neighbor entry on it.
Static neighbors can be configured for interfaces and their sub-interfaces. You can configure up
to 300 neighbors on each interface.
----End
Enabling RA Message Advertising

After being enabled with ATN advertisement, the device can send router advertisement
messages, providing prefixes for hosts.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
(Optional)undo ipv6 nd ra halt
The function of advertising Router Advertisement(RA) messages is enabled.

----End
Issue 02 (2013-12-31)

1989

Equipment
7 IP Services
Setting the Interval for Advertising RA Messages

The device periodically sends router advertisement messages containing information such as
prefixes and flag bits.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ipv6 nd ra { max-interval maximum-interval | min-interval minimum-interval }
The interval for advertising Router Advertisement(RA) messages is configured.

By default, the maximum interval is 600 seconds, and the minimum interval is 200 seconds.
The maximum interval cannot be shorter than the minimum interval.
When the maximum interval is less than 9 seconds, the minimum interval is set to the same value
as the maximum interval.
----End
Configuring the Address Prefixes to Be Advertised

Nodes of the local links can perform address auto-configuration by using prefixes of these
addresses.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ipv6 nd ra prefix { ipv6-address ipv6-prefix-length | ipv6-prefix/ipv6-prefixlength } valid-lifetime preferred-lifetime [ no-autoconfig ] [ off-link ]
The prefix of Router Advertisement(RA) messages is configured.

----End
Issue 02 (2013-12-31)

1990

Equipment
7 IP Services
Configuring Other Information to Be Advertised

A router advertisement message carries information such as the maximum number of hops,
prefix option, neighbor hold time, and keepalive time.
Context
Duplicate Address Detect (DAD) is a process of IPv6 automatic address configuration. You can
configure the number of DAD messages which are sent continuously.
Set the interval of sending Neighbor Solicitation (NS) messages on the device. By default, NS
re-transmitting time interval is 1000ms.
Neighbor Unreachability Detection (NUD) checks the reachability of neighbors. By default,
NUD value is 30000ms.
The MTU of the interface determines whether to fragment IP packets on the interface. Default
MTUs vary with interface types. The MTU on an GigabitEthernet interface defaults to be 1500
bytes.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ipv6 nd hop-limit limit
ND hop limit is configured.

The value of limit ranges from 1 to 255. By default, it is 64.
Step 3 Run:

Step 4 Run:
ipv6 nd ra hop-limit limit
ND hop limit is configured.

The value of limit ranges from 0 to 255. By default, it is 64.
NOTE
l If the ipv6 nd ra hop-limit command has been run on an interface, the hop limit for an Router
Advertisement(RA) message uses the value configured on the interface.
l If the ipv6 nd ra hop-limit command has not been run on an interface, the hop limit for an RA message
uses the value configured globally, that is, the value configured in the ipv6 nd hop-limit command.
Step 5 Run:
ipv6 nd ra router-lifetime ra-lifetime
The life duration of RA messages is configured.

Issue 02 (2013-12-31)

1991

Equipment
7 IP Services
NOTE
l When the ipv6 nd ra command is run to set the interval for advertising RA messages, the interval must
be less than or equal to the life duration.
l By default, the maximum interval is 600 seconds, and the minimum interval is 200 seconds.
l By default, the life duration of RA messages is 1800 seconds. If the prefix is configured, the duration
is still 1800 seconds.
Step 6 Run:
ipv6 nd dad attempts value
Times to send DAD messages are configured.

Step 7 Run:
ipv6 nd ns retrans-timer interval
The interval for re-sending NS messages is set.

Step 8 Run:
ipv6 nd nud reachable-time value
The NUD reachable time is set.

Step 9 Run:
ipv6 mtu mtu
MTU of the interface is configured.

Step 10 Run:
ipv6 nd neighbor-limit
The maximum number of dynamic neighbor entries that can be learned by a specified interface
is configured.
By default, an interface can learn a maximum of 1024 dynamic neighbor entries.
NOTE
You can set a maximum number of neighbor entries that can be learned by a VLANIF interface dynamically
using the ipv6 nd neighbor-limit command. The ipv6 nd neighbor-limit command takes effect only on
a VLANIF interface.
----End
Configuring the Default Router Priority and Route Information

Router Advertisement(RA) packets that carry the default router priority and route information
can be transmitted over the local link. In this manner, a proper ATN can be selected to forward
packets of a host.
Context
If a host is connected to multiple ATNs, the host must select a ATN to forward packets based
on the destination addresses of packets. The ATN can advertise the default router priority and
specified route information to the host so that the host can select a proper forwarding ATN based
on the destination addresses of packets.
After receiving the RA packets carrying the route information, the host updates its routing table.
When sending packets to another device, the host queries the routing table and selects a proper
route to send packets.
Issue 02 (2013-12-31)

1992

Equipment
7 IP Services
When receiving the RA packets that carry the priority of default routers, the host updates its
default router table. When sending packets to another device, if there is no route to be selected,
the host queries the default router table. Then, the host selects a ATN with the highest priority
on the local link to send packets. If the ATN is faulty, the host selects another ATN in descending
order of priority.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ipv6 nd ra preference { high | medium | low }
The default router priority is configured in RA packets.

Step 4 Run:
ipv6 nd ra route-information ipv6-address prefix-length lifetime route-lifetime
[ preference { high | medium | low } ]
Route information is configured in RA packets.

----End
Enabling IPv6 ND Strict Learning

This section describes how to enable IPv6 neighbor discovery (ND) strict learning to comply
with RFC 4861.
Context
A device uses neighbor advertisement (NA) packets to establish neighbor entries, which does
not comply with RFC 4861. To comply with RFC 4861, enable IPv6 ND strict learning. After
you enable IPv6 ND strict learning on a device, the device uses NA packets only in response to
neighbor solicitation (NS) packets to establish neighbor entries.
Procedure
l
Enable IPv6 ND strict learning globally.

1.
Run:
system-view

2.
Run:
ipv6 nd learning strict
IPv6 ND strict learning is enabled globally.

Issue 02 (2013-12-31)

1993

Equipment
7 IP Services
Enable IPv6 ND strict learning in the interface view.

1.
Run:
system-view

2.
Run:

This command applies only to VLANIF interfaces, Eth-Trunk interfaces and Eth-trunk
sub-interfaces.
3.
Run:
ipv6 nd learning strict force-enable
IPv6 ND strict learning is forcibly enabled on the interface.

----End

You can view the configuration of IPv6 neighbor discovery.
Prerequisites
The IPv6 neighbor discovery function has been configured.
Procedure
l
Run the display ipv6 neighbors [ ipv6-address | [ vid vlan-id ] interface-type interfacenumber | vpn-instance vpn-instance-name ]display ipv6 neighbors interface-type
interface-number| [vid vid ] | [cevid cevid] command to check the neighbor information in
the cache.
Run the display ipv6 neighbors[[ vid vlan-id] interface-type interface-number ] command
to check the neighbor information in the cache.

check the IPv6 information of an interface. If the interface is in the Up state, the
configuration is successful.
----End
Example
Run the display ipv6 neighbors command. If the cache of the neighbor information contains
neighbors' IPv6 addresses and the specified interfaces, it means that the configuration succeeds.
<HUAWEI> display ipv6 neighbors gigabitethernet 0/2/0
-------------------------------------------------------IPv6 Address : 3003::2
Link-layer
: 00e0-fc89-fe6e
State : STALE
Interface
: GE0/2/0
Age
: 7
VLAN
: CEVLAN: VPN name
: vpn1
Is Router: TRUE
Secure FLAG : UN-SECURE
IPv6 Address : FE80::2E0:FCFF:FE89:FE6E
Issue 02 (2013-12-31)

1994

Equipment
7 IP Services
Link-layer
: 00e0-fc89-fe6e
State : STALE
Interface
: GE0/2/0
Age
: 7
VLAN
: CEVLAN: VPN name
: vpn1
Is Router: TRUE
Secure FLAG : UN-SECURE
--------------------------------------------------------Total: 2
Dynamic: 2
Static: 0
Run the display ipv6 interface command. If information about the IPv6 address on the interface
is displayed, it means that the configuration succeeds.
2001::1, subnet is 2001::/64
FF02::1:FF00:1
FF02::1:FF04:5D00
FF02::2
FF02::1
MTU is 1500 bytes
Run the display ipv6 interface brief command. If information about the IPv6 address on the
interface and interface status are displayed, it means that the configuration succeeds.
<HUAWEI> display ipv6 interface brief
(l): loopback
(s): spoofing
Interface
Physical
up
[IPv6 Address] 2030::101:101
up
[IPv6 Address] 2001::1
LoopBack0
up
[IPv6 Address] Unassigned
Protocol
up
up
up(s)
7.5.5 Configuring PMTU

By setting the PMTU, you can select a proper MTU for packet transmission. In this manner,
packets do not have to be fragmented during transmission and loads on intermediate devices are
reduced. In addition, network resources are used more efficiently and the network throughput
reaches the optimal value.
Before You Start

configuration procedure for configuring the PMTU.
Usage Scenario
By setting PMTUs on interfaces, you can enable devices to send packets based on proper MTUs
across the network. This avoids packet fragmentation, reduces the burden of the devices,
implements efficient usage of network resources and achieves the best throughput.
Issue 02 (2013-12-31)

1995

Equipment
7 IP Services
Before configuring PMTUs, complete the following tasks:
l
Configuring the physical features for the interface and ensuring that the status of the
Configuring the link layer protocol for the interface
Data Preparation
To configure PMTUs, you need the following data.
No.
Data
IPv6 address and PMTU value to be configured
PMTU aging time
Creating Static PMTU Entries

You can configure a static PMTU according to the lowest MTU of the path that a packet is to
traverse. This speeds up packet transmission.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ipv6 pathmtu ipv6-address [ path-mtu ]
The PMTU value of a specified IPv6 address is configured.

By default, the PMTU of the IPv6 address is 1500 bytes.
l The maximum number of static PMTU entries is 300.
l The maximum number of static PMTU entries of each VPN instance is 32.
l The maximum number of dynamic and static PMTU entries on the public network is 512.
l The maximum number of PMTU entries in all VPN instances is 1000.
----End
Configuring PMTU Aging Time

By setting the PMTU aging time, you can change the keepalive time of dynamic PMTU entries
in the cache. A static PMTU entry never ages.
Issue 02 (2013-12-31)

1996

Equipment
7 IP Services
Procedure
Step 1 Run:
system-view

Step 2 Run:
ipv6 pathmtu age age-time
The aging time of PMTU is configured.

By default, the dynamic PMTU aging time is 10 minutes.
----End

You can view the configuration of a PMTU.
Prerequisites
The the PMTU has been configured.
Procedure
l
Run the display ipv6 pathmtu { ipv6-address | all | dynamic | static } command to check
all PMTU items.

check the current MTU of the interface.
----End
Example
Run the display ipv6 pathmtu command. If the destination IPv6 address, the PMTU value, the
aging time and type are displayed, it means that the configuration succeeds.
<HUAWEI> display ipv6 pathmtu all
IPv6 Destination Address
ZoneID
fe80::12
0
2222::3
0
PathMTU
1300
1280
Age
40
--
Type
Dynamic
Static
Run the display ipv6 interface command. If the current MTU of the interface is displayed, it
means that the configuration succeeds.
2001::1, subnet is 2001::/64
FF02::1:FF00:1
FF02::1:FF04:5D00
FF02::2
FF02::1
MTU is 1500 bytes
Issue 02 (2013-12-31)

1997

Equipment
7 IP Services

7.5.6 Configuring TCP6

By setting TCP6 packets, you can improve the performance of the network.
Before You Start

configuration procedure for configuring TCP6.
Usage Scenario
To optimize network performance, you need to adjust the TCP6 parameters.
Before configuring TCP6, complete the following tasks:
l
Connecting and configuring the physical features for the interface and ensuring that the
status of the physical layer of the interface is Up
Configuring the link layer protocol parameters for the interface and ensuring that the status
of the link layer protocol on the interface is Up
Data Preparation
To configure TCP6, you need the following data.
No.
Data
Value of TCP6 FIN-WAIT timer
Value of TCP6 SYN-WAIT timer
Size of TCP6 Sliding Window
Configuring TCP6 Timers

By setting two TCP6 timers, you can control the TCP connection time.
Procedure
Step 1 Run:
system-view

Step 2 Run:
tcp ipv6 timer syn-timeout timer-value
Issue 02 (2013-12-31)

1998

Equipment
7 IP Services
The TCP6 SYN-WAIT timer is set.

By default, the SYN-WAIT timer is 75s.
Step 3 Run:
tcp ipv6 timer fin-timeout timer-value
The TCP6 FIN-WAIT timer is set.

By default, the FIN-WAIT timer is 600s.
----End
Configuring the Size of the TCP6 Sliding Window

By setting the sliding window size for TCP6, you can set the sizes of the receiving buffer and
transmitting buffer in the socket. In this manner, you can improve the performance of the
network.
Procedure
Step 1 Run:
system-view

Step 2 Run:
tcp ipv6 window window-size
The size of the TCP6 sliding window is configured.

The size of the TCP6 sliding window ranges from 1 KB to 32 KB. By default, the size of the
TCP6 sliding window is 8 KB.
----End

You can view the configuration of TCP6.
Prerequisites
The TCP6 function has been configured.
Procedure
l
Run the display tcp ipv6 statistics command to check related TCP6 statistics.
Run the display tcp ipv6 status command to check the TCP6 connection status.
Run the display udp ipv6 statistics command to check related UDP6 statistics.
----End
Issue 02 (2013-12-31)

1999

Equipment
7 IP Services
Example
Run the display tcp ipv6 statistics, display tcp ipv6 status, and display udp ipv6 statistics
commands. If the connection status and statistic of TCP6 and UDP6 are displayed, it means that
the configuration succeeds.
<HUAWEI> display tcp ipv6 statistics
Received packets:
total: 0
packets in sequence: 0 (0 bytes)
window probe packets: 0
window update packets: 0
checksum error: 0
offset error: 0
short error: 0
duplicate packets: 0 (0 bytes)
partially duplicate packets: 0 (0 bytes)
out-of-order packets: 0 (0 bytes)
packets with data after window: 0 (0 bytes)
packets after close: 0
ACK packets: 0 (0 bytes)
duplicate ACK packets: 0
too much ACK packets: 0
packets dropped due to MD5 authentication failure: 0
packets receieved with MD5 Signature Option: 0
Sent packets:
total: 0
urgent packets: 0
control packets: 0 (including 0 RST)
window probe packets: 0
window update packets: 0
data packets: 0 (0 bytes)
data packets retransmitted: 0 (0 bytes)
ACK only packets: 0 (0 delayed)
packets sent with MD5 Signature Option: 0
Other Statistics:
retransmitted timeout: 0
connections dropped in retransmitted timeout: 0
keepalive timeout: 0
keepalive probe: 0
keepalive timeout, so connections disconnected: 0
initiated connections: 0
accepted connections: 0
established connections: 0
closed connections: 0 (dropped: 0, initiated dropped: 0)
<HUAWEI> display tcp ipv6 status
TCP6CB
Local Address
Foreign Address
State
09e39ae4 3000::2->179
3000::1->49158
Time_Wait
09e36f24 3000::2->49152
3000::1->179
Established
07da08f8 ::->179
::->0
Listening
07d96da8 ::->23
::->0
Listening
<HUAWEI> display udp ipv6 statistics
Received packets:
total: 0
total(64bit high-capacity counter): 0
checksum error: 0
shorter than header: 0
invalid message length: 0
no socket on port: 0
no multicast port: 0
not delivered, input socket full: 0
input packets missing pcb cache: 0
packets sent for external pre processing: 1
Issue 02 (2013-12-31)

2000

Equipment
7 IP Services
Sent packets:
total: 0
total(64bit high-capacity counter): 0
7.5.7 Configuring ICMPv6 Message Control

In ICMPv6 message control, the token bucket algorithm is adopted, and one token represents
one ICMPv6 message. Tokens are placed in the virtual bucket at fixed intervals until the capacity
of the token bucket reaches the upper threshold. If the number of ICMPv6 messages exceeds
the upper threshold, extra messages are discarded.
Before configuring ICMPv6 message control, complete the following tasks:
l
Connecting interfaces and setting physical parameters for the interfaces to ensure that the
physical status of the interfaces is Up
Setting the parameters of the link layer protocols on interfaces
Configuring IPv6 addresses for interfaces
Control ICMPv6 error messages in the system view.
Procedure
1.
Run:
system-view

2.
Run:
ipv6 icmp-error { bucket bucket-size | ratelimit interval }
A sending rate limit is configured for ICMP error messages.

By default, a token bucket allows a maximum number of 10 tokens, and the interval
at which ICMPv6 messages are sent is 100 ms.
3.
Run:
ipv6 icmp too-big-rate-limit
The device is enabled to reject jumbo ICMPv6 error messages.

By default, the device is disabled from rejecting jumbo ICMPv6 error messages.
4.
Run:
undo ipv6 icmp redirect send
The system is disabled from sending ICMPv6 redirect messages.

By default, the system is enabled to send ICMPv6 redirect messages.
l
Control ICMPv6 Host Unreachable messages in the interface view.

1.
Run:
system-view

2.
Run:
Issue 02 (2013-12-31)

2001

Equipment
7 IP Services

3.
Run:
undo ipv6 icmp host-unreachable send
The interface is disabled from sending ICMPv6 Host Unreachable messages.

By default, an interface is enabled to send ICMPv6 Host Unreachable messages.
----End

l

view the configuration of IPv6 on the specified interface.
Run the display icmpv6 statistics [ interface-type interface-number ] command to view

the statistics about ICMPv6 traffic on the specified interface.
Run the display ipv6 interface command, and you can view the IPv6 addresses that are
configured on the interface.
link-local address is FE80::200:1FF:FE04:5D00
2001::1, subnet is 2001::/64
FF02::1:FF00:1
FF02::1:FF04:5D00
FF02::2
FF02::1
MTU is 1500 bytes
Run the display icmpv6 statistics command, and you can view statistics about ICMPv6 traffic.
<HUAWEI> display icmpv6 statistics
ICMPv6 protocol:
Sent packets:
Total
Unreached
Hop count exceeded
Too big
Echo replied
Router advert
Neighbor advert
Rate limited
:
:
:
:
:
:
:
:
16
0
0
0
5
0
2
0
Prohibited
Parameter problem
Echoed
Router solicit
Neighbor solicit
Redirected
:
:
:
:
:
:
0
0
5
0
4
0
:
:
:
:
:
16
0
0
0
0
Format error
:
Too short
:
Bad length
:
Unknown error type :
Prohibited
:
0
0
0
0
0
Received packets:
Total
Checksum error
Bad code
Unknown info type
Unreached
Issue 02 (2013-12-31)

2002

Equipment
Hop count exceeded
Too big
Echo replied
Router advert
Neighbor advert
Rate limited
:
:
:
:
:
:
0
0
5
0
2
0
7 IP Services
Parameter problem
Echoed
Router solicit
Neighbor solicit
Redirected
:
:
:
:
:
2
5
0
4
0
7.5.8 Maintaining IPv6

This section describes how to maintain IPv6. Detailed operations include deleting information
about IPv6 operation and monitoring IPv6 operation.
Resetting IPv6
This section describes clearance of information about IPv6 operation through the reset command.
Context
NOTICE
IPv6 statistics cannot restore after you clear it. So, confirm the action before you use the
command.
Procedure
l
Run the reset ipv6 statistics [ slot slot-id ] command in the user view to clear statistics of
processing IPv6 packets after you confirm it.
Run the reset ipv6 pathmtu { all | dynamic | static } command in the user view to clear
PMTU entries in the cache after you confirm it.
Run the reset ipv6 address-policy [ vpn-instance vpn-instance-name ] command in the

user view to clear address selection policy entries.
Run the reset ipv6 neighbors { all | dynamic | static | vid vlan-id [ interface-type interfacenumber ] | interface-type interface-number [ dynamic | static ] } command in the user view
to clear IPv6 neighbor entries in the cache after you confirm it.
Run the reset tcp ipv6 statistics command in the user view to clear all TCP6 statistics after
you confirm it.
Run the reset udp ipv6 statistics command in the user view to clear all UDP6 statistics
after you confirm it.
Run the reset ipv6 attack-source overlapping-fragment command in the user view to
clear all statistics after you confirm it.
----End
Monitoring Network Operating Status of IPv6

This section describes IPv6 operation monitoring through the display command.
Issue 02 (2013-12-31)

2003

Equipment
7 IP Services
Context
of IPv6.
Procedure
l
Run the display ipv6 interface [ interface-type interface-number | brief ] command in any
view to check the IPv6 information about the interface.
Run the display ipv6 statistics [ slot slot-id | interface interface-type interface-number ]
command in any view to check IPv6 packet statistics.
Run the display icmpv6 statistics [ slot slot-id | interface interface-type interfacenumber ] command in any view to check the operation of ICMPv6 packet statistics.
Run the display ipv6 neighbors [ ipv6-address | [ vid vlan-id ] interface-type interfacenumber ], display ipv6 neighbors [ interface-type interface-number [ vid vid [ cevid
cevid ] ] ], or display ipv6 neighbors slot slot-id [ verbose ] [ [vid vlan-id ] [ interfacetype interface-number ] ] command in any view to check contents about the neighbor cache.
Run the display ipv6 address-policy [ vpn-instance vpn-instance-name ] { all | ipv6address prefix-length } command in any view to check address selection policy entries.
Run the display ipv6 neighbors [[ vid vlan-id ] interface-type interface-number ] command
in any view to check contents about the neighbor cache.
Run the display ipv6 pathmtu { ipv6-address | all | dynamic | static } command in any
view to check all PMTU entries.
Run the display tcp ipv6 statistics command in any view to check TCP6 statistics.
Run the display tcp ipv6 status command in any view to check TCP6 connection status.
Run the display udp ipv6 statistics command in any view to check UDP6 statistics.
Run the display ipv6 fib [ [ slot-id ] verbose ] command in any view to check information
about the FIB.
Run the display ipv6 fib [ [ slot-id ] verbose ] command in any view to check information
about the FIB.
Run the display ipv6 attack-source overlapping-fragment command in any view to

check information to check information about attack-source overlapping-fragment.
----End

configuration roadmap. An example is used to describe how to configure an IPv6 address and
Neighbor Discovery Protocol for an interface.
Example for Configuring an IPv6 Address for an Interface

This part provides an example for configuring the IPv6 address of an interface.
Issue 02 (2013-12-31)

2004

Equipment
7 IP Services
Networking Requirement
As shown in Figure 7-10, ATN A and ATN B are connected through GE interfaces. It is required
to configure IPv6 global unicast addresses for the interfaces and test the connectivity between
them.
The IPv6 global unicast addresses to be configured for the interfaces are 3001::1/64 and
3001::2/64.
Figure 7-10 Networking diagram of configuring an IPv6 address for an interface
GE0/2/0
3001::1/64
GE0/2/0
3001::2/64
ATN A
ATN B
1.
Enable IPv6 forwarding capability on devices.
2.
Configure IPv6 global unicast addresses for the interfaces.
Data Preparation
To complement the configuration, you need the following data:
l
Global unicast addresses of the interfaces
Procedure
Step 1 Enable IPv6 packet forwarding on ATN A and ATN B.
# Configure ATN A
[ATNA] ipv6
# Configure ATN B
[ATNB] ipv6
Step 2 Configure IPv6 global unicast addresses for the interfaces.

# Configure ATN A.
[ATNA-GigabitEthernet0/2/0] ipv6
[ATNA-GigabitEthernet0/2/0] undo
Issue 02 (2013-12-31)
0/2/0
enable
address 3001::1/64
shutdown

2005

Equipment
7 IP Services
# Configure ATN B.
[ATNB] interface gigabitethernet
[ATNB-GigabitEthernet0/2/0] ipv6
[ATNB-GigabitEthernet0/2/0] undo
0/2/0
enable
address 3001::2/64
shutdown

If the configuration succeeds, you can view the configured IPv6 global unicast addresses and
status of the interface and the IPv6 protocol are both Up.
# Display interface information of ATN A.
[ATNA] display ipv6 interface gigabitethernet 0/2/0
IPv6 is enabled, link-local address is FE80::C964:0:B8B6:1
3001::1, subnet is 3001::/64
FF02::1:FF00:1
FF02::1:FFB6:1
FF02::2
FF02::1
MTU is 4470 bytes
# Display interface information of ATN B.

[ATNB] display ipv6 interface gigabitethernet 0/2/0
IPv6 is enabled, link-local address is FE80::2D6F:0:7AF3:1
3001::2, subnet is 3001::/64
FF02::1:FF00:2
FF02::1:FFF3:1
FF02::2
FF02::1
MTU is 4470 bytes
# On ATN A, ping the link-local address of ATN B. Note that you need to use the parameter i to specify the interface.
[ATNA] ping ipv6 fe80::2d6f:0:7af3:1 -i gigabitethernet 0/2/0
PING FE80::2D6F:0:7AF3:1 : 56 data bytes, press CTRL_C to break
Reply from FE80::2D6F:0:7AF3:1
bytes=56 Sequence=1 hop limit=64 time = 60 ms
--- FE80::2D6F:0:7AF3:1 ping statistics ---
Issue 02 (2013-12-31)

2006

Equipment
7 IP Services
0.00% packet loss
# On ATN A, ping the global unicast IPv6 address of ATN B.

[ATNA] ping ipv6 3001::2
PING 3001::2 : 56 data bytes, press CTRL_C to break
Reply from 3001::2
Reply from 3001::2
Reply from 3001::2
Reply from 3001::2
Reply from 3001::2
--- 3001::2 ping statistics --5 packet(s) transmitted
0.00% packet loss
----End
Configuration Files
l

#
sysname ATNA
#
ipv6
#
link-protocol ppp
undo shutdown
ipv6 enable
ipv6 address 3001::1/64
#
return

#
sysname ATNB
#
ipv6
#
link-protocol ppp
undo shutdown
ipv6 enable
#
return
Example for Configuring IPv6 Neighbor Discovery

This section provides an example of configuring IPv6 Neighbor Discovery.
As shown in Figure 7-11, device is directly connected to the PC by GE 0/2/0.
Issue 02 (2013-12-31)

2007

Equipment
7 IP Services
Figure 7-11 Example for configuring IPv6 neighbor discovery

GE0/2/0
3000::/64 eui-64
NodeB
1.
Configure the local unicast addresses of the link and EUI-64 site separately on GE 0/2/0.
2.
Configure the RA prefix message to be advertised on GE 0/2/0 and enable the advertisement
of the RA prefix message.
Data Preparation
l
Local unicast addresses of the link and EUI-64 site on GE 0/2/0
RA prefix message to be advertised
Procedure
Step 1 Enable the IPv6 forwarding on devices.
[HUAWEI] ipv6
Step 2 Configure the local unicast address of the link on GE 0/2/0.

[HUAWEI] interface gigabitethernet
[HUAWEI-GigabitEthernet0/2/0] undo
[HUAWEI-GigabitEthernet0/2/0] ipv6
[HUAWEI-GigabitEthernet0/2/0] ipv6
0/2/0
shutdown
enable
address auto link-local
Step 3 Configure the local unicast address of the EUI-64 site on GE 0/2/0 and the prefix in the RA
message.
NOTE
A PC can automatically obtain the RA prefix message from devices only after the Router Advertisement
(RA) prefix message to be advertised is configured and the advertisement of the RA prefix message is
enabled on devices.
[HUAWEI-GigabitEthernet0/2/0] ipv6 address 3000::/64 eui-64
[HUAWEI-GigabitEthernet0/2/0] ipv6 nd ra prefix 3000::/64 1000 1000
[HUAWEI-GigabitEthernet0/2/0] undo ipv6 nd ra halt

If configurations are successful, you can view the configured local unicast address of the link
and the EUI-64 site and find that GE 0/2/0 is Up and IPv6 is Up.
# Display information about interfaces of devices.
[HUAWEI-GigabitEthernet0/2/0] display this ipv6 interface
Issue 02 (2013-12-31)

2008

Equipment
7 IP Services

IPv6 is enabled, link-local address is FE80::2E0:FCFF:FE7D:A497
3000::2E0:FCFF:FE7D:A497, subnet is 3000::/64
FF02::1:FF7D:A497
FF02::2
FF02::1
MTU is 1500 bytes
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisement max interval 600 seconds, min interval 200 seconds
ND router advertisements live for 1800 seconds
# Display information about PCs.

Ethernet adapter 1:
Connection-specific
Description . . . .
rnet NIC #2
Physical Address. .
Dhcp Enabled. . . .
IP Address. . . . .
Subnet Mask . . . .
IP Address. . . . .
IP Address. . . . .
IP Address. . . . .
Default Gateway . .
DNS Servers . . . .
DNS Suffix . :
. . . . . . . : Realtek RTL8139 Family PCI Fast Ethe
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
:
:
:
:
:
:
:
:
:
00-E0-4C-77-A1-B6
No
110.1.1.33
255.0.0.0
3000::78b3:4397:c0c4:f078
3000::2e0:4cff:fe77:a1b6
fe80::2e0:4cff:fe77:a1b6%6
fe80::288:ff:fe10:b%6
fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
# Ping the local unicast address of the link on the PC from the device with the use of the parameter
-i which specifies the interface corresponding to the local unicast address.
[HUAWEI-GigabitEthernet0/2/0] ping ipv6 fe80::2e0:4cff:fe77:a1b6 -i
PING FE80::2E0:4CFF:FE77:A1B6: 56 data bytes, press CTRL_C to break
Reply from FE80::2E0:4CFF:FE77:A1B6
--- FE80::2E0:4CFF:FE77:A1B6 ping statistics --5 packet(s) transmitted
0.00% packet loss
# Ping the local unicast address of the EUI-64 site of the PC from the device.
[HUAWEI-GigabitEthernet0/2/0] ping ipv6 3000::78b3:4397:c0c4:f078
PING 3000::78B3:4397:C0C4:F078 : 56 data bytes, press CTRL_C to break
Reply from 3000::78B3:4397:C0C4:F078
Reply from 3000::78B3:4397:C0C4:F078
Reply from 3000::78B3:4397:C0C4:F078
Issue 02 (2013-12-31)

2009

Equipment
7 IP Services

Reply from 3000::78B3:4397:C0C4:F078
Reply from 3000::78B3:4397:C0C4:F078
--- 3000::78B3:4397:C0C4:F078 ping statistics --5 packet(s) transmitted
0.00% packet loss
----End
Configuration Files
Configuration file of HUAWEI
#
sysname HUAWEI
#
ipv6
#
undo shutdown
ipv6 enable
ipv6 address 3000::/64 eui-64
ipv6 address auto link-local
ipv6 nd ra prefix 3000::/64 1000 1000
undo ipv6 nd ra halt
#
return
Example for Configuring IPv6 Address Selection Policy Table

This part describes how to configure IPv6 address selection policy table.
As shown in Figure 7-12, the domain name (huawei.com) of Server A maps multiple IPv6
addresses. When ATN A, as an IPv6 DNS client, accesses Server A by using the domain name
(huawei.com), the DNS Server sends all IPv6 addresses of Server A to ATN A. Then, ATN A
queries the IPv6 address selection policy table to select a proper IPv6 address as the destination
address of Server A.
Issue 02 (2013-12-31)

2010

Equipment
7 IP Services
Figure 7-12 Networking diagram for configuring an IPv6 address selection policy table
DNS Server
abcd::1234/64
DNS Client
ATN A
Ethernet
GE0/2/0
a::1/64
2001:2::2/64
b::1/64
2001::1/64
fed0:1::2/64
Abcd::77/64
huawei.com
Server A
Configuration Notes
None
1.
Configure IPv6 address selection policy entries.
2.
Configure dynamic IPv6 DNS services.
Data Preparation
l
IPv6 addresses on the interface of ATN A
Addresses, label values and precedence values of IPv6 address selection policy entries
IPv6 addresses of the DNS server
Procedure
Step 1 Configure IPv6 address selection policy entries
# Configure IPv6 addresses for the interface.
[ATNA] ipv6
[ATNA-GigabitEthernet0/2/0] ipv6 enable
Issue 02 (2013-12-31)

2011

Equipment
[ATNA-GigabitEthernet0/2/0]
7 IP Services
ipv6
ipv6
ipv6
ipv6
quit
address
address
address
address
fe80::1 link-local
fed0:1::2 64
2001:2::2 64
abcd::77 64
# Configure destination address selection policies.

[ATNA] ipv6 address-policy fed0:1::2 128 100 100
[ATNA] ipv6 address-policy 2001::1 128 100 100
Step 2 Configure dynamic IPv6 DNS services.

[ATNA]
[ATNA]
[ATNA]
[ATNA]
dns resolve
dns server ipv6 abcd::1234
dns domain com
quit

# Run the ping ipv6 huawei.com command on ATN A, and you can find that Server A can be
pinged successfully, with the destination IP address being 2001::1.
<ATNA> ping ipv6 huawei.com
Resolved Host (huawei.com -> 2001::1)
PING huawei.com : 56 data bytes, press CTRL_C to
Reply from 2001::1: bytes=56 Sequence=1 ttl=126
--- huawei.com ping statistics --5 packet(s) transmitted
0.00% packet loss
break
time=6
time=4
time=4
time=4
time=4
ms
ms
ms
ms
ms
# Run the display ipv6 interface gigabitethernet 0/2/0 command on ATN A, and you can view
information about the IPv6 address of GigabitEthernet 0/2/0.
<ATNA> display ipv6 interface gigabitethernet 0/2/0
IPv6 is enabled, link-local address is FE80::1
FED0:1::2, subnet is FED0:1::/64
2001:2::2, subnet is 2001:2::/64
ABCD::77, subnet is ABCD::/64
FF02::1:FF00:77
FF02::2
FF02::1
FF02::1:FF00:2
FF02::1:FF00:1
MTU is 1500 bytes
# Run the display ipv6 address-policy all command on ATN A, and you can view information
about address selection policy entries.
<ATNA> display ipv6 address-policy all
Policy Table :
Total:7
-------------------------------------------------------------------------------
Issue 02 (2013-12-31)

2012

Equipment
7 IP Services
Prefix
: ::
Precedence : 40
Default
: Yes
PrefixLength
Label
: 0
: 1
Prefix
: ::1
Precedence : 50
Default
: Yes
PrefixLength
Label
: 128
: 0
Prefix
: ::FFFF:0.0.0.0
Precedence : 10
Default
: Yes
PrefixLength
Label
: 96
: 4
Prefix
: 2001::1
Precedence : 100
Default
: No
PrefixLength
Label
: 128
: 100
Prefix
: 2002::
Precedence : 30
Default
: Yes
PrefixLength
Label
: 16
: 2
Prefix
: FC00::
Precedence : 20
Default
: Yes
PrefixLength
Label
: 7
: 3
Prefix
: FED0:1::2
Precedence : 100
Default
: No
PrefixLength
Label
: 128
: 100
-------------------------------------------------------------------------------
----End
Configuration Files
l

#
sysname ATNA
#
ipv6
#
dns resolve
dns server ipv6 abcd::1234
dns domain com
#
undo shutdown
ipv6 enable
ipv6 address FED0:1::2/64
ipv6 address 2001:2::2/64
ipv6 address FE80::1 link-local
#
ipv6 address-policy 2001::1 128 100 100
ipv6 address-policy FED0:1::2 128 100 100
#
return
Example for Configuring Default Router Priority and Route Information

This part describes how to configure default router priorities and route information.
Issue 02 (2013-12-31)

2013

Equipment
7 IP Services
As shown in Figure 7-13, a NodeB is connected to ATN A and ATN B by using ATN A. The
NodeB selects a proper ATN to forward packets based on destination addresses of packets.
Figure 7-13 Networking of Configuring Default Router Priorities and Route Information
GE0/2/0
2002::2/64
GE0/2/0
4004::2/64
ATNA
ATNB
ATNC
2002::1/64
4004::1/64
NodeB
Configuration Notes
The NodeB supports RFC 4191, by which it can learn the default router priorities and route
information in RA packets.
1.
Configure default router priorities and route information on ATN A and ATN B.
Data Preparation
l
IPv6 addresses of interfaces on ATN A and ATN B
Default router priorities and route information
Procedure
Step 1 Configure default router priorities and route information.
# Configure ATN A.
[ATNA] ipv6
Issue 02 (2013-12-31)

2014

Equipment
preference high
7 IP Services
ipv6
undo
ipv6
ipv6
ipv6
ipv6
enable
ipv6 nd ra halt
address fe80::1 link-local
address 2002::2/64
nd ra preference high
nd ra route-information 2002:: 64 lifetime 2000
quit
# Configure ATN B.
[ATNB] ipv6
[ATNB] interface gigabitethernet
preference high
0/2/0
shutdown
enable
ipv6 nd ra halt
address fe80::2 link-local
address 4004::2/64
nd ra preference low
nd ra route-information 4004:: 64 lifetime 2000

# Check the configuration of the PC, and you can find that the default gateway of the PC is ATN
A.
C:\Documents and Settings\Administrator>ipconfig /all
Ethernet adapter 1:
Connection-specific
Description . . . .
rnet NIC #2
Physical Address. .
Dhcp Enabled. . . .
IP Address. . . . .
Subnet Mask . . . .
IP Address. . . . .
IP Address. . . . .
IP Address. . . . .
IP Address. . . . .
IP Address. . . . .
Default Gateway . .
DNS Servers . . . .
DNS Suffix . :
. . . . . . . : Realtek RTL8139 Family PCI Fast Ethe
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
:
:
:
:
:
:
:
:
:
:
:
00-E0-4C-77-A1-B6
No
110.1.1.33
255.0.0.0
3000::78b3:4397:c0c4:f078
3000::2e0:4cff:fe77:a1b6
2002::1
4004::1
fe80::2e0:4cff:fe77:a1b6%6
2002::2
fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
# Check the routing table of the PC, and you can find the routing entries learned by the PC.
C:\Documents and Settings\Administrator>netsh
netsh>interface ipv6
netsh interface ipv6>show route
Querying active state...
Publish
------no
no
yes
yes
Type
-------Manual
Manual
Manual
Manual
Met
---3
3
3
3
Prefix
-----------------------4004::/64
2002::/64
1414::/64
1212::/64
Idx
--4
4
4
4
Gateway/Interface Name
--------------------fe80::2
fe80::1
Local Area Connection
Local Area Connection
----End
Issue 02 (2013-12-31)

2015

Equipment
7 IP Services
Configuration Files
l

#
sysname ATNA
#
ipv6
#
undo shutdown
ipv6 enable
ipv6 nd ra preference high
ipv6 nd ra route-information 2002:: 64 lifetime 2000 preference high
#
return

#
sysname ATNB
#
ipv6
#
undo shutdown
ipv6 enable
ipv6 nd ra preference low
ipv6 nd ra route-information 4004:: 64 lifetime 2000 preference high
#
return
7.6 ACL6 Configuration

Access Control Lists (ACL6s) help guarantee network security and stability.
7.6.1 Introduction
ACL6s are used for device management, unicast packet filtering, routing policies, traffic
management, and multicast packet filtering to ensure network security, reliability, and stability.
ACL6 Overview
Access Control List6s (ACL6s) configured on devices help the devices classify different types
of packets, and permit or deny packets accordingly.
Devices need to communicate with each other on stable networks with reliable data transmission.
ACL6s can be configured on access or core devices to:
l
Protect the devices against IPv6, TCP, and ICMPv6 packet attacks.
Control network access. For example, control the access of enterprise network users to
external networks, specific network resources that users can access, and time ranges in
which users can access networks.
Issue 02 (2013-12-31)

2016

Equipment
7 IP Services
Limit network traffic and improve network performance. For example, limit bandwidth for
upstream and downstream traffic, charge for the bandwidth that users have applied for, and
make full use of high-bandwidth network resources.
ACL6s can be configured on access or core devices to ensure network security and stability.
ACL6 Features Supported by the ATN

Familiarizing yourself with the ACL6 definition, ACL6 classification, and ACL6 rules helps
you complete the ACL6 configuration task quickly and accurately.
ACL6 Definition
An ACL6 is a set of sequential filter rules. Rules are defined based on packets' inbound interfaces,
source or destination IP addresses, protocol types, or source or destination port numbers, and
specify deny or permit actions. After an ACL6 is configured on the ATN, the ATN classifies
the received packets based on the rules defined in the ACL6, and then denies or permits the
packets accordingly.
An ACL6 only classifies packets based on defined rules. ACL6s can be used to filter packets
only when they have been applied to a specific service, such as device management, policybased routing, unicast packet filtering, route policies, traffic management, or multicast packet
filtering.
ACL6 Classification
ACL6s can be classified into interface-based ACL6s, basic ACL6s, and advanced ACL6s.
l
Interface-based ACL6
Interface-based ACL6s are numbered from 1000 to 1999. A maximum of 1000 interfacebased ACL6s can be configured.
Rules in an interface-based ACL6 are defined mainly based on inbound interfaces that
receive packets.
Basic ACL6
Basic ACL6s are numbered from 2000 to 2999. A maximum of 1000 basic ACL6s can be
configured.
Rules in a basic ACL6 are defined based on the source IP addresses of received packets.
Advanced ACL6
Numbered advanced ACL6s are numbered from 3000 to 3999. A maximum of 1000
numbered advanced ACL6s can be configured.
Named advanced ACL6s are numbered from 42768 to 75535. A maximum of 32768 named
advanced ACL6s can be configured.
Rules in an advanced ACL6 are defined based on the source or destination IP addresses,
protocol types, or source or destination port numbers of received packets.
ACL6 Time Range

Configuring a time range for an ACL6 rule allows a device to permit or deny packets within a
specified time period. A time range can be an absolute time range or a cycle time range.
Issue 02 (2013-12-31)

2017

Equipment
7 IP Services
cyclic.
A cycle time range is cyclic and the cycle is one week. For example, an ACL6 rule takes
ACL6 Description
The description of an ACL6 can be configured. The description helps users understand ACL6
information such as usage, improving readability.
ACL6 Rule
ACL6 rules are configured for each ACL6 and are used to classify packets in different scenarios.
Table 7-5 lists ACL6 rules and their applications.
Table 7-5 ACL6 rules
ACL6 Rule
ACL6 Type
Outbound interface
Classifies packets based on their outbound

interfaces. This is used for:
Interface-based ACL6
l Flow control
Time range
Sets a time range in which ACL6 rules take

effect. This is used for:
l Flow control
Interface-based ACL6,
basic ACL6, and
advanced ACL6
l Access time control

Non-first fragment
Classifies packets based on whether a

packet is the first packet fragment.
Basic ACL6 and

advanced ACL6
l Attack defense
l Flow control
Source IPv6 address
Classifies packets based on their source

IPv6 addresses. This is used for:
Basic ACL6 and

advanced ACL6
l Flow control
l Route filtering
VPN instance
Classifies packets based on the VPN

instances to which the packets belong.
This is used for:
Basic ACL6 and

advanced ACL6
l Flow control
Issue 02 (2013-12-31)

2018

Equipment
7 IP Services
ACL6 Rule
ACL6 Type
Destination IPv6
address
Classifies packets based on their

destination IPv6 addresses. This is used
for:
Advanced ACL6
l Flow control
l Route filtering
Protocol type
Classifies packets based on their protocol

types.
Advanced ACL6
Source port number
Classifies packets based on source TCP6

or UDP6 port numbers. This is used for:
Advanced ACL6
l Flow control
l Route filtering
Destination port
number
Classifies packets based on destination

TCP6 or UDP6 port numbers. This is used
for:
Advanced ACL6
l Flow control
l Route filtering
IPv6 DSCP
Classifies IPv6 packets based on their

DSCP values.
Advanced ACL6
IPv6 precedence
Classifies IPv6 packets based on IP

precedence. This is used for flow control.
Advanced ACL6
IPv6 ToS
Classifies IPv6 packets based on their ToS

values. This is used for flow control.
Advanced ACL6
ACL6 Rule Sequence

A device configured with ACL6s matches the received packets with the rules in an ACL6.
The rule sequence in an ACL6 depends on ACL6 rule matching orders and ACL6 rule numbers.
Rule matching orders include the configuration order and the automatic order.
l
Issue 02 (2013-12-31)
Automatic order: The system automatically allocates rule numbers, and places the most
precise rule in the front of the ACL6 based on the depth-first principle.

2019

Equipment
7 IP Services
NOTE
ACL6 rules are arranged in sequence based on rule precision. For an ACL6 rule (where a protocol
type, a source IP address range, or a destination IP address range is specified), the stricter, the more
precise. For example, an ACL6 rule can be configured based on the wildcard of an IP address. The
smaller the wildcard, the smaller the specified network segment and the stricter the ACL6 rule.
If rules have the same precision, they are matched based on the configuration order.
Configuration order: The system arranges ACL6 rules based on the rules' configuration
order. The number of an ACL6 rule can be configured or automatically generated by the
system based on the ACL6 step.
ACL6 Step Size

The system automatically assigns numbers to ACL6 rules by a specified step size, facilitating
ACL maintenance.
If a step size is changed, the system renumbers ACL6 rules by the updated step size. For example,
rule numbers 5, 10, 15, and 20 change to 2, 4, 6, and 8 starting from the configured step size, if
the step size is changed to 2.
If rule numbers are not evenly distributed, they become even after the step command is run. For
example, if the current step is 5 and the rule IDs are 1, 3, 10, and 12, the rule IDs become 2, 4,
6, and 8 after the step 2 command is run.
7.6.2 Configuring a Basic ACL6

A basic ACL6 defines rules based on packets' source IPv6 addresses.
Before You Start

Before configuring a basic ACL6, familiarize yourself with the usage scenario, complete the
Usage Scenario
example:
l
Set different access rights for users based on the source IPv6 addresses of the packets sent
by them. This is to ensure network reliability and security.
security.
A basic ACL6 can manage traffic, control access rights, and filter routes by checking whether
the packets are the first packet fragments, or checking the packets' source IPv6 addresses or
VPNs. Figure 7-14 shows the application of a basic ACL6.
Issue 02 (2013-12-31)

2020

Equipment
7 IP Services
Figure 7-14 Application of a basic ACL6
Network A
2001::1/128
Network B
2002::1/128
GE0/2/0
ATN A
Internet
Basic ACL6 enable
GE0/2/1
Network C
2003::1/128
As shown in Figure 7-14, a basic ACL6 is created on ATN A to permit all packets sent from
Network A to the Internet and deny all packets sent from Network B and Network C to the
Internet.
Before creating a basic ACL6, complete the following task:
l
Configuring the link layer protocol parameters for interfaces to ensure that the link layer
Data Preparation
To create a basic ACL6, you need the following data.
Issue 02 (2013-12-31)
No.
Data
(Optional) Name of the time range in which the basic ACL6 takes effect, and the start
time and end time in the time range
Number, (optional) description, and (optional) step value of the basic ACL6
Number of each rule in the basic ACL6, source IPv6 address of a packet, and VPN
instance to which the packet belongs

2021

Equipment
7 IP Services
(Optional) Creating a Time Range in Which an ACL6 Rule Takes Effect

You can create a time range in which an ACL6 rule takes effect.
Context
l
cyclic.
optional. If you do not create a time range, an ACL6 rule will take effect immediately after being
configured.
Procedure
Step 1 Run:
system-view

Step 2 Run:
date2 ] }

----End
Creating a Basic ACL6

This section describes how to create an ACL6 with the number ranging from 2000 to 2999.
Context
Both a basic ACL6 and an advanced ACL6 can define rules based on packets' source IPv6
addresses. To define rules only based on source IPv6 addresses, you can use a basic ACL6. An
advanced ACL6 can define rules based on packets' protocol types, source/destination IPv6
For details on the rules supported by each type of ACL6, see ACL6 rules.
When creating a basic ACL6, you can configure description for it so that other users can view
and quickly learn about the configuration of this ACL6.
Issue 02 (2013-12-31)

2022

Equipment
7 IP Services
An ACL6 step is the difference between two automatically allocated ACL6 rule numbers
(auto configured in Step 2).
Procedure
Step 1 Run:
system-view

Step 2 Run:
acl ipv6 [ number ] ACL6-number [ match-order { auto | config } ]
A basic ACL6 is created and the view of the basic ACL6 is displayed.
description text
The ACL6 description is configured.

The length of the description is a maximum of 127 characters.
step step
The step size of ACL6 rules is set.

The undo step command allows the system to restore the default ACL6 step size of 5 and rearrange ACL6 rule numbers.
----End
Configuring a Basic ACL6 Rule

A basic ACL6 defines rules based on whether the packets are the first fragment, packets' source
IPv6 addresses, and the VPNs to which the packets belong.
Context
When you configure a basic ACL6:
l
If a specific source IPv6 address is specified (source in Step 3), the system filters only
packets with this specified source IPv6 address.
If all source IPv6 addresses are specified (any in Step 3), the system will not check packets'
source IPv6 addresses, but considers that all packets have matched the rule and directly
takes an action (deny or permit) on the packets.
NOTE
Procedure
Step 1 Run:
system-view
Issue 02 (2013-12-31)

2023

Equipment
7 IP Services

Step 2 Run:
acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]
The view of the basic ACL6 is displayed.

Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment | source { source-ipv6-address prefixlength | source-ipv6-address/prefix-length | any } | time-range time-name | vpninstance vpn-instance-name ] *
A rule is configured for the basic ACL6.

l Adding new rules to an ACL6 will not affect the existing rules.
----End
Applying a Basic ACL6

Basic ACL6s can be used in device management, routing policies, multicast packet filtering,
and QoS services.
Context
Table 7-6 describes the typical applications of basic ACL6s.
Table 7-6 Typical applications of basic ACL6s
Issue 02 (2013-12-31)
Typical
Application
Usage Scenario
Operation
Device
management
When a router functions

as an FTP or TFTP
server, you can configure
a basic ACL6 on the
router to allow only the
clients that match
specific ACL rules to
access the server.
For details on how to configure FTP and

TFTP access control, see
To restrict the incoming

or outgoing calls on VTY
user interfaces, you can
configure a basic ACL6.
For details on how to configure restriction

on incoming and outgoing calls on VTY user
Incoming and Outgoing Calls on VTY
User Interfaces.
l Configuring an FTP ACL

l Configuring TFTP Access Authority

2024

Equipment
7 IP Services
Typical
Application
Usage Scenario
Operation
Routing policies

a basic ACL6 on the
router to allow the router
to receive or advertise
only the routes that match
the ACL6 rules.

see
l Configuring OSPFv3 to Import
External Routes
l Configuring OSPFv3 to Filter the
Received Routes
l Configuring RIPng to Import
External Routes
l Configuring RIPng to Filter the
Received Routes
l Configuring IPv6 IS-IS to Import
External Routes
l Configuring IPv6 IS-IS to Filter the
Received Routes
l Configuring the Policy for Advertising
BGP4+ Routing Information
l Configuring the Policy for Receiving
To process different
types of traffic, you can
configure a basic ACL6
to perform traffic
policing, traffic shaping,
or traffic classification
on the traffic that
matches the ACL6 rules.
QoS services
For details on how to configure traffic

policies for different types of traffic, see
Configuring a Traffic Policy Based on

After a basic ACL6 is configured, you can view its configuration.
Prerequisites
The basic ACL6 has been configured.
Procedure
l
Run the display acl ipv6 { ACL6-number | all } command to check the configured ACL6.
range.
----End
Issue 02 (2013-12-31)

2025

Equipment
7 IP Services
Example
After an ACL6 is successfully configured, run the display acl ipv6 command to view the ACL6
number, number of configured ACL6 rules, ACL6 step, ACL6 rule contents, and number of
times that the ACL6 rules are matched.
<HUAWEI> display acl ipv6 2000
Basic IPv6 ACL 2000, 1 rule
IPv6 ACL's step is 5
rule 1 deny source 4050:7080::4060/96 (0 times matched)
10:00 to 12:00 daily
from 13:00 2011/4/1 to 23:59 2099/12/31
14:00 to 00:00 daily
7.6.3 Configuring an Advanced ACL6

An advanced ACL6 defines rules based on packets' source IP addresses, destination IP addresses,
Before You Start

Before configuring an advanced ACL6, familiarize yourself with the usage scenario, complete
Usage Scenario
example:
l
Filter packets of various protocols. For example, filter out ICMPv6 packets to protect
network devices against ICMPv6 packet attacks.
security.
An advanced ACL6 can manage traffic, control access rights, and filter routes by checking
whether the packets are the first packet fragments, or checking the packets' source IPv6
addresses, destination IPv6 addresses, protocol types, source port numbers, destination port
numbers, IPv6 DSCP values, IPv6 precedence, IPv6 ToS values, or VPNs to which packets
belong. Figure 7-15 shows the application of an advanced ACL6.
Issue 02 (2013-12-31)

2026

Equipment
7 IP Services
Figure 7-15 Application of an advanced ACL6
Network A
2001::1/128
Network D
2004::1/128
ICMPv6
packet
ATN A
ATN D
RouterE
Network B
2002::1/128
Network C
2003::1/128
ICMPv6
packet
ATN B
ATN C
As shown in Figure 7-15, an advanced ACL6 is created on ATN E to permit all ICMPv6 packets
sent from ATN B to ATN D and deny all ICMPv6 packets sent from ATN A to ATN C.
Before creating an advanced ACL6, complete the following task:
l
Configuring the link layer protocol parameters for interfaces to ensure that the link layer
Data Preparation
To create an advanced ACL6, you need the following data.
No.
Data
(Optional) Name of the time range in which the advanced ACL6 takes effect, and the
start time and end time in the time range
Number, (optional) description, and (optional) step value of an advanced ACL6
Number of each rule in the advanced ACL6, packet's source IPv6 address, destination
IPv6 address, protocol type, source port number, destination port number, IPv6 DSCP
value, IPv6 precedence, IPv6 ToS value, or VPN instance to which the packet belongs

Context
Issue 02 (2013-12-31)

2027

Equipment
7 IP Services
cyclic.
configured.
Procedure
Step 1 Run:
system-view

Step 2 Run:
date2 ] }

----End
Creating an Advanced ACL6

This section describes how to create a numbered ACL6 with the number ranging from 3000 to
3999, and a named ACL6 with the number ranging from 42768 to 75535.
Context
Compared with other types of ACL6s, advanced ACL6s provide richer rules for filtering packets
more flexibly.
An advanced ACL6 can define rules based on packets' protocol types, source/destination IP
For details on the rules supported by each type of ACL6, see ACL6 rules.
Advanced ACL6s include numbered advanced ACL6s and named advanced ACL6s.
l
The number of a numbered advanced ACL6 ranges from 3000 to 3999.
The number of a named advanced ACL6 ranges from 42768 to 75535. By default, the
system automatically allocates numbers to named advanced ACL6s. The functions of
named ACL6s can be easily understood by their names, and the rules supported by named
ACL6s are the same as those supported by numbered ACL6s.
Issue 02 (2013-12-31)

2028

Equipment
7 IP Services
When creating an advanced ACL6, you can configure description for it so that other users can
view and quickly learn about the configuration of this ACL6.
An ACL6 step is the difference between two automatically allocated ACL6 rule numbers
(auto configured in Step 2).
Procedure
Step 1 Run:
system-view

Step 2 Run:
acl ipv6 { [ number ] acl-number1 | name acl-name [ number acl-number2 ] } [ matchorder { auto | config } ]
An advanced ACL6 is created and the view of the advanced ACL6 is displayed.
description text
The ACL6 description is configured.

The length of the description is a maximum of 127 characters.
step step
The step size of ACL6 rules is set.

The undo step command allows the system to restore the default ACL6 step size of 5 and rearrange ACL6 rule numbers.
----End
Configuring an Advanced ACL6 Rule

An advanced ACL6 defines rules based on packets' source IP addresses, destination IP addresses,
Context
When you configure an advanced ACL6:
l
If a specific destination IP address (destination in Step 3), destination port number

(destination-port in Step 3), source IP address (source in Step 3), and source port number
(source-port in Step 3), the system filters only packets with the specified destination IP
address, destination port number, source IP address, and source port number.
If all destination IP addresses, destination port numbers, source IP addresses, and source
port numbers are specified (any in Step 3), the system will not check packets' destination
IP addresses, destination port numbers, source IP addresses, and source port numbers, and
considers that all packets have matched the rule and directly takes an action (deny or
permit) on the packets.
Issue 02 (2013-12-31)

2029

Equipment
7 IP Services
NOTE
Procedure
Step 1 Run:
system-view

Step 2 Run:
acl ipv6 { [ number ] ACL6-number1 | name ACL6-name [ number acl6-number2 ] }
The view of the advanced ACL6 is displayed.

l If protocol is TCP, run the following commands to create ACL6 rules.
rule [ rule-id ] { deny | permit } protocol [ [ traffic-class traffic-class | dscp dscp |
[ precedence precedence | tos tos ] * ] | destination { destination-ipv6-address prefixlength | destination-ipv6-address/prefix-length | any } | destination-port operator port |
fragment | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length
| any } | source-port operator port | time-range time-name | vpn-instance vpn-instancename ] *
l If protocol is UDP, run the following commands to create ACL6 rules.
[ precedence precedence | tos tos ] * ] | destination { destination-ipv6-address prefixlength | destination-ipv6-address/prefix-length | any } | destination-port operator port |
fragment | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length
| any } | source-port operator port | time-range time-name | vpn-instance vpn-instancename ] *
l If protocol is ICMP6, run the following commands to create ACL6 rules.
[ precedence precedence | tos tos ] * ] | destination { destination-ipv6-address prefixlength | destination-ipv6-address/prefix-length | any } | fragment | icmpv6-type { icmp6type-name | icmp6-type [ icmp6-code ] } | source { source-ipv6-address prefix-length |
source-ipv6-address/prefix-length | any } | time-range time-name | vpn-instance vpninstance-name ] *
l If protocol is a protocol that is not TCP, UDP, or ICMPv6, run the following commands to
create ACL6 rules.
[ precedence precedence | tos tos ] * ] | destination { destination-ipv6-address prefixlength | destination-ipv6-address/prefix-length | any } | fragment | source { source-ipv6address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name |
vpn-instance vpn-instance-name ] *
Issue 02 (2013-12-31)

2030

Equipment
7 IP Services
l Different ACL6s can be created based on different protocol types. The parameters specified
in the protocol-specific ACL6s vary. For example, if the protocol type is TCP or UDP in an
ACL6 rule, [ source-port operator port ] and [ destination-port operator port ] can be
specified in the ACL6 rule. If the protocol type is not TCP or UDP in an ACL6 rule, neither
[ source-port operator port ] nor [ destination-port operator port ] can be specified in the
ACL6 rule.
----End
Applying an Advanced ACL6

Advanced ACL6s can be used in routing policies, multicast packet filtering, and QoS services.
Context
Table 7-7 shows the typical applications of advanced ACL6s.
Table 7-7 Typical applications of advanced ACL6s
Typical
Application
Usage Scenario
Operation
Device
management
To restrict the incoming

or outgoing calls on VTY
user interfaces, you can
configure an advanced
ACL6.
For details on how to configure restriction on

incoming and outgoing calls on VTY user
Incoming and Outgoing Calls on VTY User
Interfaces.
Application of
Advanced
ACL6s in
routing policies

an Advanced ACL6 on
the router to allow the
router to receive or
advertise only the routes
that match the ACL6
rules.

see
l Configuring OSPFv3 to Import
External Routes
l Configuring OSPFv3 to Filter the
Received Routes
l Configuring RIPng to Import External
Routes
l Configuring RIPng to Filter the
Received Routes
l Configuring IPv6 IS-IS to Import
External Routes
l Configuring IPv6 IS-IS to Filter the
Received Routes
l Configuring the Policy for Advertising
l Configuring the Policy for Receiving
Issue 02 (2013-12-31)

2031

Equipment
7 IP Services
Typical
Application
Usage Scenario
Operation
QoS services
To process different types

of traffic, you can
configure an Advanced
ACL6 to perform traffic
policing, traffic shaping,
or traffic classification on
the traffic that matches
the ACL6 rules.
For details on how to configure traffic policies

for different types of traffic, see Configuring
a Traffic Policy Based on Complex Traffic
Classification

After an advanced ACL6 is configured, you can view its configuration.
Prerequisites
The advanced ACL6 has been configured.
Procedure
l
Run the display acl ipv6 { name acl-name | acl6-number | all } command to check the
configured ACL6.
range.
----End
Example
Advanced IPv6 ACL 3100, 3 rules
rule 0 permit icmpv6 (2 times matched)
rule 1 permit ipv6 source 3001::/16 destination 4001::/16 (1 times matched)
rule 2 permit tcp source 5001::/16 (0 times matched)
10:00 to 12:00 daily
from 13:00 2006/4/1 to 23:59 2099/12/31
14:00 to 00:00 daily
Issue 02 (2013-12-31)

2032

Equipment
7 IP Services
7.6.4 Configuring an Interface-based ACL6

An interface-based ACL6 defines rules based on packets' inbound interfaces.
Before You Start

Before configuring an interface-based ACL6, familiarize yourself with the usage scenario,
Usage Scenario
An interface-based ACL6 is used to filter debugging information.
Before configuring an interface-based ACL6, complete the following task:
l
Configuring the link layer protocol parameters and IP addresses for interfaces to ensure
that the link layer protocol on the interfaces is Up
Data Preparation
To configure an interface-based ACL6, you need the following data.
No.
Data
(Optional) Name of the time range in which the interface-based ACL6 takes effect,
and the start time and end time in the time range
Number, (optional) description
Number of each interface-based ACL6 rule, and type and number of the interface to
which the ACL6 is applied

Context
l
cyclic.
Issue 02 (2013-12-31)

2033

Equipment
7 IP Services
configured.
Procedure
Step 1 Run:
system-view

Step 2 Run:
date2 ] }

----End
Creating an Interface-based ACL6

This section describes how to create an ACL6 with the number ranging from 1000 to 1999.
Context
An interface-based ACL6 defines rules based on the inbound interfaces of received packets. For
details on the rules supported by each type of ACL6, see ACL6 rules.
Both an interface-based ACL6 and a basic ACL6 can define rules based on the packet source:
l
Interface-based ACL6: defines rules based on packets' inbound interfaces.
Basic ACL6: defines rules based on packets' source IP addresses.
If packets' source IP addresses vary frequently, defining ACL6 rules based on source IP
addresses will become complicated. You can use an interface-based ACL6 to filter packets.
When creating an interface-based ACL6, you can configure description for it so that other users
can view and quickly learn about the configuration of this ACL6.
Procedure
Step 1 Run:
system-view

Step 2 Run:
An interface-based ACL6 is created and the view of the interface-based ACL6 is displayed.
Issue 02 (2013-12-31)

2034

Equipment
7 IP Services

description text
The description is configured for the ACL6.

----End
Configuring an Interface-based ACL6 Rule

An interface-based ACL6 defines rules based on packets' inbound interfaces.
Context
When you configure an interface-based ACL6:
l
If a specific interface is specified (interface in Step 3), the system filters only packets
received by this specified interface.
If all interfaces are specified (any in Step 3), the system will not check packets' inbound
interfaces, and considers that all packets have matched the rule and directly takes an action
(deny or permit) on the packets.
NOTE
Procedure
Step 1 Run:
system-view

Step 2 Run:
The view of the interface-based ACL6 is displayed.

Step 3 Run:
any } [ time-range time-name ]
A rule is configured for the interface-based ACL6.

----End

After an interface-based ACL6 is configured, you can view its configuration.
Issue 02 (2013-12-31)

2035

Equipment
7 IP Services
Prerequisites
The interface-based ACL6 has been configured.
Procedure
l
Run the display acl ipv6 { name acl-name | acl6-number | all } command to check the
configured ACL6.
range.
----End
Example
Interface Based IPv6 ACL 1100, 1 rule
rule 1 permit interface GigabitEthernet1/0/0 time-range dd(Inactive)
10:00 to 12:00 daily
from 13:00 2011/4/1 to 23:59 2099/12/31
14:00 to 00:00 daily
7.6.5 Maintaining ACL6

This section describes how to maintain an ACL6. Detailed operations include deleting ACL6
statistics and monitoring the ACL6 operation.
Resetting ACL6 Statistics

This section describes how to reset ACL6 statistics using a reset command.
Context
NOTICE
ACL6 statistics cannot be restored after being cleared. Exercise caution when running a reset
command.
Issue 02 (2013-12-31)

2036

Equipment
7 IP Services
Procedure
Step 1 Run the reset acl ipv6 counter { acl6-number | name acl6-name | all } command in the user
view to reset ACL6 statistics.
----End
Monitoring the ACL6 Status

This section describes how to monitor the ACL6 status using display commands.
Context
In routine maintenance, run the following commands in any view to view the ACL6 status.
Procedure
l
Run the display acl ipv6 { name acl-name | acl6-number | all } command to view the
ACL6 status.
Run the display time-range { time-name | all } command to view the time range status.
----End

These configuration examples provide networking requirements, configuration roadmap, and
data preparation.
Example for Configuring an ACL6 to Filter IPv6 Packets

This section provides an example for configuring an ACL6 and IPv6 packet filtering.
As shown in Figure 7-16, ATN A and ATN B are connected through GE interfaces. Configure
ACL6 rules on ATN A to prevent the IPv6 packets with the source IP address 3001::2 from
entering GE0/2/0 of ATN A.
Figure 7-16 Networking diagram of configuring an ACL6 to filter IPv6 packets
GE0/2/0
3001::1/64
ATN A
GE0/2/0
3001::2/64
Loopback2
3002::2/64
ATN B
Issue 02 (2013-12-31)

2037

Equipment
1.
Define an ACL6 number.
2.
Define rules in the ACL6.
7 IP Services
Data Preparation
l
ACL6 number
Source IPv6 address denied by the ACL6 rule
Procedure
Step 1 Enable IPv6 forwarding capabilities on ATN A and ATN B, configure interface parameters, and
check connectivity between them.
# Configure ATN A.
[ATNA] ipv6
[ATNA-GigabitEthernet0/2/0] undo
0/2/0
enable
address 3001::1 64
shutdown
# Configure a static route on ATN A.

[ATNA] ipv6 route-static 3002:: 64 3001::2
# Configure ATN B.
[ATNB] ipv6
[ATNB] interface loopback 2
[ATNB-LoopBack2] ipv6 enable
[ATNB-LoopBack2] ipv6 address 3002::2 64
[ATNB-LoopBack2] quit
[ATNB-GigabitEthernet0/2/0] ipv6 enable
[ATNB-GigabitEthernet0/2/0] ipv6 address 3001::2 64
# Ping GigabitEthernet 0/2/0 of ATN A from GigabitEthernet 0/2/0 of ATN B.

[ATNB] ping ipv6 -a 3001::2 3001::1
Reply from 3001::1
Reply from 3001::1
Reply from 3001::1
Reply from 3001::1
Reply from 3001::1
0.00% packet loss
Issue 02 (2013-12-31)

2038

Equipment
7 IP Services
The ping succeeds without timeout or abnormal delay.

# Ping GigabitEthernet 0/2/0 of ATN A from loopback2 of ATN B.
[ATNB] ping ipv6 -a 3002::2 3001::1
Reply from 3001::1
Reply from 3001::1
Reply from 3001::1
Reply from 3001::1
Reply from 3001::1
0.00% packet loss

Step 2 Create an ACL6 rule and apply the rule on the interface to prevent the IPv6 packets from 3001::2.
# Configure ATN A.
[ATNA] acl ipv6 number 3001
[ATNA-acl6-adv-3001] rule deny ipv6 source 3001::2/128
[ATNA-acl6-adv-3001] quit

# Ping GigabitEthernet0/2/0 of ATN A from GigabitEthernet0/2/0 of ATN B.
[ATNB] ping ipv6 -a 3001::2 3001::1
Request time out
Request time out
Request time out
Request time out
Request time out
100.00% packet loss
The ping fails.

# Ping GigabitEthernet0/2/0 of ATN A from loopback2 of ATN B.
[ATNB] ping ipv6 -a 3002::2 3001::1
Reply from 3001::1
Reply from 3001::1
Reply from 3001::1
Reply from 3001::1
Reply from 3001::1
Issue 02 (2013-12-31)

2039

Equipment
7 IP Services

0.00% packet loss

----End
Configuration Files
l

#
sysname ATNA
#
ipv6
#
acl ipv6 number 3001
rule 0 deny ipv6 source 3001::2/128
#
link-protocol ppp
undo shutdown
ipv6 enable
#
ipv6 route-static 3002:: 64 3001::2
#
return

#
sysname ATNB
#
ipv6
#
link-protocol ppp
undo shutdown
ipv6 enable
#
interface LoopBack2
ipv6 enable
#
return
7.7 Glossary
A
Access Control List
Issue 02 (2013-12-31)
A list composed of multiple sequential permit/deny statements.

In firewall, after ACL is applied to an interface on the device, the
device decides which packet can be forwarded and which packet
should be denied. In QoS, ACL is used to classify traffic.

2040

Equipment
7 IP Services
Acknowledge
To confirm an action. The acknowledgement (ACK) message is

sent from one device to another.
Address Resolution
Protocol
A protocol used to map an IP Address to a MAC address, as

defined in RFC 826.
ATM
An asynchronous Transfer Mode. It is a data transmission

technology in which data (files, voice and video) is transferred in
cells with a fixed length (53 Bytes). The fixed length makes the
cell be processed by the hardware. The object of ATM is to use
high-speed transmission medium such as E3, Synchronous
Optical Network(SONET) and T3.
B
Broadcast
To send packets to all ports of the nodes in the network.
D
Domain name
A name composed of numbers or characters. Each domain name

corresponds to an IP address.
Dotted decimal notation
A format of IP address. IP addresses in this format are separated

into four parts by a dot "." with each part is in the decimal numeral.
E
Ethernet
A technology complemented in LAN. It adopts Carrier Sense

Multiple Access/Collision Detection. The speed of an Ethernet
interface can be 10 Mbit/s, 100 Mbit/s, 1000 Mbit/s or 10000
Mbit/s. The Ethernet network features high reliability and easy
maintaining..
F
An application layer protocol based on TCP/IP. It is used to

transfer large amounts of data reliably between the user and the
remote host. FTP is implemented based on corresponding file
system.
I
IPv6
A update version of IPv4. It is also called IP Next Generation

(IPng). The specifications and standardizations provided by it are
consistent with the Internet Engineering Task Force
(IETF).Internet Protocol Version 6 (IPv6) is also called. It is a
new version of the Internet Protocol, designed as the successor to
IPv4. The specifications and standardizations provided by it are
consistent with the Internet Engineering Task Force (IETF).The
difference between IPv6 and IPv4 is that an IPv4 address has 32
bits while an IPv6 address has 128 bits.
Issue 02 (2013-12-31)

2041

Equipment
Local Area Network
7 IP Services
A network intended to serve a small geographic area, (few square

kilometers or less), a single office or building, or a small defined
group of users. It features high speed and little errors. Ethernet,
FDDI and Token Ring are three technologies implemented in
LAN.
M
MAC address
A link layer address or physical address. It is six bytes long.
MTU
A maximum size of packets that an interface can process. It is in

bytes
N
Neighbor Discovery
A process to discover neighboring modes.
P
Ping
To test the reachability of a device in the network through ICMP

Echo message.
Policy-based Routing
A routing mechanism based on user-defined policies. It can

implement secure communication and load balancing.
PPP
A serial point to point link used for special transmission between

two devices.
R
Router
A device running on the network layer. After receiving a packet,

the device searches the routing table for a proper route and sends
the packet to the next hop. The last hop device sends the packet
to the host directly.
T
Telnet
An application layer protocol based on TCP/IP. It implements

remote login and virtual terminal. It
Time Range
A special time period.
Traffic
A group of packets sent from the source to the destination and

matching certain classification.
Tunnel
In VPN, it is a transport tunnel set up between two entities to

prevent interior users from interrupting and ensure security.
U
Unicast
To send packets to one destination network.
V
VPN
Issue 02 (2013-12-31)
Virtual Private Network (VPN). It implements an apparent single

private network (as seen by the user), over a number of separate
public and private networks. Virtual indicates that this kind of
network is a logical network.

2042

Equipment
VRP
7 IP Services
Versatile Routing Platform. It is a versatile operating system

platform developed by Huawei.
W
Wide Area Network
A network that covers a large geographic area, such as a country

or a state. Devices in this network are connected through certain
protocol or physical links.
X
X.25
A data link layer protocol. It defines the communication in the

Public Data Network (PDN) between a host and a remote
terminal.

A
AAA
ACK
Acknowledgement
ASCII
American Standard Code for Information Interchange
ATM
B
BGP
C
CIDR
Classless Inter-Domain Routing
D
DHCP
DLCI
DNS
Domain Name System
DOS
Denial of Service
DAD
Duplicate Address Detect
E
EBGP
External BGP
F
FEC
Issue 02 (2013-12-31)
Forward Error Correction

2043

Equipment
FIB
7 IP Services
Forward Information Base
G
GRE
H
HDLC
HTTP
I
IBGP
Internal BGP
ICMP
Internet Control Message Protocol
IEEE
IETF
IGP
Interior Gateway Protocol
IP
Internet Protocol
IPoEoA
IS-IS
Intermediate System-Intermediate System
ISP
L
LDP
LSP
Label Switch Path
M
MAC
MED
Multi-Exit discrimination
MPLS
Multi-Protocol Label Switching
N
NAT-PT
Network Address Translation - Protocol Translation
NIC
Network Information Center
O
OSPF
Issue 02 (2013-12-31)
PC
Personal Computer
PE
Provider Edge

2044

Equipment
POS
PPP
PVC
7 IP Services
Q
QoS
Quality of Service
R
RIP
S
SLIP
SNMP
SVC
T
TCP
TFTP
ToS
Type of Service
TTL
Time To Live
U
UDP
URPF
Unicast Reverse Path Forwarding
V
VLAN
VPN
VRP
VRRP
VT
Virtual-Template
Issue 02 (2013-12-31)
WINS
Windows Internet Name Service
WWW
World Wide Web

2045

Equipment
8 IP Routing
IP Routing
About This Chapter

The document describes the configuration methods of IP routing in terms of basic principles,
implementation of protocols, configuration procedures and configuration examples for the IP
routing of the ATN equipment.
8.1 IP Routing Basic Configuration
This chapter describes IP routing, which functions as the basis for data communication networks.
8.2 IP Static Route Configuration
Static routes are commonly used on simple networks. Properly configuring and using static
routes improves network performance and ensures that enough bandwidth is available for
important services.
8.3 RIP Configuration
RIP can advertise and receive routes to affect the selection of data forwarding paths, and can
provide the network management function. RIP is commonly used on small-scale networks.
8.4 RIPng Configuration
RIPng is an extension of RIP for support of IPv6.
8.5 OSPF Configuration
OSPF, which is developed by the IETF, is a link-state IGP. OSPF is widely used in access
networks and MANs.
8.6 OSPFv3 Configuration
By building Open Shortest Path First Version 3 (OSPFv3) networks, you can enable OSPFv3
to discover and calculate routes in ASs. OSPFv3 is applicable to a large-scale network that
consists of hundreds of routers.
8.7 IS-IS Configuration
This chapter describes the basic principle of IS-IS and procedures for configuring IS-IS, and
provides configuration examples.
8.8 BGP Configuration
BGP is used between ASs to transmit routing information on large-scale and complex networks.
8.9 BGP4+ Configuration
Issue 02 (2013-12-31)

2046

Equipment
8 IP Routing
BGP4+, which is applicable to the large-scale IPv6 network with a complicated structure, is used
between ASs to transmit routing information.
8.10 Routing Policy Configuration
Routing policies are used to filter routes to change the path through which network traffic passes.
8.11 A Glossary
Issue 02 (2013-12-31)

2047

Equipment
8 IP Routing
8.1 IP Routing Basic Configuration

This chapter describes IP routing, which functions as the basis for data communication networks.
8.1.1 Routing Management

To forward data, ATNs need to establish and refresh routing tables and forward packets
according to the information in routing tables.
Displaying of the Routing Table

Routing tables are one of the best sources of information about a network. Checking these tables
helps you locate faults.
Prerequisites
The following lists common commands for displaying information about the routing table.
Note that display commands can be run in all views.
Procedure
l
For IPv4 routing table:

Run the display ip routing-table command to check brief information about current
active routes.
Run the display ip routing-table verbose command to check detailed information
about the IP routing table.
Run the display ip routing-table ip-address [ mask | mask-length ] [ longer-match ]
[ verbose ] command to check the routes to a specified destination address.
Run the display ip routing-table ip-address1 { mask1 | mask-length1 } ip-address2
{ mask2 | mask-length2 } [ verbose ] command to check the routes whose destination
addresses are within a specified address range.
Run the display ip routing-table acl { acl-number | acl-name } [ verbose ] command
to check the routes filtered by a specified basic ACL.
Run the display ip routing-table ip-prefix ip-prefix-name [ verbose ] command to
check the routes filtered by a specified IP prefix list.
Run the display ip routing-table protocol protocol [ inactive | verbose ] command to
check the routes discovered by a specified protocol.
Run the display ip routing-table statistics command to check statistics about the IP
routing table.
Run the display ip routing-table vpn-instance vpn-instance-name command to check
brief information about the VPN routing table.
Run the display ip routing-table vpn-instance vpn-instance-name verbose command
to check detailed information about the VPN routing table.
----End
Issue 02 (2013-12-31)

2048

Equipment
8 IP Routing
Displaying of the Routing Management Module

You can use display commands of the routing management (RM) module to locate routing
problems.
Context
The display commands can be run in all views.
Procedure
l
Run the display rm interface [ interface-type interface-number ] command to check RM

information about a specified interface.
Run the display rm interface vpn-instance vpn-instance-name command to check RM

information about the private network interface.
----End
FRR Principle
FRR is a technique that allows the physical layer or data link layer to report a fault (if any) to
the upper layer routing system so that packets are forwarded over a backup link.
Context
On traditional IP networks, after a forwarding device such as the router detects a fault on the
lower layer link, it takes the routing system several seconds to complete route convergence (to
re-select an available route).
A second-level convergence may interrupt the services that are extremely sensitive to packet
loss and delay. For example, Voice over IP (VoIP) service can tolerate a maximum of 50 ms of
network interruption.
Therefore, to prevent services from being seriously affected by link faults, the forwarding system
must be able to detect and rectify faults and restore the affected services immediately.
Fast Reroute (FRR) is applicable to the services that are sensitive to packet loss and delay. After
FRR is configured, when a fault is detected at the lower layer (physical layer or link layer), the
fault is reported to the upper layer routing system. Meanwhile, packets are forwarded over a
backup link. Therefore, the impact of link faults on services is minimized.
NOTE
Bidirectional forwarding detection (BFD) detects faults quickly and monitors the forwarding and
connectivity of links or IP routes of the network. FRR needs to be associated with BFD to achieve fast fault
discovery, in order to immediate switchover to the backup link.
According to the application scope, FRR is classified into IP FRR and VPN FRR. IP FRR can
be further classified into public network IP FRR and VPN IP FRR.
l
Public network IP FRR: protects ATNs on the public network.
VPN IP FRR: protects Customer Edges (CEs).
VPN FRR: protects Provider Edges (PEs).
For detailed introduction of FRR, see the Feature Description- IP Route.

Issue 02 (2013-12-31)

2049

Equipment
8 IP Routing
For detailed configuration of VPN IP FRR and VPN FRR, see the Configuration Guide VPN.
FRR can provide backup for direct, static, and dynamic routes (including OSPF, IS-IS, and BGP
routes) of ATNs.
8.1.2 Configuring Public Network IP FRR

Public network IP FRR is applicable to the services that are sensitive to packet loss and delay
Before You Start

Before configuring public network IP FRR, familiarize yourself with the usage scenario,
Public network IP Fast Reroute (FRR) is applicable to the services that are sensitive to packet
loss and delay on the public network.
Before configuring public network IP FRR, complete the following tasks:
l
Configure a static route or an IGP to ensure that nodes are reachable.
Set different costs to generate two routes.
Data Preparation
To configure public network IP FRR, you need the following data.
No.
Data
Name of the route-policy and the number of the node
Outbound interface of the backup route
Next hop of the backup route
Configuring a Route-Policy
When configuring public network IP FRR, you can use a route-policy to correctly establish the
backup relationship between routes.
Context
Perform the following steps on the ATN to which public network IP FRR is applied:
Issue 02 (2013-12-31)

2050

Equipment
8 IP Routing
Procedure
Step 1 Run:
system-view

Step 2 Run:
route-policy route-policy-name { permit | deny } node node
The node of the route-policy is created and the route-policy view is displayed.
if-match
The matching condition is set to filter the routes to be backed up.

You can use the if-match command according to the description in (Optional) Configuring
the If-Match Clause.
If the matching condition is not set, IP FRR backs up outbound interfaces and next hops for all
routes in the routing table. In this manner, certain routes that do not need to be backed up are
also configured with backup information. Therefore, you need to correctly set the relationship
between routes to be backed up and backup routes. Using the matching condition to specify the
routes to be backed up is recommended.
Step 4 Run:
apply backup-interface interface-type interface-number
The backup outbound interface is specified.

Step 5 Run:
apply backup-nexthop ip-address
The backup next hop is specified.

NOTE
l If a backup next hop is specified, a backup outbound interface also needs to be specified.
l If a backup outbound interface is specified on a Point-to-Point (P2P) link, no backup next hop needs
to be specified.
l If a backup outbound interface is specified on a non-P2P link, a backup next hop also needs to be
specified.
----End
Enabling Public Network IP FRR

After IP FRR is configured on the public network, service traffic can be switched to the backup
link immediately after the primary link fails. This ensures the normal transmission of service
traffic.
Context
Perform the following steps on the ATN to which public network IP FRR is applied:
Issue 02 (2013-12-31)

2051

Equipment
8 IP Routing
Procedure
Step 1 Run:
system-view

Step 2 Run:
ip frr route-policy route-policy-name
IP FRR is enabled.
Before applying IP FRR, use this command to enable IP FRR. In this manner, the route-policy
used to specify backup outbound interfaces and backup next hops can take effect.
Only one route-policy can be applied at a time. If the ip frr command is run more than once,
the latest configuration overrides the previous one.
----End

After public network IP FRR is configured, you can check backup information about routes.
Prerequisites
Public network IP FRR has been configured.
Procedure
l
Run the display route-policy [ route-policy-name ] command to check the route-policy.
Run the display ip routing-table verbose command to check backup outbound interfaces
and backup next hops of all routes in the routing table.

verbose command to check the backup outbound interface and the backup next hop of a
specified route in the routing table.
Run the display ip routing-table ip-address1 { mask1 | mask-length1 } ip-address2

{ mask2 | mask-length2 } verbose command to check the backup outbound interfaces and
the backup next hops of the routes in the address range determined by ip-address1 and ipaddress2 in the routing table.
----End
Example
Run the display ip routing-table ip-address verbose command to view the backup outbound
interface and the backup next hop in the routing table. An example command output is as follows:
<HUAWEI> display ip routing-table 172.17.1.0 verbose
-----------------------------------------------------------------------------Routing Table : Public
Summary Count : 1
Destination: 172.17.1.0/24
Protocol: OSPF
Issue 02 (2013-12-31)
Process ID: 1

2052

Equipment
Preference:
NextHop:
State:
Tag:
Label:
IndirectID:
RelayNextHop:
TunnelID:
BkNextHop:
BkLabel:
BkPETunnelID:
BkIndirectID:
8 IP Routing
10
Cost: 3
192.168.10.2
Neighbour: 0.0.0.0
Active Adv
Age: 00h06m49s
0
Priority: low
NULL
QoSInfo: 0x0
0x0
0.0.0.0
Interface: GigabitEthernet0/2/0
0x0
Flags: D
192.168.20.2 BkInterface: GigabitEthernet0/2/4
NULL
SecTunnelID: 0x0
0x0
BkPESecTunnelID: 0x0
0x0
8.1.3 Configuring the Advertisement of IPv4 ARP Vlink Direct

Routes on the Public Network
Advertising IPv4 ARP Vlink direct routes on the public network allows precise control of data
traffic.
Before You Start

Before advertising IPv4 ARP Vlink direct routes on the public network, familiarize yourself
with the usage scenario, and complete the pre-configuration tasks, and obtain the data required
for the configuration.
IP packets are forwarded through a specified physical interface, but cannot be forwarded through
a VLANIF interface. If packets reach a VLANIF interface, the device obtains information about
the physical interfaces using IPv4 ARP and generates relevant routing entries. The routes
recorded by the routing entries are called IPv4 ARP Vlink direct routes.
In most cases, IPv4 ARP Vlink direct routes are used only to guide local traffic forwarding and
are not advertised. In this manner, the scale and stability of the routing table can be controlled.
In certain situations, however, different operations have to be performed on specific routes of
VLAN users (for example, different traffic export policies have to be applied to the specific
routes to direct remote traffic). IPv4 ARP Vlink direct routes need to be imported to the dynamic
routing protocol and advertised to the remote end.
As shown in Figure 8-1, ATN D uses VLANIF interfaces to connect to ATNs A, B, and C at
three sites. ATN E only needs to communicate with ATN B, but not with ATN A or ATN C.
You can configure ATN D to advertise IPv4 ARP Vlink direct routes and configure a routepolicy on ATN D to filter out routes to the network segment of the VLAN for which the VLANIF
interfaces are configured and filter out routes to ATN A and ATN C.
Issue 02 (2013-12-31)

2053

Equipment
8 IP Routing
Figure 8-1 Networking diagram of advertising IPv4 ARP Vlink direct routes on the public
network
192.168.0.3/24
ATNA
192.168.0.4/24
SwitchA
ATND
BGP
VLANIF10
192.168.0.2/24
ATNB
VLANIF10
192.168.0.1/24
192.168.0.5/24
ATNE
ATNC
Before advertising IPv4 ARP Vlink direct routes on the public network, complete the following
task:
l
Configuring parameters of a link layer protocol and assigning an IP address to each interface
to ensure that the link layer protocol on the interfaces is Up
Data Preparation
To advertise IPv4 ARP Vlink direct routes on the public network, you need the following data.
No.
Data
(Optional) Route-policy name and node ID
Enabling the Advertisement of IPv4 ARP Vlink Direct Routes

IPv4 ARP Vlink direct routes can be imported to and advertised by a dynamic protocol only if
advertising IPv4 ARP Vlink direct routes is enabled. Advertising IPv4 ARP Vlink direct routes
allows the remote device to precisely control traffic.
Context
Before IPv4 ARP Vlink direct routes are advertised, a route-policy can be configured to filter
the advertised routes and only routes that match the route-policy can be advertised. In this
manner, data traffic can be precisely controlled.
Perform the following steps on the ATN on which IPv4 ARP Vlink direct routes need to be
advertised:
Issue 02 (2013-12-31)

2054

Equipment
8 IP Routing
Procedure
Step 1 Run:
system-view

Step 2 Run:
arp vlink-direct-route advertise [ route-policy route-policy-name ]
Advertising IPv4 ARP Vlink direct routes is enabled.

By default, IPv4 ARP Vlink direct routes cannot be advertised.
If IPv4 ARP Vlink direct routes have to be advertised, you can specify the parameter routepolicy route-policy-name in the arp vlink-direct-route advertise command to filter the
advertised IPv4 ARP Vlink direct routes.
NOTE
At present, apply clauses cannot be used to set routing attributes for routes that match the filtering rules.
----End
Follow-up Procedure
After advertising IPv4 ARP Vlink direct routes is enabled, IPv4 ARP Vlink direct routes can be
advertised only if they are imported to a dynamic routing protocol. Perform the following steps
on the ATN based on the type of the dynamic routing protocol:
l
If RIP is used, run the import-route direct [ cost cost | route-policy route-policy-name ]
command to import IPv4 ARP Vlink direct routes to RIP.
If OSPF is used, run the import-route direct [ cost cost | route-policy route-policyname | tag tag | type type ] * command to import IPv4 ARP Vlink direct routes to OSPF.
If IS-IS is used, run the import-route direct [ cost-type { external | internal } | cost
cost | tag tag | route-policy route-policy-name | [ level-1 | level-2 | level-1-2 ] ] * command
to import IPv4 ARP Vlink direct routes to IS-IS.
If BGP is used, run the import-route direct [ med med | route-policy route-policyname ] * command to import IPv4 ARP Vlink direct routes to BGP.

After the advertisement of IPv4 ARP Vlink direct routes has been configured successfully, view
information about advertised IPv4 ARP Vlink direct routes on the public network.
Prerequisites
The advertisement of IPv4 ARP Vlink direct routes on the public network has been configured.
Procedure
l

[ verbose ] command to check information about advertised IPv4 ARP Vlink direct routes
----End
Issue 02 (2013-12-31)

2055

Equipment
8 IP Routing
Example
# Run the display ip routing-table ip-address mask-length verbose command to view detailed
information about the IPv4 ARP Vlink direct route 10.1.1.4/32.
<HUAWEI> display ip routing-table 10.1.1.4 32 verbose
Summary Count : 1
Protocol: Direct
Preference: 0
NextHop: 10.1.1.4
State: Active Adv
Tag: 0
Label: NULL
IndirectID: 0x0
RelayNextHop: 0.0.0.0
TunnelID: 0x0
Process ID: 0
Cost: 0
Neighbour: 0.0.0.0
Age: 03h43m20s
Priority: high
QoSInfo: 0x0
Interface: Vlanif10
Flags: D
The command output shows that the route status is Active Adv, indicating that the route is active
and can be advertised.
8.1.4 Configuring the Advertisement of IPv6 NDP Vlink Direct

Routes on the Public Network
On an IPv6 public network, advertising IPv6 neighbor discover protocol (NDP) Vlink direct
routes allows precise control of data traffic.
Before You Start

Before advertising IPv6 NDP Vlink direct routes on the public network, familiarize yourself
with the usage scenario, complete the pre-configuration tasks, and obtain the data required for
the configuration.
IP packets are forwarded through a specified physical interface, but cannot be forwarded through
a VLANIF interface. If packets reach a VLANIF interface, the device obtains information about
the physical interfaces using IPv6 NDP and generates relevant routing entries. The routes
recorded by the routing entries are called IPv6 NDP Vlink direct routes.
In most cases, IPv6 NDP Vlink direct routes are used only to guide local traffic forwarding and
are not advertised. In this manner, the scale and stability of the routing table can be controlled.
In certain situations, however, different operations have to be performed on specific routes of
VLAN users (for example, different traffic export policies have to be applied to the specific
routes to direct remote traffic). In this case, some IPv6 NDP Vlink direct routes need to be
imported to the dynamic routing protocols and advertised to the remote end.
As shown in Figure 8-2, ATN D uses VLANIF interfaces to connect to ATNs A, B, and C at
three sites. ATN E only needs to communicate with ATN B, but not with ATN A and ATN C.
You can configure ATN D to advertise IPv6 NDP Vlink direct routes and configure a routepolicy on ATN D to filter out routes to the network segment of the VLAN for which the VLANIF
interfaces are configured and filter out routes to ATN A and ATN C.
Issue 02 (2013-12-31)

2056

Equipment
8 IP Routing
Figure 8-2 Networking diagram of advertising IPv6 NDP Vlink direct routes on the public
network
ATN-A
2001::3/64
ATN-B
ATN-D
SwitchA
BGP
2001::4/64
VLANIF10
2001::2/64
VLANIF10
2001::1/64
ATN-E
ATN-C
2001::5/64
Before advertising IPv6 NDP Vlink direct routes on the public network, complete the following
task:
l
Configuring parameters of a link layer protocol and assigning an IP address to each interface
to ensure that the link layer protocol on the interfaces is Up
Data Preparation
To advertise IPv6 NDP Vlink direct routes on the public network, you need the following data.
No.
Data
(Optional) Route-policy name and node ID
Enabling the Advertisement of IPv6 NDP Vlink Direct Routes

IPv6 NDP Vlink direct routes can be imported to dynamic routing protocols and advertised only
if the function of advertising IPv6 NDP Vlink direct routes is enabled. Advertising IPv6 NDP
Vlink direct routes allows the remote device to precisely control traffic.
Issue 02 (2013-12-31)

2057

Equipment
8 IP Routing
Context
Before IPv6 NDP Vlink direct routes are advertised, a route-policy can be used to filter the
advertised routes and only routes that pass the filtering can be advertised. In this manner, data
traffic can be precisely controlled.
Perform the following steps on the ATN on which IPv6 NDP Vlink direct routes need to be
advertised:
Procedure
Step 1 Run:
system-view

Step 2 Run:
ipv6 nd vlink-direct-route advertise [ route-policy route-policy-name ]
Advertising IPv6 NDP Vlink direct routes is enabled.

By default, IPv6 NDP Vlink direct routes cannot be advertised.
If IPv6 NDP Vlink direct routes have to be advertised, you can specify the parameter routepolicy route-policy-name in the ipv6 nd vlink-direct-route advertise command to filter IPv4
ARP Vlink direct routes.
NOTE
At present, apply clauses cannot be used to set routing attributes for routes that match the filtering rules.
----End
Follow-up Procedure
After advertising IPv6 NDP Vlink direct routes is enabled, IPv6 NDP Vlink direct routes can
be advertised only if they are imported to dynamic routing protocols. Perform the following
steps on the ATN based on the type of the dynamic routing protocol:
l
If RIPng is used, run the import-route direct [ cost cost | route-policy route-policyname ] * command to import IPv6 NDP Vlink direct routes to RIPng.
If OSPFv3 is used, run the import-route direct [ cost cost | inherit-cost | route-policy
route-policy-name | tag tag | type type ] * command to import IPv6 NDP Vlink direct routes
to OSPFv3.
If IS-IS is used, run the import-route direct [ cost-type { external | internal } | cost
cost | tag tag | route-policy route-policy-name | [ level-1 | level-2 | level-1-2 ] ] * command
to import IPv6 NDP Vlink direct routes to IS-IS.
If BGP4+ is used, run the import-route direct [ med med | route-policy route-policyname ] * command to import IPv6 NDP Vlink direct routes to BGP4+.

After the advertisement of IPv6 NDP Vlink direct routes has been configured successfully, view
information about advertised IPv6 NDP Vlink direct routes on the public network.
Issue 02 (2013-12-31)

2058

Equipment
8 IP Routing
Prerequisites
All configurations relevant to the advertisement of IPv6 NDP Vlink direct routes has been
configured.
Procedure
l
Run the display ipv6 routing-table ipv6-address [ prefix-length ] [ longer-match ]

[ verbose ] command to check information about advertised IPv6 NDP Vlink direct routes
----End
Example
# Run the display ipv6 routing-table ipv6-address [ mask | mask-length ] verbose command
to view detailed information about the IPv6 NDP Vlink direct route 2000::4/128.
<HUAWEI> display ipv6 routing-table 2000::4 128 verbose
Routing Table :
Summary Count : 1
Destination :
NextHop
:
Neighbour
:
Label
:
State
:
Entry ID
:
Reference Cnt:
Priority
:
IndirectID
:
RelayNextHop :
Interface
:
2000::4
2000::4
::
NULL
Active Adv
266288988
2
high
0x0
::
Vlanif10
PrefixLength : 128
Preference
: 0
ProcessID
: 0
Protocol
: Direct
Cost
: 0
EntryFlags
: 0xa0010050
Tag
: 0
Age
: 15sec
TunnelID
Flags
: 0x0
: D
The command output shows that the route status is Active Adv, indicating that the route is active
and can be advertised.
8.1.5 Maintaining the Route Management Module

The operations of Route Management (RM) maintenance include configuring thresholds for the
number of route prefixes on a device and configuring a limit on the number of public route
prefixes.
Configuring a Limit on the Number of IPv4 Public Route Prefixes

This section describes how to configure a limit on the number of IPv4 public route prefixes to
improve system security and reliability.
Context
If the ATN imports a large number of routes, system performance may be affected when
processing services because the routes consume a lot of system resources. To improve system
security and reliability, configure a limit on the number of IPv4 public route prefixes. When the
number of IPv4 public route prefixes exceeds the limit, an alarm is generated, prompting you to
check whether unneeded IPv4 public route prefixes exist.
Issue 02 (2013-12-31)

2059

Equipment
8 IP Routing
Procedure
Step 1 Run:
system-view

Step 2 Run:
ip prefix-limit number { alert-percent [ route-unchanged ] | simply-alert }
A limit is configured on the number of IPv4 public route prefixes.

alert-percent indicates the percentage of the maximum number of IPv4 public route prefixes
that is supported. If you specify alert-percent in the command, when the number of IPv4 public
route prefixes exceeds the value calculated by number x alert-percent/100, an alarm is generated.
Additional IPv4 public route prefixes can still be added to the routing table until the number of
IPv4 public route prefixes reaches number. Subsequent route prefixes are discarded.
If you specify simply-alert in the command, additional IPv4 public route prefixes can still be
added to the routing table and only an alarm is generated after the number of IPv4 public route
prefixes exceeds number. However, when the total number of private and public route prefixes
reaches the limit on the number of unicast route prefixes specified in the PAF file, subsequent
IPv4 public route prefixes are discarded.
If you decrease alert-percent after the number of IPv4 public route prefixes exceeds number,
whether the routing table remains unchanged is determined by route-unchanged.
l If you specify route-unchanged in the command, the routing table remains unchanged.
l If you do not specify route-unchanged in the command, the system deletes the routes from
the routing table and re-adds routes.
By default, the system deletes the routes from the routing table and re-adds routes.
NOTE
After the number of IPv4 public route prefixes exceeds the limit, note the following rules:
l If you run the ip prefix-limit command to increase number or the undo ip prefix-limit command to
delete the limit, the ATN relearns IPv4 public route prefixes.
l Direct and static routes can still be added to the IP routing table.
l The snmp-agent trap enable feature-name rm command must have been run so that alarms can be
generated.

ip prefix-limit log-interval interval
An interval is specified for the system to generate logs after the number of IPv4 public route
prefixes exceeds the limit.
By default, the system generates logs at an interval of 5s after the number of IPv4 public route
You can run the command to set a larger value for the interval to decrease the frequency at which
these logs are generated.
----End
Issue 02 (2013-12-31)

2060

Equipment
8 IP Routing
Configuring a Limit on the Number of IPv6 Public Route Prefixes

This section describes how to configure a limit on the number of IPv6 public route prefixes to
improve system security and reliability.
Context
If the ATN imports a large number of routes, system performance may be affected when
processing services because the routes consume a lot of system resources. To improve system
security and reliability, configure a limit on the number of IPv6 public route prefixes. When the
number of IPv6 public route prefixes exceeds the limit, an alarm is generated, prompting you to
check whether unneeded IPv6 public route prefixes exist.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ipv6 prefix-limit number { alert-percent [ route-unchanged ] | simply-alert }
A limit is configured on the number of IPv6 public route prefixes.

alert-percent indicates the percentage of the maximum number of IPv6 public route prefixes
that is supported. If you specify alert-percent in the command, when the number of IPv6 public
route prefixes exceeds the value calculated by number x alert-percent/100, an alarm is generated.
Additional IPv6 public route prefixes can still be added to the routing table until the number of
IPv6 public route prefixes reaches number. Subsequent route prefixes are discarded.
If you specify simply-alert in the command, additional IPv6 public route prefixes can still be
added to the routing table and only an alarm is generated after the number of IPv6 public route
prefixes exceeds number. However, when the total number of private and public route prefixes
reaches the limit on the number of unicast route prefixes specified in the PAF file, subsequent
IPv6 public route prefixes are discarded.
If you decrease alert-percent after the number of IPv6 public route prefixes exceeds number,
whether the routing table remains unchanged is determined by route-unchanged.
l If you specify route-unchanged in the command, the routing table remains unchanged.
l If you do not specify route-unchanged in the command, the system deletes the routes from
the routing table and re-adds routes.
By default, the system deletes the routes from the routing table and re-adds routes.
NOTE
After the number of IPv6 public route prefixes exceeds the limit, note the following rules:
l If you run the ipv6 prefix-limit command to increase number or the undo ipv6 prefix-limit command
to delete the limit, the ATN relearns IPv6 public route prefixes.
l Direct and static routes can still be added to the IPv6 routing table.
l The snmp-agent trap enable feature-name rm command must have been run so that alarms can be
generated.
Issue 02 (2013-12-31)

2061

Equipment
8 IP Routing

ipv6 prefix-limit log-interval interval
An interval is specified for the system to generate logs after the number of IPv6 public route
By default, the system generates logs at an interval of 5s after the number of IPv6 public route
You can run the command to set a larger value for the interval to decrease the frequency at which
these logs are generated.
----End
8.1.6 Configuration Example

IP routing configuration examples provide networking requirements, networking diagrams,
configuration notes, configuration roadmap, and configuration procedures.
Example for Configuring IP FRR on the Public Network

After IP FRR on the public network is configured, traffic can be rapidly switched to the backup
link if the primary link becomes faulty.
As shown in Figure 8-3, it is required that the backup outbound interface and backup next hop
be configured on ATN-T to ensure that link B functions as the backup of link A. In this manner,
if a fault occurs on link A, traffic can be rapidly switched to link B.
Figure 8-3 Networking diagram for configuring IP FRR on the public network
GE2/0/0
192.168.11.2/24
GE1/0/0
192.168.10.2/24
GE0/2/4
192.168.10.1/24
GE0/2/1
172.16.1.1/24
ATN-T
NodeB
GE0/2/0
192.168.20.1/24
GE2/0/0
192.168.11.1/24
GE1/0/0
172.17.1.1/24
CX-C
GE3/0/0
RNC
192.168.21.1/24
CX-A
Link A
Link B
GE1/0/0
192.168.20.2/24
GE2/0/0
192.168.21.2/24
CX-B
Issue 02 (2013-12-31)

2062

Equipment
8 IP Routing
1.
Enable basic OSPF functions on each device.
2.
Set a greater cost for GE 0/2/0 of ATN-T and GE 3/0/0 of CX-C so that OSPF prefers link
A.
3.
Configure a route-policy on ATN-T, configure the backup outbound interface and backup
next hop, enable IP FRR on the public network, and check information about the backup
outbound interface and backup next hop.
4.
Check information about the backup outbound interface and backup next hop after IP FRR
is disabled.
Data Preparation
Equipment Name
Parameter Name
Parameter Value
ATN-T
the cost of 0/2/0
100
CX-C
the cost of GE3/0/0
100
ATN-T
the name of the route-policy
ip_frr_rp
ATN-T
the index of the node in the

route-policy
10
ATN-T
backup next hop
192.168.20.2
ATN-T
backup outbound interface
GE0/2/0
Configuration procedure
1.
Configure an IP address for each interface.

The configuration details are not described here.
2.
Configure OSPF on ATN-T, CX-A, CX-B, and CX-C.
3.
Set a cost on an OSPF interface.

# Set a cost on Gigabit Ethernet 0/2/0 of ATN-T so that OSPF prefers link A.
[ATN-T] interface Gigabitethernet 0/2/0
[ATN-T-GigabitEthernet0/2/0] ospf cost 100
[ATN-T-GigabitEthernet0/2/0] quit
# Set a greater cost on Gigabit Ethernet 3/0/0 of CX-C so that OSPF prefers link A.
[CX-C-GigabitEthernet3/0/0] ospf cost 100
4.
Configure a route-policy.
# Configure a route-policy on ATN-T, configure the backup outbound interface and backup
next hop, and configure an if-match clause to limit the application scope.
[ATN-T] ip ip-prefix
[ATN-T] route-policy
[ATN-T-route-policy]
Issue 02 (2013-12-31)
frr1 permit 172.17.1.1 24

ip_frr_rp permit node 10
if-match ip-prefix frr1
apply backup-nexthop 192.168.20.2
apply backup-interface gigabitethernet0/2/0

2063

Equipment
8 IP Routing
[ATN-T-route-policy] quit
5.
Enable IP FRR on the public network.

[ATN-T] ip frr route-policy ip_frr_rp
# Check information about the backup outbound interface and backup next hop on ATNT.
<ATN-T> display ip routing-table 172.17.1.0 verbose
Summary Count : 1
Protocol: OSPF
Process ID:
Preference: 10
Cost:
NextHop: 192.168.10.2
Neighbour:
State: Active Adv
Age:
Tag: 0
Priority:
Label: NULL
QoSInfo:
IndirectID: 0x0
Interface:
TunnelID: 0x0
Flags:
BkNextHop: 192.168.20.2
BkInterface:
BkLabel: NULL
SecTunnelID:
BkPETunnelID: 0x0
BkPESecTunnelID:
BkIndirectID: 0x0
6.
1
3
0.0.0.0
00h06m49s
low
0x0
D
0x0
0x0
If IP FRR is not required, run the undo ip frr command to disable IP FRR.
[ATN-T] undo ip frr
# After IP FRR is disabled, check information about the backup outbound interface and
backup next hop.
<ATN-T> display ip routing-table 172.17.1.0 verbose
Summary Count : 1
Protocol: OSPF
Preference: 10
NextHop: 192.168.10.2
State: Active Adv
Tag: 0
Label: NULL
IndirectID: 0x0
TunnelID: 0x0
Process ID:
Cost:
Neighbour:
Age:
Priority:
QoSInfo:
1
3
0.0.0.0
00h00m01s
low
0x0
Flags: D
Configuration Files
l
Configuration file of ATN-T

#
sysname ATN-T
#
ip frr route-policy ip_frr_rp
#
ip address 192.168.10.1 255.255.255.0
#
ip address 192.168.20.1 255.255.255.0
ospf cost 100
#
Issue 02 (2013-12-31)

2064

Equipment
8 IP Routing
ip address 172.16.1.1 255.255.255.0
#
interface NULL0
#
ospf 1
area 0.0.0.0
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
area 0.0.0.1
network 172.16.1.0 0.0.0.255
#
ip ip-prefix frr1 permit 172.17.1.1 24
#
route-policy ip_frr_rp permit node 10
if-match ip-prefix frrl
apply backup-nexthop 192.168.20.2
apply backup-interface GigabitEthernet0/2/0
#
return

#
sysname CX-A
#
ip address 192.168.10.2 255.255.255.0
#
ip address 192.168.11.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 192.168.10.0 0.0.0.255
network 192.168.11.0 0.0.0.255
#
return

#
sysname CX-B
#
ip address 192.168.20.2 255.255.255.0
#
ip address 192.168.21.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 192.168.20.0 0.0.0.255
network 192.168.21.0 0.0.0.255
#
return

#
sysname CX-C
#
ip address 172.17.1.1 255.255.255.0
#
ip address 192.168.11.1 255.255.255.0
#
ip address 192.168.21.1 255.255.255.0
Issue 02 (2013-12-31)

2065

Equipment
8 IP Routing
ospf cost 100

#
ospf 1
area 0.0.0.0
network 192.168.11.0 0.0.0.255
network 192.168.21.0 0.0.0.255
area 0.0.0.2
network 172.17.1.0 0.0.0.255
#
return
Example for Importing IPv4 ARP Vlink Direct Routes to BGP

By importing IPv4 ARP Vlink direct routes to BGP, you can enable the remote device to obtain
information about detailed routes in the VLAN, allowing precise control of data traffic.
As networks develop, the VLAN technology is widely used. If a user outside a VLAN needs to
communicate with users within the VLAN, advertising routes destined for the network segment
of the VLAN can achieve this purpose. When users outside the VLAN need to know the IPv4
ARP Vlink direct routes of the VLAN, and apply different traffic policies to routes of the VLAN
users, advertising the routes destined for the network segment of the VLAN cannot meet this
requirement. In this case, you can enable the function of IPv4 ARP Vlink direct route
advertisement.
As shown in Figure 8-4, ATN-C is connected to two VLAN sites through VLANIF interfaces.
ATN-D communicates with ATN-B, but not with ATN-A. To meet the communication
requirement, you can enable the function of IPv4 ARP Vlink direct route advertisement on ATNC, and use a route-policy to filter out the routes to the network segment of the VLAN and the
route to ATN-A.
Figure 8-4 Networking diagram of importing IPv4 ARP Vlink direct routes to BGP
GE0/2/1
10.1.1.3/24
ATN-A
GE0/3/1
GE0/3/3
ATN-B
Switch-A
GE0/3/2
AS100
ATN-C
GE0/2/1
VLANIF10 VLANIF10
10.1.1.2/24 10.1.1.1/24
ATN-D
BGP
GE0/2/2
GE0/2/1
10.2.1.1/24 10.2.1.2/24
GE0/2/1
10.1.1.4/24
Issue 02 (2013-12-31)

2066

Equipment
8 IP Routing
1.
Create VLANIF interfaces on Switch-A and ATN-C and assign IP addresses to the
VLANIF interfaces, and ensure that ATN-A, ATN-B, Switch-A, and ATN-C can
2.
Enable BGP on ATN-C and ATN-D, ensuring that ATN-C and ATN-D are able to advertise
IP routes to each other.
3.
Enable the function of IPv4 ARP Vlink direct route advertisement on ATN-C.
4.
Configure a route-policy on ATN-C, allowing routes only from ATN-B to pass through.
5.
Enable BGP on ATN-C to import direct routes, and use the route-policy to import routes
only from ATN-B.
6.
Associate BGP with the route-policy on ATN-C to filter out the network segment route of
the VLAN so that ATN-D cannot learn the network segment route and can communicate
with VLAN users only based on IPv4 ARP Vlink direct routes.
Data Preparation
l
ID of the VLAN in which Switch-A and ATN-C reside (the VLAN ID is 10 in this example)
Router IDs and AS numbers of ATN-s C and D (router ID of ATN-C is 3.3.3.3 and router
ID of ATN-D is 4.4.4.4, and ATN-s C and D are in AS 100 in this example)
Route-policy used to filter direct routes (the route-policy is policy1 in this example)
Route-policy used to advertise BGP routes on ATN-C (the route-policy is policy2 in this
example)
Procedure
Step 1 Configure an IP address for each interface.
# Configure ATN-A.
[HUAWEI] sysname ATN-A
[ATN-A] interface GigabitEthernet 0/2/1
[ATN-A-GigabitEthernet0/3/1] undo shutdown
[ATN-A-GigabitEthernet0/3/1] ip address 10.1.1.3 24
[ATN-A-GigabitEthernet0/3/1] quit
# Configure ATN-B.
[HUAWEI] sysname ATN-B
[ATN-B] interface GigabitEthernet 0/2/1
[ATN-B-GigabitEthernet0/3/1] undo shutdown
[ATN-B-GigabitEthernet0/3/1] ip address 10.1.1.4 24
[ATN-B-GigabitEthernet0/3/1] quit
# Configure ATN-C.
[HUAWEI] sysname ATN-C
[ATN-C] interface GigabitEthernet 0/2/2
[ATN-C-GigabitEthernet0/3/2] undo shutdown
[ATN-C-GigabitEthernet0/3/2] ip address 10.2.1.1 24
[ATN-C-GigabitEthernet0/3/2] quit
# Configure ATN-D.
Issue 02 (2013-12-31)

2067

Equipment
8 IP Routing
[HUAWEI] sysname ATN-D
[ATN-D] interface GigabitEthernet 0/2/1
[ATN-D-GigabitEthernet0/3/1] undo shutdown
[ATN-D-GigabitEthernet0/3/1] ip address 10.2.1.2 24
[ATN-D-GigabitEthernet0/3/1] quit
Step 2 Configure basic VLAN functions. Create VLANIF 10 on Switch-A and ATN-C and assign IP
addresses to the VLANIF interfaces.
# Configure Switch-A.
[HUAWEI] sysname Switch-A
[Switch-A] vlan 10
[Switch-A-vlan10] quit
[Switch-A] interface GigabitEthernet 0/3/1
[Switch-A-GigabitEthernet0/3/1] portswitch
[Switch-A-GigabitEthernet0/3/1] undo shutdown
[Switch-A-GigabitEthernet0/3/1] port link-type access
[Switch-A-GigabitEthernet0/3/1] port default vlan 10
[Switch-A-GigabitEthernet0/3/1] quit
[Switch-A] interface Vlanif 10
[Switch-A-Vlanif10] ip address 10.1.1.2 24
[Switch-A-Vlanif10] quit
# Configure ATN-C.
[HUAWEI] sysname ATN-C
[ATN-C] vlan 10
[ATN-C-vlan10] quit
[ATN-C] interface GigabitEthernet 0/2/1
[ATN-C-GigabitEthernet0/3/1] portswitch
[ATN-C-GigabitEthernet0/3/1] undo shutdown
[ATN-C-GigabitEthernet0/3/1] port link-type access
[ATN-C-GigabitEthernet0/3/1] port default vlan 10
[ATN-C] interface Vlanif 10
[ATN-C-Vlanif10] ip address 10.1.1.1 24
[ATN-C-Vlanif10] quit
Step 3 Configure BGP between ATN-C and ATN-D.

# Configure ATN-C.
[ATN-C] bgp 100
[ATN-C-bgp] peer 10.2.1.2 as-number 100
[ATN-C-bgp] quit
# Configure ATN-D.
[ATN-D] bgp 100
[ATN-D-bgp] peer 10.2.1.1 as-number 100
[ATN-D-bgp] quit
Issue 02 (2013-12-31)

2068

Equipment
8 IP Routing
Step 4 Configure BGP on ATN-C and import direct routes to BGP. Then view the routing tables of
ATN-s C and D.
# Configure ATN-C.
[ATN-C] bgp 100
[ATN-C-bgp] import-route direct
[ATN-C-bgp] quit
# Display the BGP routing table of ATN-C.

[ATN-C] display bgp routing-table

Network
NextHop
*>
*>
*>
*>
*>
*>
*>
*>
*>
10.1.1.0/24
10.1.1.1/32
10.1.1.2/32
10.1.1.3/32
10.1.1.4/32
10.2.1.0/24
10.2.1.1/32
127.0.0.0
127.0.0.1/32
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
MED
LocPrf
PrefVal Path/Ogn
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
?
?
?
?
?
?
?
?
# Display the BGP routing table of ATN-D.

[ATN-D] display bgp routing-table

Network
NextHop
*>i
i
10.1.1.0/24
10.2.1.0/24
10.2.1.1
10.2.1.1
MED
LocPrf
0
0
PrefVal Path/Ogn
100
100
0
0
?
?
You can see that ATN-D has not learned the two IPv4 ARP Vlink direct routes 10.1.1.3/32 and
10.1.1.4/32.
Step 5 Enable the function of IPv4 ARP Vlink direct route advertisement on ATN-C and configure the
route-policy policy1 to filter out the routes to the network segment of the VLAN and the IPv4
ARP Vlink direct route from ATN-A, 10.1.1.3/32.
# Configure ATN-C.
[ATN-C] ip ip-prefix prefix1 permit 10.1.1.4 32
[ATN-C] route-policy policy1 permit node 10
[ATN-C-route-policy] if-match ip-prefix prefix1
[ATN-C-route-policy] quit
[ATN-C] arp vlink-direct-route advertise route-policy policy1
# Display the BGP routing table of ATN-C.

[ATN-C] display bgp routing-table
Issue 02 (2013-12-31)

2069

Equipment
8 IP Routing


Network
NextHop
*>
*>
*>
*>
*>
*>
*>
*>
*>
10.1.1.0/24
10.1.1.1/32
10.1.1.2/32
10.1.1.3/32
10.1.1.4/32
10.2.1.0/24
10.2.1.1/32
127.0.0.0
127.0.0.1/32
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
MED
LocPrf
0
0
0
0
0
0
0
0
0
PrefVal Path/Ogn
0
0
0
0
0
0
0
0
0
?
?
?
?
?
?
?
?
?

[ATN-D] display bgp routing-table

Network
NextHop
*>i
*>i
i
10.1.1.0/24
10.1.1.4/32
10.2.1.0/24
10.2.1.1
10.2.1.1
10.2.1.1
MED
LocPrf
0
0
0
100
100
100
PrefVal Path/Ogn
0
0
0
?
?
?
You can see that ATN-D has learned the IPv4 ARP Vlink direct route 10.1.1.4/32, whereas the
route 10.1.1.3/32 has been filtered out.
Step 6 Use the route-policy policy2 to filter out the network segment route 10.1.1.0/24 on ATN-C when
BGP routes are advertised.
# Configure ATN-C.
[ATN-C] ip ip-prefix prefix2 index 10 deny 10.1.1.0 24
[ATN-C] ip ip-prefix prefix2 index 20 permit 0.0.0.0 0 less-equal 32
[ATN-C] route-policy policy2 permit node 10
[ATN-C-route-policy] if-match ip-prefix prefix2
[ATN-C-route-policy] quit
[ATN-C] bgp 100
[ATN-C-bgp] peer 10.2.1.2 route-policy policy2 export
[ATN-C-bgp] quit
[ATN-C] quit
<ATN-C> refresh bgp all export


Network
NextHop
Issue 02 (2013-12-31)
MED
LocPrf

PrefVal Path/Ogn
2070

Equipment
*>i
i
10.1.1.4/32
10.2.1.0/24
10.2.1.1
10.2.1.1
8 IP Routing
0
0
100
100
0
0
?
?
You can find that the route 10.1.1.0/24 does not exist in the BGP routing table of ATN-D. As a
result, ATN-D can communicate with ATN-B, but cannot communicate with ATN-A.
----End
Configuration Files
l
Configuration file of Switch-A

# sysname switchA # vlan batch 10 # interface Vlanif10 ip address 10.1.1.2
255.255.255.0 # interface GigabitEthernet0/3/1 portswitch undo shutdown port
link-type access port default vlan 10 # interface GigabitEthernet0/3/2
portswitch undo shutdown port link-type access port default vlan 10 # interface
GigabitEthernet0/3/3 portswitch undo shutdown port link-type access port
default vlan 10 # return
Configuration file of Switch-A

#
sysname Switch-A
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
portswitch
undo shutdown
#
portswitch
undo shutdown
#
portswitch
undo shutdown
#
return
Configuration file of ATN-A

#
sysname ATN-A
#
undo shutdown
ip address 10.1.1.3 255.255.255.0
#
return
Configuration file of ATN-B

#
sysname ATN-B
#
undo shutdown
ip address 10.1.1.4 255.255.255.0
Issue 02 (2013-12-31)

2071

Equipment
8 IP Routing
#
return
Configuration file of ATN-C

#
sysname ATN-C
#
arp vlink-direct-route advertise route-policy policy1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
portswitch
undo shutdown
#
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
bgp 100
router-id 3.3.3.3
#
ipv4-family unicast
import-route direct
peer 10.2.1.2 route-policy policy2 export
#
route-policy policy1 permit node 10
if-match ip-prefix prefix1
#
route-policy policy2 permit node 10
if-match ip-prefix prefix2
#
ip ip-prefix prefix1 index 10 permit 10.1.1.4 32
ip ip-prefix prefix2 index 10 deny 10.1.1.0 24
ip ip-prefix prefix2 index 20 permit 0.0.0.0 0 less-equal 32
#
return
Configuration file of ATN-D

#
sysname ATN-D
#
undo shutdown
ip address 10.2.1.2 255.255.255.0
#
#
bgp 100
router-id 4.4.4.4
#
ipv4-family unicast
#
return
Issue 02 (2013-12-31)

2072

Equipment
8 IP Routing
8.2 IP Static Route Configuration

Static routes are commonly used on simple networks. Properly configuring and using static
routes improves network performance and ensures that enough bandwidth is available for
important services.
8.2.1 Introduction
On a simple network, you only need to configure static routes for the network to run properly.
Static Route
Static routes are special routes that are configured manually by network administrators.
On a simple network topology, you only need to configure static routes so that the network can
run properly. Properly using static routes improves the network performance and provides the
guaranteed bandwidth for important applications.
The disadvantage of static routes is that if a fault occurs on the network or the network topology
changes, static routes must be changed manually by the administrator.
Static Routing Features Supported by the ATN

The system supports various static route features, including IPv4 static routes, default routes,
BFD for static routes, NQA for static routes, and permanent advertisement of static routes.
IPv4 Static Route

IPv4 static routes need to be manually configured by the administrator. IPv4 static routes are
applicable to simple IPv4 networks.
An IPv4 static route is an IPv4 default route if its destination address is 0.0.0.0 and the mask
length is 0.
If the destination address of an IPv4 packet fails to match any entry in the routing table, the
ATN uses the IPv4 default route to forward the IPv4 packet.
The ATN supports ordinary static routes and the static routes associated with VPN instances.
The static routes associated with VPN instances are used to manage VPN routes . For details of
VPN instances, see the Feature Description - VPN.
Default Route
Default routes are a special type of routes that are usually configured by network administrators.
Default routes can also be generated by dynamic routing protocols such as Open Shortest Path
First (OSPF) or Intermediate System-to-Intermediate System (IS-IS).
Default routes are used only when packets to be forwarded fail to match any entry in the routing
table. You can run the display ip routing-table command to check whether the default route is
configured.
If the destination address of a packet does not match any entry in the routing table, the ATN
uses the default route to forward the packet. If no default route exists, the packet is discarded,
Issue 02 (2013-12-31)

2073

Equipment
8 IP Routing
and an Internet Control Message Protocol (ICMP) packet is sent to inform the originating host
that the destination host or network is unreachable.
BFD for Static Route

Unlike dynamic routing, static routing does not have a detection mechanism. If a fault occurs
on the network, administrator involvement is required. Bidirectional Forwarding Detection
(BFD) for static route is used to bind BFD sessions to static routes on the public network. The
BFD sessions are used to detect the link status of a static route. The system then uses the detection
results to determine whether to add static routes to its IP routing table.
After BFD for static route is configured, each static route can be bound to a BFD session.
l
When the BFD session on the link of a static route detects that the link changes from Up
to Down, BFD reports the fault to the RM module, and then the RM module sets the route
to inactive. Subsequently, the route becomes unavailable and is deleted from the routing
table.
When a BFD session is established on the link of a static route (the link changes from Down
to Up), BFD reports the success to the RM module, and then the RM module sets the route
to active. Subsequently, the route becomes available and is added to the IP routing table.
NQA for Static Route

NQA for static routes refers to the association between a static route and an NQA test instance.
The system can use the NQA test instance to check the link status. Then, according to the NQA
test result, the system can determine an optimal route in time to prevent communication
interruption and ensure service quality. NQA for static routes functions as follows:
l
If NQA detects a fault in the link, the system sets the static route to inactive. The route
becomes unavailable and is deleted from the IP routing table.
If NQA finds that the link recovers, the system sets the static route to active. The route
becomes available and is added to the IP routing table.
Permanent Advertisement of Static Routes

Permanent advertisement of static routes provides a simple link detection mechanism to monitor
services, which improves compatibility between Huawei devices and non-Huawei devices. If
service traffic needs to be forwarded along a specified path, you can detect links by pinging the
destination addresses of static routes.
8.2.2 Configuring an IPv4 Static Route

On an IPv4 network, you can accurately control route selection by configuring IPv4 static routes.
Before You Start

Before configuring an IPv4 static route, familiarize yourself with the usage scenario, complete
When configuring an IPv4 static route, note the following:
Issue 02 (2013-12-31)

2074

Equipment
8 IP Routing
Destination address and mask

In the ip route-static command, the IPv4 destination address is in dotted decimal notation,
and the mask can be either expressed in dotted decimal notation or replaced by the mask
length (namely, the number of consecutive 1s in the mask).
Outbound interface and next-hop address

When configuring a static route, you can specify either interface-type interface-number or
nexthop-address depending on which parameter is better suited to your situation.
In real-world situations, each routing entry requires a next-hop address. When sending a
packet, the ATN first searches for the matched route in the routing table against the
destination address.
For example, in some cases, the link layer is encapsulated with PPP, you can also specify
outbound interfaces when configuring the ATN even if the remote address is not known.
In this manner, it is unnecessary to modify the ATN configuration if the remote address
changes.
When specifying the outbound interface, note the following:
For a Point-to-Point (P2P) interface, the next-hop address is specified after the outbound
interface is specified. That is, the address of the remote interface (interface on the peer
device) connected to this interface is the next-hop address.
When a static route is being configured, specifying an Ethernet interface as the outbound
interface is not recommended. This is because the Ethernet interface is a broadcast
interface. Therefore, if the Ethernet interface is specified as the outbound interface,
multiple next hops exist and the system cannot decide which next hop is to be used. In
practice, when specifying a broadcast interface (such as an Ethernet interface) as the
outbound interface, you must specify the associated next-hop address.
Other attributes
Setting different preferences for static routes helps flexibly apply routing policies. For
example, when configuring multiple routes to the same destination address, you can set the
same preference for these routes to implement load balancing. You can also set different
preferences to implement routing redundancy.
When the ip route-static command is run to configure a static route, a default route is
configured if the destination address and the mask are set to all 0s (0.0.0.0 0.0.0.0).
Before configuring an IPv4 static route, complete the following task:
l
Configuring link layer protocol parameters and IP addresses for interfaces to ensure that
the link layer protocol status of the interfaces is Up
Data Preparation
To configure an IPv4 static route, you need the following data.
Issue 02 (2013-12-31)
No.
Data
Outbound interface or next-hop IPv4 address

2075

Equipment
No.
Data
Preference of the IPv4 static route
8 IP Routing
Configuring an IPv4 Static Route on the Public Network

When configuring an IPv4 static route, configure its destination address, outbound interface,
and next hop.
Context
Perform the following steps on the ATN to be configured with a static route:
Procedure
Step 1 Run:
system-view

Step 2 Run:
ip route-static ip-address { mask | mask-length } { nexthop-address | interfacetype interface-number [ nexthop-address ] | vpn-instance vpn-instance-name nexthopaddress } [ preference preference | tag tag ] * [ description text ]
An IPv4 static route is configured.

By default, no IPv4 static route is configured.
----End
(Optional) Setting the Default Preference for IPv4 Static Routes

Setting the default preference for IPv4 static routes can affect route selection.
Context
Perform the following steps on the ATNs that need to be configured with static routes and change
the default preference for static routes:
Procedure
Step 1 Run:
system-view

Step 2 Run:
ip route-static default-preference preference
The default preference is set for static routes.

By default, the preference of static routes is 60.
Issue 02 (2013-12-31)

2076

Equipment
8 IP Routing
When a static route is configured, the default preference is used if no preference is explicitly
specified for the static route. After a default preference is specified, the new default preference
is valid for subsequent rather than existing IPv4 static routes.
----End
(Optional) Configuring Static Route Selection Based on Relay Depth

After static route selection based on relay depths is configured, the static route module selects
the static route with the smallest relay depth as the active route and delivers it to the FIB table.
The other routes become inactive.
Context
After static routes are configured, multiple static routes with the same prefix and preference but
different relay depths exist. After static route selection based on relay depths is configured, the
static route module selects the route with the smallest relay depth as the active route and delivers
it to the Forwarding Information Base (FIB) table. The other routes become inactive.
Perform the following steps on the ATN to be configured with static routes:
Procedure
Step 1 Run:
system-view

Step 2 Run:
ip route-static selection-rule relay-depth
Static route selection based on relay depths is configured.

By default, static routes are not selected according to relay depths.
----End
(Optional) Configuring Permanent Advertisement of IPv4 Static Routes

Permanent advertisement of static routes provides a low-cost and simple link detection
mechanism and improves the compatibility between Huawei devices and non-Huawei devices.
Context
Link connectivity directly affects the stability and availability of a network. Consequently,
detecting link status is an important part of network maintenance. If service traffic needs to be
forwarded along a specified path, you can detect the status of the path using a ping operation.
In this manner, you can monitor services at a very low cost.
With permanent advertisement of static routes, you can detect link connectivity by pinging the
destination addresses of static routes. After permanent advertisement of static routes is
configured, static routes always take effect regardless of the outbound interface status. In this
case, the system forwards ping packets along a specified path only, which helps detect the link
status of the specified path.
Issue 02 (2013-12-31)

2077

Equipment
8 IP Routing
Perform the following steps on the ATN where IPv4 static routes need to be configured.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ip route-static ip-address { mask | mask-length } { nexthop-address | interfacetype interface-number [ nexthop-address ] | vpn-instance vpn-instance-name nexthopaddress } permanent
Permanent advertisement of IPv4 static routes is configured.

By default, permanent advertisement of IPv4 static routes is not configured.
----End

After an IPv4 static route is configured, you can check detailed information about the configured
IPv4 static route.
Prerequisites
An IPv4 static route has been configured.
Procedure
l
Run the display ip routing-table command to check brief information about the IPv4
routing table.
Run the display ip routing-table verbose command to check detailed information about
the IPv4 routing table.
----End
8.2.3 Configuring an IPv6 Static Route

On an IPv6 network, you can accurately control route selection by configuring IPv6 static routes.
Before You Start

Before configuring an IPv6 static route, familiarize yourself with the usage scenario, complete
On a small IPv6 network, you can implement network interconnection by configuring IPv6 static
routes. Compared with using dynamic routes, using static routes saves the bandwidth.
Before configuring an IPv6 static route, complete the following task:
Issue 02 (2013-12-31)

2078

Equipment
8 IP Routing
Data Preparation
To configure an IPv6 static route, you need the following data.
No.
Data
Preference of the IPv6 static route
Configuring an IPv6 Static Route on the Public Network

When configuring an IPv6 static route, you need to correctly configure its destination address,
outbound interface, and next hop.
Context
Perform the following steps on the ATN to be configured with static routes:
Procedure
Step 1 Run:
system-view

Step 2 Run:
ipv6 route-static dest-ipv6-address prefix-length { interface-type interfacenumber | nexthop-ipv6-address } [ preference preference | tag tag ] *
[ description text ]

When configuring a static route, you need to specify either the outbound interface or the nexthop address according to the actual situation. If the outbound interface is a non-P2P interface,
you must also specify the next-hop address in addition to specifying the outbound interface.
If preference is not specified, the default preference is 60.
----End
(Optional) Setting the Default Preference for IPv6 Static Routes

By setting the default preference for an IPv6 static route, you can change the preference of the
static route.
Issue 02 (2013-12-31)

2079

Equipment
8 IP Routing
Context
Perform the following steps on the ATN that needs to be configured with IPv6 static routes and
change the default priority for IPv6 static routes:
Procedure
Step 1 Run:
system-view

Step 2 Run:
ipv6 route-static default-preference preference
The default preference of IPv6 static routes is set.

By default, the preference of IPv6 static routes is 60.
When an IPv6 static route is configured, the default preference is used if the preference of the
static route is not explicitly specified. After the default preference is specified, the default
preference is valid for subsequent rather than existing IPv6 static routes.
----End

After an IPv6 static route is configured, you can check detailed information about the configured
route.
Prerequisites
An IPv6 static route has been configured.
Procedure
l
Run the display ipv6 routing-table command to check brief information about the IPv6
routing table.
Run the display ipv6 routing-table verbose command to check detailed information about
the IPv6 routing table.
----End
8.2.4 Configuring BFD for IPv4 Static Routes on the Public Network
On an IPv4 network, configuring BFD for IPv4 static routes on the public network can speed
up route convergence and improve network reliability.
Before You Start

Before configuring BFD for static routes, familiarize yourself with the usage scenario, complete
Issue 02 (2013-12-31)

2080

Equipment
8 IP Routing
BFD can quickly detect IPv4 forwarding failures, ensuring QoS for voice, video, and other videoon-demand (VoD) services on an IPv4 network. With BFD, service providers can provide voice
over IP (VoIP) and other real-time services with high availability and scalability.
By binding IPv4 static routes to BFD sessions, you can use BFD sessions to provide link
detection for IPv4 static routes on the public network. A static route can be bound to a BFD
session.
Before configuring BFD for IPv4 static routes on the public network, complete the following
task:
l
Data Preparation
To configure BFD for IPv4 static routes on the public network, you need the following data.
No.
Data
IP address of the peer detected by BFD
Local discriminator and remote discriminator of a BFD session
Configuring an IPv4 static route

When configuring an IPv4 static route, configure its destination address, outbound interface,
and next hop.
Context
Perform the following steps on the ATN to be configured with a static route:
Procedure
Step 1 Run:
system-view

Step 2 Run:
ip route-static ip-address { mask | mask-length } { nexthop-address | interfacetype interface-number [ nexthop-address ] | vpn-instance vpn-instance-name nexthopaddress } [ preference preference | tag tag ] * [ description text ]

Issue 02 (2013-12-31)

2081

Equipment
8 IP Routing

----End
Configuring a BFD Session

BFD sessions are used to quickly detect and monitor the connectivity of links on a network.
Procedure
Step 1 Run:
system-view

Step 2 Run:
bfd

Step 3 Run:
quit

Step 4 Run the bfd bfd-name bind peer-ip peer-ip [ vpn-instance vpn-instance-name ] [ interface
interface-type interface-number ] [ source-ip source-ip ] command to configure a BFD session.
l When a BFD session is set up for the first time, you need to bind the peer IP address to it.
After the BFD session is set up, you cannot modify it.
l When the BFD configuration items are created, the system checks only the format of the IP
address rather than the correctness. The BFD session cannot be established if incorrect peer
IP address or source IP address is bound.
l When the IP address of the peer and the local interface are both specified, a single-hop link
is monitored. BFD monitors the route with the outbound interface specified and peer-ip as
the next-hop IP address specified. When only the IP address of the peer is specified, multihop routes are monitored.
Step 5 Configure the discriminators.
l Run:
The local discriminator is configured.

l Run:
The remote discriminator is configured.

NOTE
The local discriminator of the local device corresponds to the remote discriminator of the remote device,
and the remote discriminator of the local device corresponds to the local discriminator of the remote device.
The local discriminator of the local device must be the same as the remote discriminator of the remote
device. Otherwise, the session cannot be correctly set up. After the local and remote discriminators are
configured, they cannot be modified.
Step 6 Run:
Issue 02 (2013-12-31)

2082

Equipment
8 IP Routing
commit

NOTE
When setting up a BFD session, you must run the commit command after configuring necessary
parameters, such as local and remote discriminators; otherwise, the session cannot be set up.
----End
Binding a Static Route to a BFD Session

When binding a static route to a BFD session, ensure that the static route resides on the same
link as the BFD session.
Context
Perform the following steps on the ATN to bind a static route to a BFD session:
Procedure
Step 1 Run:
system-view

Step 2 Run:
ip route-static ip-address { mask | mask-length } { nexthop-address | interfacetype interface-number [ nexthop-address ] } [ preference preference | tag tag ] *
track bfd-session bfd-name [ description text ]
A BFD session is bound to the IPv4 static route on the public network.
NOTE
When binding a static route to a BFD session, ensure that the static route resides on the same link as the
BFD session.
----End

After BFD for static route is configured, you can check information about BFD sessions and
BFD for static route.
Prerequisites
BFD configurations for IPv4 static routes are complete.
Procedure
l
Run the display bfd session { all | discriminator discr-value } [ verbose ] [ slot slotid ] command to check BFD session information.
Run the display current-configuration | include bfd command to check the configuration
of BFD for static routes.
Issue 02 (2013-12-31)

2083

Equipment
8 IP Routing
You can check information about a BFD session only after parameters for the BFD session
are set and the BFD session is established.
If BFD session negotiation succeeds, the status of the BFD session is displayed as Up. You
can also check that the BFD session is bound to the static route by running the display
current-configuration | include bfd command in the system view.
----End
8.2.5 Configuring NQA for IPv4 Static Routes

On an IPv4 network, if Bidirectional Forwarding Detection (BFD) for static IPv4 routes on the
public network cannot be configured because one of the communicating devices does not support
BFD, Network Quality Analysis (NQA) for static IPv4 routes can be configured to detect faults
in links. An NQA test instance is used to detect the link status to allow a fast link switchover
after a fault occurs in a link. This switchover helps prevent prolonged service interruptions.
Before You Start

Before configuring NQA for static IPv4 routes, familiarize yourself with the usage scenario,
In real world situations, the link status is monitored for network stability. If an active link fails,
traffic switches to a standby link to ensure non-stop traffic forwarding. The Address Resolution
Protocol (ARP) probe function and BFD are usually used to detect link faults. In addition, Interior
Gateway Protocol (IGP) convergence helps reveal link faults. In certain situations, the preceding
methods are unsuitable. For example:
l
If only one link, not every link, on the network needs to be monitored, the ARP detection
is unsuitable.
If any device on the network does not support BFD, BFD is unavailable.
If either end of a link is a Layer 2 device, dynamic routing protocols cannot be deployed.
As a result, no IGP convergence occurs.
In these situations, NQA for static IPv4 routes can be configured to detect link faults. It can be
used to detect faults in links where Layer 2 devices reside and take effect even if only one of the
two communicating devices supports NQA.
If a fault occurs, an NQA test instance can immediately detect the fault and instruct the system
to delete the associated static route from the IP routing table. Traffic is then forwarded along
another path.
Before configuring NQA for static IPv4 routes, complete the following task:
l
the link layer protocol on the interfaces is Up
Data Preparation
To configure NQA for static IPv4 routes, you need the following data.
Issue 02 (2013-12-31)

2084

Equipment
No.
Data
Administrator name and name of an NQA test instance
Destination IP address of the NQA test instance
Destination network address and mask
Next hop IPv4 address or outbound interface for a static route
8 IP Routing
Configuring an ICMP Type NQA Test Instance

NQA is an effective tool for locating and diagnosing network faults.
Context
NQA measures the performance of different protocols running on a network. With NQA, carriers
can collect the operation indicators of networks in real time. These indicators include total delay
of the delay in the Transfer Control Protocol (TCP) connection, file transmission rate, and delay
in the File Transfer Protocol (FTP) connection. To check these performance indexes, you can
create NQA test instances.
An NQA test is performed between a client and a server. The client is responsible for initiating
an NQA test. After test instances are configured on the client, NQA places these test instances
into test instance queues according to their operation types. After the test instances are started,
the data information about the protocol-related running status can be collected based on
information about the return packets.
An Internet Control Messages Protocol (ICMP) NQA test instance checks whether a route from
the NQA client to the destination is reachable. The ICMP NQA test performs a function similar
to the ping command but provides more detailed output:
l
By default, the output contains the five most recent tests.
The test result contains information including the average delay, packet loss ratio, and time
when the last packet was correctly received.
The minimum interval at which an ICMP NQA test instance sends packets is once per second,
which ensures that NQA reports the test results to the system when a link fault is detected and
when the link fault is rectified. For details about NQA, see the chapter "NQA Configuration" in
the Configuration Guide - System Management.
Procedure
Step 1 Run:
system-view

Step 2 Run:
Issue 02 (2013-12-31)

2085

Equipment
8 IP Routing
An NQA test instance is created, and the test instance view is displayed.
Step 3 Run:
test-type icmp
The test type is set to ICMP.

Step 4 Run:
The destination address is specified for the NQA test instance.

frequency interval
The interval for automatically performing an NQA test is set. By default, no interval is set, and
only one test is performed.
probe-count number
The number of probes to be sent each time is set for the NQA test instance. By default, three
probes are sent each time.
After probes are sent multiple times for the NQA test instance, you can estimate the network
quality more accurately based on the collected statistics.
nexthop ipv4 ip-address
The next hop address for NQA test packets is configured. By default, the next hop address for
the NQA test packets is obtained by searching the routing table.
NOTE
The specified next hop must be the physical interface directly connected to the device that sends the NQA
test packets.
In the scenario that an NQA test instance is associated with static routes, if a link becomes faulty,
the NQA test instance detects this fault and then the static routes associated with the NQA test
instance become Down. After the link recovers, the NQA test instance attempts to send ICMP
test packets over the static routes. Because these static routes are still Down, the NQA test
instance still fails to detect link connectivity. Traffic fails to be forwarded.
The nexthop command configures a next hop address for the NQA test packets, which ensures
that the packets are forwarded when the link recovers from the fault, and the static routes
associated with the NQA test instance are Up.
Step 8 Run:
start

Run one of the following commands in different situations:
l To start an NQA test immediately, run the start now [ end { at [ yyyy/mm/dd ] hh:mm:ss |
delay { seconds second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } } ] command.
Issue 02 (2013-12-31)

2086

Equipment
8 IP Routing
l To start an NQA test at a specified time, run the start at [ yyyy/mm/dd ] hh:mm:ss [ end
{ at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime { seconds
second | hh:mm:ss } } ] command.
l To start an NQA test after a certain period of time, run the start delay { seconds second |
hh:mm:ss } [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } |
----End
Binding an IPv4 Static Route to an NQA Test Instance

If a static IPv4 route is associated with an NQA test instance, NQA tests the link status
periodically. After NQA detects a fault in the link related to the associated static route, the static
route is deleted and traffic diverts to another path.
Context
On a network with a simple topology, configuring static routes is usually adequate enough to
ensure the network is able to operate correctly. Static routes can also be configured on a router
that cannot run dynamic routing protocols to generate routes to the destination. Unlike dynamic
routing protocols, static routes do not have a dedicated detection mechanism. Static routes cannot
detect faults in the network, which means that traffic loss will likely occur at some point.
The NQA for static IPv4 routes feature allows static IPv4 routes to be associated with NQA test
instances. The ping function of NQA test instances is used to check the status of links through
which static routes pass. If a fault occurs in the link for a static route, the system deletes the static
route to force traffic transmitted based on this route to divert to another path.
Perform the following steps on the router that requires NQA for static IPv4 routes:
Procedure
Step 1 Run:
system-view

Step 2 Run:
ip route static ip-address { mask | mask-length } { nexthop-address | interfacetype interface-number [ nexthop-address ] } [ preference preference | tag tag ] *
track nqa admin-name test-name [ description text ]
A static IPv4 route is associated with an NQA test instance.

NOTE
The destination address of an NQA test instance cannot be the destination address of an associated static
route.
If the static route associated with one NQA test instance is associated with another NQA test instance, the
association between the static route and the former NQA test instance is automatically removed.
----End
Issue 02 (2013-12-31)

2087

Equipment
8 IP Routing

After associating an NQA test instance with a static route, you can check NQA test results and
information about the association between the static route and the NQA test instance.
Prerequisites
NQA configurations for static IPv4 routes have been configured.
NOTE
NQA test results cannot be displayed automatically on the terminal. To check NQA test results, run the
display nqa results command. By default, the command output shows the results of the five most recent
tests.
Procedure
Step 1 Run the display current-configuration | include nqa command to check NQA configurations
for static IPv4 routes.
Step 2 Run the display nqa results [ test-instance admin-name test-name ] command to check NQA
test results.
----End
Example
After associating a static route to an NQA test instance, run the display currentconfiguration | include nqa command in the system view to check whether the static route has
been associated with the NQA test instance. For example:
<HUAWEI> display current-configuration | include nqa
ip route-static 172.16.1.3 255.255.255.255 GigabitEthernet0/2/1 track nqa admin
icmp
Run the display nqa results command. The test records are successfully queried if the following
information is displayed:
l
testflag is active
testtype is icmp
Completion:success
For example:
<HUAWEI> display nqa results test-instance admin icmp
NQA entry(admin, icmp) :testflag is active ,testtype is icmp
1 . Test 206 result
Completion:success
Attempts number:1
Issue 02 (2013-12-31)

2088

Equipment
8 IP Routing
For an ICMP NQA test, the minimum, maximum, and average time for receiving ICMP EchoReply packets are displayed as Min/Max/Average Completion Time. In addition, the NQA
test packet loss ratio is displayed, which helps provide a clear indication of the link status. In
the preceding example, the packet loss ratio is 0, indicating that the link works properly.
NOTE
If the frequency interval command is configured for an NQA test instance, testflag is active is displayed.
If the frequency interval command is not configured for an NQA test instance, the NQA test is performed
only once and testflag is inactive is displayed.

Static route configuration examples explain networking requirements, networking diagrams,
configuration notes, configuration roadmap, and configuration procedures.
Example for Configuring IPv4 Static Routes

You can configure IPv4 static routes to interconnect any two devices on an IPv4 network.
Figure 8-5 shows IP addresses and masks of interfaces and NodeB, and RNC. It is required that
static routes be used so that NodeB, RNC1, and RNC2 in Figure 8-5 can communicate with one
another.
Issue 02 (2013-12-31)

2089

Equipment
8 IP Routing
Figure 8-5 Networking diagram for configuring IPv4 static routes
RNC2
1.1.2.2/24
GE3/0/0
1.1.2.1/24
GE2/0/0
1.1.4.5/30
GE1/0/0
1.1.4.2/30
CX-B
ATN-A
GE0/2/0
1.1.4.1/30
GE1/0/0
1.1.4.6/30
GE0/2/4
1.1.1.1/24
CX-C
GE2/0/0
1.1.3.1/24
1.1.1.2/24
1.1.3.2/24
NodeB
RNC1
1.
Configure an IPv4 address for each interface on each devices for interworking.
2.
Configure an IPv4 static route and a default route to the destination address on each devices.
3.
Configure an IPv4 default gateway on NodeB, RNC1 and RNC2, so that they can
communicate with one another.
Data Preparation
Issue 02 (2013-12-31)

2090

Equipment
8 IP Routing
Equipment Name
Attribute
Name
Parameter Value
ATN-A
Default route
with the next hop being 1.1.4.2
CX-C
Default route
with the next hop being 1.1.4.5
CX-B
Static route
with the destination address and next hop

being 1.1.1.0 and 1.1.4.1 respectively
Static route
with the destination address and next hop

being 1.1.3.0, and 1.1.4.6 respectively
NodeB
Default
gateway
1.1.1.1
RNC1
Default
gateway
1.1.3.1
RNC2
Default
gateway
1.1.2.1
Procedure
The configuration details are not described here.
Step 2 Configure static routes.
# Configure an IPv4 default route on ATN-A.
[ATN-A] ip route-static 0.0.0.0 0.0.0.0 1.1.4.2
# Configure two IPv4 static routes on CX-B.

[CX-B] ip route-static 1.1.1.0 255.255.255.0 1.1.4.1
[CX-B] ip route-static 1.1.3.0 255.255.255.0 1.1.4.6
# Configure an IPv4 default route on CX-C.

[CX-C] ip route-static 0.0.0.0 0.0.0.0 1.1.4.5
Step 3 Configure NodeB, RNC2 and RNC1.

Set default gateway addresses of NodeB, RNC2 and RNC1 to 1.1.1.1, 1.1.2.1, and 1.1.3.1
respectively.
# Check the IP routing table of ATN-A.
[ATN-A] display ip routing-table
Destinations : 8
Routes : 8
Destination/Mask
Proto Pre Cost
Flags
NextHop
Interface
0.0.0.0/0
Static 60
0
RD
1.1.4.2
Issue 02 (2013-12-31)

2091

Equipment
1.1.1.0/24 Direct
1.1.1.1/32 Direct
1.1.4.0/30 Direct
1.1.4.1/32 Direct
1.1.4.2/32 Direct
127.0.0.0/8
Direct
127.0.0.1/32 Direct
8 IP Routing
0
1.1.1.1
0
0
0
0
D
D
127.0.0.1
1.1.4.1
InLoopBack0
0
0
0
0
D
D
127.0.0.1
1.1.4.2
InLoopBack0
0
0
0
0
D
D
127.0.0.1
127.0.0.1
InLoopBack0
InLoopBack0
# Run the ping command to verify the connectivity.

[ATN-A] ping 1.1.3.1
0.00% packet loss
ms
ms
ms
ms
ms
# Run the tracert command to verify the connectivity.

[ATN-A] tracert 1.1.3.1
traceroute to 1.1.3.1(1.1.3.1), max hops: 30 ,packet length: 40
1 1.1.4.2 31 ms 32 ms 31 ms
2 1.1.4.6 62 ms 63 ms 62 ms
----End
Configuration Files
l

#
sysname ATN-A
#
ip address 1.1.1.1 255.255.255.0
#
ip address 1.1.4.1 255.255.255.252
#
ip route-static 0.0.0.0 0.0.0.0 1.1.4.2
#
return

#
sysname CX-B
#
ip address 1.1.2.1 255.255.255.0
#
ip address 1.1.4.2 255.255.255.252
#
ip address 1.1.4.5 255.255.255.252
#
ip route-static 1.1.1.0 255.255.255.0 1.1.4.1
ip route-static 1.1.3.0 255.255.255.0 1.1.4.6
Issue 02 (2013-12-31)

2092

Equipment
8 IP Routing
#
return

#
sysname CX-C
#
ip address 1.1.3.1 255.255.255.0
#
ip address 1.1.4.6 255.255.255.252
#
ip route-static 0.0.0.0 0.0.0.0 1.1.4.5
#
return
8.3 RIP Configuration

RIP can advertise and receive routes to affect the selection of data forwarding paths, and can
provide the network management function. RIP is commonly used on small-scale networks.
8.3.1 Introduction
RIP is a dynamic routing protocol used on small-scale networks. It is an Interior Gateway
Protocol (IGP) and uses the distance-vector routing algorithm.
Overview of RIP
RIP is widely used on small-scale network because it is simple to deploy and easier to configure
and maintain than OSPF and IS-IS.
The Routing Information Protocol (RIP) is a simple Interior Gateway Protocol (IGP). RIP is
mainly used on small-scale networks such as campus networks and simple regional networks.
RIP uses the distance-vector routing algorithm and exchanges routing information by using User
Datagram Protocol (UDP) packets through port 520.
RIP uses the hop count to measure the distance to the destination. The distance is called the
routing metric. In RIP, the hop count from a ATN to its directly connected network is 0, and the
hop count from a ATN to a network, which can be reached through another ATN, is 1. To speed
up route convergence, RIP defines the cost as an integer that ranges from 0 to 15. If the hop
count is equal to or exceeds 16, the destination network or host is unreachable because the path
is considered to have an infinite metric. It is this limitation to the hop count that makes RIP
inapplicable to large-scale networks.
To improve network performance and prevent routing loops, RIP supports both split horizon
and poison reverse.
l
Split horizon is a method of preventing routing loops in a network and reducing bandwidth
consumption. The basic principle is simple: Information about the routing for a particular
packet is never sent back in the direction from which it was received.
Poison reverse is that RIP sets the cost of the route learnt from an interface of a neighbor
to 16 (specifying the route as unreachable) and then sends the route from the interface back
Issue 02 (2013-12-31)

2093

Equipment
8 IP Routing
to the neighbor. In this way, RIP can delete useless routes from the routing table of the
neighbor.
RIP has two versions:
l
RIPv1
RIPv2
RIPv1 is a classful routing protocol, whereas RIPv2 is a classless routing protocol. In RIPv2,
address 224.0.0.9 is the multicast address of a RIP router.
Compared with RIPv1, RIPv2 has the following advantages:
l
Supports route tag and can flexibly control routes on the basis of the tag in the routing
policy.
Provides packets that contain mask information and supports route aggregation and
Classless Inter-domain Routing (CIDR).
Supports the next hop address and can select the optimal next hop address in the broadcast
network.
Uses multicast routes to send update packets. Only RIPv2 routers can receive protocol
packets. This reduces the resource consumption.
Provides three authentication modes to enhance security: plain-text authentication, MD5

authentication and HMAC-SHA256 authentication.
RIP Features Supported by the ATN

The RIP features supported by the ATN include RIPv1, RIPv2, split horizon, poison reverse,
and multi-instance.
The ATN supports the following RIP features:
l
RIPv1 and RIPv2
RIP multi-instance, which functions as an internal routing protocol for VPNs and runs
between CEs and PEs in MPLS L3VPN networks
NOTE
For detailed configuration of a VPN instance, see the chapter "BGP MPLS IP VPN Configuration" in the
Configuration Guide - VPN.
8.3.2 Configuring Basic RIP Functions

To implement RIP features, configure basic RIP functions including enabling RIP, specifying
the network segment in which RIP runs, and setting the RIP version.
Before You Start

Before configuring basic RIP functions, familiarize yourself with the usage scenario, complete
Configuring basic RIP functions allows you to enjoy certain RIP features.
Issue 02 (2013-12-31)

2094

Equipment
8 IP Routing
Before configuring basic RIP functions, complete the following tasks:
l
Configuring the link layer protocol
Configuring IP addresses for interfaces to ensure that neighboring nodes are reachable at
the network layer
Data Preparation
To configure basic RIP functions, you need the following data.
No.
Data
RIP process ID
Network segment in which the RIP interface resides
RIP version number
Enabling RIP
Creating RIP processes is the prerequisite to performing RIP configurations.
Context
If you run RIP-related commands in the interface view before enabling RIP, the configurations
take effect only after RIP is enabled.
Perform the following steps on the ATN to be enabled with RIP:
Procedure
Step 1 Run:
system-view

Step 2 Run:
rip [ process-id ]
The RIP is enabled and the RIP view is displayed.

RIP supports multi-instance. To associate RIP processes with VPN instances, you can run the
rip [ process-id ] vpn-instance vpn-instance-name command.
Issue 02 (2013-12-31)

2095

Equipment
8 IP Routing
NOTE
For easy management and effective control, RIP supports multi-process and multi-instance. The multiprocess feature allows a set of interfaces to be associated with a specific RIP process and an interface can
be associated with only one RIP process. This ensures that the specific RIP process performs all the protocol
operations only on this set of interfaces. Therefore, multiple RIP processes can work on a single router and
each process is responsible for a unique set of interfaces. In addition, the routing data is independent
between RIP processes; however, routes can be imported between processes.
For the routers that support the VPN, each RIP process is associated with a specific VPN instance. In this
case, all the interfaces attached to the RIP process should be associated with the RIP-process-related VPN
instance.

description
Descriptions for RIP processes are configured.

----End
Enabling RIP on the Specified Network Segment

After enabling RIP, you need to specify the network segment in which RIP runs. RIP runs only
on the interfaces on the specified network segment. RIP does not receive, send, or forward routes
on the interfaces that do not reside on the specified network segment.
Context
By default, after RIP is enabled, it is disabled on all interfaces.
Perform the following steps on the ATN to be enabled with RIP.
Procedure
Step 1 Run:
system-view

Step 2 Run:
rip [ process-id ]
The RIP process is enabled and the RIP view is displayed.

Step 3 Run:
network network-address
RIP is enabled in the specified network segment.

network-address specifies the address of a natural network segment.
NOTE
An interface can be associated with only one RIP process.

If any network segment in which an interface configured with multiple sub-interface IP addresses resides
is associated with a RIP process, the interface cannot be associated with any other RIP processes.
----End
Issue 02 (2013-12-31)

2096

Equipment
8 IP Routing
Configuring RIP Version Number

RIP versions include RIPv1 and RIPv2. The two versions have different functions.
Context
Perform the following steps on the RIP ATN.
Procedure
l
Configuring the Global RIP Version Number

1.
Run:
system-view

2.
Run:
rip [ process-id ]

3.
Run:
version { 1 | 2 }
The global RIP version number is specified.

The RIP-1 protocol poses a security risk, and therefore the RIP-2 protocol is
recommended.
l
Configuring the RIP Version Number for an Interface

1.
Run:
system-view

2.
Run:

3.
Run:
rip version { 1 | 2 [ broadcast | multicast ] }
The RIP version number of the packets received by the interface is specified.
NOTE
By default, an interface receives both RIPv1 and RIPv2 packets but sends only RIPv1 packets.
When configuring RIPv2 on an interface, you can specify the mode in which the interface sends
packets. If no RIP version number is configured in the interface view, the global RIP version
is used. The RIP version set on an interface takes precedence over the global RIP version.
The RIP-1 protocol poses a security risk, and therefore the RIP-2 protocol is recommended.
----End

After basic RIP functions are successfully configured, you can view the current running status,
configurations, and routing information of RIP.
Issue 02 (2013-12-31)

2097

Equipment
8 IP Routing
Procedure
l
Run display rip [ process-id | vpn-instance vpn-instance-name ] command to check the

running status and configuration of RIP.
Run display rip process-id route command to check the activated and inactivated RIP
routes.
Run display default-parameter rip command to check the default RIP configuration.
Run the display rip process-id statistics interface { all | interface-type interfacenumber [ verbose | neighbor neighbor-ip-address ] } command, then you can view the
statistics on a RIP interface.
----End
Example
Run the display rip [ process-id | vpn-instance vpn-instance-name ] command, then you can
view the running status and configuration of the enabled RIP process. The display shows that
two VPN instances are running. The first one is a public network instance; the second one is
named VPN-Instance-1.
<HUAWEI> display rip
Public VPN-instance
RIP process : 1
RIP version : 1
Preference : 100
Checkzero : Enabled
Default-cost : 0
Summary : Enabled
Hostroutes : Enabled
Maximum number of balanced paths : 3
Update time
: 30 sec Age time : 180
Suppress time : 0 sec
Garbage-collect
Graceful restart : Disabled
Silent interfaces : None
Default Route : Disabled
Verify-source : Enabled
Networks :
172.4.0.0
Configured peers : None
Number of routes in database : 4
Number of interfaces enabled : 3
Triggered updates sent : 3
Number of route changes : 6
Number of replies to queries : 1
Number of routes in ADV DB
: 6
Private VPN-instance name : VPN-Instance-1
RIP process : 2
RIP version : 1
Preference : 100
Checkzero : Enabled
Default-cost : 0
Summary : Enabled
Hostroutes : Enabled
Update time
: 30 sec Age time : 180
Garbage-collect
Graceful restart : Disabled
Silent interfaces : None
Networks :
192.4.5.0
Issue 02 (2013-12-31)
sec
time : 120 sec
sec
time : 120 sec

2098

Equipment
8 IP Routing
Configured peers : None

Triggered updates sent : 0
Number of route changes : 0
Number of replies to queries : 0
Number of routes in ADV DB
: 6
Total count for 2 process :
Number of routes sendable in a periodic update : 6
Number of routes sent in last periodic update : 4
Run the display rip process-id route command, then you can view all activated and inactivated
routes of the specified RIP process.
<HUAWEI> display rip 1 route
Route Flags: R - RIP
A - Aging, S - Suppressed, G - Garbage-collect
---------------------------------------------------------------------------Peer 192.4.5.1 on GigabitEthernet0/2/1
Destination/Mask
Nexthop
Cost
Tag
Flags
Sec
172.4.0.0/16
192.4.5.1
1
0
RA
15
192.13.14.0/24
192.4.5.1
2
0
RA
15
192.4.5.0/24
192.4.5.1
1
0
RA
15
Run the display default-parameter rip command, and you can view the default RIP
configuration.
<HUAWEI> display default-parameter rip
-------------------------------------------Protocol Level Default Configurations
-------------------------------------------RIP version
: 1
Preference
: 100
Checkzero
: Enabled
Default-cost : 0
Auto Summary : Enabled
Hostroutes
: Enabled
Maximum Balanced Paths : 16
Update time
: 30 sec
Age time : 180 sec
Garbage-collect time : 120 sec
Graceful restart
: Disabled
-------------------------------------------Interface Level Default Configurations
-------------------------------------------Metricin
: 0
Metricout
: 1
Input Packet Processing : Enabled
Output Packet Processing: Enabled
Poison Reverse
: Disabled
Replay Protect
: Disabled
Split Horizon
For Broadcast and P2P Interfaces : Enabled
For NBMA Interfaces
: Disabled
Packet Transmit Interval
: 200 msecs
Packet Transmit Number
: 30
RIP Protocol Version
: RIPv1 Compatible (Non-Standard)
Running the display rip process-id statistics interface { all | interface-type interface-number
[ verbose | neighbor neighbor-ip-address ] } command, you can view the statistics on a RIP
interface.
<HUAWEI> display rip 1 statistics interface Gigabitethernet0/2/0
Issue 02 (2013-12-31)

2099

Equipment
8 IP Routing
GigabitEthernet0/2/0(10.0.0.11)
Statistical information
Last min
Last 5 min
Total
-----------------------------------------------------------------Periodic updates sent
5
23
259
Triggered updates sent
5
30
408
Response packet sent
10
34
434
Response packet received
15
38
467
Response packet ignored
0
0
0
Request packet sent
1
3
8
Request packet received
4
20
40
Request packet ignored
0
0
0
Bad packets received
0
0
0
Bad routes received
0
0
0
Packet authentication failed
0
0
0
8.3.3 Configuring RIP Route Attributes

By setting RIP route attributes, you can change RIP routing policies to meet the requirements
of complex networks.
Before You Start

RIP route attributes include the RIP preference, additional metrics of an interface, and maximum
number of equal-cost routes.
For complex networks, you can set RIP route attributes to change RIP routing policies. After
performing the configuration procedures in this section, you can:
l
Affect route selection by changing the additional metric of a RIP interface.
Change the matching order by configuring the RIP preference when multiple routing
protocols discover routes to the same destination.
Implement load balancing among multiple equal-cost routes.
Before configuring RIP route attributes, complete the following tasks:
l
the network layer
Configuring Basic RIP Functions
Data Preparation
To configure RIP route attributes, you need the following data.
Issue 02 (2013-12-31)
No.
Data
Additional metric of the interface
RIP preference
Maximum number of equal-cost routes

2100

Equipment
8 IP Routing
Configuring Additional Metrics of an Interface

The additional metric is the metric (hop count) to be added to the original metric of a RIP route.
You can specify commands to set additional metrics for incoming and outgoing RIP routes.
Context
The additional metric is added to the original metric of the RIP route.
l
The rip metricin command is used to add an additional metric to an incoming route. After
this route is added to the routing table, its metric in the routing table changes.Running this
command affects route selection on the local device and other devices on the network.
The rip metricout command is used to add an additional metric to an outgoing route. When
this route is advertised, an additional metric is added to this route, but the metric of the
route in the routing table does not change. Running this command does not affect route
selection on the local device or other devices on the network.
Perform the following steps on the RIP ATN:
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run any of the following commands as required:
l Based on the basic ACL:
1.
Run rip metricin { value | { acl-number | acl-name acl-name } value1 }, the metric
added to an incoming route is set.
2.
Run quit, return to the system view.
3.
Run acl { [ number ] acl-number1 | name acl-name basic [ number acl-number2 ] }

[ match-order { auto | config } ], the basic ACL view is displayed.
4.
Run rule [ rule-id ] { deny | permit } [ fragment-type fragment-type-name | source

vpn-instance-name ] *, a rule is configured for the basic ACL.
l Based on the named advanced ACL:

1.
Run rip metricin { value | acl-name acl-name value1 }, the metric added to an incoming
route is set.
2.
3.
Run acl name acl-name advance [ number acl-number2 ] [ match-order { auto |

config } ], the basic ACL view is displayed.
4.
Run rule [ rule-id ] { deny | permit } protocol [ source { source-ip-address sourcewildcard | any } | time-range time-name ] *, a rule is configured for the basic ACL.
l Based on the IP prefix: rip metricin { value | ip-prefix ip-prefix-name value1 }

Issue 02 (2013-12-31)

2101

Equipment
8 IP Routing
NOTE
You can specify the value of the metricin to be added to the RIP route that passes the filtering policy by
specifying value1 through an ACL or an IP prefix list. If a RIP route does not pass the filtering, its metric
is not incremented.

1.
Run rip metricout { value | { acl-number | acl-name acl-name } value1 }, the metric
added to an outgoing route is set.
2.
3.

4.


1.
Run rip metricout { value | acl-name acl-name value1 }, the metric added to an
outgoing route is set.
2.
3.

4.
l Based on the IP prefix: rip metricout { value | ip-prefix ip-prefix-name value1 }

NOTE
You can specify the value of the metricout to be added to the RIP route that passes the filtering policy by
specifying value1 through an ACL or an IP prefix list. If a RIP route does not pass the filtering, its metric
is increased by 1.
----End
Configuring RIP Preference

When there are routes discovered by multiple routing protocols on the same ATN, you can set
RIP preferences to instruct the ATN to prefer certain RIP routes over others.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
rip [ process-id ]
Issue 02 (2013-12-31)

2102

Equipment
8 IP Routing

Step 3 Run:
preference { preference | route-policy route-policy-name } *
The RIP preference is set.

By default, the RIP preference is 100.
----End
Setting the Maximum Number of Equal-Cost Routes

By setting the maximum number of equal-cost RIP routes, you can change the number of routes
for load balancing.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
rip [ process-id ]

Step 3 Run:
maximum load-balancing number
The maximum number of equal-cost routes is set.

NOTE
When the number of equal-cost routes is greater than number specified in the maximum load-balancing
command, valid routes are selected for load balancing based on the following criteria:
1. Interface index: If routes have the same priorities, routes with higher interface index values are selected
for load balancing.
2. Next hop IP address: If routes have the same priorities and interface index values, routes with larger
IP address are selected for load balancing.
----End

After RIP route attributes are successfully set, you can view the current running status,
configuration, and routing information of RIP.
Prerequisites
The configurations of RIP route attributes are complete.
Issue 02 (2013-12-31)

2103

Equipment
8 IP Routing
Procedure
l
Run display rip [ process-id | vpn-instance vpn-instance-name ] command to check the

running status and configuration of RIP.
Run display rip process-id database command to check all activated routes in the RIP
database.
Run display rip process-id route command to check all activated and inactivated RIP
routes.
----End
Example
Run the display rip process-id database command, and you can view information about the
database of the specified RIP process.
<HUAWEI> display rip 100 database
10.0.0.0/8, cost 1, ClassfulSumm
10.0.0.0/24, cost 1, nexthop 10.0.0.1, Rip-interface
11.0.0.0/24, cost 1, nexthop 10.0.0.1, Imported
10.10.10.0/24, cost 0, [A], Rip-interface
10.137.220.0/23, cost 1, [A], nexthop 10.10.10.2
8.3.4 Controlling the Advertising of RIP Routing Information

To meet the requirements of complex networks, accurately controlling the advertising of RIP
routing information is essential.
Before You Start

RIP routing information can be advertised through default routes, Update packets, and imported
external routes.
To meet the requirements of a network, you need to control the advertising of RIP routing
information accurately. After performing the configuration procedures in this section, you can:
l
Advertise default routes to neighbors.
Suppress interfaces from sending RIP Update packets.
Import external routes from various routing protocols and filter the routes to be advertised.
Before configuring the ATN to control the advertising of RIP routing information, complete the
following tasks:
l
the network layer
Issue 02 (2013-12-31)

2104

Equipment
8 IP Routing
Data Preparation
To control the advertising of RIP routing information, you need the following data.
No.
Data
Metric of the default route to be advertised
Number of the interface that is suppressed from sending RIP Update packets
Protocol name and process ID of the external route to be imported
Configuring RIP to Advertise Default Routes

A default route is a route destined for 0.0.0.0. By default, RIP does not advertise default routes
to its neighbors.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
rip [ process-id ]

----End
Disabling an Interface from Sending RIP Update Packets

Disabling interfaces from sending RIP Update packets is a method of preventing routing loops
and can be implemented in two ways.
Context
Procedure
l
Disable an interface from sending RIP Update packets in a RIP process (with a high
priority).
1.
Run:
system-view

Issue 02 (2013-12-31)

2105

Equipment
2.
8 IP Routing
Run:
rip [ process-id ]
The RIP process is enabled, and the RIP view is displayed.

3.
Run:
silent-interface interface-type interface-number
A specified interface is disabled from sending RIP Update packets.

You can configure an interface as a silent interface so that it only receives RIP Update
packets to update its routing table.
NOTE
You can run the silent-interface all command to disable all RIP interfaces from sending RIP
Update packets.
The silent-interface command takes precedence over the rip output command configured in
the interface view. By default, an interface can both send and receive RIP Update packets.
Disable an interface from sending RIP Update packets in the interface view (with a low
priority).
1.
Run:
system-view

2.
Run:

3.
Run:
undo rip output
The interface is disabled from sending RIP Update packets.

By running this command, you can specify whether to send RIP Update packets on
an interface. The silent-interface command takes precedence over the undo rip
output command. By default, an interface is allowed to send RIP Update packets.
----End
Configuring RIP to Import External Routes

To enrich its routing information, RIP can import the routes learned by other processes or other
routing protocols.
Context
Procedure
Step 1 Run:
system-view

Issue 02 (2013-12-31)

2106

Equipment
8 IP Routing
Step 2 Run:
rip [ process-id ]

default-cost cost
The default cost of imported routes is set.

If no cost is specified when external routes are imported, the default cost is used.
Step 4 Run:
import-route bgp [ permit-ibgp ] [ cost { cost | transparent } | route-policy routepolicy-name ] * or import-route { { static | direct | unr } | { { rip | ospf |
isis } [ process-id ] } } [ cost cost | route-policy route-policy-name ] *
NOTE
Import of IBGP routes in RIP process can lead to routing loops. Administrator should take care of routing
loops before configuring permit-ibgp.
Step 5 (Optional) Run any of the following commands as required:

1.
Run filter-policy { acl-number | acl-name acl-name } export [ protocol [ processid ]| interface-type interface-number ], the imported routes are filtered when being
advertised.
2.
3.

4.

When a filtering policy of a routing protocol is used to filter routes:
If the action specified in an ACL rule is permit, a route that matches the rule will
be received or advertised by the system.
If the action specified in an ACL rule is deny, a route that matches the rule will not
If a route has not matched any ACL rules, the route will not be received or advertised
by the system.
If an ACL does not contain any rules, all routes matching the route-policy that
references the ACL will not be received or advertised by the system.
If the ACL referenced by the route-policy does not exist, all routes matching the
route-policy will be received or advertised by the system.
In the configuration order, the system first matches a route with a rule that has a
smaller number and then matches the route with a rule with a larger number. Routes
can be filtered using a blacklist or a whitelist:
Route filtering using a blacklist: Configure a rule with a smaller number and specify
the action deny in this rule to filter out the unwanted routes. Then, configure another
rule with a larger number in the same ACL and specify the action permit in this rule
to receive or advertise the other routes.
Issue 02 (2013-12-31)

2107

Equipment
8 IP Routing
Route filtering using a whitelist: Configure a rule with a smaller number and specify
the action permit in this rule to permit the routes to be received or advertised by the
system. Then, configure another rule with a larger number in the same ACL and
specify the action deny in this rule to filter out unwanted routes.
1.
Run filter-policy acl-name acl-name export [ protocol [ process-id ]| interface-type

interface-number ], the imported routes are filtered when being advertised.
2.
3.

4.
by the system.
l Based on the IP prefix: filter-policy ip-prefix ip-prefix-name export [ protocol [ processid ]| interface-type interface-number ]
If the routing information to be advertised by RIP contains the routes imported from other routing
protocols, you can specify protocol to filter the specified routes. If protocol is not specified, all
the routing information to be advertised will be filtered, including the imported routes and local
RIP routes (directly connected routes).
Issue 02 (2013-12-31)

2108

Equipment
8 IP Routing
NOTE
The Tag field in RIP is 16 bits in length, whereas the Tag field in other routing protocols is 32 bits in length.
If the routes of other routing protocols are imported and the tag is used in the routing policy, ensure that
the tag value does not exceed 65535. Otherwise, the routing policy becomes invalid or the matching result
is incorrect.
----End

After the function of controlling the advertising of RIP routing information is successfully
configured, you can view the current running status, configuration, and routing information of
RIP.
Prerequisites
The configurations of controlling the advertising of RIP routing information are complete.
Procedure
l
Run the display rip [ process-id | vpn-instance vpn-instance-name ] command to check

the running status and configuration of RIP.
Run the display rip process-id database command to check all activated routes in the RIP
database.
Run the display rip process-id route command to check all activated and inactivated RIP
routes.
----End
Example
10.0.0.0/24, cost 1, nexthop 10.0.0.1, Rip-interface
11.0.0.0/24, cost 1, nexthop 10.0.0.1, Imported
10.137.220.0/23, cost 1, [A], nexthop 10.10.10.2
8.3.5 Controlling the Receiving of RIP Routing Information

To meet the requirements of complex networks, accurately controlling the receiving of RIP
routing information is essential.
Before You Start

You can obtain RIP routing information by receiving Update packets and host routes.
Issue 02 (2013-12-31)

2109

Equipment
8 IP Routing
In practice, to meet the requirements of a complex network, it is required to control the receiving
of RIP routing information accurately. After performing configuration procedures in this section,
you can:
l
Disable an interface from receiving RIP Update packets.
Filter the received routing information.
Import external routes from various routing protocols and filter the imported routes.
Before configuring a ATN to control the receiving of RIP routing information, complete the
following tasks:
l
the network layer
Data Preparation
To control the receiving of RIP routing information, you need the following data.
No.
Data
ACL used to filter the routing information
Disabling an Interface from Receiving RIP Update Packets

Disabling interfaces from receiving Update packets is a method of preventing routing loops.
Context
By default, an interface is allowed to receive RIP Update packets.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
undo rip input
Issue 02 (2013-12-31)

2110

Equipment
8 IP Routing
The interface is disabled from receiving RIP Update packets.

----End
Disabling RIP from Receiving Host Routes

When you disable RIP from receiving host routes on a router, the router rejects to receive host
routes. This prevents the router from receiving a large number of unnecessary routes and
therefore avoiding wasting network resources.
Context
In certain situations, a ATN may receive a large number of host routes from the same network
segment. These routes are not required in route addressing, but consume many network
resources. You can configure the ATN to refuse to accept host routes by disabling RIP from
accepting host routes.
By default, host routes are added to the routing table.
Procedure
Step 1 Run:
system-view

Step 2 Run:
rip [ process-id ]

Step 3 Run:
undo host-route
RIP is disabled from adding host routes to the routing table.

NOTE
undo host-route command will not be effective in RIP version 2. By default, RIP version 2 always supports
host-route.
----End
Configuring RIP to Filter the Received Routes

By specifying ACLs and IP prefix lists, you can configure the inbound policy to filter the routes
to be received. You can also configure a router to receive only RIP packets from a specified
neighbor.
Context
The ATN can filter routing information. To filter the imported and advertised routes, you can
configure inbound and outbound routing policies by specifying ACLs and IP prefix lists.
You can also configure the ATN to receive RIP packets only from a specified neighbor.
Issue 02 (2013-12-31)

2111

Equipment
8 IP Routing
Procedure
Step 1 Run:
system-view

Step 2 Run:
rip [ process-id ]

Step 3 Depending on type of desired filtering, run one of following commands to configure RIP to filter
the received routes:
1.
Run filter-policy { acl-number | acl-name acl-name } import, the learned routing

information is filtered based on an ACL.
2.
3.

4.

by the system.

Issue 02 (2013-12-31)

2112

Equipment
8 IP Routing
1.
Run filter-policy acl-name acl-name import, the learned routing information is filtered
based on an ACL.
2.
3.

4.
by the system.
l Based on the IP prefix:

Run filter-policy gateway ip-prefix-name import, the routing information advertised by
neighbors is filtered based on the IP prefix list.
Run filter-policy ip-prefix ip-prefix-name [ gateway ip-prefix-name ] import
[ interface-type interface-number ], the routes learned by the specified interface are
filtered based on the IP prefix list and neighbors.
----End

After the function of controlling the receiving of RIP routing information is successfully
configured, you can view the current running status, configuration, and routing information of
RIP.
Issue 02 (2013-12-31)

2113

Equipment
8 IP Routing
Procedure
l

Run the display rip process-id database [ verbose ] command to check all activated RIP
routes in the database.
Run the display rip process-id interface [ interface-type interface-number ] [ verbose ]

command to check information about the RIP interface.
Run the display rip process-id neighbor [ verbose ] command to check information about
RIP neighbors.
routes.
----End
Example
172.4.0.0/16, cost 1, nexthop 192.13.14.1
192.4.5.0/24, cost 2, nexthop 192.13.14.1
192.13.14.0/24, cost 0, Rip-interface
10.137.220.0/23, cost 1, [A], nexthop 10.10.10.2
8.3.6 Configuring RIP-2 Features

Different from RIP-1, RIP-2 supports VLSM, CIDR, and authentication to ensure higher
security.
Before You Start

Before configuring RIP-2 features, familiarize yourself with the usage scenario, complete the
RIP-2 is a type of classless routing protocol. A RIP-2 packet carries subnet mask information.
Deploying a RIP-2 network saves IP addresses. For a network on which the IP addresses of
devices are not consecutive, only RIP-2 can be deployed, whereas RIP-1 cannot be deployed.
RIP-2 features include:
l
RIP-2 route summarization
RIP-2 authentication mode
Before configuring RIP-2 features, complete the following tasks:
Issue 02 (2013-12-31)

2114

Equipment
8 IP Routing
Configuring the link layer protocol
the network layer
Data Preparation
To configure RIP-2 features, you need the following data.
No.
Data
RIP-2 process ID
Network segment where the RIP-2 interface resides
Configuring RIP-2 Route Summarization

RIP-2 route summarization can reduce the size of a routing table and improve network efficiency.
By default, RIP-2 route summarization is enabled. To broadcast all subnet routes, you can disable
RIP-2 route summarization.
Context
Route summarization indicates that multiple subnet routes on the same natural network segment
are summarized into one route with the natural mask when being advertised to other network
segments. Therefore, route summarization reduces the network traffic and the size of the routing
table.
Route summarization is enabled for RIP-2 by default, but is invalid for RIP-1. To broadcast all
subnet routes, you can disable RIP-2 automatic route summarization.
NOTE
Route summarization is invalid when poison reverse is configured. When the summarized routes are sent
outside the natural network boundary, poison reverse in related views needs to be disabled.
Procedure
l
Enable RIP-2 automatic route summarization

1.
Run:
system-view

2.
Run:
rip [ process-id ]

3.
Run:
version 2
RIP-2 is configured.
Issue 02 (2013-12-31)

2115

Equipment
4.
8 IP Routing
Run:
summary [ always ]
Route summarization is enabled.

Enable the RIP-2 automatic route summarization when split horizon is disabled,
there is no need to configure always.
Enable the RIP-2 automatic route summarization irrespective of split horizon
configuration, always must be configured.
NOTE
The summary command is used in the RIP view to enable classful network-based route
summarization.
Configure RIP-2 to advertise the summary address

1.
Run:
system-view

2.
Run:

3.
Run:
rip summary-address ip-address mask [ avoid-feedback ]
The local summary address of RIP-2 is advertised.

NOTE
The rip summary-address ip-address mask [ avoid-feedback ] command is run in the

interface view to enable classless network-based route summarization.
----End
Configuring Packet Authentication of RIP-2

RIP-2 supports the ability to authenticate protocol packets and provides two authentication
modes, Simple authentication and Message Digest 5 (MD5) authentication, to enhance security.
By default, authentication is not configured for RIP. Configuring authentication is recommended
to ensure system security.
Context
RIP-2 supports two authentication modes:
l
Simple authentication
MD5 authentication
In simple authentication mode, the unencrypted authentication key is sent in every RIP-2 packet.
Therefore, simple authentication does not guarantee security, and cannot meet the requirements
for high security.
Issue 02 (2013-12-31)

2116

Equipment
8 IP Routing
NOTICE
When configuring an authentication password, select the ciphertext mode becasue the password
is saved in configuration files in plaintext if you select plaintext mode, which has a high risk.
To ensure device security, change the password periodically.
Procedure
Step 1 Run:
system-view

Step 2 Run:

l Run:
rip authentication-mode simple { [ plain ] plain-text | cipher password-key }
Simple authentication is configured for RIP-2 packets.

l Run:
rip authentication-mode md5 usual { plain plain-text | [ cipher ] password-key }
MD5 usual authentication is configured for RIP-2 packets.

l Run:
rip authentication-mode md5 nonstandard { keychain keychain-name | { { plain
plain-text | [ cipher ] password-key } key-id } }
MD5 nonstandard authentication is configured for RIP-2 packets.

l Run:
rip authentication-mode hmac-sha256 { plain plain-text | [ cipher ] passwordkey } key-id
hmac-sha256 authentication is configured for RIP-2 packets.

l Run:
rip authentication-mode keychain keychain-name
Keychain authentication is configured for RIP-2 packets.

NOTE
The MD5 type must be specified if MD5 authentication is configured. The usual type supports private
standard authentication packets, and the nonstandard type supports IETF standard authentication packets.
----End

After RIP-2 features are successfully configured, you can view the current running status,
configuration, and routing information of RIP.
Issue 02 (2013-12-31)

2117

Equipment
8 IP Routing
Prerequisites
RIP-2 features have been configured.
Procedure
l

Run the display rip process-id route command to check all the RIP routes that are learned
from other ATNs.
----End
8.3.7 Optimizing a RIP Network

You can adjust and optimize the RIP network performance by configuring RIP functions in
special network environments, such as configuring RIP timers, setting the interval for sending
packets, and setting the maximum number of packets to be sent.
Before You Start

Before adjusting and optimizing the RIP network performance, familiarize yourself with the
configuration.
On certain networks, you need to configure RIP features and optimize the performance of a RIP
network. After performing configuration procedures in this section, you can:
l
Change the convergence speed of the RIP network by adjusting the values of RIP timers.
Reduce the consumption of device resources and network bandwidth by adjusting the
number of packets to be sent by interfaces and the interval at which packets are sent.
Configure split horizon or poison reverse to prevent routing loops.
After the replay-protect function is enabled, neighbors can communicate after a RIP process
is restarted.
Check the validity of packets and authenticate packets on a network demanding high
security.
Run RIP on a link that does not support broadcast or multicast packets.
Before optimizing a RIP network, complete the following tasks:
l
the network layer
Issue 02 (2013-12-31)

2118

Equipment
8 IP Routing
Data Preparation
To optimize a RIP network, you need the following data.
No.
Data
Values of timers
Number of Update packets that an interface sends each time and interval for sending
an Update packet
Packet authentication mode and password
IP addresses of RIP neighbors
Configuring RIP Timers

RIP has three timers: Update timer, Age timer and Garbage-collect timer. Changing the values
of the three timers affects the RIP convergence speed.
Context
RIP has three timers: Update timer, Age timer and Garbage-collect timer. Changing the values
of the three timers affects the RIP convergence speed. For details on timers, see corresponding
description in the chapter "RIP" in the Feature Description - IP Routing.
Procedure
Step 1 Run:
system-view

Step 2 Run:
rip [ process-id ]

Step 3 Run:
timers rip update age garbage-collect
RIP timers are configured.
Issue 02 (2013-12-31)

2119

Equipment
8 IP Routing
NOTE
l RIP timers take effect immediately after being changed.

l Route flapping occurs if the values of the times are set improperly. The relationship between the values
is as follows: update must be smaller than age and update must be smaller than garbage-collect. For
example, if the update time is longer than the aging time, and a RIP route changes within the update
time, the ATN cannot inform its neighbors of the change on time.
l You must configure RIP timers based on the network performance and uniformly on all the ATNs
running RIP. This avoids unnecessary network traffic or route flapping.
By default, the Update timer is 30s; the Age timer is 180s; the Garbage-collect timer is four
times the Update timer, namely, 120s.
In practice, the Garbage-collect timer is not fixed. If the Update timer is set to 30s, the Garbagecollect timer may range from 90s to 120s.
Before permanently deleting an unreachable route from the routing table, RIP advertises this
route (with the metric being set to 16) by periodically sending Update packets four times.
Subsequently, all the neighbors know that this route is unreachable. Because a route may not
always become unreachable at the beginning of an Update period, the Garbage-collect timer is
actually three or four times the Update timer.
----End
Setting the Interval for Sending Packets and the Maximum Number of the Sent
Packets
By setting the interval for sending RIP Update packets and the maximum number of Update
packets to be sent each time, you can effectively control the memory used by a ATN to process
RIP Update packets.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
rip pkt-transmit { interval interval | number pkt-count }
The interval for sending Update packets and the maximum number of packets sent each time
are set on the interface.
----End
Issue 02 (2013-12-31)

2120

Equipment
8 IP Routing
Configuring Split Horizon and Poison Reverse

You can configure split horizon and poison reverse to prevent routing loops.
Context
If both split horizon and poison reverse are configured, only poison reverse takes effect.
On Non-Broadcast Multi-Access (NBMA) networks such as frame relay (FR) and X.25
networks, if no sub-interface is configured, split horizon needs to be disabled to ensure that
routing information is transmitted accurately.
Procedure
Step 1 Run:
system-view

Step 2 Run:

l Run:
rip split-horizon
Split horizon is enabled.

l Run:
rip poison-reverse
Poison reverse is enabled.

----End
Enabling replay-protect Function

By enabling the replay-protect function, you can obtain the Identification field in the last RIP
packet sent by a RIP interface before it goes Down. This prevents RIP routing information on
both ends from being unsynchronized or lost.
Context
If the Identification field in the last RIP packet sent before a RIP interface goes Down is X, after
the interface goes Up, the Identification field in the subsequent RIP packet sent by this interface
becomes 0. If the remote end does not receive the RIP packet with the Identification field being
0, subsequent RIP packets will be discarded until the remote end receives the RIP packet with
the Identification field being X+1. This leads to the unsynchronization and loss of RIP routing
information of both ends.
To solve this problem, you need to enable the replay-protect function so that RIP can obtain the
Identification field in the last RIP packet sent before the RIP interface goes Down and increase
the Identification field in the subsequent RIP packet by one.
Issue 02 (2013-12-31)

2121

Equipment
8 IP Routing
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
l
rip authentication-mode md5 nonstandard
RIPv2 is configured to use MD5 authentication, and authentication packets use the
nonstandard packet format.
l
rip authentication-mode hmac-sha256

key } key-id
{ plain plain-text | [ cipher ] password-
RIPv2 is configured to use HMAC-SHA256 authentication.

l Run:
rip authentication-mode keychain keychain-name
Keychain authentication is configured for RIP-2 packets.

NOTE
Before running the rip replay-protect command, run the rip authentication-mode md5 nonstandard
command or the rip authentication-mode hmac-sha256 { plain plain-text | [ cipher ] password-key }
key-id in the RIP interface view to configure cryptographic authentication packets .
Step 4 Run:
rip replay-protect
The replay-protect function is enabled.

NOTE
l For details of the Identification field in an IP packet, see Feature Description - IP Services.
l If you run the rip replay-protect command in the same view multiple times, only the last configuration
takes effect.
----End
Configuring RIP to Check the Validity of Update Packets

The check on RIP Update packets includes the check on zero fields in RIPv1 packets and the
check on source addresses of RIP Update packets. The two types of check have different
functions and applications.
Context
Issue 02 (2013-12-31)

2122

Equipment
8 IP Routing
Procedure
l
Configuring the Zero Field Check for RIPv1 Packets

1.
Run:
system-view

2.
Run:
rip [ process-id ]

3.
Run:
checkzero
The zero field check is configured for RIPv1 packets.

Certain fields in a RIPv1 packet must be 0s, and these fields are called zero fields.
RIPv1 checks the zero fields on receiving a packet. If the value of any zero field in a
RIPv1 packet is not 0, this packet is not processed.
As a RIPv2 packet does not contain any zero field, configuring the zero field check
is invalid in RIPv2.
l
Configuring the Source Address Check for RIP Update Packets

1.
Run:
system-view

2.
Run:
rip [ process-id ]

3.
Run:
verify-source
The source address check is configured for RIP Update packets.

When receiving a packet, RIP checks the source address of the packet. If the packet
fails in the check, it is not processed.
By default, the source address check is enabled.
----End
Configuring RIP Neighbors

Generally, RIP sends packets by using broadcast or multicast addresses. To run RIP on the links
that do not support the forwarding of broadcast or multicast packets, you need to specify RIP
neighbors.
Context
Generally, RIP sends packets by using broadcast or multicast addresses. If RIP needs to run on
the links that do not support the forwarding of broadcast or multicast packets, you need to
configure the devices at both ends of the link as each other's neighbor.
Issue 02 (2013-12-31)

2123

Equipment
8 IP Routing
Procedure
Step 1 Run:
system-view

Step 2 Run:
rip [ process-id ]

Step 3 Run:
peer ip-address
The RIP neighbor is configured.

----End

After the function of adjusting and optimizing the RIP network performance is successfully
configured, you can view the current running status, routing information, neighbor information,
and interface information of RIP.
Prerequisites
The configurations of optimizing a RIP network are complete.
Procedure
l


command to check information about the RIP interface.
Run the display rip process-id neighbor [ verbose ] command to check information about
RIP neighbors.
routes.
----End
Example
command, and you can view RIP information about the specified interface. The command output
shows that the interface status is Up.
<HUAWEI> display rip 1 interface gigabitethernet0/2/0
Issue 02 (2013-12-31)

2124

Equipment
8 IP Routing
-----------------------------------------------------------------Interface
IP Address
State
Protocol
MTU
-----------------------------------------------------------------GE 1/0/0
1.1.1.2
UP
RIPv1 Compatible
500
8.3.8 Configuring RIP GR

This section describes how to configure RIP GR to avoid incorrect route calculation and packet
loss after a RIP router restarts.
Before You Start

In practice, you can configure RIP GR on the device with two main control boards to prevent
service forwarding from being affected by the fault on one main control board.
To avoid traffic interruption and route flapping caused by master/slave switchover, you can
enable RIP graceful restart (GR). GR is a technology used to ensure normal traffic forwarding
and non-stop forwarding of key services during the restart of routing protocols.
After a RIP process is restarted through GR, the Restarter and the Helper re-establish the
neighbor relationship and update the routing table and forwarding table. This ensures non-stop
traffic forwarding and stabilizes the network topology. During RIP GR, except the neighbor of
the device where master/slave switchover occurs, other ATNs do not detect the route change.
NOTE
In practice, you can configure RIP GR on the device with two main control boards to prevent service
forwarding from being affected by the fault on one main control board.
Before configuring RIP GR, complete the following tasks:
l
the network layer
Configuring basic RIP functions, establish the neighbor relationship successfully
Data Preparation
To configure RIP GR, you need the following data
No.
Data
RIP process ID
Parameters for establishing a GR session
Enabling RIP GR
To avoid traffic interruption and route flapping caused by master/slave switchover, you can
enable RIP GR.
Issue 02 (2013-12-31)

2125

Equipment
8 IP Routing
Context
Perform the following steps on the ATN to be enabled with GR:
Procedure
Step 1 Run:
system-view

Step 2 Run:
rip [ process-id ]
The RIP view is displayed.

Step 3 Run:
graceful-restart [ period period | wait-time time | planned-only time ]
RIP GR is enabled.
When most ATNs on a network do not support RIP GR, setting wait-time time to a larger value
is recommended. This ensures that the Restarter has enough time to learn correct routes.
----End
Follow-up Procedure
If the Restarter finishes GR within the GR period specified by period period, the Restarter
automatically exits from GR. Otherwise, the Restarter is forced to exit from GR.

After RIP GR is configured, you can check the RIP GR status.
Prerequisites
The configurations of RIP GR are complete.
Procedure
l
Run the display rip process-id graceful-restart [ verbose ] command to check the status
of RIP GR.
----End
Example
Run the display rip 1 graceful-restart command, and you can view the GR configuration of
RIP process 1.
<HUAWEI> display rip 1 graceful-restart
Restart mode
: None
Restart status
: None
Last complete reason : None
Issue 02 (2013-12-31)

2126

Equipment
8 IP Routing
8.3.9 Configuring BFD for RIP

On a network that runs high-rate data services, BFD for RIP can be configured to quickly detect
and respond to network faults.
Generally, RIP uses timers to receive and send Update messages to maintain neighbor
relationships. If a RIP device does not receive an Update message from a neighbor after the Age
timer expires, the RIP device will announce that this neighbor goes Down. The default value of
the Age timer is 180s. If a link fault occurs, RIP can detect this fault after 180s. If high-rate data
services are deployed on a network, a great deal of data will be lost during the aging time.
BFD provides millisecond-level fault detection. It can rapidly detect faults in protected links or
nodes and report them to RIP. This speeds up RIP processes's response to network topology
changes and achieves rapid RIP route convergence.
In BFD for RIP, BFD session establishment is triggered by RIP. When establishing a neighbor
relationship, RIP will send detection parameters of the neighbor to BFD. Then, a BFD session
will be established based on these detection parameters. If a link fault occurs, the local RIP
process will receive a neighbor unreachable message within seconds. Then, the local RIP device
will delete routing entries in which the neighbor relationship is Down and use the backup path
to transmit messages.
Either of the following methods can be used to configure BFD for RIP:
l
Enable BFD in a RIP process: This method is recommended when BFD for RIP needs to
be enabled on most RIP interfaces.
Enable BFD on RIP interfaces: This method is recommended when BFD for RIP needs
to be enabled on a small number of RIP interfaces.
Before configuring BFD for RIP, complete the following tasks:
l
Assigning an IP address to each interface to ensure reachability between neighboring nodes

at the network layer
Data Preparation
No.
Data
ID of a RIP process to be enabled with BFD
Type and number of an interface to be enabled with BFD
(Optional) BFD session parameter values

NOTE
Default BFD session parameter values are recommended.
Issue 02 (2013-12-31)

2127

Equipment
8 IP Routing
Procedure
l
Enable BFD in a RIP process.

1.
Run:
system-view

2.
Run:
bfd
BFD is enabled globally.

3.
Run:
quit

4.
Run:
rip process-id
The RIP view is displayed.

5.
Run:
bfd all-interfaces enable
BFD is enabled in the RIP process to establish a BFD session.

If BFD is enabled globally, RIP will use default BFD parameters to establish BFD
sessions on all the interfaces where RIP neighbor relationships are in the Up state.
6.
(Optional) Run:
bfd all-interfaces { min-rx-interval min-receive-value | min-tx-interval
min-transmit-value | detect-multiplier detect-multiplier-value } *
The values of BFD parameters used to establish the BFD session are set.
BFD parameter values are determined by the actual network situation and network
reliability requirement.
If links have a high reliability requirement, reduce the interval at which BFD
packets are sent.
If links have a low reliability requirement, increase the interval at which BFD
packets are sent.
Running the bfd all-interfaces command changes BFD session parameters on all RIP
interfaces. The default detection multiplier and interval at which BFD packets are sent
are recommended.
7.
(Optional) Perform the following operations to prevent an interface in the RIP process
from establishing a BFD session:
Run the quit command to return to the system view.
Run the interface interface-type interface-number command to enter the view of
a specified interface.
Run the rip bfd block command to prevent the interface from establishing a BFD
session.
Enable BFD on RIP interfaces.

1.
Issue 02 (2013-12-31)
Run:
2128

Equipment
8 IP Routing
system-view

2.
Run:
bfd

3.
Run:
quit

4.
Run:
The view of the specified interface is displayed.

5.
Run:
rip bfd enable
BFD is enabled on the interface to establish a BFD session.

6.
(Optional) Run:
rip bfd { min-rx-interval min-receive-value | min-tx-interval mintransmit-value | detect-multiplier detect-multiplier-value } *
The values of BFD parameters used to establish the BFD session are set.
----End

After enabling BFD for RIP at both ends of a link, run the display rip bfd session { interface
interface-type interface-number | neighbor-id | all } command. You can see that the BFDState
field value on the local ATN is displayed Up. For example:
<HUAWEI> display rip 1 bfd session all
LocalIp
:10.1.0.1
RemoteIp :10.1.0.2
BFDState :Up
TX
:1000
RX
:1000
Multiplier:3
BFD Local Dis:8192
Interface :GigabitEthernet0/2/0
DiagnosticInfo: No diagnostic information
LocalIp
:20.1.0.1
RemoteIp :20.1.0.2
BFDState :Up
TX
:1000
RX
:1000
Multiplier:3
BFD Local Dis:8193
Interface :GigabitEthernet0/2/1
DiagnosticInfo: No diagnostic information
8.3.10 Configuring Static BFD for RIP

BFD provides link failure detection featuring light load and high speed. Static BFD for RIP is
a mode to implement the BFD function.
Context
Establishing BFD sessions between RIP neighbors can rapidly detect faults on links and speed
up response of RIP to network topology changes. Static BFD implements the following
functions: Two-arm BFD: If all the devices on a network support BFD, configure two-arm BFD
to implement fault detection.
Static BFD must be enabled using a command and session parameters are also set using
commands.
Issue 02 (2013-12-31)

2129

Equipment
8 IP Routing
Before configuring static BFD for RIP, complete the following tasks:
l
Assigning an IP address to each interface to ensure IP connectivity
Configuring basic RIP functions
Data Preparation
No.
Data
ID of a RIP process
Type and number of the interface to be enabled with BFD
Procedure
Step 1 Enable BFD globally.
1.
Run:
system-view

2.
Run:
bfd

3.
Run:
quit

Step 2 Configure two-arm BFD.
1.
Run:
bfd bfd-name bind peer-ip ip-address [ interface interface-type interfacenumber ]
BFD binding is created.

If a peer IP address and a local interface are specified, BFD detects only a single-hop link,
that is, a route with the interface specified in the bfd command as the outbound interface
and with the peer IP address specified in the peer-ip command as the next-hop address.
2.
Set discriminators.
l Run:
The local discriminator is set.

l Run:
The remote discriminator is set.

Issue 02 (2013-12-31)

2130

Equipment
8 IP Routing
The local discriminator must be the remote discriminator of the device on the other end;
otherwise, a BFD session cannot be established. The local and remote discriminators cannot
be modified after being configured.
NOTE
local discr-value set on the local device is the same as that of remote discr-value set on the remote
device.remote discr-value set on the local device is the same as that of local discr-value set on the
remote device.
3.
Run:
commit

4.
Run:
quit

Step 3 Enable static BFD on an interface.
1.
Run:

2.
Run:
rip bfd static
Static BFD is enabled on the interface.

3.
Run:
quit

----End

After configuring static BFD for RIP, run the display rip process-id command to check BFD
for RIP configurations on the specified interface. interface [ interface-type interface-number ]
verbose
Run the display rip process-id interface interface-type interface-number verbosecommand.
The command output shows that static BFD has been enabled on GigabitEthernet0/2/1. For
example:
<HUAWEI> display rip 1 interface gigabitethernet0/2/1 verbose
GigabitEthernet0/2/1 (81.1.1.1)
State
: UP
MTU : 500
Metricin : 0
Metricout : 1
Input
: Enabled
Output
: Enabled
Protocol : RIPv1 Compatible (Non-Standard)
Send
: RIPv1 Packets
Receive : RIPv1 Packets, RIPv2 Multicast and Broadcast Packets
Poison-reverse
: Disabled
Split-Horizon
: Enabled
Authentication type : None
Replay Protection
: Disabled
BFD
: Enabled (Static)
Issue 02 (2013-12-31)

2131

Equipment
8 IP Routing
Summary Address (es):

1.1.0.0/16
8.3.11 Configuring the Network Management Function in RIP

By binding RIP to MIBs, you can view and configure RIP through the NMS.
Before You Start

Before binding RIP to MIBs, familiarize yourself with the usage scenario, complete the preconfiguration tasks, and obtain the data required for the configuration.
After performing configuration procedures in this section, you can bind RIP to a MIB.
Before configuring the network management function in RIP, complete the following tasks:
l
the network layer
Data Preparation
None.
Binding RIP to MIBs

Before binding RIP to MIBs, you need to specify the RIP process ID.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
rip mib-binding process-id
RIP is bound to MIBs.

This command is used to bind a RIP process ID to MIBs and specify the ID of the RIP process
that accepts Simple Network Management Protocol (SNMP) requests.
----End
Issue 02 (2013-12-31)

2132

Equipment
8 IP Routing

After RIP and MIBs are successfully bound, you can view binding information in the current
RIP configuration.
Prerequisites
The network management function in RIP has been configured.
Procedure
Step 1 Run the display current-configuration command to check the parameters that take effect on
the ATN.
----End
8.3.12 Maintaining RIP

This section describes how to reset RIP connections and clear RIP information.
Resetting RIP
Restarting RIP can reset RIP.
Context
NOTICE
The RIP neighbor relationship is deleted after you reset RIP connections with the reset rip
command. Exercise caution when running this command.
To reset RIP connections, run the following reset commands in the user view.
Procedure
l
Run the reset rip process-id configuration command in the user view to reset the
parameters of the specified RIP process. When the RIP process starts, all parameters use
default values.
----End
Clearing RIP
This section describes how to clear statistics about RIP counters.
Issue 02 (2013-12-31)

2133

Equipment
8 IP Routing
Context
NOTICE
RIP information cannot be restored after it is cleared. Exercise caution when running the
commands.
To clear RIP information, run the following reset command in the user view.
Procedure
l
Run the reset rip process-id statistics [ interface { all | interface-type interface-number
[ neighbor neighbor-ip-address ] } ] command in the user view to clear statistics about the
counter that is maintained by a specified RIP process.
----End

In actual networking, RIP versions and whether to import external routes will affect which routes
can be learned.
Example for Configuring RIP Version

Before using RIP, you need to configure basic RIP functions and specify a RIP version. You
can run commands to view the configuration results.
As shown in Figure 8-6, it is required that RIP be enabled on all interfaces of ATN-A, CX-B,
CX-C, and CX-D and the devices interconnect with each other through RIP-2.
Figure 8-6 Networking diagram of configuring the RIP version number
CX-C
POS2/0/0
172.16.1.2/24
CX-B
POS2/0/0
172.16.1.1/24
GE1/0/0
192.168.1.2/24
POS3/0/0
10.1.1.1/24
GE0/2/0
192.168.1.1/24
ATN-A
Issue 02 (2013-12-31)

POS3/0/0
10.1.1.2/24
CX-D
2134

Equipment
8 IP Routing
1.
Configure the IP address of each interface to make the network layers accessible.
2.
Enable RIP on each device and configure basic RIP functions.
3.
Configure RIP-2 on each device and check the subnet masks.
Data Preparation
Equipment Name
Parameter Name
Parameter Value
ATN-A
RIP network segment
192.168.1.0
RIP version
RIP-2
RIP network segment
192.168.1.0, 172.16.0.0,
10.0.0.0
RIP version
RIP-2
RIP network segment
172.16.0.0
RIP version
RIP-2
RIP network segment
10.0.0.0
RIP version
RIP-2
CX-B
CX-C
CX-D

l
RIP network segment 192.168.1.0 on ATN-A
RIP network segment 192.168.1.0, 172.16.0.0, and 10.0.0.0 on CX-B
RIP network segment 172.16.0.0 on CX-C
RIP network segment 10.0.0.0 on CX-D
RIP-2 on ATN-A, CX-B, CX-C, and CX-D
Procedure
Step 1 Configure the IP address of each interface
The details are not mentioned here.
Step 2 Configure basic RIP functions.
# Configure ATN-A.
[ATN-A] rip
[ATN-A-rip-1] network 192.168.1.0
[ATN-A-rip-1] quit
# Configure CX-B.
[CX-B] rip
Issue 02 (2013-12-31)

2135

Equipment
[CX-B-rip-1]
[CX-B-rip-1]
[CX-B-rip-1]
[CX-B-rip-1]
8 IP Routing
network 192.168.1.0
network 172.16.0.0
network 10.0.0.0
quit
# Configure CX-C.
[CX-C] rip
[CX-C-rip-1] network 172.16.0.0
[CX-C-rip-1] quit
# Configure CX-D.
[CX-D] rip
[CX-D-rip-1] network 10.0.0.0
[CX-D-rip-1] quit
# Check the RIP routing table of ATN-A.

[ATN-A] display rip 1 route
Route Flags: R - RIP, T - TRIP
P - Permanent, A - Aging, S - Suppressed, G - Garbage-collect
------------------------------------------------------------------------Peer 192.168.1.2 on GigabitEthernet0/2/0
Destination/Mask
Nexthop
Cost
Tag
Flags
Sec
10.0.0.0/8
192.168.1.2
1
0
RA
14
172.16.0.0/16
192.168.1.2
1
0
RA
14
192.168.1.0/24
192.168.1.2
1
0
RA
14
From the routing table, you can view that the routes advertised by RIP-1 use natural masks.
Step 3 Configure the RIP version number.
# Configure RIP-2 on ATN-A.
[ATN-A] rip
[ATN-A-rip-1] version 2
[ATN-A-rip-1] quit
# Configure RIP-2 on CX-B.

[CX-B] rip
[CX-B-rip-1] version 2
[CX-B-rip-1] quit
# Configure RIP-2 on CX-C.

[CX-C] rip
[CX-C-rip-1] version 2
[CX-C-rip-1] quit
# Configure RIP-2 on CX-D.

[CX-D] rip
[CX-D-rip-1] version 2
[CX-D-rip-1] quit

# Check the RIP routing table of ATN-A.
[ATN-A] display rip 1 route
Route Flags: R - RIP
A - Aging, S - Suppressed, G - Garbage-collect
------------------------------------------------------------------------Peer 192.168.1.2 on GigabitEthernet0/2/0
Destination/Mask
Nexthop
Cost
Tag
Flags
Sec
10.1.1.0/24
192.168.1.2
1
0
RA
32
Issue 02 (2013-12-31)

2136

Equipment
172.16.1.0/24
192.168.1.0/24
8 IP Routing
192.168.1.2
192.168.1.2
0
1
RA
RA
32
14
From the routing table, you can view that the routes advertised by RIP-2 contain accurate subnet
masks.
----End
Configuration Files
l

#
sysname ATN-A
#
link-protocol ppp
undo shutdown
ip address 192.168.1.1 255.255.255.0
#
rip 1
version 2
network 192.168.1.0
#
return

#
sysname CX-B
#
undo shutdown
ip address 192.168.1.2 255.255.255.0
#
interface Pos2/0/0
link-protocol ppp
undo shutdown
ip address 172.16.1.1 255.255.255.0
#
interface Pos3/0/0
link-protocol ppp
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
rip 1
version 2
network 192.168.1.0
network 172.16.0.0
network 10.0.0.0
#
return

#
sysname CX-C
#
interface Pos2/0/0
link-protocol ppp
undo shutdown
ip address 172.16.1.2 255.255.255.0
#
rip 1
version 2
network 172.16.0.0
#
return
Issue 02 (2013-12-31)

2137

Equipment
8 IP Routing

#
sysname CX-D
#
interface Pos3/0/0
link-protocol ppp
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
rip 1
version 2
network 10.0.0.0
#
return
Example for Configuring RIP to Import External Routes

To obtain more RIP routing information, you can configure RIP to import external routes. You
can run commands to view the configuration results.
As shown in Figure 8-7, two RIP processes, RIP 100 and RIP 200, run on ATN-A. ATN-A
exchanges routing information with NodeB through RIP 100. ATN-A exchanges routing
information with CX-C through RIP 200.
It is required that the two processes of ATN-A import the RIP routes from each other. The cost
of the imported RIP 200 routes defaults to 3.
It is required that a filtering policy be configured on ATN-A to filter out the imported RIP 200
route 192.168.4.0/24 and prevent it from being advertised to NodeB.
Figure 8-7 Networking diagram of configuring RIP to import external routes
CX-C
GE1/0/0
192.168.2.2/24
GE0/2/0
192.168.1.2/24
NodeB
RIP 100
GE0/2/4
ATN-A 192.168.2.1/24
RIP 200
GE2/0/0
192.168.3.1/24
GE3/0/0
192.168.4.1/24
1.
Issue 02 (2013-12-31)
Enable RIP 100 and RIP 200 on each device and specify the network segments.
2138

Equipment
8 IP Routing
2.
Configure the two processes on ATN-A to import the routes from each other and set the
default cost of the imported RIP 200 routes to 3.
3.
Configure an ACL on ATN-A to filter the routes imported from RIP 200.
Data Preparation
l
RIP 100 on NodeB and the network segment 192.168.1.0 and 192.168.0.0
RIP 100 and RIP 200 on ATN-A and the network segment 192.168.1.0 and 192.168.2.0
RIP 200 on CX-C and the network segment 192.168.2.0, 192.168.3.0, and 192.168.4.0
Default cost of the imported RIP 200 routes as 3; ACL 2000 to deny the route with the
source network segment of 192.168.4.0 and import RIP100 routes to RIP 200
Procedure
Step 1 Configure the IP address of each interface.
The details are not mentioned here.
Step 2 Configure basic RIP functions.
# Enable RIP process 100 on NodeB.
# Enable the two RIP processes, process 100 and process 200, on ATN-A.
[ATN-A] rip 100
[ATN-A-rip-100]
[ATN-A-rip-100]
[ATN-A] rip 200
[ATN-A-rip-200]
[ATN-A-rip-200]
network 192.168.1.0
quit
network 192.168.2.0
quit
# Enable RIP process 200 on CX-C.

[CX-C] rip 200
[CX-C-rip-200] network 192.168.2.0
[CX-C-rip-200] network 192.168.3.0
[CX-C-rip-200] network 192.168.4.0
[CX-C-rip-1] quit
# Check the routing table of NodeB.

Step 3 Configure RIP to import external routes.
# Set the default route cost to 3 on ATN-A and import the routes of the two RIP processes into
the routing table of each other.
[ATN-A] rip 100
[ATN-A-rip-100] default-cost 3
[ATN-A-rip-100] import-route rip 200
[ATN-A-rip-100] quit
[ATN-A] rip 200
[ATN-A-rip-200] import-route rip 100
[ATN-A-rip-200] quit
[ATN-A-rip-1] quit
# Check the routing table of NodeB after the routes are imported.
Issue 02 (2013-12-31)

2139

Equipment
8 IP Routing
Step 4 Configure RIP to filter the imported routes.

# Configure an ACL on ATN-A and set a rule to deny the packets with the source address of
192.168.4.0/24.
[ATN-A] acl 2000
[ATN-A-acl-basic-2000] rule deny source 192.168.4.0 0.0.0.255
[ATN-A-acl-basic-2000] rule permit
[ATN-A-acl-basic-2000] quit
# Filter out the imported route 192.168.4.0/24 of RIP 200 on ATN-A according to the ACL rule.
[ATN-A] rip 100
[ATN-A-rip-100] filter-policy 2000 export

# Check the routing table of NodeB after the filtering.
----End
Configuration Files
l

#
sysname ATN-A
#
acl number 2000
rule 5 deny source 192.168.4.0 0.0.0.255
rule 10 permit
#
undo shutdown
ip address 192.168.1.2 255.255.255.0
#
undo shutdown
ip address 192.168.2.1 255.255.255.0
#
rip 100
default-cost 3
network 192.168.1.0
import-route rip 200
#
rip 200
network 192.168.2.0
import-route rip 100
#
return

#
sysname CX-C
#
undo shutdown
ip address 192.168.3.1 255.255.255.0
#
undo shutdown
ip address 192.168.4.1 255.255.255.0
#
undo shutdown
Issue 02 (2013-12-31)

2140

Equipment
8 IP Routing
ip address 192.168.2.2 255.255.255.0

#
rip 200
network 192.168.2.0
network 192.168.3.0
network 192.168.4.0
#
return
8.4 RIPng Configuration

RIPng is an extension of RIP for support of IPv6.
8.4.1 Introduction
RIPng is the extension of RIPv2 on IPv4 networks. Most RIP concepts apply to RIPng.
RIPng Overview
RIPng is a distance-vector routing protocol, which measures the distance to the destination host
by the hop count.
The Routing Information Protocol Next Generation (RIPng) protocol is an extension of RIPv2
that is applied to IPv4 networks. Most RIP-related concepts are applicable to RIPng.
Extension of RIP
For IPv6 applications, RIPng extends RIP as follows:
l
UDP port number: In RIPng, UDP port number 521 is used to send and receive routing
information.
Multicast group address: In RIPng, FF02::9 is used as the multicast group address of RIPng
routers.
Prefix length: In RIPng, the prefix length of a destination address is 128 bits (the mask
length).
Next-hop address: In RIPng, a next-hop address is a 128-bit IPv6 address.
Source address: In RIPng, link-local address is used as the source address to send RIPng
Update packets.
Operation Principle of RIPng

RIPng is a distance-vector routing protocol. It exchanges routing information by using User
Datagram Protocol (UDP) packets through the port 521.
RIPng employs the hop count to measure the distance to the destination. The distance is called
the routing metric. In RIPng, the hop count from the ATN to its directly connected network is
0, and the hop count from the ATN to a network, which can be reached through another ATN,
is 1. The hop count that is equal to or exceeds 16 is defined as infinity, indicating that the
destination network or host is unreachable.
By default, RIPng sends an Update packet every 30 seconds. If no Update packet is received
from a neighbor in 180 seconds, RIPng marks all the routes learned from the neighbor as
Issue 02 (2013-12-31)

2141

Equipment
8 IP Routing
unreachable. If no Update packet is received from a neighbor in 300 seconds, RIPng deletes the
routes of the neighbor from the routing table.
To prevent routing loops, RIPng supports split horizon and poison reverse. In addition, RIPng
can import routes from other routing protocols.
Each ATN running RIPng manages a routing database, which contains routing entries to all
accessible destinations on a network. These routing entries contain the following information:
l
Destination address: indicates the IPv6 address of a host or network.
Next-hop address: indicates the address of the next ATN to the destination.
Interface: indicates the interface through which an IP packet is forwarded.
Cost: indicates the hop count to the destination. The value is an integer that ranges from 0
to 16. If the value is 16, it indicates that the destination host or network is unreachable.
Timer: indicates the time since a routing entry is last updated. The timer is reset to 0 when
a routing entry is updated.
Route tag: indicates a label that differentiates routes of interior routing protocols and those
of exterior routing protocols.
RIPng Features Supported by the ATN

The RIPng features supported by the ATN include split horizon and poison reverse.
In the ATN, you can modify the routing policy of RIPng by configuring RIPng route attributes.
You can also control the advertising and receiving of RIPng routing information to meet the
requirements of a complex network. On certain networks, you can configure RIPng features to
optimize the RIPng network performance.
8.4.2 Configuring Basic RIPng Functions

To implement RIPng features, you need to configure basic RIPng functions, including creating
RIPng processes and enabling RIPng on interfaces.
Before You Start

To make a ATN learn the routes to the network segment of an interface, ensure that the link
status of the interface is Up.
The configuration of basic RIPng functions involves the configuration of basic RIPng features.
After the configuration, the RIPng features are available.
During the RIPng configuration, you must enable RIPng in the system view first. If you run
RIPng-related commands in the interface view, these commands take effect only after RIPng is
enabled in the system view.
Before configuring basic RIPng functions, complete the following tasks:
l
Issue 02 (2013-12-31)
Enabling IPv6 on the ATN

2142

Equipment
8 IP Routing
Configuring IPv6 addresses for interfaces to ensure that neighboring nodes are reachable
Data Preparation
To configure basic RIPng functions, you need the following data.
No.
Data
RIPng process ID
Interface to be enabled with RIPng
Enabling RIPng and Entering the RIPng View

Creating RIPng processes is the prerequisite to performing RIPng configurations. When creating
RIPng processes, you can also enter the RIPng view to perform configurations.
Context
Perform the following steps on the ATN to be enabled with RIPng:
Procedure
Step 1 Run:
system-view

Step 2 Run:
ripng [ process-id ]
The RIPng process is enabled and the RIPng view is displayed.

When only one RIPng process runs, process-id does not need to be specified. That is, processid defaults to 1.
After the RIPng process is cancelled, the ripng process-id enable command needs to be
reconfigured on an interface.
description
Descriptions for RIPng processes are configured.

----End
Enabling RIPng in the Interface View

After an interface is associated with a RIPng process, routing information on this interface can
be exchanged through RIPng.
Issue 02 (2013-12-31)

2143

Equipment
8 IP Routing
Context
Perform the following steps on the ATN to be enabled with RIPng:
Procedure
Step 1 Run:
system-view

Step 2 Run:

The interface is at the network side of the ATN. That is, the ATN is connected to other devices
through this interface. To enable the ATN to learn routes to the network segment where the
interface resides, ensure that the link status of the interface is Up.
Step 3 Run:
ripng process-id enable
RIPng is enabled on the specified interface.

NOTE
In the interface view, this command cannot be executed if IPv6 is not enabled.
If the ATN connects to other devices through multiple interfaces, repeatedly perform Step 2 and
Step 3.
----End

After basic RIPng functions are successfully configured, you can view the configuration and
routing information of RIPng.
Prerequisites
Basic RIPng functions has been configurede.
Procedure
l
Run the display ripng process-id route command to check all the RIPng routes that are
learned from other ATNs.
----End
Example
<HUAWEI> display ripng 100
RIPng process : 100
Preference : 100
Checkzero : Enabled
Default-cost : 0
Issue 02 (2013-12-31)

2144

Equipment
8 IP Routing
Update time
: 30 sec
Age time : 180 sec
Garbage-collect time : 120 sec
Number of periodic updates sent : 0
Number of trigger updates sent : 1
Total count for 1 process :
Number of routes sendable in a periodic update : 0
Number of routes sent in last periodic update : 0
Run the display ripng process-id route command, and you can view all activated and inactivated
RIPng routes of the specified RIPng process.
<HUAWEI> display ripng 100 route
Route Flags: R - RIPng
A - Aging, G - Garbage-collect
---------------------------------------------------------------Dest 3FFE:C00:C18:1::/64,
via FE80::200:5EFF:FE04:B602, cost 2, tag 0, RA, 34 Sec
Dest 3FFE:C00:C18:2::/64,
Dest 3FFE:C00:C18:1::/64,
Dest 3FFE:C00:C18:3::/64,
Dest 100::/32,
via FE80::200:5EFF:FE04:3302, cost 2, tag 0, RA, 6 Sec
Dest 4000:1::/64,
Dest 4000:2::/64,
Dest 4000:3::/64,
Dest 4000:4::/64,
8.4.3 Configuring RIPng Route Attributes

By setting RIPng route attributes, you can change RIPng routing policies.
Before You Start

RIPng route attributes include the RIPng preference and interface metric.
To meet the requirements of a complex network, you can change RIPng routing policies by
configuring RIPng route attributes. After performing configuration procedures in this section,
you can:
l
Change the matching order of routing protocols by configuring the RIPng preference when
multiple routing protocols discover routes to the same destination.
Affect route selection by changing the additional metric of a RIPng interface.
Before configuring RIPng route attributes, complete the following tasks:
Issue 02 (2013-12-31)

2145

Equipment
8 IP Routing
Data Preparation
To configure RIPng route attributes, you need the following data.
No.
Data
RIPng preference
Additional metric of the interface
Configuring the RIPng Preference

When there are routes discovered by multiple routing protocols on the same router, you can
make the router prefer RIPng routes by setting the RIPng preference.
Context
Each routing protocol has its preference, according to which a routing policy selects the optimal
route. The RIPng preference can be set manually. The greater the value is, the lower the
preference is.
Perform the following steps on the RIPng ATN:
Procedure
Step 1 Run:
system-view

Step 2 Run:
The RIPng process is enabled and the RIPng view is displayed.

Step 3 Run:
preference { preference | route-policy route-policy-name } *
The RIPng preference is set.

----End
Configuring Additional Metrics of an Interface

You can set additional metrics for received and sent RIPng routes by using different commands.
Issue 02 (2013-12-31)

2146

Equipment
8 IP Routing
Context
The additional route metric is the metric (hop count) to be added to the original metric of a RIPng
route.
l
The ripng metricin command is used to configure a device to add an additional metric to
a received route before the device adds the route to its routing table, causing the metric of
the route in the routing table to change. Running this command affects route selection on
the device and other devices.
The ripng metricout command is used to configure a device to add an additional metric
to a route before the device advertises the route, keeping the metric of the route in the
routing table unchanged. Running this command does not affect route selection on the local
device but will affect route selection of other devices.
You can specify the value of the metric to be added to the RIPng route that passes the filtering
policy by specifying value1 through an IPv6 ACL or an IPv6 prefix list. If a RIPng route does
not pass the filtering, its metric is increased by 1.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ripng metricin value
The metric added to a received route is set.

Step 4 Run:
ripng metricout { value | { acl6-number | acl6-name acl6-name | ipv6-prefix ipv6prefix-name } value1 }
The metric added to a sent route is set.

NOTE
If the ATN connects to other RIPng ATNs through multiple interfaces, repeatedly perform Step 2 to Step
4 until metrics of all links are set.
----End

After RIPng route attributes are successfully set, you can view the configuration and routing
information of RIPng.
Prerequisites
RIPng route attributes has been configured.
Issue 02 (2013-12-31)

2147

Equipment
8 IP Routing
Procedure
l
Run the display ripng [ process-id | vpn-instance vpn-instance-name ] command to check

the running status and configuration of RIPng.
Run the display ripng process-id database command to check all activated routes in the
RIPng database.
----End
8.4.4 Controlling the Advertising of RIPng Routing Information

To meet the requirements of complex networks, it is required to accurately control the advertising
of RIPng routing information.
Before You Start

RIPng routing information can be advertised through route summarization, default routes, and
imported external routes.
To meet the requirements of a complex network, you need to control the advertising of RIPng
routing information accurately. After performing configuration procedures in this section, you
can:
l
Advertise default routes to neighbors.
Suppress interfaces from sending RIPng Update packets.
Import external routes from various routing protocols and filter routes to be advertised.
Before configuring the ATN to control the advertising of RIPng routing information, complete
l
Data Preparation
To control the advertising of RIPng routing information, you need the following data.
Issue 02 (2013-12-31)
No.
Data
Metric of the default route to be advertised
Protocol name and process ID of the external route to be imported

2148

Equipment
8 IP Routing
Configuring RIPng Route Summarization

By configuring a RIPng router to advertise the summarized IPv6 address on an interface, you
can save the space used by RIPng routes in the routing table. You can also set parameters to
prevent an interface from learning the same summarized route.
Context
This configuration is to configure the RIPng ATN to advertise the summarized IPv6 prefix rather
than specific routes on an interface.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ripng summary-address ipv6-address prefix-length [ avoid-feedback ]
RIPng route summarization is configured.

----End
Configuring RIPng to Advertise the Default Routes

There are two methods of advertising RIPng default routes. You can configure a router to
advertise RIPng default routes according to the actual networking. Additionally, you can specify
the cost of the default routes to be advertised.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ripng default-route { only | originate } [ cost cost ]
Issue 02 (2013-12-31)

2149

Equipment
8 IP Routing
RIPng is configured to advertise a default route.

You can configure RIPng to advertise default routes as required:
l only: advertises only IPv6 default routes (::/0) and suppresses the advertising of other routes.
l originate: advertises IPv6 default routes (::/0) and does not affect the advertising of other
routes.
A RIPng default route is forcibly advertised by using an Update packet through a specified
interface, regardless of whether this route exists in the IPv6 routing table.
----End
Configuring the Default Cost for External Routes Imported by RIPng

If RIPng imports routes from other routing protocols, but no metric is specified, you can set the
default metric for imported external routes.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
The RIPng view is displayed.

Step 3 Run:
default-cost cost
The default cost is set for the external routes imported by RIPng.
If no metric is specified, this command can be used to set the default cost for the external routes
imported by RIPng from other routing protocols.
----End
Configuring RIPng to Import External Routes

Similar to RIP, RIPng can import external routes to enrich routing information.
Context
Procedure
Step 1 Run:
Issue 02 (2013-12-31)

2150

Equipment
8 IP Routing
system-view

Step 2 Run:

default-cost cost
The default cost is set for imported external routes.

Step 4 Run:
import-route { { ripng | isis | ospfv3 } process-id | bgp [ permit-ibgp ] | unr |
direct | static } [ cost cost | route-policy route-policy-name ] *
External routes are imported.

NOTE
Import of IBGP routes in RIPng process can lead to routing loops. Administrator should take care of routing
loops before configuring permit-ibgp.

l filter-policy { acl6-number | acl6-name acl6-name } export [ protocol [ process-id ] ]
RIPng is configured to filter the routes based on the ACL.
Run any of the following commands as required:
Configure a basic ACL:
1.
Run:
quit
Return to the BGP view.

2.
Run:
quit

3.
Run
acl ipv6 { [ number ] acl6-number1 | name acl-name [ number aclnumber2 ] } [ match-order { auto | config } ]
The basic ACL view is displayed.

4.
Run
rule [ rule-id ] { deny | permit } [ fragment | source { source-ipv6address prefix-length | source-ipv6-address/prefix-length | any } | timerange time-name | vpn-instance vpn-instance-name ] *

When the rule command is run to configure rules for a named ACL, only the source
address range specified by source and the time period specified by time-range are
valid as the rules.
If the action specified in an ACL rule is permit, a route that matches the rule
will be received or advertised by the system.
Issue 02 (2013-12-31)

2151

Equipment
8 IP Routing
If the action specified in an ACL rule is deny, a route that matches the rule will
not be received or advertised by the system.
If a route has not matched any ACL rules, the route will not be received or
advertised by the system.
smaller number and then matches the route with a rule with a larger number.
Routes can be filtered using a blacklist or a whitelist:
Route filtering using a blacklist: Configure a rule with a smaller number and
specify the action deny in this rule to filter out the unwanted routes. Then,
configure another rule with a larger number in the same ACL and specify the
action permit in this rule to receive or advertise the other routes.
Route filtering using a whitelist: Configure a rule with a smaller number and
specify the action permit in this rule to permit the routes to be received or
advertised by the system. Then, configure another rule with a larger number in
the same ACL and specify the action deny in this rule to filter out unwanted
routes.
Configure an advanced ACL:
1.
Run
acl ipv6 name acl-name [ number acl-number2 ] [ match-order { auto |
config } ]

2.
Run
rule [ rule-id ] { deny | permit } protocol [ source { source-ipv6address prefix-length | source-ipv6-address/prefix-length | any } | timerange time-name ] *
A rule is configured for the advanced ACL.

Issue 02 (2013-12-31)

2152

Equipment
8 IP Routing
routes.
l filter-policy ipv6-prefix ipv6-prefix-name export [ protocol [ process-id ] ]
RIPng is configured to filter the routes based on the prefix list.
RIPng can filter the imported routes based on an IPv6 ACL or an IPv6 prefix list. Only the routes
that meet the match conditions are advertised to neighbors. If protocol is not specified in the
command, all the routing information to be advertised will be filtered, including the imported
routes and local RIPng routes (directly connected routes).
----End

After the function of controlling the advertising of RIPng routing information is successfully
configured, you can view RIPng routing information.
Prerequisites
Controlling the advertising of RIPng routing information has been configured.
Procedure
l
RIPng database.
----End
8.4.5 Controlling the Receiving of RIPng Routing Information

To meet the requirements of complex networks, it is required to accurately control the receiving
of RIPng routing information.
Before You Start

Before controlling the receiving of RIPng routes, familiarize yourself with the usage scenario,
To meet the requirements of a complicated networking environment, you need to control the
receiving of RIPng routing information accurately. After performing configuration procedures
in this section, you can:
l
Issue 02 (2013-12-31)
Disable an interface from receiving RIPng Update packets.

2153

Equipment
8 IP Routing
Filter the received routing information.
Import external routes from various routing protocols and filter the imported routes.
Before configuring the ATN to control the receiving of RIPng routing information, complete
l
Configuring Basic RIPng Functions
Data Preparation
To control the receiving of RIPng routing information, you need the following data.
No.
Data
ACL used to filter routing information
Configuring RIPng to Filter the Received Routes

By configure an IPv6 ACL or an IPv6 prefix list to filter received routes, you can configure a
router to selectively receive routes.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
l filter-policy { acl6-number | acl6-name acl6-name | } import
The imported routes are filtered based on the ACL.
1.
Run:
quit

Issue 02 (2013-12-31)

2154

Equipment
2.
8 IP Routing
Run:
quit

3.
Run

4.
Run

valid as the rules.
routes.
1.
Run
config } ]

2.
Run

Issue 02 (2013-12-31)

2155

Equipment
8 IP Routing

routes.
l filter-policy ipv6-prefix ipv6-prefix-name import
The imported routes are filtered based on the prefix list.
----End

After the function of controlling the receiving of RIPng routing information is successfully
configured, you can view RIPng routing information.
Prerequisites
Controlling the receiving of RIPng routing information has been configured.
Procedure
l
RIPng database.
----End
8.4.6 Optimizing a RIPng Network

You can adjust and optimize the RIPng network performance by configuring RIPng timers, split
horizon, poison reverse, and zero field check.
Issue 02 (2013-12-31)

2156

Equipment
8 IP Routing
Before You Start

Before adjusting and optimizing the RIPng network performance, familiarize yourself with the
configuration.
On certain networks, you need to configure RIPng features and optimize the performance of a
RIPng network. After performing configuration procedures in this section, you can:
l
Change the convergence speed of the RIPng network by adjusting RIPng timers.
Configure split horizon and poison reverse to prevent routing loops.
Before optimizing a RIPng network, complete the following tasks:
l
Configuring Basic RIPng Functions
Data Preparation
To optimize a RIPng network, you need the following data.
No.
Data
Values of timers
Configuring RIPng Timers

RIPng has three timers: Update timer, Age timer and Garbage-collect timer. If the three RIPng
timers are configured improperly, routes become unstable.
Context
NOTE
Route flapping occurs if the values of the four RIPng timers are set improperly. The relationship between
the values is as follows: update < age, update < garbage-collect. For example, if the update time is longer
than the aging time, and a RIPng route changes within the update time, the ATN cannot inform its neighbors
of the change on time.
By default, the Update timer is 30s; the Age timer is 180s; the Garbage-collect timer is 120s.
Procedure
Step 1 Run:
Issue 02 (2013-12-31)

2157

Equipment
8 IP Routing
system-view

Step 2 Run:

Step 3 Run:
timers ripng update age garbage-collect
RIPng timers are configured.

----End
Setting the Interval for Sending Update Packets and the Maximum Number of
Packets Sent Each Time
By setting the interval for sending packets and the maximum number of packets to be sent each
time, you can optimize the RIPng performance.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ripng pkt-transmit { interval interval | number pkt-count }*
The interval for sending RIPng Update packets and the maximum number of packets sent each
time are set on the specified interface.
----End
Configuring Split Horizon and Poison Reverse

You can configure split horizon and poison reverse to prevent routing loops.
Context
Split horizon is a method of preventing routing loops by preventing the ATN from advertising
a route back onto the interface from which the route is learned. On NBMA networks such as FR
networks and X.25 networks, if no sub-interface is configured, split horizon must be disabled
to ensure that routes are advertised correctly.
Issue 02 (2013-12-31)

2158

Equipment
8 IP Routing
Poison reverse is another method of preventing routing loops by enabling the ATN to advertise
a route as unreachable back through the interface from which the route is learned.
If both split horizon and poison reverse are configured, only poison reverse takes effect.
Procedure
Step 1 Run:
system-view

Step 2 Run:
interface interface-type vlan-id

l Run:
ripng split-horizon
Split horizon is enabled.

l Run:
ripng poison-reverse
Poison reverse is enabled.

----End
Enabling the Zero Field Check for RIPng Packets

In a RIPng packet, there are certain fields whose values must be 0. These fields are called zero
fields. If the values of these zero fields in some RIPng packets are not 0s, these RIPng packets
are ignored.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
checkzero
Issue 02 (2013-12-31)

2159

Equipment
8 IP Routing
The zero field check is configured for RIPng packets.

----End

After the function of adjusting and optimizing the RIPng network performance is successfully
configured, you can view routing information, neighbor information, and interface information
of RIPng.
Prerequisites
Adjusting and optimizing the RIPng network performance has been configured.
Procedure
l
Run the display ripng [ process-id | vpn-instance vpn-instance-name ] command to check

the configuration of the RIPng process.
Run the display ripng process-id database [ verbose ] command to check all activated
routes in the RIPng database.
Run the display ripng process-id interface [ interface-type interface-number ]

[ verbose ] command to check information about the RIPng interface.
Run the display ripng process-id neighbor [ verbose ] command to check information
about RIPng neighbors.
----End
8.4.7 Maintaining RIPng

This section describes how to clear statistics of a specified RIPng process.
Clearing RIPng
This section describes how to clear statistics about RIPng counters.
Context
NOTICE
RIPng information cannot be restored after it is cleared. Exercise caution when running the
commands.
To clear RIPng information, run the following reset command in the user view.
Issue 02 (2013-12-31)

2160

Equipment
8 IP Routing
Procedure
l
Run the reset ripng process-id statistics [ interface { all | interface-type interfacenumber [ neighbor neighbor-ip-address ] } ] command in the user view to clear statistics
about the counter that is maintained by a specified RIPng process.
----End
8.5 OSPF Configuration

OSPF, which is developed by the IETF, is a link-state IGP. OSPF is widely used in access
networks and MANs.
8.5.1 Introduction
By building OSPF networks, you can enable OSPF to discover and calculate routes in ASs.
OSPF is applicable to a large-scale network that consists of hundreds of routers.
OSPF Overview
OSPF is a link-state IGP. At present, OSPFv2 is intended for IPv4.
Defined by the Internet Engineering Task Force (IETF), the Open Shortest Path First (OSPF)
protocol is an Interior Gateway Protocol (IGP) implemented on the basis of the link status.
NOTE
In this chapter, OSPF refers to OSPFv2, unless otherwise specified.
OSPF Features
OSPF has the following features:
l
Wide applications
OSPF is applicable to networks of various sizes and even to the network consisting of
hundreds of routers.
Fast convergence
Once the network topology changes, Update packets are transmitted to synchronize the link
state databases (LSDBs) of all the routers within the Autonomous System (AS).
Loop-free
According to the collected link status, OSPF calculates routes with the shortest path tree
algorithm. This algorithm ensures the generation of loop-free routes.
Area division
An AS can be divided into different areas to facilitate AS management. After the area
partition, an LSDB stores routing information only of the local area. The reduce of LSDB
size dramatically reduces memory and CPU usage. In addition, less bandwidth is consumed
because of the decrease in routing information transmitted within the AS.
Equal-cost routes
OSPF supports multiple equal-cost routes to the same destination.
Issue 02 (2013-12-31)

2161

Equipment
8 IP Routing
Routing hierarchy
Four types of routing are available. They are listed in the descending order of priority: intraarea routes, inter-area routes, Type 1 external routes, and Type 2 external routes.
Authentication
Area-based and interface-based packet authentication guarantees the security of packet
interaction.
Multicast
Multicast packets are transmitted only on certain types of links to reduce the interference
for some devices.
Process of OSPF Route Calculation

The process of calculating OSPF routes is as follows:
1.
Based on the surrounding network topology, each OSPF device originates a Link State
Advertisement (LSA). The route device then transmits Update packets containing the LSAs
to other OSPF devices.
2.
Each OSPF device collects the LSAs from other devices, and all these LSAs compose the
LSDB. An LSA describes the network topology around a route device, whereas an LSDB
describes the network topology of the whole AS.
3.
OSPF devices transform the LSDB into a weighted directed map. The weighted directed
map reflects the topology of the entire network. All route devices in the same area have the
same map.
4.
According to the directed map, each route device uses the Shortest Path First (SPF)
algorithm to calculate the shortest path tree, regarding itself as the root. The tree displays
the routes to each node in the AS.
Area Division
The number of route devices increases with the unceasing expansion of the network scale. This
leads to a large LSDB on each route device. As a result, the load of each route device is very
heavy. OSPF solves this problem by dividing an AS into different areas. An area is regarded as
a device group logically. Each group is identified by an area ID. On the border of an area resides
a route device rather than a link. A network segment (or a link) belongs to only one area. That
is, the area to which each OSPF interface belongs must be specified, as shown in Figure 8-8.
Issue 02 (2013-12-31)

2162

Equipment
8 IP Routing
Figure 8-8 OSPF area division
Area4
Area1
Area0
Area2
Area3
After area division, route aggregation can be performed on border routers to reduce the number
of LSAs advertised to other areas. Route aggregation also minimizes the influence caused by
changes in the topology.
Router Type
Routers are classified into the following types according to their locations in the AS:
l
Internal routers
Area border routers (ABRs)
Backbone routers
AS boundary routers (ASBRs)
Figure 8-9 Types of routers

IS-IS
ASBR
Area4
Area1
Internal
Router
Area2
Issue 02 (2013-12-31)
Backbone
Router
Area0
ABR
Area3

2163

Equipment
8 IP Routing
OSPF Network Types

OSPF classifies networks into four types according to the link layer protocol:
l
Broadcast: If the link layer protocol is Ethernet or FDDI, OSPF defaults the network type
to broadcast. In this type of networks, the following situations occur.
Hello packets and packets from the Designated Router (DR) are sent in multicast mode
(224.0.0.5: indicates the reserved IP multicast addresses for OSPF devices).
Link State Update (LSU) packets are sent to the DR in multicast mode (224.0.0.6:
indicates the reserved IP multicast address for the OSPF DR), and the DR forwards the
LSU packets to destination 224.0.0.5.
Database Description (DD) packets, Link State Request (LSR) packets, and all
retransmission packets are sent in unicast mode.
Link State Acknowledgement (LSAck) packets are usually sent in multicast mode
(224.0.0.5). When a route device receives repeated LSAs, or the LSAs are deleted due
to the timeout of the maximum lifetime, LSAck packets are sent in unicast mode.
Non-Broadcast Multi-Access (NBMA): If the link layer protocol is Frame Relay, ATM, or
X.25, OSPF defaults the network type to NBMA. In this type of networks, protocol packets,
such as Hello packets, DD packets, LSR packets, LSU packets, and LSAck packet, are
transmitted in unicast mode.
Point-to-Multipoint (P2MP): A P2MP network must be forcibly changed from other

network types. In this type of networks, Hello packets are transmitted in multicast mode
(224.0.0.5); DD packets, LSR packets, LSU packets, and LSAck packets are transmitted
in unicast mode.
Point-to-Point (P2P): If the link layer protocol is PPP, HDLC, or LAPB, OSPF defaults the
network type to P2P. In this type of networks, protocol packets, such as Hello packets, DD
packets, LSR packets, LSU packets, and LSAck packets, are transmitted in multicast mode
(224.0.0.5).
OSPF Features Supported by the ATN

The ATN supports various OSPF features, including multi-process, authentication, hot standby,
Smart-discover, GR, TE, VPN multi-instance, sham link, BFD, IGP Shortcut, forwarding
adjacency, OSPF-BGP association.
Multi-process
OSPF supports multi-process. More than one OSPF process can run on the same ATN because
processes are mutually independent. Route interaction between different OSPF processes is
similar to the interaction between different routing protocols.
An interface of a ATN belongs to only a certain OSPF process.
A typical application of OSPF multi-process is to run OSPF between PEs and CEs in the VPN
where OSPF is also adopted in the backbone network. On the PEs, the two OSPF processes are
independent of each other.
Issue 02 (2013-12-31)

2164

Equipment
8 IP Routing
Authentication
OSPF supports packet authentication. Only the OSPF packets that pass the authentication can
be received. If the packets fail to pass the authentication, the neighbor relationship cannot be
established.
The ATN supports two authentication modes:
l
Area authentication mode
Interface authentication mode
If both modes are available, the latter is preferred.
Hot Backup
NOTE
Only the ATN 950B supports this function.
The ATN with a distributed structure supports OSPF hot standby (HSB). OSPF backs up
necessary information from the active main board (AMB) to the standby main board (SMB).
When the AMB fails, the SMB replaces it to ensure the normal operation of OSPF.
OSPF supports two types of HSB:
l
Backing up all OSPF data: After the switchover between the AMB and the SMB, OSPF
restores its normal work immediately.
Backing up only the OSPF configuration: After the switchover between the AMB and the
SMB, OSPF performs graceful restart (GR), obtains the adjacency relationship from
neighbors, and synchronizes the LSDBs.
Smart-discover
Generally, ATNs periodically send Hello packets through interfaces that run OSPF, ATNs set
up and maintain the neighbor relationship, and elect the DR and the Backup Designated Router
(BDR) on the multi-access network (broadcast or NBMA) by exchanging Hello packets. When
establishing the neighbor relationship or electing the DR and the BDR on the multi-access
network, interfaces can send Hello packets only when the Hello timer expires. This affects the
speed for establishing the neighbor relationship and electing the DR and the BDR.
NOTE
l The interval for sending Hello packets on an interface depends on the interval for sending Hello packets
set on the interface.
l The default value of the interval for sending Hello packets varies with the network type.
The Smart-discover function can solve the preceding problem.

l
In broadcast and NBMA networks, the neighbor relationship can be established rapidly and
a DR and a BDR on the networks can be elected rapidly.
When the neighbor status becomes 2-way for the first time, or it returns to Init from the 2way or higher state as shown in Figure 8-10, the interface enabled with the Smart-discover
function sends Hello packets to the neighbor without waiting for the timeout of the Hello
timer when the interface finds that the status of the neighbor changes.
Issue 02 (2013-12-31)

2165

Equipment
8 IP Routing
When the interface status of the DR and the BDR in the multi-access network changes, the
interface enabled with the Smart-discover function sends Hello packets to the network
segment and takes part in the DR or BDR election.
Figure 8-10 Changes of the neighbor state machine
Down
Init
2-way
Exstart
Exchange
Loading
Full
Attempt
(NBMA)
On P2P and P2MP networks, the adjacency relationship can be established rapidly. The
principle is the same as that in broadcast and NBMA networks.
OSPF GR
When a ATN restarts or performs the active/standby switchover, it directly ages all routing
entries in the Forward Information Base (FIB) table. This results in route interruption. In
addition, neighboring ATNs remove this ATN from the neighbor list, and notify other ATNs.
This causes the re-calculation of SPF. If this ATN recovers within a few seconds, the neighbor
relationship becomes unstable. This results in route flapping.
After being enabled with OSPF Graceful Restart (GR), a ATN can ensure continuous packet
forwarding if it restarts just for abnormities. In such a case, route flapping is avoided during the
short restart of the ATN.
NOTE
Unless otherwise specified, "protocol restart" in this document refers to restarting OSPF in GR mode.
When a ATN restarts OSPF, the GR Restarter does not age the forwarding information. At the
same time, the GR Helper keeps the topology information or routes obtained from the GR
Restarter for a period. This ensures that traffic forwarding is not interrupted when protocol restart
occurs.
OSPF and DS-TE

OSPF TE supports the establishing and maintaining of the Label Switch Path (LSP) of the TE.
When constructing constraint-based routed LSP (CR LSP), MPLS needs information about the
traffic attributes of all the links in the area. With the help of the OSPF, MPLS obtains traffic
engineering information about the links.
OSPF supports a new type of LSAs called opaque LSA. The opaque LSA can carry TE
information. You can use the related commands to configure OSPF to support or not support
the originating and handling of the opaque LSA that carries TE information.
NOTE
For details of OSPF TE configurations, refer to the Configuration Guide - MPLS.
Issue 02 (2013-12-31)

2166

Equipment
8 IP Routing
IGP Shortcut and Forwarding Adjacency

OSPF TE supports either IGP shortcut aor Forwarding Adjacency (FA). This two features allow
OSPF TE to establish an LSP to reach a specified destination. Without the two features, OSPF
cannot use the LSP as an outgoing interface even if the LSP to the destination exists.
The differences between IGP Shortcut and forwarding adjacency are as follows:
l
If only forwarding adjacency is enabled, OSPF can reach the destination by using the LSP.
If only IGP Shortcut is enabled, only the ATN enabled with IGP Shortcut can use the LSP.
NOTE
For detailed configuration of this feature, refer to the Configuration Guide - MPLS.
OSPF VPN Multi-instance

OSPF supports multi-instance, which can run between PEs and CEs in VPN networks.
In BGP MPLS VPN, many sites of one VPN can use OSPF as the internal routing protocol. The
sites, however, are handled as being from different ASs. In this way, the OSPF routes learned
on one site are transmitted as external routes to another site. This causes a heavy OSPF traffic
and some avoidable network management problems.
In the ATN implementation, you can configure domain IDs on a PE to differentiate the VPNs
where different sites reside. Different sites in one VPN consider each other as if they were
connected directly. Therefore, PEs exchange OSPF routing information as if they were directly
connected through a leased line. This improves network management and enhances the validity
of the OSPF application.
NOTE
For detailed configuration of this feature, refer to the Configuration Guide - VPN.
OSPF Sham Links

OSPF sham links are unnumbered P2P links between two PEs over an MPLS VPN backbone
network.
Generally, BGP extended community attributes carry routing information over the MPLS VPN
backbone between BGP peers. OSPF running on the remote PE uses this information to generate
Type3 summary LSAs from PE to CE. These routes are considered as inter-area routes.
If a ATN, however, connects to PEs in its own area and establishes an intra-area route to a
particular destination, the VPN traffic always traverses the route rather than the backbone route.
This is because OSPF intra-area routes in the routing table have relatively higher priorities. To
prevent this, an unnumbered P2P sham link is configured between the PEs. This provides an
intra-area path with a lower cost to the PE.
NOTE
For configurations of OSPF sham links, refer to the Configuration Guide - VPN.
BFD for OSPF

By default, in broadcast networks, the interval for OSPF to send Hello packets is 10 seconds; in
NBMA networks, the interval for sending Hello packets is 30 seconds, and the period for
Issue 02 (2013-12-31)

2167

Equipment
8 IP Routing
advertising that the neighbor is Down is four times the interval for sending Hello packets. If the
ATN does not receive the Hello packet from the neighbor before the neighboring ATN becomes
invalid, it deletes the neighbor. That is, the ATN detects the neighbor faults in seconds. This
leads to the loss of a large number of packets in a high-speed network.
To solve the preceding problem in the current detection mechanism, Bidirectional Forwarding
Detection (BFD) is developed. BFD can implement detection at the millisecond level. Instead
of replacing the Hello mechanism of OSPF, BFD works with OSPF to fast detect the adjacency
fault. BFD is used to notify OSPF of recalculating routes. This can correctly guide the packet
forwarding.
Routing Management (RM) module exchanges routing information with the BFD module.
Through RM, OSPF notifies BFD of dynamically setting up or deleting BFD sessions. The Event
message of BFD is delivered to OSPF through RM.
The process of establishing and deleting a BFD session is as follows:
l
Process of establishing a BFD session: If BFD feature is globally configured, BFD is

enabled on an interface or a process, and the status of the OSPF neighbor is Full, OSPF
uses RM to notify the BFD module of establishing the BFD session and negotiate related
parameters of BFD.
Process of deleting a BFD session: When BFD detects a link fault, BFD generates a Down
event and notifies the upper protocol of the fault through RM. OSPF then responds to the
event and immediately deletes the adjacency relationship on the link. At this time, the status
of the neighbor is not Full. This does not meet the requirements of establishing a BFD
session. OSPF then uses RM to notify the BFD module of deleting the BFD session.
OSPF supports dynamically establishing or deleting a BFD session on broadcast, P2P, P2MP,
and NBMA links.
Configure BFD according to the actual network environment. If time parameters are set
incorrectly, network flapping occurs.
OSPF-BGP
When a new ATN is connected to the network, or a ATN restarts, the network traffic may be
lost during BGP convergence. This is because the IGP route convergence is quicker than the
BGP route convergence.
If the backup link exists, OSPF-BGP linkage makes a ATN that restarts or a ATN that is
connected to the network start the stub router timer during the OSPF-BGP linkage. During the
set linkage period, the ATN acts as the stub router by increasing the metrics of the links in the
LSA generated by the ATN to 65535. Other OSPF devices are notified of not using the stub
router to forward data. This ensures that the ATN is not used as the spanned router. This avoids
traffic loss during traffic switchback because route convergence speed is slower than that of
OSPF.
8.5.2 Configuring Basic OSPF Functions

This section describes how to configure basic OSPF functions.
Issue 02 (2013-12-31)

2168

Equipment
8 IP Routing
Before You Start

Before configuring basic OSPF functions, enable OSPF, specify the OSPF process and area, and
establish OSPF neighbor relationships.
When OSPF is configured on multiple ATNs in the same area, most configuration data, such as
the timer, filter, and aggregation, must be planned uniformly in the area. Incorrect configurations
may cause neighboring ATNs to fail to send messages to each other or even causing routing
information congestion and self-loops.
The OSPF-relevant commands that are configured in the interface view take effect regardless
of whether OSPF is enabled. After OSPF is disabled, the OSPF-relevant commands also exist
on interfaces.
Before configuring basic OSPF functions, complete the following tasks:
l
Configuring a link layer protocol
Configuring IP addresses for interfaces to ensure that neighboring ATNs are reachable at
the network layer
Data Preparation
To configure basic OSPF functions, you need the following data.
No.
Data
Router ID
OSPF process ID
VPN instance name (if OSPF multi-instance is configured)
ID of the area to which an interface belongs
IP address of the network segment where an interface resides
Enabling OSPF
Create an OSPF process and specify a router ID to enable OSPF. After enabling OSPF, specify
an interface on which the OSPF protocol is running and the area to which the interface belongs.
After that, routes can be discovered and calculated in the AS.
Context
Before running OSPF on the ATN, specify a router ID for the ATN. The router ID is a 32-bit
unsigned integer, which identifies the ATN in the AS. To ensure OSPF stability, manually set
the router ID of each ATN during network planning.
Issue 02 (2013-12-31)

2169

Equipment
8 IP Routing
This causes the link state database (LSDB) to unexpectedly grow. OSPF resolves this problem
by partitioning an AS into different areas. The area is regarded as a logical group and each group
is identified by an area ID. At the border of an area resides the ATN instead of a link. A network
segment (or a link) belongs to only one area. The area to which each OSPF interface belongs
must be specified.
There are two methods for enabling OSPF: creating an OSPF process and enabling OSPF on an
interface.
Procedure
l
Create an OSPF process.

1.
Run:
system-view

2.
Run:
ospf [ process-id | router-id router-id ]
The OSPF process is started, and the OSPF view is displayed.

The ATN supports OSPF multi-process. If you wan to configure OSPF in the VPN
instance view, run the ospf [ process-id | router-id router-id | vpn-instance vpninstance-name ] * command.
The parameter process-id specifies the ID of an OSPF process. The default value
is 1.
The ATN supports OSPF multi-process. You can create different processes for
services of different types. The OSPF process ID is valid in the local area, without
affecting packet exchange with other ATNs. Therefore, different ATNs can also
exchange packets even though they have different process IDs.
The parameter router-id router-id specifies the router ID of the ATN.
By default, the system automatically selects an IP address of the interface as the
router ID. Assign a unique router ID for each device in an AS. Generally, you can
set the router ID to be the same as an interface IP address.
NOTE
The router ID of each OSPF process must be unique on the entire network. Otherwise,
routers cannot establish OSPF neighbor relationships, and the routing information is
incorrect.
If a router ID conflict occurs, perform either of the following operations:

Run the ospf router-id router-id command to reconfigure a router ID.
Run the undo ospf router-id auto-recover disable command to enable the
router ID automatic recovery function. After the function is enabled, the system
automatically allocates a new router ID.
Issue 02 (2013-12-31)

2170

Equipment
8 IP Routing
NOTE
l If the automatic recovery function is enabled and a router ID conflict occurs between
indirectly connected routers in one OSPF area, the system replaces the conflicted router
ID with a newly calculated one. The automatic recovery function takes effect on both
configured and automatically generated router IDs.
l The system can replace a router ID in a maximum of three attempts in case the router
ID conflict persists.
If the router ID is changed, a new router ID will take affect after the reset ospf
[ process-id ]process command is run.
The parameter vpn-instance vpn-instance-name specifies the name of a virtual
private network (VPN) instance.
If a VPN instance is specified, the OSPF process belongs to the specified VPN
instance. Otherwise, the OSPF process belongs to public network instances.
The description of an OSPF process helps identify special processes by the
description command.
3.
Run:
area area-id
The OSPF area view is displayed.

The OSPF areas can be classified into a backbone area with the area ID of 0 and nonbackbone areas. The backbone area is responsible for forwarding inter-area routing
information. The routing information between the non-backbone areas must be
forwarded through the backbone area.
The description of an OSPF area helps identify special processes by the description
command.
4.
Run:
network ip-address wildcard-mask [ description text ]
The network segments are configured to belong to the area. description is used to
configure a description for the specified OSPF network segment.
OSPF can run on an interface properly only when the following conditions are met:
The mask length of the IP address of an interface is greater than or equal to that
specified by the network command.
NOTE
When the wildcard-mask parameter in the network command is specified as 0, if the IP

address of the interface and the IP address that is configured by the network address
command are the same, OSPF is enabled on the interface.
The primary IP address of an interface is on the network segment specified by the

network command.
By default, OSPF uses a 32-bit host route to advertise the IP address of a loopback
interface. To advertise routes to the network segment of the loopback interface,
configure the network type as NBMA or broadcast in the interface view. For details,
see Configuring Network Types for OSPF Interfaces.
l
Enable OSPF on an interface.

1.
Run:
system-view
Issue 02 (2013-12-31)

2171

Equipment
8 IP Routing

2.
Run:

3.
Run:
ospf enable [ process-id ] area area-id
OSPF is enabled on the interface.

An area ID can be input in the format of a decimal integer or an IPv4 address, but
displayed in the format of IPv4 address.
----End
(Optional) Creating OSPF Virtual Links

This section describes how to create logical links between backbone areas to ensure the OSPF
network connectivity.
Context
After OSPF areas are defined, OSPF route updates between non-backbone areas are transmitted
through a backbone area. Therefore, OSPF requires that all non-backbone areas maintain the
connectivity with the backbone area and the backbone areas in different OSPF areas maintain
the connectivity with each other. In real world situations, this requirement may not be met
because of some restrictions. To resolve this problem, you can configure OSPF virtual links.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ospf [ process-id ]
The OSPF process view is displayed.

Step 3 Run:
area area-id

Step 4 Run:
vlink-peer router-id [ dead dead-interval | hello hello-interval | retransmit
retransmit-interval | smart-discover | trans-delay trans-delay-interval | [ simple
[ plain plain-text | [ cipher ] cipher-text ] | { md5 | hmac-md5 | hmac-sha256 }
[ key-id { plain plain-text | [ cipher ] cipher-text } ] | authentication-null |
keychain keychain-name ] ] *
A virtual link is created.

This command must also be configured on the neighboring ATN.
----End
Issue 02 (2013-12-31)

2172

Equipment
8 IP Routing
Follow-up Procedure
After virtual links are created, different default MTUs may be used on devices provided by
different vendors. To ensure consistency, the MTU is set to 0 by default when the interface sends
DD packets. For details, see Configuring an Interface to Fill in the DD Packet with the Actual
MTU.
(Optional) Configuring a Route Selection Rule on the ATN

You can configure the ATN to comply with the route selection rule defined in RFC 1583 or RFC
2328.
Context
RFC 2328 and RFC 1583 define the route selection rule differently. After OSPF is enabled on
the ATN, specify a route selection rule based on the ATN configuration. The ATN complies
with the route selection rule defined in RFC 1583 by default. If the neighboring ATN complies
with the route selection rule defined in RFC 2328, configure the local ATN to comply with that
defined in RFC 2328. This allows all ATNs in the OSPF area to comply with the same route
selection rule.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ospf [ process-id ]

Step 3 Run:
undo rfc1583 compatible
The ATN is configured to comply with the route selection rule defined in RFC 2328, not RFC
1583.
By default, the ATN complies with route selection rule defined in RFC 1583.
----End
(Optional) Setting the OSPF Priority

When multiple routing protocols are used to select routes, you can set the OSPF priority to
maneuver route selection.
Context
The routing protocols may share and select the routing information because the ATN may run
multiple dynamic routing protocols at the same time. The system sets a priority for each routing
protocol. When multiple routing protocols are used to select routes, the route selected by the
routing protocol with a higher priority takes effect.
Issue 02 (2013-12-31)

2173

Equipment
8 IP Routing
Procedure
Step 1 Run:
system-view

Step 2 Run:
ospf [ process-id ]

Step 3 Run:
preference [ ase ] { preference | route-policy route-policy-name }
The OSPF priority is set.

l ase: sets the priority of the AS-External route.
l preference: sets the priority for OSPF. The smaller the value, the higher the priority.
l route-policy-name: sets the priority for specified routes in the routing policy.
The default OSPF priority value is 10. When an ASE is specified, the default OSPF priority
value is 150.
----End
(Optional) Restricting the Flooding of LSA Update Packets

When a large number of LSA update packets are flooded, the neighboring ATN may be busy
processing LSA update packets and has to discard the Hello packets that are used to maintain
neighbor relationships. This causes neighbor relationships to be interrupted. To resolve this
problem, you can restrict the flooding of LSA update packets to maintain neighbor relationships.
Context
When multiple neighboring ATNs are configured or a large number of LSA update packets are
flooded, the neighboring ATN may receive a large number of LSA update packets in a short
period. This keeps the neighboring ATN busy processing a burst of LSA update packets and
causes the neighboring ATN to unexpectedly discard Hello packets that are used to maintain the
OSPF neighbor relationships. As a result, the neighbor relationships are interrupted. After the
neighbor relationships are reestablished, more packets are to be exchanged. This intensifies
neighbor relationship interruption. To resolve this problem, you can restrict the flooding of LSA
update packets to maintain neighbor relationships.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ospf [ process-id ]

Issue 02 (2013-12-31)

2174

Equipment
8 IP Routing
Step 3 Run:
flooding-control [ number transmit-number | timer-interval transmit-interval ]
The flooding of LSA update packets is restricted.

By default, the number of LSA update packets to be flooded each time is 50, and the interval at
which LSA update packets are flooded is 30s.
After the flooding-control command is run, the flooding of LSA update packets is immediately
restricted.
If the flooding-control command is not run, the function of restricting the flooding of LSA
update packets automatically takes effect when the number of neighboring ATNs exceeds 256.
----End
(Optional) Configuring the Maximum Number of Packet Retransmission Attempts

When no response to DD packets, LSU packets, or LSR packets is received, the retransmission
mechanism is used and the maximum number of packet retransmission attempts is set.
Context
If no response is received when the maximum number of packet retransmission attempts is
reached, the neighbor relationship will be interrupted. By default, the retransmission mechanism
is disabled.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ospf [ process-id ]

Step 3 Run:
retransmission-limit [ max-number ]
The maximum number of OSPF packet retransmission attempts is set.

max-number specifies the maximum number of packet retransmission attempts and is 30 by
default.
----End
(Optional) Setting an Interval at Which an LSA Packet Is Retransmitted to the

Neighboring ATN
You can control packet retransmission and improve the convergence rate by setting an interval
at which an LSA packet is retransmitted to the neighboring ATN.
Issue 02 (2013-12-31)

2175

Equipment
8 IP Routing
Context
After sending an LSA packet to the neighboring ATN, the ATN waits for a response. If no
response is received within the set interval, the ATN retransmits the LSA packet to the
neighboring ATN.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ospf timer retransmit interval
An interval at which an LSA packet is retransmitted to the neighboring ATN is set.

Setting the interval to a proper value is recommended. A rather small interval will cause
unnecessary retransmission. The interval is generally longer than a round trip of one packet
transmitted between two ATNs.
The default retransmission interval is 5s and is widely used.
----End
(Optional) Configuring an Interface to Fill in a DD Packet with the Interface MTU

You can configure an interface to fill in the Interface MTU field of a DD packet with the interface
MTU.
Context
The default maximum transmission unit (MTU) is 0.
After virtual links are created, different default MTUs may be used on devices provided by
different vendors. To ensure consistency, the MTU is set to 0 by default when the interface sends
DD packets.
NOTICE
Setting the MTU in a DD packet will have the neighbor relationship reestablished.
Procedure
Step 1 Run:
system-view
Issue 02 (2013-12-31)

2176

Equipment
8 IP Routing

Step 2 Run:

Step 3 Run:
ospf mtu-enable
The interface is configured to fill in a DD packet with the interface MTU and check whether the
MTU in the DD packet from the neighboring ATN exceeds the MTU of the local ATN.
----End

After basic OSPF functions are successfully configured, you can check information about the
LSDB, neighbors in each area, and routing table.
Prerequisites
Basic OSPF functions have been configured.
Procedure
l
Run the display ospf [ process-id ] peer command to check OSPF neighbor information.
Run the display ospf [ process-id ] routing command to check OSPF routing table
information.
Run the display ospf [ process-id ] lsdb command to check OSPF LSDB information.
----End
Example
Run the display ospf peer command. If the OSPF neighbor relationship is in the Full state, the
configuration succeeds.
<HUAWEI> display ospf peer
OSPF Process 1 with Router ID 10.1.1.2
Neighbors
Area 0.0.0.0 interface 10.1.1.2(GigabitEthernet0/2/0)'s neighbors
Router ID: 10.1.1.1
Address: 10.1.1.1
GR State: Normal
State: Full Mode:Nbr is Slave Priority: 1
DR: 10.1.1.1 BDR: None
MTU: 0
Dead timer due in 35 sec
Retrans timer interval: 5
Neighbor is up for 00:00:05
Authentication Sequence: [ 0 ]
Run the display ospf routing command to view OSPF routing table information.
<HUAWEI> display ospf routing
Issue 02 (2013-12-31)

2177

Equipment
8 IP Routing
Routing Tables
Routing for Network
Destination
172.16.1.0/24
172.17.1.0/24
192.168.0.0/24
192.168.1.0/24
192.168.2.0/24
Cost
4
1
2
3
1
Type
Inter-area
Transit
Inter-area
Inter-area
Stub
NextHop
192.168.2.1
172.17.1.1
192.168.2.1
192.168.2.1
192.168.2.2
Routing for ASEs

Destination
Cost
Type
Tag
100.0.0.0/8
1
Type2
1
Total Nets: 6
Intra Area: 2 Inter Area: 3 ASE: 1 NSSA: 0
AdvRouter
2.2.2.2
4.4.4.4
2.2.2.2
2.2.2.2
4.4.4.4
NextHop
192.168.2.1
Area
0.0.0.2
0.0.0.2
0.0.0.2
0.0.0.2
0.0.0.2
AdvRouter
1.1.1.1
8.5.3 Configuring OSPF on the NBMA or P2MP Network

This section describes how to configure OSPF and modify attributes on the NBMA or point-tomultipoint (P2MP) network to flexibly construct the OSPF network.
Before You Start

To implement OSPF functions, configure OSPF on the NBMA or P2MP network.
As shown in Table 8-1, OSPF classifies networks into four types based on the types of link layer
protocols.
NOTE
Differentiated OSPF configurations that are applicable to the NBMA network and P2MP network are
provided in this section. The OSPF configurations not provided here are applicable to the four types of
networks.
Table 8-1 Network types supported by OSPF

Network Type
Characteristic
Default Configuration
Broadcast
On the broadcast network, Hello

packets, LSU packets, and LSAck
packets are multicasted; DD
packets and LSR packets are
unicasted.
If the link layer protocol is

Ethernet or Fiber Distributed Data
Interface (FDDI), OSPF regards
the network as a broadcast
network by default.
Non-broadcast
multiple access
(NBMA)
On an NBMA network, Hello

packets, DD packets, LSR
packets, LSU packets, and LSAck
packets are unicasted.
If the link layer protocol is ATM,

OSPF regards the network as an
NBMA network by default.
The NBMA network must be fully

meshed. Any two ATNs on the
NBMA network must be directly
reachable.
Issue 02 (2013-12-31)

2178

Equipment
8 IP Routing
Network Type
Characteristic
Default Configuration
Point-to-point
(P2P)
On a P2P network, Hello packets,

DD packets, LSR packets, LSU
packets, and LSAck packets are
multicasted.
If the link layer protocol is PPP,

HDLC, or Link Access Procedure
Balanced (LAPB), OSPF regards
the network as a P2P network by
default.
Point-toOn a P2MP network, Hello

multipoint (P2MP) packets are multicasted; DD
packets, LSR packets, LSU
packets, and LSAck packets are
unicasted.
The mask lengths of the ATNs on
the P2MP network must be the
same.
OSPF does not regard a network as

a P2MP network by default
regardless of any link layer
protocol. A P2MP network is
forcibly changed from the network
of another type.
As shown in Table 8-1, OSPF sends packets in different manners on networks of different types.
Therefore, the difference between OSPF configurations on the networks lies in the packet
sending configurations.
Before configuring OSPF on the NBMA or P2MP network, complete the following tasks:
l
the network layer
Configuring Basic OSPF Functions
Data Preparation
To configure OSPF on the NBMA or P2MP network, you need the following data.
No.
Data
Number of the interface running OSPF
Network type
DR priority of an interface
IP address of a neighbor on an NBMA network
Interval at which Hello packets are sent on an NBMA network
Configuring Network Types for OSPF Interfaces

OSPF classifies networks into four types based on the types of link layer protocols. You can
configure the network type for an OSPF interface to forcibly change its original network type.
Issue 02 (2013-12-31)

2179

Equipment
8 IP Routing
Context
By default, the physical interface type determines the network type.
l
The network type of an Ethernet interface is Broadcast.
The network type of a serial interface or a POS interface running PPP or HDLC is P2P.
The network type of an ATM interface or a Frame Relay (FR) interface is NBMA.
NOTE
A P2MP network is forcibly changed from another other type of network.
The network types of the interfaces on both ends of a link must be the same; otherwise, the OSPF
neighbor relationship cannot be established. Only when the network type of one OSPF interface
is broadcast and the network type of the other OSPF interface is P2P, the two interfaces can still
set up the neighbor relationship; but cannot learn the OSPF routing information each other.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ospf network-type { broadcast | nbma | p2mp | p2p }
The network type of the OSPF interface is configured.

When the network type is configured for an interface, the original network type of the interface
is replaced.
The network type can be configured based on the real world situations.
l On an interface with the broadcast network type, if a router that does not support the multicast
address exists, change the network type of the interface to NBMA.
l On an interface with the NBMA network type, if the network is fully meshed or any two
routers are directly connected, change the network type of the interface to broadcast and do
not configure neighboring router information on the interface.
l On an interface with the NBMA network type, if the network is not fully meshed, change
the network type of the interface to P2MP. After that, two indirectly connected routers can
communicate through one router that can directly reach both the two routers. After the
network type of the interface is changed to P2MP, configuring neighboring router
information on the interface is unnecessary.
l If only two routers run OSPF on the same network segment, changing the network type of
the interface to P2P is recommended.
NOTE
OSPF cannot be configured on a null interface.
----End
Issue 02 (2013-12-31)

2180

Equipment
8 IP Routing
Configuring NBMA Network Attributes

To implement OSPF functions, configure NBMA network attributes.
Procedure
Step 1 (Optional) Set the network type to NBMA.
The NBMA network must be fully meshed. Any two ATNs on the NBMA network must be
directly reachable. In most cases, however, this requirement cannot be met. To resolve this
problem, run specific commands to forcibly change the network type to NBMA. For details, see
Configuring Network Types for OSPF Interfaces.
1.
Run:
system-view

2.
Run:

3.
Run:
ospf network-type nbma
The network type of the OSPF interface is set to NBMA.

ospf timer poll interval
The interval at which Hello packets for polling are sent by an NBMA interface is set.
On the NBMA network, after the neighbor relationship becomes invalid, the ATN sends Hello
packets at an interval defined in the polling mechanism.
The default value is 120, in seconds.
Step 3 Configure a neighboring ATN on the NBMA network.
The interface with the network type of NBMA cannot broadcast Hello packets to discover
neighboring ATNs. Therefore, the IP address of a neighboring ATN must be configured on the
interface and whether the neighboring ATN can participate in DR election must be determined
on the interface.
1.
Run:
quit
Exit from the interface view.

2.
Run:
ospf [ process-id ]

3.
Run:
peer ip-address [ dr-priority priority ]
A neighboring ATN is configured.

----End
Issue 02 (2013-12-31)

2181

Equipment
8 IP Routing
Configuring P2MP Network Attributes

To implement OSPF functions, configure P2MP network attributes.
Procedure
Step 1 Disable OSPF from checking the network mask.
The OSPF neighbor relationship cannot be established between the ATNs with different mask
lengths on the P2MP network. After OSPF is disabled from checking the network mask, the
OSPF neighbor relationship can be properly established.
1.
Run:
system-view

2.
Run:

3.
Run:
ospf network-type p2mp
The network type of the OSPF interface is configured.

A P2MP network is forcibly changed from another other type of network. For details, see
Configuring Network Types for OSPF Interfaces.
4.
Run:
ospf p2mp-mask-ignore
OSPF is disabled from checking the network mask on the P2MP network.
Step 2 (Optional) Configure the ATN to filter the LSA packets to be sent.
When multiple links exist between two ATNs, you can configure the local ATN to filter the LSA
packets to be sent. This can reduce unnecessary LSA retransmission attempts and save
bandwidth resources.
1.
Run:
quit
Exit from the interface view.

2.
Run:
ospf [ process-id ]

3.

a.
Run:
filter-lsa-out peer ip-address { all | { summary [ acl { acl-number |
acl-name } ] | ase [ acl{ acl-number | acl-name } ] | nssa [ acl{ aclnumber | acl-name } ] } * }
Issue 02 (2013-12-31)

2182

Equipment
8 IP Routing
The local ATN is configured to filter the LSA packets to be sent on the P2MP
network.
b.
Run:
quit

c.
Run:
acl { [ number ] acl-number1 | name acl-name basic [ number aclnumber2 ] } [ match-order { auto | config } ]

d.
Run:
rule [ rule-id ] { deny | permit } [ fragment-type fragment-type-name
| source { source-ip-address source-wildcard | any } | time-range timename | vpn-instance vpn-instance-name ] *
The rule for the basic ACL is configured.

If the ACL referenced by the route-policy does not exist, all routes matching
the route-policy will be received or advertised by the system.
In the configuration order, the system first matches a route with a rule that has
a smaller number and then matches the route with a rule with a larger number.
routes.
l Based on the advanced ACL:
a.
filter-lsa-out peer ip-address { all | { summary acl acl-name | ase

acl acl-name | nssa acl acl-name } * }
The local ATN is configured to filter the LSA packets to be sent on the P2MP
network.
b.
Run:
quit

Issue 02 (2013-12-31)

2183

Equipment
c.
8 IP Routing
Run:
Run acl name acl-name advance [ number acl-number2 ] [ match-order
{ auto | config } ]

d.
Run:
rule [ rule-id ] { deny | permit } protocol [ source { source-ip-address
source-wildcard | any } | time-range time-name ] *
The rule for the advanced ACL is configured.

If the ACL referenced by the route-policy does not exist, all routes matching
the route-policy will be received or advertised by the system.
In the configuration order, the system first matches a route with a rule that has
a smaller number and then matches the route with a rule with a larger number.
routes.
By default, the LSA packets to be sent are not filtered.
----End

After OSPF attributes on the NBMA network and P2MP network are set, you can check OSPF
statistics, LSDB information, neighbor information, and interface information.
Prerequisites
OSPF attributes on the NBMA network and P2MP network have been configured.
Procedure
l
Issue 02 (2013-12-31)
Run the either of the following command to check LSDB information.

2184

Equipment
8 IP Routing
display ospf [ process-id ] lsdb [ brief ]

display ospf [ process-id ] lsdb [ router | network | summary | asbr | ase | nssa |
opaque-link | opaque-area | opaque-as ] [ link-state-id ] [ originate-router
[ advertising-router-id ] | self-originate ] [ age { min-value min-age-value | maxvalue max-age-value } * ]
l
Run the display ospf [ process-id ] peer [ [ interface-type interface-number ] neighborid | brief | last-nbr-down ] command to view neighbor information.
Run the display ospf [ process-id ] nexthop command to check next hop information.
Run the either of the following command to check routing table information.
display ospf [ process-id ] routing [ ip-address [ mask | mask-length ] ] [ interface
interface-type interface-number ] [ nexthop nexthop-address ]
display ospf [ process-id ] routing router-id [ router-id ]
Run the display ospf [ process-id ] interface [ all | interface-typeinterface-number ]

[ verbose ] command to check interface information.
----End
Example
Run the display ospf interface command to view the network type of the interface and the
priority of the interface for DR election.
<HUAWEI> display ospf interface GigabitEthernet0/3/0
Interfaces
Interface: 11.1.1.1 (GigabitEthernet0/2/0)
Cost: 1
State: BDR
Type: Broadcast
MTU: 1500
Priority: 1
Designated Router: 11.1.1.2
Backup Designated Router: 11.1.1.1
Timers: Hello 10 , Dead 40 , Poll 120 , Retransmit 5 , Transmit Delay 1
8.5.4 Configuring an OSPF Route Selection Rule

You can configure an OSPF route selection rule to meet requirements of complex networks.
Before You Start

Before configuring an OSPF route selection rule, familiarize yourself with the usage scenario,
In real world situations, you can configure an OSPF route selection rule by setting OSPF route
attributes to meet the requirements of complex networks.
l
Set the cost of an interface. The link connected to the interface with a smaller cost value
preferentially transmits routing information.
Configure equal-cost routes to implement load balancing.
Issue 02 (2013-12-31)

2185

Equipment
8 IP Routing
Configure a stub router during the maintenance operations such as upgrade to ensure stable
data transmission through key routes.
Suppress interfaces from sending or receiving packets to help select the optimal route.
Configuring an OSPF interface to automatically adjust the link cost based on link quality
Before configuring an OSPF route selection rule, complete the following tasks:
l
the network layer
Data Preparation
To configure an OSPF route selection rule, you need the following data.
No.
Data
Interface cost
Equal-cost route preference
Link cost adjustment value
Setting the Interface Cost

You can adjust and optimize route selection by setting the OSPF interface cost.
Context
After the OSPF interface costs are set, the interface with a smaller cost value preferentially
transmits routing information. This helps select the optimal route.
The OSPF interface cost can be set manually or calculated based on the interface bandwidth.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
Issue 02 (2013-12-31)

2186

Equipment
8 IP Routing
ospf cost cost
The OSPF interface cost is set.

The ATN generally transmits routing information using the link connected to the interface with
a smaller cost value.
If no interface cost is configured, the system automatically calculates the interface cost based
on the interface bandwidth. The calculation formula is as follows: Cost of the interface =
Bandwidth reference value/Interface bandwidth. The integer of the calculated result is the cost
of the interface. If the calculated result is smaller than 1, the cost value is 1. By default, the
bandwidth reference value is 100, in Mbit/s. Changing the bandwidth reference value can change
the cost of an interface.
Perform the following steps to change the bandwidth reference value:
1.
Run:
system-view

2.
Run:
ospf [ process-id ]

3.
Run:
bandwidth-reference value
The bandwidth reference value is set.

----End
Configuring Equal-Cost Routes

You can set the number of OSPF equal-cost routes and route preference to implement load
balancing and adjust route selection.
Context
If the destinations and costs of the multiple routes discovered by one routing protocol are the
same, load balancing can be implemented among the routes.
As shown in Figure 8-11, three routes between ATN-A and ATN-B that run OSPF have the
same costs. The three routes are equal-cost routes for load balancing.
Issue 02 (2013-12-31)

2187

Equipment
8 IP Routing
Figure 8-11 Networking diagram of equal-cost routes
IP Network
cos
cost=10
ATN-A
cos
t =5
IP Network
t=1
0
cost=5
ATN-B
cos
t=8
t=
c os
IP Network
Perform the following steps on the equipment running OSPF.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ospf [ process-id ]

Step 3 Run:
The maximum number of equal-cost routes is set.

NOTE
The maximum number of equal-cost routes is 8, by default, it is 8.

nexthop ip-address weight value
The route preferences are configured for load balancing.

When the number of equal-cost routes on the live network is greater than that specified in the
maximum load-balancing command, valid routes are randomly selected for load balancing. To
specify valid routes for load balancing, run the nexthop command to set the route preference.
Ensure that the preferences of valid routes to be used must be high.
Issue 02 (2013-12-31)

2188

Equipment
8 IP Routing
The smaller the weight value, the higher the preference of the route. The default weight value
is 255, which indicates that load balancing is implemented regardless of the route preferences.
----End
Configuring a Stub Router

To ensure that a route is not interrupted during flapping-triggering maintenance operations such
as upgrade, you can configure a ATN as a stub router to allow traffic to bypass the route on the
stub router.
Context
After a stub router is configured, the route on the stub router will not be preferentially selected.
After the route cost is set to the maximum value 65535, traffic generally bypasses the ATN. This
ensures an uninterrupted route on the ATN during maintenance operations such as upgrade.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ospf [ process-id ]

Step 3 Run:
stub-router [ on-startup [ interval ] ]
A stub router is configured.

By default, no ATN is configured as a stub router.
If a ATN is configured as a stub router, the ATN keeps functioning as a stub router for 500s.
NOTE
The stub router configured in this manner is irrelevant to the ATN in the stub area.
----End
Suppressing an Interface from Receiving and Sending OSPF Packets

After an interface is suppressed from receiving and sending OSPF packets, routing information
can bypass a specific ATN and the local ATN can reject routing information advertised by
another ATN.
Context
Suppressing an interface from receiving and sending OSPF packets helps routing information
to bypass a specific ATN and enables the local ATN to reject routing information advertised by
another ATN. This ensures that an optimal route is provided.
Issue 02 (2013-12-31)

2189

Equipment
8 IP Routing
For example, there are three routes between CX-A and ATN-B, as shown in Figure 8-12. To
configure the route with the outbound interface of POS 1/0/1 to be the optimal route, suppress
POS 1/0/0 and POS 1/0/2 from receiving and sending OSPF packets.
Figure 8-12 Networking diagram of suppressing an interface from receiving and sending OSPF
packets
IP Network
PO
S1
/ 0/
POS1/0/1
CX-A
PO
S
1/0
/
IP Network
ATN-B
IP Network
Perform the following steps on the ATN running OSPF.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ospf [ process-id ]

Step 3 Run:
silent-interface { all | interface-typeinterface-number }
An interface is suppressed from receiving and sending OSPF packets.

The same interface in different processes can be suppressed from sending and receiving OSPF
packets, but the silent-interface command is valid only for the OSPF interface in the local
process.
After an OSPF interface is configured to be in the silent state, the interface can still advertise its
direct routes. Hello packets on the interface, however, cannot be forwarded. Therefore, no
neighbor relationship can be established on the interface. This can enhance the networking
adaptability of OSPF and reduce system resource consumption.
----End

After an OSPF route selection rule is configured, you can check information about the OSPF
routing table, interface, and next hop.
Issue 02 (2013-12-31)

2190

Equipment
8 IP Routing
Prerequisites
All OSPF route selection configurations have been configured.
Procedure
l
Run the display ospf [ process-id ] routing [ ip-address [ mask | mask-length ] ]

[ interface interface-type interface-number ] [ nexthop nexthop-address ] command to
check the OSPF routing table information.
Run the display ospf [ process-id ] interface [ all | interface-type interface-number ]

[ verbose ] command to check OSPF interface information.
----End
Example
Run the display ospf [ process-id ] routing ip-address command to view the route convergence
priority.
<HUAWEI> display ospf routing 100.1.1.1
Destination
AdverRouter
Cost
NextHop
Priority
:
:
:
:
:
100.1.1.0/24
100.1.1.2
1
100.1.1.2
Low
Area
Type
Interface
Age
:
:
:
:
0.0.0.0
Transit
00h02m43s
8.5.5 Controlling OSPF Routing Information

You can control the advertising and receiving of OSPF routing information and import routes
of other protocols.
Before You Start

Before controlling OSPF routing information, familiarize yourself with the usage scenario,
You can control the advertising and receiving of OSPF routing information and import routes
of other protocols.
Before controlling OSPF routing information, complete the following tasks:
l
the network layer
Data Preparation
To control OSPF routing information, you need the following data.
Issue 02 (2013-12-31)

2191

Equipment
8 IP Routing
No.
Data
Link cost
ACL for route filtering
Name of the imported routing protocol, OSPF process ID, and default parameters
Configuring OSPF to Import External Routes

Importing the routes discovered by other routing protocols can enrich OSPF routing information.
Context
To access a ATN running a non-OSPF protocol, an OSPF-capable ATN needs to import routes
of the non-OSPF protocol into the OSPF network.
OSPF provides loop-free intra-area routes and inter-area routes; however, OSPF cannot prevent
external routing loops. Therefore, exercise caution when configuring OSPF to import external
routes. For details, see "OSPF VPN" in the Feature Description - IP Routing.
Perform the following steps on the ASBR running OSPF.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ospf [ process-id ]

Step 3 Run:
import-route { limit limit-number | { bgp [ permit-ibgp ] | direct | unr | rip
[ process-id-rip ] | static | isis [ process-id-isis ] | ospf [ process-id-ospf ] }
[ cost cost | type type | tag tag | route-policy route-policy-name ] * }
Routes are imported from another protocol.

default { cost { cost | inherit-metric } | limit limit | tag tag | type type }
The default values of parameters (the cost, number of routes, tag, and type) are set for imported
routes.
When OSPF imports external routes, you can set default values for some additional parameters,
such as the cost, number of routes to be imported, route tag, and route type. The route tag is used
to identify the protocol-related information. For example, it can be used to differentiate AS
numbers carried in BGP routes imported by OSPF.
Issue 02 (2013-12-31)

2192

Equipment
8 IP Routing
By default, the cost of the external routes imported by OSPF is 1; a maximum of 2147483647
routes can be imported each time; the type of the imported external routes is Type 2; the default
tag value of the imported routes is 1.
NOTE
You can run one of the following commands to set the cost of the imported route. The following commands
are listed in descending order of priorities.
l Run the apply cost command to set the cost of a route.
l Run the import-route command to set the cost of the imported route.
l Run the default command to set the default cost of the imported route.

filter-policy { acl-number | acl-name acl-name | ip-prefix ip-prefix-name | routepolicy route-policy-name } export [ protocol [ process-id ] ]

1.
Run:
filter-policy { acl-number | acl-name acl-name } export [ protocol [ processid ] ]
Routes imported using Step 3 can be advertised only when meeting filtering conditions.
2.
Run:
quit

3.
Run:
acl { [ number ] acl-number1 | name acl-name basic [ number acl-number2 ] }

4.
Run:
rule [ rule-id ] { deny | permit } [ fragment-type fragment-type-name |
source { source-ip-address source-wildcard | any } | time-range time-name |

by the system.
Issue 02 (2013-12-31)

2193

Equipment
8 IP Routing
1.
Run:
filter-policy acl-name acl-name export [ protocol [ process-id ] ]
2.
Run:
quit

3.
Run:
config } ]

4.
Run:

by the system.
Run:
Issue 02 (2013-12-31)

2194

Equipment
8 IP Routing
filter-policy ip-prefix ip-prefix-name export [ protocol [ process-id ] ]
l Based on the Route-Policy:
Run:
filter-policy route-policy route-policy-name export [ protocol [ process-id ] ]
OSPF filters the imported routes. OSPF uses Type 5 LSAs to carry routes that meet the filtering
conditions and advertises these Type 5 LSAs.
You can specify the parameter protocol [ process-id ] to filter the routes of a certain routing
protocol or a certain OSPF process. If protocol [ process-id ] is not specified, OSPF filters all
imported routes.
The import-route command cannot be used to import the default route from another AS.
----End
Configuring OSPF to Import a Default Route

The default route is widely applied on the OSPF network to reduce routing entries in the routing
table and filter specific routing information.
Context
On the area border and AS border of an OSPF network generally reside multiple ATNs for nexthop backup or traffic load balancing. A default route can be configured to reduce routing entries
and improve resource usage on the OSPF network.
The default route is generally applied to the following scenarios:
1.
An ABR in an area advertises Type 3 LSAs carrying the default route within the area.
ATNs in the area use the received default route to forward inter-area packets.
2.
An ASBR in an AS advertises Type 5 or Type 7 LSAs carrying the default route within the
AS. ATNs in the AS use the received default route to forward AS external packets.
When no exactly matched route is discovered, the ATN can forward packets through the default
route.
The preference of the default route in Type 3 LSAs is higher than that of the route in Type 5 or
Type 7 LSAs.
The advertising mode of the default route is determined by the type of the area to which the
default route is imported, as shown in Table 8-2.
Table 8-2 Default route advertising mode
Issue 02 (2013-12-31)
Area
Type
Generated By
Advertise
d By
LSA Type
Floodi
ng
Area
Commo
n area
The default-route-advertise command
ASBR
Type 5 LSA
Comm
on area

2195

Equipment
8 IP Routing
Area
Type
Generated By
Advertise
d By
LSA Type
Floodi
ng
Area
Stub
area
Automatically
ABR
Type 3 LSA
Stub
area
NSSA
The nssa [ default-route-advertise ]

command
ASBR
Type 7 LSA
NSSA
Totally
NSSA
Automatically
ABR
Type 3 LSA
NSSA
Perform the following steps on the ASBR running OSPF.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ospf [ process-id ]

Step 3 Run:
default-route-advertise [ [ always | permit-calculate-other ] | cost cost | type
type | route-policy route-policy-name ] *
The default route is imported into the OSPF process.

To configure the parameter cost to specify the default cost of Type-3 summary LSAs, enable
VPN first.
Before advertising a default route, OSPF compares the preferences of default routes. Therefore,
if a static default route is configured on an OSPF device, to add the default route advertised by
OSPF to the current routing table, ensure that the preference of the configured static default route
is lower than that of the default route advertised by OSPF.
For details about how to configure the default route in the NSSA, see Configuring an NSSA.
----End
Configuring Route Summarization

When a large-scale OSPF network is deployed, you can configure route summarization to reduce
routing entries. Otherwise, a large number of routing entries are generated and consume system
resources unexpectedly.
Context
Route summarization on a large-scale OSPF network efficiently reduces routing entries. This
minimizes system resource consumption and maintains the system performance. In addition, if
Issue 02 (2013-12-31)

2196

Equipment
8 IP Routing
a specific link frequently alternates between Up and Down, the links not involved in the route
summarization will not be affected. This prevents route flapping and improves the network
stability.
Procedure
l
Configure ABR route summarization.

1.
Run:
system-view

2.
Run:
ospf [ process-id ]

3.
Run:
area area-id

4.
Run:
abr-summary ip-address mask [ [ [ advertise | not-advertise ] | cost {
cost | inherit-minimum } ] * ]
ABR route summarization is configured.

l
Configure ASBR route summarization.

1.
Run:
system-view

2.
Run:
ospf [ process-id ]

3.
Run:
asbr-summary ip-address mask [ [ advertise | not-advertise ] | cost {
cost | inherit-minimum } ] *
ASBR route summarization is configured.

NOTE
After route summarization is configured, the routing table on the local OSPF ATN remains the same.
The routing table on another OSPF ATN, however, contains only one summarized route, no specific
route. This summarized route is not removed until all specific routes are interrupted.
----End
Configuring OSPF to Filter Routes Received by OSPF

By configuring filtering conditions for the received routes, you can allow only the routes that
meet the filtering conditions to be added to the routing table.
Issue 02 (2013-12-31)

2197

Equipment
8 IP Routing
Procedure
Step 1 Run:
system-view

Step 2 Run:
ospf [ process-id ]

1.
Run:
filter-policy { acl-number | acl-name acl-name [ secondary ] } import
Routes received by OSPF are filtered.

2.
Run:
quit

3.
Run:

4.
Run:

by the system.
Issue 02 (2013-12-31)

2198

Equipment
8 IP Routing
1.
Run:
filter-policy { acl-name acl-name [ secondary ] } import

2.
Run:
quit

3.
Run:
config } ]

4.
Run:

by the system.
Run:
filter-policy { ip-prefix ip-prefix-name [ secondary ] } import
Issue 02 (2013-12-31)

2199

Equipment
8 IP Routing

l Based on the Route-Policy:
Run:
filter-policy { route-policy route-policy-name [ secondary ] } import

OSPF is a dynamic routing protocol based on the link state, and routing information is carried
in LSAs. The filter-policy import command cannot be used to filter the advertised and received
LSAs. Actually, this command is used to filter the routes calculated by OSPF. Only the routes
that meet the filtering conditions are added to the routing table.
----End
Configuring the ATN to Filter LSAs to Be Sent

Filtering the LSAs to be sent on the local router can prevent unnecessary LSA transmission.
This reduces the size of the LSDB on the neighboring ATN and speeds up network convergence.
Context
When multiple links exist between two ATNs, you can configure the local ATN to filter the
LSAs to be sent. This prevents unnecessary LSA transmission and saves bandwidth resources.
Procedure
Step 1 Run:
system-view

Step 2 Run:

1.
Run:
ospf filter-lsa-out { all | { summary [ acl { acl-number | acl-name } ] |
ase [ acl { acl-number | acl-name } ] | nssa [ acl { acl-number | aclname } ] } * }
The LSAs to be sent are filtered.

2.
Run:
quit

3.
Run:

4.
Issue 02 (2013-12-31)
Run:
2200

Equipment
8 IP Routing


by the system.
1.
Run:
ospf filter-lsa-out { all | { summary [ acl acl-name ] | ase [ acl aclname ] | nssa [ acl acl-name ] } * }
The LSAs to be sent are filtered.

2.
Run:
quit

3.
Run:
config } ]

4.
Run:

Issue 02 (2013-12-31)

2201

Equipment
8 IP Routing
by the system.
By default, the LSAs to be sent are not filtered.
----End
(Optional) Configuring OSPF to Filter LSAs in an Area

Filtering LSAs in an area can prevent unnecessary LSA transmission. This reduces the size of
the LSDB on the neighboring ATN and speeds up network convergence.
Context
After filtering conditions are set for the incoming or outgoing Type 3 LSAs (Summary LSAs)
in an area, only the Type 3 LSAs that meet the filtering conditions can be received or advertised.
This function is applicable only to the ABR.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ospf [ process-id ]

Step 3 Run:
area area-id

Issue 02 (2013-12-31)

2202

Equipment
8 IP Routing
Step 4 Filter incoming or outgoing Type 3 LSAs in the area.

l Filter incoming Type 3 LSAs in the area, run any of the following commands as required:
Based on the basic ACL:
1.
Run:
filter-policy { acl-number | acl-name acl-name } import
The filter incoming Type 3 LSAs in the area are filtered.

2.
Run:
quit

3.
Run:

4.
Run:
source { source-ip-address source-wildcard | any } | time-range timename | vpn-instance vpn-instance-name ] *

routes.
Based on the advanced ACL:
1.
Run:
filter-policy acl-name acl-name import
Issue 02 (2013-12-31)

2203

Equipment
8 IP Routing

2.
Run:
quit

3.
Run:
{ auto | config } ]

4.
Run:

routes.
Based on the IP prefix:
Run:
filter ip-prefix ip-prefix-name export
The IP prefix is configured.

Based on the Route-Policy:
Run:
filter route-policy route-policy-name export
The Route-Policy is configured.

l Filter outgoing Type 3 LSAs in the area, run any of the following commands as required:
Issue 02 (2013-12-31)

2204

Equipment
8 IP Routing

1.
Run:
filter { acl-number | acl-name acl-name } import
The filter outgoing Type 3 LSAs in the area are filtered.

2.
Run:
quit
3.
Run:

4.
Run:
source { source-ip-address source-wildcard | any } | time-range timename | vpn-instance vpn-instance-name ] *

routes.
Based on the advanced ACL:
1.
Run:
filter acl-name acl-name import

2.
Run:
quit
Issue 02 (2013-12-31)

2205

Equipment
8 IP Routing

3.
Run:
{ auto | config } ]

4.
Run:

routes.
Run:
filter ip-prefix ip-prefix-name import

Run:
filter route-policy route-policy-name import

----End
(Optional) Enabling the Mesh-Group Function

The mesh-group function is used to prevent repeated flooding and save system resources.
Issue 02 (2013-12-31)

2206

Equipment
8 IP Routing
Context
When concurrent links exist between two ATNs, you can enable the mesh-group function to
reduce the load on the links.
The neighboring router ID identifies each mesh group. Several concurrent links are added to a
mesh group. Flooding is implemented once in the group. You can add interfaces that meet the
following conditions to the same mesh group.
l
The interfaces belong to the same area and OSPF process.
The interfaces begin to exchange DD packets.
The interfaces are connected to the same neighboring ATN.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ospf [ process-id ]

Step 3 Run:
mesh-group enable
The mesh-group function is enabled.

By default, the mesh-group function is disabled.
----End
Setting the Maximum Number of External LSAs in the LSDB

You can set the maximum number of external LSAs in the LDSB to keep a proper number of
external LSAs.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ospf [ process-id ]

Step 3 Run:
lsdb-overflow-limit number
The maximum number of external LSAs in the LSDB is set.

----End
Issue 02 (2013-12-31)

2207

Equipment
8 IP Routing

After controlling OSPF routing information, you can check information about the OSPF routing
table, interface, and ASBR summarization.
Prerequisites
Controlling OSPF routing information has been configured.
Procedure
l
Run either of the following commands to check routing table information.


Run the display ospf [ process-id ] asbr-summary [ ip-address mask ] command to check
OSPF ASBR summarization information.
----End
Example
Run the display ospf interface command to view the OSPF interface information.
<HUAWEI> display ospf interface GigabitEthernet0/2/0
Interfaces
Interface: 11.1.1.1 (GigabitEthernet0/2/0)
Cost: 1
State: BDR
Type: Broadcast
MTU: 1500
Priority: 1
Designated Router: 1.1.1.2
Backup Designated Router: 1.1.1.1
Timers: Hello 10 , Dead 40 , Poll 120 , Retransmit 5 , Transmit Delay 1
Run the display ospf asbr-summary command to view summarization information about routes
imported by the local ATN.
<HUAWEI> display ospf asbr-summary
Summary Addresses
Total summary address count: 1
Summary Address
net
: 10.0.0.0
mask
: 255.0.0.0
tag
: 10
status
: Advertise
Cost
: 0 (Not Configured)
delay
: 0 (Not Configured)
The Count of Route is : 2
Destination
Net Mask
Proto
Process
10.1.0.0
255.255.0.0
Static
1
10.2.0.0
255.255.0.0
Static
1
Issue 02 (2013-12-31)

Type
2
2
Metric
10
10
2208

Equipment
8 IP Routing
8.5.6 Configuring an OSPF Dynamic Hostname

Compared with router IDs, Open Shortest Path First (OSPF) dynamic hostnames are easier to
memorize. Therefore, using dynamic hostnames to identify routers can facilitate network
management.
To facilitate network management, configure dynamic hostnames to identify routers. If you
configure a dynamic hostname for a router, the router generates a router information (RI) Opaque
LSA, from which you can check the mapping between the router ID and the dynamic hostname.
Before configuring a dynamic hostname, complete the following tasks:
l
Configure an IP address for each interface to ensure that neighboring routers can use the
IP addresses to communicate with each other.
Configure basic OSPF functions.
Enable the Opaque LSA capability.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ospf [ process-id ]

Step 3 Run:
The Opaque LSA capability is enabled.

Step 4 Run:
hostname hostname
An OSPF dynamic hostname is configured.

NOTE
If you specify hostname in this command, hostname is advertised as the dynamic hostname. If no
hostname is specified in this command, the device name specified in the sysname command is advertised
as the dynamic hostname.
----End

Run either of the following commands to check OSPF hostname information:
l
Issue 02 (2013-12-31)
display ospf hostname-table

2209

Equipment
8 IP Routing
display ospf [ process-id ] peer [ interface-type interface-number | interface-name ]

hostname hostname
display ospf [ process-id ] lsdb [ { router | network | summary | asbr | ase | nssa | opaquelink | opaque-area | opaque-as } [ link-state-id ] ] hostname hostname [ age { minvalue min-age-value | max-value max-age-value } * ]
display ospf [ process-id ] lsdb [ { brief | [ { router | network | summary | asbr | ase |
nssa | opaque-link | opaque-area | opaque-as } [ link-state-id ] ] [ originate-router
[ advertising-router-id ] | self-originate ] [ age { min-value min-age-value | max-value
max-age-value } * ] [ resolve-hostname ] } ]
Run the display ospf hostname-table command to check information about OSPF dynamic
hostnames.
<HUAWEI> display ospf hostname
Hostname table information
Area: 0.0.0.1
Router ID
3.3.3.3
10.1.1.1
255.255.255.254
Hostname
RTR_BLR
RTR_SHANGHAI
RTR_BJI
Area: 0.0.0.2
Router ID
3.3.3.3
30.1.1.1
Hostname
RTR_BLR
RTR_DELHI
AS-Scope
Router ID
20.1.1.1
255.255.255.254
Hostname
RTR_SHENZHEN
RTR_BJI
8.5.7 Configuring an OSPF Stub Area

Configuring a non-backbone area as a stub area can reduce routing entries in the area in an AS
does not transmit routes learned from other areas in the AS or AS external routes. This reduces
bandwidth and storage resource consumption.
The number of LSAs can be reduced by partitioning an AS into different areas. To reduce the
number of entries in the routing table and the number of LSAs to be transmitted in a nonbackbone area, configure the non-backbone area on the border of the AS as a stub area.
Configuring a stub area is optional. A stub area generally resides on the border of an AS. For
example, a non-backbone area with only one ABR can be configured as a stub area. In a stub
area, the number of entries in the routing table and the amount of routing information to be
transmitted greatly decrease.
Note the following points when configuring a stub area:
l
Issue 02 (2013-12-31)
The backbone area (Area 0) cannot be configured as a stub area.

2210

Equipment
8 IP Routing
If an area needs to be configured as a stub area, all the ATNs in this area must be configured
with stub attributes using the stub command.
An ASBR cannot exist in a stub area. External routes are not transmitted in the stub area.
Virtual links cannot exist in the stub area.
Before configuring a stub area, complete the following tasks:
l
the network layer
Data Preparation
To configure a stub area, you need the following data.
No.
Data
(Optional) Cost of the default route to the stub area

NOTE
By default, the cost of the default route to the stub area is 1.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ospf [ process-id ]

Step 3 Run:
area area-id

Step 4 Run:
stub
The specified area is configured as a stub area.

NOTE
l All ATNs in a stub area must be configured with stub attributes using the stub command.
l Configuring or deleting stub attributes will update routing information in the area. Stub attributes can
be deleted or configured again only after the routing update is complete.

stub [ no-summary ]
Issue 02 (2013-12-31)

2211

Equipment
8 IP Routing
The ABR is prevented from sending Type 3 LSAs to the stub area.
default-cost cost
The cost of the default route to the stub area is set.

To ensure the reachability of AS external routes, the ABR in the stub area generates a default
route and advertises the route to the non-ABR ATNs in the stub area.
By default, the cost of the default route to the stub area is 1.
----End

Run either of the following commands to check LSDB information.
l
display ospf [ process-id ] lsdb [ router | network | summary | asbr | ase | nssa | opaquelink | opaque-area | opaque-as ] [ link-state-id ] [ originate-router [ advertising-routerid ] | self-originate ] [ age { min-value min-age-value | max-value max-age-value } * ]

l

Run the display ospf [ process-id ] abr-asbr [ router-id ] command to check ASBR and ABR
information.
8.5.8 Configuring an NSSA

Configuring a non-backbone area on the border of an AS as an NSSA does not transmit routes
learned from other areas in the AS but imports AS external routes. This reduces bandwidth and
storage resource consumption on the ATN.
An NSSA is configured in the scenario where AS external routes are to be imported but not
forwarded to save system resources.
The NSSA is a new type of OSPF area. Neither the NSSA nor the stub area transmits routes
learned from other areas in the AS it resides. The stub area does not allow AS external routes to
be imported, whereas the NSSA allows AS external routes to be imported and forwarded in the
entire AS.
Type 7 LSAs are used to carry imported AS external routing information in the NSSA. Type 7
LSAs are generated by the ASBRs of NSSAs and flooded only in the NSSAs where ASBRs
reside. The ABR in an NSSA selects certain Type 7 LSAs from the received ones and translates
them into Type 5 LSAs to advertise AS external routing information to the other areas over the
OSPF network.
To configure an area as an NSSA, configure NSSA attributes on all the ATNs in this area.
Issue 02 (2013-12-31)

2212

Equipment
8 IP Routing
Before configuring an NSSA, complete the following tasks:
l
the network layer
Data Preparation
To configure an NSSA, you need the following data.
No.
Data
(Optional) Cost of the default route to the NSSA

NOTE
By default, the cost of the default route to the NSSA is 1.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ospf [ process-id ]

Step 3 Run:
area area-id

Step 4 Run:
nssa [ default-route-advertise | flush-waiting-timer interval-value | no-importroute | no-summary | set-n-bit | suppress-forwarding-address | translator-always |
translator-interval interval-value | zero-address-forwarding ] *
The specified area is configured as an NSSA.

NOTE
l All ATNs in the NSSA must be configured with NSSA attributes using the nssa command.
l Configuring or deleting NSSA attributes may trigger routing update in the area. A second configuration
of NSSA attributes can be implemented or canceled only after routing update is complete.
The nssa command is applicable to the following scenarios:

l The parameter default-route-advertise is used to advertise Type 7 LSAs carrying the default
route on the ABR or ASBR to the NSSA.
Issue 02 (2013-12-31)

2213

Equipment
8 IP Routing
Type 7 LSAs carrying the default route will be generated regardless of whether the default
route 0.0.0.0 exists in the routing table on the ABR. On the ASBR, however, the default Type
7 LSA is generated only when the default route 0.0.0.0 exists in the routing table.
l When the area to which the ASBR belongs is configured as an NSSA, invalid Type 5 LSAs
from other ATNs in the area where LSAs are flooded will be reserved. These LSAs will be
deleted only when the aging time reaches 3600s. The ATN performance is affected because
the forwarding of a large number of LSAs consumes the memory resources. To resolve such
a problem, you can set the parameter flush-waiting-timer to the maximum value 3600s for
Type 5 LSAs so that the invalid Type 5 LSAs from other ATNs can be deleted in time.
NOTE
l When the LS age field value (aging time) in the header of an LSA reaches 3600s, the LSA is deleted.
l If an ASBR also functions as an ABR, flush-waiting-timer does not take effect. This prevents
Type 5 LSAs in the non-NSSAs from being deleted.
l If an ASBR also functions as an ABR, set the parameter no-import-route to prevent external
routes imported using the import-route command from being advertised to the NSSA.
l To reduce the number of LSAs that are transmitted to the NSSA, set the parameter nosummary on an ABR. This prevents the ABR from transmitting Type 3 LSAs to the NSSA.
l After the parameter set-n-bit is configured, the ATN re-establishes neighbor relationships
with the neighboring ATNs in the NSSA.
l If multiple ABRs are deployed in the NSSA, the system automatically selects an ABR
(generally the ATN with the largest router ID) as a translator to translate Type 7 LSAs into
Type 5 LSAs. You can also configure the parameter translator-always on an ABR to specify
the ABR as an all-the-time translator. To specify two ABRs for load balancing, configure
the parameter translator-always on two ABRs to specify the ABRs as all-the-time
translators. This prevents LSA flooding caused by translator role changes.
l The parameter translator-interval is used to ensure uninterrupted services when translator
roles change. The interval-value value must be greater than the flooding period.
default-cost cost
The cost of the default route to the NSSA is set.

To ensure the reachability of AS external routes, the ABR in the NSSA generates a default route
and advertises the route to the other ATNs in the NSSA.
Type 7 LSAs can be used to carry default route information to guide traffic to other ASs.
Multiple ABRs may be deployed in an NSSA. To prevent routing loops, ABRs do not calculate
the default routes advertised by each other.
By default, the cost of the default route to the NSSA is 1.
----End

Run either of the following commands to check LSDB information.
l
Issue 02 (2013-12-31)

2214

Equipment
8 IP Routing
display ospf [ process-id ] lsdb [ router | network | summary | asbr | ase | nssa | opaquelink | opaque-area | opaque-as ] [ link-state-id ] [ originate-router [ advertising-routerid ] | self-originate ]

l


8.5.9 Configuring BFD for OSPF

After BFD for OSPF is enabled, when a link fails, the ATN rapidly detects the failure, notifies
the OSPF process or interface of the fault, and instructs OSPF to recalculate routes. This speeds
up OSPF network convergence.
Before You Start

Before configuring BFD for OSPF, familiarize yourself with the usage scenario, complete the
OSPF enables the ATN to periodically send Hello packets to a neighboring ATN for fault
detection. Detecting a fault takes more than 1s. As technologies develop, voice, video, and other
VOD services are widely used. These services are quite sensitive to packet loss and delays. When
traffic is transmitted at gigabit rates, long-time fault detection will cause packet loss. This cannot
meet high reliability requirements of the carrier-class network.
BFD for OSPF is introduced to resolve this problem. After BFD for OSPF is configured in a
specified process or on a specified interface, the link status can be rapidly detected and fault
detection can be completed in milliseconds. This speeds up OSPF convergence when the link
status changes.
Before configuring BFD for OSPF, complete the following task:
l
the network layer
Data Preparation
To configure BFD for OSPF, you need the following data.
Issue 02 (2013-12-31)
No.
Data
Number of the OSPF process to be enabled with BFD for OSPF

2215

Equipment
No.
Data
Type and number of the interface to be enabled with BFD for OSPF
(Optional) Values of BFD session parameters
8 IP Routing
NOTE
The default parameter values are recommended.
Configuring BFD for OSPF in a Specified Process

Configuring BFD for OSPF in a specified process helps the system to rapidly detect the link
status and speeds up OSPF convergence in the case of a link failure.
Context
After BFD for OSPF is configured, when detecting a link fault, BFD rapidly notifies the ATNs
on both ends of the link of the fault, triggering rapid OSPF convergence. When the OSPF
neighbor relationship goes Down, the BFD session will be dynamically deleted.
Before configuring BFD for OSPF, enable BFD globally.
Perform the following steps on the ATNs between which a BFD session is to be created.
Procedure
Step 1 Run:
system-view

Step 2 Run:
bfd
BFD is globally configured.

Step 3 Run:
quit

Step 4 Run:
ospf [ process-id ]

Step 5 Run:
BFD for OSPF is configured. The default parameter values are used to create a BFD session.
If all the interfaces in a certain process are configured with BFD and their neighbor relationships
are in the Full state, OSPF creates BFD sessions with default parameter values on all the
interfaces in the process.
Issue 02 (2013-12-31)

2216

Equipment
8 IP Routing

bfd all-interfaces { min-rx-interval receive-interval | min-tx-interval transmitinterval | detect-multiplier multiplier-value } *
BFD session parameters are modified.

You can skip this step. The default interval at which BFD packets are transmitted and the default
detection multiplier are recommended.
The parameters are configured based on the network status and network reliability requirements.
A short interval at which BFD packets are transmitted can be configured for a link that has a
higher requirement for reliability. A long interval at which BFD packets are transmitted can be
configured for a link that has a lower requirement for reliability.
NOTE
l Actual interval at which BFD packets are transmitted on the local ATN = Max { configured interval transmitinterval at which BFD packets are transmitted on the local ATN, configured interval receive-interval at
which BFD packets are received on the peer ATN }
l Actual interval at which BFD packets are received on the local ATN = Max { configured interval transmitinterval at which BFD packets are transmitted on the peer ATN, configured interval receive-interval at which
BFD packets are received on the local ATN }
l Actual time for detecting BFD packets = Actual interval at which BFD packets are received on the local
ATN x Configured detection multiplier multiplier-value on the peer ATN
For example:
l On the local ATN, the configured interval at which BFD packets are transmitted is 50 ms; the configured
interval at which BFD packets are received is 100 ms; the detection multiplier is 1.
l On the peer ATN, the configured interval at which BFD packets are transmitted is 20 ms; the interval at
which BFD packets are received is 100 ms; the detection multiplier is 10.
Then:
l On the local ATN, the actual interval at which BFD packets are transmitted is 100 ms calculated by using
the formula max {50 ms, 100 ms}; the interval at which BFD packets are received is 100 ms calculated by
using the formula max {20 ms, 100 ms}; the detection period is 1000 ms calculated by multiplying 100 ms
by 10.
l On the peer ATN, the actual interval at which BFD packets are transmitted is 100 ms calculated by using
the formula max {20 ms, 100 ms}, the actual interval at which BFD packets are received is 100 ms calculated
by using the formula max {50 ms, 100 ms}, and the detection period is 100 ms calculated by multiplying
100 ms by 1.
Step 7 (Optional) Prevent an interface from dynamically creating a BFD session.

After BFD for OSPF is configured, all interfaces on which neighbor relationships are Full in the
OSPF process will create BFD sessions. To prevent specific interfaces from being enabled with
BFD, disable these interfaces from dynamically creating BFD sessions.
1.
Run:
quit

2.
Run:

3.
Run:
ospf bfd block
Issue 02 (2013-12-31)

2217

Equipment
8 IP Routing
An interface is prevented from dynamically creating a BFD session.

----End
Configuring BFD for OSPF on a Specified Interface

Configuring BFD for OSPF on a specified interface helps speed up OSPF convergence in the
case of an interface failure.
Context
After BFD for OSPF is configured on a specified interface and the interface becomes faulty, the
ATN rapidly detects the fault and instructs OSPF to recalculate routes. This speeds up OSPF
convergence. When the OSPF neighbor relationship goes Down, the BFD session between OSPF
neighbors is dynamically deleted.
Before configuring BFD for OSPF, enable BFD globally.
Procedure
Step 1 Run:
system-view

Step 2 Run:
bfd

Step 3 Run:
quit

Step 4 Run:

Step 5 Run:
ospf bfd enable
BFD for OSPF is configured. The default parameter values are used to create a BFD session.
If all the interfaces in a certain process are configured with BFD and their neighbor relationships
are in the Full state, OSPF creates BFD sessions with default parameter values on specified
interfaces in the process.
NOTE
The priority of BFD for OSPF configured on an interface is higher than that of BFD for OSPF configured
for a process.

ospf bfd { min-rx-interval receive-interval | min-tx-interval transmit-interval |
detect-multiplier multiplier-value } *
Issue 02 (2013-12-31)

2218

Equipment
8 IP Routing

You can skip this step. The default interval at which BFD packets are transmitted and the default
detection multiplier are recommended.
The parameters are configured based on the network status and network reliability requirements.
A short interval at which BFD packets are transmitted can be configured for a link that has a
higher requirement for reliability. A long interval at which BFD packets are transmitted can be
configured for a link that has a lower requirement for reliability.
NOTE
l Actual interval at which BFD packets are transmitted on the local ATN = Max { configured interval transmitinterval at which BFD packets are transmitted on the local ATN, configured interval receive-interval at
which BFD packets are received on the peer ATN }
l Actual interval at which BFD packets are received on the local ATN = Max { configured interval transmitinterval at which BFD packets are transmitted on the peer ATN, configured interval receive-interval at which
BFD packets are received on the local ATN }
l Actual time for detecting BFD packets = Actual interval at which BFD packets are received on the local
ATN x Configured detection multiplier multiplier-value on the peer ATN
For example:
l On the local ATN, the configured interval at which BFD packets are transmitted is 50 ms; the configured
interval at which BFD packets are received is 100 ms; the detection multiplier is 1.
l On the peer ATN, the configured interval at which BFD packets are transmitted is 20 ms; the interval at
which BFD packets are received is 100 ms; the detection multiplier is 10.
Then:
l On the local ATN, the actual interval at which BFD packets are transmitted is 100 ms calculated by using
the formula max {50 ms, 100 ms}; the interval at which BFD packets are received is 100 ms calculated by
using the formula max {20 ms, 100 ms}; the detection period is 1000 ms calculated by multiplying 100 ms
by 10.
l On the peer ATN, the actual interval at which BFD packets are transmitted is 100 ms calculated by using
the formula max {20 ms, 100 ms}, the actual interval at which BFD packets are received is 100 ms calculated
by using the formula max {50 ms, 100 ms}, and the detection period is 100 ms calculated by multiplying
100 ms by 1.
----End

After configuring BFD for OSPF, you can view information about the BFD session between
two OSPF neighbors.
Prerequisites
All BFD for OSPF configurations have been configured.
Procedure
l
Run the display ospf [ process-id ] bfd session interface-type interface-number [ routerid ] or display ospf [ process-id ] bfd session { router-id | all } command to check
information about the BFD session between two OSPF neighbors.
----End
Issue 02 (2013-12-31)

2219

Equipment
8 IP Routing
Example
If the BFD session is successfully created, information about BFD for OSPF shows that the BFD
session is Up on the local ATN.
<HUAWEI> display ospf bfd session all

NeighborId:2.2.2.2
BFDState:up
Multiplier:3
RemoteIpAdd:100.2.1.1
AreaId:0.0.0.0
rx
:1000
tx
BFD Local Dis:8194
Diagnostic Info: Init
Interface:GigabitEthernet0/2/0
:1000
LocalIpAdd:100.2.1.2
8.5.10 Configuring OSPF IP FRR

With OSPF IP FRR, devices can rapidly switch traffic from faulty links to backup links without
interrupting traffic. This protects traffic and greatly improves the reliability of OSPF networks.
Before You Start

Before configuring OSPF IP FRR, familiarize yourself with the usage scenario, complete the
With the development of networks, Voice over IP (VoIP) and on-line video services require
high-quality real-time transmission. Nevertheless, if an OSPF fault occurs, traffic can be
switched to a new link only after the following processes: fault detection at the millisecond level,
notifying the fault to the routing control plane at the millisecond level, generating and flooding
new topology information at the tens of milliseconds level, triggering SPF calculation at the tens
of milliseconds level, and notifying and installing a new route at the hundreds-of-milliseconds
level. As a result, it takes much more than 50 ms to recovery the link from the fault, which cannot
meet the requirement for real-time services on the network.
With OSPF IP FRR that calculates a backup link in advance, devices can fast switch traffic to
the backup link without interrupting traffic when the primary link becomes faulty. This protects
traffic and therefore greatly improves the reliability of OSPF networks.
OSPF IP FRR is applicable to the services that are sensitive to packet delay and packet loss.
Before configuring OSPF IP FRR, complete the following tasks:
l
the network layer
Data Preparation
To configure OSPF IP FRR, you need the following data.
Issue 02 (2013-12-31)

2220

Equipment
No.
Data
OSPF process ID
(Optional) Cost of the interface
(Optional) BFD parameters
(Optional) Name of the route policy
8 IP Routing
Enabling OSPF IP FRR

This section describes how to enable OSPF IP FRR to generate a loop-free backup link. If the
primary link fails, OSPF can fast switch traffic to the backup link.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ]
The OSPF process is started, and the OSPF view is displayed.

Step 3 Run:
frr
The OSPF IP FRR view is displayed.

Step 4 Run:
loop-free-alternate
OSPF IP FRR is enabled to generate a loop-free backup link.

NOTE
OSPF can generate the loop-free backup link only when the OSPF IP FRR traffic protection inequality is
met.

frr-priority static low
The Loop-Free Alternates (LFA) algorithm is used to calculate the nexthop and outbound
interface for a backup link.
The nexthop and outbound interface of an OSPF loop-free backup link can be obtained using
either of the following methods:
l For a static backup link, after IP FRR is enabled using the ip frr command in the system
view or VPN instance view, configure a nexthop and an outbound interface for the static
backup link.
Issue 02 (2013-12-31)

2221

Equipment
8 IP Routing
l For a dynamic backup link, after OSPF IP FRR is enabled using the loop-free-alternate
command, enable the device to use the LFA algorithm to calculate the nexthop and outbound
interface for the dynamic backup link.
By default, static backup links take preference over dynamic backup links during route selection.
However, static backup links are less flexible than dynamic backup links. If a link failure occurs,
static backup links cannot update automatically, but dynamic backup links can. Therefore, to
ensure automatic link updates, run the frr-priority static low command to enable dynamic
backup links to take preference over static backup links so that the LFA algorithm is used to
calculate the nexthop and outbound interface.
frr-policy route route-policy route-policy-name
OSPF IP FRR filtering policies are configured.

After OSPF IP FRR filtering policies are configured, only the OSPF backup routes that match
the filtering conditions can be delivered to the forwarding table. To protect the traffic over a
specific OSPF route, you can configure a filtering policy that matches the OSPF route to ensure
that the route can be added to the forwarding table. If this route fails, OSPF can fast switch the
traffic to a backup link.
----End
(Optional) Binding OSPF IP FRR and BFD

This section describes how to bind OSPF IP FRR and BFD so that link faults can be detected
rapidly. This ensures that traffic is rapidly switched to the backup link in the case of link failures.
Context
During the configuration of OSPF IP FRR, the lower layer needs to fast respond to the link
change so that traffic can be rapidly switched to the backup link in the case of a link failure.
Bind BFD to the link status so that link faults can be detected rapidly. This ensures that traffic
is rapidly switched to the backup link in the case of link failures.
Binding OSPF IP FRR and BFD can configure in a specified process or on a specified interface.
The priority of BFD configured on an interface is higher than that of BFD configured in an OSPF
process. If BFD is enabled on an interface, a BFD session is established according to the BFD
parameters set on the interface.
Procedure
l
Binding OSPF IP FRR and BFD in a specified process .

1.
Run:
system-view

2.
Run:
bfd

3.
Run:
quit
Issue 02 (2013-12-31)

2222

Equipment
8 IP Routing

4.
Run:
ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ]
*
The OSPF process is enabled, and the OSPF view is displayed.

5.
Run:
BFD is enabled in an OSPF process.

6.
Run:
bfd all-interfaces frr-binding
IP FRR is bound to BFD in an OSPF process.

l
Binding OSPF IP FRR and BFD on a specified interface.

1.
Run:
system-view

2.
Run:
bfd

3.
Run:
quit

4.
Run:

5.
Run:
ospf bfd enable
The BFD on the specified interface is enabled with OSPF.

6.
Run:
ospf bfd frr-binding
IP FRR is bound to BFD on the OSPF interface.

----End
(Optional) Disabling OSPF IP FRR on an Interface

OSPF IP FRR can be disabled on an interface of a specific device that is running important
services and resides on an FRR backup link. This setting prevents the device connected to this
interface from being a part of a backup link and being burdened after FRR switches traffic to
the backup link.
Procedure
Step 1 Run:
Issue 02 (2013-12-31)

2223

Equipment
8 IP Routing
system-view

Step 2 Run:
The view of the OSPF IP FRR-enabled interface is displayed.

Step 3 Run:
ospf frr block
The OSPF IP FRR function is disabled on the specified interface.

----End

After configuring OSPF IP FRR, you can view route information.
Prerequisites
All OSPF IP FRR configurations have been configured.
Procedure
l
Run the display ospf [ process-id ] routing command to check information about the
primary and backup links after OSPF IP FRR is enabled.
----End
Example
View the routes to the specified OSPF device.
<HUAWEI> display ospf routing router-id 2.2.2.2
Destination : 2.2.2.2
Area : 0.0.0.0
Type : Normal
URT Cost : 1
NextHop : 10.0.0.2
Backup NextHop : 10.0.0.3
Backup Type
: LFA LINK-NODE
Route Type : Intra-area

AdvRouter : 2.2.2.2
Age : 17h03m33s
Interface : Ethernet0/2/0
Backup Interface : Ethernet0/2/1
The preceding display shows that a backup route is generated on ATN, including information
about the backup next hop: Backup NextHop is address of the backup next hop, Backup
Interface is outbound interface of the backup next hop, Backup Type is type of the backup next
hop.
8.5.11 Configuring OSPF GR

This section describes how to configure OSPF GR to avoid traffic interruption and route flapping
caused by the active/standby switchover.
Issue 02 (2013-12-31)

2224

Equipment
8 IP Routing
Before You Start

Before configuring OSPF GR, familiarize yourself with the usage scenario, complete the preconfiguration tasks, and obtain the data required for the configuration.
To avoid traffic interruption and route flapping caused by the active/standby switchover, you
can enable OSPF GR.
After the OSPF process is restarted through Graceful Restart (GR), the Restarter and the Helper
reestablish the neighbor relationship, exchange routing information, synchronize the LSDB, and
update the routing table and forwarding table. These operations ensure the fast convergence of
OSPF and the stability the network topology.
NOTE
In practical applications, you can configure OSPF GR on the dual main control boards to avoid service
forwarding from being affected by the fault occurred on the main control board.
Before configuring OSPF GR, complete the following tasks:
l
the network layer
Data Preparation
To configure OSPF GR, you need the following data.
No.
Data
OSPF process number
(Optional) Parameters for establishing GR sessions

NOTE
The default parameter values are recommended.
Enabling OSPF GR
Enabling OSPF GR to ensure the fast convergence of OSPF and the stability the network
topology.
Procedure
Step 1 Run:
system-view

Issue 02 (2013-12-31)

2225

Equipment
8 IP Routing
Step 2 Run:
ospf [ process-id ]
The OSPF view is displayed.

Step 3 Run:
The opaque-LSA function is enabled.

The opaque-LSA feature of OSPF needs to be enabled first because OSPF supports GR through
Type 9 LSAs.
Step 4 Run:
graceful-restart
The OSPF GR feature is enabled.

After the graceful-restart command is run to enable GR for a ATN, the Helper function is also
enabled.
----End
(Optional) Configuring the GR Session Parameters on the Restarter

This part describes how to set GR session parameters (including GR period, planned GR, and
totally GR) on the Restarter.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ospf [ process-id ]

Step 3 Run:
graceful-restart [ { period period } | planned-only | partial ]
The GR session parameters are set.

l Set period, the GR period on the Restarter is set. By default, the restart time is 120 seconds.
l Set planned-only, the Restarter supports only the planned GR. By default, the Restarter
supports both the planned GR and unplanned GR.
l Set partial, the Restarter supports the partial GR. By default, the Restarter supports the totally
GR.
----End
(Optional) Configuring GR Session Parameters on the Helper

This part describes how to set GR session parameters (including the filtering policies, checks
the LSAs outside the AS, and Planned GR) on the Helper.
Issue 02 (2013-12-31)

2226

Equipment
8 IP Routing
Procedure
Step 1 Run:
system-view

Step 2 Run:
ospf [ process-id ]

1.
Run:
graceful-restart [ { period period } | partial | planned-only ] * helperrole { { { acl-number acl-number | acl-name acl-name } | ignore-externallsa | planned-only } * | never }

2.
Run:
quit

3.
Run:

4.
Run:

1.
Run:
graceful-restart [ { period period } | partial | planned-only ] * helperrole { { acl-name acl-name | ignore-external-lsa | planned-only } * |
never }

2.
Run:
quit

3.
Run:
config } ]

4.
Run:

Issue 02 (2013-12-31)

2227

Equipment
8 IP Routing

Run:
graceful-restart [ { period period } | partial | planned-only ] * helper-role
{ { ip-prefix ip-prefix-name | ignore-external-lsa | planned-only } * | never }

NOTE
l Set ignore-external-lsa, the Helper does not check the LSAs outside the AS (AS-external LSA). By
default, the Helper checks the LSAs outside the AS.
l Set planned-only, the Helper supports only the planned GR. By default, the Helper supports both the
planned GR and unplanned GR.
l Set never, the ATN does not support the Helper mode.
----End

After configuring OSPF GR, check the OSPF GR status.
Prerequisites
The OSPF GR has been configured.
Procedure
l
Run the display ospf [ process-id ] graceful-restart [ verbose ] command to check the
restart status of OSPF GR.
----End
Example
Run the display ospf graceful-restart command. If the OSPF GR configuration is displayed,
it means that the configuration succeeds. For example:
<HUAWEI> display ospf graceful-restart
Graceful-restart capability
Graceful-restart support
Helper-policy support
Current GR state
Graceful-restart period
:
:
:
:
:
enabled
planned and un-planned, totally
planned and un-planned, strict lsa check
normal
120 seconds
Number of neighbors under helper:

Normal neighbors
: 0
Virtual neighbors
: 0
Sham-link neighbors : 0
Total neighbors
: 0
Number of restarting neighbors : 0
Last exit reason:
On graceful restart : successful exit
On Helper
: none
Issue 02 (2013-12-31)

2228

Equipment
8 IP Routing
8.5.12 Configuring the Network Management Function of OSPF

OSPF supports the network management function. You can bind the OSPF MIB to a certain
OSPF process, and configure the trap function and log function.
Before You Start

Before configuring the network management function for OSPF, familiarize yourself with the
usage scenario, complete pre-configuration tasks, and obtain the required data. This can help
OSPF supports the network management function. You can bind OSPF MIB and a certain OSPF
process. In addition, OSPF also supports the trap function and the log function.
Before configuring the network management function of OSPF, complete the following tasks:
l
Configuring IP addresses for interfaces to make neighboring nodes reachable
Data Preparation
To configure the network management function of OSPF, you need the following data.
No.
Data
OSPF process ID
Configuring OSPF MIB Binding

The MIB is a virtual database of the device status maintained by the managed devices.
Context
When multiple OSPF processes are enabled, you can configure OSPF MIB to select the process
to be processed, that is, configure OSPF MIB to select the process to which it is bound.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ospf mib-binding process-id
Issue 02 (2013-12-31)

2229

Equipment
8 IP Routing
OSPF MIB binding is configured.

----End
Configuring OSPF Trap

Traps are the notifications sent from a router to inform the NMS of the fault detected by the
system.
Procedure
Step 1 Run:
system-view

Step 2 Run:
snmp-agent trap enable feature-name ospf [ trap-name
{ hwospfv2intraareadripaddressconflict | hwospfv2intraarearouteridconflict |
ospfifauthfailure | ospfifconfigerror | ospfifrxbadpacket | ospfifstatechange |
ospflsdbapproachingoverflow | ospflsdboverflow | ospfmaxagelsa |
ospfnbrrestarthelperstatuschange | ospfnbrstatechange |
ospfnssatranslatorstatuschange | ospforiginatelsa | ospfrestartstatuschange |
ospftxretransmit | ospfvirtifauthfailure | ospfvirtifconfigerror |
ospfvirtifrxbadpacket | ospfvirtifstatechange | ospfvirtiftxretransmit |
ospfvirtnbrrestarthelperstatuschange | ospfvirtnbrstatechange } ]
The trap function for the OSPF module is enabled.

snmp-agent trap feature-name ospf trap-name trap-name description description-text
The descriptions for OSPF traps is configured.

----End
Configuring OSPF Log

Logs record the operations (such as configuring commands) and specific events (such as the
network connection failure) on ATNs.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ospf [ process-id ]

Step 3 Run:
enable log [ config | error | state | snmp-trap ]
The log function is enabled.

----End
Issue 02 (2013-12-31)

2230

Equipment
8 IP Routing

After the network management function is configured for OSPF, you can check the contents of
the information channel, information recorded in the information center, log buffer, and trap
buffer.
Prerequisites
The network management function of OSPF has been configured.
Procedure
l
Run the display ospf [ process-id ] brief command to view information about the binding
of OSPF MIBs and OSPF processes.
Run the display snmp-agent trap feature-name ospf all command to view all trap
messages of the OSPF module.
----End
8.5.13 Maintaining OSPF

Maintaining OSPF involves resetting OSPF and clearing OSPF statistics.
Resetting OSPF
Restarting OSPF can reset OSPF. In addition, you can reset OSPF through GR.
Context
NOTICE
The OSPF neighbor relationship is deleted after you reset OSPF connections with the reset
ospf command. Exercise caution when running this command.
To reset OSPF connections, run the following reset ospf commands in the user view.
Procedure
l
Run the reset ospf process command to Restart the OSPF process.
After the reset ospf process command is used to restart OSPF, the following situations
may occur:
If the router ID is changed, a new router ID will take affect after the reset ospf
process command is run.
Re-elect DR and BDR after the reset ospf process command is run.
Issue 02 (2013-12-31)
Run the reset ospf process flush-waiting-timer time command to clear invalid LSAs
within the set time before LSAs time out.
2231

Equipment
8 IP Routing
Run the reset ospf [ process-id ] process [ graceful-restart ] command to Restart the OSPF
process in GR mode.
----End
Clearing OSPF
This section describes how to clear OSPF statistics, including OSPF counters, imported
routes, and GTSM statistics on the board.
Context
NOTICE
OSPF information cannot be restored after being cleared. Exercise caution when running this
command.
To clear the OSPF information, run the following reset ospf commands in the user view.
Procedure
l
Run the reset ospf [ process-id ] counters [ neighbor [ interface-type interface-number ]

[ router-id ] ] command in the user view to clear OSPF counters.
Run the reset ospf [ process-id ] redistribution command in the user view to clear the
routes imported by OSPF.
----End

This section provides several configuration examples of OSPF together with the Networking
diagram. The configuration examples explain networking requirements, configuration notes,
and configuration roadmap.
Example for Configuring Basic OSPF Functions

This part provides an example for configuring basic OSPF functions. Detailed operations include
enabling OSPF on each router and specifying network segments in different areas.
As shown in Figure 8-13, all devices run OSPF, and the entire AS is divided into three areas.
CX-A and CX-B serve as ABRs to forward routes between areas.
After the configuration, each device should learn the routes from the AS to all network segments.
Issue 02 (2013-12-31)

2232

Equipment
8 IP Routing
Figure 8-13 Networking diagram of configuring basic OSPF functions
Area0
CX-A
POS2/0/0
192.168.1.1/24
POS1/0/0
192.168.0.2/24
POS1/0/0
192.168.0.1/24
POS1/0/0
192.168.1.2/24
CX-C
GE2/0/0
172.16.1.1/24
GE0/2/4
172.16.1.2/24
ATNE
Area1
CX-B
POS2/0/0
192.168.2.1/24
POS1/0/0
192.168.2.2/24
CX-D
GE2/0/0
172.17.1.1/24
GE2/0/0
172.17.1.2/24
CX-F
Area2
1.
Enable OSPF on each device, and specify the network segment in different areas.
2.
Check the routing list and LSDB.
Data Preparation
l
The router ID of CX-A is 1.1.1.1, the OSPF process number is 1, the network segment of
Area 0 is 192.168.0.0/24, and the network segment of Area 1 is 192.168.1.0/24.
The router ID of CX-B is 2.2.2.2, the OSPF process number is 1, the network segment of
Area 0 is 192.168.0.0/24, and the network segment of Area 2 is 192.168.2.0/24.
The router ID of CX-C is 3.3.3.3, the OSPF process number is 1, the network segments of
Area 1 are 192.168.1.0/24 and 172.16.1.0/24.
The router ID of CX-D is 4.4.4.4, the OSPF process number is 1, the network segments of
Area 2 are 192.168.2.0/24 and 172.17.1.0/24.
The router ID of ATNE is 5.5.5.5, the OSPF process number is 1, the network segment of
Area 1 is 172.16.1.0/24.
The router ID of CX-F is 6.6.6.6, the OSPF process number is 1, the network segment of
Area 2 is 172.17.1.0/24.
Issue 02 (2013-12-31)

2233

Equipment
8 IP Routing
Procedure
Step 2 Configure basic OSPF functions.
# Configure CX-A.
[CX-A] router id 1.1.1.1
[CX-A] ospf
[CX-A-ospf-1] area 0
[CX-A-ospf-1-area-0.0.0.0]
network 192.168.0.0 0.0.0.255

quit
network 192.168.1.0 0.0.0.255
quit
# Configure CX-B.
[CX-B] router id 2.2.2.2
[CX-B] ospf
[CX-B-ospf-1] area 0
[CX-B-ospf-1-area-0.0.0.0]
network 192.168.0.0 0.0.0.255

quit
network 192.168.2.0 0.0.0.255
quit
# Configure CX-C.
[CX-C] router id 3.3.3.3
[CX-C] ospf
[CX-C-ospf-1] area 1
[CX-C-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
[CX-C-ospf-1-area-0.0.0.1] quit
# Configure CX-D.
[CX-D] router id 4.4.4.4
[CX-D] ospf
[CX-D-ospf-1] area 2
[CX-D-ospf-1-area-0.0.0.2] network 192.168.2.0 0.0.0.255
[CX-D-ospf-1-area-0.0.0.2] quit
# Configure ATNE.
[ATNE] router id 5.5.5.5
[ATNE] ospf
[ATNE-ospf-1] area 1
[ATNE-ospf-1-area-0.0.0.1] network 172.16.1.0 0.0.0.255
[ATNE-ospf-1-area-0.0.0.1] quit
# Configure CX-F.
[CX-F] router id 6.6.6.6
[CX-F] ospf
[CX-F-ospf-1] area 2
[CX-F-ospf-1-area-0.0.0.2] network 172.17.1.0 0.0.0.255
[CX-F-ospf-1-area-0.0.0.2] quit

# View OSPF neighbors of CX-A.
Issue 02 (2013-12-31)

2234

Equipment
8 IP Routing
[CX-A] display ospf peer

Neighbors
Area 0.0.0.0 interface 192.168.0.1(Pos1/0/0)'s neighbors
Router ID: 2.2.2.2
Address: 192.168.0.2
State: Full Mode:Nbr is Master Priority: 1
DR: None
BDR: None
MTU: 0
Neighbors
Router ID: 3.3.3.3
Address: 192.168.1.2
DR: None
BDR: None
MTU: 0
# View the OSPF routing information of CX-A.

[CX-A] display ospf routing
Routing Tables
Routing for Network
Destination
Cost Type
NextHop
172.16.1.0/24
2
Transit
192.168.1.2
172.17.1.0/24
3
Inter-area 192.168.0.2
192.168.0.0/24
1
Stub
192.168.0.1
192.168.1.0/24
1
Stub
192.168.1.1
192.168.2.0/24
2
Total Nets: 5
AdvRouter
3.3.3.3
2.2.2.2
1.1.1.1
1.1.1.1
2.2.2.2
Area
0.0.0.1
0.0.0.0
0.0.0.0
0.0.0.1
0.0.0.0
# View the LSDB of CX-A.

[CX-A] display ospf lsdb
Link State Database
Area: 0.0.0.0
Type
LinkState ID
AdvRouter
Age Len
Router
2.2.2.2
2.2.2.2
317 48
Router
1.1.1.1
1.1.1.1
316 48
Sum-Net
172.16.1.0
1.1.1.1
250 28
Sum-Net
172.17.1.0
2.2.2.2
203 28
Sum-Net
192.168.2.0
2.2.2.2
237 28
Sum-Net
192.168.1.0
1.1.1.1
295 28
Area: 0.0.0.1
Type
LinkState ID
AdvRouter
Age Len
Router
5.5.5.5
5.5.5.5
214 36
Router
3.3.3.3
3.3.3.3
217 60
Router
1.1.1.1
1.1.1.1
289 48
Network
172.16.1.1
3.3.3.3
670 32
Sum-Net
172.17.1.0
1.1.1.1
202 28
Sum-Net
192.168.2.0
1.1.1.1
242 28
Sum-Net
192.168.0.0
1.1.1.1
300 28
Sequence
80000003
80000002
80000001
80000001
80000002
80000002
Sequence
80000004
80000008
80000002
80000001
80000001
80000001
80000001
Metric
1
1
2
2
1
1
Metric
1
1
1
0
3
2
1
# View the routing table of CX-D and test connectivity by using the ping command.
[CX-D] display ospf routing
Routing Tables
Routing for Network
Destination
Cost Type
NextHop
172.16.1.0/24
4 Inter-area 192.168.2.1
172.17.1.0/24
1 Transit
172.17.1.1
Issue 02 (2013-12-31)
AdvRouter
2.2.2.2
4.4.4.4

Area
0.0.0.2
0.0.0.2
2235

Equipment
192.168.0.0/24
2 Inter-area 192.168.2.1
2.2.2.2
192.168.1.0/24
3 Inter-area 192.168.2.1
2.2.2.2
192.168.2.0/24
1 Stub
192.168.2.2
4.4.4.4
Total Nets: 5
[CX-D] ping 172.16.1.1
0.00% packet loss
8 IP Routing
0.0.0.2
0.0.0.2
0.0.0.2
ms
ms
ms
ms
ms
----End
Configuration Files
l

#
sysname CX-A
#
interface Pos1/0/0
link-protocol ppp
undo shutdown
ip address 192.168.0.1 255.255.255.0
#
interface Pos2/0/0
link-protocol ppp
undo shutdown
ip address 192.168.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.1
network 192.168.1.0 0.0.0.255
#
return

#
sysname CX-B
#
router id 2.2.2.2
#
interface Pos1/0/0
link-protocol ppp
undo shutdown
ip address 192.168.0.2 255.255.255.0
#
interface Pos2/0/0
link-protocol ppp
undo shutdown
ip address 192.168.2.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.2
network 192.168.2.0 0.0.0.255
#
Issue 02 (2013-12-31)

2236

Equipment
8 IP Routing
return

#
sysname CX-C
#
router id 3.3.3.3
#
undo shutdown
ip address 172.16.1.1 255.255.255.0
#
interface Pos1/0/0
link-protocol ppp
undo shutdown
ip address 192.168.1.2 255.255.255.0
#
ospf 1
area 0.0.0.1
network 192.168.1.0 0.0.0.255
network 172.16.1.0 0.0.0.255
#
return

#
sysname CX-D
#
router id 4.4.4.4
#
undo shutdown
ip address 172.17.1.1 255.255.255.0
#
interface Pos1/0/0
link-protocol ppp
undo shutdown
ip address 192.168.2.2 255.255.255.0
#
ospf 1
area 0.0.0.2
network 192.168.2.0 0.0.0.255
network 172.17.1.0 0.0.0.255
#
return
Configuration file of ATNE

#
sysname ATNE
#
router id 5.5.5.5
#
ip address 172.16.1.2 255.255.255.0
#
ospf 1
area 0.0.0.1
network 172.16.1.0 0.0.0.255
#
return

#
sysname CX-F
#
router id 6.6.6.6
#
Issue 02 (2013-12-31)

2237

Equipment
8 IP Routing
undo shutdown
ip address 172.17.1.2 255.255.255.0
#
ospf 1
area 0.0.0.2
network 172.17.1.0 0.0.0.255
#
return
Example for Configuring OSPF Stub Areas

This part provides an example for configuring a stub area that imports static routes to reduce the
number of LSAs advertised in this area without affecting the route reachability.
As shown in Figure 8-14, all devices run OSPF, and the entire AS is divided into three areas.
CX-A and CX-B serve as ABRs to forward routes between areas. CX-D serves as an ASBR to
import external routes (static routes).
It is required to configure Area 1 as a stub area to reduce the LSAs advertised to this area without
affecting the route reachability.
Figure 8-14 Configuring OSPF stub areas
CX-A
Area0
POS1/0/0
POS1/0/0
192.168.0.1/24 192.168.0.2/24
POS2/0/0
192.168.1.1/24
POS1/0/0
192.168.1.2/24
ASBR
CX-C
GE2/0/0
172.16.1.1/24
Stub
GE0/2/4
172.16.1.2/24
ATN-E
Area1
CX-B
POS2/0/0
192.168.2.1/24
POS1/0/0
192.168.2.2/24
ASBR
CX-D
GE2/0/0
172.17.1.1/24
GE2/0/0
172.17.1.2/24
CX-F
Area2
Issue 02 (2013-12-31)

2238

Equipment
8 IP Routing
1.
Enable OSPF on each device, and configure basic OSPF functions.
2.
Configure static routes on CX-D, and import them into OSPF.
3.
Configure Area 1 as a stub area, and check the OSPF routing information on CX-C.
4.
Stop CX-A from advertising Type 3 LSAs to the stub area, and check the OSPF routing
information on CX-C.
Data Preparation
l
The router ID of CX-A is1.1.1.1, the process number of OSPF is 1, the network segment
of Area 0 is 192.168.0.0/24, and the network segment of Area 1 is 192.168.1.0/24.
The router ID of CX-B is 2.2.2.2, the process number of OSPF is 1, the network segment
The router ID of CX-C is 3.3.3.3, the process number of OSPF is 1, and the network
segments of Area 1 are 192.168.1.0/24 and 172.16.1.0/24.
The router ID of CX-D is 4.4.4.4, the process number of OSPF is 1, and the network
segments of Area 2 are 192.168.2.0/24 and 172.17.1.0/24.
The router ID of ATN-E is 5.5.5.5, the process number of OSPF is 1, and the network
segment of Area 1 is 172.16.1.0/24.
The router ID of CX-F is 6.6.6.6, the process number of OSPF is 1, and the network segment
of Area 2 is 172.17.1.0/24.
Procedure
Step 2 Configure basic OSPF functions (see Example for Configuring Basic OSPF Functions).
Step 3 Configure CX-D to import static routes.
[CX-D] ip route-static 200.0.0.0 8 null 0
[CX-D] ospf
[CX-D-ospf-1] import-route static type 1
[CX-D-ospf-1] quit
# View ABR/ASBR information on CX-C.

[CX-C] display ospf abr-asbr
Routing Table to ABR and ASBR
Type
Destination
Area
Cost Nexthop
Intra-area 1.1.1.1
0.0.0.1
1
192.168.1.1
Inter-area 4.4.4.4
0.0.0.1
3
192.168.1.1
RtType
ABR
ASBR
# View the OSPF routing table of CX-C.

NOTE
When CX-C is in a common area, there are AS external routes in the routing table.
[CX-C] display ospf routing
OSPF Process 1 with Router ID
Routing Tables
Routing for Network
Destination
Cost Type
Issue 02 (2013-12-31)
3.3.3.3
NextHop

AdvRouter
Area
2239

Equipment
172.16.1.0/24
1
Transit
172.16.1.1
172.17.1.0/24
4
192.168.0.0/24
2
192.168.1.0/24
1
Stub
192.168.1.2
192.168.2.0/24
3 Inter-area
192.168.1.1
Routing for ASEs
Destination
Cost
Type
Tag
200.0.0.0/8
4
Type1
1
Total Nets: 6
8 IP Routing
3.3.3.3
1.1.1.1
1.1.1.1
3.3.3.3
1.1.1.1
NextHop
192.168.1.1
0.0.0.1
0.0.0.1
0.0.0.1
0.0.0.1
0.0.0.1
AdvRouter
4.4.4.4
Step 4 Configure Area 1 as a stub area.

# Configure CX-A.
[CX-A] ospf
[CX-A-ospf-1-area-0.0.0.1] stub
[CX-A-ospf-1-area-0.0.0.1] quit
# Configure CX-C.
[CX-C] ospf
[CX-C-ospf-1-area-0.0.0.1] stub
# Configure ATN-E.
[ATN-E] ospf
[ATN-E-ospf-1] area 1
[ATN-E-ospf-1-area-0.0.0.1] stub
[ATN-E-ospf-1-area-0.0.0.1] quit
# View the routing table of CX-C.

NOTE
After the area where CX-C resides is configured as a stub area, AS external routes are invisible. Instead,
there is a default route.
Routing Tables
Routing for Network
Destination
Cost Type
NextHop
0.0.0.0/0
2
172.16.1.0/24
1
Transit
172.16.1.1
172.17.1.0/24
4
Inter-area
192.168.1.1
192.168.0.0/24
2 Inter-area
192.168.1.1
192.168.1.0/24
1 Stub
192.168.1.2
192.168.2.0/24
3 Inter-area
192.168.1.1
Total Nets: 6
AdvRouter
1.1.1.1
3.3.3.3
1.1.1.1
1.1.1.1
3.3.3.3
1.1.1.1
Area
0.0.0.1
0.0.0.1
0.0.0.1
0.0.0.1
0.0.0.1
0.0.0.1
Step 5 # Stop CX-A from advertising Type 3 LSAs to the stub area.
[CX-A] ospf
[CX-A-ospf-1-area-0.0.0.1] stub no-summary

# View the OSPF routing table of CX-C.
Routing Tables
Issue 02 (2013-12-31)

2240

Equipment
Routing for Network
Destination
Cost Type
NextHop
0.0.0.0/0
2
172.16.1.0/24
1
Transit
172.16.1.1
192.168.1.0/24
1
Stub
192.168.1.2
Total Nets: 3
8 IP Routing
AdvRouter
1.1.1.1
3.3.3.3
3.3.3.3
Area
0.0.0.1
0.0.0.1
0.0.0.1
NOTE
After the advertisement of summary LSAs to a stub area is disabled, the routing entries of the stub router
are further reduced, and only the default route to a destination outside the AS is reserved.
----End
Configuration Files
NOTE
The configuration files of CX-B and CX-F are the same as those in the preceding example, and are not
mentioned here.

#
sysname CX-A
#
router id 1.1.1.1
#
interface Pos1/0/0
link-protocol ppp
undo shutdown
ip address 192.168.0.1 255.255.255.0
#
interface Pos2/0/0
link-protocol ppp
undo shutdown
ip address 192.168.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.1
network 192.168.1.0 0.0.0.255
stub no-summary
#
return

#
sysname CX-C
#
router id 3.3.3.3
#
undo shutdown
ip address 172.16.1.1 255.255.255.0
#
interface Pos1/0/0
link-protocol ppp
undo shutdown
ip address 192.168.1.2 255.255.255.0
#
ospf 1
area 0.0.0.1
network 192.168.1.0 0.0.0.255
network 172.16.1.0 0.0.0.255
stub
Issue 02 (2013-12-31)

2241

Equipment
8 IP Routing
#
return

#
sysname CX-D
#
router id 4.4.4.4
#
undo shutdown
ip address 172.17.1.1 255.255.255.0
#
interface Pos1/0/0
link-protocol ppp
undo shutdown
ip address 192.168.2.2 255.255.255.0
#
ospf 1
import-route static type 1
area 0.0.0.2
network 192.168.2.0 0.0.0.255
network 172.17.1.0 0.0.0.255
#
#
return
Configuration file of ATN-E

#
sysname ATN-E
#
router id 5.5.5.5
#
undo shutdown
ip address 172.16.1.2 255.255.255.0
#
ospf 1
area 0.0.0.1
network 172.16.1.0 0.0.0.255
stub
#
return
Example for Configuring OSPF NSSAs

This part provides an example for configuring a translator and an NSSA that imports static routes.
As shown in Figure 8-15, all devices run OSPF, and the entire AS is divided into two areas.
CX-A and CX-B serve as ABRs to forward routes between areas. CX-D serves as the ASBR to
import external routes (static routes).
It is required to configure Area 1 as an NSSA. Configure CX-A and CX-B as translators in the
NSSA, configure CX-D as an ASBR to import external routes (static routes) and correctly
transmit routing information inside the AS.
Issue 02 (2013-12-31)

2242

Equipment
8 IP Routing
Figure 8-15 Configuring an OSPF NSSA
POS2/0/0
192.168.3.1/24
POS1/0/0
192.168.3.2/24
CX-A
GE1/0/0
192.168.0.1/24
GE0/2/0
192.168.0.2/24
POS3/0/0
192.168.1.1/24
CX-D
ASBR
POS2/0/0
192.168.4.1/24
Area1
NSSA
ATN-C
POS1/0/0
192.168.1.2/24
POS3/0/0
192.168.4.2/24
CX-B
GE0/2/4
192.168.2.2/24
GE2/0/0
192.168.2.1/24
Area0
1.
Enable OSPF on each device, and configure basic OSPF functions.
2.
Configure Area 1 as an NSSA (run the nssa command on all devices in Area 1), and check
the OSPF routing information and LSDB of ATN-C.
3.
Configure static routes on CX-D, and import them into OSPF.
4.
Configure translators in the NSSA.
Data Preparation
l
The router ID of CX-A is 1.1.1.1, the OSPF process number is 1, the network segment of
Area 0 is 192.168.0.0/24, and the network segments of Area 1 are 192.168.1.0/24 and
192.168.3.0/24.
The router ID of CX-B is 2.2.2.2, the OSPF process number is 1, the network segment of
Area 0 is 192.168.2.0/24, and the network segments of Area 1 are 192.168.1.0/24 and
192.168.4.0/24.
The router ID of ATN-C is 3.3.3.3, the OSPF process number is 1, and the network segments
of Area 0 are 192.168.0.0/24 and 192.168.2.0/24.
The router ID of CX-D is 4.4.4.4, the OSPF process number is 1, and the network segments
of Area 1 are 192.168.3.0/24 and 192.168.4.0/24.
Issue 02 (2013-12-31)

2243

Equipment
8 IP Routing
Procedure
Step 3 Configure Area 1 as an NSSA.
# Configure CX-A.
[CX-A] ospf
[CX-A-ospf-1-area-0.0.0.1] nssa
# Configure CX-B.
[CX-B] ospf
[CX-B-ospf-1-area-0.0.0.1] nssa
[CX-B-ospf-1-area-0.0.0.1] quit
# Configure CX-D.
[CX-D] ospf
[CX-D-ospf-1-area-0.0.0.1] nssa
Step 4 Configure CX-D to import static routes.

[CX-D] ip route-static 100.0.0.0 8 null 0
[CX-D] ospf
[CX-D-ospf-1] import-route static
[CX-D-ospf-1] quit
# Display the OSPF routing table of ATN-C.

NOTE
l On ATN-C, you can view that the router ID of the advertising router that imports AS external routes
in the NSSA, that is, the router ID of CX-B is 2.2.2.2.
l OSPF selects the ABR with larger router ID as a translator.
[ANTC] display ospf routing
Routing Tables
Routing for Network
Destination
Cost
192.168.3.0/24
2
192.168.4.0/24
2
192.168.0.0/24
1
192.168.1.0/24
2
192.168.1.0/24
2
192.168.2.0/24
1
Type
Inter-area
Inter-area
Stub
Inter-area
Inter-area
Stub
NextHop
192.168.0.1
192.168.2.1
192.168.0.2
192.168.0.1
192.168.2.1
192.168.2.2
Routing for ASEs

Destination
Cost
Type
Tag
100.0.0.0/8 1 Type2 1 192.168.2.1 2.2.2.2
Total Nets: 7
Intra Area: 2
Inter Area: 4
ASE: 1
AdvRouter
1.1.1.1
2.2.2.2
3.3.3.3
1.1.1.1
2.2.2.2
3.3.3.3
NextHop
Area
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
AdvRouter
NSSA: 0
# Display the OSPF LSDB of ATN-C.

Issue 02 (2013-12-31)

2244

Equipment
8 IP Routing
[ANTC] display ospf lsdb

Link State Database
Type
Router
Router
Router
Sum-Net
Sum-Net
Sum-Net
Sum-Net
Sum-Net
Sum-Net
LinkState ID
3.3.3.3
2.2.2.2
1.1.1.1
192.168.4.0
192.168.4.0
192.168.3.0
192.168.3.0
192.168.1.0
192.168.1.0
Area: 0.0.0.0
AdvRouter
3.3.3.3
2.2.2.2
1.1.1.1
2.2.2.2
1.1.1.1
1.1.1.1
2.2.2.2
2.2.2.2
1.1.1.1
Age Len
345 72
346 48
193 48
393 28
189 28
189 28
192 28
393 28
189 28
AS External Database
Type
LinkState ID
AdvRouter
Age
External 100.0.0.0 2.2.2.2 257 36 80000002 1
Sequence
80000004
80000005
80000006
80000001
80000001
80000002
80000002
80000001
80000002
Len
Sequence
Metric
1
1
1
1
2
1
2
1
1
Metric
Step 5 Configure CX-A as a translator.

[CX-A] ospf
[CX-A-ospf-1-area-0.0.0.1] nssa default-route-advertise no-summary translatoralways
[CX-A-ospf-1] quit

# Display the OSPF routing table of ATN-C.
NOTE
On ATN-C, an AS external route is imported.

[ANTC] display ospf routing
Routing Tables
Routing for Network
Destination
Cost
192.168.3.0/24
2
192.168.4.0/24
2
192.168.0.0/24
1
192.168.1.0/24
2
192.168.1.0/24
2
192.168.2.0/24
1
Type
Inter-area
Inter-area
Stub
Inter-area
Inter-area
Stub
NextHop
192.168.0.1
192.168.2.1
192.168.0.2
192.168.2.1
192.168.0.1
192.168.2.2
Routing for ASEs

Destination
Cost
Type
Tag
100.0.0.0/8 1 Type2 1 192.168.0.1 1.1.1.1
Total Nets: 7
Intra Area: 2
Inter Area: 4
ASE: 1
AdvRouter
1.1.1.1
2.2.2.2
3.3.3.3
2.2.2.2
1.1.1.1
3.3.3.3
NextHop
Area
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
AdvRouter
NSSA: 0
# Display the OSPF LSDB of ATN-C.

NOTE
l On ANTC, the router ID of the advertising router that imports AS external routes to the NSSA changes
to 1.1.1.1. That is, CX-A becomes the translator.
l By default, the new translator, together with the former translator, acts as the translator for 40s. After
40s, only the new translator continues to work as a translator.
Issue 02 (2013-12-31)

2245

Equipment
8 IP Routing
[ANTC] display ospf lsdb

Link State Database
Type
Router
Router
Router
Sum-Net
Sum-Net
Sum-Net
Sum-Net
Sum-Net
Sum-Net
LinkState ID
3.3.3.3
2.2.2.2
1.1.1.1
192.168.4.0
192.168.4.0
192.168.3.0
192.168.3.0
192.168.1.0
192.168.1.0
Area: 0.0.0.0
AdvRouter
3.3.3.3
2.2.2.2
1.1.1.1
2.2.2.2
1.1.1.1
1.1.1.1
2.2.2.2
2.2.2.2
1.1.1.1
Age Len
493 72
494 48
341 48
541 28
337 28
337 28
340 28
541 28
337 28
AS External Database
Type
LinkState ID
AdvRouter
Age
External 100.0.0.0 1.1.1.1 248 36 80000001 1
Len
Sequence
80000004
80000005
80000006
80000001
80000001
80000002
80000002
80000001
80000002
Sequence
Metric
1
1
1
1
2
1
2
1
1
Metric
----End
Configuration Files
l

#
sysname CX-A
#
router id 1.1.1.1
#
undo shutdown
ip address 192.168.0.1 255.255.255.0
#
interface Pos2/0/0
link-protocol ppp
undo shutdown
ip address 192.168.3.1 255.255.255.0
#
interface Pos3/0/0
link-protocol ppp
undo shutdown
ip address 192.168.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.1
network 192.168.1.0 0.0.0.255
network 192.168.3.0 0.0.0.255
nssa default-route-advertise no-summary translator-always
#
return

#
sysname CX-B
#
router id 2.2.2.2
#
interface Pos1/0/0
link-protocol ppp
undo shutdown
ip address 192.168.1.2 255.255.255.0
#
Issue 02 (2013-12-31)

2246

Equipment
8 IP Routing
undo shutdown
ip address 192.168.2.1 255.255.255.0
#
interface Pos3/0/0
link-protocol ppp
undo shutdown
ip address 192.168.4.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 192.168.2.0 0.0.0.255
area 0.0.0.1
network 192.168.1.0 0.0.0.255
network 192.168.4.0 0.0.0.255
nssa default-route-advertise no-summary translator-always
#
return

#
sysname ANTC
#
router id 3.3.3.3
#
undo shutdown
ip address 192.168.0.2 255.255.255.0
#
undo shutdown
ip address 192.168.2.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return

#
sysname CX-D
#
router id 4.4.4.4
#
interface Pos1/0/0
link-protocol ppp
undo shutdown
ip address 192.168.3.2 255.255.255.0
#
interface Pos2/0/0
link-protocol ppp
undo shutdown
ip address 192.168.4.1 255.255.255.0
#
ospf 1
import-route static
area 0.0.0.1
network 192.168.3.0 0.0.0.255
network 192.168.4.0 0.0.0.255
nssa
#
#
return
Issue 02 (2013-12-31)

2247

Equipment
8 IP Routing
Example for Configuring DR Election of OSPF

This part provides an example for setting the DR priority on an interface for DR election on a
broadcast network.
As shown in Figure 8-16, ATN-A has the highest priority (100) in the network and thus is elected
as the DR. CX-C has the second highest priority, and is elected as the BDR. The priority of CXB is 0, and thus CX-B cannot be elected as the DR or BDR. The priority of CX-D is not configured
and its default value is 1.
Figure 8-16 Configuring DR election of OSPF
ATN-A
GE0/2/0
192.168.1.1/24
GE1/0/0
192.168.1.3/24
CX-B
GE1/0/0
192.168.1.2/24
GE1/0/0
192.168.1.4/24
CX-C
CX-D
1.
Configure the router ID on each device, enable OSPF, and specify the network segment.
2.
Check the DR/BDR status of each device with the default priority.
3.
Configure the DR priority of the interface and check the DR/BDR status.
Data Preparation
l
The router ID of ATN-A is 1.1.1.1 and the DR priority is 100.
The router ID of CX-B is 2.2.2.2 and the DR priority is 0.
The router ID of CX-C is 3.3.3.3 and the DR priority is 2.
The router ID of CX-D is 4.4.4.4 and the DR priority is 1.
Issue 02 (2013-12-31)

2248

Equipment
8 IP Routing
Procedure
# Configure ATN-A.
[ATN-A] router id 1.1.1.1
[ATN-A] ospf
[ATN-A-ospf-1] area 0
[ATN-A-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[ATN-A-ospf-1-area-0.0.0.0] quit
# Configure CX-B.
[CX-B] ospf
[CX-B-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
# Configure CX-C.
[CX-C] ospf
# Configure CX-D.
[CX-D] ospf
# View the DR/BDR status.

[ATN-A] display ospf peer
Neighbors
Router ID: 2.2.2.2
Address: 192.168.1.2
State: 2-way Mode:Nbr is Master Priority: 1
DR: 192.168.1.4 BDR: 192.168.1.3 MTU: 0
Router ID: 3.3.3.3
Address: 192.168.1.3
DR: 192.168.1.4 BDR: 192.168.1.3 MTU: 0
Router ID: 4.4.4.4
Address: 192.168.1.4
DR: 192.168.1.4 BDR: 192.168.1.3 MTU: 0
Issue 02 (2013-12-31)

2249

Equipment
8 IP Routing
# View the neighbor information of ATN-A. You can see the priority of DR and the neighbor
status. The CX-D is the DR, and CX-C is the BDR.
NOTE
When the priority is the same, the device with a higher router ID is elected as the DR. If a new device is
added after the DR/BDR election is complete, the new device cannot become the DR even if it has the
highest priority.
Step 3 Configure DR priorities on interfaces.

# Configure ATN-A.
[ATN-A-GigabitEthernet0/2/0] ospf dr-priority 100
# Configure CX-B.
[CX-B] interface GigabitEthernet 1/0/0
[CX-B-GigabitEthernet1/0/0] ospf dr-priority 0
# Configure CX-C.
[CX-C] interface GigabitEthernet 1/0/0
[CX-C-GigabitEthernet1/0/0] ospf dr-priority 2
# View the DR/BDR status.

[CX-D] display ospf peer
Neighbors
Router ID: 1.1.1.1
Address: 192.168.1.1
DR: 192.168.1.4 BDR: 192.168.1.3 MTU: 0
Router ID: 2.2.2.2
Address: 192.168.1.2
DR: 192.168.1.4 BDR: 192.168.1.3 MTU: 0
Router ID: 3.3.3.3
Address: 192.168.1.3
DR: 192.168.1.4 BDR: 192.168.1.3 MTU: 0
Step 4 Restart OSPF processes.

In the user view of each device, run the reset ospf 1 process command to restart the OSPF
process.
Step 5 View the configuration.
# View the status of OSPF neighbors.
Issue 02 (2013-12-31)

2250

Equipment
8 IP Routing
[CX-D] display ospf peer

Neighbors
Router ID: 1.1.1.1
Address: 192.168.1.1
DR: 192.168.1.1 BDR: 192.168.1.3 MTU: 0
Router ID: 2.2.2.2
Address: 192.168.1.2
State: 2-Way Mode:Nbr is Master Priority: 0
DR: 192.168.1.1 BDR: 192.168.1.3 MTU: 0
Router ID: 3.3.3.3
Address: 192.168.1.3
DR: 192.168.1.1 BDR: 192.168.1.3 MTU: 0
# View the status of the OSPF interface.

[ATN-A] display ospf interface
Interfaces
Area: 0.0.0.0
(MPLS TE not enabled)
IP Address
Type
State
Cost Pri
DR
BDR
192.168.1.1
Broadcast
DR
1
100 192.168.1.1 192.168.1.3
[CX-B] display ospf interface
Interfaces
Area: 0.0.0.0
(MPLS TE not enabled)
IP Address
Type
State
Cost Pri
DR
BDR
192.168.1.2
Broadcast
DROther 1
0 192.168.1.1 192.168.1.3
If all neighbors are in the Full state, it indicates that ATN-A establishes the neighbor relationship
with its neighbor. If the neighbor stays "2-Way", it indicates both of them are not the DR or
BDR. Thus, they need not exchange LSAs.
If the status of the OSPF interface is DROther, it indicates that it is neither DR nor BDR.
----End
Configuration Files
l

#
sysname ATN-A
#
router id 1.1.1.1
#
undo shutdown
ip address 192.168.1.1 255.255.255.0
ospf dr-priority 100
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
Issue 02 (2013-12-31)

2251

Equipment
8 IP Routing
#
return

#
sysname CX-B
#
router id 2.2.2.2
#
undo shutdown
ip address 192.168.1.2 255.255.255.0
ospf dr-priority 0
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
#
return

#
sysname CX-C
#
router id 3.3.3.3
#
undo shutdown
ip address 192.168.1.3 255.255.255.0
ospf dr-priority 2
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
#
return

#
sysname CX-D
#
router id 4.4.4.4
#
undo shutdown
ip address 192.168.1.4 255.255.255.0
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
#
return
Example for Configuring OSPF Virtual Links

This part provides an example for configuring virtual links to connect non-backbone areas to
the backbone area.
As shown in Figure 8-17, Area 2 does not connect with the backbone area directly. Area 1 serves
as a transit area to connect Area 2 and Area 0. A virtual link is configured between ATN-A and
CX-B.
Issue 02 (2013-12-31)

2252

Equipment
8 IP Routing
Figure 8-17 Configuring OSPF virtual links
Area1
ATN-A
GE0/2/0
192.168.1.1/24
GE0/2/4
10.1.1.1/8
GE1/0/0
192.168.1.2/24
Virtual Link
CX-B
GE2/0/0
172.16.1.1/16
GE2/0/0
172.16.1.2/16
Area0
Area2
NodeB
CX-D
1.
Configure basic OSPF functions on each device.
2.
Configure virtual connections on ATN-A and CX-B to connect the backbone area with the
non-backbone area.
Data Preparation
l
The router ID of ATN-A is 1.1.1.1, the process number of OSPF is 1, the network segment
The router ID of CX-B is 2.2.2.2, the process number of OSPF is 1, the network segment
The router ID of NodeB is 3.3.3.3, the process number of OSPF is 1, and the network
segment of Area 0 is 10.0.0.0/8.
The router ID of CX-D is 4.4.4.4, the process number of OSPF is 1, and the network segment
of Area 2 is 172.16.0.0/16.
Procedure
# Configure ATN-A.
[ATN-A] ospf 1 router-id 1.1.1.1
Issue 02 (2013-12-31)

2253

Equipment
[ATN-A-ospf-1-area-0.0.0.0]
8 IP Routing
network 10.0.0.0 0.255.255.255

quit
network 192.168.1.0 0.0.0.255
quit
# Configure CX-B.
[CX-B] ospf 1 router-id 2.2.2.2
# Configure NodeB.
# Configure CX-D.
[CX-D] ospf 1 router-id 4.4.4.4
# View the OSPF routing table of ATN-A.

NOTE
The routing table of ATN-A does not contain routes in Area 2 because Area 2 is not directly connected to
Area 0.
[ATN-A] display ospf routing
Routing Tables
Routing for Network
Destination
Cost Type
NextHop
10.0.0.0/8
1 Transit
10.1.1.1
192.168.1.0/24
1 Stub
192.168.1.1
Total Nets: 2
AdvRouter
3.3.3.3
1.1.1.1
Area
0.0.0.0
0.0.0.1
Step 3 Configure virtual links.

# Configure ATN-A.
[ATN-A] ospf
[ATN-A-ospf-1-area-0.0.0.1] vlink-peer 2.2.2.2
# Configure CX-B.
[CX-B] ospf 1
[CX-B-ospf-1-area-0.0.0.1] vlink-peer 1.1.1.1

# View the OSPF routing table of ATN-A.
[ATN-A] display ospf routing
Routing Tables
Routing for Network
Issue 02 (2013-12-31)

2254

Equipment
Destination
Cost Type
NextHop
172.16.0.0/16
2
10.0.0.0/8
1
Transit
10.1.1.1
192.168.1.0/24
1
Stub
192.168.1.1
Total Nets: 3
8 IP Routing
AdvRouter
2.2.2.2
1.1.1.1
1.1.1.1
Area
0.0.0.0
0.0.0.0
0.0.0.1
----End
Configuration Files
l

#
sysname ATN-A
#
undo shutdown
ip address 10.1.1.1 255.0.0.0
#
undo shutdown
ip address 192.168.1.1 255.255.255.0
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 10.0.0.0 0.255.255.255
area 0.0.0.1
network 192.168.1.0 0.0.0.255
vlink-peer 2.2.2.2
#
return

#
sysname CX-B
#
undo shutdown
ip address 172.16.1.1 255.255.0.0
#
undo shutdown
ip address 192.168.1.2 255.255.255.0
#
area 0.0.0.1
network 192.168.1.0 0.0.0.255
vlink-peer 1.1.1.1
area 0.0.0.2
network 172.16.0.0 0.0.255.255
#
return

#
sysname CX-D
#
undo shutdown
ip address 172.16.1.2 255.255.0.0
#
area 0.0.0.2
network 172.16.0.0 0.0.255.255
#
Issue 02 (2013-12-31)

2255

Equipment
8 IP Routing
return
Example for Configuring OSPF Load Balancing

This part provides an example for configuring OSPF load balancing. Detailed operations include
enabling load balancing, setting the priority for equal-cost routes, and configuring the load
balancing mode.
As shown in Figure 8-18:
l
ATNA, CX-B, CX-C, CX-D, and CX-E are interconnected to each other through OSPF.
ATNA, CX-B, CX-C, CX-D, and CX-E belong to Area 0.
Load balancing is required to transmit the traffic of ATNA to CX-E through CX-C and
CX-D.
Figure 8-18 Networking diagram of configuring OSPF load balancing
Area0
POS2/0/0
GE1/0/0
CX-B
POS1/0/0
GE0/2/0
GE0/2/4
GE0/2/3
ATNA
GE1/0/0
GE0/2/5
POS2/0/0
CX-C
GE1/0/0
POS2/0/0
GE4/0/0
CX-E
POS3/0/0
POS2/0/0
CX-D
Issue 02 (2013-12-31)
Device
Interface
IP Address
Device
Interface
IP Address
ATNA
GigabitEther
net0/2/0
10.1.1.1/24
CX-C
GigabitEther
net1/0/0
10.1.2.2/24
GigabitEther
net0/2/4
10.1.2.1/24
POS2/0/0
192.168.1.1/
24
GigabitEther
net0/2/5
10.1.3.1/24
GigabitEther
net1/0/0
10.1.3.2/24
CX-D

2256

Equipment
Device
CX-B
8 IP Routing
Interface
IP Address
GigabitEther
net0/2/3
172.16.1.1./
24
GigabitEther
net1/0/0
10.1.1.2/24
POS2/0/0
192.168.0.1/
24
Device
CX-E
Interface
IP Address
POS2/0/0
192.168.2.1/
24
POS1/0/0
192.168.0.2/
24
POS2/0/0
192.168.1.2/
24
POS3/0/0
192.168.2.2/
24
GE4/0/0
172.17.1.1/2
4
1.
Enable basic OSPF functions on each device.
2.
Configure load balancing on ATNA.
3.
Configure the priority for equal-cost routes on ATNA.
Data Preparation
l
For ATNA, the router ID is 1.1.1.1, the OSPF process number is 1, and the network segment
of Area 0 is 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24, and 172.16.1.0/24.
For CX-B, the router ID is 2.2.2.2, the OSPF process number is 1, and the network segment
of Area 0 is 10.1.1.0/8 and 192.168.0.0/8.
For CX-C, the router ID is 3.3.3.3, the OSPF process number is 1, and the network segment
of Area 0 is 10.1.2.0/8 and 192.168.1.0/8.
For CX-D, the router ID is 4.4.4.4, the OSPF process number is 1, and the network segment
of Area 0 is 10.1.3.0/8 and 192.168.2.0/8.
For CX-E, the router ID is 5.5.5.5, the OSPF process number is 1, and the network segment
of Area 0 is 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24, and 172.17.1.0/24.
The number of load balancing paths on ATNA is 2.
The weight values of the next hop routes from ATNA to CX-B, CX-C, and CX-D are 2, 1,
and 1 respectively.
Procedure
Issue 02 (2013-12-31)

2257

Equipment
8 IP Routing
Step 2 Configure basic OSPF functions. The configuration details are not mentioned here.
Step 3 View the routing table of ATNA.
As displayed in the routing table, ATNA has three valid next hops: 10.1.1.2 (CX-B), 10.1.2.2
(CX-C), and 10.1.3.2 (CX-D). This is because the default maximum number of equal-cost routes
is 4.
<ATNA> display ip routing-table
---------------------------------------------------------------------------Routing Tables: Public
Destinations : 12
Routes : 14
Destination/Mask
Proto Pre Cost Flags
NextHop
Interface
10.1.1.0/24 Direct 0
0
D
10.1.1.1
10.1.1.2/32 Direct 0
0
D
10.1.1.2
10.1.2.0/24 Direct 0
0
D
10.1.2.1
10.1.2.2/32 Direct 0
0
D
10.1.2.2
10.1.3.0/24 Direct 0
0
D
10.1.2.1
10.1.3.2/32 Direct 0
0
D
10.1.2.2
192.168.0.0/24 OSPF
10
2
D
10.1.1.2
192.168.1.0/24 OSPF
10
2
D
10.1.2.2
192.168.2.0/24 OSPF
10
2
D
10.1.2.2
172.17.1.0/24 OSPF
10
3
D
10.1.1.2
OSPF
10
3
D
10.1.2.2
OSPF
10
3
D
10.1.3.2
127.0.0.0/8
Direct 0
0
D
127.0.0.1
InLoopBack0
127.0.0.1/32
Direct 0
0
D
127.0.0.1
InLoopBack0
NOTE
The maximum number of equal-cost routes varies with products and protocols. You can adjust the
maximum number by purchasing the license.
Step 4 Configure a maximum of two routes on ATNA to perform load balancing.

[ATNA] ospf 1
[ATNA-ospf-1] maximum load-balancing 2
[ATNA-ospf-1] quit
# View the routing table of ATNA. As shown in the routing table, ATNA has only two valid
next hops, 10.1.1.2 (CX-B) and 10.1.2.2 (CX-C). This is because the maximum number of equalcost routes is set to 2.
[ATNA] display ip routing-table
Destinations : 12
Routes : 13
Destination/Mask
NextHop
Interface
10.1.1.0/24 Direct 0
0
D
10.1.1.1
10.1.1.2/32 Direct 0
0
D
10.1.1.2
10.1.2.0/24 Direct 0
0
D
10.1.2.1
Issue 02 (2013-12-31)

2258

Equipment
10.1.2.2/32 Direct
10.1.3.0/24 Direct
10.1.3.2/32 Direct
192.168.0.0/24 OSPF
192.168.1.0/24 OSPF
192.168.2.0/24 OSPF
172.17.1.0/24 OSPF
OSPF
127.0.0.0/8
Direct
127.0.0.1/32
Direct
8 IP Routing
0
10.1.2.2
10.1.2.1
10.1.2.2
10
10.1.1.2
10
10.1.2.2
10
10.1.2.2
10
10.1.1.2
10
10.1.2.2
0
0
0
0
D
D
127.0.0.1
127.0.0.1
InLoopBack0
InLoopBack0
Step 5 Configure the priority for equal-cost routes on ATNA.

[ATNA] ospf 1
[ATNA-ospf-1]
[ATNA-ospf-1]
[ATNA-ospf-1]
[ATNA-ospf-1]
nexthop 10.1.1.2 weight 2

quit
# View the OSPF routing table of ATNA.

[ATNA] display ip routing-table
Destinations : 12
Routes : 13
Destination/Mask
NextHop
Interface
10.1.1.0/24 Direct 0
0
D
10.1.1.1
10.1.1.2/32 Direct 0
0
D
10.1.1.2
10.1.2.0/24 Direct 0
0
D
10.1.2.1
10.1.2.2/32 Direct 0
0
D
10.1.2.2
10.1.3.0/24 Direct 0
0
D
10.1.2.1
10.1.3.2/32 Direct 0
0
D
10.1.2.2
192.168.0.0/24 OSPF
10
2
D
10.1.1.2
192.168.1.0/24 OSPF
10
2
D
10.1.2.2
192.168.2.0/24 OSPF
10
2
D
10.1.2.2
172.17.1.0/24 OSPF
10
3
D
10.1.2.2
OSPF
10
3
D
10.1.3.2
127.0.0.0/8
Direct 0
0
D
127.0.0.1
InLoopBack0
127.0.0.1/32
Direct 0
0
D
127.0.0.1
InLoopBack0
As shown in the display, the priority of the route with the next hops being 10.1.2.2 and 10.1.3.2
is higher than that of the route with the next hop being 10.1.1.2. Thus, ATNA has only two valid
next hops, 10.1.2.2 (CX-C) and 10.1.3.2 (CX-D).
----End
Issue 02 (2013-12-31)

2259

Equipment
8 IP Routing
Configuration Files
l

#
sysname ATNA
#
undo shutdown
ip address 172.16.1.1 255.255.255.0
#
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
undo shutdown
ip address 10.1.2.1 255.255.255.0
#
undo shutdown
ip address 10.1.3.1 255.255.255.0
#
maximum load-balancing 2
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 172.16.1.0 0.0.0.255
#
return

sysname CX-B
#
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
interface pos2/0/0
link-protocol ppp
undo shutdown
ip address 192.168.0.1 255.255.255.0
#
area 0.0.0.0
network 10.1.1.0 0.255.255.255
network 192.168.0.0 0.255.255.255
#
return

#
sysname CX-C
#
undo shutdown
ip address 10.1.2.2 255.255.255.0
#
interface pos2/0/0
link-protocol ppp
undo shutdown
ip address 192.168.1.1 255.255.255.0
#
Issue 02 (2013-12-31)

2260

Equipment
8 IP Routing

area 0.0.0.0
network 10.1.2.0 0.255.255.255
network 192.168.1.0 0.0.255.255
#
Return

#
sysname CX-D
#
undo shutdown
ip address 10.1.3.2 255.255.255.0
#
interface pos2/0/0
link-protocol ppp
undo shutdown
ip address 192.168.2.1 255.255.255.0
#
area 0.0.0.0
network 10.1.3.0 0.255.255.255
network 192.168.2.0 0.0.255.255
#
return
Configuration file of CX-E

#
sysname CX-E
#
undo shutdown
ip address 172.17.1.1 255.255.255.0
#
interface pos1/0/0
link-protocol ppp
undo shutdown
ip address 192.168.0.2 255.255.255.0
#
interface pos2/0/0
link-protocol ppp
undo shutdown
ip address 192.168.1.2 255.255.255.0
#
interface pos3/0/0
link-protocol ppp
undo shutdown
ip address 192.168.2.2 255.255.255.0
#
area 0.0.0.0
network 192.168.0.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
network 172.17.1.0 0.0.0.255
#
return
Example for Configuring OSPF IP FRR

When a fault occurs on the network, OSPF IP FRR can fast switch traffic to the backup link
without waiting for route convergence. This ensures uninterrupted traffic transmission.
Issue 02 (2013-12-31)

2261

Equipment
8 IP Routing

l
OSPF runs on the four devices in the same area.
If the link between ATN-A and CX-C becomes faulty, the traffic forwarded by ATN-A is
rapidly switched to the backup link and forwarded through CX-B.
Figure 8-19 Networking diagram for configuring OSPF IP FRR
GE0/2/1
1.2.1.1/24
co
st
CX-B
Router-id
2.2.2.2
GE1/0/1
GE1/0/2
1.2.1.2/24
2.3.1.2/24
co
st
=
5
cost = 4
GE0/2/5
ATN-A 1.3.1.1/24
Router-id
1.1.1.1
GE1/0/3
2.3.1.3/24
cost = 55
GE1/0/2
GE1/0/1
GE1/0/1
1.3.1.3/24 CX-C 3.4.1.3/24 3.4.1.4/24 CX-D
Router-id
Router-id
4.4.4.4
3.3.3.3
1.
Configure basic OSPF functions on each device.
2.
Set the cost to ensure that the link from ATN-A to CX-C is preferred.
3.
Enable OSPF IP FRR on ATN-A to protect the traffic forwarded by ATN-A.
Data Preparation
l
Router ID (1.1.1.1), OSPF process ID (1), network segment addresses in Area 1 (1.2.1.0
and 1.3.1.0), and interface cost (as shown in Figure 8-19) of ATN-A
Router ID (2.2.2.2), OSPF process ID (1), network segment addresses in Area 1 (1.2.1.0
and 2.3.1.0), and interface cost (as shown in Figure 8-19) of CX-B
Router ID (3.3.3.3), OSPF process ID (1), network segment addresses of Area 1 (1.3.1.0,
2.3.1.0, and 3.4.1.0), IP addresses of two loopback interfaces (33.33.33.33 and
33.33.33.30), and interface cost (as shown in Figure 8-19) of CX-C
Router ID (4.4.4.4), OSPF process ID (1), network segment address in Area 1 (3.4.1.0), IP
address of the loopback interface (4.4.4.4), interface cost (as shown in Figure 8-19), and
destination address of the imported static route (160.1.1.1/32) of CX-D
Issue 02 (2013-12-31)

2262

Equipment
8 IP Routing
Procedure
Step 1 Configure an IP address and the cost for each interface. The configuration details are not
mentioned here.
# Configure ATN-A.
[ATN-A] ospf
# Configure CX-B.
[CX-B] ospf
# Configure CX-C.
[CX-C] ospf
[CX-C-ospf-1-area-0.0.0.1]
network
network
network
network
network
2.3.1.0 0.0.0.255
1.3.1.0 0.0.0.255
33.33.33.33 0.0.0.0
33.33.33.30 0.0.0.0
3.4.1.0 0.0.0.255
# Configure CX-D.
[CX-D] ip route-static 160.1.1.1 255.255.255.255 NULL0
[CX-D] ospf
Step 3 Enable OSPF IP FRR and FRR route filtering on ATN-A.

# Enable OSPF IP FRR on ATN-A.
[ATN-A] ospf
[ATN-A-ospf-1] frr
[ATN-A-ospf-1-frr] loop-free-alternate

# View information about the route from ATN-A to CX-D. You can find that OSPF generates
a backup route because OSPF IP FRR is enabled.
<ATN-A> display ospf routing router-id 4.4.4.4
Destination : 4.4.4.4
Area
: 0.0.0.1
Type
: Normal
URT Cost
: 59
NextHop
: 1.3.1.3
Backup Nexthop : 1.2.1.2
Backup Type : LFA LINK
Issue 02 (2013-12-31)
Route Type : Intra-area

AdvRouter : 4.4.4.4
Age
: 00h31m27s
Interface : GigabitEthernet0/2/5
Backup Interface : GigabitEthernet0/2/1

2263

Equipment
8 IP Routing
The preceding display shows that a backup route is generated on ATN-A.

----End
Configuration Files
l

#
sysname ATN-A
#
undo shutdown
ip address 1.2.1.1 255.255.255.0
ospf cost 9
#
undo shutdown
ip address 1.3.1.1 255.255.255.0
ospf cost 4
#
frr
frr-policy route route-policy abc
loop-free-alternate
area 0.0.0.1
network 1.2.1.0 0.0.0.255
network 1.3.1.0 0.0.0.255
#
return

#
sysname CX-B
#
undo shutdown
ip address 1.2.1.2 255.255.255.0
ospf cost 9
#
undo shutdown
ip address 2.3.1.2 255.255.255.0
ospf cost 5
#
area 0.0.0.1
network 2.3.1.0 0.0.0.255
network 1.2.1.0 0.0.0.255
#
return

#
sysname CX-C
#
undo shutdown
ip address 1.3.1.3 255.255.255.0
ospf cost 4
#
undo shutdown
ip address 3.4.1.3 255.255.255.0
ospf cost 55
#
Issue 02 (2013-12-31)

2264

Equipment
8 IP Routing
undo shutdown
ip address 2.3.1.3 255.255.255.0
ospf cost 5
#
interface LoopBack0
ip address 33.33.33.33 255.255.255.255
#
interface LoopBack1
ip address 33.33.33.30 255.255.255.255
#
frr
area 0.0.0.1
network 2.3.1.0 0.0.0.255
network 1.3.1.0 0.0.0.255
network 33.33.33.33 0.0.0.0
network 33.33.33.30 0.0.0.0
network 3.4.1.0 0.0.0.255
#
return

#
sysname CX-D
#
undo shutdown
ip address 3.4.1.4 255.255.255.0
ospf cost 55
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
#
area 0.0.0.1
network 3.4.1.0 0.0.0.255
network 4.4.4.4 0.0.0.0
#
return
Example for Configuring OSPF GR

This part provides an example for configuring OSPF GR to ensure nonstop forwarding when an
OSPF process restarts through GR or the active/standby switchover is performed.
As shown in Figure 8-20, CX-A, CX-B, and ATN-D have the AMB and SMB installed, and
AMB and SMB back up each other. The devices interconnect by means of OSPF, and are enabled
with GR.
It is required that service forwarding be not interrupted when CX-A restarts the OSPF process
in GR mode or performs the active/standby switchover.
Issue 02 (2013-12-31)

2265

Equipment
8 IP Routing
Figure 8-20 Networking diagram of configuring OSPF GR
POS2/0/0
POS2/0/0
CX-A 10.1.2.1/24 10.1.2.2/24 CX-B
GE1/0/0
10.1.1.2/24
POS1/0/0
Area0
10.1.3.2/24
Area1
GE0/2/0
10.1.1.1/24
Area2
CX-C
ATN-D
GE0/2/4
192.168.1.1/24
POS1/0/0
10.1.3.1/24
GE2/0/0
192.168.2.1/24
1.
Enable OSPF to interconnect all devices.
2.
Configure GR on CX-A, CX-B and ATN-D.
Data Preparation
l
IP address of each interface on the devices
OSPF process number
Procedure
The detailed configuration procedure is not mentioned here.
Step 3 (Optional) Enable forcible active/standby switchover on CX-A and configure the SMB to
automatically synchronize information on the AMB.
By default, the forcible active/standby switchover is enabled.
[CX-A] slave switchover enable
[CX-A] slave auto-update config
Issue 02 (2013-12-31)

2266

Equipment
8 IP Routing
Step 4 Enable OSPF GR on CX-A, CX-B, and CX-D.

# Configure CX-A. The configurations of CX-B and CX-D are the same as that of CX-A, and
are not mentioned here.
[CX-A] ospf 1
[CX-A-ospf-1] opaque-capability enable
[CX-A-ospf-1] graceful-restart

# Run the display ospf graceful-restart command on CX-A, CX-B, and ATN-D to check the
OSPF GR status. Take the display of CX-A as an example. You can find that the value of
Graceful-restart capability is enabled. This indicates that OSPF GR is enabled on CX-A.
<CX-A> display ospf 1 graceful-restart
Graceful-restart capability
: enabled
Graceful-restart support
: planned and un-planned, totally
Helper-policy support
: planned and un-planned, strict lsa check
Current GR state
: normal
Graceful-restart period
: 120 seconds
Number of neighbors under helper:
Normal neighbors
: 0
Virtual neighbors
: 0
Sham-link neighbors : 0
Total neighbors
: 0
Number of restarting neighbors : 0
Last exit reason:
On graceful restart : none
On Helper
: none
# In the user view, run the reset ospf process graceful-restart command on CX-A to restart
OSPF process 1. Run the display ospf peer command on CX-D to check the OSPF neighbor
relationship between CX-D and CX-A. If the status of the OSPF neighbor relationship is Full,
it indicates that the relationship is not interrupted when CX-A restarts the OSPF process through
GR.
<CX-A> reset ospf 1 process graceful-restart
<ATN-D> display ospf 1 peer
Neighbors
Router ID: 10.1.1.2
Address: 10.1.1.2
GR State: Doing GR
DR: None
BDR: None
MTU: 0
# Perform the active/standby switchover on CX-A. During the switchover, CX-C can ping
through ATN-D, which indicates that service forwarding is not interrupted. Run the display ospf
peer command on CX-D and CX-B to check the OSPF neighbor relationship with CX-A. The
statuses of the OSPF neighbor relationship are displayed as Full.
[CX-A] slave switchover
<CX-B> display ospf 1 peer
Neighbors
Issue 02 (2013-12-31)

2267

Equipment
8 IP Routing

Router ID: 10.1.1.2
Address: 10.1.2.1
GR State: Normal
DR: None
BDR: None
MTU: 0
Neighbors
Router ID: 10.1.3.1
Address: 10.1.3.1
GR State: Normal
DR: None
BDR: None
MTU: 0
<CX-C> ping 192.168.1.1
0.00% packet loss
----End
Configuration Files
l

#
sysname CX-A
#
ip address 10.1.1.2 255.255.255.0
#
interface Pos2/0/0
link-protocol ppp
ip address 10.1.2.1 255.255.255.0
#
ospf 1
graceful-restart
area 0.0.0.0
network 10.1.2.0 0.0.0.255
area 0.0.0.1
network 10.1.1.0 0.0.0.255
#
return

#
sysname CX-B
#
interface Pos1/0/0
link-protocol ppp
ip address 10.1.3.2 255.255.255.0
Issue 02 (2013-12-31)

2268

Equipment
8 IP Routing
#
interface Pos2/0/0
link-protocol ppp
ip address 10.1.2.2 255.255.255.0
#
ospf 1
graceful-restart
area 0.0.0.0
network 10.1.2.0 0.0.0.255
area 0.0.0.2
network 10.1.3.0 0.0.0.255
#
return

#
sysname CX-C
#
ip address 192.168.2.1 255.255.255.0
#
interface Pos1/0/0
link-protocol ppp
ip address 10.1.3.1 255.255.255.0
#
ospf 1
area 0.0.0.2
network 10.1.3.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
Configuration file of ATN-D

#
sysname ATN-D
#
ip address 192.168.1.1 255.255.255.0
#
ip address 10.1.1.1 255.255.255.0
#
ospf 1
graceful-restart
area 0.0.0.1
network 192.168.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255
#
return
Example for Configuring BFD for OSPF

This part provides an example for configuring BFD for OSPF. After BFD for OSPF is
configured, BFD can fast detect link faults and report them to OSPF so that service traffic can
be transmitted through the backup link.
As shown in Figure 8-21, it is required as follows:
l
Issue 02 (2013-12-31)
Run OSPF between ATN-A, CX-B, and CX-C.

2269

Equipment
8 IP Routing
Enable BFD of the OSPF process on ATN-A, CX-B, and CX-C.
Traffic is transmitted on the active link ATN-A CX-B. The link ATN-A CX-C
CX-B acts as the standby link.
BFD of the interface is configured on the link between ATN-A and CX-B. When a fault
occurs on the link, BFD can quickly detect the fault and notify OSPF of the fault; therefore,
the traffic is transmitted on the standby link.
Figure 8-21 Networking diagram for configuring BFD for OSPF
Active link
CX-B GE3/0/0
172.16.1.1/24
ATN-A
lin
GE2/0/0
3.3.3.2/24
GE1/0/0
2.2.2.2/24
St
an
db
y
GE0/2/0
1.1.1.1/24
GE0/2/4
3.3.3.1/24
GE1/0/0
1.1.1.2/24
GE2/0/0
2.2.2.1/24
CX-C
Area0
1.
Enable the basic OSPF functions on each device.
2.
Enable global BFD.
3.
Enable the detection mechanism on ATN-A and CX-B.
Data Preparation
l
Router ID of Router A is 1.1.1.1, OSPF process number is 1, and the network segments of
Area 0 are 3.3.3.0/24 and 1.1.1.0/24.
Router ID of Router B is 2.2.2.2, OSPF process number is 1, and the network segments of
Area 0 are 3.3.3.0/24, 2.2.2.0/24, and 172.16.1.0/24.
Router ID of Router C is 3.3.3.3, OSPF process number is 1, and the network segments of
Area 0 are 1.1.1.0/24 and 2.2.2.0/24.
Minimum interval for sending the BFD packets, minimum interval for receiving the BFD
packets, and local detection multiple on ATN-A and CX-B.
Issue 02 (2013-12-31)

2270

Equipment
8 IP Routing
Procedure
Step 1 Assign an IP address to each device interface.
The detailed configuration is not mentioned here.
Step 2 Configure the basic OSPF functions.
# Configure ATN-A.
[ATN-A] ospf
[ATN-A-ospf-1] quit
# Configure CX-B.
[CX-B] ospf
[CX-B-ospf-1] quit
network 2.2.2.0 0.0.0.255

network 3.3.3.0 0.0.0.255
network 172.16.1.0 0.0.0.255
quit
# Configure CX-C.
[CX-C] ospf
[CX-C-ospf-1] quit
# After the preceding configurations are complete, run the display ospf peer command. You
can view that the neighboring relationship is set up between ATN-A and CX-B, and that between
CX-B and CX-C. Take the display of ATN-A as an example:
<ATN-A> display ospf peer
Neighbors
Router ID: 3.3.3.3
Address: 1.1.1.2
DR: 1.1.1.1 BDR: 1.1.1.2 MTU: 0
Neighbors
Router ID: 2.2.2.2
Address: 3.3.3.2
DR: 3.3.3.1 BDR: 3.3.3.2 MTU: 0
Issue 02 (2013-12-31)

2271

Equipment
8 IP Routing
# Display the information in the OSPF routing table on ATN-A. You can view the routing entries
to CX-B and CX-C. The next hop address of the route to 172.16.1.0/24 is 3.3.3.2 and traffic is
transmitted on the active link ATN-A CX-B.
<ATN-A> display ospf routing
Routing Tables
Routing for Network
Destination
Cost Type
NextHop
172.16.1.1/24 2 Stub 3.3.3.2 2.2.2.2 0.0.0.0
3.3.3.0/24
1
Transit
3.3.3.1
2.2.2.0/24
2
Transit
3.3.3.2
2.2.2.0/24
2
Transit
1.1.1.2
1.1.1.0/24
1
Transit
1.1.1.1
Total Nets: 5
AdvRouter
Area
1.1.1.1
3.3.3.3
3.3.3.3
1.1.1.1
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
Step 3 Configure OSPF BFD.

# Enable global BFD on ATN-A.
[ATN-A] bfd
[ATN-A-bfd] quit
[ATN-A] ospf
[ATN-A-ospf-1] bfd all-interfaces enable
[ATN-A-ospf-1] quit
# Enable global BFD on CX-B.

[CX-B] bfd
[CX-B-bfd] quit
[CX-B] ospf
[CX-B-ospf-1] bfd all-interfaces enable
[CX-B-ospf-1] quit
# Enable global BFD on CX-C.

[CX-C] bfd
[CX-C-bfd] quit
[CX-C] ospf
[CX-C-ospf-1] bfd all-interfaces enable
[CX-C-ospf-1] quit
# After the preceding configurations are complete, run the display ospf bfd session all command
on ATN-A or CX-B. You can view that the status of the BFD session is Up.
Take the display of ATN-A as an example:
[ATN-A] display ospf bfd session all
Area 0.0.0.0 interface 1.1.1.1(GigabitEthernet0/2/0)'s BFD Sessions
NeighborId:1.1.1.2
AreaId:0.0.0.0
BFDState:up
rx
:10
tx
:10
Multiplier:3
BFD Local Dis:8195
LocalIpAdd:1.1.1.1
RemoteIpAdd:1.1.1.2
Diagnostic Info:No diagnostic information
NeighborId:3.3.3.2
AreaId:0.0.0.0
BFDState:up
rx
:10
tx
:10
Multiplier:3
BFD Local Dis:8194
LocalIpAdd:3.3.3.1
RemoteIpAdd:3.3.3.2
Step 4 Configure BFD of the interface.

# Configure BFD on Gigabit Ethernet 0/2/4 of ATN-A, set the minimum interval for sending
the packets and the minimum interval for receiving the packets to 500 ms, and set the local
detection time multiple to 4.
Issue 02 (2013-12-31)

2272

Equipment
8 IP Routing

[ATN-A-GigabitEthernet0/2/4] ospf bfd enable
[ATN-A-GigabitEthernet0/2/4] ospf bfd min-tx-interval 500 min-rx-interval 500
detect-multiplier 4
# Configure BFD on GE 2/0/0 of CX-B, set the minimum interval for sending the packets and
the minimum interval for receiving the packets to 500 ms, and set the local detection time
multiple to 4.
[CX-B] interface Gigabitethernet 2/0/0
[CX-B-GigabitEthernet2/0/0] ospf bfd enable
[CX-B-GigabitEthernet2/0/0] ospf bfd min-tx-interval 500 min-rx-interval 500
detect-multiplier 4
# After the preceding configurations are complete, run the display ospf bfd session all command
on ATN-A or CX-B. You can view that the status of the BFD session is Up.
Take the display of CX-B as an example:
[CX-B] display ospf bfd session all
NeighborId:1.1.1.1
AreaId:0.0.0.0
BFDState:up
rx
:500
tx
:500
Multiplier:4
BFD Local Dis:8198
LocalIpAdd:3.3.3.2
RemoteIpAdd:3.3.3.1
NeighborId:3.3.3.3
AreaId:0.0.0.0
BFDState:up
rx
:10
tx
:10
Multiplier:3
BFD Local Dis:8199
LocalIpAdd:2.2.2.2
RemoteIpAdd:2.2.2.1

# Run the shutdown command on GE 2/0/0 of CX-B to simulate the active link failure.
[CX-B-Gigabitethernet2/0/0] shutdown
# Display the routing table on ATN-A. The standby link ATN-A CX-C CX-B takes effect
after the active link fails. The next hop address of the route to 172.16.1.0/24 becomes 1.1.1.2.
<HUAWEI> display ospf routing
Routing Tables
Routing for Network
Destination
Cost Type
NextHop
172.16.1.1/24
2
Stub
1.1.1.2
3.3.3.0/24
1
Transit
3.3.3.1
2.2.2.0/24
2
Transit
1.1.1.2
1.1.1.0/24
1
Transit
1.1.1.1
Total Nets: 4
AdvRouter
2.2.2.2
1.1.1.1
3.3.3.3
1.1.1.1
Area
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
----End
Configuration Files
l

#
sysname ATN-A
#
router id 1.1.1.1
Issue 02 (2013-12-31)

2273

Equipment
8 IP Routing
#
bfd
#
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
undo shutdown
ip address 3.3.3.1 255.255.255.0
ospf bfd enable
ospf bfd min-tx-interval 500 min-rx-interval 500 detect-multiplier 4
#
ospf 1
bfd all-interface enable
area 0.0.0.0
network 3.3.3.0 0.0.0.255
network 1.1.1.0 0.0.0.255
#
return

#
sysname CX-B
#
router id 2.2.2.2
#
bfd
#
undo shutdown
ip address 2.2.2.2 255.255.255.0
#
undo shutdown
ip address 3.3.3.2 255.255.255.0
ospf bfd enable
ospf bfd min-tx-interval 500 min-rx-interval 500 detect-multiplier 4
#
undo shutdown
ip address 172.16.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 3.3.3.0 0.0.0.255
network 2.2.2.0 0.0.0.255
network 172.16.1.0 0.0.0.255
#
return

#
sysname CX-C
#
router id 3.3.3.3
#
bfd
#
undo shutdown
ip address 1.1.1.2 255.255.255.0
#
undo shutdown
ip address 2.2.2.1 255.255.255.0
Issue 02 (2013-12-31)

2274

Equipment
8 IP Routing
ospf bfd enable

#
ospf 1
area 0.0.0.0
network 1.1.1.0 0.0.0.255
network 2.2.2.0 0.0.0.255
#
return
8.6 OSPFv3 Configuration

By building Open Shortest Path First Version 3 (OSPFv3) networks, you can enable OSPFv3
to discover and calculate routes in ASs. OSPFv3 is applicable to a large-scale network that
consists of hundreds of routers.
8.6.1 Introduction
The OSPFv3 protocol, which is a link-state IGP, runs on IPv6 networks.
OSPFv3 Overview
OSPFv3 uses the same implementation mechanism as OSPFv2 but is not compatible with
OSPFv2.
The Open Shortest Path First Version 3.0 (OSPFv3) supports the version 6 of the Internet
Protocol (IPv6). OSPFv3 conforms to RFC 2740 (OSPF for IPv6).
OSPFv3 and OSPFv2 have the following in common:
l
32-bit Router ID, Area ID, and Link State Advertisement (LSA) link-state ID
Five types of packets such as Hello, Database Description (DD), Link State Request (LSR),
Link State Update (LSU), and Link State Acknowledgement (LSAck) packets
Neighbor discovery and adjacency establishment mechanisms
Flooding and aging mechanisms of LSAs
LSA types
OSPFv3 and OSPFv2 differ as follows:

l
OSPFv3 runs based on a link; OSPFv2 runs based on a network segment.
OSPFv3 can run multiple instances on the same link.
The topology of OSPFv3 is independent of IPv6 address prefixes.
OSPFv3 identifies its neighbors with the IPv6 link-local addresses.
OSPFv3 has three new types of LSA flooding scopes.
OSPFv3 Features Supported by ATN

The ATN supports various OSPFv3 features, including multi-process and GR.
The ATN supports the following OSPFv3 features:
l
Issue 02 (2013-12-31)
Basic features stipulated in RFC 2740

2275

Equipment
OSPFv3 stub areas
OSPFv3 multi-process
Multiple OSPFv3 processes can run on a ATN.
OSPFv3 GR
8 IP Routing
If a ATN restarts or performs the active/standby switchover, it directly ages all the
entries in the Forward Information Base (FIB). This interrupts the routing. The
neighboring ATNs remove the ATN from the neighbor list and inform other ATNs of
the ATN failure. Then, SPF needs to be calculated again. If the ATN recovers after a
short period of time, the neighbor relationship becomes unstable. This results in route
flapping.
If a ATN restarts because of abnormalities, you can enable OSPFv3 Graceful Restart
(GR) to avoid service interruption during the restart of the ATN.
8.6.2 Configuring Basic OSPFv3 Functions

Before building OSPFv3 networks, you need to configure basic OSPFv3 functions.
Before You Start

You need to enable OSPFv3 and specify interfaces and area IDs before configuring other
functions.
Enable the OSPFv3 process and specify its router ID before configuring OSPFv3; otherwise,
other functions cannot take effect.
You must enable OSPFv3 and specify the interface and area ID before configuring other
functions. OSPFv3 configurations, however, are independent of interface-related features.
Before configuring basic OSPFv3 functions, complete the following tasks:
l
Making the network layers of the adjacent nodes accessible
Enabling IPv6 capabilities
Data Preparation
To configure basic OSPFv3 functions, you need the following data.
Issue 02 (2013-12-31)
No.
Data
Router ID
OSPFv3 process ID
Interfaces on which OSPFv3 needs to be enabled and their areas

2276

Equipment
8 IP Routing
Enabling OSPFv3
Creating an OSPFv3 process is a prerequisite for configuring all OSPFv3 features. By creating
an OSPFv3 process, you can manually specify the router ID for a router.
Context
OSPFv3 supports multiple processes. Multiple OSPFv3 processes running on one ATN are
differentiated by process IDs. OSPFv3 process ID is set when OSPFv3 is enabled and is only
locally valid. It does not affect the packet exchange with other ATNs.
In the format of an IPv4 address, a router ID is a 32-bit unsigned integer that uniquely identifies
a ATN within an AS. The router ID of OSPFv3 must be manually set. If no router ID is set,
OSPFv3 fails to run normally.
When manually setting the router ID, ensure that the router IDs of any two ATNs in an AS are
different. When multiple processes are enabled on a ATN, it is necessary to specify a unique
route ID for each process.
To ensure the stable running of OSPFv3, you need to allocate router IDs and set them in network
planning.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ospfv3 [ process-id ] [ { vpn-instance | vpn6-instance } vpn-instance-name ]
OSPFv3 is enabled and the OSPFv3 view is displayed.

Step 3 Run:
router-id router-id
A Router ID is set.
----End
Enabling OSPFv3 on an Interface

For an interface with multiple instances, you need to specify which instance of the interface is
enabled in the OSPFv3 process when enabling OSPFv3 on the interface.
Context
After enabling OSPFv3 in the system view, you need to enable OSPFv3 on the interface. Because
an interface has multiple instances, you need to specify which instance of the interface is enabled
in the OSPFv3 process when OSPFv3 is enabled on the interface. If no instance ID is specified,
the value defaults to 0. The same instance must be enabled on the interfaces between which the
neighbor relationship is set up.
Issue 02 (2013-12-31)

2277

Equipment
8 IP Routing
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ospfv3 process-id area area-id [ instance instance-id ]
OSPFv3 is enabled on the interface.

The area ID can be a decimal integer or in the IPv4 address format, but it is displayed in the IPv4
address format.
Step 4 (Optional) Run the ospfv3 network-type { broadcast | nbma | p2mp [ non-broadcast ] |
p2p } [ instance instance-id ] command to configure the network type of an interface.
When an interface supports multi-instances, you must specify the value of instance-id when
enabling OSPFv3 on the interface. If the value of instance-id is not specified, the default value
0 is adopted. In this case, the configured network type of an interface mismatches the actual
network type of the interface. This step is mandatory in such a case.
----End
Entering the OSPFv3 Area View

By dividing an AS into different areas, specifying OSPFv3 interfaces, and specifying areas to
which these interfaces belong, OSPFv3 can discover and calculate routes in an AS.
Context
You must configure the devices in the same area based on the area. Otherwise, the neighbor
devices cannot exchange information with each other. The congestion of routing information or
routing loop is therefore caused.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ospfv3 [ process-id ]
The OSPFv3 view is displayed.

Step 3 Run:
area area-id
The OSPFv3 area view is displayed.

Issue 02 (2013-12-31)

2278

Equipment
8 IP Routing
The area ID can be a decimal integer or in the IPv4 address format, but it is displayed in the IPv4
address format.
An OSPFv3 area cannot be deleted directly. Only after all the configurations in the area view
are removed and the status of the related interfaces in this area become Down, this area is
automatically removed.
----End

After basic OSPFv3 functions are configured, you can check OSPFv3 brief information, LSDB
information, neighbor information, and OSPFv3 routing table.
Prerequisites
The Basic OSPFv3 Functions has been configured.
Procedure
l
Run the display ospfv3 [ process-id ] command to check the summary information about
the OSPFv3 process.
Run the display ospfv3 [ process-id ] interface [ area area-id ] [ interface-type interfacenumber ] command to check the OSPFv3 interface information.
Run the commands as follow to check the LSDB information about OSPFv3:
display ospfv3 [ process-id ] lsdb [ area area-id ] [ originate-router advertisingrouter-id | self-originate ] [ { router | network | inter-router [ asbr-router asbrrouter-id ] | { inter-prefix | nssa } [ ipv6-address prefix-length ] | link | intra-prefix |
grace } [ link-state-id ] ]
display ospfv3 [ process-id ] lsdb [ originate-router advertising-router-id | selforiginate ] external [ ipv6-address prefix-length ] [ link-state-id ]
Run the display ospfv3 [ process-id ] [ area area-id ] peer [ interface-type interfacenumber ] [ verbose ] command or display ospfv3 [ process-id ] [ area area-id ] peer
neighbor-id [ verbose ] command to check the information about the OSPFv3 neighbor.
Run the commands as follow to check the OSPFv3 routing table:

display ospfv3 [ process-id ] routing uninstalled
display ospfv3 [ process-id ] routing [ abr-routes | asbr-routes | statistics
[ uninstalled ] | ipv6-address prefix-length | intra-routes | inter-routes | ase-routes |
nssa-routes ]
Run the display ospfv3 [ process-id ] path command to check the paths to a destination
address.
Run the display default-parameter ospfv3 command to check the default OSPFv3
configuration.
----End
8.6.3 Establishing or Maintaining OSPFv3 Neighbor Relationship

By establishing and maintaining OSPFv3 neighbor relationships or adjacencies, you can build
OSPFv3 networks.
Issue 02 (2013-12-31)

2279

Equipment
8 IP Routing
Before You Start

When setting parameters on an interface, ensure that these parameters are consistent with those
on the adjacent router.
In applications, establishing or maintaining the OSPFv3 neighbor relationship is a premise for
the construction of an OSPFv3 network. After the configuration in this section, you can:
l
Adjust the convergence speed of the OSPFv3 network and network load posed by protocol
packets by modifying OSPFv3 timers.
Speed up the convergence of an OSPFv3 network by adjusting the intervals for updating
and receiving LSAs.
Before establishing or maintaining the OSPFv3 neighbor relationship, complete the following
tasks:
l
Enabling IPv6 capability
Configuring Basic OSPFv3 Functions
Data Preparation
To establish or maintain the OSPFv3 neighbor relationship, you need the following data.
No.
Data
Interval for sending Hello packets
Dead time of the neighbor relationship
Delay in sending LSAs
Configuring the Interval for Sending Hello Packets

By adjusting the Hello interval set on OSPFv3 neighbors, you can change the speed of
establishing the neighbor relationship, therefore changing the speed of network convergence.
Context
Hello packets are periodically sent to the neighbor ATN to detect and maintain the neighbor
relationship and to elect the DR and the BDR. RFC 2328 requires that the Hello timer values of
neighbors be consistent. The value of the Hello timer is inversely proportional to the route
convergence speed and network load.
Procedure
Step 1 Run:
system-view
Issue 02 (2013-12-31)

2280

Equipment
8 IP Routing

Step 2 Run:

Step 3 Run:
ospfv3 timer hello interval [ instance instance-id ]
The interval for sending Hello packets is set on the interface.

----End
Configuring Dead Time of Neighbor Relationship

If a router does not receive a Hello packet from its neighbor within the Holddown time, the router
considers the neighbor relationship invalid.
Context
If a ATN does not receive any Hello packet from its neighbor during a specified period, the
neighbor ATN is considered invalid. The specified period is called the dead time of the neighbor
relationship. The dead time must be at least four times the Hello interval on an interface.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ospfv3 timer dead interval [ instance instance-id ]
The dead time of the neighbor relationship is specified.

----End
Configuring the Interval for Retransmitting LSAs to Neighboring

After a ATN sends an LSA to its neighbor, the ATN expects to receive an LSAck packet from
its neighbor. If the router does not receive an LSAck packet within the LSA retransmission
interval, it retransmits the LSA to the neighbor.
Procedure
Step 1 Run:
system-view
Issue 02 (2013-12-31)

2281

Equipment
8 IP Routing

Step 2 Run:

Step 3 Run:
ospfv3 timer retransmit interval [ instance instance-id ]
The interval for retransmitting LSAs to the adjacent routers is set.

The value of seconds must be greater than the time taken to transmit a packet between two
ATNs.
NOTE
Do not set a value which is too small, for the interval between LSA retransmissions. Otherwise, unnecessary
retransmissions may occur.
----End

After OSPFv3 neighbor relationships or adjacencies are stable, you can check OSPFv3 interface
information and neighbor information.
Prerequisites
The Establishing or Maintaining OSPFv3 Neighbor Relationship has been configured.
Procedure
l
Run the display ospfv3 [ process-id ] interface [ area area-id ] [ interface-type interfacenumber ] command to check the OSPFv3 interface information.
----End
8.6.4 Configuring OSPFv3 Areas

OSPFv3 supports stub areas and virtual links, the principle and usage scenario of which are
similar to those in OSPFv2.
Before You Start

Configuring a stub area is optional. Not all areas can be configured as stub areas. Generally, a
stub area, which is located at the AS boundary, is a non-backbone area with only one ABR.
To reduce the number of LSAs in the network and enhance OSPFv3 extensibility, define OSPFv3
areas. For some non-backbone areas at the edge of ASs, you can define them as stub areas for
further reducing the size of the routing table and the number of LSAs.
The current ATN version does not support OSPFv3 NSSA areas.
Issue 02 (2013-12-31)

2282

Equipment
8 IP Routing
Before configuring OSPFv3 area attributes, complete the following tasks:
l
Data Preparation
To configure OSPFv3 area attributes, you need the following data.
No.
Data
Areas to be defined as stub areas
Metrics of default routes sent to stub areas
Configuring OSPFv3 Stub Areas

A stub area is a special area in which ABRs do not flood the received AS external routes.
Therefore, the number of LSAs is greatly reduced.
Context
Perform the following steps on each ATN that runs OSPFv3 in the stub area:
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
area area-id

Step 4 Run:
stub [ no-summary ]
The area is configured as a stub area.

default-cost cost
The cost of the default route sent to the stub area is set.
By default, the cost of the default route sent to the stub area is 1.
Issue 02 (2013-12-31)

2283

Equipment
8 IP Routing
This command is configured on the ABR of the stub area only to set the cost of the default route
to be sent to the stub area. This command does not need to be configured on other ATNs in the
stub area.
The parameter no-summary takes effect only when the stub command is configured on the
ABR. If this parameter is configured, the ABR only sends the summary-LSA of a default route
to the stub area without originating other summary-LSAs. The stub area without AS-externalLSAs or Summary-LSAs is called a totally stub area.
----End
Configuring OSPFv3 Virtual Links

You can establish the logical connectivity between backbone areas and the non-backbone areas
that are not physically connected to the backbone area.
Context
After OSPFv3 areas are defined, OSPFv3 route update between non-backbone areas is
implemented through a backbone area. Then, OSPFv3 requires that all non-backbone areas
should maintain the connectivity with the backbone area and the backbone area should maintain
its own connectivity. In actual applications, this requirement may not be met because of some
restrictions. To solve this problem, you can configure OSPFv3 virtual links.
A virtual link must be configured at both ends of the link; otherwise, it does not take effect.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
area area-id

Step 4 Run:
vlink-peer router-id [ hello hello-interval | retransmit retransmit-interval |
trans-delay trans-delay-interval | dead dead-interval | ipsec sa sa-name |
instance instance-id ] *
A virtual link is created and configured.

----End

After OSPFv3 area attributes are configured, you can check the OSPFv3 LSDB, routing table,
and virtual links.
Issue 02 (2013-12-31)

2284

Equipment
8 IP Routing
Prerequisites
The OSPFv3 Areas has been configured.
Procedure
l

nssa-routes ]
Run the display ospfv3 [ process-id ] vlink command to check the information about
OSPFv3 virtual links.
----End
8.6.5 Configuring OSPFv3 NSSA Areas

Configuring a non-backbone area on the border of an AS as an NSSA does not transmit routes
learned from other areas in the AS but imports AS external routes. This reduces bandwidth and
storage resource consumption on the router.
Before You Start

Before configuring OSPFv3 NSSA areas, familiarize yourself with the usage scenario, complete
An NSSA allows the transmission of Type 7 LSAs, which are generated by ASBRs in an NSSA.
The Type 7 LSAs converting into Type 5 LSAs in the NSSA and advertised to other areas.
Before configuring an OSPFv3 NSSA, complete the following tasks:
l
Configuring basic OSPFv3 functions
Data Preparation
To configure an OSPFv3 NSSA, you need the following data.
Issue 02 (2013-12-31)

2285

Equipment
No.
Data
Cost of the default route sent to an NSSA
8 IP Routing
Defining the Current Area to Be an NSSA Area

Derived from a stub area, an NSSA allows AS external routes to be imported; an ASBR
advertises Type 7 NSSA LSAs in the local NSSA.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The OSPFv3 process view is displayed.

Step 3 Run:
area area-id

Step 4 Run:
nssa [ default-route-advertise [ cost cost | type type | tag tag ] * | no-importroute | no-summary | translator-always | translator-interval translator-interval |
set-n-bit ] *
An area is configured as an NSSA.

----End
Follow-up Procedure
To connect ATNs to an NSSA, you need to run the nssa command to configure NSSA attributes
for the area to which the ATNs belong.
The area may be updated after NSSA attributes are configured or deleted. Therefore, the NSSA
attributes can be re-configured or deleted only after the last update of NSSA attributes is
complete.

After OSPFv3 NSSAs are configured, you can check OSPFv3 routing table information.
Prerequisites
OSPFv3 NSSAs has been configured.
Issue 02 (2013-12-31)

2286

Equipment
8 IP Routing
Procedure
l
Run the display ospfv3 area command to check information about OSPFv3 areas.
Run the commands as follow to check the OSPFv3 routing table.

nssa-routes ]
----End
8.6.6 Configuring OSPFv3 Route Attributes

By setting OSPFv3 route attributes, you can change OSPFv3 routing policies to meet the
requirements of complex networks.
Before You Start

Before configuring OSPFv3 route attributes, familiarize yourself with the usage scenario,
complete pre-configuration tasks, and obtain the required data. This can help you complete the
In actual applications, to meet the requirements of a complicated networking environment, you
can change OSPFv3 routing policies by configuring OSPFv3 route attributes. Through the
following procedures, you can:
l
Set the cost on the OSPFv3 interface.
Before configuring OSPFv3 route attributes, complete the following tasks:
l
Data Preparation
To configure OSPFv3 route attributes, you need the following data.
No.
Data
Link cost
Setting the Cost of the OSPFv3 Interface

OSPFv3 can automatically calculate the link cost for an interface according to the interface
bandwidth. You can also set the link cost for the interface by using the related command.
Issue 02 (2013-12-31)

2287

Equipment
8 IP Routing
Context
You can control route calculation by setting the link cost of OSPFv3 on different interfaces.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ospfv3 cost cost [ instance instance-id ]
The cost is set on the OSPFv3 interface.

By default, the link cost on an OSPFv3 interface is 1.
----End

After OSPFv3 route attributes are configured, you can check the OSPFv3 interface, LSDB, and
routing table.
Prerequisites
The OSPFv3 Route Attributes has been configured.
Procedure
l
Run the display ospfv3 interface [ area area-id ] [ interface-type interface-number ]

command to check the OSPFv3 interface information.

nssa-routes ]
----End
Issue 02 (2013-12-31)

2288

Equipment
8 IP Routing
8.6.7 Controlling OSPFv3 Routing Information

This section describes how to control OSPFv3 routing information. Detailed operations include
configuring route aggregation, filtering the received routes, and importing external routes.
Before You Start

Before controlling OSPFv3 routing information, familiarize yourself with the usage scenario,
complete pre-configuration tasks, and obtain the required data. This can help you complete the
Through the configuration in this section, you can control the advertising and receiving of
OSPFv3 routing information and configure OSPFv3 to import external routes.
Before controlling OSPFv3 routing information, complete the following tasks:
l
Data Preparation
To control OSPFv3 routing information, you need the following data.
No.
Data
Prefix of IPv6 routes after aggregation
Filtering list or name used to filter routing information
Link cost on an OSPFv3 interface
Name, process ID, and metric of external routes to be imported
Configuring OSPFv3 Route Aggregation

An ABR can summarize routes with the same prefix into one LSA and advertise the summarized
route in other areas. An ASBR can also summarize imported routes with the same prefix into
one LSA and then advertise the summarized route to other areas. This can reduce the size of the
LSDB in other areas.
Context
If multiple continuous network segments exist in this area, use the abr-summary command to
summarize them into one network segment. In this way, the ABR only sends an LSA after
summarization. No LSA that belongs to the summarization network segment is separately
transmitted, therefore reducing the LSDB size of other areas.
Issue 02 (2013-12-31)

2289

Equipment
8 IP Routing
When a large number of routes are imported, use the asbr-summary command to summarize
the imported routes and set the delay for advertising the summarized route. In this manner, the
summarized route advertised each time contains more valid routing information, and network
flapping caused by incorrect routing information is avoided.
Procedure
l
Configure route summarization on an ABR.

Perform the following steps on the ABR that runs OSPFv3:
1.
Run:
system-view

2.
Run:

3.
Run:
area area-id

4.
Run:
abr-summary ipv6-address prefix-length [ cost cost | not-advertise ]*
Route summarization is configured in the OSPFv3 area.

cost cost set the cost of a summarized route. By default, the cost of a summarized
route is the maximum cost among those of routes that are summarized. The value
ranges from 1 to 16777214.
If not-advertise is set, no routing information of the network segment is advertised.
l
Configure route summarization on an ASBR.

Perform the following steps on the ASBR that runs OSPFv3:
1.
Run:
system-view

2.
Run:

3.
Run:
asbr-summary ipv6-address prefix-length [ cost cost | tag tag | notadvertise | distribute-delay interval ] *
Route summarization is configured on the ASBR.

cost cost specifies the cost of a summarized route. By default, the cost of a summarized
route is the maximum cost among those of routes that are summarized. The value
ranges from 1 to 16777214.
Issue 02 (2013-12-31)

2290

Equipment
8 IP Routing
tag tag specifies the tag used to control route advertisement. The value of this
parameter ranges from 1 to 4294967295.
If not-advertise is specified in the command, the summarized IPv6 route that matches
a specified IPv6 prefix or prefix length is not advertised.
distribute-delay interval specifies the delay for advertising a summarized route.
----End
Configuring OSPFv3 to Filter the Received Routes

By configuring filtering conditions for routing information, you can allow only the routes that
pass the filtering to be received or advertised.
Context
After receiving LSAs, OSPFv3 determines whether to add the calculated routes to the local
routing table according to the filtering policy.
Procedure
Step 1 Run:
system-view

Step 2 Run:

l Configure a basic ACL:
1.
Run:
filter-policy { acl6-number | acl6-name acl6-name } import
OSPFv3 is configured to filter the imported routes.

2.
Run:
quit

3.
Run
acl ipv6 { [ number ] acl6-number1 | name acl-name [ number acl-number2 ] }

4.
Run

address range specified by source and the time period specified by time-range are valid
as the rules.
Issue 02 (2013-12-31)

2291

Equipment
8 IP Routing

by the system.
l Configure an advanced ACL:
1.
Run:
filter-policy acl6-name acl6-name import

2.
Run:
quit

3.
Run
config } ]

4.
Run
rule [ rule-id ] { deny | permit } protocol [ source { source-ipv6-address
prefix-length | source-ipv6-address/prefix-length | any } | time-range timename ] *

by the system.
Issue 02 (2013-12-31)

2292

Equipment
8 IP Routing
Run:
filter-policy ipv6-prefix ipv6-prefix-name import

Using the filter-policy command, you can only filter the routes calculated by OSPFv3. Routes
that do not pass the filtering are neither added to the OSPFv3 routing table nor advertised.
----End
Configuring OSPFv3 to Import External Routes

Importing the routes discovered by other routing protocols can enrich OSPFv3 routing
information.
Context
Because OSPFv3 is a link state-based routing protocol and cannot directly filter the advertised
LSAs, OSPFv3 must filter the routes when importing them. Then, only the routes that pass the
filtering can be advertised.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
default { cost cost | tag tag | type type }
Issue 02 (2013-12-31)

2293

Equipment
8 IP Routing
The default cost of the imported route is set.

Step 4 Run:
import-route protocol [ process-id ] [ { cost cost | inherit-cost } | type type |
tag tag | route-policy route-policy-name ] *
External routes are imported.

import-route bgp [ permit-ibgp ] [ { cost cost | inherit-cost } | type type | tag
tag | route-policy route-policy-name ] *
IBGP routes are imported in OSPFv3 process.

NOTE
Importing IBGP routes in OSPFv3 process can lead to routing loops.

default-route-advertise [ always | cost cost | type type | tag tag | route-policy
route-policy-name ] *
Default routes are advertised to the OSPFv3 route area.

l Configure a basic ACL:
1.
Run:
filter-policy { acl6-number | acl6-name acl6-name } export [ protocol
[ process-id ] ]
The imported external routes are filtered.

2.
Run:
quit

3.
Run
acl ipv6 { [ number ] acl6-number1 | name acl-name [ number acl-number2 ] }

4.
Run

address range specified by source and the time period specified by time-range are valid
as the rules.
Issue 02 (2013-12-31)

2294

Equipment
8 IP Routing
by the system.
l Configure an advanced ACL:
1.
Run:
filter-policy acl6-name acl6-name export [ protocol [ process-id ] ]

2.
Run:
quit

3.
Run
config } ]

4.
Run
rule [ rule-id ] { deny | permit } protocol [ source { source-ipv6-address
prefix-length | source-ipv6-address/prefix-length | any } | time-range timename ] *

by the system.
Issue 02 (2013-12-31)

2295

Equipment
8 IP Routing
Run:
filter-policy ipv6-prefix ipv6-prefix-name export [ protocol [ process-id ] ]

s
After you run the import-route command on an OSPFv3 device to import external routes, the
ATN becomes an ASBR.
You can configure OSPFv3 to filter a certain type of routing information by specifying the
protocol. If protocol is not specified, OSPFv3 filters all the imported routes.
NOTE
The filter-policy command takes effect only on the routes imported through the import-route command
by the ASBR, that is, filters the imported routes. The routes that are filtered out do not generate LSAs and
cannot be advertised by OSPFv3. If the import-route command is not configured to import other external
routes (including OSPFv3 devices in different processes), the filter-policy command does not takes effect.
----End
(Optional) Configuring OSPFv3 to Filter LSAs in an Area

Filtering LSAs in an area can prevent unnecessary LSA transmission. This reduces the size of
the LSDB on the neighboring ATN and speeds up network convergence.
Context
After filtering conditions are set for the incoming or outgoing Type 3 LSAs (Inter-Area-Prefix
LSAs) in an area, only the Type 3 LSAs that meet the filtering conditions can be received or
advertised.
This function is applicable only to the ABR.
Procedure
Step 1 Run:
system-view

Step 2 Run:
Issue 02 (2013-12-31)

2296

Equipment
8 IP Routing

Step 3 Run:
area area-id

Step 4 Filter incoming or outgoing Type 3 LSAs in the area.
l Filter incoming Type 3 LSAs in the area, run any of the following commands as required:
1.
Run:
filter { acl6-number | acl6-name acl6-name } import

2.
Run:
quit
Return to the OSPFv3 view.

3.
Run:
quit

4.
Run

5.
Run

valid as the rules.
Issue 02 (2013-12-31)

2297

Equipment
8 IP Routing
routes.
1.
Run:
filter acl6-name acl6-name import

2.
Run:
quit

3.
Run:
quit

4.
Run
config } ]

5.
Run

Issue 02 (2013-12-31)

2298

Equipment
8 IP Routing
routes.
Run:
filter ipv6-prefix ipv6-prefix-name import

Run:
filter route-policy route-policy-name import

l Filter outgoing Type 3 LSAs in the area, run any of the following commands as required:
1.
Run:
filter { acl6-number | acl6-name acl6-name } export

2.
Run:
quit

3.
Run:
quit

4.
Run

5.
Run

valid as the rules.
Issue 02 (2013-12-31)

2299

Equipment
8 IP Routing
routes.
1.
Run:
filter acl6-name acl6-name export

2.
Run:
quit

3.
Run:
quit

4.
Run
config } ]

5.
Run

Issue 02 (2013-12-31)

2300

Equipment
8 IP Routing
routes.
Run:
filter ipv6-prefix ipv6-prefix-name export

Run:
filter route-policy route-policy-name export

----End

After OSPFv3 route attributes are configured, you can check the OSPFv3 interface, LSDB, and
routing table.
Prerequisites
Controlling OSPFv3 Routing Information has been configured.
Procedure
l
Run the commands as follow to check the OSPFv3 route aggregation:

display ospfv3 [ process-id ] abr-summary-list [ ipv6-address prefix-length ]
display ospfv3 [ process-id ] asbr-summary [ ipv6-address prefix-length ]
[ verbose ]
Issue 02 (2013-12-31)

2301

Equipment
8 IP Routing

nssa-routes ]
----End
8.6.8 Optimizing an OSPFv3 Network

By configuring OSPFv3 functions in special network environments, you can adjust and optimize
the OSPFv3 network performance.
Before You Start

Before optimizing an OSPFv3 network, familiarize yourself with the usage scenario, complete
By adjusting the OSPFv3 timer, you can change the convergence speed of an OSPFv3 network
and the network overload caused by protocol packets. On low-speed links, you need to consider
the delay in transmitting LSAs on the interface. By adjusting the SPF calculation interval, you
can mitigate resource consumption due to frequent network changes.
You can specify the DR priority of an interface to affect the DR/BDR election in a broadcast
network.
Before optimizing an OSPFv3 network, complete the configuration tasks:
l
Data Preparation
To optimize an OSPFv3 network, you need the following data.
Issue 02 (2013-12-31)
No.
Data
Values of OSPFv3 timers
Values of SPF timers
DR priority of the interface

2302

Equipment
8 IP Routing
Configuring the SPF Timer

By setting the interval for SPF calculation, you can reduce resource consumption caused by
frequent network changes.
Context
Whenever the LSDB of OSPFv3 changes, the shortest path should be recalculated. Calculating
the shortest path each time the LSDB changes consumes enormous resources and lowers the
efficiency of a ATN.
Adjusting the SPF delay and hold interval can suppress frequent network changes to avoid
resource consumption.
Procedure
l
Configure an SPF normal timer.

1.
Run:
system-view

2.
Run:

3.
Run:
spf timers delay-interval hold-interval
An SPF normal timer is configured.

l
Configure an SPF intelligent timer.

1.
Run:
system-view

2.
Run:

3.
Run:
spf-schedule-interval { delay-interval hold-interval | intelligent-timer
max-interval start-interval hold-interval-1 }
An SPF intelligent timer is configured.

NOTE
An SPF normal timer and an SPF intelligent timer are mutually exclusive.
----End
Setting the Interval for Receiving LSAs

Setting the interval for receiving LSAs prevents unnecessary LSA updates.
Issue 02 (2013-12-31)

2303

Equipment
8 IP Routing
Context
When a network is unstable, control the minimum interval for receiving the same LSA update.
To prevent unnecessary LSA updates caused by network changes, by default, set the interval for
receiving the same LSA update to 1000 ms.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
lsa-arrival-interval arrival-interval
The interval for receiving LSAs is set.

----End
Configuring an Intelligent Timer for Generating LSAs

Configuring an intelligent timer for generating LSAs speeds up network convergence.
Context
Setting the millisecond-level interval for generating the same LSA speeds up network
convergence. When a network becomes unstable, reduce the interval for generating the same
LSA by using an intelligent timer.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
lsa-originate-interval intelligent-timer max-interval start-interval
hold-interval
The interval for generating the same LSA is set.

l max-interval specifies the maximum interval for updating LSAs.
l start-interval specifies the initial interval for updating LSAs.
Issue 02 (2013-12-31)

2304

Equipment
8 IP Routing
l hold-interval specifies the hold interval for updating LSAs.

----End
Suppressing an Interface from Sending and Receiving OSPFv3 Packets

By suppressing the OSPFv3 interface from receiving and sending OSPFv3 packets, you can
prevent routers on a certain network from obtaining OSPFv3 routing information and prevent
the local router from receiving routing information from other routers.
Context
To prevent a ATN from advertising routes to the ATN on a certain network and from importing
the routes of other ATNs, you can suppress the interface on which OSPFv3 is enabled from
receiving and sending OSPFv3 packets.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
silent-interface interface-type interface-number
The interface is suppressed from sending and receiving OSPFv3 packets.

----End
Follow-up Procedure
Different processes can suppress the same interface from sending and receiving OSPFv3 packets,
but the silent-interface command is valid only for the OSPFv3 interface on which the specified
process is enabled, and does not take effect on the interface of other processes.
After an OSPFv3 interface is set to be silent, the interface can still advertise its direct routes
through the Intra-Area-Prefix-LSA of the same router. No OSPFv3 neighbor relationship can
be set up on the interface. Therefore, the OSPFv3 adaptability is enhanced.
Configuring DR Priority of an Interface

When configuring a broadcast network or an NBMA network, you can specify the DR priority
for each interface to change the results of DR/BDR election on the network.
Context
The DR priority on a ATN interface qualifies the interface for the Designated Router (DR)
election. If the DR priority is 0, the ATN cannot be elected as a DR or Backup Designated Router
(BDR).
Issue 02 (2013-12-31)

2305

Equipment
8 IP Routing
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ospfv3 dr-priority priority [ instance instance-id ]
The DR priority of the interface is set.

----End
Follow-up Procedure
After the DR priority is changed, you can re-elect a DR or BDR through the following methods,
which, however, will result in the interruption of the OSPFv3 neighbor relationship between
ATNs and therefore are used only when necessary.
l
Restarting all ATNs.
Running the shutdown and undo shutdown commands on the interface on which the
OSPFv3 neighbor relationship is set up.
Configuring Stub Routers

When a router has a heavy load and cannot forward any other packets, you can configure it as
a stub router. After the router is configured as a stub router, other OSPFv3 devices do not use
this router to forward data but they can have a route to this stub router.
Context
A stub router is used to control traffic. It notifies OSPFv3 devices not to forward data by the
stub router, but they can have a route to the stub router.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
stub-router [ on-startup [ interval ] ]
The stub router is configured.

Issue 02 (2013-12-31)

2306

Equipment
8 IP Routing
NOTE
There is no correlation between the stub router configured through this command and the router in the stub
area.
----End
Ignoring MTU Check on DD Packets

By disabling an interface from checking the MTU field in the received DD packet, you can
enable an OSPFv3 device to receive the packet with the MTU field being 0.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ospfv3 mtu-ignore [ instance instance-id ]
The MTU check on DD packets is ignored.

After the command is used, the interface does not check the MTU field of a received DD packet.
----End

After an OSPFv3 network is optimized, you can check the OSPFv3 interface, LSDB, and routing
table.
Prerequisites
Optimizing an OSPFv3 Network has been configured.
Procedure
l
Run the display ospfv3[ process-id ] interface [ area area-id ] [ interface-type interfacenumber ] command to check the OSPFv3 interface information.
l
Issue 02 (2013-12-31)

2307

Equipment
8 IP Routing

nssa-routes ]
----End
8.6.9 Configuring the Network Management Function of OSPFv3

OSPFv3 supports the network management function. You can bind the OSPFv3 MIB to a certain
OSPFv3 process.
Before You Start

Before configuring the network management function for OSPFv3, familiarize yourself with the
usage scenario, complete pre-configuration tasks, and obtain the required data. This can help
OSPFv3 supports the network management function. You can bind OSPFv3 MIB and a certain
OSPFv3 process. In addition, OSPFv3 also supports the trap function and the log function.
Before configuring the network management function of OSPFv3, complete the following tasks:
l
Data Preparation
None.
Configuring OSPFv3 MIB Binding

The MIB is a virtual database of the device status maintained by the managed devices.
Context
When multiple OSPFv3 processes are enabled, you can configure OSPFv3 MIB to select the
process to be processed, that is, that is, configure OSPFv3 MIB to select the process to which it
is bound.
Procedure
Step 1 Run:
system-view

Step 2 Run:
Issue 02 (2013-12-31)

2308

Equipment
8 IP Routing
ospfv3 mib-binding process-id
OSPFv3 MIB binding is configured.

----End
Configuring OSPFv3 Trap

Traps are the notifications sent from a router to inform the NMS of the fault detected by the
system.
Procedure
Step 1 Run:
system-view

Step 2 Run:
snmp-agent trap enable feature-name ospfv3 trap-name
{ authenticationsequencenumberwrap | ifconfigerror | ifrxbadpacket | ifstatechange
| lastauthenticationkeyexpiry | nbrrestarthelperstatuschange | nbrstatechange |
nssatranslatorstatuschange | restartstatuschange | virtifconfigerror |
virtifrxbadpacket | virtifstatechange | virtnbrrestarthelperstatuschange |
virtnbrstatechange } }
The trap function for the OSPFv3 module is enabled.

snmp-agent trap feature-name ospfv3 trap-name trap-name description descriptiontext
The descriptions for OSPFv3 traps is configured.

----End

After the network management function is configured for OSPFv3, you can check the contents
of the information channel, and information recorded in the information center, log buffer, and
trap buffer.
Prerequisites
The Network Management Function of OSPFv3 has been configured.
Procedure
l
Run the display current-configuration command to check the configuration parameters

currently validated on the ATN.
Run the display snmp-agent trap feature-name ospfv3 all command to view all trap
messages of the OSPFv3 module.
----End
Issue 02 (2013-12-31)

2309

Equipment
8 IP Routing
8.6.10 Maintaining OSPFv3

Maintaining OSPFv3 and Debugging OSPFv3 involve resetting OSPFv3.
Resetting OSPFv3
Restarting OSPFv3 can reset OSPFv3. In addition, you can reset OSPFv3 through GR.
Context
NOTICE
The OSPFv3 adjacency is removed when you reset the OSPFv3 connection by using the reset
ospfv3 command. Exercise caution when running this command.
After modifying the OSPFv3 routing policy or protocol, reset the OSPFv3 connection to validate
the modification. To reset OSPFv3 connections, run the following reset ospfv3 command in the
user view.
Procedure
l
To validate the new configuration, run the following commands:

reset ospfv3 { process-id | all } [ graceful-restart [ extend-period period ] ]
reset ospfv3 { process-id | all } counters [ neighbor [ interface-type interfacenumber ] [ router-id ] ]
----End
8.7 IS-IS Configuration

This chapter describes the basic principle of IS-IS and procedures for configuring IS-IS, and
provides configuration examples.
8.7.1 Introduction
By building IS-IS networks, you can enable IS-IS to discover and calculate routes in ASs.
Basic Concepts of IS-IS

As an IGP, IS-IS is used inside an AS. IS-IS is a link-state protocol. It uses the SPF algorithm
to calculate routes.
The Intermediate System-to-Intermediate System (IS-IS) is a dynamic routing protocol that was
originally created by the International Organization for Standardization (ISO) for its
Connectionless Network Protocol (CLNP).
Issue 02 (2013-12-31)

2310

Equipment
8 IP Routing
To support the IP routing, the Internet Engineering Task Force (IETF) extended and modified
IS-IS in RFC 1195. IS-IS can therefore be applied to both TCP/IP and OSI environments. This
type of IS-IS is called the Integrated IS-IS or Dual IS-IS.
As an Interior Gateway Protocol (IGP), IS-IS is used in Autonomous Systems (ASs). IS-IS is a
link-state protocol. It uses the Shortest Path First (SPF) algorithm to calculate routes. It resembles
the Open Shortest Path First (OSPF) protocol.
IS-IS Areas
To support large-scale networks, the IS-IS adopts a two-level structure in a Routing Domain
(RD). A large RD is divided into one or more areas. The intra-area routes are managed by the
Level-1 routers, whereas the inter-area routes are managed by the Level-2 routers.
Figure 8-22 shows an IS-IS network. Its topology is similar to that of a multi-area OSPF network.
Area 1 is a backbone area. All routers in this area are Level-2 routers. The other four areas are
non-backbone areas. They are connected to Area 1 through Level-1-2 routers.
Figure 8-22 IS-IS topology
Area2
Area3
L1/2
L1
L1/2
L2
L2
L2
Area4
Area1
L2
Area5
L1/2
L1/2
L1
L1
L1
L1
L1
Figure 8-23 shows another type of IS-IS topology. The Level-1-2 routers are used to connect
the Level-1 and the Level-2 routers, and are used to establish the backbone network together
with the other Level-2 routers.The IS-IS backbone network does not refer to a specific area, in
this topology, no area is specified as a backbone area. All the Level-2 routers constitute an ISIS backbone network. The devices may belong to different areas, but the areas must be
successive.
Issue 02 (2013-12-31)

2311

Equipment
8 IP Routing
Figure 8-23 IS-IS topology II

Area1
L1
L1
L2
Area2
L1/L2
L1/L2
Area4 L1
L2
L2
Area3
This type of networking shows differences between IS-IS and OSPF. For OSPF, the inter-area
routes are forwarded by the backbone area and the SPF algorithm is used in the same area. For
IS-IS, both Level-1 routers and Level-2 routers use the SPF algorithm to generate Shortest Path
Trees (SPTs).
Network Types
IS-IS supports only two network types, which can classify as follows according to physical links:
l
Broadcast links such as Ethernet and Token-Ring.
Point-to-point links such as PPP .

NOTE
For a Non-Broadcast Multi-Access (NBMA) network such as ATM, you need to configure sub-interfaces
for it. The type of subnets cannot be Point-to-Multipoint (P2MP). IS-IS cannot run on P2MP networks.
IS-IS Features Supported by the ATN

The ATN supports various Intermediate System-to-Intermediate System (IS-IS) protocol
features, including multi-instance, multi-process, hot standby (HSB), graceful restart (GR),
traffic engineering (TE), administrative tags, Link State Protocol Data Unit (LSP) fragment
extension, dynamic host name exchange, fast convergence, Bidirectional Forwarding Detection
(BFD), and three-way handshake.
Multi-Instance and Multi-Process

IS-IS supports multi-process and multi-instance, facilitating management and improving control
efficiency of IS-IS.
l
Multi-process
Multi-process allows a group of interfaces to be associated with a specific IS-IS process.
This ensures that the specific IS-IS process performs all the protocol-based operations only
on the group of interfaces. Multiple IS-IS processes can run on a single ATN and each
process is responsible for a unique group of interfaces.
l
Issue 02 (2013-12-31)
Multi-instance
2312

Equipment
8 IP Routing
After the VPN feature is enabled, multi-instance allows an IS-IS process to be associated
with a specific VPN instance so that all the interfaces of this IS-IS process will be associated
with the VPN instance.
IS-IS HSB
The ATN of a distributed architecture supports IS-IS HSB. In the IS-IS HSB process, IS-IS
backs up data from the active main board (AMB) to the standby main board (SMB). Whenever
the AMB fails, the SMB becomes active. This ensures uninterrupted running of IS-IS.
In the IS-IS HSB process, IS-IS configurations on the AMB and the SMB are consistent. After
a master/slave AMB/SMB switchover, IS-IS on the current AMB performs GR, obtains
adjacencies from its neighbors, and synchronizes its link state database (LSDB) with the LSDB
on the SMB. This prevents service interruption.
NOTE
Only the ATN 950B supports this function.
IS-IS GR
GR is a function used to restart a router gracefully. It ensures uninterrupted traffic forwarding
during the restart of a router in a short time.
If IS-IS restarts in a non-graceful mode, IS-IS sessions are reset and Link State Protocol Data
Units (LSPs) are regenerated and flooded. This triggers the SPF calculation in the entire area,
which causes route flapping and forwarding interruption in the area. The IETF defines IS-IS GR
in RFC 3847, in which the specifications of protocol restart with FIB tables reserved and
unreserved are stated.
NOTE
ATN device can only be used as a GR Helper and not be used as a GR Restarter. For details about IS-IS
GR, see the "IS-IS" chapter in the Feature Description-IP Routing.
IS-IS TE
IS-IS TE supports MPLS to set up and maintain the label switched paths (LSPs).
When establishing constraint-based routed (CR) LSPs, MPLS needs to learn the traffic attributes
of all the links in the local area. CR-LSPs can acquire the TE information of the links using ISIS.
NOTE
For details about IS-IS TE, see the Configuration Guide-MPLS.

All the other LSPs referred to in this chapter are link state protocol data units. Differentiate the two
acronyms.
Administrative Tag
The use of administrative tags simplifies management. Administrative tags can advertise IP
address prefixes in the IS-IS area to control routes. The administrative tag carries the
administrative information about an IP address prefix. It is used to control the routes of different
levels and routes imported from different areas, various routing protocols, multiple IS-IS
instances running on a ATN, and carrying of tags.
Issue 02 (2013-12-31)

2313

Equipment
8 IP Routing
Each administrative tag is associated with certain attributes. If the prefix of the reachable IP
address to be advertised by IS-IS has this attribute, IS-IS adds the administrative tag to the
reachability TLV in the prefix. In this manner, the tag is advertised throughout the entire IS-IS
area.
LSP Fragment Extension

When more information is carried in an LSP to be advertised by IS-IS, IS-IS advertises multiple
LSP fragments. Each LSP fragment is identified by the LSP identifier field of an LSP. The LSP
identifier field is 1 byte long. Therefore, the maximum number of fragments that can be generated
by an IS-IS router is 256.
The IS-IS fragment extension feature allows an IS-IS router to generate more LSP fragments.
To implement this feature, you can use the network manager to configure additional system IDs
for the ATN. Each system ID represents a virtual system, which can generate 256 LSP fragments.
With more additional system IDs (up to 50 virtual systems), an IS-IS router can generate a
maximum of 13056 LSP fragments.
l
Related terms are as follows:

Originating system
In this document, the originating system is the ATN that actually runs the IS-IS protocol,
and each IS-IS process is regraded as multiple virtual routers to generate LSP fragments.
Normal system ID
It is the system ID of the originating system.
Additional System-ID
An additional system ID, assigned by the network administrator, represents a virtual
system. Each virtual system is allowed to generate up to 256 extended LSP fragments.
Like a normal system ID, an additional system ID must be unique in a routing domain.
Virtual system
It is a virtual system for generating extended LSP fragments. Each virtual system has a
unique additional system ID, and each extended LSP fragment carries an additional
system ID.
Operating mode
An IS-IS router can run the LSP fragment extension feature in the following modes:
Mode 1: The originating system sends a link to each virtual system. Then each virtual
system sends a link to the originating system. The virtual systems function as the
ATNs that are connected to the originating system on the network. This mode is used
when some routers on the network do not support the LSP fragment extension feature.
In this mode, only the routing information can be advertised in the LSPs of the virtual
systems.
Mode 2: All the ATNs on the network can learn that the LSPs generated by the virtual
systems actually belong to the originating system. This mode is used when all the
ATNs on the network support the LSP fragment extension feature. In this mode, all link
state information can be advertised in the LSPs of the virtual systems.
Dynamic Host Name Exchange Mechanism

The dynamic host name exchange mechanism is introduced to conveniently manage and
maintain IS-IS networks. The mechanism provides a service of mapping host names to system
Issue 02 (2013-12-31)

2314

Equipment
8 IP Routing
IDs for the IS-IS routers. The dynamic host name information is advertised in the form of a
dynamic host name TLV in an LSP.
The dynamic host name exchange mechanism also provides a service to associate a host name
with the designated intermediate system (DIS) on a broadcast network. Then LSPs of pseudo
nodes advertise this association in the form of a dynamic host name TLV.
It is easier to identify and memorize the host name than the system ID. After this function is
configured, the host name will displays when display command is used.
IS-IS Route Summarization

Route summarization is a function for summarizing routes with the same IP prefix into one route.
On a large-scale IS-IS network, you can configure route summarization to reduce the number
of IS-IS routes in the routing table. This improve the usage of system resources and facilitates
route management.
IP network segments are not affected when a link frequently alternates between Up and Down
on an IP network segment. This prevents route flapping and improves the network stability.
The ATN supports classless network-based route summarization.
IS-IS Load Balancing

If there are redundant links on an IS-IS network, there may be multiple equal-cost routes.
Configuring IS-IS load balancing can evenly distribute traffic to each link. This increases the
bandwidth usage of each link and prevents network congestion caused by some overloaded links.
IS-IS load balancing, however, may affect traffic management because traffic will be randomly
forwarded in this mode.
IS-IS Preference
If there are redundant links on an IS-IS network, there may be multiple equal-cost routes.
The ATN allows you to configure preference values for equal-cost IS-IS routes so that only the
route with the highest preference will be used and the others will function as backups.
This facilitates traffic management, improves the network reliability, and avoids configuration
change.
IS-IS Fast Convergence

l
Incremental SPF (I-SPF)

I-SPF calculates only changed routes at a time, but not all routes.
ISO-10589 defines Dijkstra as the algorithm to calculate routes. When a node is added to
or removed from a network topology, all routes of all nodes need to be calculated if the
Dijkstra algorithm is adopted. As a result, it takes a long time and occupies excessive
resources, reducing the route convergence speed of the entire network.
I-SPF improves this algorithm. Except for the first time, only changed nodes instead of all
nodes are involved in calculation. The SPT generated at last is the same as that generated
by the Dijkstra algorithm. This decreases the CPU usage and speeds up route convergence.
Issue 02 (2013-12-31)

2315

Equipment
8 IP Routing
Partial route calculation (PRC)

Similar to I-SPF, only changed nodes are involved in PRC. PRC, however, does not
calculate the shortest path but updates leaf routes based on the SPT calculated by I-SPF.
In route calculation, a leaf represents a route, and a node represents a ATN. If the SPT
calculated using I-SPF changes, PRC calculates all the leaves on only the changed node;
if the SPT calculated using I-SPF does not change, PRC calculates only the changed leaf.
For example, if an interface of a node is enabled with IS-IS, the SPT of the entire network
remains unchanged. In this case, PRC updates the routes on only the interface of this node,
reducing the CPU usage.
PRC working with I-SPF further improves the convergence performance of the network.
As an improvement of the original SPF algorithm, RPC and I-SPF replace the original
algorithm.
NOTE
In real world applications of ATNs, only I-SPF and PRC are used to calculate IS-IS routes.
LSP fast flooding

Based on the RFC, when IS-IS receives LSPs from other routers and the LSPs are more
updated than those in its own LSDB, IS-IS uses a timer to flood out the LSPs in the LSDB
at specified intervals. Therefore, the LSDB synchronization is slow.
LSP fast flooding addresses the problem. When a ATN configured with this feature receives
one or more LSPs, it floods out the LSPs less than the specified number before route
calculation. This accelerates the LSDB synchronization and speeds up network
convergence to the great extent.
Intelligent timer
Although the route calculation algorithm is improved, the long interval for triggering route
calculation also affects the convergence speed. Using a millisecond timer can shorten the
interval, however, excessive CPU resources will be consumed if the network topology
changes frequently. An SPF intelligent timer can quickly respond to certain emergent events
and also prevent excessive CPU resource consumption.
An IS-IS network running normally is stable. The network seldom changes frequently, and
an IS-IS router does not calculate routes frequently. Therefore, you can set a short interval
(in milliseconds) for triggering the route calculation for the first time. If the network
topology changes frequently, the value of the intelligent timer increases with the calculation
times, and the interval for route calculation becomes longer. This prevents excessive CPU
resource consumption.
The LSP generation intelligent timer is similar to the SPF intelligent timer. In IS-IS, when
the LSP generation timer expires, the system regenerates its own LSP according to the
current topology. In the original implementation mechanism, a timer with a fixed value is
used, which, however, cannot meet the requirements on fast convergence and low CPU
usage. Therefore, the LSP generation timer is designed as an intelligent timer so that it can
respond quickly to some emergent events (such as interface alternation between Up an
Down) to speed up network convergence. In addition, when the network changes
frequently, the value of the intelligent timer becomes greater automatically to prevent
excessive CPU resource consumption.
NOTE
Determine whether to configure intelligent timers based on actual network situations and
specifications of deployed routers.
Issue 02 (2013-12-31)

2316

Equipment
8 IP Routing
BFD for IS-IS

The ATN supports BFD for IS-IS to detect IS-IS neighbor relationships. BFD can fast detect
the faults on links between IS-IS neighbors and reports them to IS-IS. Fast convergence of ISIS is then implemented.
NOTE
BFD detects only one-hop links between IS-IS neighbors. This is because IS-IS establishes only one-hop
neighbors.
Static BFD
To configure static BFD, use command lines to configure single-hop BFD parameters, such
as local and remote discriminators. Then configure the device to send BFD session setup
requests.
A static BFD session can only be established and released manually. A configuration error
will lead to a BFD failure. For example, if the configured local discriminator or remote
discriminator is incorrect, a BFD session will not work properly.
The ATN supports static IPv4 BFD for IS-IS.
Dynamic BFD
Dynamic BFD refers to the dynamic establishment of BFD sessions using routing protocols.
When a new IS-IS neighbor relationship is set up, BFD is notified of the parameters of the
neighbor and the detection parameters (including source and destination IP addresses).
Then a BFD session will be established based on the received parameters of the neighbor.
Dynamic BFD is more flexible than static BFD.
Connection status between an IS-IS device and its neighbors can be monitored by
exchanging Hello packets at intervals. The sending interval is usually set to 10s, and a
neighbor is declared Down after at least three intervals (during which no response Hello
packet is received from the neighbor). It takes IS-IS some seconds to sense a Down
neighbor, resulting in loss of a large amount of high-speed data.
Dynamic BFD can provide link failure detection with light load and high speed (at the
millisecond level). Dynamic BFD does not take the place of the Hello mechanism of ISIS, but helps IS-IS to detect the faults on neighbors or links more quickly, and instruct ISIS to recalculate routes to correctly guide packet forwarding.
The ATN supports dynamic IPv4 BFD for IS-IS.
NOTE
For details about IS-IS GR, see the "IS-IS" chapter in the Feature Description-IP Routing.
IS-IS Three-Way Handshake

A reliable link layer protocol is required when IS-IS runs on a point-to-point (P2P) link. Based
on ISO 10589, the two-way handshake mechanism of IS-IS uses Hello packets to set up P2P
adjacencies between neighboring ATNs. Once the ATN receives a Hello packet from its peer,
it regards the status of the peer as Up and sets up an adjacency with the peer.
This mechanism has obvious defects. For example, when an adjacency is set up, the unstable
link status causes the loss of Complete Sequence Number Packets (CSNPs). As a result, the
LSDB fails to be synchronized during the update period of an LSP. If two or more links exist
between two ATNs, an adjacency can still be set up when one link is Down and the other is Up
in the same direction. The parameters of the other link, however, are also used in SPF calculation.
Issue 02 (2013-12-31)

2317

Equipment
8 IP Routing
TheATN does not detect any fault of the link that is in the Down state and still tries to forward
packets over this link.
The three-way handshake mechanism addresses the problem on the unreliable P2P link. In threeway handshake mode, the ATN regards the neighbor as Up only after confirming that the
neighbor receives the packet that it sends and then sets up an adjacency with the neighbor. In
addition, a 32-bit circuit ID is used in the three-way handshake mechanism, which is an extension
of the local 8-bit circuit ID that defines 255 P2P links.
8.7.2 Configuring Basic IPv4 IS-IS Functions

This section describes the procedures for configuring basic IPv4 IS-IS functions, including the
procedures for configuring IS-IS processes and interfaces, to implement communication
between nodes on an IPv4 IS-IS network.
Before You Start

Before configuring basic IPv4 IS-IS functions, familiarize yourself with the usage scenario,
To deploy IS-IS on an IPv4 network, configure basic IS-IS functions to implement
communication between different nodes on the network.
Other IS-IS functions can be configured only after basic IS-IS functions are configured.
Configuring basic IPv4 IS-IS functions includes the following operations:
1.
Create IPv4 IS-IS processes.
2.
Configure IPv4 IS-IS interfaces.
Before configuring basic IPv4 IS-IS functions, complete the following tasks:
l
Configure a link layer protocol.
Data Preparation
To configure basic IPv4 IS-IS functions, you need the following data.
Issue 02 (2013-12-31)
No.
Data
IS-IS process ID
NTE of an IS-IS process
Level of each device and level of each interface

2318

Equipment
8 IP Routing
Creating IPv4 IS-IS Processes

Before configuring basic IPv4 IS-IS functions, create IPv4 IS-IS processes and then enable IPv4
IS-IS interfaces.
Context
To create an IPv4 IS-IS process, perform the following operations:
l
Create an IS-IS process and configure the NET of a device.
(Optional) Configure the level of a device.

The level of a device is Level-1-2 by default.
Configure the device level based on the network planning. If no device level is configured,
IS-IS establishes separate neighbor relationships for Level-1 and Level-2 devices and
maintains two identical LSDBs, consuming excessive system resources.
(Optional) Configure IS-IS host name mapping.

After IS-IS host name mapping is configured, a host name but not the system ID of a device
will display by using display commands. This configuration improves the maintainability
on an IS-IS network.
(Optional) Enable the output of the IS-IS adjacency status.

If the local terminal monitor is enabled and the output of the IS-IS adjacency status is
enabled, IS-IS adjacency changes will be output to the router until the output of the
adjacency status is disabled.
Procedure
l

1.
Run:
system-view

2.
Run:
isis [ process-id ]
An IS-IS process is created, and the IS-IS process view is displayed.

The process-id parameter specifies the ID of an IS-IS process. The default value of
process-id is 1. To associate an IS-IS process with a VPN instance, run the isis processid vpn-instance vpn-instance-name command.
3.
Run:
network-entity net
or
network-entity area area-id auto-systemid lsr-id
A NET is configured.
NET of IS-IS consists of three parts:
Part one is the area ID that is variable (1 to 13 bytes), and the area IDs of the devices
in the same area are identical.
Issue 02 (2013-12-31)

2319

Equipment
8 IP Routing
Part two is the system ID (6 bytes) of this device, which must be unique in the
whole area and backbone area.
Part three is the last byte "SEL", whose value must be "00".
For example, the NET of IS-IS device can be configured as 10.1234.6e9f.0001.00.
NOTICE
l An area ID is used to uniquely identify an area in the same IS-IS domain. All
ATNs in the same Level-1 area must share the same area ID, while routers in the
same Level-2 area can have different area IDs.
l The system ID must be unique in the whole area and backbone area.
l A maximum of three area IDs can be configured for an IS-IS process. Therefore,
a maximum of three NETs can be configured. When configuring multiple NETs,
ensure that they share the same system ID.
Configuring loopback interface addresses based on NETs is recommended to ensures
that a NET is unique on the network. If NETs are not unique, route flapping will easily
occur.
System ID used in IS-IS can be obtained in the following way: extend each part of the
IP address to 3 bits, add 0 to the front of any part that is shorter than 3 bits, divide the
extended address into three parts, with each part consisting of four decimal digits, and
the reconstructed address is the system ID.
4.
(Optional) Run:
description
Descriptions for the IS-IS process are configured.

l

1.
Run:
is-level { level-1 | level-1-2 | level-2 }
The level of the ATN is configured.

l

1.
Run:
is-name symbolic-name
IS-IS dynamic host name mapping is configured. The system ID of the local device
is mapped to the specified host name.
The value of symbolic-name is contained in LSP packets and advertised to other ISIS devices.
On another IS-IS device displays the value of symbolic-name, but not the system ID,
of the local IS-IS device.
2.
Run:
is-name map system-id symbolic-name
IS-IS static host name mapping is configured. The system ID of a peer IS-IS device
Issue 02 (2013-12-31)

2320

Equipment
8 IP Routing
This command configuration takes effect only on the local IS-IS device. The value of
symbolic-name will not be added to LSP packets.
If dynamic host name mappings is configured on an IS-IS network, the mappings on
the network overwrite the mappings configured on the local ATN.
l

1.
Run:
log-peer-change
The output of the adjacency status is enabled.

----End
Configuring IPv4 IS-IS Interfaces

To configure an interface of an IS-IS device to send Hello packets or flood LSPs, enable IS-IS
on this interface first.
Context
The level of an IS-IS device and level of an interface determine the level of a neighbor
relationship. By default, Level-1 and Level-2 neighbor relationships are established between
two Level-1-2 devices. If only one level of neighbor relationships is required, you can configure
the level of an interface to prevent the establishment of the other level of neighbor relationships.
After IS-IS is enabled on an interface, the interface automatically sends Hello packets, attempting
to establish neighbor relationships. If a peer device is not an IS-IS device or an interface is not
expected to send Hello packets, suppress the interface. Then this interface only advertises routes
of the network segment where the interface resides, but does not send Hello packets. This
suppression improves the link bandwidth usage.
Procedure
l
Configure an IS-IS interface.

1.
Run:
system-view

2.
Run:

3.
Run:
isis enable [ process-id ]
An IS-IS interface is configured.

After this command is run, the IS-IS device uses the specified interface to send Hello
packets and flood LSPs.
NOTE
No neighbor relationship needs to be established between loopback interfaces. If this command

is run on a loopback interface, the routes of the network segment where the loopback interface
resides will be advertised through other IS-IS interfaces.
Issue 02 (2013-12-31)

2321

Equipment
8 IP Routing
(Optional) Configure the level of an IS-IS interface.

1.
Run:
isis circuit-level [ level-1 | level-1-2 | level-2 ]
The level of the interface is configured.

By default, the level of an interface is level-1-2.
NOTE
Changing the level of an IS-IS interface is valid only when the level of the IS-IS device is
Level-1-2. If the level of the IS-IS device is not a Level-1-2, the level of the IS-IS device
determines the level of the adjacency to be established.
(Optional) Suppress an IS-IS interface.

1.
Run:
isis silent [ advertise-zero-cost ]
The IS-IS interface is suppressed.

A suppressed IS-IS interface does not send or receive IS-IS packets. The routes of the
network segment where the interface resides, however, can still be advertised to other
routers within the area.
l
(Optional) Configure a delay for the IS-IS neighbor relationship establishment.

Run:
isis delay-peer track last-peer-expired [ delay-time delay-interval ]
A delay is configured for the IS-IS neighbor relationship establishment.

By default, delay-interval is 60s.
If a new delay-interval is configured and it is less than the remaining time of the ongoing
delay, the new delay-interval takes effect immediately; if the new delay-interval is greater
than the remaining time of the ongoing delay, the ongoing delay continues until the new
delay-interval takes effect at the next delay.
----End
(Optional) Configuring the IPv4 IS-IS Interfaces

Configuring the IS-IS interface costs can control IS-IS route selection.
Context
The costs of IS-IS interfaces can be determined in the following modes in descending order by
priority:
l
Interface cost: is configured for a specified interface.
Global cost: is configured for all interfaces.
Automatically calculated cost: is automatically calculated based on the interface

bandwidth.
If none of the preceding configurations is performed, the default cost of an IS-IS interface is 10,
and the default cost style is narrow.
Issue 02 (2013-12-31)

2322

Equipment
8 IP Routing
Procedure
l
Configure the IS-IS cost type.

1.
Run:
system-view

2.
Run:
isis [ process-id ]
The IS-IS view is displayed.

3.
Run:
cost-style { narrow | wide | wide-compatible | { { narrow-compatible |
compatible } [ relax-spf-limit ] } }
The IS-IS cost type is configured.

The cost range of an interface and a route received by the interface vary with the cost type.
If the cost type is narrow, the cost of an interface ranges from 1 to 63. The maximum
cost of a route received by the interface is 1023.
If the cost style is narrow-compatible or compatible, the cost of an interface ranges from
1 to 63. The cost of a received route is related to relax-spf-limit.
If relax-spf-limit is not specified, the cost of a route works as follows:
If the cost of a route is not greater than 1023 and the cost of every interface that the
route passes through is smaller than or equal to 63, the cost of the route received by
the interface is the actual cost.
If the cost of a route is not greater than 1023 but the costs of all interfaces that the
route passes through are greater than 63, the IS-IS device can learn only the routes
to the network segment where the interface resides and the routes imported by the
interface. The cost of the route received by the interface is the actual cost. Subsequent
routes forwarded by the interface are discarded.
If the cost of a route is greater than 1023, the IS-IS device can learn only the interface
whose route cost exceeds 1023 for the first time. That is, the cost of each interface
before this interface is not greater than 63. The routes of the network segment where
the interface resides and the routes imported by the interface can all be learned. The
cost of the route is 1023. Subsequent routes forwarded by the interface are discarded.
If relax-spf-limit is specified, the cost of a route works as follows:
There is no limit on costs of interfaces or route costs. The cost of a route received
by an interface is the actual cost.
If the cost style is wide-compatible or wide, the cost of the interface ranges from 1 to
16777215. When the cost is 16777215, the neighbor TLV generated on the link cannot
be used for route calculation but for the transmission of TE information. The maximum
cost of a received route is 0xFFFFFFFF.
l
Configure the cost of an IS-IS interface.

1.
Run:
system-view

2.
Issue 02 (2013-12-31)
Run:
2323

Equipment
8 IP Routing

3.
Run:
isis cost { cost | maximum } [ level-1 | level-2 ]
The cost of the IS-IS interface is configured.

You can use the isis cost command to configure the cost of a specified interface.
l
Configure the global IS-IS cost.

1.
Run:
system-view

2.
Run:
isis [ process-id ]

3.
Run:
circuit-cost { cost | maximum } [ level-1 | level-2 ]
The global IS-IS cost is configured.

You can use the circuit-cost command to configure the costs of all interfaces at a time.
l
Enable IS-IS to automatically calculate interface costs.

1.
Run:
system-view

2.
Run:
isis [ process-id ]

3.
Run:
bandwidth-reference value
The reference value of the bandwidth is configured. By default, the bandwidth

reference value is 100 Mbit/s.
4.
Run:
auto-cost enable
The interface is configured to automatically calculate its cost.

The configuration of the bandwidth reference value takes effect only when the cost type is
wide or wide-compatible. In this case, Cost of each interface = (Value of bandwidthreference/Interface bandwidth) x 10.
NOTE
The auto-cost enable command can be run on Eth-Trunk interfaces as same with on physical
interfaces. If the command is run on an Eth-Trunk interface, the bandwidth of the Eth-Trunk interface
is equal to the total bandwidth of all its member interfaces.
If the cost-style is narrow, narrow-compatible, or compatible, the cost of each interface is

based on costs listed in Table 8-3.
Issue 02 (2013-12-31)

2324

Equipment
8 IP Routing
Table 8-3 Mapping between IS-IS interface costs and interface bandwidth
Cost
Bandwidth Range
60
Interface bandwidth 10 Mbit/s
50
10 Mbit/s < interface bandwidth 100 Mbit/

s
40

s
30

s
20
622 Mbit/s < Interface bandwidth 2.5 Gbit/

s
10
Interface bandwidth > 2.5 Gbit/s
NOTE
To change the cost of a loopback interface, run the isis cost command only in the loopback interface
view.
----End
(Optional) Configuring IPv4 IS-IS Attributes for Interfaces on Different Types of

Networks
Different IS-IS attributes can be configured for different types of network interfaces.
Context
The establishment modes of IS-IS neighbor relationships are different on a broadcast network
and on a P2P network. Different IS-IS attributes can be configured for interfaces on different
types of networks.
IS-IS is required to select a DIS on a broadcast network. Configure the DIS priorities of IS-IS
interfaces so that the interface with the highest priority will be selected as the DIS.
The network types of the IS-IS interfaces on both ends of a link must be the same; otherwise,
the IS-IS neighbor relationship cannot be established between the two interfaces. For example,
if the type of an interface on a peer device is P2P, you can configure the type of an interface on
the local device to P2P so that an IS-IS neighbor relationship can be established between the
two devices.
IS-IS on a P2P network is not required to select a DIS. Therefore, you do not need to configure
DIS priorities. To ensure the reliability of P2P links, configure IS-IS to use the three-way
handshake mode for IS-IS neighbor relationship establishment so that faults on a unidirectional
link can be detected.
Issue 02 (2013-12-31)

2325

Equipment
8 IP Routing
Procedure
l
Configure the DIS priority of an IS-IS interface.

1.
Run:
system-view

2.
Run:

3.
Run:
isis dis-priority priority [ level-1 | level-2 ]
The DIS priority is configured on the interface. The greater the value, the higher the
priority.
4.
(Optional) Run:
isis dis-name symbolic-name
The name of the DIS is configured for easier maintenance and management.
l
Configure the network type of an IS-IS interface.

1.
Run:
system-view

2.
Run:

3.
Run:
isis circuit-type p2p
The network type of the interface is set to P2P.

The network type of an interface is determined by the physical type of the interface
by default.
When the network type of an IS-IS interface changes, interface configurations change
accordingly.
After a broadcast interface is configured as a P2P interface using the isis circuittype p2p command, the default settings are restored for the interval for sending
Hello packets, the number of Hello packets that IS-IS fails to receive from a
neighbor before the neighbor is declared Down, interval for retransmitting LSPs
on a P2P link, and various IS-IS authentication modes. Consequently, other
configurations such as the DIS priority, DIS name, and interval for sending CSNPs
on a broadcast network become invalid.
After the undo isis circuit-type command is run to restore the network type, the
default settings are restored for the interval for sending Hello packets, the number
of Hello packets that IS-IS fails to receive from a neighbor before the neighbor is
declared Down, interval for retransmitting LSPs on a P2P link, various IS-IS
authentication modes, DIS priority, and interval for sending CSNPs on a broadcast
network.
Issue 02 (2013-12-31)

2326

Equipment
8 IP Routing
Set the negotiation mode in which P2P neighbor relationships can be set up.
1.
Run:
system-view

2.
Run:

3.
Run:
isis ppp-negotiation { 2-way | 3-way [ only ] }
The negotiation mode is specified on the interface.

By default, the 3-way handshake negotiation mode is adopted.
The isis ppp-negotiation command can only be used for the establishment of the
neighbor relationships on P2P links. In the case of a broadcast link, you can run the
isis circuit-type p2p command to set the link type to P2P, and then run the isis pppnegotiation command to set the negotiation mode for the establishment of the
neighbor relationship.
l
Configure OSICP negotiation check on PPP interfaces.

1.
Run:
system-view

2.
Run:

3.
Run:
isis ppp-osicp-check
The OSICP negotiation status is checked on a PPP interface.

By default, the OSICP negotiation status of a PPP interface does not affect the status
of an IS-IS interface.
The isis ppp-osicp-check command is applicable only to PPP interfaces. This
command is invalid for other P2P interfaces.
After this command is run, the OSICP negotiation status of a PPP interface affects the
status of an IS-IS interface. When PPP detects that the OSI network fails, the link
status of the IS-IS interface goes Down and the route to the network segment where
the interface resides is not advertised through LSPs.
l
Configure the scale of the Hello packets sent on the IS-IS interface.
1.
Run:
system-view

2.
Run:

Issue 02 (2013-12-31)

2327

Equipment
8 IP Routing
NOTE
Step 3 and Step 4 are mutually exclusive. Run the command as needed.
3.
Run:
isis small-hello
The Hello packets without the padding field are configured to be sent on the interface.
4.
Run:
isis padding-hello
The standard Hello packets without the padding field are configured to be sent on the
interface.
l
Configure IS-IS not to check whether the IP addresses of received Hello packets are on the
same network segment.
1.
Run:
system-view

2.
Run:

3.
Run:
isis peer-ip-ignore
IS-IS is configured not to check whether the IP addresses of received Hello packets
are on the same network segment.
----End

After basic IPv4 IS-IS functions are configured, you can view information about IS-IS neighbors,
interfaces, and routes.
Prerequisites
The configurations of basic IPv4 IS-IS functions are complete.
Procedure
Step 1 Run the display isis name-table [ process-id | vpn-instance vpn-instance-name ] command to
check the mapping from the name of the local device to the system ID.
Step 2 Run the display isis peer [ verbose ] [ process-id | vpn-instance vpn-instance-name ] command
to check information about IS-IS neighbors.
Step 3 Run the display isis interface [ verbose ] [ process-id | vpn-instance vpn-instance-name ]
command to check information about IS-IS interfaces.
Issue 02 (2013-12-31)

2328

Equipment
8 IP Routing
Step 4 Run the display isis route [ process-id | vpn-instance vpn-instance-name ] [ ipv4 ] [ verbose |
[ level-1 | level-2 ] | ip-address [ mask | mask-length ] ] * command to check information about
IS-IS routes.
----End
Example
Run the display isis name-table command to view the mappings between host names and system
IDs.
<HUAWEI> display isis name-table
Name table information for ISIS(1)
System ID
Hostname
Type
------------------------------------------------------------------------------1111.1111.1111
DeviceA
DYNAMIC
2222.2222.2222
DeviceB
DYNAMIC
Run the display isis peer command. The command output shows the status of an IS-IS neighbor,
DeviceB. System Id is displayed as DeviceB.
<HUAWEI> display isis peer
Peer information for ISIS(1)
System Id
Interface
Circuit Id
State HoldTime Type
PRI
------------------------------------------------------------------------------DeviceB
GE0/2/1
DeviceB.01
Up
9s
L1
64
Total Peer(s): 1
Run the display isis interface verbose command to view information about IS-IS interfaces.
The command output shows that the DIS status of a broadcast interface is Yes, the priority of
the DIS is 20, and the cost of the interface is 30.
<HUAWEI> display isis interface verbose
Interface information for ISIS(1)
--------------------------------IPV4.State
MTU Type DIS
Up
1497 L1/L2 Yes/No
: Standard
: HUAWEI, GigabitEthernet0/2/1 Int
Interface
Id
GE1/0/0
001
Circuit MT State
Description
erface
SNPA Address
IP Address
Csnp Timer Value
Hello Timer Value
DIS Hello Timer Value
Hello Multiplier Value
LSP-Throttle Timer
Cost
Priority
Retransmit Timer Value
Bandwidth-Value
Static Bfd
Dynamic Bfd
Fast-Sense Rpr
Suppress Base
Issue 02 (2013-12-31)
: 00e0-770a-8100
: 12.1.1.2
: L1
10 L2
: L1
10 L2
: L1
3 L2
: L1
3 L2
: L12
50
: L1
30 L2
: L1
20 L2
: L12
5
: Low 1000000000
: NO
: NO
: NO
: NO
10
10
3
3
30
20
High

2329

Equipment
8 IP Routing
Run the display isis route command to view information about IS-IS routes. The command
output shows a route with the destination network segment of 12.1.1.0/24 and with the next-hop
address of 23.1.1.0/24.
<HUAWEI> display isis route
Route information for ISIS(1)
----------------------------ISIS(1) Level-2 Forwarding Table
-------------------------------IPV4 Destination
IntCost
ExtCost ExitInterface
NextHop
Flags
------------------------------------------------------------------------------12.1.1.0/24
40
NULL
23.1.1.1
A/-/-/23.1.1.0/24
10
NULL
Direct
D/-/L/Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
U-Up/Down Bit Set
8.7.3 Establishing or Maintaining IS-IS Neighbor Relationships or

Adjacencies
This section describes how to configure the parameters that affect the IS-IS neighbor
relationship.
Before You Start

Before configuring the parameters that affect the IS-IS neighbor relationship, familiarize
This section describes how to establish or maintain the IS-IS neighbor relationship, covering:
l
Adjusting timers of various IS-IS packets, including Hello packets, CSNPs, and LSPs
Adjusting parameters of LSPs
Before establishing or maintaining IS-IS neighbor relationships or adjacencies, complete the
following tasks:
l
Configuring IP addresses of interfaces to make neighboring nodes reachable
Data Preparation
To establish or maintain IS-IS neighbor relationships or adjacencies, you need the following
data.
Issue 02 (2013-12-31)

2330

Equipment
No.
Data
Parameters of IS-IS timers
LSP parameters
8 IP Routing
Configuring IS-IS Timers for Packets

This part describes how to set the intervals for sending Hello packets, Complete Sequence
Number PDUs (CSNPs), and Link State PDUs (LSPs).
Context
Perform the following steps on the ATN that runs IS-IS.
Procedure
l
Configuring the Interval for Sending Hello Packets

1.
Run:
system-view

2.
Run:

3.
Run:
isis timer hello hello-interval [ level-1 | level-2 ]
The interval for sending the Hello packets is set on an interface.

On a broadcast link, there are Level-1 and Level-2 Hello packets. For different types
of packets, you can set different intervals. If no level is specified, both the Level-1
timer and Level-2 timer are configured. On a P2P link, there is only one type of Hello
packets. Therefore, neither level-1 nor level-2 is required.
NOTE
Parameters level-1 and level-2 are configured only on a broadcast interface.
Configuring the Invalid Number of Hello Packets

1.
Run:
system-view

2.
Run:

3.
Run:
isis timer holding-multiplier number [ level-1 | level-2 ]
The invalid number of Hello packets is set.

Issue 02 (2013-12-31)

2331

Equipment
8 IP Routing
If no level is specified, both the Level-1 timer and Level-2 timer are configured.
NOTE
level-1 and level-2 can be found only on the broadcast interface.
IS-IS maintains neighbor relationships with neighbors through Hello packets. If the local
router does not receive any Hello packet from a neighbor within holding time, the local
router declares that the neighbor is invalid.
In IS-IS, the period during which the local router and its neighbor keep the neighbor
relationship is determined by the invalid number of Hello packets and the interval for
sending Hello packets.
l
Configuring the Interval for Sending CSNPs

1.
Run:
system-view

2.
Run:

3.
Run:
isis timer csnp csnp-interval [ level-1 | level-2 ]
The interval for sending CSNPs is set.

CSNPs are transmitted by the Designated IS (DIS) to synchronize an LSDB in a broadcast
network. If the level is not specified, the timer of the current level is configured.
l
Configuring the Minimum Interval for Sending LSPs

1.
Run:
system-view

2.
Run:

3.
Run:
isis timer lsp-throttle throttle-interval [ count count ]
The minimum interval for sending LSPs is set.

count: specifies the maximum number of LSP packets to be sent within the period
specified by throttle-interval. The value ranges from 1 to 1000.
You can set the minimum interval for sending LSPs on an IS-IS interface, that is, the delay
between two consecutive LSPs. The value is also the interval for sending fragments of a
CSNP.
----End
Issue 02 (2013-12-31)

2332

Equipment
8 IP Routing
Configuring LSP Parameters

By configuring the LSP generation timer, you can adjust the time that an IS-IS network generates
LSPs. Setting the size of the LSP to be generated or received by IS-IS can affect the transmission
of LSPs.
Context
Procedure
l
Configure the interval for refreshing LSPs

1.
Run:
system-view

2.
Run:
isis [ process-id ]

3.
Run:
timer lsp-refresh refresh-time
The LSP refreshment period is set.

To synchronize all the LSPs in an area, the ATNs in the area periodically send all the current
LSPs.
By default, the LSP refreshment period is 900 seconds, and the maximum lifetime of an
LSP is 1200 seconds. When performing configurations, ensure that the LSP refresh interval
is 300 seconds shorter than the maximum LSP Keepalive time. In this way, new LSPs can
reach all ATNs in an area before existing LSPs expire.
NOTE
It is recommended to adjust the difference between the LSP refresh period and the maximum
Keepalive time of the LSP depending on the network scale.
Configure the max lifetime of an LSP

1.
Run:
system-view

2.
Run:
isis [ process-id ]

3.
Run:
timer lsp-max-age age-time
The lifetime of an LSP is set.

When a ATN generates an LSP, it sets the max lifetime for the LSP. After the LSP is
received by other ATNs, its lifetime decreases as time passes. If a ATN does not receive
Issue 02 (2013-12-31)

2333

Equipment
8 IP Routing
any updated LSP and the lifetime of this LSP decreases to 0, the lifetime of the LSP lasts
60s. If a new LSP is still not received, this LSP is deleted from the LSDB.
l
Configure the intelligent timer used to generate LSPs

1.
Run:
system-view

2.
Run:
isis [ process-id ]

3.
Run:
timer lsp-generation max-interval [ init-interval [ incr-interval ] ]
[ level-1 | level-2 ]
The intelligent timer used to generate LSPs is set.

If no level is configured, both Level-1 and Level-2 are configured.
The initial delay for generating the same LSPs (or LSP fragments) is init-interval. The delay
for generating the same LSPs (or LSP fragments) secondly is incr-interval. When the routes
change each time, the delay for generating the same LSPs (or LSP fragments) is twice as
the previous value until the delay is up to max-interval. After the delay reaches maxinterval for three times or reset the IS-IS process, the interval is reduced to init-interval.
When incr-interval is not used and generating the same LSPs (or LSP fragments) for the
first time, init-interval is used as the initial delay. Then, the delay for generating the same
LSPs (or LSP fragments) is max-interval. After the delay reaches max-interval for three
times or the IS-IS process is reset, the interval is reduced to init-interval.
When only max-interval is used, the intelligent timer changes into a normal one-short timer.
l
Configure the size of an LSP

1.
Run:
system-view

2.
Run:
isis [ process-id ]

3.
Run:
lsp-length originate max-size
The size of an LSP generated by the system is set.

4.
Run:
lsp-length receive max-size
The size of a received LSP is set.

NOTE
When using max-size, ensure that the value of the max-size of the generated LSP packet (or the
forwarded LSP packet) must be smaller than or equal to that of the received LSP packet.
The value of max-size set by using the lsp-length command must meet the following
conditions.
Issue 02 (2013-12-31)

2334

Equipment
8 IP Routing
The MTU value of an Ethernet interface must be greater than or equal to the sum of
max-size and 3.
The MTU value of a P2P interface must be greater than or equal to the value of maxsize.
l
Adding an Interface to a Mesh Group

1.
Run:
system-view

2.
Run:

3.
Run:
isis mesh-group { mesh-group-number | mesh-blocked }
The interface is added to a mesh group.

On the Non Broadcast Multiple Access (NBMA) network, after receiving an LSP, the
interface of a ATN floods the LSP to the other interfaces. In a network with higher
connectivity and multiple P2P links, however, the flooding method causes repeated LSP
flooding and wastes bandwidth.
To avoid the preceding problem, you can configure several interfaces to form a mesh group.
The ATN in the mesh group does not flood the LSP received from an interface of the group
to the other interfaces of the group, but floods it to interfaces of other groups or interfaces
that do not belong to any group. When mesh-blocked is configured on an interface, the
interface is blocked and cannot flood LSPs outside. All the interfaces added to a mesh group
implement global LSDB synchronization through CSNP and PSNP mechanisms.
NOTE
In an ATM or FR network, IS-IS routers are connected through Virtual Circuits (VCs), and the
interface here is the logical P2P sub-interface.
Configure LSP fragments extension

1.
Run:
system-view

2.
Run:
isis [ process-id ]

3.
Run:
lsp-fragments-extend
mode-2 ] ] *
[ [ level-1 | level-2 | level-1-2 ] | [ mode-1 |
LSP fragments extension is enabled in an IS-IS process.

4.
Run:
virtual-system virtual-system-id
A virtual system is configured.

Issue 02 (2013-12-31)

2335

Equipment
8 IP Routing
To configure a ATN to generate extended LSP fragments, you must configure at least one
virtual system. The ID of the virtual system must be unique in the domain.
An IS-IS process can be configured with up to 50 virtual system IDs.
If neither the mode nor the level is specified when LSP fragments extension is configured,
mode-1 and Level-1-2 are used by default.
----End

After configuring parameters that affect the IS-IS neighbor relationship, you can check
information about the IS-IS interface and statistics about the IS-IS process.
Prerequisites
The configurations of Establishing or Maintaining IS-IS Neighbor Relationships or Adjacencies
are complete.
Procedure
l
Run display isis interface [ [ verbose | traffic-eng ] * | tunnel ] [ process-id | vpninstance vpn-instance-name ] command to check information about the interface enabled
with IS-IS.
Check the statistics of the IS-IS process:

display isis statistics [ level-1 | level-2 | level-1-2 ] [ process-id | vpn-instance vpninstance-name ]
display isis statistics packet [ interface interface-type interface-number ]
display isis process-id statistics [ level-1 | level-2 | level-1-2 | packet ]
----End
8.7.4 Configuring IPv4 IS-IS Route Selection

Configuring IS-IS route selection can achieve refined control over route selection.
Before You Start

Before configuring IPv4 IS-IS route selection, familiarize yourself with the usage scenario,
After basic IPv4 IS-IS functions are configured, IS-IS routes will be generated, enabling
communication between different nodes on a network.
If multiple routes are available, a route discovered by IS-IS may not the optimal route. This does
not meet network planning requirements nor facilitates traffic management. Therefore, configure
IPv4 IS-IS route selection to implement refined control over route selection.
To implement refined control over IPv4 IS-IS route selection, perform the following operations:
Issue 02 (2013-12-31)

2336

Equipment
8 IP Routing
Configuring the IPv4 IS-IS Interfaces.

NOTE
Changing the IS-IS cost for an interface can achieve the function of controlling route selection, but
requires routes on the interface to be recalculated and reconverged when a network topology changes,
especially on a large-scale network. In addition, the configuration result may not meet your
expectation.
Therefore, the configuration of changing IS-IS costs has best to be finished when configuring basic
IS-IS functions.
Configure IPv4 IS-IS route leaking.
Configure principles for selecting equal-cost IPv4 IS-IS routes.
Filter IPv4 IS-IS routes.
Configure an overload bit for an IPv4 IS-IS device.
Configuring IS-IS to Generate IPv4 Default Routes
Configuring an IPv4 IS-IS Interface to Automatically Adjust the Link Cost
Before configuring IPv4 IS-IS route selection, complete the following tasks:
l
the network layer
Configuring Basic IPv4 IS-IS Functions
Data Preparation
To configure IPv4 IS-IS route selection, you need the following data.
No.
Data
ACL for filtering routes, IP prefix list, or routing policy
Maximum number of load-balancing equal-cost IS-IS routes
Preference of the next hop
Time when an IS-IS device enters the overload state
Configuring IPv4 IS-IS Route Leaking

Configuring IS-IS route leaking enables you to optimize IS-IS route selection on a two-levelarea network.
Context
If multiple Level-1-2 devices in a Level-1 area are connected to devices in the Level-2 area, a
Level-1 LSP sent by each Level-1-2 device carries an ATT flag bit of 1. This Level-1 area will
have multiple routes to the Level-2 area and to other Level-1 areas.
By default, routes in a Level-1 area can be leaked into the Level-2 area so that Level-1-2 and
Level-2 devices can learn about the topology of the entire network. Devices in a Level-1 area
Issue 02 (2013-12-31)

2337

Equipment
8 IP Routing
are unaware of the entire network topology because they only maintain LSDBs in the local
Level-1 area. Therefore, a device in a Level-1 area can forward traffic to a Level-2 device only
through the nearest Level-1-2 device. The route used may not be the optimal route to the
destination.
To enable a device in a Level-1 area to select the optimal route, configure IPv4 IS-IS route
leaking so that specified routes in the Level-2 area can be leaked into the local Level-1 area.
Routes of services deployed only in the local Level-1 area do not need to be leaked into the
Level-2 area. A policy can be configured to leak only desired routes into the Level-2 area.
Procedure
l
Specify routes in the Level-2 area and other Level-1 areas that can be leaked into the local
Level-1 area.
1.
Run:
system-view

2.
Run:
isis [ process-id ]

3.

a.
Run import-route isis level-2 into level-1 [ tag tag | filter-policy { aclnumber | acl-name acl-name } ] *, routes in the Level-2 area and other Level-1
areas that meet the specified conditions are leaked into the local Level-1 area.
b.
c.
Run acl { [ number ] acl-number1 | name acl-name basic [ number aclnumber2 ] } [ match-order { auto | config } ], the basic ACL view is
displayed.
d.
Run rule [ rule-id ] { deny | permit } [ fragment-type fragment-typename | source { source-ip-address source-wildcard | any } | time-range timename | vpn-instance vpn-instance-name ] *, a rule is configured for the basic
ACL.
If the action specified in an ACL rule is permit, a route that matches the
rule will be received or advertised by the system.
If the action specified in an ACL rule is deny, a route that matches the
rule will not be received or advertised by the system.
If a route has not matched any ACL rules, the route will not be received
or advertised by the system.
If an ACL does not contain any rules, all routes matching the routepolicy that references the ACL will not be received or advertised by the
system.
If the ACL referenced by the route-policy does not exist, all routes
matching the route-policy will be received or advertised by the system.
Issue 02 (2013-12-31)

2338

Equipment
8 IP Routing
In the configuration order, the system first matches a route with a rule that
has a smaller number and then matches the route with a rule with a larger
number. Routes can be filtered using a blacklist or a whitelist:
Route filtering using a blacklist: Configure a rule with a smaller number
and specify the action deny in this rule to filter out the unwanted routes.
Then, configure another rule with a larger number in the same ACL and
specify the action permit in this rule to receive or advertise the other
routes.
Route filtering using a whitelist: Configure a rule with a smaller number
and specify the action permit in this rule to permit the routes to be received
or advertised by the system. Then, configure another rule with a larger
number in the same ACL and specify the action deny in this rule to filter
out unwanted routes.
Based on the named advanced ACL:
a.
Run import-route isis level-2 into level-1 [ tag tag | filter-policy aclname acl-name ] *, routes in the Level-2 area and other Level-1 areas that
meet the specified conditions are leaked into the local Level-1 area.
b.
c.

{ auto | config } ], the basic ACL view is displayed.
d.
Run rule [ rule-id ] { deny | permit } protocol [ source { source-ip-address

source-wildcard | any } | time-range time-name ] *, a rule is configured for
the basic ACL.
system.
routes.
Issue 02 (2013-12-31)

2339

Equipment
8 IP Routing
Based on the IP prefix: import-route isis level-2 into level-1 [ tag tag | filterpolicy ip-prefix ip-prefix-name ] *
Based on the Route-Policy: import-route isis level-2 into level-1 [ tag tag | filterpolicy route-policy route-policy-name ] *
NOTE
The command is run on the Level-1-2 device that is connected to an external area.
By default, routes in the Level-2 area are not leaked into Level-1 areas. After this command is
run, only routes that meet the specified conditions can be leaked into Level-1 areas.
Configure routes in Level-1 areas to leak into the Level-2 area.

1.
Run:
system-view

2.
Run:
isis [ process-id ]

3.

a.
Run import-route isis level-1 into level-2 [ tag tag | filter-policy { aclnumber | acl-name acl-name } ] *, routes that meet the specified conditions
in Level-1 areas are leaked into the Level-2 area.
b.
c.
displayed.
d.
ACL.
system.
Issue 02 (2013-12-31)

2340

Equipment
8 IP Routing
routes.
a.
Run import-route isis level-1 into level-2 [ tag tag | filter-policy aclname acl-name ] *, routes that meet the specified conditions in Level-1 areas
are leaked into the Level-2 area.
b.
c.

d.

the basic ACL.
system.
routes.
Issue 02 (2013-12-31)

2341

Equipment
8 IP Routing
Based on the IP prefix: import-route isis level-1 into level-2 [ tag tag | filterpolicy ip-prefix ip-prefix-name ] *
Based on the Route-Policy: import-route isis level-1 into level-2 [ tag tag | filterpolicy route-policy route-policy-name ] *
NOTE
By default, all routes in a Level-1 area are leaked into the Level-2 area. After this command is
run, only routes that meet the specified conditions can be leaked into the Level-2 area.
----End
Configuring Principles for Using Equal-Cost IPv4 IS-IS Routes

If multiple equal-cost IS-IS routes are available on a network, configure the equal-cost IS-IS
routes to work in load-balancing mode to increase the bandwidth usage of each link, or configure
preference values for the equal-cost IS-IS routes to facilitate traffic management.
Context
If there are redundant IS-IS links, multiple routes may have an equal cost. Choose either of the
following methods to use these equal-cost IS-IS routes:
l
Configure load balancing for equal-cost IS-IS routes so that traffic will be evenly balanced
among these links.
This mechanism increases the link bandwidth usage and prevents network congestion
caused by link overload. However, this mechanism may make traffic management more
difficult because traffic will be randomly forwarded.
Configure preference values for equal-cost IS-IS routes so that only the route with the
highest preference will be used and the others function as backups.
This configuration facilitates traffic management and improves the network reliability,
without the need to change original configurations.
Procedure
l
Configure equal-cost IS-IS routes to work in load-balancing mode.

1.
Run:
system-view

2.
Run:
isis [ process-id ]

3.
Run:
The maximum number of load-balancing equal-cost IS-IS routes is set.

Issue 02 (2013-12-31)

2342

Equipment
8 IP Routing
NOTE
When the number of equal-cost routes is greater than number specified in the maximum loadbalancing command, valid routes are selected for load balancing based on the following
criteria:
1. Route preference: Routes with lower preferences are selected for load balancing. For details
about route preference configuration, see Configure preference values for equal-cost ISIS routes.
2. Interface index: If routes have the same priorities, routes with higher interface index values
are selected for load balancing.
3. Next hop IP address: If routes have the same priorities and interface index values, routes
with larger IP address are selected for load balancing.
Configure preference values for equal-cost IS-IS routes.

1.
Run:
system-view

2.
Run:
isis [ process-id ]

3.
Run:
nexthop ip-address weight value
A preference value is configured for an equal-cost IS-IS route.

NOTE
A larger value of the value parameter indicates a higher preference.
----End
Filtering IPv4 IS-IS Routes

If some IS-IS routes are not preferred, configure conditions to filter IS-IS routes. Only IS-IS
routes meeting the specified conditions can be added to an IP routing table.
Context
Only routes in an IP routing table can be used to forward IP packets. An IS-IS route can take
effect only after this IS-IS route has been successfully added to an IP routing table.
If an IS-IS route does not need to be added to a routing table, specify conditions, such as a basic
ACL, IP prefix, and routing policy, to filter routes so that only IS-IS routes that meet the specified
conditions can add to an IP routing table. IS-IS routes that do not meet the specified conditions
cannot be added to the IP routing table and cannot be selected to forward IP packets.
Procedure
Step 1 Run:
system-view

Issue 02 (2013-12-31)

2343

Equipment
8 IP Routing
Step 2 Run:
isis [ process-id ]

1.
Run filter-policy { acl-number | acl-name acl-name } import, conditions for filtering

IS-IS routes are configured.
2.
3.

4.

by the system.

1.
Run filter-policy acl-name acl-name import, conditions for filtering IS-IS routes are
configured.
2.
3.

4.
Issue 02 (2013-12-31)

2344

Equipment
8 IP Routing
by the system.
l Based on the IP prefix: filter-policy ip-prefix ip-prefix-name import
l Based on the Route-Policy: filter-policy route-policy route-policy-name import
----End
Configuring an Overload Bit for an IPv4 IS-IS Device

If an IS-IS device needs to be temporarily isolated, configure the IS-IS device to enter the
overload state to prevent other devices from forwarding traffic to this IS-IS device and prevent
blackhole routes.
Context
If an IS (for example, an IS to be upgraded or maintained) needs to be temporarily isolated,
configure the IS to enter the overload state so that no device will forward traffic to this IS.
IS-IS routes converge more quickly than BGP routes. To prevent blackhole routes on a network
where both IS-IS and BGP are configured, set an overload bit to instruct an IS to enter the
overload state during its start or restart. After BGP convergence is complete, cancel the overload
bit.
Procedure
Step 1 Run:
system-view

Step 2 Run:
Issue 02 (2013-12-31)

2345

Equipment
8 IP Routing
isis [ process-id ]

Step 3 Run:
set-overload [ on-startup [ timeout1 | start-from-nbr system-id [ timeout1
[ timeout2 ] ] | wait-for-bgp [ timeout1 ] ] ] [ allow { interlevel | external }
* ]
The overload bit is configured.

----End

After configuring IPv4 IS-IS route selection, run the following commands to verify that the
configurations are correct.
Procedure
l
Run the display isis route [ process-id | [ vpn-instance vpn-instance-name | vpn6instance vpn6-instance-name ] * ] [ ipv4 ] [ verbose | [ level-1 | level-2 ] | ip-address
[ mask | mask-length ] ] * [ | count ] command to check IS-IS routing information.
Run the display isis lsdb [ { level-1 | level-2 } | verbose | { local | lsp-id | is-name symbolicname } ] * [ process-id | vpn-instance vpn-instance-name ] command to check information
in the IS-IS LSDB.
----End
Example
On a Level-1 device, run the display isis route command to check IS-IS routing information.
If the Level-1-2 device is enabled to leak IS-IS routes in the Level-2 area to Level-1 areas, the
output of the display isis route command is similar to the following information. For example,
the route 192.168.1.0/24 in the Level-2 area is displayed, and Up/Down is U.
-------------------------------IPV4 Destination
IntCost
NextHop
Flags
------------------------------------------------------------------------------0.0.0.0/0
10
NULL
GE0/2/1
10.1.1.2
A/-/-/192.168.1.0/24
30
NULL
GE0/2/1
10.1.1.2
A/-/-/U
10.1.1.0/24
10
NULL
GE0/2/1
Direct
D/-/L/20.1.1.0/24
20
NULL
GE0/2/1
10.1.1.2
A/-/-/Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
U-Up/Down Bit Set
On the Level-1-2 device, run the display isis lsdb verbose command to check whether the
Level-1-2 device has leaked the route 192.168.1.0/24 to Level-1 areas.
<HUAWEI> display isis lsdb verbose
Database information for ISIS(1)
Issue 02 (2013-12-31)

2346

Equipment
8 IP Routing
-------------------------------Level-1 Link State Database

LSPID
Seq Num
Checksum
Holdtime
Length ATT/P/OL
------------------------------------------------------------------------------1111.1111.1111.00-00 0x00000004
0xb05f
962
68
0/0/0
SOURCE
1111.1111.1111.00
NLPID
IPV4
AREA ADDR
10
INTF ADDR
10.1.1.1
NBR ID
2222.2222.2222.01 COST: 10
IP-Internal 10.1.1.0
255.255.255.0
COST: 10
2222.2222.2222.00-00* 0x00000008
0x133c
SOURCE
2222.2222.2222.00
NLPID
IPV4
AREA ADDR
10
INTF ADDR
10.1.1.2
INTF ADDR
20.1.1.1
NBR ID
2222.2222.2222.01 COST: 10
255.255.255.0
255.255.255.0
IP-Internal* 192.168.1.0
255.255.255.0
2222.2222.2222.01-00* 0x00000001
0xdcb2
SOURCE
2222.2222.2222.01
NLPID
IPV4
NBR ID
2222.2222.2222.00 COST: 0
NBR ID
1111.1111.1111.00 COST: 0
1190
96
1/0/0
55
0/0/0
COST: 10
COST: 10
COST: 10
980
Total LSP(s): 3
*(In TLV)-Leaking Route, *(By LSPID)-Self LSP, +-Self LSP(Extended),
ATT-Attached, P-Partition, OL-Overload
Level-2 Link State Database

LSPID
Seq Num
Checksum
Holdtime
Length ATT/P/OL
------------------------------------------------------------------------------2222.2222.2222.00-00* 0x00000008
0x1d57
1017
84
0/0/0
SOURCE
2222.2222.2222.00
NLPID
IPV4
AREA ADDR
10
INTF ADDR
10.1.1.2
INTF ADDR
20.1.1.1
NBR ID
3333.3333.3333.00 COST: 10
255.255.255.0
COST: 10
255.255.255.0
COST: 10
3333.3333.3333.00-00 0x00000006
0x5c57
SOURCE
3333.3333.3333.00
NLPID
IPV4
AREA ADDR
20
INTF ADDR
20.1.1.2
INTF ADDR
192.168.1.1
NBR ID
2222.2222.2222.00 COST: 10
255.255.255.0
255.255.255.0
1029
84
0/0/0
COST: 10
COST: 0
Run the display isis lsdb command to check whether an IS-IS device is in the overload state. If
an IS-IS device is in the overload state, the command output is similar to the following
information.
<HUAWEI> display isis lsdb
Issue 02 (2013-12-31)

2347

Equipment
8 IP Routing

-------------------------------ATTENTION :: System is overloaded
Manual overload set
YES
OverLoad on Startup
NO
System Memory Low
NO
Memory Allocate Failure NO

LSPID
Seq Num
Checksum
Holdtime
Length ATT/P/OL
------------------------------------------------------------------------------1111.1111.1111.00-00* 0x00000005
0xb258
1193
68
0/0/1
2222.2222.2222.00-00 0x0000016317 0xd2fd
1167
84
1/0/0
2222.2222.2222.01-00 0x00000001
0xdcb2
449
55
0/0/0
Total LSP(s): 3
Run the display isis route command to check IS-IS routing information. If equal-cost IS-IS
routes are configured to work in load-balancing mode, multiple next hops will be displayed in
the command output. For example, two next hops, 10.1.1.2 and 10.1.2.2, to the 172.17.1.0/24
network segment are displayed, and their route costs are both 30.
-------------------------------IPV4 Destination
IntCost
NextHop
Flags
--------------------------------------------------------------------------192.168.1.0/24
20
NULL
GE0/2/2
10.1.2.2
A/-/L/10.1.1.0/24
10
NULL
GE0/2/1
Direct
D/-/L/172.16.1.0/24
10
NULL
GE0/2/0
Direct
D/-/L/172.17.1.0/24
30
NULL
GE0/2/1
10.1.1.2
A/-/L/GE0/2/2
10.1.2.2
10.1.2.0/24
10
NULL
GE0/2/2
Direct
D/-/L/192.168.0.0/24
20
NULL
GE0/2/1
10.1.1.2
A/-/L/Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
U-Up/Down Bit Set
8.7.5 Configuring IPv4 IS-IS Route Summarization

To improve the route searching efficiency and simplify route management on a large-scale ISIS network, configure IS-IS route summarization to reduce the number of IS-IS routes in a
routing table.
Context
Route summarization is used to summarize routes with the same IP prefix into one route.
On a large-scale IS-IS network, route summarization can be configured to reduce the number
of IS-IS routes in a routing table. This summarization improves the usage of system resources
and facilitates route management.
If a link on an IP network segment that is summarized frequently alternates between Up and
Down states, IP network segments that are not summarized will not be affected, preventing route
flapping and improving the network stability.
Issue 02 (2013-12-31)

2348

Equipment
8 IP Routing
Procedure
Step 1 Run:
system-view

Step 2 Run:
isis [ process-id ]

Step 3 Run:
summary ip-address mask [ avoid-feedback | generate_null0_route | tag tag |
[ level-1 | level-1-2 | level-2 ] ] *
The specified IS-IS routes are summarized into one IS-IS route.
NOTE
After route summarization is configured on an IS, the local routing table still contains all specific routes
before the summarization.
The routing tables on other ISs contain only the summary route, and the summary route is deleted only
after all its specific routes are deleted.
----End

After the route summarization function is configured, perform the following steps to check
whether the route summarization function has taken effect.
l
Run the display isis route command to check summary routes in the IS-IS routing table.
Run the display ip routing-table [ verbose ] command to check summary routes in the IP
routing table.
8.7.6 Configuring IPv4 IS-IS to Interact with Other Routing

Protocols
If other routing protocols are configured on an IS-IS network, you need to configure IS-IS to
interact with these protocols to ensure successful communication between them.
Before You Start

Before configuring IPv4 IS-IS to interact with other routing protocols, familiarize yourself with
the usage scenario, complete the pre-configuration tasks, and obtain the data required for the
configuration.
If other routing protocols are configured on an IS-IS network, the following issues need to be
considered:
l
Preference of IS-IS routes

If multiple routes to the same destination are discovered by different routing protocols
running on the same device, the route discovered by the protocol with the highest preference
Issue 02 (2013-12-31)

2349

Equipment
8 IP Routing
is selected. For example, if both OSPF and IS-IS are configured, the route discovered by
OSPF is used because OSPF enjoys a higher preference than IS-IS by default.
Therefore, if you want the route discovered by IS-IS to be used, configure IS-IS to have
the highest preference.
l
Communication between an IS-IS area and other areas

If other routing protocols are configured on an IS-IS network, you need to configure IS-IS
to interact with those routing protocols so that IS-IS areas can communicate with non-ISIS areas.
NOTE
The LSDBs of different IS-IS processes on a device are independent of each other. Therefore, each
IS-IS process on the device considers routes of the other IS-IS processes as external routes.
To ensure successful traffic forwarding, configure IS-IS to interact with other routing
protocols on a device where external routes are configured, for example, a Level-1-2 ISIS router. Available method is configuring IS-IS to import external routes. This mode
enables all devices in IS-IS areas to learn external routes, implementing refined control
over traffic forwarding.
To ensure successful forwarding of traffic destined for IS-IS areas, you must also enable
the other routing protocols to interact with IS-IS.
Before configuring IPv4 IS-IS to interact with other routing protocols, complete the following
tasks:
l
Configuring the link layer protocol on interfaces
the network layer
Configuring basic functions of other routing protocols
Data Preparation
To configure the IPv4 IS-IS route convergence speed, you need the following data.
No.
Data
ACL for filtering routes, IP prefix list, or routing policy
Preference value of IS-IS
Configuring a Preference Value for IPv4 IS-IS

If multiple routes to the same destination are discovered by different routing protocols,
configuring the highest preference value for IS-IS allows a route discovered by IS-IS to be
selected preferentially.
Issue 02 (2013-12-31)

2350

Equipment
8 IP Routing
Context
If multiple routes to the same destination are discovered by different routing protocols running
on the same device, the route discovered by the protocol with the highest preference is selected.
For example, if both OSPF and IS-IS are configured on a network, the route discovered by OSPF
is used because OSPF has a higher preference than IS-IS by default.
To prefer a route discovered by IS-IS, configure a higher preference value for IS-IS. In addition,
a routing policy can be configured to increase the preferences of specified IS-IS routes, without
affecting route selection.
Procedure
l
Configure the IS-IS preference value.

1.
Run:
system-view

2.
Run:
isis [ process-id ]

3.
Run:
preference preference
The IS-IS preference value is configured.

NOTE
A smaller preference value indicates a higher preference.

The default IS-IS preference value is 15.
Configure preference values for specified IS-IS routes.

1.
Run:
system-view

2.
Run:
isis [ process-id ]

3.
Run:
preference preference route-policy route-policy-name
The preference values are configured for the specified IS-IS routes.
NOTE
preference takes effect only for IS-IS routes that match the specified routing policy.
----End
Configuring IPv4 IS-IS to Advertise a Default Route

To forward all traffic in an IS-IS area through a default route, configure IS-IS on a Level-1-2
device to advertise the default route.
Issue 02 (2013-12-31)

2351

Equipment
8 IP Routing
Context
Only the route 0.0.0.0/0 can be advertised as a default route on a Level-1-2 device. All traffic
destined for other areas is first forwarded to the Level-1-2 device.
To ensure successful traffic forwarding, external routes must be learned on the Level-1-2 device.
NOTE
Configuring static default routes can also achieve the function of interaction between different routing
protocols, but require large configurations and are difficult to manage.
If multiple Level-1-2 devices are deployed, a routing policy can be configured to allow only the Level-1-2
device that meets the specified conditions to advertise a default route, preventing blackhole routes.
Procedure
Step 1 Run:
system-view

Step 2 Run:
isis [ process-id ]

Step 3 Run:
default-route-advertise [ always | match default | route-policy route-policy-name ]
[ cost cost | tag tag | [ level-1 | level-1-2 | level-2 ] ] * [ avoid-learning ]
IS-IS is configured to advertise a default route.

----End
Configuring IPv4 IS-IS to Import External Routes

If devices in an IS-IS routing domain need to learn external routes, configure IS-IS on a Level-1-2
device of this routing domain to import external routes.
Context
If IS-IS is configured on a Level-1-2 device to advertise a default route, all traffic in IS-IS routing
domains will be forwarded by this Level-1-2 device. This will burden this Level-1-2 device
because no external route can be learned on the devices in the IS-IS routing domains.
If multiple Level-1-2 devices are deployed, optimal routes to other routing domains need to be
selected. To ensure optimal routes are selected, all the other devices in the IS-IS routing domains
must learn all or some external routes.
Routing policies can be configured to import or advertise external routes that meet specified
conditions to the IS-IS routing domains.
Procedure
l
Configure IS-IS to import external routes.

1.
Run:
system-view
Issue 02 (2013-12-31)

2352

Equipment
8 IP Routing

2.
Run:
isis [ process-id ]

3.
Configuring IS-IS to Import External Routes

If you want to set the cost for the imported route, you can run the import-route
{ direct | static | unr | { ospf | rip | isis } [ process-id ] | bgp [ permit-ibgp ] }
[ cost-type { external | internal } | cost cost | tag tag | route-policy route-policyname | [ level-1 | level-2 | level-1-2 ] ] * command to import the external routes.
If you want to keep the original cost for the imported route, you can run the importroute { { ospf | rip | isis } [ process-id ] | bgp [ permit-ibgp ] | direct } inheritcost [ tag tag | route-policy route-policy-name | [ level-1 | level-2 | level-1-2 ] ]
* command to import the external routes. When configuring IS-IS to retain the
original cost value of the imported route, the source routes cannot be static.
NOTE
IS-IS will advertise all imported external routes to an IS-IS routing domain by default.
If only some imported external routes need to be advertised, run the filter-policy export
command to set a filtering policy.
If an IS-IS device has a small routing table capacity, run the import-route limit limitnumber [ threshold-alarm upper-limit upper-limit-value lower-limit lower-limit-value ]
{ level-1 | level-2 | level-1-2 } command to set the maximum number of external routes that
can be imported into an IS-IS routing domain.
Configure IS-IS to advertise some external routes to an IS-IS routing domain.

1.
Run:
system-view

2.
Run:
isis [ process-id ]

3.

a.
Run filter-policy { acl-number | acl-name acl-name } import, IS-IS is

configured to advertise specified external routes to the IS-IS routing domain.
b.
c.
displayed.
d.
ACL.
Issue 02 (2013-12-31)

2353

Equipment
8 IP Routing
system.
routes.
a.
Run filter-policy acl-name acl-name import, IS-IS is configured to advertise

specified external routes to the IS-IS routing domain.
b.
c.

d.

the basic ACL.
system.
Issue 02 (2013-12-31)

2354

Equipment
8 IP Routing

routes.
Based on the IP prefix: filter-policy ip-prefix ip-prefix-name import
Based on the Route-Policy: filter-policy route-policy route-policy-name import
NOTE
After this command is run, only external routes that meet the specified conditions can be
advertised to the IS-IS routing domain.
----End

After IS-IS is enabled to import routes from other protocols, run the following commands to
verify that the configurations are correct.
Procedure
l
Run the display isis lsdb [ { level-1 | level-2 } | verbose | { local | lsp-id | is-name symbolicname } ] * [ process-id | vpn-instance vpn-instance-name ] command to check IS-IS LSDB
information.
Run the display isis route [ process-id | [ vpn-instance vpn-instance-name | vpn6instance vpn6-instance-name ] * ] [ ipv4 ] [ verbose | [ level-1 | level-2 ] | ip-address
[ mask | mask-length ] ] * [ | count ] command to check IS-IS routing information.
Run the display ip routing-table ip-prefix ip-prefix-name [ verbose ] command to check

the IP routing table.
----End
Example
Run the display isis lsdb verbose command on the device that generates a default route. The
command output shows that IS-IS has advertised a default route.
LSPID
Seq Num
Checksum
Holdtime
Length ATT/P/OL
------------------------------------------------------------------------------1111.1111.1111.00-00 0x00000004
0xb25b
1123
68
0/0/0
SOURCE
1111.1111.1111.00
NLPID
IPV4
AREA ADDR
10
Issue 02 (2013-12-31)

2355

Equipment
INTF ADDR
NBR ID
IP-Internal
10.1.1.1
2222.2222.2222.01 COST: 10
10.1.1.0
255.255.255.0
2222.2222.2222.00-00* 0x00000007
0xd63a
SOURCE
2222.2222.2222.00
NLPID
IPV4
AREA ADDR
10
INTF ADDR
10.1.1.2
INTF ADDR
20.1.1.1
NBR ID
2222.2222.2222.01 COST: 10
NBR ID
3333.3333.3333.00 COST: 10
255.255.255.0
255.255.255.0
2222.2222.2222.00-01* 0x00000001
0xc25d
SOURCE
2222.2222.2222.00
IP-Internal 0.0.0.0
0.0.0.0
8 IP Routing
COST: 10
1165
95
0/0/0
41
0/0/0
COST: 10
COST: 10
1189
COST: 0
2222.2222.2222.01-00* 0x00000001
0xdcb2
SOURCE
2222.2222.2222.01
NLPID
IPV4
NBR ID
2222.2222.2222.00 COST: 0
NBR ID
1111.1111.1111.00 COST: 0
1141
55
0/0/0
3333.3333.3333.00-00 0x00000004
0xac80
SOURCE
3333.3333.3333.00
NLPID
IPV4
AREA ADDR
10
INTF ADDR
20.1.1.2
NBR ID
2222.2222.2222.00 COST: 10
255.255.255.0
1164
68
0/0/0
COST: 10
Total LSP(s): 5
Run the display isis route command on the device that receives the default route. The command
output shows that the default route with a next-hop address of 20.1.1.2 has been imported into
the Level-2 IS-IS routing table.
-------------------------------IPV4 Destination
IntCost
NextHop
Flags
------------------------------------------------------------------------------10.1.1.0/24
10
NULL
GE0/2/0
Direct
D/-/L/20.1.1.0/24
10
NULL
GE0/2/1
Direct
U-Up/Down Bit Set
ISIS(1) Level-2 Forwarding Table

-------------------------------IPV4 Destination
IntCost
NextHop
Flags
------------------------------------------------------------------------------0.0.0.0/0
10
NULL
GE0/2/4
20.1.1.2
A/-/-/10.1.1.0/24
10
NULL
GE0/2/0
Direct
D/-/L/20.1.1.0/24
10
NULL
GE0/2/1
Direct
Issue 02 (2013-12-31)

2356

Equipment
8 IP Routing
U-Up/Down Bit Set
Run the display isis route command to view the IS-IS routing table. The command output shows
that the direct route 192.168.1.0/24 and OSPF route 14.1.1.1/32 have been imported into the
Level-2 IS-IS routing table.
-------------------------------IPV4 Destination
IntCost
NextHop
Flags
------------------------------------------------------------------------------10.1.1.0/24
20
NULL
GE0/2/2
20.1.1.1
A/-/-/20.1.1.0/24
10
NULL
GE0/2/2
Direct
U-Up/Down Bit Set
ISIS(1) Level-2 Redistribute Table

---------------------------------Type IPV4 Destination
IntCost
ExtCost Tag
------------------------------------------------------------------------------D
192.168.1.0/24
0
20
O
14.1.1.1/32
0
20
Type: D-Direct, I-ISIS, S-Static, O-OSPF, B-BGP, R-RIP
Run the display ip routing-table command to view the IP routing table. The command output
shows that the value of Preference of IPv4 IS-IS has been changed from its default value 15 to
20.
Destinations : 6
Routes : 6
Destination/Mask
10.1.1.0/24
10.1.1.1/32
10.1.1.2/32
22.2.2.0/24
127.0.0.0/8
127.0.0.1/32
Proto
Pre
Direct
Direct
Direct
ISIS-L2
Direct
Direct
0
0
0
20
0
0
Cost
0
0
0
10
0
0
Flags NextHop
D
D
D
D
D
D
10.1.1.1
127.0.0.1
10.1.1.2
10.1.1.2
127.0.0.1
127.0.0.1
Interface
GE0/2/3
InLoopBack0
GE0/2/3
GE0/2/3
InLoopBack0
InLoopBack0
8.7.7 Configuring the IPv4 IS-IS Route Convergence Speed

Accelerating IS-IS route convergence can improve the fault location efficiency and improve the
Before You Start

Before configuring the IPv4 IS-IS route convergence speed, familiarize yourself with the usage
Issue 02 (2013-12-31)

2357

Equipment
8 IP Routing
The procedure for implementing IS-IS is as follows:
l
Establishment of neighboring relationships: establishes neighboring relationships by

exchanging Hello packets between two devices.
LSP flooding: implements LSDB synchronization between devices in the same area.
SPF calculation: uses the SPF algorithm to calculate IS-IS routes, and delivers the IS-IS
routes to the routing table.
To accelerate the IS-IS route convergence speed, configure the following parameters:
l
Interval for detecting IS-IS neighboring device failures
Flooding parameters of CSNPs and LSPs
Interval for SPF calculation
You can also configure convergence priorities for IPv4 IS-IS routes so that key routes can be
converged by preference when a network topology changes. This minimizes adverse impacts on
key services.
Before configuring the IPv4 IS-IS route convergence speed, complete the following tasks:
l
the network layer
Data Preparation
No.
Data
Interval at which Hello packets are sent and the holding time of neighboring
devices
Flooding time of CSNPs and LSPs
Route convergence priority
Configuring the Interval for Detecting IS-IS Neighboring Device Failures

To minimize the effects caused by neighboring device failures on an IS-IS network, accelerate
the speed of detecting IS-IS neighboring device failures.
Context
Connection status between an IS-IS device and its neighboring devices can be monitored by
exchanging Hello packets at intervals. An IS-IS neighboring device is considered Down if the
Issue 02 (2013-12-31)

2358

Equipment
8 IP Routing
IS-IS device does not receive any Hello packets from the neighboring device within the specified
period (called the holding time). A failure in an IS-IS neighboring device will trigger LSP
flooding and SPF calculation, after which IS-IS routes are reconverged.
To speed up fault detection, use the following methods to accelerate the speed of detecting ISIS neighboring device failures:
l
Shorten the interval at which Hello packets are sent.
Shorten the holding time of neighboring devices.
Configuring Dynamic IPv4 BFD for IS-IS.

NOTE
Configuring IPv4 BFD for IS-IS is recommended because this method provides a faster fault detection
speed than the other two methods.
Procedure
l
Set an interval at which Hello packets are sent.

1.
Run:
system-view

2.
Run:

3.
Run:
The interval at which Hello packets are sent is set.

NOTE
A broadcast link can transmit both Level-1 and Level-2 Hello packets. You can set different
sending intervals for these two types of Hello packets. By default, both Level-1 and Level-2
Hello packets are sent.
A P2P link can transmit only one type of Hello packets. Therefore, there is no need to specify
the level-1 or level-2 parameter if a P2P link is used.
Set the holding multiplier for neighboring devices.

1.
Run:
system-view

2.
Run:

3.
Run:
The holding multiplier of neighboring devices is set.

Issue 02 (2013-12-31)

2359

Equipment
8 IP Routing
NOTE
----End
Setting Flooding Parameters of SNPs and LSPs

To speed up LSDB synchronization between devices, set flooding parameters of SNPs and LSPs
to proper values.
Context
SNPs consist of CSNPs and PSNPs. CSNPs carry summaries of all LSPs in LSDBs, ensuring
LSDB synchronization between neighboring routers. SNPs are processed differently on
broadcast links and P2P links.
l
On a broadcast link, CSNPs are periodically sent by a DIS device. If a router detects that
its LSDB is not synchronized with that on its neighboring router, the router will send PSNPs
to apply for missing LSPs.
On a P2P link, CSNPs are sent only during initial establishment of neighboring
relationships. If a request is acknowledged, a neighboring router will send a PSNP in
response to a CSNP. If a router detects that its LSDB is not synchronized with that on its
neighboring router, the router will also send PSNPs to apply for missing LSPs.
To speed up LSDB synchronization, modify the following parameters of SNPs and LSPs on the
ATN:
l
Interval at which CSNPs are sent
Intelligent timer controlling LSP generation
Maximum length of LSPs
Refresh interval of LSPs
Maximum lifetime of LSPs
Minimum interval at which LSPs are sent
LSP fast flooding
Interval at which LSPs are retransmitted over a P2P link
Set an interval at which CSNPs are sent.
Procedure
1.
Run:
system-view

2.
Run:

Issue 02 (2013-12-31)

2360

Equipment
3.
8 IP Routing
Run:
The interval at which CSNPs are sent is set on the specified interface.
NOTE
Configure Level-1 and Level-2 only when a broadcast interface is specified.
Configure the intelligent timer controlling LSP generation.

1.
Run:
system-view

2.
Run:
isis [ process-id ]

3.
Run:
The intelligent timer controlling LSP generation is configured.

If a level is not specified, both level-1 and level-2 are used by default.
The delay in generating an LSP or an LSP fragment for the first time is determined
by init-interval; the delay in generating an LSP or an LSP fragment for the second
time is determined by incr-interval. From the third time on, the delay in generating
an LSP increases twice every time until the delay reaches the value specified by maxinterval. After the delay remains at the value specified by max-interval for three times
or the IS-IS process is restarted, the delay decreases to the value specified by initinterval.
If incr-interval is not specified, the delay in generating an LSP or LSP fragment for
the first time is determined by init-interval. From the second time on, the delay in
generating an LSP is determined by max-interval. After the delay remains at the value
specified by max-interval for three times or the IS-IS process is restarted, the delay
decreases to the value specified by init-interval.
When only max-interval is specified, the intelligent timer functions as an ordinary
one-time triggering timer.
l
Set the maximum length for LSPs.

1.
Run:
system-view

2.
Run:
isis [ process-id ]

3.
Run:
The maximum length is set for each LSP to be generated.

Issue 02 (2013-12-31)

2361

Equipment
4.
8 IP Routing
Run:
The maximum length is set for each LSP to be received.

NOTE
Ensure that the value of max-size for LSPs to be generated must be smaller than or equal to the
value of max-size for LSPs to be received.
The value of max-size in the lsp-length command must meet the following conditions.
The MTU of an Ethernet interface must be greater than or equal to the sum of the
value of max-size and 3.
The MTU of a P2P interface must be greater than or equal to the value of maxsize.
l
Set the refresh interval for LSPs.

1.
Run:
system-view

2.
Run:
isis [ process-id ]

3.
Run:
A refresh interval is set for LSPs.

To synchronize all LSPs in the areas, IS-IS regularly transmits all the current LSPs to
neighbors.
By default, the LSP refresh interval is 900s, and the maximum lifetime of an LSP is
1200s. Ensure that the LSP refresh interval is more than 300s shorter than the
maximum LSP lifetime. This allows new LSPs to reach all routers in an area before
existing LSPs expire.
NOTE
The larger a network, the greater the deviation between the LSP refresh interval and the
maximum LSP lifetime.
Set the maximum lifetime for LSPs.

1.
Run:
system-view

2.
Run:
isis [ process-id ]

3.
Run:
The maximum lifetime is set for LSPs.

Issue 02 (2013-12-31)

2362

Equipment
8 IP Routing
When a router generates the system LSP, it fills in the maximum lifetime for this LSP.
After this LSP is received by other routers, the lifetime of the LSP is reduced gradually.
If the router does not receive any more update LSPs and the lifetime of the LSP is
reduced to 0, the LSP will be deleted from the LSDB 60s later if no more updated
LSPs are received.
l
Set the minimum interval at which LSPs are sent.

1.
Run:
system-view

2.
Run:

3.
Run:
The minimum interval at which LSPs are sent is set.

The count parameter specifies the maximum number of LSPs that can be sent within
the interval specified by throttle-interval. The value of count is an integer ranging
from 1 to 1000.
l
Enable LSP fast flooding.

1.
Run:
system-view

2.
Run:
isis [ process-id ]

3.
Run:
flash-flood [ lsp-count | max-timer-interval interval | [ level-1 |
level-2 ] ] *
The LSP fast flooding is enabled.

The flash-flood command speeds up LSP flooding by flooding newly generated or
received LSPs immediately without waiting for the expiry of the timer set using the
isis timer lsp-throttle command.
You can specify lsp-count to flood a certain number of LSPs and specify interval to
flood LSPs at a certain interval. If the number of LSPs to be flooded exceeds the value
of lsp-count, a maximum of lsp-count number of LSPs are flooded each time in time
sequence at an interval specified by interval until all the LSPs are flooded.
When LSP fast flooding is enabled, Level-1 LSPs and Level-2 LSPs are fast flooded
by default if no level is specified.
l
Set an interval at which LSPs are retransmitted over a P2P link.

1.
Run:
system-view
Issue 02 (2013-12-31)

2363

Equipment
8 IP Routing

2.
Run:

3.
(Optional) Run:
Emulate a broadcast interface to the P2P interface.

4.
Run:
isis timer lsp-retransmit retransmit-interval
The interval at which LSPs are retransmitted over a P2P link is set.
----End
Setting the SPF Calculation Interval

To improve the fault location efficiency on an IS-IS network and prevent SPF calculation from
consuming excessive system resources, set the SPF calculation interval to a proper value.
Context
A network change always triggers IS-IS to perform SPF calculation. Frequent SPF calculation
will consume excessive CPU resources, affecting services.
To solve this problem, configure an intelligent timer to control the interval for SPF calculation.
For example, to speed up IS-IS route convergence, set the interval for SPF calculation to a small
value, and set the interval to a large value after the IS-IS network becomes stable.
Procedure
Step 1 Run:
system-view

Step 2 Run:
isis [ process-id ]

Step 3 Run:
timer spf max-interval [ init-interval [ incr-interval ] ]
The SPF intelligent timer is configured.

The intelligent timer changes as follows:
l The delay for the first SPF calculation is determined by init-interval; the delay for the second
SPF calculation is determined by incr-interval. From the third time on, the delay in SPF
calculation increases twice every time until the delay reaches the value specified by maxinterval. After the delay remains at the value specified by max-interval for three times or the
IS-IS process is restarted, the delay decreases to the value specified by init-interval.
l If incr-interval is not specified, the delay in SPF calculation for the first time is determined
by init-interval. From the second time on, the delay in SPF calculation is determined by maxIssue 02 (2013-12-31)

2364

Equipment
8 IP Routing
interval. After the delay remains at the value specified by max-interval for three times or the
l When only max-interval is specified, the intelligent timer functions as an ordinary one-time
triggering timer.
spf-slice-size duration-time
The maximum duration for SPF calculation is configured.

----End
Configuring Convergence Priorities for IPv4 IS-IS Routes

If some IS-IS routes need to be converged by preference to minimize adverse impacts on services,
configure those routes to have the highest convergence priority.
Context
By default, the convergence priority of 32-bit host routes is medium, and the convergence
priority of the other IS-IS routes is low.
The ATN allows you to configure the highest convergence priority for specific IS-IS routes so
that those IS-IS routes will be converged first when a network topology changes.
Procedure
Step 1 Run:
system-view

Step 2 Run:
isis [ process-id ]

Step 3 Run:
prefix-priority [ level-1 | level-2 ] { critical | high | medium } { ip-prefix
prefix-name | tag tag-value }
Convergence priorities are set for IS-IS routes.

The application rules of the convergence priorities for IS-IS routes are as follows:
l Existing IS-IS routes are converged based on the priorities configured in the prefixpriority command.
l New IS-IS routes are converged based on the priorities configured in the prefix-priority
command.
l If an IS-IS route conforms to the matching rules of multiple convergence priorities, the
highest convergence priority is used.
l The convergence priority of a Level-1 IS-IS route is higher than that of a Level-2 IS-IS route.
l If the route level is not specified, the configuration of the prefix-priority command takes
effect for both Level-1 and Level-2 IS-IS routes.
Issue 02 (2013-12-31)

2365

Equipment
8 IP Routing
NOTE
The prefix-priority command is only applicable to the public network.

After the prefix-priority command is run, the convergence priority of 32-bit host routes is low, and the
convergence priorities of the other routes are determined as specified in the prefix-priority command.

quit

ip route prefix-priority-scheduler critical-weight high-weight medium-weight lowweight
The preference-based scheduling ratio of IPv4 routes is configured.

By default, the preference-based scheduling ratio of IPv4 routes is 8:4:2:1.
----End

After the parameters specifying the IPv4 IS-IS route convergence speed are set, run the following
commands to verify that the configurations are correct.
Procedure
l
Run the display isis interface [ [ verbose | traffic-eng ] * | tunnel ] [ process-id | vpninstance vpn-instance-name ] command to check IS-IS packet information.
Run the display isis route [ process-id | vpn-instance vpn-instance-name ] [ ipv4 ]

[ verbose | [ level-1 | level-2 ] | ip-address [ mask | mask-length ] ] * [ | count ] command
to check the preference of IS-IS routes.
----End
Example
Run the display isis interface verbose command. The command output shows that GE0/3/3
sends Hello packets at an interval of 15 s, the holding multiplier of neighboring devices is 10,
the sending interval for Level-1 CSNPs is 123 s, and the minimum sending interval for LSPs is
159 s.
--------------------------------Interface
Id
IPV4.State
MTU Type DIS
GE0/2/3
001
Up
1497 L1/L2 No/No
Description
: HUAWEI, Quidway Series, GigabitEthernet0/2/3 Interface
SNPA Address
: 00e0-095b-4201
IP Address
: 123.1.1.1
Csnp Timer Value
: L1
123 L2
10
Hello Timer Value
: L1
15 L2
15
: L1
5 L2
5
: L1
10 L2
10
LSP-Throttle Timer
: L12 159
Cost
: L1
10 L2
10
Priority
: L1
64 L2
64
: L12
5
Issue 02 (2013-12-31)

2366

Equipment
Bandwidth-Value
Static Bfd
Dynamic Bfd
Fast-Sense Rpr
8 IP Routing
:
:
:
:
Low 100000000
NO
NO
NO
High
Run the display isis route verbose command. The command output shows that the convergence
priority of the route 10.10.10.0/24 imported by IS-IS is Critical.
<HUAWEI> display isis route verbose
-------------------------------IPV4 Dest
Admin Tag
Priority
NextHop
1.1.1.2
: 10.10.10.0/24
: : Critical
:
Int. Cost : 20
Src Count : 2
Ext. Cost : NULL

Flags
: A/-/-/-
Interface :
GE0/2/1
ExitIndex :
0x80000001
IPV4 Dest
Admin Tag
Priority
NextHop
Direct
: 1.1.1.0/24
: : Medium
:
Int. Cost : 10
Src Count : 2
Ext. Cost : NULL

Flags
: D/-/L/-
Interface :
GE0/2/1
ExitIndex :
0x00000000
IPV4 Dest
Admin Tag
Priority
NextHop
1.1.1.2
: 20.20.20.0/24
: : Low
:
Int. Cost : 20
Src Count : 2
Ext. Cost : NULL

Flags
: A/-/-/-
Interface :
GE0/2/1
ExitIndex :
0x80000001
Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut

U-Up/Down Bit Set
8.7.8 Configuring Basic IPv6 IS-IS Functions

This section describes the procedures for configuring basic IPv6 IS-IS functions, including the
procedures for configuring IS-IS processes and interfaces, to implement communication
between nodes on an IPv6 IS-IS network.
Before You Start

Before configuring basic IPv6 IS-IS functions, familiarize yourself with the usage scenario,
To deploy IS-IS on an IPv6 network, configure basic IS-IS functions to implement
communication between different nodes on the network.
Other IS-IS functions can be configured only after basic IS-IS functions are configured.
Configuring basic IPv6 IS-IS functions includes the following operations:
1.
Create IPv6 IS-IS processes.
2.
Configure IPv6 IS-IS interfaces.
Issue 02 (2013-12-31)

2367

Equipment
8 IP Routing
Before configuring basic IPv6 IS-IS functions, complete the following tasks:
l
Configure a link layer protocol.
Assign an IPv6 address to each interface to ensure IP connectivity.
Enable the IPv6 in system view.
Data Preparation
To configure basic IPv6 IS-IS functions, you need the following data.
No.
Data
IS-IS process ID
NTE of an IS-IS process
Level of each device and level of each interface
Creating IPv6 IS-IS Processes

Before configuring basic IPv6 IS-IS functions, create IPv6 IS-IS processes and then enable IPv6
IS-IS interfaces.
Context
To create an IPv6 IS-IS process, perform the following operations:
l

The level of a device is level-1-2 by default.
Configure the device level based on the network planning. If no device level is configured,
IS-IS establishes separate neighbor relationships for Level-1 and Level-2 devices and
maintains two identical LSDBs, consuming excessive system resources.

After IS-IS host name mapping is configured, a host name but not the system ID of a device
will display by using display commands. This configuration improves the maintainability
on an IS-IS network.

If the local terminal monitor is enabled and the output of the IS-IS adjacency status is
enabled, IS-IS adjacency changes will be output to the router until the output of the
adjacency status is disabled.
(Optional) Enable IS-IS adjacency strict-check.

If both IPv4 and IPv6 are running on a network, and the IPv6 topology type of this network
is standard or compatible, enable IS-IS adjacency strict-check to ensure that an IS-IS
adjacency is established only when both IPv4 and IPv6 go Up. IS-IS adjacency strict-check
improves network reliability and prevents traffic losses.
Issue 02 (2013-12-31)

2368

Equipment
8 IP Routing
Procedure
l
Create an IS-IS process and configure the NET of a device, enable IPv6 for the process.
1.
Run:
system-view

2.
Run:
isis [ process-id ]
An IS-IS process is created, and the IS-IS process view is displayed.

The process-id parameter specifies the ID of an IS-IS process. The default value of
process-id is 1. To associate an IS-IS process with a VPN instance, run the isis processid vpn-instance vpn-instance-name command.
3.
Run:
network-entity net
or
network-entity area area-id auto-systemid lsr-id
A NET is configured.
NOTICE
Configuring loopback interface addresses based on NETs is recommended to ensures
that a NET is unique on the network. If NETs are not unique, route flapping will easily
occur.
System ID used in IS-IS can be obtained in the following way: extend each part of the
IP address to 3 bits, add 0 to the front of any part that is shorter than 3 bits, divide the
extended address into three parts, with each part consisting of four decimal digits, and
the reconstructed address is the system ID.
Area addresses of NETs are checked when Level-1 IS-IS neighbor relationships are
being established, but not checked when Level-2 IS-IS neighbor relationships are
being established. Level-1 IS-IS neighbor relationships can be established only if area
addresses of NETs are the same.
4.
Run:
ipv6 enable
The IPv6 of IS-IS process is enabled.

l

1.
Run:
is-level { level-1 | level-1-2 | level-2 }
The level of the ATN is configured.

l

1.
Run:
is-name symbolic-name
Issue 02 (2013-12-31)

2369

Equipment
8 IP Routing
IS-IS dynamic host name mapping is configured. The system ID of the local device
The value of symbolic-name is contained in LSP packets and advertised to other ISIS devices.
On another IS-IS device displays the value of symbolic-name, but not the system ID,
of the local IS-IS device.
2.
Run:
is-name map system-id symbolic-name
IS-IS static host name mapping is configured. The system ID of a peer IS-IS device
This command configuration takes effect only on the local IS-IS device. The value of
symbolic-name will not be added to LSP packets.
If dynamic host name mappings is configured on an IS-IS network, the mappings on
the network overwrite the mappings configured on the local ATN.
l

1.
Run:
log-peer-change
The output of the adjacency status is enabled.

l
(Optional) Enable IS-IS adjacency strict-check.

1.
Run:
adjacency-strict-check enable
IS-IS adjacency strict-check is enabled.

----End
Configuring IPv6 IS-IS Interfaces

To configure an interface on an IS-IS device to send Hello packets or flood LSPs, IS-IS must
be enabled on this interface.
Context
The level of an IS-IS device and level of an interface together determine the level of a neighbor
relationship. By default, Level-1 and Level-2 neighbor relationships will be established between
two Level-1-2 devices. If only one level of neighbor relationships is required, you can configure
the level of an interface to prevent the establishment of the other level of neighbor relationships.
After IS-IS is enabled on an interface, the interface will automatically send Hello packets,
attempting to establish neighbor relationships. If a peer device is not an IS-IS device or if an
interface is not expected to send Hello packets, suppress the interface. Then this interface only
advertises routes of the network segment where the interface resides, but does not send Hello
packets. This suppression improves the link bandwidth usage.
Procedure
l
Issue 02 (2013-12-31)
Configure an IS-IS interface.

2370

Equipment
1.
8 IP Routing
Run:
system-view

2.
Run:

3.
Run:
ipv6 enable
The IPv6 of interface is enabled.

4.
Run:
isis ipv6 enable [ process-id ]
An IS-IS interface is configured.

After this command is run, the IS-IS device uses the specified interface to send Hello
packets and flood LSPs.
NOTE
No neighbor relationship needs to be established between loopback interfaces. Therefore, if

this command is run on a loopback interface, the routes of the network segment where the
loopback interface resides will be advertised through other IS-IS interfaces.
(Optional) Configure the level of an IS-IS interface.

1.
Run:
isis circuit-level [ level-1 | level-1-2 | level-2 ]
The level of the interface is configured.

By default, the level of an interface is level-1-2.
NOTE
Changing the level of an IS-IS interface is valid only when the level of the IS-IS device is
Level-1-2. If the level of the IS-IS device is not a Level-1-2, the level of the IS-IS device
determines the level of the adjacency to be established.
(Optional) Suppress an IS-IS interface.

1.
Run:
isis silent [ advertise-zero-cost ]
The IS-IS interface is suppressed.

A suppressed IS-IS interface does not send or receive IS-IS packets. The routes of the
network segment where the interface resides, however, can still be advertised to other
routers within the area.
----End
(Optional) Configuring the IPv6 IS-IS Interfaces

Configuring the IS-IS interface costs can control IS-IS route selection.
Issue 02 (2013-12-31)

2371

Equipment
8 IP Routing
Context
The costs of IS-IS interfaces can be determined in the following modes in descending order by
priority:
l
Interface cost: is configured for a specified interface.
Global cost: is configured for all interfaces.
Automatically calculated cost: is automatically calculated based on the interface

bandwidth.
If none of the preceding configurations is performed, the default cost of an IS-IS interface is 10,
and the default cost style is narrow.
Procedure
l
Configure the IS-IS cost type.

1.
Run:
system-view

2.
Run:
isis [ process-id ]

3.
Run:
cost-style { narrow | wide | wide-compatible | { { narrow-compatible |
compatible } [ relax-spf-limit ] } }
The IS-IS cost type is configured.

The cost range of an interface and a route received by the interface vary with the cost type.
If the cost type is narrow, the cost of an interface ranges from 1 to 63. The maximum
cost of a route received by the interface is 1023.
If the cost style is narrow-compatible or compatible, the cost of an interface ranges from
1 to 63. The cost of a received route is related to relax-spf-limit.
If relax-spf-limit is not specified, the cost of a route works as follows:
If the cost of a route is not greater than 1023 and the cost of every interface that the
route passes through is smaller than or equal to 63, the cost of the route received by
the interface is the actual cost.
If the cost of a route is not greater than 1023 but the costs of all interfaces that the
route passes through are greater than 63, the IS-IS device can learn only the routes
to the network segment where the interface resides and the routes imported by the
interface. The cost of the route received by the interface is the actual cost. Subsequent
routes forwarded by the interface are discarded.
If the cost of a route is greater than 1023, the IS-IS device can learn only the interface
whose route cost exceeds 1023 for the first time. That is, the cost of each interface
before this interface is not greater than 63. The routes of the network segment where
the interface resides and the routes imported by the interface can all be learned. The
cost of the route is 1023. Subsequent routes forwarded by the interface are discarded.
If relax-spf-limit is specified, the cost of a route works as follows:
Issue 02 (2013-12-31)

2372

Equipment
8 IP Routing
There is no limit on costs of interfaces or route costs. The cost of a route received
by an interface is the actual cost.
If the cost style is wide-compatible or wide, the cost of the interface ranges from 1 to
16777215. When the cost is 16777215, the neighbor TLV generated on the link cannot
be used for route calculation but for the transmission of TE information. The maximum
cost of a received route is 0xFFFFFFFF.
l
Configure the cost of an IS-IS interface.

1.
Run:
system-view

2.
Run:

3.
Run:
isis ipv6 cost { cost | maximum } [ level-1 | level-2 ]
The cost of the IS-IS interface is configured.

You can use the isis ipv6 cost command to configure the cost of a specified interface.
l
Configure the global IS-IS cost.

1.
Run:
system-view

2.
Run:
isis [ process-id ]

3.
Run:
ipv6 circuit-cost { cost | maximum } [ level-1 | level-2 ]
The global IS-IS cost is configured.

You can use the ipv6 circuit-cost command to configure the costs of all interfaces at
a time.
l
Enable IS-IS to automatically calculate interface costs.

1.
Run:
system-view

2.
Run:
isis [ process-id ]

3.
Run:
ipv6 bandwidth-reference value
The reference value of the bandwidth is configured. By default, the bandwidth

reference value is 100 Mbit/s.
Issue 02 (2013-12-31)

2373

Equipment
4.
8 IP Routing
Run:
ipv6 auto-cost enable
The interface is configured to automatically calculate its cost.

The configuration of the bandwidth reference value takes effect only when the cost type is
wide or wide-compatible. In this case, Cost of each interface = (Value of bandwidthreference/Interface bandwidth) x 10.
NOTE
The auto-cost enable command can be run on Eth-Trunk interfaces as same with on physical
interfaces. If the command is run on an Eth-Trunk interface, the bandwidth of the Eth-Trunk interface
is equal to the total bandwidth of all its member interfaces.
If the cost-style is narrow, narrow-compatible, or compatible, the cost of each interface is

based on costs listed in Table 8-4.
Table 8-4 Mapping between IS-IS interface costs and interface bandwidth
Cost
Bandwidth Range
60
Interface bandwidth 10 Mbit/s
50

s
40

s
30

s
20
622 Mbit/s < Interface bandwidth 2.5 Gbit/

s
10
Interface bandwidth > 2.5 Gbit/s
NOTE
To change the cost of a loopback interface, run the isis ipv6 cost command only in the loopback
interface view.
----End
(Optional) Configuring IPv6 IS-IS Attributes for Interfaces on Different Types of

Networks
Different IS-IS attributes can be configured for different types of network interfaces.
Context
The establishment modes of IS-IS neighbor relationships are different on a broadcast network
and on a P2P network. Different IS-IS attributes can be configured for interfaces on different
types of networks.
Issue 02 (2013-12-31)

2374

Equipment
8 IP Routing
IS-IS is required to select a DIS on a broadcast network. Configure the DIS priorities of IS-IS
interfaces so that the interface with the highest priority will be selected as the DIS.
The network types of the IS-IS interfaces on both ends of a link must be the same; otherwise,
the IS-IS neighbor relationship cannot be established between the two interfaces. For example,
if the type of an interface on a peer device is P2P, you can configure the type of an interface on
the local device to P2P so that an IS-IS neighbor relationship can be established between the
two devices.
IS-IS on a P2P network is not required to select a DIS. Therefore, you do not need to configure
DIS priorities. To ensure the reliability of P2P links, configure IS-IS to use the three-way
handshake mode for IS-IS neighbor relationship establishment so that faults on a unidirectional
link can be detected.
Procedure
l
Configure the DIS priority of an IS-IS interface.

1.
Run:
system-view

2.
Run:

3.
Run:
isis dis-priority priority [ level-1 | level-2 ]
The DIS priority is configured on the interface. The greater the value, the higher the
priority.
l
Configure the network type of an IS-IS interface.

1.
Run:
system-view

2.
Run:

3.
Run:
The network type of the interface is set to P2P.

The network type of an interface is determined by the physical type of the interface
by default.
When the network type of an IS-IS interface changes, interface configurations change
accordingly.
After a broadcast interface is configured as a P2P interface using the isis circuittype p2p command, the default settings are restored for the interval for sending
Hello packets, the number of Hello packets that IS-IS fails to receive from a
neighbor before the neighbor is declared Down, interval for retransmitting LSPs
Issue 02 (2013-12-31)

2375

Equipment
8 IP Routing
on a P2P link, and various IS-IS authentication modes. Consequently, other

configurations such as the DIS priority, DIS name, and interval for sending CSNPs
on a broadcast network become invalid.
After the undo isis circuit-type command is run to restore the network type, the
default settings are restored for the interval for sending Hello packets, the number
of Hello packets that IS-IS fails to receive from a neighbor before the neighbor is
declared Down, interval for retransmitting LSPs on a P2P link, various IS-IS
authentication modes, DIS priority, and interval for sending CSNPs on a broadcast
network.
l
Set the negotiation mode in which P2P neighbor relationships can be set up.
1.
Run:
system-view

2.
Run:

3.
Run:
isis ppp-negotiation { 2-way | 3-way [ only ] }
The negotiation mode is specified on the interface.

By default, the 3-way handshake negotiation mode is adopted.
The isis ppp-negotiation command can only be used for the establishment of the
neighbor relationships on P2P links. In the case of a broadcast link, you can run the
isis circuit-type p2p command to set the link type to P2P, and then run the isis pppnegotiation command to set the negotiation mode for the establishment of the
neighbor relationship.
l
Configure OSICP negotiation check on PPP interfaces.

1.
Run:
system-view

2.
Run:

3.
Run:
isis ppp-osicp-check
The OSICP negotiation status is checked on a PPP interface.

By default, the OSICP negotiation status of a PPP interface does not affect the status
of an IS-IS interface.
The isis ppp-osicp-check command is applicable only to PPP interfaces. This
command is invalid for other P2P interfaces.
After this command is run, the OSICP negotiation status of a PPP interface affects the
status of an IS-IS interface. When PPP detects that the OSI network fails, the link
Issue 02 (2013-12-31)

2376

Equipment
8 IP Routing
status of the IS-IS interface goes Down and the route to the network segment where
the interface resides is not advertised through LSPs.
l
Configure IS-IS not to check whether the IP addresses of received Hello packets are on the
same network segment.
1.
Run:
system-view

2.
Run:

3.
Run:
isis peer-ip-ignore
IS-IS is configured not to check whether the IP addresses of received Hello packets
are on the same network segment.
----End

After basic IPv6 IS-IS functions are configured, you can view information about IS-IS neighbors,
interfaces, and routes.
Prerequisites
Basic IPv6 IS-IS functions have been configured.
Procedure
Step 1 Run the display isis name-table [ process-id | vpn-instance vpn-instance-name ] command to
check the mapping from the name of the local device to the system ID.
Step 2 Run the display isis peer [ verbose ] [ process-id | vpn-instance vpn-instance-name ] command
to check information about IS-IS neighbors.
Step 3 Run the display isis interface [ [ verbose | traffic-eng ] * | tunnel ] [ process-id | vpninstance vpn-instance-name ] command to check information about IS-IS interfaces.
Step 4 Run the display isis route [ process-id | vpn-instance vpn-instance-name ] ipv6 [ verbose |
[ level-1 | level-2 ] | ipv6-address [ prefix-length ] ] * [ | count ] command to check information
about IS-IS routes.
----End
Example
Run the display isis name-table command to view the mappings between host names and system
IDs.
<HUAWEI> display isis name-table
Name table information for ISIS(1)
Issue 02 (2013-12-31)

2377

Equipment
8 IP Routing
System ID
Hostname
Type
------------------------------------------------------------------------------1111.1111.1111
DeviceA
DYNAMIC
2222.2222.2222
DeviceB
DYNAMIC
Run the display isis peer command. The command output shows the status of an IS-IS neighbor,
DeviceB. System Id is displayed as DeviceB.
<HUAWEI> display isis peer
System Id
Interface
Circuit Id
State HoldTime Type
PRI
------------------------------------------------------------------------------DeviceB
GE1/0/0
DeviceB.01
Up
9s
L1
64
Total Peer(s): 1
Run the display isis interface verbose command to view information about IS-IS interfaces.
The command output shows that the DIS status of a broadcast interface is Yes, the priority of
the DIS is 20, and the cost of the interface is 30.
--------------------------------IPV4.State
IPV6.State
MTU Type DIS
Down
Up
1497 L1/L2 Yes/No
: Standard
: HUAWEI, Quidway Series, GigabitEthernet1/0/0
Interface
Id
GE1/0/0
001
Circuit MT State
Description
Interface
SNPA Address
IP Address
IPV6 Link Local Address
IPV6 Global Address(es)
Csnp Timer Value
Hello Timer Value
LSP-Throttle Timer
Cost
Ipv6 Cost
Priority
Bandwidth-Value
Static Bfd
Dynamic Bfd
Dynamic IPv6 Bfd
Fast-Sense Rpr
Suppress Base
IPv6 Suppress Base
: 00e0-870b-8100
:
: FE80::2E0:87FF:FE0B:8100
: 10:1::1/64
: L1
10 L2
10
: L1
10 L2
10
: L1
3 L2
3
: L1
3 L2
3
: L12
50
: L1
10 L2
10
: L1
30 L2
30
: L1
20 L2
20
: L12
5
: Low 1000000000 High
: NO
: NO
: NO
: NO
: NO
: NO
Run the display isis route command to view information about IS-IS IPv6 routes. The command
output shows a route with the destination network segment of 30:1::/64 and with the next-hop
address of 10:1::/64.
--------------------------------
Issue 02 (2013-12-31)

2378

Equipment
8 IP Routing
IPV6 Dest.
ExitInterface
NextHop
Cost
Flags
------------------------------------------------------------------------------30:1::/64
Pos1/0/2
Direct
10
D/L/10:1::/64
Pos1/0/2
FE80::2002:0:7A20:2
20
A/-/Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
U-Up/Down Bit Set
8.7.9 Configuring IPv6 IS-IS Route Selection

Configuring IS-IS route selection can achieve refined control over route selection.
Before You Start

Before configuring IPv6 IS-IS route selection, familiarize yourself with the usage scenario,
After basic IPv6 IS-IS functions are configured, IS-IS routes will be generated, enabling
communication between different nodes on a network.
If multiple routes are available, a route discovered by IS-IS may not the optimal route. This does
not meet network planning requirements nor facilitates traffic management. Therefore, configure
IPv6 IS-IS route selection to implement refined control over route selection.
To implement refined control over IPv6 IS-IS route selection, perform the following operations:
l
Configuring the IPv6 IS-IS Interfaces.

NOTE
Changing the IS-IS cost for an interface can achieve the function of controlling route selection, but
requires routes on the interface to be recalculated and reconverged when a network topology changes,
especially on a large-scale network. In addition, the configuration result may not meet your
expectation.
Therefore, the configuration of changing IS-IS costs has best to be finished when configuring basic
IS-IS functions.
Configure IPv6 IS-IS route leaking.
Filter IPv6 IS-IS routes.
Configure an overload bit for an IPv6 IS-IS device.
Before configuring IPv6 IS-IS route selection, complete the following tasks:
l
Configuring the link layer protocol on interfaces.
the network layer.
Configuring Basic IPv6 IS-IS Functions.
Data Preparation
To configure the IPv6 IS-IS route selection, you need the following data.
Issue 02 (2013-12-31)

2379

Equipment
No.
Data
ACL6 for filtering routes, IPv6 prefix list, or routing policy
Time when an IS-IS device enters the overload state
8 IP Routing
Configuring IPv6 IS-IS Route Leaking

Configuring IS-IS route leaking enables you to optimize IS-IS route selection on a two-levelarea network.
Context
If multiple Level-1-2 devices in a Level-1 area are connected to devices in the Level-2 area, a
Level-1 LSP sent by each Level-1-2 device carries an ATT flag bit of 1. This Level-1 area will
have multiple routes to the Level-2 area and to other Level-1 areas.
By default, routes in a Level-1 area can be leaked into the Level-2 area so that Level-1-2 and
Level-2 devices can learn about the topology of the entire network. Devices in a Level-1 area
are unaware of the entire network topology because they only maintain LSDBs in the local
Level-1 area. Therefore, a device in a Level-1 area can forward traffic to a Level-2 device only
through the nearest Level-1-2 device. The route used may not be the optimal route to the
destination.
To enable a device in a Level-1 area to select the optimal route, configure IPv6 IS-IS route
leaking so that specified routes in the Level-2 area can be leaked into the local Level-1 area.
Routes of services deployed only in the local Level-1 area do not need to be leaked into the
Level-2 area. A policy can be configured to leak only desired routes into the Level-2 area.
Procedure
l
Configure routes in the Level-2 area to leak into Level-1 area.

1.
Run:
system-view

2.
Run:
isis [ process-id ]

3.
Run:
ipv6 import-route isis level-2 into level-1 [ tag tag | filter-policy { acl6number | acl6-name acl6-name } ] *
Routes in the Level-2 area and other Level-1 areas that meet the specified
conditions are leaked into the local Level-1 area based on the ACL.
a.
Run:
quit
Issue 02 (2013-12-31)

2380

Equipment
8 IP Routing

b.
Run:
quit

c.
Run

d.
Run
rule [ rule-id ] { deny | permit } [ fragment | source { sourceipv6-address prefix-length | source-ipv6-address/prefix-length
| any } | time-range time-name | vpn-instance vpn-instancename ] *

When the rule command is run to configure rules for a named ACL, only
the source address range specified by source and the time period specified
by time-range are valid as the rules.
If the action specified in an ACL rule is permit, a route that matches
the rule will be received or advertised by the system.
If an ACL does not contain any rules, all routes matching the routepolicy that references the ACL will not be received or advertised by
the system.
matching the route-policy will be received or advertised by the
system.
In the configuration order, the system first matches a route with a rule
that has a smaller number and then matches the route with a rule with
a larger number. Routes can be filtered using a blacklist or a whitelist:
Route filtering using a blacklist: Configure a rule with a smaller
number and specify the action deny in this rule to filter out the
unwanted routes. Then, configure another rule with a larger number in
the same ACL and specify the action permit in this rule to receive or
advertise the other routes.
Route filtering using a whitelist: Configure a rule with a smaller
number and specify the action permit in this rule to permit the routes
to be received or advertised by the system. Then, configure another
rule with a larger number in the same ACL and specify the action
deny in this rule to filter out unwanted routes.
a.
Run
acl ipv6 name acl-name [ number acl-number2 ] [ match-order
{ auto | config } ]
Issue 02 (2013-12-31)

2381

Equipment
8 IP Routing

b.
Run
rule [ rule-id ] { deny | permit } protocol [ source { sourceipv6-address prefix-length | source-ipv6-address/prefix-length
| any } | time-range time-name ] *

the system.
system.
ipv6 import-route isis level-2 into level-1 [ tag tag | filter-policy ipv6-prefix
ipv6-prefix-name ] *
conditions are leaked into the local Level-1 area based on the prefix list.
ipv6 import-route isis level-2 into level-1 [ tag tag | filter-policy route-policy
conditions are leaked into the local Level-1 area based on the route policy.
NOTE
By default, routes in the Level-2 area are not leaked into Level-1 areas. After this command is
run, only routes that meet the specified conditions can be leaked into Level-1 areas.
l
Issue 02 (2013-12-31)
Configure routes in Level-1 areas to leak into the Level-2 area.

2382

Equipment
1.
8 IP Routing
Run:
system-view

2.
Run:
isis [ process-id ]

3.
Run:
ipv6 import-route isis level-1 into level-2 [ tag tag | filter-policy { acl6number | acl6-name acl6-name } ] *
Routes that meet the specified conditions in Level-1 areas are leaked into the
Level-2 area based on the ACL.
a.
Run:
quit

b.
Run:
quit

c.
Run

d.
Run

the system.
system.
Issue 02 (2013-12-31)

2383

Equipment
8 IP Routing
a.
Run
{ auto | config } ]

b.
Run

the system.
system.
Issue 02 (2013-12-31)

2384

Equipment
8 IP Routing
ipv6 import-route isis level-1 into level-2 [ tag tag | filter-policy ipv6-prefix
ipv6-prefix-name ] *
Level-2 area based on the prefix list.
ipv6 import-route isis level-1 into level-2 [ tag tag | filter-policy route-policy
Level-2 area based on the route policy.
NOTE
By default, all routes in a Level-1 area are leaked into the Level-2 area. After this command is
run, only routes that meet the specified conditions can be leaked into the Level-2 area.
----End
Filtering IPv6 IS-IS Routes

If some IS-IS routes are not preferred, configure conditions to filter IS-IS routes. Only IS-IS
routes meeting the specified conditions can be added to an IP routing table.
Context
Only routes in an IP routing table can be used to forward IP packets. An IS-IS route can take
effect only after this IS-IS route has been successfully added to an IP routing table.
If an IS-IS route does not need to be added to a routing table, specify conditions, such as a basic
ACL, IPv6 prefix, and routing policy, to filter routes so that only IS-IS routes that meet the
specified conditions can add to an IP routing table. IS-IS routes that do not meet the specified
conditions cannot be added to the IP routing table and cannot be selected to forward IP packets.
Procedure
Step 1 Run:
system-view

Step 2 Run:
isis [ process-id ]

Step 3 Run:
l ipv6 filter-policy { acl6-number | acl6-name acl6-name } import
Conditions for filtering IS-IS routes are configured based on the ACL.
Issue 02 (2013-12-31)

2385

Equipment
1.
8 IP Routing
Run:
quit

2.
Run:
quit

3.
Run

4.
Run

valid as the rules.
routes.
1.
Run
config } ]

Issue 02 (2013-12-31)

2386

Equipment
2.
8 IP Routing
Run

routes.
l ipv6 filter-policy ipv6-prefix ipv6-prefix-name import
Conditions for filtering IS-IS routes are configured based on the prefix list.
l ipv6 filter-policy route-policy route-policy-name import
Conditions for filtering IS-IS routes are configured based on the route policy.
----End
Configuring an Overload Bit for an IPv6 IS-IS Device

If an IS-IS device needs to be temporarily isolated, configure the IS-IS device to enter the
overload state to prevent other devices from forwarding traffic to this IS-IS device and prevent
blackhole routes.
Context
If an IS (for example, an IS to be upgraded or maintained) needs to be temporarily isolated,
configure the IS to enter the overload state so that no device will forward traffic to this IS.
IS-IS routes converge more quickly than BGP routes. To prevent blackhole routes on a network
where both IS-IS and BGP are configured, set an overload bit to instruct an IS to enter the
Issue 02 (2013-12-31)

2387

Equipment
8 IP Routing
overload state during its start or restart. After BGP convergence is complete, cancel the overload
bit.
Procedure
Step 1 Run:
system-view

Step 2 Run:
isis [ process-id ]

Step 3 Run:
set-overload [ on-startup [ timeout1 | start-from-nbr system-id [ timeout1
[ timeout2 ] ] | wait-for-bgp [ timeout1 ] ] ] [ allow { interlevel | external }
* ]
The overload bit is configured.

----End
Configuring IS-IS to Generate IPv6 Default Routes

This section describes how to configure Intermediate System to Intermediate System (IS-IS) to
generate IPv6 default routes to control the advertising of IS-IS routing information.
Context
The destination address and mask of a default route are all 0s. If the destination address of a
packet does not match any entry in the routing table of a device, the device sends the packet
along the default route. If neither the default route nor the destination address of the packet exists
in the routing table, the device discards the packet and informs the source end that the destination
address or network is unreachable.
IS-IS can generate default routes using either of the following mode:
l
Command-triggered default route generation mode

You can run the default-route-advertise command on a device so that the device adds a
default route to the LSP before sending the LSP to a neighbor. Therefore, the neighbor can
learn this default route.
ATT bit 1-triggered default route generation mode

IS-IS defines that a Level-1-2 router sets the ATT bit to 1 in the LSP to be advertised to a
Level-1 area if the Level-1-2 router can reach more Level-1 areas through the Level-2 area
than through the Level-1 area. After a Level-1 router in the Level-1 area receives the LSP,
it generates a default route destined for the Level-1-2 router. Based on the network
requirements, you can configure whether the Level-1-2 router sets the ATT bit carried in
the LSP and whether a Level-1 router generates a default route after it receives the LSP
carrying ATT bit 1.
NOTE
This mode applies only to Level-1 routers.
Issue 02 (2013-12-31)

2388

Equipment
8 IP Routing
Procedure
l
Configure command-triggered default route generation mode.

1.
Run:
system-view

2.
Run:
isis [ process-id ]

3.
Run:
default-route-advertise [ always | match default | route-policy routepolicy-name ] [ cost cost ] [ tag tag ] [ level-1 | level-1-2 | level-2 ]
[ avoid-learning ]
IS-IS is configured to generate default routes.

l
Configure ATT bit 1-triggered default route generation mode.

1.
Run:
system-view

2.
Run:
isis [ process-id ]

3.

To set the ATT bit in the LSPs sent by the Level-1-2 router, run the attached-bit
advertise { always | never } command.
If the always parameter is specified, the ATT bit is set to 1. After receiving the
LSPs carrying the ATT bit 1, the Level-1 router generates a default route.
If the never parameter is specified, the ATT bit is set to 0. After receiving the
LSPs carrying the ATT bit 0, the Level-1 router does not generate a default
route, which reduces the size of a routing table.
To disable the Level-1 router from generating default routes even though it receives
the LSPs carrying ATT bit 1, run the attached-bit avoid-learning command.
----End

After configuring IPv6 IS-IS route selection, run the following commands to verify that the
configurations are correct.
Procedure
l
Issue 02 (2013-12-31)

[ verbose | [ level-1 | level-2 ] | ipv6-address [ prefix-length ] ] * [ | count ] command to
check IS-IS routing information.
2389

Equipment
8 IP Routing
Run the display isis lsdb [ { level-1 | level-2 } | verbose | { local | lsp-id | is-name symbolicname } ] * [ process-id | vpn-instance vpn-instance-name ] command to check information
in the IS-IS LSDB.
----End
Example
On a Level-1 device, run the display isis route command to check IS-IS routing information.
If the Level-1-2 device is enabled to leak IS-IS routes in the Level-2 area to Level-1 areas, the
output of the display isis route command is similar to the following information. For example,
the route 44:4::/64 in the Level-2 area is displayed, and Up/Down is U.
-------------------------------IPV4 Destination
IntCost
NextHop
Flags
------------------------------------------------------------------------------0.0.0.0/0
10
NULL
IPV6 Dest.
ExitInterface
NextHop
Cost
Flags
------------------------------------------------------------------------------::/0
GE1/0/0
FE80::2E0:51FF:FE52:8100
10
A/-/20:1::/64
GE1/0/0
FE80::2E0:51FF:FE52:8100
20
A/-/10:1::/64
GE1/0/0
Direct
10
D/L/44:4::/64
GE1/0/0
FE80::2E0:51FF:FE52:8100
20
A/-/U
Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
U-Up/Down Bit Set
On the Level-1-2 device, run the display isis lsdb verbose command to check whether the
Level-1-2 device has leaked the route 44:4::/64 to Level-1 areas.
LSPID
Seq Num
Checksum
Holdtime
Length ATT/P/OL
------------------------------------------------------------------------------1111.1111.1111.00-00 0x00000004
0x7fd7
875
87
0/0/0
SOURCE
1111.1111.1111.00
NLPID
IPV4
NLPID
IPV6
AREA ADDR
10
INTF ADDR V6 10:1::1
Topology
Standard
NBR ID
1111.1111.1111.01 COST: 10
IPV6
10:1::/64
COST: 10
1111.1111.1111.01-00 0x00000001
0x8fd8
SOURCE
1111.1111.1111.01
NLPID
IPV4
NLPID
IPV6
NBR ID
1111.1111.1111.00 COST: 0
NBR ID
2222.2222.2222.00 COST: 0
Issue 02 (2013-12-31)
875

56
0/0/0
2390

Equipment
2222.2222.2222.00-00* 0x00000007
0x459e
SOURCE
2222.2222.2222.00
NLPID
IPV6
AREA ADDR
10
Topology
Standard
NBR ID
1111.1111.1111.01 COST: 10
IPV6
10:1::/64
IPV6
20:1::/64
IPV6*
44:4::/64
8 IP Routing
1194
130
1/0/0
COST: 10
COST: 10
COST: 10
Total LSP(s): 3

LSPID
Seq Num
Checksum
Holdtime
Length ATT/P/OL
------------------------------------------------------------------------------2222.2222.2222.00-00* 0x00000008
0x8eb1
993
116
0/0/0
SOURCE
2222.2222.2222.00
NLPID
IPV6
AREA ADDR
10
Topology
Standard
NBR ID
3333.3333.3333.00 COST: 10
IPV6
10:1::/64
COST: 10
IPV6
20:1::/64
COST: 10
3333.3333.3333.00-00 0x00000005
0xe7e3
SOURCE
3333.3333.3333.00
NLPID
IPV6
AREA ADDR
20
Topology
Standard
NBR ID
2222.2222.2222.00 COST: 10
IPV6
20:1::/64
IPV6
44:4::/64
997
116
0/0/0
COST: 10
COST: 0
Total LSP(s): 2
Run the display isis route command to check IS-IS routing information. If equal-cost IS-IS
routes are configured to work in load-balancing mode, multiple next hops will be displayed in
the command output. For example, two next hops, FE80::2E0:51FF:FE52:8100 and
FE80::2E0:FFFF:FE50:8200, to the 44:4::/64 network segment are displayed, and their route
costs are both 20.
-------------------------------IPV6 Dest.
ExitInterface
NextHop
Cost
Flags
------------------------------------------------------------------------------13:1::/64
GE1/0/1
Direct
10
D/L/34:1::/64
GE1/0/1
FE80::2E0:FFFF:FE50:8200
20
A/-/-
Issue 02 (2013-12-31)

2391

Equipment
20:1::/64
10:1::/64
44:4::/64
GE1/0/0
GE1/0/0
GE1/0/0
GE1/0/1
8 IP Routing
FE80::2E0:51FF:FE52:8100
Direct
FE80::2E0:51FF:FE52:8100
FE80::2E0:FFFF:FE50:8200
20
10
20
A/-/D/L/A/-/-

U-Up/Down Bit Set
8.7.10 Configuring IPv6 IS-IS Route Summarization

To improve the route searching efficiency and simplify route management on a large-scale ISIS network, configure IS-IS route summarization to reduce the number of IS-IS routes in a
routing table.
Context
Route summarization is used to summarize routes with the same IP prefix into one route.
On a large-scale IS-IS network, route summarization can be configured to reduce the number
of IS-IS routes in a routing table. This summarization improves the usage of system resources
and facilitates route management.
If a link on an IP network segment that is summarized frequently alternates between Up and
Down states, IP network segments that are not summarized will not be affected, preventing route
flapping and improving the network stability.
Procedure
Step 1 Run:
system-view

Step 2 Run:
isis [ process-id ]

Step 3 Run:
ipv6 summary ipv6-address prefix-length [ avoid-feedback | generate_null0_route |
tag tag | [ level-1 | level-1-2 | level-2 ] ] *
The specified IS-IS routes are summarized into one IS-IS route.
NOTE
After route summarization is configured on an IS, the local routing table still contains all specific routes
before the summarization.
The routing tables on other ISs contain only the summary route, and the summary route is deleted only
after all its specific routes are deleted.
----End

After the route summarization function is configured, perform the following steps to check
whether the route summarization function has taken effect.
Issue 02 (2013-12-31)

2392

Equipment
8 IP Routing
Run the display isis route command to check summary routes in the IS-IS routing table.
Run the display ipv6 routing-table [ verbose ] command to check summary routes in the
IP routing table.
8.7.11 Configuring IPv6 IS-IS to Interact with Other Routing

Protocols
If other routing protocols are configured on an IS-IS network, you need to configure IS-IS to
interact with these protocols to ensure successful communication between them.
Before You Start

Before configuring IPv6 IS-IS to interact with other routing protocols, familiarize yourself with
the usage scenario, complete the pre-configuration tasks, and obtain the data required for the
configuration.
If other routing protocols are configured on an IS-IS network, the following issues need to be
considered:
l
Preference of IS-IS routes

If multiple routes to the same destination are discovered by different routing protocols
running on the same device, the route discovered by the protocol with the highest preference
is selected. For example, if both OSPFv3 and IS-IS are configured, the route discovered
by OSPFv3 is used because OSPFv3 enjoys a higher preference than IS-IS by default.
Therefore, if you want the route discovered by IS-IS to be used, configure IS-IS to have
the highest preference.
Communication between an IS-IS area and other areas

If other routing protocols are configured on an IS-IS network, you need to configure IS-IS
to interact with those routing protocols so that IS-IS areas can communicate with non-ISIS areas.
NOTE
The LSDBs of different IS-IS processes on a device are independent of each other. Therefore, each
IS-IS process on the device considers routes of the other IS-IS processes as external routes.
To ensure successful traffic forwarding, configure IS-IS to interact with other routing
protocols on a device where external routes are configured, for example, a Level-1-2 ISIS router. Available method is configuring IS-IS to import external routes. This mode
enables all devices in IS-IS areas to learn external routes, implementing refined control
over traffic forwarding.
To ensure successful forwarding of traffic destined for IS-IS areas, you must also enable
the other routing protocols to interact with IS-IS.
Before configuring IPv6 IS-IS to interact with other routing protocols, complete the following
tasks:
l
Issue 02 (2013-12-31)

2393

Equipment
8 IP Routing
the network layer
Configuring basic functions of other routing protocols
Data Preparation
To configure the IPv6 IS-IS to interact with other routing protocols, you need the following data.
No.
Data
ACL6 for filtering routes, IPv6 prefix list, or routing policy
Preference value of IS-IS
Configuring a Preference Value for IPv6 IS-IS

If multiple routes to the same destination are discovered by different routing protocols,
configuring the highest preference value for IS-IS allows a route discovered by IS-IS to be
selected preferentially.
Context
If multiple routes to the same destination are discovered by different routing protocols running
on the same device, the route discovered by the protocol with the highest preference is selected.
For example, if both OSPFv3 and IS-IS are configured on a network, the route discovered by
OSPFv3 is used because OSPFv3 has a higher preference than IS-IS by default.
To prefer a route discovered by IS-IS, configure a higher preference value for IS-IS. In addition,
a routing policy can be configured to increase the preferences of specified IS-IS routes, without
affecting route selection.
Procedure
l
Configure the IS-IS preference value.

1.
Run:
system-view

2.
Run:
isis [ process-id ]

3.
Run:
ipv6 preference preference
The IS-IS preference value is configured.

Issue 02 (2013-12-31)

2394

Equipment
8 IP Routing
NOTE
A smaller preference value indicates a higher preference.

The default IS-IS preference value is 15.
Configure preference values for specified IS-IS routes.

1.
Run:
system-view

2.
Run:
isis [ process-id ]

3.
Run:
ipv6 preference route-policy route-policy-name preference
The preference values are configured for the specified IS-IS routes.
NOTE
preference takes effect only for IS-IS routes that match the specified routing policy.
----End
Configuring IPv6 IS-IS to Import External Routes

If devices in an IS-IS routing domain need to learn external routes, configure IS-IS on a Level-1-2
device of this routing domain to import external routes.
Context
If IS-IS is configured on a Level-1-2 device to advertise a default route, all traffic in IS-IS routing
domains will be forwarded by this Level-1-2 device. This will burden this Level-1-2 device
because no external route can be learned on the devices in the IS-IS routing domains.
If multiple Level-1-2 devices are deployed, optimal routes to other routing domains need to be
selected. To ensure optimal routes are selected, all the other devices in the IS-IS routing domains
must learn all or some external routes.
Routing policies can be configured to import or advertise external routes that meet specified
conditions to the IS-IS routing domains.
Procedure
l
Configure IS-IS to import external routes.

1.
Run:
system-view

2.
Run:
isis [ process-id ]

3.
Issue 02 (2013-12-31)
Configuring IS-IS to Import External IPv6 Routes

2395

Equipment
8 IP Routing
If you want to set the cost for the imported route, you can run the ipv6 importroute { direct | static | { ospfv3 | ripng | isis } [ process-id ] | bgp [ permitibgp ] } [ cost cost | tag tag | route-policy route-policy-name | { level-1 | level-2
| level-1-2 } ] * command to import the external routes.
If you want to keep the original cost for the imported route, you can run the ipv6
import-route { { ripng | isis | ospfv3 } [ process-id ] | direct | bgp } inheritcost [ tag tag | route-policy route-policy-name | [ level-1 | level-2 | level-1-2 ] ]
* command to import the external routes. When configuring IS-IS to retain the
original cost value of the imported route, the source routes cannot be static.
NOTE
IS-IS will advertise all imported external routes to an IS-IS routing domain by default.
If only some imported external routes need to be advertised, run the ipv6 filter-policy
export command to set a filtering policy.
If an IS-IS device has a small routing table capacity, run the ipv6 import-route limit limitnumber [ threshold-alarm upper-limit upper-limit-value lower-limit lower-limit-value ]
{ level-1 | level-2 | level-1-2 } command to set the maximum number of external routes that
can be imported into an IS-IS routing domain.
(Optional) Configure IS-IS to advertise some external routes to an IS-IS routing domain.
1.
Run:
system-view

2.
Run:
isis [ process-id ]

3.
Run:
ipv6 filter-policy { acl6-number | acl6-name acl6-name } export [ protocol
[ process-id ] ]
IS-IS is configured to advertise specified external routes to the IS-IS routing
domain based on the ACL.
a.
Run:
quit

b.
Run:
quit

c.
Run

d.
Run
Issue 02 (2013-12-31)

2396

Equipment
8 IP Routing

the system.
system.
a.
Run
{ auto | config } ]

b.
Run

Issue 02 (2013-12-31)

2397

Equipment
8 IP Routing
the system.
system.
ipv6 filter-policy ipv6-prefix ipv6-prefix-name export [ protocol [ process-id ] ]
domain based on the prefix list.
ipv6 filter-policy route-policy route-policy-name export [ protocol [ processid ] ]
domain based on the route policy.
NOTE
After this command is run, only external routes that meet the specified conditions can be
advertised to the IS-IS routing domain.
----End

After IS-IS is enabled to import routes from other protocols, run the following commands to
verify that the configurations are correct.
Procedure
l
Run the display isis lsdb [ { level-1 | level-2 } | verbose | { local | lsp-id | is-name symbolicname } ] * [ process-id | vpn-instance vpn-instance-name ] command to check IS-IS LSDB
information.

check IS-IS routing information.
Issue 02 (2013-12-31)

2398

Equipment
8 IP Routing
Run the display ipv6 routing-table ipv6-prefix ipv6-prefix-name [ verbose ] command

to check the IP routing table.
----End
Example
Run the display isis lsdb verbose command on the device that generates a default route. The
command output shows that IS-IS has advertised a default route.
LSPID
Seq Num
Checksum
Holdtime
Length ATT/P/OL
------------------------------------------------------------------------------1111.1111.1111.00-00 0x0000000a
0xfab7
1120
86
0/0/0
SOURCE
1111.1111.1111.00
NLPID
IPV6
AREA ADDR
10
Topology
Standard
NBR ID
2222.2222.2222.01 COST: 10
IPV6
12:1::/64
COST: 10
2222.2222.2222.00-00* 0x0000000f
0xe95c
SOURCE
2222.2222.2222.00
NLPID
IPV6
AREA ADDR
10
Topology
Standard
NBR ID
2222.2222.2222.01 COST: 10
IPV6
12:1::/64
2222.2222.2222.00-01* 0x00000003
SOURCE
2222.2222.2222.00
IPV6
::/0
0x7cbc
1138
86
0/0/0
35
0/0/0
COST: 10
1195
COST: 0
2222.2222.2222.01-00* 0x00000002
0xe1ea
SOURCE
2222.2222.2222.01
NLPID
IPV6
NBR ID
2222.2222.2222.00 COST: 0
NBR ID
1111.1111.1111.00 COST: 0
1138
55
0/0/0
3333.3333.3333.00-00 0x00000004
0xac80
SOURCE
3333.3333.3333.00
NLPID
IPV4
AREA ADDR
10
INTF ADDR
20.1.1.2
NBR ID
2222.2222.2222.00 COST: 10
255.255.255.0
231
68
0/0/0
COST: 10
Total LSP(s): 5
Run the display isis route command on the device that receives the default route. The command
output shows that the default route ::/0 with a next-hop address of FE80::7D7E:0:22D7:1 has
been imported into the Level-2 IS-IS routing table.
Issue 02 (2013-12-31)

2399

Equipment
8 IP Routing

-------------------------------IPV6 Dest.
ExitInterface
NextHop
Cost
Flags
------------------------------------------------------------------------------::/0
Pos1/0/0
FE80::7D7E:0:22D7:1
10
A/-/13:1::/64
GE1/0/1
Direct
10
D/L/34:1::/64
Pos1/0/0
Direct
10
D/L/20:1::/64
Pos1/0/0
FE80::7D7E:0:22D7:1
20
A/-/10:1::/64
GE1/0/1
FE80::2E0:BAFF:FE1E:8200
20
A/-/44:4::/64
Pos1/0/0
FE80::7D7E:0:22D7:1
10
U-Up/Down Bit Set
Run the display isis route command to view the IS-IS routing table. The command output shows
that the OSPFv3 route 44:4::/64 has been imported into the Level-2 IS-IS routing table.
-------------------------------IPV6 Dest.
ExitInterface
NextHop
Cost
Flags
------------------------------------------------------------------------------13:1::/64
Pos1/0/0
FE80::907D:0:103A:1
20
A/-/34:1::/64
Pos1/0/0
Direct
10
D/L/20:1::/64
Pos1/0/1
Direct
10
D/L/10:1::/64
Pos1/0/1
FE80::DC23:0:FC15:3
20
U-Up/Down Bit Set
ISIS(1) Level-2 Redistribute Table

---------------------------------Type IPV6 Destination
IntCost
Tag
------------------------------------------------------------------------------O
44:4::/64
20
Type: D-Direct, I-ISIS, S-Static, O-OSPF, B-BGP, R-RIP
Run the display ipv6 routing-table command to view the IP routing table. The command output
shows that the value of Preference of IPv6 IS-IS has been changed from its default value 15 to
20.
<HUAWEI> display ipv6 routing-table
Routing Table : Public
Destinations : 10
Routes : 10
Issue 02 (2013-12-31)
Destination
NextHop
Cost
RelayNextHop
Interface
:
:
:
:
:
::
FE80::7D7E:0:22D7:1
10
::
Pos1/0/0
Destination
: ::1
PrefixLength
Preference
Protocol
TunnelID
Flags
:
:
:
:
:
0
20
ISIS-L2
0x0
D
PrefixLength : 128

2400

Equipment
8 IP Routing
NextHop
Cost
RelayNextHop
Interface
:
:
:
:
::1
0
::
InLoopBack0
Preference
Protocol
TunnelID
Flags
:
:
:
:
0
Direct
0x0
D
Destination
NextHop
Cost
RelayNextHop
Interface
:
:
:
:
:
10:1::
FE80::2E0:BAFF:FE1E:8200
20
::
PrefixLength
Preference
Protocol
TunnelID
Flags
:
:
:
:
:
64
20
ISIS-L2
0x0
D
Destination
NextHop
Cost
RelayNextHop
Interface
:
:
:
:
:
13:1::
13:1::2
0
::
PrefixLength
Preference
Protocol
TunnelID
Flags
:
:
:
:
:
64
0
Direct
0x0
D
Destination
NextHop
Cost
RelayNextHop
Interface
:
:
:
:
:
13:1::2
::1
0
::
InLoopBack0
PrefixLength
Preference
Protocol
TunnelID
Flags
:
:
:
:
:
128
0
Direct
0x0
D
Destination
NextHop
Cost
RelayNextHop
Interface
:
:
:
:
:
20:1::
FE80::7D7E:0:22D7:1
20
::
Pos1/0/0
PrefixLength
Preference
Protocol
TunnelID
Flags
:
:
:
:
:
64
20
ISIS-L2
0x0
D
Destination
NextHop
Cost
RelayNextHop
Interface
:
:
:
:
:
34:1::
34:1::1
0
::
Pos1/0/0
PrefixLength
Preference
Protocol
TunnelID
Flags
:
:
:
:
:
64
0
Direct
0x0
D
Destination
NextHop
Cost
RelayNextHop
Interface
:
:
:
:
:
34:1::1
::1
0
::
InLoopBack0
PrefixLength
Preference
Protocol
TunnelID
Flags
:
:
:
:
:
128
0
Direct
0x0
D
Destination
NextHop
Cost
RelayNextHop
Interface
:
:
:
:
:
44:4::
FE80::7D7E:0:22D7:1
10
::
Pos1/0/0
PrefixLength
Preference
Protocol
TunnelID
Flags
:
:
:
:
:
64
20
ISIS-L2
0x0
D
Destination
NextHop
Cost
RelayNextHop
Interface
:
:
:
:
:
FE80::
::
0
::
NULL0
PrefixLength
Preference
Protocol
TunnelID
Flags
:
:
:
:
:
10
0
Direct
0x0
D
8.7.12 Configuring the IPv6 IS-IS Route Convergence Speed

Accelerating IS-IS route convergence can improve the fault location efficiency and improve the
Before You Start

Before configuring the IPv6 IS-IS route convergence speed, familiarize yourself with the usage
Issue 02 (2013-12-31)

2401

Equipment
8 IP Routing
The procedure for implementing IS-IS is as follows:
l
Establishment of neighboring relationships: establishes neighboring relationships by

exchanging Hello packets between two devices.
LSP flooding: implements LSDB synchronization between devices in the same area.
SPF calculation: uses the SPF algorithm to calculate IS-IS routes, and delivers the IS-IS
routes to the routing table.
To accelerate the IS-IS route convergence speed, configure the following parameters:
l
Interval for detecting IS-IS neighboring device failures.
Flooding parameters of CSNPs and LSPs.
Interval for SPF calculation.
You can also configure convergence priorities for IPv6 IS-IS routes so that key routes can be
converged by preference when a network topology changes. This minimizes adverse impacts on
key services.
Before configuring the IPv6 IS-IS route convergence speed, complete the following tasks:
l
Configuring the link layer protocol on interfaces.
the network layer.
Configuring Basic IPv6 IS-IS Functions.
Data Preparation
No.
Data
Interval at which Hello packets are sent and the holding time of neighboring
devices
Flooding time of CSNPs and LSPs
Route convergence priority
Configuring the Interval for Detecting IS-IS Neighboring Device Failures

To minimize the effects caused by neighboring device failures on an IS-IS network, accelerate
the speed of detecting IS-IS neighboring device failures.
Context
Connection status between an IS-IS device and its neighboring devices can be monitored by
exchanging Hello packets at intervals. An IS-IS neighboring device is considered Down if the
Issue 02 (2013-12-31)

2402

Equipment
8 IP Routing
IS-IS device does not receive any Hello packets from the neighboring device within the specified
period (called the holding time). A failure in an IS-IS neighboring device will trigger LSP
flooding and SPF calculation, after which IS-IS routes are reconverged.
To speed up fault detection, use the following methods to accelerate the speed of detecting ISIS neighboring device failures:
l
Procedure
1.
Run:
system-view

2.
Run:

3.
Run:
The interval at which Hello packets are sent is set.

NOTE

1.
Run:
system-view

2.
Run:

3.
Run:
The holding multiplier of neighboring devices is set.

----End
Setting Flooding Parameters of SNPs and LSPs

To speed up LSDB synchronization between devices, set flooding parameters of SNPs and LSPs
to proper values.
Issue 02 (2013-12-31)

2403

Equipment
8 IP Routing
Context
SNPs consist of CSNPs and PSNPs. CSNPs carry summaries of all LSPs in LSDBs, ensuring
LSDB synchronization between neighboring routers. SNPs are processed differently on
broadcast links and P2P links.
l
On a broadcast link, CSNPs are periodically sent by a DIS device. If a router detects that
its LSDB is not synchronized with that on its neighboring router, the router will send PSNPs
to apply for missing LSPs.
On a P2P link, CSNPs are sent only during initial establishment of neighboring
relationships. If a request is acknowledged, a neighboring router will send a PSNP in
response to a CSNP. If a router detects that its LSDB is not synchronized with that on its
neighboring router, the router will also send PSNPs to apply for missing LSPs.
To speed up LSDB synchronization, modify the following parameters of SNPs and LSPs on the
ATN:
l
Procedure
1.
Run:
system-view

2.
Run:

3.
Run:
The interval at which CSNPs are sent is set on the specified interface.
NOTE
Configure Level-1 and Level-2 only when a broadcast interface is specified.

1.
Run:
system-view

2.
Run:
isis [ process-id ]
Issue 02 (2013-12-31)

2404

Equipment
8 IP Routing

3.
Run:
The intelligent timer controlling LSP generation is configured.

If a level is not specified, both level-1 and level-2 are used by default.
The delay in generating an LSP or an LSP fragment for the first time is determined
by init-interval; the delay in generating an LSP or an LSP fragment for the second
time is determined by incr-interval. From the third time on, the delay in generating
an LSP increases twice every time until the delay reaches the value specified by maxinterval. After the delay remains at the value specified by max-interval for three times
or the IS-IS process is restarted, the delay decreases to the value specified by initinterval.
If incr-interval is not specified, the delay in generating an LSP or LSP fragment for
the first time is determined by init-interval. From the second time on, the delay in
generating an LSP is determined by max-interval. After the delay remains at the value
specified by max-interval for three times or the IS-IS process is restarted, the delay
decreases to the value specified by init-interval.
When only max-interval is specified, the intelligent timer functions as an ordinary
one-time triggering timer.
l

1.
Run:
system-view

2.
Run:
isis [ process-id ]

3.
Run:
The maximum length is set for each LSP to be generated.

4.
Run:
The maximum length is set for each LSP to be received.

NOTE
Ensure that the value of max-size for LSPs to be generated must be smaller than or equal to the
value of max-size for LSPs to be received.
The value of max-size in the lsp-length command must meet the following conditions.
The MTU of an Ethernet interface must be greater than or equal to the sum of the
value of max-size and 3.
The MTU of a P2P interface must be greater than or equal to the value of maxsize.
l
Issue 02 (2013-12-31)

2405

Equipment
1.
8 IP Routing
Run:
system-view

2.
Run:
isis [ process-id ]

3.
Run:
A refresh interval is set for LSPs.

To synchronize all LSPs in the areas, IS-IS regularly transmits all the current LSPs to
neighbors.
By default, the LSP refresh interval is 900s, and the maximum lifetime of an LSP is
1200s. Ensure that the LSP refresh interval is more than 300s shorter than the
maximum LSP lifetime. This allows new LSPs to reach all routers in an area before
existing LSPs expire.
NOTE
The larger a network, the greater the deviation between the LSP refresh interval and the
maximum LSP lifetime.

1.
Run:
system-view

2.
Run:
isis [ process-id ]

3.
Run:
The maximum lifetime is set for LSPs.

When a router generates the system LSP, it fills in the maximum lifetime for this LSP.
After this LSP is received by other routers, the lifetime of the LSP is reduced gradually.
If the router does not receive any more update LSPs and the lifetime of the LSP is
reduced to 0, the LSP will be deleted from the LSDB 60s later if no more updated
LSPs are received.
l

1.
Run:
system-view

2.
Run:

Issue 02 (2013-12-31)

2406

Equipment
3.
8 IP Routing
Run:
The minimum interval at which LSPs are sent is set.

The count parameter specifies the maximum number of LSPs that can be sent within
the interval specified by throttle-interval. The value of count is an integer ranging
from 1 to 1000.
l

1.
Run:
system-view

2.
Run:
isis [ process-id ]

3.
Run:
flash-flood [ lsp-count | max-timer-interval interval | [ level-1 |
level-2 ] ] *
The LSP fast flooding is enabled.

Running the flash-flood command speeds up LSP flooding. The lsp-count parameter
specifies the number of LSPs flooded each time, which is applicable to all interfaces.
If the number of LSPs to be sent is greater than the value of lsp-count, lsp-count takes
effect. If the number of LSPs to be sent is smaller than the value of lsp-count, LSPs
of the actual number are sent. If a timer is configured and the configured timer does
not expire before the route calculation, the LSPs are flooded immediately when being
received; otherwise, the LSPs are sent when the timer expires.
When LSP fast flooding is enabled, Level-1 LSPs and Level-2 LSPs are fast flooded
by default if no level is specified.
l

1.
Run:
system-view

2.
Run:

3.
Run:
isis timer lsp-retransmit retransmit-interval
The interval at which LSPs are retransmitted over a P2P link is set.
----End
Setting the SPF Calculation Interval

To improve the fault location efficiency on an IS-IS network and prevent SPF calculation from
consuming excessive system resources, set the SPF calculation interval to a proper value.
Issue 02 (2013-12-31)

2407

Equipment
8 IP Routing
Context
A network change always triggers IS-IS to perform SPF calculation. Frequent SPF calculation
will consume excessive CPU resources, affecting services.
To solve this problem, configure an intelligent timer to control the interval for SPF calculation.
For example, to speed up IS-IS route convergence, set the interval for SPF calculation to a small
value, and set the interval to a large value after the IS-IS network becomes stable.
Procedure
Step 1 Run:
system-view

Step 2 Run:
isis [ process-id ]

Step 3 Run:
timer spf max-interval [ init-interval [ incr-interval ] ]
The SPF intelligent timer is configured.

The intelligent timer changes as follows:
l The delay for the first SPF calculation is determined by init-interval; the delay for the second
SPF calculation is determined by incr-interval. From the third time on, the delay in SPF
calculation increases twice every time until the delay reaches the value specified by maxinterval. After the delay remains at the value specified by max-interval for three times or the
l If incr-interval is not specified, the delay in SPF calculation for the first time is determined
by init-interval. From the second time on, the delay in SPF calculation is determined by maxinterval. After the delay remains at the value specified by max-interval for three times or the
l When only max-interval is specified, the intelligent timer functions as an ordinary one-time
triggering timer.
----End
Configuring Convergence Priorities for IPv6 IS-IS Routes

If some IS-IS routes need to be converged by preference to minimize adverse impacts on services,
configure those routes to have the highest convergence priority.
Context
By default, the convergence priority of 128-bit host routes is medium, and the convergence
priority of the other IS-IS routes is low.
The ATN allows you to configure the highest convergence priority for specific IS-IS routes so
that those IS-IS routes will be converged first when a network topology changes.
Issue 02 (2013-12-31)

2408

Equipment
8 IP Routing
Procedure
Step 1 Run:
system-view

Step 2 Run:
isis [ process-id ]

Step 3 Run:
ipv6 prefix-priority [ level-1 | level-2 ] { critical | high | medium } { ipv6prefix prefix-name | tag tag-value }
Convergence priorities are set for IS-IS routes.

The application rules of the convergence priorities for IS-IS routes are as follows:
l Existing IS-IS routes are converged based on the priorities configured in the ipv6 prefixpriority command.
l New IS-IS routes are converged based on the priorities configured in the ipv6 prefixpriority command.
l If an IS-IS route conforms to the matching rules of multiple convergence priorities, the
highest convergence priority is used.
l The convergence priority of a Level-1 IS-IS route is higher than that of a Level-2 IS-IS route.
l If the route level is not specified, the configuration of the prefix-priority command takes
effect for both Level-1 and Level-2 IS-IS routes.
NOTE
The ipv6 prefix-priority command is only applicable to the public network.

After the ipv6 prefix-priority command is run, the convergence priority of 32-bit host routes is low, and
the convergence priorities of the other routes are determined as specified in the ipv6 prefix-priority
command.

quit

ipv6 route prefix-priority-scheduler critical-weight high-weight medium-weight lowweight
The preference-based scheduling ratio of IPv6 routes is configured.

By default, the preference-based scheduling ratio of IPv6 routes is 8:4:2:1.
----End

After the parameters specifying the IPv6 IS-IS route convergence speed are set, run the following
commands to verify that the configurations are correct.
Issue 02 (2013-12-31)

2409

Equipment
8 IP Routing
Procedure
l
Run the display isis interface [ [ verbose | traffic-eng ] * | tunnel ] [ process-id | vpninstance vpn-instance-name ] command to check IS-IS packet information.
Run the display isis route [ process-id | vpn-instance vpn-instance-name ] ipv6

check the preference of IS-IS routes.
----End
Example
Run the display isis interface verbose command. The command output shows that GE 6/0/0
sends Hello packets at an interval of 15 ms, the number of IS-IS Hello packets sent by the
neighbor before IS-IS should declare the neighbor is invalid is 3, the sending interval for Level-1
CSNPs is 123 ms, and the minimum sending interval for LSPs is 159 ms.
--------------------------------IPV4.State
IPV6.State
MTU Type DIS
Down
Up
1497 L1/L2 No/Yes
: Standard
: HUAWEI, Quidway Series, GigabitEthernet1/0/0
Interface
Id
GE1/0/1
001
Circuit MT State
Description
Interface
SNPA Address
IP Address
IPV6 Link Local Address
IPV6 Global Address(es)
Csnp Timer Value
Hello Timer Value
LSP-Throttle Timer
Cost
Ipv6 Cost
Priority
Bandwidth-Value
Static Bfd
Dynamic Bfd
Dynamic IPv6 Bfd
Fast-Sense Rpr
Graceful Down
Suppress Base
IPv6 Suppress Base
: 00e0-ff50-8200
:
: FE80::2E0:FFFF:FE50:8200
: 13:1::2/64
: L1 123 L2
10
: L1
15 L2
15
: L1
10 L2
10
: L1
3 L2
3
: L12
50
: L1
10 L2
10
: L1
10 L2
10
: L1
64 L2
64
: L12
5
: Low 1000000000 High
: NO
: NO
: NO
: NO
: NO
: NO
: NO
Run the display isis route verbose command. The command output shows that the convergence
priority of the IS-IS route 13:1::/64 is Critical, and the convergence priority of the other IS-IS
routes is Low.
<HUAWEI> display isis route verbose
-------------------------------IPV6 Dest
Admin Tag
Issue 02 (2013-12-31)
: 13:1::/64
: -
Cost : 20
Src Count : 2

Flags: A/-/Priority: Critical
2410

Equipment
8 IP Routing
NextHop
:
FE80::907D:0:103A:1
Interface :
Pos1/0/0
ExitIndex :
0x00000007
IPV6 Dest
Admin Tag
NextHop
Direct
: 34:1::/64
: :
Cost : 10
Src Count : 2
Interface :
Pos1/0/0
Flags: D/L/Priority: ExitIndex :

0x00000000
IPV6 Dest
Admin Tag
NextHop
Direct
: 20:1::/64
: :
Cost : 10
Src Count : 2
Interface :
Pos1/0/1
Flags: D/L/Priority: ExitIndex :

0x00000000
IPV6 Dest : 10:1::/64

Admin Tag : NextHop
:
FE80::DC23:0:FC15:3
Cost : 20
Src Count : 2
Interface :
Pos1/0/1
Flags: A/-/Priority: Low

ExitIndex :
0x00000003

U-Up/Down Bit Set
8.7.13 Configuring Static IPv4 BFD for IS-IS

BFD can provide link failure detection featuring light load and high speed (at the millisecond
level). Static IPv4 BFD can be configured to monitor IS-IS links.
Context
In a static BFD session scenario, you need to configure single-hop BFD parameters, such as
local and remote discriminators and then configure the device to send BFD session setup
requests.
A static BFD session can only be established and released manually. A configuration error will
lead to a BFD failure. For example, if a local or remote discriminator is incorrectly configured,
a BFD session will not work properly.
Before configuring static IPv4 BFD for IS-IS, complete the following tasks:
l
No.
Data
Procedure
l
Issue 02 (2013-12-31)
Enable BFD globally.

2411

Equipment
1.
8 IP Routing
Run:
system-view

2.
Run:
bfd

3.
Run:
quit

l
Configure a single-hop BFD session.

1.
Run:
bfd cfg-name bind peer-ip ip-address [ interface interface-type interfacenumber ]
BFD is enabled between the specified interface and peer router.

If a peer IP address and a local interface are specified in the bfd command, BFD
monitors only a single-hop link with the interface specified in the bfd command as
the outbound interface and with the peer IP address specified in the peer-ip command
as the next-hop address.
2.
Set discriminators.
Run:
A local discriminator is set.

Run:
A remote discriminator is set.

The local discriminator of a device must be the remote discriminator of the device on
the other end; otherwise, a BFD session cannot be established. In addition, the local
and remote discriminators cannot be modified after being configured.
NOTE
The local discriminator set using the local discr-value command on a device must be the same
as the remote discriminator set using the remote discr-value command on the device of the
other end.
3.
Run:
commit
Configurations are committed.

4.
Run:
quit

l
Enable static IPv4 BFD on an interface.

1.
Run:
Issue 02 (2013-12-31)

2412

Equipment
8 IP Routing

2.
Run:
isis bfd static
Static IPv4 BFD is enabled on the specified interface.

----End

Information about a BFD session can be viewed only after parameters of the BFD session are
set and the BFD session is established.
Run the display isis interface verbose command. The command output shows that the status
of static BFD for IS-IS process 1 is Yes.
--------------------------------Interface
Id
IPV4.State
MTU Type DIS
Loop1
001
Up
1500 L1/L2 -Circuit Parameters
: passive
Description
: HUAWEI, LoopBack1 Interface
SNPA Address
: 0000-0000-0000
IP Address
: 8.8.8.8
Csnp Timer Value
: L12
10
Hello Timer Value
:
10
:
:
3
Cost
: L1
0 L2
0
: L12
5
LSP-Throttle Timer
: L12
50
Bandwidth-Value
: Low
0 High
Static Bfd
: YES
Dynamic Bfd
: NO
Fast-Sense Rpr
: NO
8.7.14 Configuring Dynamic IPv4 BFD for IS-IS

Dynamic IPv4 BFD for IS-IS can accelerate IS-IS route convergence.
Context
Connection status between an IS-IS device and its neighbors can be monitored by exchanging
Hello packets at intervals. The minimum allowable sending interval is 3s, and a neighbor is
declared Down after at least three intervals during which no response Hello packet is received
from the neighbor. IS-IS takes more than one second to detect that a neighbor becomes Down,
resulting in loss of a large amount of high-speed data.
To solve this problem, BFD must be configured for IS-IS. IPv4 BFD provides millisecond-level
fault detection. After detecting a link or node failure, BDF will notify IS-IS of the failure,
accelerating the IS-IS route convergence speed.
Dynamic IPv4 BFD for IS-IS implements dynamic setup of BFD sessions. When a new IS-IS
neighbor relationship is set up, BFD is notified of the neighbor parameters and the detection
parameters (including source and destination IP addresses). Then a BFD session will be
established based on the received neighbor parameters. Dynamic BFD is more flexible than
static BFD.
Issue 02 (2013-12-31)

2413

Equipment
8 IP Routing
Before configuring dynamic IPv4 BFD for IS-IS, complete the following tasks:
l
Configuring Basic IS-IS Functions
No.
Data
Number of the IS-IS process to be enabled with BFD
Parameter values of a BFD session
You can use either of the following methods to enable dynamic IPv4 BFD for IS-IS:
l
Enable dynamic IPv4 BFD for specified IS-IS processes. This method is recommended
if you need to enable dynamic IPv4 BFD for IS-IS on a large number of IS-IS interfaces.
Enable dynamic IPv4 BFD for specified interfaces. This method is recommended if you
need to enable dynamic IPv4 BFD for IS-IS on a small number of IS-IS interfaces.
Enable dynamic IPv4 BFD for an IS-IS process.
Procedure
1.
Run:
system-view

2.
Run:
bfd

3.
Run:
quit

4.
Run:
isis process-id

5.
Run:
BFD for IS-IS is enabled.

After BFD is enabled globally and the neighbor status becomes Up, IS-IS adopts
default BFD parameters to establish BFD sessions on all interfaces.
Issue 02 (2013-12-31)

2414

Equipment
6.
8 IP Routing
(Optional) Run:
bfd all-interfaces { min-rx-interval receive-interval | min-tx-interval
transmit-interval | detect-multiplier multiplier-value | frr-binding } *
The parameters for establishing BFD sessions are set for all interfaces.
The command execution result is applicable to BFD session parameters on all IS-IS
interfaces.
7.
Run:
quit

To disable the BFD function on an interface, run the isis bfd block command in the
interface view to disable the interface from establishing BFD sessions.
l
Enable dynamic IPv4 BFD on an interface.

1.
Run:
system-view

2.
Run:
bfd

3.
Run:
quit

4.
Run:

5.
Run:
isis bfd enable
BFD is enabled on the interface.

After BFD is configured globally and the neighbor status is Up (on a broadcast
network, DIS is in the Up state), default BFD parameters will be used to establish
BFD sessions on the specified interface.
6.
(Optional) Run:
isis bfd { min-rx-interval receive-interval | min-tx-interval transmitinterval | detect-multiplier multiplier-value } *
Run this command when BFD session parameters need to be configured for a specified
interface.
NOTE
The priority of BFD configured on an interface is higher than that of BFD configured for a
process. If BFD session parameters are configured for both a process and an interface, the
parameters on the interface will be used to establish a dynamic BFD session.
----End
Issue 02 (2013-12-31)

2415

Equipment
8 IP Routing

After BFD is enabled on both ends of a link, run the display isis [ process-id | vpn-instance
vpn-instance-name ] bfd session { all | peer ip-address | interface interface-type interfacenumber } command. The command output shows that BFD status is up.
<HUAWEI> display isis bfd session all
BFD session information for ISIS(1)
----------------------------------Peer System ID : 0000.0000.0002
Interface : GE0/2/0
TX : 1000
BFD State : up
Peer IP Address : 1.1.1.2
RX : 1000
LocDis : 8192
Local IP Address: 1.1.1.1
Multiplier : 3
RemDis : 8192
Type : L2
Diag : No diagnostic information
Run the display isis [ process-id ] bfd interface command to view all the interfaces enabled
with BFD and the values of the BFD session parameters on these interfaces.
<HUAWEI> display isis bfd interface
BFD information of interface for ISIS(1)
----------------------------------------Interface
BFD.State
Min-Tx
Min-Rx
Mul
GE0/2/0
enable
1000
1000
3
Total interfaces: 1
Total bfd enabled interfaces: 1
8.7.15 Configuring IPv4 IS-IS Auto FRR

With IS-IS Auto FRR, traffic on a faulty link can be quickly switched to the backup link of the
faulty link. This ensures that the traffic interruption time is within 50 ms and improves the
reliability of IS-IS networks.
Before You Start

Before configuring IS-IS Auto FRR, familiarize yourself with the usage scenario, complete the
At present, the VoIP and on-line video services require high-quality real-time transmission.
Nevertheless, if an IS-IS fault occurs, multiple processes, including fault detection, LSP update,
LSP flooding, route calculation, and FIB entry delivery, must be performed to switch the traffic
to a new link. As a result, it takes much more than 50 ms to recover the link from the fault, which
cannot meet the requirement for real-time services on the network.
IS-IS Auto FRR ensures fast switchover of traffic to the backup link before the network
convergence, avoiding traffic interruption. This protects traffic and improves reliability of an
IS-IS network. The ATN supports IPv4 IS-IS Auto FRR.
IS-IS Auto FRR is suitable for IP services that require a low delay and low packet loss ratio.
Before configuring IS-IS Auto FRR, complete the following tasks:
l
Issue 02 (2013-12-31)
Configuring IP addresses for interfaces to make neighboring nodes reachable at the network
layer
2416

Equipment
8 IP Routing
Configuring the link cost to ensure that the backup path is the sub-optimal route.
Data Preparation
To configure IS-IS Auto FRR, you need the following data.
No.
Data
IS-IS process ID
Interface to be enabled with IS-IS Auto FRR
Enabling IPv4 IS-IS Auto FRR

IS-IS can create the loop-free backup route only when the interface cost is in compliance with
the traffic protection inequality of IS-IS Auto FRR.
Context
Perform the following steps on the ATN that needs the protection for the forwarded traffic:
Procedure
Step 1 Run:
system-view

Step 2 Run:
isis [ process-id ]
The IS-IS process is enabled and the IS-IS view is displayed.

Step 3 Run:
frr
The IS-IS FRR view is displayed.

frr-policy route route-policy route-policy-name
Backup routes are filtered using a filtering policy. Only backup routes that have passed the
filtering policy are added to the routing table.
Step 5 Run:
loop-free-alternate [ level-1 | level-2 | level-1-2 ]
IS-IS Auto FRR is enabled and the loop-free backup route is created.
If the IS-IS level is not specified, IS-IS Auto FRR is enabled on Level-1 and Level-2 to create
the backup route.
For detailed information about IS-IS Auto FRR, refer to the Feature Description - IP Routing.
Issue 02 (2013-12-31)

2417

Equipment
8 IP Routing
NOTE
For detailed information about IS-IS Auto FRR, refer to the ATNMulti-service Access EquipmentFeature
Description - IP Routing.
IS-IS can create the loop-free backup route only if the interface cost is in compliance with the traffic
protection inequality of IS-IS Auto FRR.
----End
(Optional) Disabling an Interface from Being Involved in IPv4 LFA Calculation

To facilitate network management and fault location, you can prevent certain interfaces from
participating in the LFA calculation and specify the interfaces that can function as backup
outbound interfaces.
Context
Perform the following steps on the IS-IS interface to be disabled from participating in the LoopFree Alternate (LFA) calculation:
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
undo isis lfa-backup [ level-1 | level-2 | level-1-2 ]
The interface is disabled from participating in the LFA calculation.

----End

After configuring IS-IS Auto FRR, you can check the IS-IS backup route and traffic protection
type.
Prerequisites
All IS-IS Auto FRR configurations are complete.
Procedure
l
Issue 02 (2013-12-31)

[ verbose | [ level-1 | level-2 ] | ip-address [ mask | mask-length ] ] * command to check
information about the primary link and backup link after IS-IS Auto FRR is enabled.
2418

Equipment
8 IP Routing
Run the display isis spf-tree [ systemid systemid | dname dname ] [ [ level-1 | level-2 ] |
verbose ] * [ process-id | vpn-instance vpn-instance-name ] command to check the traffic
protection type of IS-IS Auto FRR.
----End
8.7.16 Configuring IS-IS GR

By configuring IS-IS GR, you can enable ATN to restart gracefully and avoid temporary black
holes.
Before You Start

Before configuring IS-IS GR, familiarize yourself with the usage scenario, complete the preconfiguration tasks, and obtain the required data. This can help you complete the configuration
The restart of an IS-IS router causes the temporary interruption of the network, because the
adjacency relationship between the ATN and its neighbor is torn down. The LSPs packets of the
ATN are deleted, which makes route calculation inaccurate. Packets are therefore lost.
You can configure IS-IS GR to solve this problem. After IS-IS GR is enabled, the ATN notifies
the neighbor of the restart status, and reestablishes the adjacency relationship with its neighbor
without interrupting the forwarding.
The advantages of IS-IS GR are as follows:
l
When IS-IS restarts, the ATN can resend connection requests to its neighbor. The adjacency
relationship is not torn down.
Before LSPs packets are generated, GR minimizes the interference caused by waiting for
the database synchronization.
If the ATN starts for the first time, the ATN sets the overload bit in LSPs until the LSDB
synchronization is complete. This avoids route black holes.
Before configuring IS-IS GR, complete the following tasks:
l
Configuring IP addresses for interfaces to ensure network connectivity between

neighboring nodes.
Data Preparation
To configure IS-IS GR, you need the following data.
Issue 02 (2013-12-31)
No.
Data
ID of an IS-IS process
Interval for reestablishing GR sessions

2419

Equipment
8 IP Routing
No.
Data
Whether to suppress the advertisement of the adjacency when the GR restarter restarts
Enabling IS-IS GR
Before configuring IS-IS GR, you need to enable the GR capability for IS-IS.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
isis [ process-id ]

Step 3 Run:
graceful-restart
IS-IS GR is enabled.
By default, IS-IS GR is disabled.
----End
Configuring Parameters of an IS-IS GR Session

By setting Intermediate System to Intermediate System (IS-IS) graceful restart (GR) parameters,
you can avoid temporary black holes on the network.
Context
The ATN that starts for the first time does not maintain the forwarding status. If the ATN restarts,
the LSPs generated when the ATN runs last time may exist in the link state database (LSDB) of
other ATNs in the network.
The sequence number of an LSP fragment is reinitialized when the ATN starts. Therefore, the
ATN considers that the previously advertised LSP stored on other ATNs is newer than the LSP
generated locally after the ATN starts. This leads to the temporary black hole in the network,
which lasts until the normal LSDB synchronization process finishes. The ATN then regenerates
its LSPs and advertises the LSPs with the highest sequence number.
When this ATN starts, if the neighbor of the ATN suppresses the advertisement of the adjacency
until this ATN advertises the updated LSPs, the preceding case can therefore be avoided.
Perform the following steps on the ATN that runs IS-IS:
Issue 02 (2013-12-31)

2420

Equipment
8 IP Routing
Procedure
Step 1 Run:
system-view

Step 2 Run:
isis [ process-id ]

Step 3 Run:
graceful-restart no-impact-holdtime
The holdtime of an IS-IS neighbor is configured to remain unchanged in IS-IS GR mode.

graceful-restart t2-interval interval-value
A value is configured for the T2 timer during the IS-IS GR.

The value of the T2 timer indicates the longest time during which the system waits for the LSDB
synchronization. Each Level-1 or Level-2 router maintains a T2 timer and disables it after the
LSDB synchronization among Level-1 or Level-2 routers ends. If LSDBs are not synchronized
yet when the T2 timer expires, the GR fails.
By default, the value of the T2 timer is 60 seconds. Keeping the default value is recommended.
graceful-restart interval interval-value
A value is configured for the T3 timer during the IS-IS GR.

The value of the T3 timer indicates the longest time that a GR lasts. A router disables the T3
timer after the LSDB synchronization ends in all areas. If LSDBs are not synchronized yet when
the T3 timer expires, the GR fails.
By default, the value of the T3 timer is 300 seconds. Keeping the default value is recommended.
During a GR, an IS-IS neighbor of the restarter sets the value of the T3 timer to the holdtime of
the neighbor relationship between them, which prevents routes from being recalculated on the
whole network due to a neighbor disconnection during the GR.
graceful-restart suppress-sa
The GR restarter is configured to suppress the Suppress-Advertisement (SA) bit of the restart
TLV.
The SA bit determines whether a neighbor (GR helper) advertises the neighbor relationship with
the restarter. The helper suppresses the advertisement of the neighbor relationship with the
restarter until the helper receives a packet in which SA is set to 0. By default, the SA bit is not
suppressed.
----End
Issue 02 (2013-12-31)

2421

Equipment
8 IP Routing

After configuring IS-IS GR, you can check the IS-IS GR status and parameters.
Prerequisites
The configurations of IS-IS GR are complete.
Procedure
Step 1 Run display isis graceful-restart status [ level-1 | level-2 ] [ process-id | vpn-instance vpninstance-name ] command to check the status of IS-IS GR.
----End
8.7.17 Improving Security of an IS-IS Network

On a network that requires high security, you can configure IS-IS authentication or optional
checksum to improve the security of the IS-IS network.
Before You Start

Before configuring authentication or optional checksum on an Intermediate System to
Intermediate System (IS-IS) network, familiarize yourself with the usage scenario, complete the
In a network that has a high requirement for security, you can configure IS-IS authentication or
optional checksum to improve security of the IS-IS network.
l
IS-IS authentication encapsulates authentication information into Hello packets, Link State
Protocol Data Units (LSPs), and Sequence Number Protocol Data Units (SNPs). After an
IS-IS device receives the packets, it checks whether the encapsulated authentication
information is correct. The IS-IS device only accepts the packets with correct authentication
information. The authentication mechanism enhances IS-IS network security. IS-IS
authentication consists of area authentication, routing domain authentication, and interface
authentication.
IS-IS authentication ensures that the data is correctly transmitted at the network layer.
IS-IS optional checksum encapsulates checksum Type-Length-Values (TLVs) into SNPs

and Hello packets. After an IS-IS device receives the packets, it checks whether the
checksum TLVs are correct. The IS-IS device only accepts the packets with correct
checksum TLVs. The authentication mechanism enhances IS-IS network security.
IS-IS optional checksum ensures that the data is correctly transmitted at the link layer.
Before configuring IS-IS authentication, complete the following tasks:
l
Issue 02 (2013-12-31)
Configure IP addresses of interfaces to make neighboring nodes reachable.

2422

Equipment
8 IP Routing
Data Preparation
To configure IS-IS authentication, you need the following data.
No.
Data
Authentication mode and password used in the authentication
Configuring IS-IS Authentication

After Intermediate System to Intermediate System (IS-IS) authentication is configured,
authentication information can be encapsulated into Link State Protocol Data Units (LSPs) and
Sequence Number Protocol Data Units (SNPs) to ensure the packet transmission security. By
default, authentication is not configured for IS-IS. Configuring authentication is recommended
to ensure system security.
Context
By default, sent IS-IS packets are not encapsulated with authentication information, and received
packets are not authenticated. In order to avoid malicious text attack network, configuring ISIS authentication helps to improve the network security. Three IS-IS authentication modes and
the usage scenarios are as follows:
l
Area authentication: Authentication passwords are encapsulated into IS-IS packets in

Level-1 areas. The receiver only accepts the packets that have been authenticated.
Therefore, you need to configure IS-IS area authentication to authenticate packets in
Level-1 areas.
Routing domain authentication: Authentication passwords are encapsulated into IS-IS

packets in Level-2 areas. The receiver only accepts the packets that have been authenticated.
Therefore, you need to configure IS-IS routing domain authentication to authenticate
packets in Level-2 areas.
Interface authentication: The authentication information is encapsulated into IS-IS Hello

packets. The neighboring can establish a neighbor relationship with the local router after
IS-IS Hello packets can be authenticated. Therefore, you need to configure interface
authentication to ensure validity and correctness of neighbor relationships.
NOTE
In configuring IS-IS authentication, the authentication modes and passwords of all devices in the same area
or routing domain must be consistent. Otherwise, IS-IS packets cannot be normally flooded.
An IS-IS neighbor relationship cannot be established if interface authentication fails. An IS-IS neighbor
relationship can be established regardless of whether IS-IS area or routing domain authentication succeeds.
When configuring an authentication password, select the ciphertext mode becasue the password is saved
in configuration files in plaintext if you select plaintext mode, which has a high risk. To ensure device
security, change the password periodically.
Procedure
l
Configure IS-IS area authentication.

1.
Run:
system-view
Issue 02 (2013-12-31)

2423

Equipment
8 IP Routing

2.
Run:
isis [ process-id ]

3.
Run:
area-authentication-mode { simple { [ plain ] plain-text | cipher plaincipher-text } | md5 { [ cipher ] plain-cipher-text | plain plain-text } }
[ ip | osi ] [ snp-packet { authentication-avoid | send-only } | all-sendonly ]
or
area-authentication-mode keychain keychain-name [ snp-packet
{ authentication-avoid | send-only } | all-send-only ]
or
area-authentication-mode hmac-sha256 key-id key-id { plain plain-text |
[ cipher ] plain-cipher-text } [ snp-packet { authentication-avoid | sendonly } | all-send-only ]
The area authentication mode is configured.
NOTICE
If the area-authentication-mode command is run, all Level-1 LSPs in the local LSDB
that fail to be authenticated and the newly received Level-1 LSPs and SNPs that fail
to be authenticated will be discarded. Therefore, to prevent the original Level-1 LSPs
from being discarded, specify send-only in the command.
The MD5 authentication password that starts and ends with $@$@ is invalid, because
$@$@ is used to distinguish old and new passwords.
IS-IS authentication involves the following situations:
Authentication information is encapsulated in the sent LSPs and SNPs. The
received LSPs and SNPs should pass the authentication, and the ones that do not
pass the authentication are discarded. In this case, snp-packet or all-send-only is
inapplicable.
Authentication information is encapsulated in the sent LSPs and received LSPs are
checked; however, authentication information is not encapsulated in the sent SNPs
and the received SNPs are not checked. In this case, snp-packet authenticationavoid needs to be configured.
received LSPs are checked and the received SNPs are not checked. In this case,
snp-packet send-only needs to be configured.
Authentication information is encapsulated in the sent LSPs and SNPs and the
received LSPs and SNPs are not checked. In this case, all-send-only needs to be
configured.
l
Configure IS-IS routing domain authentication.

1.
Run:
system-view

Issue 02 (2013-12-31)

2424

Equipment
2.
8 IP Routing
Run:
isis [ process-id ]

3.
Run:
domain-authentication-mode { simple { [ plain ] plain-text | cipher plaincipher-text } | md5 { [ cipher ] plain-cipher-text | plain plain-text } }
[ ip | osi ] [ snp-packet { authentication-avoid | send-only } | all-sendonly ]
or
domain-authentication-mode keychain keychain-name [ snp-packet
{ authentication-avoid | send-only } | all-send-only ]
or
domain-authentication-mode hmac-sha256 key-id key-id { plain plain-text |
[ cipher ] plain-cipher-text } [ snp-packet { authentication-avoid | sendonly } | all-send-only ]
The routing domain authentication mode is configured.
NOTICE
If the domain-authentication-mode command is run, all Level-2 LSPs in the local
LSDB that fail to be authenticated and the newly received Level-2 LSPs and SNPs
that fail to be authenticated will be discarded. Therefore, to prevent the original
Level-2 LSPs from being discarded, specify send-only in the command.
The MD5 authentication password that starts and ends with $@$@ is invalid, because
$@$@ is used to distinguish old and new passwords.
IS-IS authentication involves the following situations:
received LSPs and SNPs should pass the authentication, and the ones that do not
pass the authentication are discarded. In this case, snp-packet or all-send-only is
inapplicable.
Authentication information is encapsulated in the sent LSPs and received LSPs are
checked; however, authentication information is not encapsulated in the sent SNPs
and the received SNPs are not checked. In this case, snp-packet authenticationavoid needs to be configured.
received LSPs are checked and the received SNPs are not checked. In this case,
snp-packet send-only needs to be configured.
Authentication information is encapsulated in the sent LSPs and SNPs and the
received LSPs and SNPs are not checked. In this case, all-send-only needs to be
configured.
l
Configure IS-IS interface authentication.

1.
Run:
system-view

2.
Run:
Issue 02 (2013-12-31)

2425

Equipment
8 IP Routing

3.
Run:
isis authentication-mode { simple { [ plain ] plain-text | cipher plaincipher-text } | md5 { [ cipher ] plain-cipher-text | plain plain-text } }
[ Level-1 areas | level-2 ] [ ip | osi ] [ send-only ]
Or
isis authentication-mode keychain keychain-name [ Level-1 areas |
level-2 ] [ send-only ]
or
isis authentication-mode hmac-sha256 key-id key-id { plain plain-text |
[ cipher ] plain-cipher-text } [ level-1 | level-2 ] [ send-only ]
The IS-IS authentication mode and password are configured on the interface.
When you select parameters, note the following rules:
If send-only is specified correctly, the ATN only encapsulates the sent Hello
packets with authentication information rather than checks whether the received
Hello packets pass authentication. The neighbor relationships can be set up when
the authentication is not necessary or packets pass the authentication.
If send-only is not configured, ensure that passwords of all interfaces with the
same level in the same network are consistent.
Level-1 areas and level-2 can be set only on Ethernet interfaces.
When IS-IS interfaces are Level-1-2 interfaces and Level-1 areas or level-2 is not
specified in the command, authentication modes and passwords are configured for
both Level-1 areas and Level-2 Hello packets.
----End
Configuring the Optional Checksum

The optional checksum encapsulates optional checksum Type-Length-Values (TLVs) into
Sequence Number Protocol Data Units (SNPs) and Hello packets to ensure packet correctness,
improving network security.
Context
The optional checksum encapsulates optional checksum TLVs into the Complete Sequence
Numbers Protocol Data Units (CSNPs), Partial Sequence Number Protocol Data Units (PSNPs),
and Hello packets sent by IS-IS devices. When the peer device receives the encapsulated packets,
it checks whether TLVs carried in the packets are correct. If TLVs are not correct, the peer device
discards the packets for network security.
Procedure
Step 1 Run:
system-view

Step 2 Run:
isis
An IS-IS process is created and the IS-IS view is displayed.

Issue 02 (2013-12-31)

2426

Equipment
8 IP Routing
Step 3 Run:
optional-checksum enable
IS-IS optional checksum is enabled.

NOTE
If MD5 authentication or Keychain authentication with valid MD5 authentication is configured on an ISIS interface or area, IS-IS devices send Hello packets and SNP packets carrying no checksum TLVs and
verify the checksum of the received packets.
----End

By configuring various IS-IS authentication modes, you can improve the security of the IS-IS
network.
Prerequisites
The configurations of Improving Security of an IS-IS Network are complete.
Procedure
Step 1 Run display isis peer [ verbose ] [ process-id | vpn-instance vpn-instance-name ] command to
check information about the IS-IS neighbor.
----End
8.7.18 Maintaining IS-IS

Maintaining IS-IS involves resetting IS-IS and clearing IS-IS statistics.
Resetting IS-IS Data Structure

By restarting IS-IS, you can reset IS-IS. You can also reset IS-IS in GR mode.
Context
NOTICE
The IS-IS data structure cannot be restored after you reset it. All the previous structure
information and the neighbor relationship are reset. Exercise caution when running this
command.
To clear the IS-IS data structure, run the following reset command in the user view.
Procedure
Step 1 Run reset isis all [ [ process-id | vpn-instance vpn-instance-name ] | graceful-restart ] *
command to reset the IS-IS data structure.
Issue 02 (2013-12-31)

2427

Equipment
8 IP Routing
By default, the IS-IS data structure is not reset.

----End
Resetting a Specific IS-IS Neighbor

By restarting IS-IS neighbors, you can reset the IS-IS neighbor relationship, and therefore make
the new configuration take effect.
Context
NOTICE
The specified IS-IS neighbor relationship is deleted after you reset a specified IS-IS neighbor
by using the reset isis peer command. Exercise caution when running this command.
After the IS-IS routing policy or the protocol changes, you can reset a specific IS-IS neighbor
to validate the new configuration.
To reset a specific IS-IS neighbor, run the following reset command in the user view.
Procedure
Step 1 Run reset isis peer system-id [ process-id | vpn-instance vpn-instance-name ] command to reset
a specific IS-IS neighbor.
----End

This section provides several configuration examples of IS-IS. The configuration examples
explain networking requirements, configuration notes, and configuration roadmap.
Example for Configuring Basic IS-IS Functions

This part provides an example for interconnecting IPv4 networks through IS-IS.
l
ATN-A, CX-B, CX-C, and CX-D belong to the same AS. IS-IS is enabled on the devices
to implement interconnection in the IP network.
The area addresses of ATN-A, CX-B, and CX-C are all 10, and the area address of CX-D
is 20.
ATN-A and CX-B are Level-1 routers, CX-C is a Level-1-2 router. CX-D is a Level-2
router.
Issue 02 (2013-12-31)

2428

Equipment
8 IP Routing
Figure 8-24 Networking diagram for configuring basic IS-IS functions
IS-IS
Area10
GE0/2/0
GE1/0/0
10.1.1.2/24 10.1.1.1/24
POS3/0/0
192.168.0.1/24
POS2/0/0 CX-C
10.1.2.1/24 L1/2
ATN-A
L1
POS1/0/0
10.1.2.2/24
CX-D
L2
GE2/0/0
172.16.1.1/16
POS1/0/0
192.168.0.2/24
IS-IS
Area20
CX-B
L1
1.
Enable IS-IS on each device, configure the levels of routers, and specify an NET.
2.
Set ATN-A and CX-C to authenticate Hello packets in specified mode and with the
specified password.
3.
Check the IS-IS database and the routing table of each device.
Data Preparation
l
Area addresses of ATN-A, CX-B, CX-C and CX-D
Levels of ATN-A, CX-B, CX-C, and CX-D
Procedure
Step 2 Configure basic IS-IS functions.
# Configure ATN-A.
[ATN-A] isis 1
[ATN-A-isis-1] is-level level-1
[ATN-A-isis-1] network-entity 10.0000.0000.0001.00
[ATN-A-isis-1] quit
[ATN-A] interface GigabitEthernet0/2/0
[ATN-A-GigabitEthernet0/2/0] isis enable 1
Issue 02 (2013-12-31)

2429

Equipment
8 IP Routing
# Configure CX-B.
[CX-B] isis 1
[CX-B-isis-1] is-level level-1
[CX-B-isis-1] network-entity 10.0000.0000.0002.00
[CX-B-isis-1] quit
[CX-B] interface Pos 1/0/0
[CX-B-Pos1/0/0] isis enable 1
[CX-B-Pos1/0/0] quit
# Configure CX-C.
[CX-C] isis 1
[CX-C-isis-1] network-entity 10.0000.0000.0003.00
[CX-C-isis-1] quit
[CX-C] interface GigabitEthernet 1/0/0
[CX-C-GigabitEthernet1/0/0] isis enable 1
[CX-C] interface Pos 2/0/0
[CX-C-Pos2/0/0] isis enable 1
[CX-C-Pos2/0/0] quit
[CX-C] interface Pos 3/0/0
# Configure CX-D.
[CX-D] isis 1
[CX-D-isis-1] is-level level-2
[CX-D-isis-1] network-entity 20.0000.0000.0004.00
[CX-D-isis-1] quit
[CX-D-GigabitEthernet2/0/0] isis enable 1
[CX-D] interface Pos 1/0/0
[CX-D-Pos1/0/0] isis enable 1
[CX-D-Pos1/0/0] quit
Step 3 Configure the authentication mode and password for ATN-A and CX-C to authenticate Hello
packets.
# Configure ATN-A.
[ATN-A] interface Gigabit Ethernet 0/2/0
[ATN-A-GigabitEthernet0/2/0] isis authentication-mode md5 huawei
# Configure CX-C.
[CX-C] interface GigabitEthernet1/0/0
[CX-C-GigabitEthernet1/0/0] isis authentication-mode md5 huawei

# Display the IS-IS LSDB of each device.
[ATN-A] display isis lsdb
LSPID
Seq Num
Checksum
Holdtime
Length ATT/P/OL
------------------------------------------------------------------------0000.0000.0001.00-00* 0x00000006
0xbf7d
649
68
0/0/0
0000.0000.0002.00-00 0x00000003
0xef4d
545
68
0/0/0
0000.0000.0003.00-00 0x00000008
0x3340
582
111
1/0/0
[CX-B] display isis lsdb
Issue 02 (2013-12-31)

2430

Equipment
8 IP Routing

LSPID
Seq Num
Checksum
Holdtime
Length ATT/P/OL
------------------------------------------------------------------------0000.0000.0001.00-00 0x00000006
0xbf7d
642
68
0/0/0
0000.0000.0002.00-00* 0x00000003
0xef4d
538
68
0/0/0
0000.0000.0003.00-00 0x00000008
0x3340
574
111
1/0/0
[CX-C] display isis lsdb
LSPID
Seq Num
Checksum
Holdtime
Length ATT/P/OL
------------------------------------------------------------------------0000.0000.0001.00-00 0x00000006
0xbf7d
638
68
0/0/0
0000.0000.0002.00-00 0x00000003
0xef4d
533
68
0/0/0
0000.0000.0003.00-00* 0x00000008
0x3340
569
111
1/0/0
LSPID
Seq Num
Checksum
Holdtime
Length ATT/P/OL
------------------------------------------------------------------------0000.0000.0003.00-00* 0x00000008
0x55bb
650
100
0/0/0
0000.0000.0004.00-00 0x00000005
0x651
629
84
0/0/0
[CX-D] display isis lsdb
LSPID
Seq Num
Checksum
Holdtime
Length ATT/P/OL
------------------------------------------------------------------------0000.0000.0003.00-00 0x00000008
0x55bb
644
100
0/0/0
0000.0000.0004.00-00* 0x00000005
0x651
624
84
0/0/0
# Display the IS-IS routing information of each device. A default route must exist in the Level-1
routing table and the next hop is a Level-1-2 router. A Level-2 router must have all Level-1 and
Level-2 routes.
[ATN-A] display isis route
-------------------------------IPV4 Destination
IntCost
NextHop
Flags
------------------------------------------------------------------------10.1.1.0/24
10
NULL
GE0/2/0
Direct
D/-/L/10.1.2.0/24
20
NULL
GE0/2/0
10.1.1.1
A/-/L/192.168.0.0/24
20
NULL
GE0/2/0
10.1.1.1
A/-/L/0.0.0.0/0
10
NULL
GE0/2/0
10.1.1.1
U-Up/Down Bit Set
[CX-C] display isis route
-------------------------------IPV4 Destination
IntCost
NextHop
Flags
------------------------------------------------------------------------10.1.1.0/24
10
NULL
GE1/0/0
Direct
D/-/L/10.1.2.0/24
10
NULL
P2/0/0
Direct
D/-/L/192.168.0.0/24
10
NULL
P3/0/0
Direct
Issue 02 (2013-12-31)

2431

Equipment
8 IP Routing
U-Up/Down Bit Set

ISIS(1) Level-2 Forwarding Table
-------------------------------IPV4 Destination
IntCost
NextHop
Flags
------------------------------------------------------------------------10.1.1.0/24
10
NULL
GE1/0/0
Direct
D/-/L/10.1.2.0/24
10
NULL
P2/0/0
Direct
D/-/L/192.168.0.0/24
10
NULL
P3/0/0
Direct
D/-/L/172.16.0.0/16
20
NULL
P3/0/0
192.168.0.2
U-Up/Down Bit Set
[CX-D] display isis route
-------------------------------IPV4 Destination
IntCost
NextHop
Flags
------------------------------------------------------------------------192.168.0.0/24
10
NULL
P3/0/0
Direct
D/-/L/10.1.1.0/24
20
NULL
P3/0/0
192.168.0.1
A/-/L/10.1.2.0/24
20
NULL
P3/0/0
192.168.0.1
A/-/L/172.16.0.0/16
10
NULL
GE2/0/0
Direct
U-Up/Down Bit Set
----End
Configuration Files
l

#
sysname ATN-A
#
isis 1
is-level level-1
network-entity 10.0000.0000.0001.00
#
ip address 10.1.1.2 255.255.255.0
isis enable 1
isis authentication-mode md5 huawei
#
return

#
sysname CX-B
#
isis 1
is-level level-1
network-entity 10.0000.0000.0002.00
#
interface Pos1/0/0
link-protocol ppp
ip address 10.1.2.2 255.255.255.0
isis enable 1
#
return

#
sysname CX-C
#
isis 1
network-entity 10.0000.0000.0003.00
#
Issue 02 (2013-12-31)

2432

Equipment
8 IP Routing
ip address 10.1.1.1 255.255.255.0
isis enable 1
isis authentication-mode md5 huawei
#
interface Pos2/0/0
link-protocol ppp
ip address 10.1.2.1 255.255.255.0
isis enable 1
#
interface Pos3/0/0
link-protocol ppp
ip address 192.168.0.1 255.255.255.0
isis enable 1
#
return

#
sysname CX-D
#
isis 1
is-level level-2
network-entity 20.0000.0000.0004.00
#
ip address 172.16.1.1 255.255.0.0
isis enable 1
#
interface Pos1/0/0
link-protocol ppp
ip address 192.168.0.2 255.255.255.0
isis enable 1
#
return
Example for Configuring the DIS Election of IS-IS

This part provides an example for specifying the DIS on a broadcast network.
l
CX-A, CX-B, ATN-C, and CX-D run IS-IS to implement interconnection in the network.
The four devices belong to area 10, and the network type is broadcast (Ethernet).
CX-A and CX-B are Level-1-2 routers, ATN-C is a Level-1 router, and CX-D is a Level-2
router.
The DIS priority of CX-A is 100.
You can change the DIS priority of the interface to configure CX-A as a Level-1-2 DIS.
Issue 02 (2013-12-31)

2433

Equipment
8 IP Routing
Figure 8-25 Configuring the DIS election of IS-IS
CX-A
L1/L2
CX-B
L1/L2
GE1/0/0
10.1.1.1/24
GE1/0/0
10.1.1.2/24
GE0/2/0
10.1.1.3/24
ATN-C
L1
GE1/0/0
10.1.1.4/24
CX-D
L2
1.
Enable IS-IS on each device and specify the network entity to implement interconnection.
2.
Check information about IS-IS interfaces on each device in the case of the default
preference.
3.
Configure the DIS priority of each device.
Data Preparation
l
Area addresses of device A, device B, device C and device D
Levels of device A, device B, device C and device D
DIS priority of CX-A
Procedure
Step 1 Configure an IPv4 address for each interface.
Step 2 Check the MAC address of the GE interface on each device.
# Check the MAC address of GigabitEthernet 1/0/0 on CX-A.
[CX-A] display arp interface gigabitethernet 1/0/0
IP ADDRESS
MAC ADDRESS EXPIRE(M) TYPE INTERFACE
Issue 02 (2013-12-31)

VPN-INSTANCE
2434

Equipment
8 IP Routing
VLAN PVC
------------------------------------------------------------------------10.1.1.1
00e0-fc10-afec
I
GE1/0/0
------------------------------------------------------------------------Total:1
Dynamic:0
Static:0
Interface:1
# Check the MAC address of GigabitEthernet1/0/0 on CX-B.

[CX-B] display arp interface gigabitethernet 1/0/0
IP ADDRESS
VPN-INSTANCE
VLAN PVC
------------------------------------------------------------------------10.1.1.2
00e0-fccd-acdf
I
GE1/0/0
------------------------------------------------------------------------Total:1
Dynamic:0
Static:0
Interface:1
# Check the MAC address of GigabitEthernet1/0/0 on ATN-C.

[ATN-C] display arp interface gigabitethernet 0/2/0
IP ADDRESS
VPN-INSTANCE
VLAN PVC
------------------------------------------------------------------------10.1.1.3
00e0-f100-25fe
I
GE0/2/0
------------------------------------------------------------------------Total:1
Dynamic:0
Static:0
Interface:1
# Check the MAC address of GigabitEthernet1/0/0 on CX-D.

[CX-D] display arp interface gigabitethernet 1/0/0
IP ADDRESS
VPN-INSTANCE
VLAN PVC
------------------------------------------------------------------------10.1.1.4
00e0-ff1d-305c
I
GE1/0/0
------------------------------------------------------------------------Total:1
Dynamic:0
Static:0
Interface:1
Step 3 Enable IS-IS.

# Configure CX-A.
[CX-A] isis 1
[CX-A-isis-1] network-entity 10.0000.0000.0001.00
[CX-A-isis-1] quit
[CX-A-GigabitEthernet1/0/0] isis enable 1
# Configure CX-B.
[CX-B] isis 1
[CX-B-isis-1] quit
[CX-B-GigabitEthernet1/0/0] isis enable 1
# Configure ATN-C.
[ATN-C] isis 1
[ATN-C-isis-1] network-entity 10.0000.0000.0003.00
[ATN-C-isis-1] is-level level-1
[ATN-C-isis-1] quit
[ATN-C] interface gigabitethernet 0/2/0
[ATN-C-GigabitEthernet0/2/0] isis enable 1
# Configure CX-D.
Issue 02 (2013-12-31)

2435

Equipment
8 IP Routing
[CX-D] isis 1
[CX-D-isis-1] network-entity 10.0000.0000.0004.00
[CX-D-isis-1] is-level level-2
[CX-D-isis-1] quit
[CX-D-GigabitEthernet1/0/0] isis enable 1
# Display the IS-IS neighbors of CX-A.

[CX-A] display isis peer
System Id
0000.0000.0002
0000.0000.0003
0000.0000.0002
0000.0000.0004
Interface
GE1/0/0
GE1/0/0
GE1/0/0
GE1/0/0

---------------------------Circuit Id
State HoldTime
0000.0000.0002.01
Up
9s
0000.0000.0002.01
Up
27s
0000.0000.0004.01
Up
28s
0000.0000.0004.01
Up
7s
Type
L1(L1L2)
L1
L2(L1L2)
L2
PRI
64
64
64
64
# Display the IS-IS interface of CX-A.

[CX-A] display isis interface
--------------------------------Interface
Id
IPV4.State
MTU Type DIS
GE1/0/0
001
Up
1497 L1/L2 No/No
# Display the IS-IS interface on CX-B.

[CX-B] display isis interface
--------------------------------Interface
Id
IPV4.State
MTU Type DIS
GE1/0/0
001
Up
1497 L1/L2 Yes/No
# Display the IS-IS interface of CX-D.

[CX-D] display isis interface
--------------------------------Interface
Id
IPV4.State
MTU Type DIS
GE1/0/0
001
Up
1497 L1/L2 No/Yes
NOTE
When the default DIS priority is used, the MAC address of the interface on CX-B is the largest one among
those of Level-1 routers. CX-B is thus the DIS of the Level-1 area. The MAC address of interface on CXD is the largest one among those of Level-2 routers. CX-D is the DIS of the Level-2 area. The Level-1 and
Level-2 pseudo nodes are 0000.0000.0002.01 and 0000.0000.0004.01 respectively.
Step 4 Configure the DIS priority of CX-A.

[CX-A-GigabitEthernet1/0/0] isis dis-priority 100
# Display the IS-IS neighbors of CX-A.

[CX-A] display isis peer
System Id
0000.0000.0002
0000.0000.0003
0000.0000.0002
0000.0000.0004
Interface
GE1/0/0
GE1/0/0
GE1/0/0
GE1/0/0

---------------------------Circuit Id
State
0000.0000.0001.01 Up
0000.0000.0001.01 Up
0000.0000.0001.01 Up
0000.0000.0001.01 Up
HoldTime
21s
27s
28s
30s
Type
L1(L1L2)
L1
L2(L1L2)
L2
PRI
64
64
64
64

# Display the IS-IS interface of CX-A.
Issue 02 (2013-12-31)

2436

Equipment
8 IP Routing
[CX-A] display isis interface

--------------------------------Interface
Id
IPV4.State
MTU Type DIS
GE1/0/0
001
Up
1497 L1/L2 Yes/Yes
NOTE
After the DIS priority of the IS-IS interface changes, CX-A becomes the DIS of the Level-1-2 area instantly
and its pseudo node is 0000.0000.0001.01.
# Display the IS-IS neighbors and IS-IS interfaces of CX-B.

[CX-B] display isis peer
System Id
0000.0000.0001
0000.0000.0003
0000.0000.0001
0000.0000.0004
[CX-B] display
Interface
GE1/0/0

---------------------------Interface
Circuit Id
State HoldTime
GE1/0/0
0000.0000.0001.01 Up
7s
GE1/0/0
0000.0000.0001.01 Up
25s
GE1/0/0
0000.0000.0001.01 Up
7s
GE1/0/0
0000.0000.0001.01 Up
25s
isis interface
--------------------------------Id
IPV4.State
MTU Type DIS
001
Up
1497 L1/L2 No/No
Type
L1(L1L2)
L1
L2(L1L2)
L2
PRI
100
64
100
64
# Display the IS-IS neighbors and interfaces of CX-D.

[CX-D] display isis peer
---------------------------System Id
Interface
Circuit Id
State HoldTime Type
0000.0000.0001 GE1/0/0
0000.0000.0001.01 Up
9s
L2
0000.0000.0002 GE1/0/0
0000.0000.0001.01 Up
28s
L2
[CX-D] display isis interface
--------------------------------Interface
Id
IPV4.State
MTU Type DIS
GE1/0/0
001
Up
1497 L1/L2 No/No
PRI
100
64
----End
Configuration Files
l

#
sysname CX-A
#
isis 1
network-entity 10.0000.0000.0001.00
#
ip address 10.1.1.1 255.255.255.0
isis enable 1
isis dis-priority 100
#
return

#
sysname CX-B
#
isis 1
network-entity 10.0000.0000.0002.00
#
Issue 02 (2013-12-31)

2437

Equipment
8 IP Routing
ip address 10.1.1.2 255.255.255.0

isis enable 1
#
return

#
sysname ATN-C
#
isis 1
is-level level-1
network-entity 10.0000.0000.0003.00
#
ip address 10.1.1.3 255.255.255.0
isis enable 1
#
return

#
sysname CX-D
#
isis 1
is-level level-2
network-entity 10.0000.0000.0004.00
#
ip address 10.1.1.4 255.255.255.0
isis enable 1
#
return
Example for Configuring IS-IS Load Balancing

This part provides an example for implementing load balancing through IS-IS.
l
ATNA, CX-B, CX-C, and CX-D run IS-IS to implement interconnection in the IP network.
ATNA, CX-B, CX-C, and CX-D are Level-2 routers in area 10.
Load balancing is required to transmit the traffic of ATNA to CX-D through CX-B and
CX-C.
Issue 02 (2013-12-31)

2438

Equipment
8 IP Routing
Figure 8-26 Networking diagram of configuring IS-IS load balancing
Area10
GE1/0/0
POS2/0/0
CX-B
L2
GE0/2/0
POS1/0/0
GE3/0/0
GE0/2/1
ATNA
L2
GE0/2/4
POS2/0/0
CX-D
L2
POS2/0/0
GE1/0/0
CX-C
L2
Device
Interface
IP Address
Device
Interface
IP Address
ATNA
GE 0/2/1
172.16.1.1/2
4
CX-C
GE 1/0/0
10.1.2.2/24
GE 0/2/0
10.1.1.1/24
POS 2/0/0
GE 0/2/4
10.1.2.1/24
192.168.1.1/
24
GE 1/0/0
10.1.1.2/24
GE 3/0/0
172.17.1.1/2
4
POS 2/0/0
192.168.0.1/
24
POS 1/0/0
192.168.0.2/
24
POS 2/0/0
192.168.1.2/
24
CX-B
CX-D
1.
Enable basic IS-IS functions on each device to implement interconnection.
2.
Cancel load balancing and check the routing table.
3.
Configure load balancing on ATNA and check the routing table of it.
4.
(Optional) Configure the preference for equal-cost routes on ATNA.
Issue 02 (2013-12-31)

2439

Equipment
8 IP Routing
Data Preparation
l
Levels and the area addresses of the four devices.
Number of load balancing paths on ATNA is 1.
Preference value of equal-cost routes on CX-C is 1.
Procedure
Step 1 Assign an IP address for each device.
Step 3 Cancel load balancing on ATNA.
[ATNA] isis 1
[ATNA-isis-1] maximum load-balancing 1
[ATNA-isis-1] quit
# Check the routing table of ATNA.

[ATNA] display isis route
-------------------------------IPV4 Destination
IntCost
NextHop
Flags
------------------------------------------------------------------------192.168.1.0/24
20
NULL
GE0/2/4
10.1.2.2
A/-/L/10.1.1.0/24
10
NULL
GE0/2/0
Direct
D/-/L/172.16.1.0/24
10
NULL
GE0/2/1
Direct
D/-/L/172.17.1.0/24
30
NULL
GE0/2/0
10.1.1.2
A/-/L/10.1.2.0/24
10
NULL
GE0/2/4
Direct
D/-/L/192.168.0.0/24
20
NULL
GE0/2/0
10.1.1.2
U-Up/Down Bit Set
As shown in the routing table, when the maximum number of equal-cost routes for load balancing
is set to 1, the next hop to network segment 172.17.2.0 is 10.1.1.2. This is because the system
ID of CX-B is small. IS-IS chooses the route with the next hop being 10.1.1.2 as the unique
optimal route.
Step 4 Restore the default number of load balancing paths on ATNA.
[ATNA] isis 1
[ATNA-isis-1] undo maximum load-balancing
[ATNA-isis-1] quit

-------------------------------IPV4 Destination
IntCost
NextHop
Flags
------------------------------------------------------------------------192.168.1.0/24
20
NULL
GE0/2/4
10.1.2.2
A/-/L/10.1.1.0/24
10
NULL
GE0/2/0
Direct
D/-/L/-
Issue 02 (2013-12-31)

2440

Equipment
172.16.1.0/24
172.17.1.0/24
10
30
8 IP Routing
NULL
NULL
GE0/2/1
Direct
D/-/L/GE0/2/0
10.1.1.2
A/-/L/GE0/2/4
10.1.2.2
10.1.2.0/24
10
NULL
GE0/2/4
Direct
D/-/L/192.168.0.0/24
20
NULL
GE0/2/0
10.1.1.2
As shown in the routing table, the default value is used when load balancing is canceled. The
two next hops of ATNA, that is, 10.1.1.2 (that is, CX-B) and 10.1.1.2 (that is, CX-C), are valid
routes. This is because the default value of the maximum equal-cost routes is 3.
NOTE
For different products and different protocols, the maximum number of equal-cost routes is different. You
can adjust the maximum number by purchasing the license.
Step 5 (Optional) Configure the preference of equal-cost routes on ATNA.

If you do not perform load balancing through CX-B and CX-C, configure the preference of the
equal-cost routes and specify the next hop.
[ATNA] isis
[ATNA-isis-1] nexthop 10.1.2.2 weight 1
[ATNA-isis-1] quit

-------------------------------IPV4 Destination
IntCost
NextHop
Flags
-------------------------------------------------------------------------------192.168.1.0/24
20
NULL
GE0/2/0
10.1.2.2
A/-/L/10.1.1.0/24
10
NULL
GE0/2/0
Direct
D/-/L/172.16.1.0/24
10
NULL
GE0/2/1
Direct
D/-/L/172.17.1.0/24
30
NULL
GE0/2/0
10.1.2.2
A/-/L/10.1.2.0/24
10
NULL
GE0/2/4
Direct
D/-/L/192.168.0.0/24
20
NULL
GE0/2/0
10.1.1.2
As shown in the routing table, because the preference (metric is 1) of next hop 10.1.2.2 (that is,
CX-C) is higher than that of next hop 10.1.1.2 (that is, CX-B), IS-IS chooses the route with the
next hop being 10.1.2.2 as the optimal route.
----End
Configuration Files
l

#
sysname ATNA
#
isis 1
is-level level-2
network-entity 10.0000.0000.0001.00
#
ip address 172.16.1.1 255.255.255.0
isis enable 1
#
Issue 02 (2013-12-31)

2441

Equipment
8 IP Routing
ip address 10.1.1.1 255.255.255.0
isis enable 1
#
ip address 10.1.2.1 255.255.255.0
isis enable 1
#
return

#
sysname CX-B
#
isis 1
is-level level-2
network-entity 10.0000.0000.0002.00
#
ip address 10.1.1.2 255.255.255.0
isis enable 1
#
interface Pos2/0/0
link-protocol ppp
ip address 192.168.0.1 255.255.255.0
isis enable 1
#
return

#
sysname CX-C
#
isis 1
is-level level-2
network-entity 10.0000.0000.0003.00
#
ip address 10.1.2.2 255.255.255.0
isis enable 1
#
interface Pos2/0/0
link-protocol ppp
ip address 192.168.1.1 255.255.255.0
isis enable 1
#
return

#
sysname CX-D
#
isis 1
is-level level-2
network-entity 10.0000.0000.0004.00
#
ip address 172.17.1.1 255.255.255.0
isis enable 1
#
interface POS1/0/0
link-protocol ppp
ip address 192.168.0.2 255.255.255.0
isis enable 1
#
interface POS2/0/0
link-protocol ppp
Issue 02 (2013-12-31)

2442

Equipment
8 IP Routing
ip address 192.168.1.2 255.255.255.0

isis enable 1
#
return
Example for Configuring IS-IS Fast Convergence

This part provides an example for implementing fast route convergence by adjusting IS-IS
timers.
l
ATN-A and CX-B run IS-IS.
ATN-A and CX-B belong to area 10. They are Level-2 routers.
A Layer 2 switch, which need not be configured, connects ATN-A and CX-B.
Figure 8-27 Networking diagram of IS-IS fast convergence
GE1/0/0
100.1.1.2/24
GE0/2/0
ATN-A 100.1.1.1/24
CX-B
1.
Enable basic IS-IS functions on each device.
2.
Enable BFD on ATN-A and CX-B.
3.
Set the time parameters of fast convergence on ATN-A and CX-B.
Data Preparation
To configure IS-IS fast convergence, you need the following data:
l
Levels and area addresses of the two devices
Time parameters of fast convergence
Procedure
# Configure ATN-A.
Issue 02 (2013-12-31)

2443

Equipment
8 IP Routing
[ATN-A] isis 1
[ATN-A-isis-1] quit
[ATN-A] interface gigabitethernet 0/2/0
# Configure CX-B.
[CX-B] isis 1
[CX-B-isis-1] quit
Step 3 Simulate the link in the Down state on CX-B. View the neighbor status and the time of route
calculation on ATN-A.
# Enable the debugging on ATN-A and output information to the VTY tunnel.
[ATN-A]
[ATN-A]
<ATN-A>
<ATN-A>
<ATN-A>
info-center source bfd channel 1 log level debugging state on

quit
debugging isis spf-summary
terminal debugging
terminal monitor
Run the shutdown command on GE 1/0/0 of CX-B.

[CX-B-GigabitEthernet1/0/0] shutdown
# View the information about neighbors of ATN-A.

<ATN-A> display isis peer
System Id
Interface
0000.0000.0002 GE0/2/0

---------------------------Circuit Id
State
0000.0000.0001.01
Up
HoldTime
7s
Type
L2
PRI
64
After the link goes Down, the system does not immediately advertise that the neighbor becomes
invalid but deletes the neighbor after the Holdtime timer times out, and then starts route
calculation. You can view the time of the SPF calculation through the following debugging
information.
*0.670620 ATN-A ISIS/6/ISIS:

Signal SPF at Sec = 00670, MSec = 620.
ISpf starts at Sec = 00670, MSec = 680.ISIS-1-SPF-STATS: RT Calculation: Elaps
ed time: 0 Milliseconds(IS09_8227)
ISIS-1-SPF-PRC: Received L2 System Change Event for 0000.0000.0001.01, Change =
2(IS10_7213)
2(IS10_7213)
Issue 02 (2013-12-31)

2444

Equipment
8 IP Routing

ISpf ends(and prc starts) at Sec = 00670, MSec = 680.
Prc job starts to run at Sec = 00670, MSec = 680.ISIS-1-SPF-PRC: Processing Mt
0, L2 LSPs of System :0000.0000.0002, Change Type = 2(IS10_7649)
In the Holdtime period, packets cannot correctly reach the destination because the route passing
through GE 1/0/0 is discarded. You then need to enable BFD and set the time parameters of fast
convergence. The devices can quickly sense the changes of the topology and recalculate routes
when the network changes.
Step 4 Restart the interface on CX-B to make the link become Up.
# Run the undo shutdown command on GE1/0/0 of CX-B.
Step 5 Configure BFD.

# Configure ATN-A.
[ATN-A] bfd
[ATN-A-bfd] quit
[ATN-A] bfd atob bind peer-ip 100.1.1.2 interface gigabitethernet 0/2/0
[ATN-A-bfd-session-atob] discriminator local 1
[ATN-A-bfd-session-atob] discriminator remote 2
[ATN-A-bfd-session-atob] commit
[ATN-A-bfd-session-atob] quit
[ATN-A-GigabitEthernet0/2/0] isis bfd static
# Configure CX-B.
[CX-B] bfd
[CX-B-bfd] quit
[CX-B] bfd btoa bind peer-ip 100.1.1.1 interface gigabitethernet 1/0/0
[CX-B-bfd-session-btoa] discriminator local 2
[CX-B-bfd-session-btoa] discriminator remote 1
[CX-B-bfd-session-btoa] commit
[CX-B-bfd-session-btoa] quit
[CX-B-GigabitEthernet1/0/0] isis bfd static
Step 6 Set the time parameters of fast convergence.

# Configure ATN-A.
[ATN-A] isis
[ATN-A-isis-1]
[ATN-A-isis-1]
[ATN-A-isis-1]
[ATN-A-isis-1]
flash-flood
timer spf 1 20 100
timer lsp-generation 1 1 120
quit
# Configure CX-B.
[CX-B] isis
[CX-B-isis-1] flash-flood
[CX-B-isis-1] timer spf 1 20 100
Issue 02 (2013-12-31)

2445

Equipment
8 IP Routing
[CX-B-isis-1] timer lsp-generation 1 1 120

[CX-B-isis-1] quit
NOTE
l In IS-IS, if LSDB changes, routes are calculated and then a new LSP is generated to report this change.
Frequent route calculations consume lots of system resources and degrades the system performance.
Delaying SPF calculation, generating a new LSP time, and LSP fast flooding improves the efficiency
in route calculation and reduces the consumption of system resources.
l Using the flash-flood command, you can enable LSP fast flooding to speed up the convergence of an
IS-IS network.
l Run the timer spf command to set the interval of the SPF calculation. By default, the interval is 5
seconds.
l Run the timer lsp-generation command to set the delay for generating an LSP. By default, the delay
is 2 seconds.

# Run the shutdown command on GE 1/0/0 of CX-B to simulate the link in the Down state.
# View the information about neighbors of ATN-A.

<ATN-A> display isis peer
Information about neighbors of ATN-A does not exist.

When BFD detects that the link goes Down, it notifies the route management (RM) module
immediately. IS-IS then deletes neighbors immediately and triggers the route calculation. This
results in the fast convergence of the network. You can view that the time of the SPF calculation
is shortened by comparing debugging information displayed before and after fast convergence.
Prc job completed at Sec = 00962, MSec = 280.
# The initial interval for the ISPF calculation is shortened to 20 ms.

ISpf starts at Sec = 01318, MSec = 820.ISIS-1-SPF-STATS: RT Calculation: Elaps
ed time: 0 Milliseconds(IS09_8227)
2(IS10_7213)
2(IS10_7213)

ISpf ends(and prc starts) at Sec = 01318, MSec = 820.
Prc job starts to run at Sec = 01318, MSec = 820.ISIS-1-SPF-PRC: Processing Mt
Issue 02 (2013-12-31)

2446

Equipment
8 IP Routing
0, L2 LSPs of System :0000.0000.0002, Change Type = 2(IS10_7649)

----End
Configuration Files
l

#
sysname ATN-A
#
info-center source BFD channel 1 log level debugging
#
bfd
#
isis 1
is-level level-2
timer lsp-generation 1 1 120 level-1
network-entity 10.0000.0000.0001.00
flash-flood
timer spf 1 20 100
#
ip address 100.1.1.1 255.255.255.0
isis enable 1
isis bfd static
#
commit
#
return

#
sysname CX-B
#
bfd
#
isis 1
is-level level-2
network-entity 10.0000.0000.0002.00
flash-flood
timer spf 1 20 100
#
ip address 100.1.1.2 255.255.255.0
isis enable 1
isis bfd static
#
commit
#
return
Issue 02 (2013-12-31)

2447

Equipment
8 IP Routing
Example for Configuring IS-IS GR

This part provides an example for implementing nonstop packet forwarding when master-slave
switchover occurs on the device that runs IS-IS.
In the network shown in Figure 8-28, ATN-A, CX-B, and CX-C belong to the same AS. Network
interconnection is implemented through IS-IS and the GR mechanism is provided.
After IS-IS adjacencies are set up between ATN-A, CX-B, and CX-C, the three devices start to
exchange routing information. When IS-IS on ATN-A restarts, ATN-A resends connection
requests to neighbors to synchronize the LSDB.
Figure 8-28 Networking diagram for configuring IS-IS GR
GE0/2/0
100.1.1.1/24
GE1/0/0
100.1.1.2/24
POS2/0/0
100.2.1.1/24
CX-B
ATN-A
POS1/0/0
100.2.1.2/24 CX-C
1.
Configure GR in the IS-IS views of all the devices.
2.
Set the same restart interval in the IS-IS views of all the devices.
Data Preparation
l
IS-IS process number
Restart interval
Procedure
Step 2 Configure the basic IS-IS functions.
Step 3 Configure IS-IS GR.
# Enable IS-IS GR on ATN-A and set the restart interval. The configurations of CX-B and CXC are the same as the configuration of ATN-A. Take the configuration of ATN-A as an example.
[ATN-A] isis 1
Issue 02 (2013-12-31)

2448

Equipment
8 IP Routing
[ATN-A-isis-1] graceful-restart
[ATN-A-isis-1] graceful-restart interval 150

# Run the display fib command on ATN-A to view the Forwarding Information Base (FIB)
table.
<ATN-A> display fib
FIB Table:
Total number of Routes : 6
Destination/Mask
Nexthop
127.0.0.1/32
127.0.0.1
127.0.0.0/8
127.0.0.1
100.1.1.1/32
127.0.0.1
100.1.1.0/24
100.1.1.1
100.1.1.2/32
100.1.1.2
100.2.1.0/24
100.1.1.2
Flag TimeStamp
HU
t[21]
U
t[21]
HU
t[20678]
U
t[20678]
HU
t[20678]
DGU t[79388]
Interface
InLoop0
InLoop0
InLoop0
GE0/2/0
GE0/2/0
GE0/2/0
TunnelID
0x0
0x0
0x0
0x0
0x0
0x0
# Restart the IS-IS process on ATN-A in GR mode.

<ATN-A> reset isis all graceful-restart
NOTE
A device restarts an IS-IS process in GR mode only when GR is enabled in the IS-IS process.
# Run the display fib command on ATN-A, and view the FIB table to check whether GR works
normally. If GR works normally, the FIB table does not change and the forwarding service is
not affected when ATN-A restarts the IS-IS process in GR mode.
<ATN-A> display fib
FIB Table:
Destination/Mask
Nexthop
127.0.0.1/32
127.0.0.1
127.0.0.0/8
127.0.0.1
100.1.1.1/32
127.0.0.1
100.1.1.0/24
100.1.1.1
100.1.1.2/32
100.1.1.2
100.2.1.0/24
100.1.1.2
Flag TimeStamp
HU
t[21]
U
t[21]
HU
t[20678]
U
t[20678]
HU
t[20678]
DGU t[79388]
Interface
InLoop0
InLoop0
InLoop0
GE0/2/0
GE0/2/0
GE0/2/0
TunnelID
0x0
0x0
0x0
0x0
0x0
0x0
As shown in the display, the FIB table on ATN-A does not change and the forwarding service
is not affected.
# Disable IS-IS GR on ATN-A.
[ATN-A] isis 1
[ATN-A-isis-1] undo graceful-restart
# Restart the IS-IS process on ATN-A not in GR mode.

<ATN-A> reset isis all graceful-restart
# Run the display fib command on ATN-A immediately to view the FIB table.
<ATN-A> display fib
FIB Table:
Destination/Mask
Nexthop
127.0.0.1/32
127.0.0.1
127.0.0.0/8
127.0.0.1
100.1.1.1/32
127.0.0.1
100.1.1.0/24
100.1.1.1
100.1.1.2/32
100.1.1.2
Issue 02 (2013-12-31)
Flag TimeStamp
HU
t[21]
U
t[21]
HU
t[20678]
U
t[20678]
HU
t[20678]

Interface
InLoop0
InLoop0
InLoop0
GE0/2/0
GE0/2/0
TunnelID
0x0
0x0
0x0
0x0
0x0
2449

Equipment
8 IP Routing
As shown in the display, ATN-A does not restart the IS-IS process in GR mode; the FIB table
changes; compared with the IS-IS process in GR mode, the route to network segment 100.2.1.0
does not exist; service forwarding is affected.
----End
Configuration Files
l

#
sysname ATN-A
#
isis 1
graceful-restart
graceful-restart interval 150
is-level level-1
network-entity 10.0000.0000.0001.00
#
clock slave
ip address 100.1.1.1 255.255.255.0
isis enable 1
#
return

sysname CX-B
#
isis 1
graceful-restart
network-entity 10.0000.0000.0003.00
#
clock master
ip address 100.1.1.2 255.255.255.0
isis enable 1
#
interface Pos2/0/0
link-protocol ppp
clock master
ip address 100.2.1.1 255.255.255.0
isis enable 1
#
return

#
sysname CX-C
#
isis 1
graceful-restart
is-level level-2
network-entity 10.0000.0000.0002.00
#
interface Pos1/0/0
link-protocol ppp
clock slave
ip address 100.2.1.2 255.255.255.0
isis enable 1
#
return
Issue 02 (2013-12-31)

2450

Equipment
8 IP Routing
Example for Configuring Static BFD for IS-IS

This part provides an example for configuring static BFD for IS-IS to fast detect faults and report
them to IS-IS. In this manner, the fast switchover of service traffic is triggered.
As show in Figure 8-29:
l
A Layer 2 switch exists between ATN-A and CX-B.
ATN-A, CX-B and CX-C run IS-IS.
BFD is configured to detect the IS-IS neighbor relationship between ATN-A and CX-B.
When the link between ATN-A and CX-B is faulty, BFD can fast detect the default and
report it to IS-IS.
Figure 8-29 Networking diagram of configuring static BFD for IS-IS
GE0/2/0
100.1.1.1/24
GE1/0/0
100.1.1.2/24
ATN-A
POS2/0/0
100.2.1.1/24
CX-B
POS1/0/0
100.2.1.2/24 CX-C
NOTE
BFD for IS-IS cannot be used to detect the multi-hops link between ATN-A and CX-C, because the IS-IS
neighbor relationship cannot be established between ATN-A and CX-C.
1.
Enable basic IS-IS functions on each device.
2.
Enable BFD on ATN-A and CX-B.
Data Preparation
l
IS-IS process ID
Area addresses of ATN-A, CX-B, and CX-C
Levels of ATN-A, CX-B, and CX-C
Name of the BFD session set up between ATN-A and CX-B and the peer IP address to be
detected
Local and remote discriminators of the BFD session set up between ATN-A and CX-B
Procedure
Issue 02 (2013-12-31)

2451

Equipment
8 IP Routing

Step 2 Configuration basic IS-IS functions.
# Configure ATN-A.
[ATN-A] isis 1
[ATN-A-isis-1] network-entity aa.1111.1111.1111.00
[ATN-A-isis-1] quit
# Configure CX-B.
[CX-B] isis 1
[CX-B-isis-1] network-entity aa.2222.2222.2222.00
[CX-B-isis-1] quit
[CX-B] interface Pos 2/0/0
[CX-B-Pos2/0/0] isis enable 1
[CX-B-Pos2/0/0] quit
# Configure CX-C.
[CX-C] isis 1
[CX-C-isis-1] is-level level-2
[CX-C-isis-1] network-entity aa.3333.3333.3333.00
[CX-C-isis-1] quit
[CX-C] interface pos 1/0/0
After the preceding configurations, you can view that the neighbor relationship is established
between ATN-A and CX-B.
[ATN-A] display isis peer
System Id
Interface
2222.2222.2222 GE0/2/0

---------------------------Circuit Id
State HoldTime Type
001
Up
23s
L2
PRI
64
The IS-IS routing table of ATN-A has entries to CX-B and CX-C.
[ATN-A] display isis route
-------------------------------IPV4 Destination
IntCost
NextHop
Flags
------------------------------------------------------------------------100.1.1.0/24
10
NULL
GE0/2/0
Direct
D/-/L/100.2.1.0/24
20
NULL
GE0/2/0
100.1.1.2
Step 3 Configure BFD.

# Enable BFD on ATN-A and configure a BFD session.
[ATN-A] bfd
[ATN-A-bfd] quit
[ATN-A] bfd atob bind peer-ip 100.1.1.2 interface gigabitethernet 0/2/0
[ATN-A-bfd-session-atob] discriminator local 1
Issue 02 (2013-12-31)

2452

Equipment
8 IP Routing
[ATN-A-bfd-session-atob] discriminator remote 2

[ATN-A-bfd-session-atob] commit
[ATN-A-bfd-session-atob] quit
# Enable BFD on CX-B and configure a BFD session.

[CX-B] bfd
[CX-B-bfd] quit
[CX-B] bfd btoa bind peer-ip 100.1.1.1 interface gigabitethernet 0/2/0
[CX-B-bfd-session-btoa] discriminator local 2
[CX-B-bfd-session-btoa] discriminator remote 1
[CX-B-bfd-session-btoa] commit
[CX-B-bfd-session-btoa] quit
After the preceding configurations, you can view that the status of the BFD session is Up when
the display bfd session command is used on ATN-A or CX-B.
The display on ATN-A is as follows:
[ATN-A] display bfd session all
-----------------------------------------------------------------------Local Dis Remote Dis Peer IP Address Interface Name
State
Type
-----------------------------------------------------------------------1
2
100.1.1.2
GE0/2/0
Up
S_IP
-----------------------------------------------------------------------Total UP/DOWN Session Number : 1/0
Step 4 Enable IS-IS fast sense.

# Configure ATN-A.
[ATN-A-GigabitEthernet0/2/0] isis bfd static
# Configure CX-B.
[CX-B-GigabitEthernet1/0/0] isis bfd static

# Enable the debugging on ATN-A and output information to the VTY tunnel.
[ATN-A]
[ATN-A]
<ATN-A>
<ATN-A>
<ATN-A>
<ATN-A>
info-center source bfd channel 1 log level debugging state on

quit
debugging isis circuit-information
terminal debugging
terminal logging
terminal monitor
# Run the shutdown command on GigabitEthernet1/0/0 of CX-B to simulate a link fault.

# On ATN-A, the following log information and debugging information are displayed. It
indicates that IS-IS deletes the neighbor relationship with CX-B according to the fault reported
by BFD.
Sep 12 2007 11:32:18 RT2 %%01ISIS/4/PEER_DOWN_BFDDOWN(l): IS-IS process id 1 nei
ghbor 2222.2222.2222 is down on the interface GE1/0/0 because BFD node is Down.
The last Hello packet is received at 11:32:10. The maximum interval for sending
Hello packets is 9247. The local device sends 426 Hello packets and receives 61
Hello packets. The Hello packet type is Lan Level-2.
*0.481363988 RT2 ISIS/6/ISIS:
ISIS-1-FastSense: Deleting Neighbour by IP Address 100.1.1.2 On GE1/0/0(IS01_1048)
Issue 02 (2013-12-31)

2453

Equipment
8 IP Routing
Run the display isis route command or the display isis peer command on ATN-A, no
information is displayed. This indicates that the IS-IS neighbor relationship between ATN-A
and CX-B is deleted.
----End
Configuration Files
l

#
sysname ATN-A
#
info-center source BFD channel 1 log level debugging
#
bfd
#
isis 1
is-level level-2
network-entity aa.1111.1111.1111.00
#
ip address 100.1.1.1 255.255.255.0
isis enable 1
isis bfd static
#
bfd atob bind peer-ip 100.1.1.2 interface GigabitEthernet0/2/0
commit
#
return

#
sysname CX-B
#
bfd
#
isis 1
is-level level-2
#
ip address 100.1.1.2 255.255.255.0
isis enable 1
isis bfd static
#
interface Pos2/0/0
ip address 100.2.1.1 255.255.255.0
isis enable 1
#
commit
#
return

#
sysname CX-C
#
isis 1
is-level level-2
Issue 02 (2013-12-31)

2454

Equipment
8 IP Routing
#
interface Pos1/0/0
ip address 100.2.1.2 255.255.255.0
isis enable 1
#
return
Example for Configuring Dynamic BFD for IS-IS

This part provides an example for configuring dynamic BFD for IS-IS to fast detect faults and
report them to IS-IS. In this manner, the fast switchover of service traffic is triggered.
As shown in Figure 8-30, it is required as follows:
l
Run IS-IS on ATN-A, CX-B, and CX-C.
Enable BFD of the IS-IS process on ATN-A, CX-B, and CX-C.
Traffic is transmitted on the active link ATN-A CX-B. The link ATN-A CX-B
CX-C acts as the standby link.
Enable BFD of the interface on the link between ATN-A and CX-B. When the link between
ATN-A and CX-B fails, BFD can quickly detect the fault and notify IS-IS of the fault;
therefore, the traffic is transmitted on the standby link.
Figure 8-30 Networking diagram of configuring the dynamic BFD
Active link
ATN-A GE0/2/4
3.3.3.1/24
GE2/0/0 CX-B GE3/0/0

3.3.3.2/24
172.16.1.1/24
GE0/2/0
1.1.1.1/24
an
St
GE1/0/0
1.1.1.2/24
db
ink
yl
GE1/0/0
2.2.2.2/24
GE1/0/0
2.2.2.1/24
CX-C
Issue 02 (2013-12-31)

2455

Equipment
8 IP Routing
1.
Enable IS-IS on each device and ensure the connectivity of the devices
2.
Set the interface cost of IS-IS to control the route selection of the devices.
3.
Enable global BFD.
4.
Enable the BFD detection mechanism of the IS-IS process on ATN-A, CX-B, and CX-C.
5.
Enable the BFD detection mechanism of the interfaces on ATN-A and CX-B.
Data Preparation
l
Process ID of IS-IS
Area numbers of ATN-A, CX-B, and CX-C
Interface cost of ATN-A, CX-B and CX-C
Interface number and type number of BFD enabled on ATN-A and CX-B
Minimum interval for sending the BFD packets, minimum interval for receiving the BFD
packets, and local detection multiple on ATN-A and CX-B
Procedure
The detailed configuration is not mentioned here.
Step 2 Configure the basic IS-IS functions.
# Configure ATN-A.
[ATN-A] isis
[ATN-A-isis-1] quit
# Configure CX-B.
[CX-B] isis
[CX-B-isis-1] quit
# Configure CX-C.
[CX-C] isis
[CX-C-isis-1] is-level level-2
[CX-C-isis-1] network-entity 10.0000.0000.0003.00
Issue 02 (2013-12-31)

2456

Equipment
[CX-C-isis-1] quit
[CX-C] interface gigabitethernet
[CX-C-GigabitEthernet1/0/0] isis
[CX-C] interface gigabitethernet
[CX-C-GigabitEthernet2/0/0] isis
8 IP Routing
1/0/0
enable 1
2/0/0
enable 1
# After the preceding configurations are complete, use the display isis peer command. You can
view that the neighboring relationship is set up between ATN-A and CX-B, and that between
ATN-A and CX-C. Take the configuration on ATN-A as an example:
[ATN-A] display isis peer
---------------------------Interface
Circuit Id
State HoldTime Type
GE0/2/4
0000.0000.0002.01 Up
9s
L2
GE0/2/0
0000.0000.0001.02 Up
21s
L2
System Id
0000.0000.0002
0000.0000.0003
Total Peer(s): 2
PRI
64
64
# The devices have learnt routes of each other. Take the routing table of ATN-A as an example:
Destinations : 8
Routes : 9
Destination/Mask
Proto
Pre Cost
Flags NextHop
Interface
1.1.1.0/24 Direct
0
0
D 1.1.1.1
1.1.1.1/32 Direct
0
0
D 127.0.0.1
InLoopBack0
2.2.2.0/24 ISIS-L2 15
20
D 1.1.1.2
3.3.3.0/24 Direct
0
0
D 3.3.3.1
3.3.3.1/32 Direct
0
0
D 127.0.0.1
InLoopBack0
127.0.0.0/8
Direct
0
0
D 127.0.0.1
InLoopBack0
127.0.0.1/32 Direct
0
0
D 127.0.0.1
InLoopBack0
172.16.1.0/24 ISIS-L2 15
20
D 3.3.3.2
As shown in the routing table, the next hop address of the route to 172.16.1.0/24 is 3.3.3.2 and
traffic is transmitted on the active link from ATN-A to CX-B.
Step 3 Set the interface cost.
# Configure ATN-A.
[ATN-A-GigabitEthernet0/2/4] isis cost 5
# Configure CX-B.
[CX-B-GigabitEthernet2/0/0] isis cost 5
Step 4 Configure BFD of the IS-IS process.

# Enable BFD of the IS-IS process on ATN-A.
[ATN-A] bfd
[ATN-A-bfd] quit
[ATN-A] isis
[ATN-A-isis-1] bfd all-interfaces enable
[ATN-A-isis-1] quit
# Enable BFD of the IS-IS process on CX-B.

[CX-B] bfd
Issue 02 (2013-12-31)

2457

Equipment
8 IP Routing
[CX-B-bfd] quit
[CX-B] isis
[CX-B-isis-1] bfd all-interfaces enable
[CX-B-isis-1] quit
# Enable BFD of the IS-IS process on CX-C.

[CX-C] bfd
[CX-C-bfd] quit
[CX-C] isis
[CX-C-isis-1] bfd all-interfaces enable
[CX-C-isis-1] quit
# After the preceding configurations are complete, run the display isis bfd session all command
on ATN-A, CX-B, or CX-C. You can view that the status of BFD is Up.
Take the display of ATN-A as an example:
[ATN-A] display isis bfd session all
----------------------------------Peer System ID : 0000.0000.0002
Interface : GE0/2/4
TX : 10
BFD State : up
RX : 10
LocDis : 8192
Multiplier : 3
RemDis : 8192
Type : L2
Peer System ID : 0000.0000.0003
Interface : GE0/2/0
TX : 10
BFD State : up
RX : 10
LocDis : 8193
Multiplier : 3
RemDis : 8192
Type : L2
From the preceding display, you can view that the status of the BFD session between ATN-A
and CX-B and that between ATN-A and CX-C are Up.
Step 5 Configure BFD of the interfaces.
# Configure BFD on GE 0/2/4 of ATN-A, set the minimum interval for sending the packets and
multiple to 4.
[ATN-A-GigabitEthernet0/2/4] isis bfd enable
[ATN-A-GigabitEthernet0/2/4] isis bfd min-tx-interval 100 min-rx-interval 100
detect-multiplier 4
# Configure BFD on GE 2/0/0 of CX-B, set the minimum interval for sending the packets and
multiple to 4.
[CX-B] bfd
[CX-B-bfd] quit
[CX-B-GigabitEthernet2/0/0] isis bfd enable
[CX-B-GigabitEthernet2/0/0] isis bfd min-tx-interval 100 min-rx-interval 100
detect-multiplier 4
# After the preceding configurations are complete, run the display isis bfd session all command
on ATN-A or CX-B. You can view that the parameters of the BFD have taken effect. Take the
display of CX-B as an example:
[CX-B] display isis bfd session all
Issue 02 (2013-12-31)

2458

Equipment
8 IP Routing
----------------------------------Peer System ID : 0000.0000.0001

Interface : GE2/0/0
TX : 100
BFD State : up
RX : 100
LocDis : 8192
Multiplier : 4
RemDis : 8192
Type : L2
Peer System ID : 0000.0000.0003
Interface : GE1/0/0
TX : 100
BFD State : up
RX : 100
LocDis : 8192
TX : 10
BFD State : up
RX : 10
LocDis : 8193
Multiplier : 3
RemDis : 8193
Type : L2

# Run the shutdown command on GE 2/0/0 of CX-B to simulate the active link failure.
Step 7 # Display the routing table on ATN-A.

Destinations : 8
Routes : 8
Destination/Mask
Proto
Pre Cost
Flags NextHop
Interface
1.1.1.0/24 Direct
0
0
D 1.1.1.1
1.1.1.1/32 Direct
0
0
D 127.0.0.1
InLoopBack0
2.2.2.0/24 ISIS-L2 15
20
D 1.1.1.2
3.3.3.0/24 Direct
0
0
D 3.3.3.1
3.3.3.1/32 Direct
0
0
D 127.0.0.1
InLoopBack0
127.0.0.0/8
Direct
0
0
D 127.0.0.1
InLoopBack0
127.0.0.1/32 Direct
0
0
D 127.0.0.1
InLoopBack0
172.16.1.0/24 ISIS-L2 15
20
D 1.1.1.2
As shown in the routing table, the standby link ATN-A CX-C CX-B takes effect after the
active link fails. The next hop address of the route to 172.16.1.0/24 becomes 1.1.1.2.
# Run the display isis bfd session all command on ATN-A. You can view the status of the BFD
session is Up between ATN-A and CX-C.
[ATN-A] display isis bfd session all
----------------------------------Peer System ID : 0000.0000.0003
Interface : GE0/2/0
TX : 100
BFD State : up
RX : 100
LocDis : 8192
TX : 10
BFD State : up
RX : 10
LocDis : 8193
TX : 10
BFD State : up
RX : 10
LocDis : 8193
Multiplier : 3
RemDis : 8192
Type : L2
----End
Configuration Files
l

#
sysname ATN-A
#
bfd
Issue 02 (2013-12-31)

2459

Equipment
8 IP Routing
#
isis 1
is-level level-2
network-entity 10.0000.0000.0001.00
#
undo shutdown
ip address 1.1.1.1 255.255.255.0
isis enable 1
#
undo shutdown
ip address 3.3.3.1 255.255.255.0
isis enable 1
isis cost 5
isis bfd enable
isis bfd min-tx-interval 100 min-rx-interval 100 detect-multiplier 4
#
return

#
sysname CX-B
#
bfd
#
isis 1
is-level level-2
network-entity 10.0000.0000.0002.00
#
undo shutdown
ip address 2.2.2.2 255.255.255.0
isis enable 1
#
undo shutdown
ip address 3.3.3.2 255.255.255.0
isis enable 1
isis cost 5
isis bfd enable
isis bfd min-tx-interval 100 min-rx-interval 100 detect-multiplier 4
#
undo shutdown
ip address 172.16.1.1 255.255.255.0
isis enable 1
#
return

#
sysname CX-C
#
bfd
#
isis 1
is-level level-2
network-entity 10.0000.0000.0003.00
#
undo shutdown
ip address 1.1.1.2 255.255.255.0
isis enable 1
Issue 02 (2013-12-31)

2460

Equipment
8 IP Routing
#
undo shutdown
ip address 2.2.2.1 255.255.255.0
isis enable 1
#
return
8.8 BGP Configuration

BGP is used between ASs to transmit routing information on large-scale and complex networks.
8.8.1 Introduction
BGP is a dynamic routing protocol used between ASs.
BGP Overview
The Border Gateway Protocol (BGP) advertises and maintains a large number of routes between
autonomous systems (ASs).
Background
When Internal Gateway Protocol (IGP) was first deployed, it was able to meet network
deployment requirements because networks were not as large as they now are. However,
increasing numbers of routes on large modern networks impose tough challenges on the
performance of devices. To solve this problem, ASs were introduced. One IGP runs within an
AS, and one Exterior Gateway Protocol (EGP) runs between ASs.
EGP, however, has the following shortcomings: It forwards routes without selecting optimal
routes and therefore cannot avoid loops. Therefore, EGP was replaced with BGP.
BGP overcomes these shortcomings and can advertise and maintain a large number of routes
more efficiently. BGP is deployed between ASs that may be under different technical
administrations. Therefore, BGP must have powerful routing control capabilities and can be
easily extended so that network security can be ensured.
BGP-1 (defined in RFC 1105), BGP-2 (defined in RFC 1163), and BGP-3 (defined in RFC 1267)
are three earlier-released versions of BGP. The current BGP version is BGP-4 defined in RFC
4271. As an exterior routing protocol on the Internet, BGP is widely used among Internet Service
Providers (ISPs).
NOTE
This document refers to BGP-4, unless stated otherwise.
BGP Characteristics
Characteristics of BGP are as follows:
l
Issue 02 (2013-12-31)
Different from IGPs such as the Open Shortest Path First (OSPF) and Routing Information
Protocol (RIP), BGP is an EGP, which controls route advertisement and selects the optimal
route between ASs rather than discover or calculate routes.
2461

Equipment
8 IP Routing
BGP uses the Transport Control Protocol (TCP) with port number 179 as the transport layer
protocol. The reliability of BGP is therefore enhanced.
BGP supports Classless Inter-Domain Routing (CIDR).
BGP transmits only the updated routes, saving the bandwidth used for route distribution.
Therefore, BGP is applicable to the Internet where a large number of routes are transmitted.
BGP eliminates routing loops by adding AS_Path information to BGP routes.
BGP provides multiple routing policies for flexible route selection and filtering.
BGP can be easily extended and can adapt to the development of networks.
Related Terms
BGP is an inter-AS dynamic routing protocol and can be classified into IBGP and EBGP when
running on the ATN.
l
AS: Planned by a technical administration, an AS accommodates a series of routers. The

AS number is allocated by a dedicated institute.
IBGP (Internal BGP): When BGP runs within an AS, it is called IBGP.
EBGP (External BGP): When BGP runs between ASs, it is called EBGP.
BGP Features Supported by the ATN

The system supports various BGP features, including route summarization, peer group, route
reflector, confederation, community, MP-BGP, route dampening,BFD for BGP, BGP auto FRR,
BGP GR, and BGP security.
Main Route Attributes

l
Origin attribute
AS_Path attribute
Next_Hop attribute
Multi-Exit-Discriminator (MED) attribute
Local_Pref attribute
Community attribute
Principles of Route Selection

On the ATN, when there are multiple active routes to the same destination, BGP selects routes
according to the following principles:
1.
Prefers the route with the highest PreVal.

PrefVal is a Huawei-specific parameter. It is valid only on the device where it is configured.
2.
Prefers the route with the highest Local_Pref.

A route without Local_Pref is considered to have had the value set by using the default
local-preference command or to have a value of 100 by default.
3.
Issue 02 (2013-12-31)
Prefers a locally originated route. A locally originated route takes precedence over a route
learned from a peer.
2462

Equipment
8 IP Routing
Locally originated routes include routes imported by using the network command or the
import-route command, manually aggregated routes, and automatically summarized
routes.
4.
a.
A summarized route is preferred. A summarized route takes precedence over a nonsummarized route.
b.
A route obtained by using the aggregate command is preferred over a route obtained
by using the summary automatic command.
c.
A route imported by using the network command is preferred over a route imported
by using the import-route command.
Prefers the route with the shortest AS_Path.

l The AS_CONFED_SEQUENCE and AS_CONFED_SET are not included in the
AS_Path length.
l An AS_SET counts as 1, no matter how many ASs are in the set.
l After the bestroute as-path-ignore command is run, the AS_Path attributes of routes
are not compared in the route selection process.
5.
Prefers the route with the highest Origin type. IGP is higher than EGP, and EGP is higher
than Incomplete.
6.
Prefers the route with the lowest Multi Exit Discriminator (MED).
l The MEDs of only routes from the same AS but not a confederation sub-AS are
compared. MEDs of two routes are compared only when the first AS number in the
AS_SEQUENCE (excluding AS_CONFED_SEQUENCE) is the same for the two
routes.
l A route without any MED is assigned a MED of 0, unless the bestroute med-none-asmaximum command is run. If the bestroute med-none-as-maximum command is run,
the route is assigned the highest MED of 4294967295.
l After compare-different-as-med command is run, the MEDs in routes sent from peers
in different ASs are compared. Do not use this command unless it is confirmed that
different ASs use the same IGP and route selection mode. Otherwise, a loop may occur.
l If the bestroute med-confederation command is run, MEDs are compared for routes
that consist only of AS_CONFED_SEQUENCE. The first AS number in the
AS_CONFED_SEQUENCE must be the same for the routes.
l After the deterministic-med command is run, routes are not selected in the sequence
in which routes are received.
7.
Prefers EBGP routes over IBGP routes.

EBGP is higher than IBGP, IBGP is higher than LocalCross, and LocalCross is higher than
RemoteCross.
If the ERT of a VPNv4 route in the routing table of a VPN instance on a PE matches the
IRT of another VPN instance on the PE, the VPNv4 route will be added to the routing table
of the second VPN instance. This is called LocalCross. If the ERT of a VPNv4 route from
a remote PE is learned by the local PE and matches the IRT of a VPN instance on the local
PE, the VPNv4 route will be added to the routing table of that VPN instance. This is called
RemoteCross.
8.
Issue 02 (2013-12-31)
Prefers the route with the lowest IGP metric to the BGP next hop.

2463

Equipment
8 IP Routing
NOTE
Assume that load balancing is configured. If the preceding rules are the same and there are multiple
external routes with the same AS_Path, load balancing will be performed based on the number of
configured routes.
9.
Prefers the route with the shortest Cluster_List.
10. Prefers the route advertised by the ATN with the smallest router ID.
NOTE
If routes carry the Originator_ID, the originator ID is substituted for the router ID during route
selection. The route with the smallest Originator_ID is preferred.
11. Prefers the route learned from the peer with the smallest address if the IP addresses of peers
are compared in the route selection process.
Policies for BGP Route Advertisement

On the ATN, BGP advertises routes based on the following policies:
l
When there are multiple active routes, the BGP speaker advertises only the optimal route
to its peer.
The BGP speaker advertises only the preferred routes to its peer.
The BGP speaker advertises the routes learned from EBGP peers to all BGP peers
(including EBGP peers and IBGP peers) except the peers that advertise these routes.
The BGP speaker does not advertise the routes learned from IBGP peers to its IBGP peers.
The BGP speaker advertises the routes learned from IBGP peers to its EBGP peers.
The BGP speaker advertises all preferred BGP routes to the new peers when peer
relationships are established.
Routing Selection Policies for Load Balancing

In BGP, the next-hop address of a generated route may not be the address of the peer that is
directly connected to the local ATN. One common scenario is that the next hop is not changed
when a route is advertised between IBGP peers. Therefore, before forwarding a packet, the
ATN must find a directly reachable address, through which the packet can reach the next hop
specified in the routing table. In this process, the route to the directly reachable address is called
a dependent route. BGP routes depend on these dependent routes for packet forwarding. The
process of finding a dependent route based on the next-hop address is called route iteration.
The ATN supports iteration-based BGP load balancing. If load balancing is configured for a
dependent route (assume that there are three next-hop addresses), BGP generates the same
number of next-hop addresses to forward packets. BGP load balancing based on iteration does
not need to be configured by using commands. This feature is always enabled on the ATN.
BGP load balancing is different from IGP load balancing in the following implementation
methods:
l
In IGPs, if there are different routes to the same destination address, an IGP calculates
metrics of these routes based on its own routing algorithm and performs load balancing
among the routes with the same metric.
BGP does not have a routing algorithm. Therefore, BGP cannot determine whether to
perform load balancing among routes based on explicit metrics. BGP, however, contains
many route attributes, which have different priorities in route selection policies. Therefore,
Issue 02 (2013-12-31)

2464

Equipment
8 IP Routing
BGP performs load balancing according to route selection policies. That is, load balancing
is performed according to the configured maximum number of equal-cost routes only when
all the routes have the same high preference.
NOTE
l By default, BGP performs load balancing only among the routes with the same AS_Path attribute. You
can use the bestroute as-path-ignore
command to configure BGP not to compare the AS_Path attribute of routes when performs load
balancing.
l BGP load balancing is also applicable between ASs in a confederation.
Route Summarization
On a large-scale network, the BGP routing table is large. You can configure route summarization
to reduce the size of the routing table.
Route summarization is the process of consolidating multiple routes into one single
advertisement. After route summarization is configured, BGP advertises only the summarized
route rather than all specific routes to its peers.
The ATN supports automatic summarization and manual summarization. Manual
summarization can be used to control attributes of the summarized route and determine whether
to advertise its specific routes.
Synchronization Between IBGP and IGP

Synchronization between IBGP and IGP is a method of preventing external routes from being
imported by error.
If the synchronization function is configured, the IGP routing table is examined before an IBGP
route is added to the routing table and advertised to EBGP peers. The IBGP route is added to
the routing table and advertised to EBGP peers only when the IGP knows this IBGP route.
The synchronization function can be disabled in the following situations:
l
The local AS is not a transit AS.
Full-mesh IBGP connections are established between all ATNs in the local AS.
NOTE
In the ATN, the synchronization function is disabled by default.
Peer Group
A peer group is a group of peers with the same policies. After a peer is added to a peer group,
it inherits the configurations of this peer group. When the configurations of the peer group are
changed, the configurations of peers in the peer group are changed accordingly.
On a large-scale BGP network, there are a large number of peers and most of them have the
same policies. To configure these peers, you have to repeatedly use some commands. In such a
case, you can simplify configurations by using the peer group.
Adding many peers to a peer group also speeds up route advertisement.
Issue 02 (2013-12-31)

2465

Equipment
8 IP Routing
Route Reflector
To ensure the routing synchronization between IBGP peers, you need to establish full-mesh
connections between the IBGP peers. If there are n ATNs in an AS, n (n-1)/2 IBGP connections
need to be established. When there are a large number of IBGP peers, network resources and
CPU resources are greatly consumed.
To solve this problem, route reflection is introduced. In an AS, one ATN functions as a route
reflector (RR) and other ATNs serve as the clients of the RR. The clients establish IBGP
connections with the RR. The RR transmits or reflects routes among clients, and the clients do
not need to establish BGP connections.
A BGP ATN that is neither an RR nor a client is a non-client. Full-mesh connections must be
established between non-clients and an RR, and between all non-clients.
Confederation
Confederation is another method of dealing with increasing IBGP connections in an AS. It
divides an AS into several sub-ASs. IBGP connections are established between IBGP peers
within each sub-AS, and EBGP connections are established between sub-ASs.
For BGP speakers outside a confederation, sub-ASs in the same confederation are invisible.
External devices do not need to know the topology of each sub-AS. The confederation ID is the
AS number that is used to identify the entire confederation.
The confederation has disadvantages. That is, if the ATN needs to be reconfigured in a
confederation, the logical typology changes accordingly.
On a large-scale BGP network, the RR and confederation can be used together.
Community
The community attribute is a route attribute. It is transmitted between BGP peers and is not
restricted by the AS. A peer group allows a group of peers to share the same policies, whereas
the community allows a group of BGP routers in multiple ASs to share the same policies.
Before a BGP ATN advertises the route with the community attribute to other peers, it can change
the community attribute of this route.
Besides well-known communities, you can use a community filter to filter self-defined extended
community attributes to control routing policies in a more flexible manner.
Introduction to MP-BGP
Traditional BGP-4 manages only IPv4 unicast routing information and has limitations in interAS routing when used in the applications of other network layer protocols.
To support multiple network layer protocols, the Internet Engineering Task Force (IETF) extends
BGP-4 to Multiprotocol Extensions for BGP-4 (MP-BGP). The current MP-BGP standard is
RFC 2858 (Multiprotocol Extensions for BGP-4).
MP-BGP is forward compatible. That is, the ATNs that support MP-BGP can communicate with
the ATNs that do not support MP-BGP.
Issue 02 (2013-12-31)

2466

Equipment
8 IP Routing
Extended Attributes of MP-BGP

Among BGP-4 packets, an Update packet carries three IPv4-related attributes: Network Layer
Reachability Information (NLRI), Next_Hop, and Aggregator. The Aggregator attribute
contains the IP address of the BGP speaker that performs route summarization.
To support multiple types of network layer protocols, BGP-4 needs to carry network layer
protocol information in the NLRI attribute and Next_Hop attribute. MP-BGP introduces two
new route attributes:
l
Multiprotocol Reachable NLRI (MP_REACH_NLRI): It is used to advertise reachable

routes and next hops.
Multiprotocol Unreachable NLRI (MP_UNREACH_NLRI): It is used to withdraw

unreachable routes.
The two new attributes are optional non-transitive. Therefore, the BGP speakers that do not
support the multiprotocol capability will ignore the two attributes, and do not advertise the
information to peers.
Address Family
BGP uses address families to distinguish different network layer protocols. For the values of
address families, see RFC 1700 (Assigned Numbers). The ATN supports multiple MP-BGP
extensions, such as VPN extension, which are configured in their respective address family
views.
NOTE
This chapter does not describe the commands related to a specific application in the MP-BGP address
family view.
For the configuration in the BGP VPNv4 address family view, BGP VPN instance address family view,
and BGP L2VPN address family view, see the Configuration Guide - VPN.
BGP ORF
BGP Outbound Route Filtering (ORF) is used to implement on-demand BGP route distribution.
A device configured with BGP ORF filters BGP routes based on an export policy (only IP prefix
list can be used in the export policy currently) before sending them to a remote peer. This export
policy is provided by the remote peer. This enables the local device to send only routes required
by the remote peer and prevents unnecessary route distribution. The local device does not need
to maintain an export policy for each BGP peer. This greatly reduces the load of the local device
and configuration load.
BGP Tracking
BGP tracking speeds up network convergence by adjusting the interval between peer
unreachbility discovery and connection interruption. It is easy to deploy and has a good
extensibility.
Route Dampening
Route dampening is a method of solving the problem of route instability. Route instability is
reflected by route flapping. That is, a route in the routing table disappears and appears repeatedly.
Issue 02 (2013-12-31)

2467

Equipment
8 IP Routing
If route flapping occurs, a routing protocol sends an Update message to its peers. After receiving
this Update message, the peers recalculate routes and modify their routing tables. Frequent route
flapping consumes a lot of bandwidth and CPU resources, even affecting the normal operation
of the network.
In most cases, BGP is applicable to complex networks where routes change frequently. To avoid
the impact of frequent route flapping, BGP suppresses unstable routes by using route dampening.
BGP Path MTU Auto Discovery

Path MTU auto discovery discovers the smallest MTU on a path to ensure that BGP message
transmission meets the path MTU requirement. This can improve the efficiency of BGP message
transmission.
BGP Next Hop Delayed Response

BGP next hop delayed response can be used to speed up BGP route convergence and minimize
traffic loss when the upstream path of a PE connected to an RR changes.
BFD for BGP

The ATN supports Bidirectional Forwarding Detection (BFD) in IPv4 to provide fast link failure
detection for BGP peer relationship.
BFD can rapidly detect faults on the links between BGP peers and report the faults to BGP, thus
implementing fast convergence of BGP routes.
BGP Auto FRR

After BGP Auto FRR is enabled on a device, the device selects the optimal route from the routes
that are destined for the same destination network. In addition, the device automatically adds
information about the sub-optimal route to the backup forwarding entries of the optimal route,
and delivers the backup forwarding entry to the FIB table. If the primary link fails, the system
quickly switches traffic to the backup link. The switchover does not depend on route
convergence. Therefore, the service interruption time is very short.
BGP GR
If BGP restarts, the peer relationship needs to be re-established and traffic forwarding is
interrupted. After Graceful Restart (GR) is enabled, traffic interruption is avoided.
BGP Security
l
The ATN authenticates BGP peers by using MD5 and Key-Chain, preventing packet fraud
or unauthorized packet modification.
The number of routes received from the BGP peer is limited to prevent the resources from
exhausting. See Configuring to Controll the Acceptment of BGP Routing
Information.
The lengths of AS paths on the inbound interface and the outbound interface are limited.
The excess packets are discarded. See Configuring AS_Path Attributes for Routes.
Issue 02 (2013-12-31)

2468

Equipment
8 IP Routing
8.8.2 Configuring Basic BGP Functions

Configuring basic BGP functions is the prerequisite to building a BGP network.
Before You Start

Basic BGP functions must be configured first when you build up a BGP network.
BGP can be configured on a network to implement communication among ASs. This section
describes how to configure basic BGP functions.
Because BGP uses TCP connections, you need to specify the IP address of the peer when
configuring BGP. The BGP peer may not be the neighboring ATN. The BGP peer relationship
can also be established by using logical links. Loopback interface addresses are usually used to
establish BGP connections to enhance the stability of these connections.
Configuring basic BGP functions includes the following steps:
l
Start BGP processes. This step is a prerequisite for configuring basic BGP functions.
Establish BGP peer relationships: Devices can exchange BGP routing information only
after they are configured as peers and establish peer relationships.
Import routes. BGP itself cannot discover routes. Instead, it imports routes discovered by
other protocols to implement communication between ASs.
NOTE
The commands in the BGP-IPv4 unicast address family view can be run in the BGP view. These commands
are described in the BGP-IPv4 unicast address family view in configuration files.
Before configuring basic BGP functions, complete the following task:
l
the link layer protocol on the interfaces is Up
Data Preparation
To configure basic BGP functions, you need the following data.
Issue 02 (2013-12-31)
No.
Data
Local AS number and router ID
IPv4 address and AS number of a peer
Interface originating an Update message

2469

Equipment
8 IP Routing
Starting a BGP Process

Starting a BGP process is a prerequisite for configuring basic BGP functions. When starting a
BGP process on a device, specify the number of the AS to which the device belongs.
Context
Perform the following steps on the ATN where a BGP connection needs to be established:
Procedure
Step 1 Run:
system-view

Step 2 Run:
BGP is enabled (the local AS number is specified), and the BGP view is displayed.
router-id ipv4-address
A router ID is set.
Configuring or changing the router ID of BGP causes the BGP peer relationship between
ATNs to be reset.
NOTE
To enhance network reliability, configuring a loopback interface address as the router ID is recommended.
If no router ID is set, BGP automatically selects the router ID in the system view as the router ID of BGP.
For the rule for selecting a router ID in the system view, see the router-id command .
----End
Configuring BGP Peers

Two devices can exchange BGP routing information only after they are configured as peers and
establish a peer relationship.
Context
Because BGP uses TCP connections, you need to specify IP addresses for peers when
configuring BGP. Two BGP peers are not definitely neighboring to each other. Such BGP peers
establish a BGP peer relationship by using a logical link. Using loopback interface addresses to
set up BGP peer relationships improves the stability of BGP connections, and therefore is
recommended.
IBGP peer relationships are established between the devices within an AS. EBGP peer
relationships are established between the devices in different ASs.
Procedure
l
Issue 02 (2013-12-31)
Configure an IBGP peer.

2470

Equipment
1.
8 IP Routing
Run:
system-view

2.
Run:

3.
Run:
peer ipv4-address as-number { as-number-plain | as-number-dot }
The IP address of a peer and the number of the AS where the peer resides are specified.
The number of the AS where the specified peer resides must be the same as that of
the local AS.
The IP address of the specified peer can be one of the following types:
IP address of an interface on a directly-connected peer
IP address of a loopback interface on a reachable peer
IP address of a sub-interface on a directly-connected peer
4.
Run:
peer ipv4-address connect-interface interface-type interface-number
[ ipv4-source-address ]
The source interface and source address are specified for establishing a TCP
connection.
By default, BGP uses the physical interface that is directly connected to the peer as
the local interface of a TCP connection.
NOTE
When loopback interfaces are used to establish a BGP connection, run the peer connectinterface command at both ends of the connection to ensure that the connection is correctly
established. If this command is run on only one end, the BGP connection may fail to be
established.
5.
(Optional) Run:
peer ipv4-address description description-text
A description is configured for the peer.

Configuring a description for a peer simplifies network management.
l
Configure an EBGP peer.

1.
Run:
system-view

2.
Run:

3.
Run:
The IP address of a peer and the number of the AS where the peer resides are specified.
Issue 02 (2013-12-31)

2471

Equipment
8 IP Routing
The number of the AS where the specified peer resides must be different from that of
the local AS.
The IP address of the specified peer can be one of the following types:
IP address of an interface on a directly-connected peer
IP address of a loopback interface on a reachable peer
IP address of a sub-interface on a directly-connected peer
4.
(Optional) Run:
peer ipv4-address connect-interface interface-type interface-number
[ ipv4-source-address ]
The source interface and source address are specified for establishing a TCP
connection.
By default, BGP uses the physical interface that is directly connected to the peer as
the local interface of a TCP connection.
NOTE
When loopback interfaces are used to establish a BGP connection, run the peer connectinterface command at both ends of the connection to ensure that the connection is correctly
established. If this command is run on only one end, the BGP connection may fail to be
established.
5.
(Optional) Run:
peer ipv4-address ebgp-max-hop [ hop-count ]
The default value of hop-count is 255.

The maximum number of hops is configured for establishing an EBGP connection.
A direct physical link must be available between EBGP peers. If such a link does not
exist, the peer ebgp-max-hop command must be used to allow EBGP peers to
establish a TCP connection over multiple hops.
NOTE
If loopback interfaces are used to establish an EBGP peer relationship, the peer ebgp-maxhop command (hop-count 2) must be run. Otherwise, the peer relationship cannot be
established.
6.
(Optional) Run:
peer ipv4-address description description-text
A description is configured for the peer.

Configuring a description for a peer simplifies network management.
----End
Configuring BGP to Import Routes

BGP can import routes from other protocols. When routes are imported from a dynamic routing
protocol, the process IDs of the routing protocol must be specified.
Issue 02 (2013-12-31)

2472

Equipment
8 IP Routing
Context
BGP itself cannot discover routes. Instead, it imports routes discovered by other protocols such
as an IGP or the static routing protocol into the BGP routing table. These imported routes are
then transmitted within an AS or between ASs.
BGP can import routes in either Import or Network mode:
l
In Import mode, BGP imports routes by a specific routing protocol. RIP routes, OSPF
routes, IS-IS routes, static routes, or direct routes can be imported into the BGP routing
table.
In Network mode, routes with the specified prefix and mask are imported into the BGP
routing table. Compared with the Import mode, the Network mode imports more specific
routes.
Configure BGP to import routes in Import mode.
Procedure
1.
Run:
system-view

2.
Run:

3.
(Optional) Run:
ipv4-family unicast
The BGP-IPv4 unicast address family view is displayed.

By default, the BGP-IPv4 unicast address family view is displayed.
4.
Run:
import-route protocol [ process-id ] [ med med | route-policy route-policyname ] *
BGP is configured to import routes from other protocols.

By configuring the parameter med, you can set Multi_Exit Discriminator (MED)
values for the imported routes. The EBGP peer selects the route with the smallest
MED for traffic entering an AS.
By configuring the parameter route-policy route-policy-name, you can filter the
routes imported from other protocols.
NOTE
The process ID of a routing protocol needs to be specified if IS-IS, OSPF, or RIP routes are to
be imported.
5.
(Optional) Run:
default-route imported
BGP is configured to import default routes.

To import default routes, run both the default-route imported command and the
import-route command. If only the import-route command is used, no default route
Issue 02 (2013-12-31)

2473

Equipment
8 IP Routing
can be imported. In addition, the default-route imported command is used to import

only the default routes that exist in the local routing table.
l
Configure BGP to import routes in Network mode.

1.
Run:
system-view

2.
Run:
bgp{ as-number-plain | as-number-dot }

3.
(Optional) Run:
ipv4-family unicast

By default, the BGP-IPv4 unicast address family view is displayed.
4.
Run:
network ipv4-address [ mask | mask-length ] [ route-policy route-policyname ]
BGP is configured to advertise local routes.

If no mask or mask length is specified, the IP address is processed as a classful address.
A local route to be advertised must be in the local IP routing table. Routing policies
can be used to control the routes to be advertised more flexibly.
NOTE
l The destination address and mask specified in the network command must be consistent
with those of the corresponding entry in the local IP routing table. Otherwise, the specified
route cannot be advertised.
l When using the undo network command to clear the existing configuration, specify a
correct mask.
----End

After basic BGP functions are configured, you can view information about BGP peers and BGP
routes.
Prerequisites
Basic BGP functions have been configured.
Procedure
l
Run the display bgp peer [ verbose ] command to check information about all BGP peers.
Run the display bgp peer ipv4-address { log-info | verbose } command to check log
information of a specified BGP peer.
Issue 02 (2013-12-31)

2474

Equipment
8 IP Routing
Run the display bgp routing-table [ ipv4-address [ mask | mask-length ] ] command to

check BGP routes.
----End
Example
# Run the display bgp peer command to view the BGP connection status.
<HUAWEI> display bgp peer
Peer
V
AS MsgRcvd
9.1.1.2
4 65009
49
9.1.3.2
4 65009
56
200.1.1.2
4 65008
49

OutQ Up/Down
State PrefRcv
0
0
1
MsgSent
62
56
65
# Run the display bgp routing-table 60.0.0.35 command to view a specified BGP route.
<HUAWEI> display bgp routing-table 60.0.0.35
Paths:
Network route.
From: 0.0.0.0 (0.0.0.0)
Route Duration: 3d04h00m12s
Direct Out-interface: InLoopBack0
AS-path Nil, origin igp, MED 0, pref-val 0, valid, local, best, select, pre 0
8.8.3 Configuring BGP Route Attributes

BGP has many route attributes. Configuring route attributes can change route selection results.
Before You Start

Before configuring BGP route attributes, familiarize yourself with the usage scenario, complete
BGP has many route attributes. You can change route selection results by configuring attributes
for routes. Route attributes are listed as follows:
l
BGP preference
Setting the BGP preference can affect route selection between BGP routes and other routing
protocols' routes.
Preferred values
After preferred values are set for BGP routes, the route with the greatest value is preferred
when multiple routes to the same destination exist in the BGP routing table.
l
Issue 02 (2013-12-31)
Local_Pref
2475

Equipment
8 IP Routing
The Local_Pref attribute has the same function as the preferred value of a route. If both of
them are configured for a BGP route, the preferred value takes precedence over the
Local_Pref attribute.
l
Multi_Exit Discriminator (MED)

The MED attribute is used to determine the optimal route for traffic that enters an AS. The
route with the smallest MED value is selected as the optimal route if the other attributes of
the routes are the same.
Next_Hop
BGP route selection can be flexibly controlled by changing Next_Hop attributes for routes.
AS_Path
The AS_Path attribute is used to prevent rooting loops and control route selection.
Accumulated Interior Gateway Protocol Metric (AIGP)

The AIGP attribute is used to select the optimal route in an AIGP administrative domain.
Before configuring BGP route attributes, complete the following tasks:
l
Configuring IP addresses for interfaces to ensure IP connectivity between neighboring

nodes
Configuring Basic BGP Functions
Data Preparation
To configure BGP route attributes, you need the following data.
No.
Data
AS number
BGP preference value
Local_Pref value
MED value
Configuring the BGP Preference

Setting the BGP preference can affect route selection between BGP routes and other routing
protocols' routes.
Context
Multiple dynamic routing protocols can be run on a device at the same time. In this case, there
is a problem of route sharing and selecting among routing protocols. To address this problem,
the system sets a default preference for each routing protocol. If different protocols have routes
to the same destination, the protocol with the highest preference is selected to forward IP packets.
Perform the following steps on a device running BGP.
Issue 02 (2013-12-31)

2476

Equipment
8 IP Routing
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ipv4-family unicast
The IPv4 unicast address family view is displayed.

Step 4 Run:
preference { external internal local | route-policy route-policy-name }
The BGP preference is set.

The smaller the preference value, the higher the preference.
BGP has the following types of routes:
l EBGP routes learned from peers in other ASs
l IBGP routes learned from peers in the same AS
l Locally originated routes (A locally originated route is a route summarized by using the
summary automatic command or the aggregate command.)
Different preference values can be set for these three types of routes.
In addition, a routing policy can also be used to set the preferences for the routes that match the
policy. The routes that do not match the policy use the default preference.
NOTE
At present, the peer route-policy command cannot be used to set the BGP preference.
----End
Configuring Preferred Values for BGP Routes

After preferred values are set for BGP routes, the route with the greatest value is preferred when
multiple routes to the same destination exist in the BGP routing table.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Issue 02 (2013-12-31)

2477

Equipment
8 IP Routing
Step 3 Run:
peer { group-name | ipv4-address } preferred-value value
A preferred value is set for all the routes learned from a specified peer.
The original preferred value of a route learned from a peer defaults to 0.
If there are multiple routes to the same address prefix, the route with the highest preferred value
is preferred.
----End
Configuring a Default Local_Pref Attribute for a Device

The Local_Pref attribute is used to determine the optimal route for traffic that leaves an AS.
Context
The Local_Pref attribute is used to determine the optimal route for traffic that leaves an AS. If
a BGP device obtains multiple routes from different IBGP peers and these routes have different
next hops to the same destination, the BGP device will select the route with the greatest
Local_Pref value.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ipv4-family unicast

Step 4 Run:
default local-preference preference
A default Local_Pref attribute is set for the local device.

----End
Configuring MED Attributes for BGP Routes

The Multi_Exit Discriminator (MED) attribute equals a metric used in an IGP. The MED
attribute is used to determine the optimal route for traffic that enters an AS. The route with the
smallest MED value is selected as the optimal route if the other attributes of the routes are the
same.
Issue 02 (2013-12-31)

2478

Equipment
8 IP Routing
Context
The MED attribute equals a metric used in an IGP, and is used to determine the optimal route
for traffic that enters an AS. If a BGP device obtains multiple routes from different EBGP peers
and these routes have different next hops to the same destination, the BGP device will select the
route with the smallest MED value.
Procedure
l
Set the default MED value on a device.

1.
Run:
system-view

2.
Run:

3.
Run:
ipv4-family unicast

4.
Run:
default med med
The default MED value is set.

NOTE
The default med command is valid only for routes imported using the import-route command
and BGP summarized routes on the local device.
Compare the MED values of the routes from different ASs.

1.
Run:
system-view

2.
Run:

3.
Run:
ipv4-family unicast

4.
Run:
compare-different-as-med
The MED values of routes from different ASs are compared.

By default, the BGP device compares the MED values of only routes from different
peers in the same AS. This command enables the BGP device to compare the MED
values of routes from different ASs.
l
Issue 02 (2013-12-31)
Configure the deterministic-MED function.

2479

Equipment
1.
8 IP Routing
Run:
system-view

2.
Run:

3.
Run:
ipv4-family unicast

4.
Run:
deterministic-med
The deterministic-MED function is enabled.

If the deterministic-MED function is not enabled and an optimal route is to be selected
among routes that are received from different ASs and carry the same prefix, the
sequence in which routes are received is relevant to the route selection result. After
the deterministic-MED function is enabled and an optimal route is to be selected
among routes that are received from different ASs and carry the same prefix, routes
are first grouped based on the leftmost AS number in the AS_Path attribute. Routes
with the same leftmost AS number are grouped together and compared, and an optimal
route is selected in the group. The optimal route in this group is then compared with
the optimal routes from other groups to determine the final optimal route. This route
selection mode allows the route selection result to be independent of the sequence in
which routes are received.
l
Configure the method used by BGP to handle the situation where a route has no MED
attribute during route selection.
1.
Run:
system-view

2.
Run:

3.
Run:
ipv4-family unicast

4.
Run:
bestroute med-none-as-maximum
The system treats a BGP route as one with the maximum MED value if the route has
no MED value.
After the bestroute med-none-as-maximum command is run, BGP treats a BGP
route as one with the maximum MED value if the route that has no MED attribute
when selecting an optimal route. If this command is not run, BGP uses 0 as the MED
value for a route that has no MED value.
Issue 02 (2013-12-31)

2480

Equipment
8 IP Routing
Compare the MED values of routes in a confederation.

1.
Run:
system-view

2.
Run:

3.
Run:
ipv4-family unicast

4.
Run:
bestroute med-confederation
The MED values of routes in a confederation are compared.

----End
Configuring Next_Hop Attributes for Routes

Setting Next_Hop attributes for routes flexibly controls BGP route selection.
Procedure
l
Configure a device to change the next-hop address of a route when the device advertises
the route to an IBGP peer.
By default, a device does not change the next-hop address of a route learned from an EBGP
peer before forwarding the route to IBGP peers. The next-hop address of a route advertised
by an EBGP peer to this device is the address of the EBGP peer. After being forwarded to
IBGP peers, this route cannot become an active route because the next hop is unreachable.
The relevant ASBR must be configured to change the next-hop address of the route to the
ASBR's own IP address before the ASBR advertises the route to an IBGP peer. The route
is active on the IBGP peer if the next hop is reachable.
1.
Run:
system-view

2.
Run:

3.
Run:
ipv4-family unicast

4.
Run:
peer { ipv4-address | group-name } next-hop-local
The device is configured to change the next-hop address of a route to the device's own
IP address before the device advertises the route to an IBGP peer.
Issue 02 (2013-12-31)

2481

Equipment
8 IP Routing
By default, a device does not change the next-hop address of a route when advertising
the route to an IBGP peer.
NOTE
If BGP load balancing is configured, the local ATN changes the next-hop address of a route to
it's own IP address when advertising the route to IBGP peers or peer groups, regardless of
whether the peer next-hop-local command is used.
Prevent a device from changing the next-hop address of a route imported from an IGP when
the device advertises the route to an IBGP peer.
Perform the following steps on a ATN that runs BGP and has imported IGP routes:
1.
Run:
system-view

2.
Run:

3.
Run:
ipv4-family unicast

4.
Run:
peer { ipv4-address | group-name } next-hop-invariable
The device is prevented from changing the next-hop address of a route imported from
an IGP before advertising the route to an IBGP peer.
By default, a device changes the next-hop address of a route imported from an IGP to
the address of the interface connecting the device to its peer when advertising the route
to an IBGP peer.
l
Prevent a device from changing the next-hop address of a route when the device advertises
the route to an EBGP peer.
1.
Run:
system-view

2.
Run:

3.
Run:
ipv4-family vpnv4 [ unicast ]
The BGP-VPNv4 sub-address family view is displayed.

4.
Run:
peer { group-name | ipv4-address } next-hop-invariable
The device is prevented from changing the next-hop address of a route when
advertising the route to an EBGP peer.
Issue 02 (2013-12-31)

2482

Equipment
8 IP Routing
By default, provider edges (PEs) in different ASs set up EBGP peer relationships with
each other, and they do not change next-hop addresses of routes when advertising the
routes to their EBGP peers.
In the inter-AS VPN option C networking where route reflectors (RRs) are used, the
peer next-hop-invariable command needs to be run to prevent the RRs from changing
the next-hop address of a route when the RRs advertise the route to EBGP peers. This
ensures that the remote PE iterates a route to the BGP Label Switched Path (LSP)
destined for the local PE during traffic transmission.
l
Configure routing-policy-based next hop iteration.

1.
Run:
system-view

2.
Run:

3.
Run:
ipv4-family unicast

4.
Run:
nexthop recursive-lookup route-policy route-policy-name
Routing-policy-based next hop iteration is configured.

By default, routing-policy-based next hop iteration is not configured.
Next-hop iteration based on a specified routing policy can control the iterated next
hop based on specific conditions. If a route cannot match the specified routing policy,
the route cannot be iterated.
----End
Configuring AS_Path Attributes for Routes

The AS_Path attribute is used to prevent rooting loops and control route selection.
Procedure
l
Allow repeated local AS numbers.

BGP uses AS numbers to detect routing loops. In Hub and Spoke networking, if EBGP
runs between a Hub-PE and a Hub-CE, the route sent from the Hub-PE to the Hub-CE
carries the AS number of the Hub-PE. After the Hub-CE sends an Update message that
contains the AS number of the Hub-PE to the Hub-PE, the Hub-PE will deny it.
To ensure proper route transmission in Hub and Spoke networking, configure all the BGP
peers on the path, along which the Hub-CE advertises private network routes to the SpokeCE, to accept the routes in which the local AS number repeats once.
1.
Run:
system-view
Issue 02 (2013-12-31)

2483

Equipment
8 IP Routing

2.
Run:

3.
Run:
ipv4-family unicast

4.
Run:
peer { ipv4-address | group-name } allow-as-loop [ number ]
The local AS number is allowed to repeat in the AS_Path attribute.

Generally, a BGP device checks the AS_Path attribute of a route sent from a peer. If
the local AS number already exists in the AS_Path attribute, BGP ignores this route
to avoid a routing loop.
In some special applications, you can use the peer allow-as-loop command to allow
the AS_Path attributes of routes sent from the peers to contain the local AS number.
You can also set the number of times the local AS number is repeated.
l
Configure BGP not to compare AS_Path attributes of routes in the route selection process.
1.
Run:
system-view

2.
Run:

3.
Run:
ipv4-family unicast

4.
Run:
bestroute as-path-ignore
BGP is configured to ignore AS_Path attributes of routes during route selection.

l
Configure a fake AS number.

Generally, a device supports only one BGP process. This means that a device supports only
one AS number. If AS numbers need to be replaced during network migration, you can run
the peer fake-as command to set a fake AS number for a specified peer to ensure smooth
network migration.
1.
Run:
system-view

2.
Run:

Issue 02 (2013-12-31)

2484

Equipment
3.
8 IP Routing
Run:
peer { ipv4-address | group-name } fake-as { as-number-plain | as-numberdot }
A fake AS number is configured.

The peer fake-as command can be used to hide the actual AS number of a BGP device.
EBGP peers in other ASs will use the fake AS number of this BGP device to set up
EBGP peer relationships with this device.
NOTE
This command can be used only on EBGP peers.
Enable AS number replacement.

Before advertising a route to a specified CE, a PE enabled with AS number replacement
replaces the AS number of the CE in the AS_Path attribute of the route with the local AS
number.
NOTICE
Exercise caution when running the peer substitute-as command, because improper use of
this command may cause routing loops.
1.
Run:
system-view

2.
Run:

3.
Run:

4.
Run:
peer { ipv4-address | group-name } substitute-as
AS number replacement is enabled.

l
Configure the AS_Path attribute to carry only public AS numbers.

A route advertised by a BGP device to its peer usually carries an AS number. The AS
number may be public or private. Public AS numbers can be used on the Internet. They are
assigned and managed by the Internet Assigned Number Authority (IANA). Private AS
numbers cannot be advertised to the Internet, and they are used only within ASs. If private
AS numbers are advertised to the Internet, a routing loop may occur. To address this
problem, you can run the peer public-as-only command to allow the AS_Path attribute to
carry only public AS numbers.
1.
Run:
system-view
Issue 02 (2013-12-31)

2485

Equipment
8 IP Routing

2.
Run:

3.
Run:
ipv4-family unicast

4.
Run:
peer { ipv4-address | group-name } public-as-only
The AS_Path attribute is configured to carry only public AS numbers.

An AS number ranges from 1 to 4294967295. A public AS number ranges from 1 to
64511, and from 65536 (1.0 in the x.y format) to 4294967295 (65535.65535 in the
x.y format). A private AS number ranges from 64512 to 65534. The AS number 65535
is reserved for particular use.
The peer public-as-only command can be used only on EBGP peers.
l
Set the maximum number of AS numbers in the AS_Path attribute.

1.
Run:
system-view

2.
Run:

3.
Run:
as-path-limit as-path-limit-num
The maximum number of AS numbers in the AS_Path attribute is set.

By default, a maximum of 255 AS numbers can be contained in the AS_Path attribute.
After the as-path-limit command is run on a device, the device checks whether the
number of AS numbers in the AS_Path attribute of a received route exceeds the
maximum value. If the number of AS numbers exceeds the maximum value, the route
is discarded. If the maximum number of AS numbers in the AS_Path attribute is too
small, routes whose number of AS numbers exceeding the maximum value will be
discarded.
l
Prevent a BGP device from checking the first AS number contained in the AS_Path attribute
of an Update message received from an EBGP peer.
1.
Run:
system-view

2.
Run:

Issue 02 (2013-12-31)

2486

Equipment
3.
8 IP Routing
Run:
undo check-first-as
The BGP device is prevented from checking the first AS number contained in the
AS_Path attribute of an Update message received from an EBGP peer.
By default, a BGP device checks whether the first AS number contained in the
AS_Path attribute of an Update message received from an EBGP peer is the same as
the number of the AS where the EBGP peer resides. If the numbers are not the same,
the BGP device discards the Update message and closes the EBGP connection with
the EBGP peer.
NOTICE
Exercise caution when running the undo check-first-as command, because use of this
command increases the possibility of routing loops.
After the configuration is complete, run the refresh bgp command if you want to
check the received routes again.
----End

After BGP route attributes are configured, you can view information about these route attributes.
Prerequisites
The BGP route attribute configuration is complete.
Procedure
l
Run the display bgp paths [ as-regular-expression ] command to check information about
AS_Path attributes of routes.
Run the display bgp routing-table different-origin-as command to check information

about routes that have the same destination address but different source AS numbers.
Run the display bgp routing-table regular-expression as-regular-expression command

to check information about routes matching a specified regular expression.
Run the display bgp routing-table [ network [ { mask | mask-length } [ longerprefixes ] ] ] command to check routing information in a BGP routing table.
----End
Example
# Run the display bgp paths command to view information about AS_Path attributes of routes.
<HUAWEI> display bgp paths
Total Number of Paths: 7
Issue 02 (2013-12-31)

2487

Equipment
Address
0xA276A44C
0xA276A50C
0xA276A4AC
0xA276A56C
0xA276A32C
0xA276A2CC
0xA276A20C
8 IP Routing
Refcount MED Path/Origin

2
20 10i
3
20 10 100i
2
10i
3
10 100i
2
0
20?
4
0
?
1
0
10i
# Run the display bgp routing-table 60.0.0.35 command to view information about a specified
BGP route.
Paths:
Network route.
From: 0.0.0.0 (0.0.0.0)
Direct Out-interface: InLoopBack0
AS-path Nil, origin igp, MED 0, pref-val 0, valid, local, best, select, pre 0
8.8.4 Configuring BGP to Advertise Routes

BGP is used to transmit routing information. BGP advertises only the wanted routes after filtering
routes to be advertised, and modifies route attributes to direct network traffic.
Before You Start

Before configuring BGP to advertise routes, familiarize yourself with the usage scenario,
BGP is used to transmit routing information between ASs. Route advertisement directly affects
traffic forwarding.
There are usually a large number of routes in a BGP routing table. Transmitting a great deal of
routing information brings a heavy load to devices. Routes to be advertised need to be controlled
to address this problem. You can configure devices to advertise only routes that these devices
want to advertise or routes that their peers require.
Multiple routes to the same destination may exist and traverse different ASs. Routes to be
advertised need to be filtered in order to direct routes to specific ASs.
Filters can be used to filter routes to be advertised by BGP. BGP can filter routes to be advertised
to a specific peer or peer group.
Before configuring BGP to advertise routes, complete the following task:
l
Issue 02 (2013-12-31)

2488

Equipment
8 IP Routing
Data Preparation
To configure BGP to advertise routes, you need the following data.
No.
Data
Name or number of an ACL
Name, number, and matching mode of an IP prefix list
Number or name of an AS_Path filter
Number or name and matching mode of a community filter
Number or name and matching mode of an extcommunity filter
Name and matching mode of a route-policy, and number of the route-policy's node
Configuring BGP Filters

BGP filters filter routes to be advertised.
Context
BGP uses the following types of filters to filter routes:
l
Access Control List(ACL)
IP-Prefix List
AS_Path filter
Community filter
Extcommunity filter
Route-Policy
Configure an ACL.
Procedure
An ACL is a series of sequential rules composed of permit and deny clauses. These rules
are described based on source addresses, destination addresses, and port numbers of
packets. ACL rules are used to classify packets. After ACL rules are applied to a device,
the device permits or denies packets based on the ACL rules.
For details on ACL configurations, see the Configuration Guide - IP Services.
An ACL can be used as a matching condition of a route-policy or used in the filterpolicy { acl-number | acl-name acl-name } export [ protocol [ process-id ] ] command or
the peer { group-name | ipv4-address } filter-policy { acl-number | acl-name acl-name }
export command.
l
Configure an IP prefix list.

An IP prefix list is a type of filter used to filter routes based on destination addresses. An
IP prefix list is identified by its name. An IP prefix list can be used flexibly to implement
Issue 02 (2013-12-31)

2489

Equipment
8 IP Routing
accurate filtering. For example, it can be used to filter a route or routes to a network segment.
If a large number of routes that do not have the same prefix need to be filtered, configuring
an IP prefix list to filter the routes is very complex.
An IP prefix list can be used as a matching condition of a route-policy or used in the filterpolicy ip-prefix ip-prefix-name export [ protocol [ process-id ] ] command or the peer
{ group-name | ipv4-address } ip-prefix ip-prefix-name export command.
1.
Run:
system-view

2.
Run:
ip ip-prefix ip-prefix-name [ index index-number ] { permit | deny } ipaddress mask-length [ match-network ] [ greater-equal greater-equalvalue ] [ less-equal less-equal-value ]
An IPv4 prefix list is configured.

match-network is used to filter routes to a specified IP address and can be configured
only when ipv4-address is 0.0.0.0. For example, the ip ip-prefix prefix1 permit
0.0.0.0 8 command filters all routes with mask length 8, while the ip ip-prefix prefix1
permit 0.0.0.0 8 match-network command filters all routes to the IP address range
from 0.0.0.1 to 0.255.255.255.
The mask length range can be specified as mask-length <= greater-equal-value <=
less-equal-value <= 32. If only greater-equal is specified, the prefix range is [greaterequal-value, 32]. If only less-equal is specified, the prefix range is [mask-length, lessequal-value].
An IPv4 prefix list is identified by its name, and each IP prefix list can contain multiple
entries. Each entry is identified by an index number, and can specify a matching range
in the form of a network prefix uniquely. An IPv4 prefix list named abcd is used as
an example.
#
ip ip-prefix abcd index 10 permit 1.0.0.0 8
During route matching, the system checks the entries by index number in ascending
order. If a route matches an entry, the route will not be matched with the next entry.
The ATN denies all unmatched routes by default. If all entries in an IPv4 prefix list
are in deny mode, all routes will be denied by the IPv4 prefix list. In this case, you
must define an entry permit 0.0.0.0 0 less-equal 32 after the entries in deny mode to
allow all the other IPv4 routes to by permitted by the IPv4 prefix list.
NOTE
If more than one IP prefix entry is defined, at least one entry should be set in permit mode.
Configure an AS_Path filter.

An AS_Path filter is used to filter BGP routes based on the AS_Path attributes contained
in the BGP routes. If you do not want traffic to pass through an AS, configure an AS_Path
filter to filter out the traffic carrying the number of the AS. If the BGP routing table of each
device on a network is large, configuring an ACL or an IP prefix list to filter BGP routes
may be complicated and make it difficult to maintain new routes.
Issue 02 (2013-12-31)

2490

Equipment
8 IP Routing
NOTE
If the AS_Path information of a summarized route is lost, the AS_Path filter cannot be used to filter
the summarized route, but can still be used to filter the specific routes from which the summarized
route is derived.
An AS_Path filter can be used as a matching condition of a route-policy or be used in the

peer as-path-filter command.
1.
Run:
system-view

2.
Run:
ip as-path-filter { as-path-filter-number | as-path-filter-name }
{ permit | deny } regular-expression
An AS_Path filter is configured.

NOTE
For details on how to use AS_Path filters, see 8.8.23 Applying BGP AS_Path Regular
Expressions.
Configure a community filter.

A BGP community attribute is used to identify a group of routes with the same properties.
Routes can be classified by community attribute. This facilitates route management.
Some AS internal routes may not need to be advertised to any other AS, whereas AS external
routes need to be advertised to other ASs. These AS external routes have different prefixes
(as a result, an IP prefix list is inapplicable) and may come from different ASs (as a result,
an AS_Path filter is inapplicable). You can set a community attribute value for these AS
internal routes and another community attribute value for these AS external routes on an
ASBR to control and filter these routes.
1.
Run:
system-view

2.
Run:
ip community-filter
A community filter is configured.

To configure a standard community filter, run the ip community-filter { basic
comm-filter-name { permit | deny } [ community-number | aa:nn ] * &<1-16> |
basic-comm-filter-num { permit | deny } [ community-number | aa:nn ] *
&<1-16> } [ internet | no-export-subconfed | no-advertise | no-export ] *
command.
To configure an advanced community filter, run the ip community-filter
{ advanced comm-filter-name | adv-comm-filter-num } { permit | deny } regularexpression command.
l
Configure an extcommunity filter.

Similar to a BGP community filter, a BGP extcommunity filter is used to filter private
network routes.
Issue 02 (2013-12-31)

2491

Equipment
1.
8 IP Routing
Run:
system-view

2.
Perform either of the following operations as required to configure an extcommunity

filter.
To configure a basic extcommunity filter, run the ip extcommunity-filter { basicextcomm-filter-num | basic basic-extcomm-filter-name } { deny | permit } { rt
{ { as-number-plain | as-number-dot }:nn | ipv4-address:nn } } &<1-16>
command.
To configure an advanced extcommunity filter, run the ip extcommunity-filter
{ adv-extcomm-filter-num | advanced adv-extcomm-filter-name } { deny |
permit } regular-expression command.
Multiple entries can be defined in an extcommunity filter. The relationship between
the entries is "OR". This means that if a route matches one of the rules, the route
matches the filter.
A route-policy is used to match routes or route attributes, and to change route attributes
when specific conditions are met. As the preceding filters can be used as matching
conditions of a route-policy, the route-policy is powerful in functions and can be used
flexibly.
1.
Run:
system-view

2.
Run:
A node is configured for a route-policy, and the view of the route-policy is displayed.
A route-policy consists of multiple nodes. For example, the route-policy routepolicy-example permit node 10 command specifies node 10 and the route-policy
route-policy-example deny node 20 command specifies node 20. The two nodes
belong to the route-policy specified by route-policy-example. The relationship
between the nodes of a route-policy is "OR". The details are as follows:
If a route matches one node, the route matches the route-policy and will not be
matched with the next node. For example, there are two nodes defined using the
route-policy route-policy-example permit node 10 and route-policy routepolicy-example deny node 20 commands. If a route matches the node defined
using the route-policy route-policy-example permit node 10 command, the route
will not be matched with the node defined using the route-policy route-policyexample deny node 20 command.
If a route does not match any node, the route fails to match the route-policy.
When a route-policy is used to filter a route, the route is first matched with the node
with the smallest node value. For example, if two nodes are configured using the
route-policy route-policy-example permit node 10 and route-policy route-policyexample deny node 20 commands, a route is first matched with the node configured
using the route-policy route-policy-example permit node 10 command.
Issue 02 (2013-12-31)

2492

Equipment
8 IP Routing
NOTE
The ATN considers that each unmatched route fails to match the route-policy by default. If
more than one node is defined in a route-policy, at least one of them must be in permit mode.
3.
(Optional) Perform the following operations as needed to configure if-match clauses

for current nodes of the route-policy.
if-match clauses are used to filter routes. If no if-match clause is specified, all routes
will match the node in the route-policy.
To match an ACL, run the if-match acl { acl-number | acl-name } command.
To match an IP prefix list, run the if-match ip-prefix ip-prefix-name command.
NOTE
The if-match acl and if-match ip-prefix commands cannot be used together in the same
node of a route-policy, because the latest configuration will override the previous one.
To match the AS_Path attribute of BGP routes, run the if-match as-path-filter
{ as-path-filter-number | as-path-filter-name } &<1-16> command.
To match the community attribute of BGP routes, run either of the following
commands:
if-match community-filter { basic-comm-filter-num [ whole-match ] | advcomm-filter-num }* &<1-16>
if-match community-filter comm-filter-name [ whole-match ]
To match the extended community attribute of BGP routes, run the if-match
extcommunity-filter { { basic-extcomm-filter-num | adv-extcomm-filter-num }
&<1-16> | basic-extcomm-filter-name | advanced-extcomm-filter-name }
command.
The operations in Step 3 can be performed in any order. A node may have multiple
if-match clauses or no if-match clause.
NOTE
The relationship between the if-match clauses in a node of a route-policy is "AND". A route
must match all the rules before the action defined by the apply clause is taken. For example,
if two if-match clauses (if-match acl 2003 and if-match as-path-filter 100) are defined in the
route-policy route-policy-example permit node 10 command, a route is considered to match
node 10 only when it matches the two if-match clauses.
4.
(Optional) Perform the following operations as needed to configure apply clauses for
current nodes of the route-policy:
apply clauses can be used to set attributes for routes matching if-match clauses. If
this step is not performed, the attributes of routes matching if-match clauses keep
unchanged.
To replace or add a specified AS number in the AS_Path attribute of a BGP route,
run the apply as-path { as-number-plain | as-number-dot } &<1-10> { additive
| overwrite } | none overwrite } command.
To delete a specified BGP community attribute from a route, run the apply commfilter comm-filter-number delete command.
Issue 02 (2013-12-31)

2493

Equipment
8 IP Routing
NOTE
The apply comm-filter delete command deletes a specified community attribute from a
route. An instance of the ip community-filter command can specify only one community
attribute each time. To delete more than one community attribute, run the ip communityfilter command multiple times. If multiple community attributes are specified in one
community filter, none of them can be deleted. For more information, see the Command
Reference - IP Routing.
To delete all community attributes from a BGP route, run the apply community
none command.
To set community attributes for a BGP route, run the apply community
{ community-number | aa:nn | internet | no-advertise | no-export | no-exportsubconfed } &<1-32> [ additive ] command.
To set an extended community attribute (route-target) for a route, run the apply
extcommunity { rt { as-number:nn | 4as-number:nn | ipv4-address:nn } }
&<1-16> [ additive ] command.
To set the local preference for a BGP route, run the apply local-preference
preference command.
To set the Origin attribute for a BGP route, run the apply origin { igp | egp { asnumber-plain | as-number-dot } | incomplete } command.
To set a preferred value for a BGP route, run the apply preferred-value preferredvalue command.
To set dampening parameters for an EBGP route, run the apply dampening halflife-reach reuse suppress ceiling command.
apply clauses or no apply clause.
----End
Configuring to Controll the Advertisement of BGP Routing Information

After a route advertisement policy is configured on a device, the device advertises only routes
matching the policy to its peers.
Procedure
l
Configure a BGP device to advertise routes to all peers or peer groups.

You can configure a BGP device to filter routes to be advertised. Perform the following
steps on a BGP ATN:
1.
Run:
system-view

2.
Run:

3.
Run:
ipv4-family unicast
Issue 02 (2013-12-31)

2494

Equipment
8 IP Routing

4.
Perform either of the following operations to configure the BGP device to advertise
routes to all peers or peer groups:
To filter routes based on a basic ACL, perform the following steps:
a.
Run filter-policy { acl-number | acl-name acl-name } export [ protocol

[ process-id ] ], the advertised routes is filtered based on an ACL.
b.
Run quit, return to the BGP view.
c.
d.
displayed.
e.
ACL.
When the rule command is run to configure rules for a named ACL, only the
source address range specified by source and the time period specified by
time-range are valid as the rules.
system.
routes.
To filter routes based on an advanced ACL, perform the following steps:

Issue 02 (2013-12-31)

2495

Equipment
8 IP Routing
a.
Run filter-policy acl-name acl-name export [ protocol [ process-id ] ], the

advertised routes is filtered based on an ACL.
b.
c.
d.

e.

the basic ACL.
system.
routes.
To filter routes based on an IP prefix list, run the filter-policy ip-prefix ip-prefixname export [ protocol [ process-id ] ] command.
If protocol is specified, only routes discovered by a specific routing protocol are
filtered. If protocol is not specified, all the routes to be advertised are filtered, including
routes imported using the import-route (BGP) command and local routes advertised
using the network (BGP) command.
NOTE
If an ACL has been referenced in the filter-policy command but no VPN instance is specified
in the ACL rule, BGP will filter routes including public and private network routes in all address
families. If a VPN instance is specified in the ACL rule, only the data traffic from the VPN
instance will be filtered, and no route of this VPN instance will be filtered.
Issue 02 (2013-12-31)

2496

Equipment
8 IP Routing
Configure a BGP device to advertise routes to a specific peer or peer group.

You can configure a BGP device to filter routes to be advertised. Perform the following
steps on a BGP ATN:
1.
Run:
system-view

2.
Run:

3.
Run:
ipv4-family unicast

4.
Perform any of the following operations to configure the BGP device to advertise
routes to a specific peer or peer group:
a.
Run peer { ipv4-address | group-name } filter-policy { acl-number | aclname acl-name } export, the advertised routes is filtered based on an ACL.
b.
c.
d.
displayed.
e.
ACL.
system.
Issue 02 (2013-12-31)

2497

Equipment
8 IP Routing
routes.
a.
Run peer { ipv4-address | group-name } filter-policy acl-name acl-name

export, the advertised routes is filtered based on an ACL.
b.
c.
d.

e.

the basic ACL.
system.
routes.
Issue 02 (2013-12-31)

2498

Equipment
8 IP Routing
To filter routes based on an IP prefix list, run the peer { ipv4-address | groupname } ip-prefix ip-prefix-name export command.
To filter routes based on an AS_Path filter, run the peer { ipv4-address | groupname } as-path-filter { as-path-filter-number | as-path-filter-name } export
command.
To filter routes based on a route-policy, run the peer { ipv4-address | groupname } route-policy route-policy-name export command.
A peer group and its members can use different export policies to filter routes. Each
peer can select its policy when advertising routes.
----End
Configuring BGP Soft Reset

BGP soft reset allows the system to refresh a BGP routing table dynamically without tearing
down any BGP connection if routing policies are changed.
Context
After changing a BGP import policy, you must reset BGP connections for the new import policy
to take effect, interrupting these BGP connections temporarily. BGP route-refresh allows the
system to refresh a BGP routing table dynamically without tearing down any BGP connection
if routing policies are changed.
l
If a device's peer supports route-refresh, the refresh bgp command can be used on the
device to softly reset the BGP connection with the peer and update the BGP routing table.
If a device's peer does not support route-refresh, the peer keep-all-routes command can
be used on the device to remain all routing updates received from the peer so that the device
can refresh its routing table without closing the connection with the peer.
If the device's peers support route-refresh, perform the following operations:
Procedure
1.
(Optional) Enable route-refresh.

a.
Run:
system-view

b.
Run:

c.
Run:
peer { ipv4-address | group-name } capability-advertise route-refresh
Route-refresh is enabled.
By default, route-refresh is enabled.
If route-refresh is enabled on all BGP devices and the import policy of the local device
is changed, the local device sends a route-refresh message to peers or peer groups.
Issue 02 (2013-12-31)

2499

Equipment
8 IP Routing
After receiving the message, the peers or peer groups resend routing information to
the local BGP device. This enables the local device to dynamically refresh its BGP
routing table and apply the new routing policy without closing any BGP connections.
2.
Configure BGP soft reset.

a.
Run the refresh bgp [ vpn-instance vpn-instance-name ipv4-family | vpnv4 |

vpn-target | l2vpn-ad ] { all | ipv4-address | group group-name | external |
internal } { export | import } command in the user view to softly reset the BGP
connections between the devices and its peers or peer groups.
external softly resets an EBGP connection, and internal softly resets an IBGP
connection.
export triggers outbound BGP soft reset, and import triggers inbound BGP soft reset.
l
If the device's peers do not support route-refresh, perform the following operations:
Configure the device to store all the routing updates received from its peers or peer
groups.
1.
Run:
system-view

2.
Run:

3.
Run:
ipv4-family unicast

4.
Run:
peer { ipv4-address | group-name } keep-all-routes
The device is configured to store all the routing updates received from its peers
or peer groups.
By default, the device stores only the routing updates that are received from peers or
peer groups and match a configured import policy.
After this command is used, all routing updates sent by a specified peer or peer group
are stored, regardless of whether an import policy is used. When the local routing
policy changes, the information can be used to regenerate BGP routes again.
NOTE
This command must be run on the local device and its peers. If the peer keep-all-routes
command is run on the device for the first time, the sessions between the device and its peers
are reestablished.
The peer keep-all-routes command does not need to be run on the ATN that supports routerefresh. If the peer keep-all-routes command is run on the ATN, the sessions between the
ATN and its peers will not be reestablished but the refresh bgp command does not take effect
on the ATN.
----End
Issue 02 (2013-12-31)

2500

Equipment
8 IP Routing

After the configurations of controlling BGP route advertisement has been configured, you can
view filters, routes matching a specified filter, and routes advertised to BGP peers.
Prerequisites
The BGP route advertisement configurations have been configured.
Procedure
l
Run the display ip as-path-filter [ as-path-filter-number | as-path-filter-name ] command

to check information about a configured AS_Path filter.
Run the display ip community-filter [ basic-comm-filter-num | adv-comm-filter-num |

comm-filter-name ] command to check information about a configured community filter.
Run the display ip extcommunity-filter [ extcomm-filter-number | extcomm-filter-name ]

command to check information about a configured extcommunity filter.
Run the display bgp routing-table as-path-filter { as-path-filter-number | as-path-filtername } command to check information about routes matching a specified AS_Path filter.
Run the display bgp routing-table community-filter { { community-filter-name | basiccommunity-filter-number } [ whole-match ] | advanced-community-filter-number }
command to check information about routes matching a specified BGP community filter.
Run the display bgp routing-table peer ipv4-address advertised-routes [ statistics ]

command to check information about routes advertised by a BGP device to its peers.
----End
Example
After an AS_Path filter is configured, run the display ip as-path-filter [ as-path-filternumber | as-path-filter-name ] command in the system view to view information about the
configured AS_Path filter. Run the display bgp routing-table as-path-filter { as-path-filternumber | as-path-filter-name } command to view information about routes matching a specified
AS_Path filter.
# View information about AS_Path filter 3.
<HUAWEI> display ip as-path-filter 3
ListID
Mode
Expression
3
deny
[30]
3
permit
.*
# View routes matching AS_Path filter 3.

<HUAWEI> display bgp routing-table as-path-filter 3
*>i
Issue 02 (2013-12-31)
Network
NextHop
1.1.1.1/32
10.1.1.2
MED
LocPrf
100

PrefVal Path/Ogn
0
2501

Equipment
*>
i
*>
*>
*>
*>
*>
*>
* i
*>
*>i
10.1.1.0/24
10.1.1.1/32
10.3.1.0/24
10.3.1.1/32
127.0.0.0
127.0.0.1/32
192.168.1.0
192.168.1.121/32
192.168.3.0
0.0.0.0
10.1.1.2
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
10.1.1.2
0.0.0.0
10.1.1.2
8 IP Routing
0
0
0
0
0
0
0
0
0
0
0
100
100
100
0
0
0
0
0
0
0
0
0
0
0
?
?
?
?
?
?
?
?
?
?
?
8.8.5 Configuring BGP to Receive Routes

BGP is used to transmit routing information. BGP can filter received routes to accept only the
expected routes, and can modify route attributes to direct network traffic.
Before You Start

Before configuring BGP to receive routes, familiarize yourself with the usage scenario, complete
BGP is used to transmit routing information between ASs. Route reception directly affects traffic
forwarding.
The BGP device may receive routes to the same destination from different BGP peers. To control
traffic forwarding paths, the device needs to filter the received BGP routes.
The device may be attacked and receive a large number of routes from its BGP peers, consuming
lots of resources of the device. Therefore, the administrator must limit the resources to be
consumed based on networking planning and device capacities, no matter whether too many
BGP routes caused by malicious attacks or incorrect configurations.
Filters can be used to filter routes to be received by BGP. BGP can filter the routes received
from all peers or peer groups or only the routes received from a specific peer or peer group.
Before configuring BGP to receive routes, complete the following task:
l
Data Preparation
To configure BGP to receive routes, you need the following data.
Issue 02 (2013-12-31)
No.
Data
Name or number of an ACL
Name, number, and matching mode of an IP prefix list
Number or name of an AS_Path filter

2502

Equipment
8 IP Routing
No.
Data
Number or name and matching mode of a community filter
Number or name and matching mode of an extended community filter
Name and matching mode of a route-policy, and number of the route-policy's node
Configuring BGP Filters

BGP filters can be used to filter routes to be received.
Context
Filters are needed to filter routes to flexibly receive routes. Currently, six filters are available
for BGP:
l
Access Control List(ACL)
IP-Prefix List
AS_Path filter
Community filter
Extcommunity filter
Route-Policy
Configure an ACL.
Procedure
An ACL is a series of sequential rules composed of permit and deny clauses. These rules
are described based on source addresses, destination addresses, and port numbers of
packets. ACL rules are used to classify packets. After ACL rules are applied to a device,
the device permits or denies packets based on the ACL rules.
For details on ACL configurations, see the Configuration Guide - IP Services.
An ACL can be used as a matching condition of a route-policy or used in the filterpolicy { acl-number | acl-name acl-name } import command or the peer { group-name |
ipv4-address } filter-policy { acl-number | acl-name acl-name } import command.
l
Configure an IP prefix list.

An IP prefix list is a type of filter used to filter routes based on destination addresses. An
IP prefix list is identified by its name. An IP prefix list can be used flexibly to implement
accurate filtering. For example, it can be used to filter a route or routes to a network segment.
If a large number of routes that do not have the same prefix need to be filtered, configuring
an IP prefix list to filter the routes is very complex.
An IP prefix list can be used as a matching condition of a route-policy or used in the filterpolicy ip-prefix ip-prefix-name import command or the peer { group-name | ipv4address } ip-prefix ip-prefix-name import command.
1.
Run:
system-view
Issue 02 (2013-12-31)

2503

Equipment
8 IP Routing

2.
Run:
ip ip-prefix ip-prefix-name [ index index-number ] { permit | deny } ipaddress mask-length [ match-network ] [ greater-equal greater-equalvalue ] [ less-equal less-equal-value ]
An IPv4 prefix list is configured.

match-network is used to filter routes to a specified IP address and can be configured
only when ipv4-address is 0.0.0.0. For example, the ip ip-prefix prefix1 permit
0.0.0.0 8 command filters all routes with mask length 8, while the ip ip-prefix prefix1
permit 0.0.0.0 8 match-network command filters all routes to the IP address range
from 0.0.0.1 to 0.255.255.255.
The mask length range can be specified as mask-length <= greater-equal-value <=
less-equal-value <= 32. If only greater-equal is specified, the prefix range is [greaterequal-value, 32]. If only less-equal is specified, the prefix range is [mask-length, lessequal-value].
An IPv4 prefix list is identified by its name, and each IP prefix list can contain multiple
entries. Each entry is identified by an index number, and can specify a matching range
in the form of a network prefix uniquely. An IPv4 prefix list named abcd is used as
an example.
#
During route matching, the system checks the entries by index number in ascending
order. If a route matches an entry, the route will not be matched with the next entry.
The ATN denies all unmatched routes by default. If all entries in an IPv4 prefix list
are in deny mode, all routes will be denied by the IPv4 prefix list. In this case, you
must define an entry permit 0.0.0.0 0 less-equal 32 after the entries in deny mode to
allow all the other IPv4 routes to by permitted by the IPv4 prefix list.
NOTE
If more than one IP prefix entry is defined, at least one entry should be set in permit mode.
Configure an AS_Path filter.

An AS_Path filter is used to filter BGP routes based on the AS_Path attributes contained
in the BGP routes. If you do not want traffic to pass through an AS, configure an AS_Path
filter to filter out the traffic carrying the number of the AS. If the BGP routing table of each
device on a network is large, configuring an ACL or an IP prefix list to filter BGP routes
may be complicated and make it difficult to maintain new routes.
NOTE
If the AS_Path information of a summarized route is lost, the AS_Path filter cannot be used to filter
the summarized route, but can still be used to filter the specific routes from which the summarized
route is derived.
An AS_Path filter can be used as a matching condition of a route-policy or be used in the

peer as-path-filter command.
1.
Run:
system-view
Issue 02 (2013-12-31)

2504

Equipment
8 IP Routing

2.
Run:
ip as-path-filter { as-path-filter-number | as-path-filter-name }
{ permit | deny } regular-expression
An AS_Path filter is configured.

NOTE
For details on how to use AS_Path filters, see 8.8.23 Applying BGP AS_Path Regular
Expressions.
Configure a community filter.

A BGP community attribute is used to identify a group of routes with the same properties.
Routes can be classified by community attribute. This facilitates route management.
Some AS internal routes may not need to be advertised to any other AS, whereas AS external
routes need to be advertised to other ASs. These AS external routes have different prefixes
(as a result, an IP prefix list is inapplicable) and may come from different ASs (as a result,
an AS_Path filter is inapplicable). You can set a community attribute value for these AS
internal routes and another community attribute value for these AS external routes on an
ASBR to control and filter these routes.
1.
Run:
system-view

2.
Run:
ip community-filter
A community filter is configured.

To configure a standard community filter, run the ip community-filter { basic
comm-filter-name { permit | deny } [ community-number | aa:nn ] * &<1-16> |
basic-comm-filter-num { permit | deny } [ community-number | aa:nn ] *
&<1-16> } [ internet | no-export-subconfed | no-advertise | no-export ] *
command.
To configure an advanced community filter, run the ip community-filter
{ advanced comm-filter-name | adv-comm-filter-num } { permit | deny } regularexpression command.
l
Configure an extcommunity filter.

Similar to a BGP community filter, a BGP extcommunity filter is used to filter private
network routes.
1.
Run:
system-view

2.
Perform either of the following operations as required to configure an extcommunity

filter.
To configure a basic extcommunity filter, run the ip extcommunity-filter { basicextcomm-filter-num | basic basic-extcomm-filter-name } { deny | permit } { rt
Issue 02 (2013-12-31)

2505

Equipment
8 IP Routing
{ { as-number-plain | as-number-dot }:nn | ipv4-address:nn } } &<1-16>

command.
To configure an advanced extcommunity filter, run the ip extcommunity-filter
{ adv-extcomm-filter-num | advanced adv-extcomm-filter-name } { deny |
permit } regular-expression command.
Multiple entries can be defined in an extcommunity filter. The relationship between
the entries is "OR". This means that if a route matches one of the rules, the route
matches the filter.
l
A route-policy is used to match routes or route attributes, and to change route attributes
when specific conditions are met. As the preceding filters can be used as matching
conditions of a route-policy, the route-policy is powerful in functions and can be used
flexibly.
1.
Run:
system-view

2.
Run:
A node is configured for a route-policy, and the view of the route-policy is displayed.
A route-policy consists of multiple nodes. For example, the route-policy routepolicy-example permit node 10 command specifies node 10 and the route-policy
route-policy-example deny node 20 command specifies node 20. The two nodes
belong to the route-policy specified by route-policy-example. The relationship
between the nodes of a route-policy is "OR". The details are as follows:
If a route matches one node, the route matches the route-policy and will not be
matched with the next node. For example, there are two nodes defined using the
route-policy route-policy-example permit node 10 and route-policy routepolicy-example deny node 20 commands. If a route matches the node defined
using the route-policy route-policy-example permit node 10 command, the route
will not be matched with the node defined using the route-policy route-policyexample deny node 20 command.
If a route does not match any node, the route fails to match the route-policy.
When a route-policy is used to filter a route, the route is first matched with the node
with the smallest node value. For example, if two nodes are configured using the
route-policy route-policy-example permit node 10 and route-policy route-policyexample deny node 20 commands, a route is first matched with the node configured
using the route-policy route-policy-example permit node 10 command.
NOTE
The ATN considers that each unmatched route fails to match the route-policy by default. If
more than one node is defined in a route-policy, at least one of them must be in permit mode.
3.
(Optional) Perform the following operations as needed to configure if-match clauses

for current nodes of the route-policy.
if-match clauses are used to filter routes. If no if-match clause is specified, all routes
will match the node in the route-policy.
Issue 02 (2013-12-31)

2506

Equipment
8 IP Routing
To match an ACL, run the if-match acl { acl-number | acl-name } command.

To match an IP prefix list, run the if-match ip-prefix ip-prefix-name command.
NOTE
The if-match acl and if-match ip-prefix commands cannot be used together in the same
node of a route-policy, because the latest configuration will override the previous one.
To match the AS_Path attribute of BGP routes, run the if-match as-path-filter
{ as-path-filter-number | as-path-filter-name } &<1-16> command.
To match the community attribute of BGP routes, run either of the following
commands:
if-match community-filter { basic-comm-filter-num [ whole-match ] | advcomm-filter-num }* &<1-16>
if-match community-filter comm-filter-name [ whole-match ]
To match the extended community attribute of BGP routes, run the if-match
extcommunity-filter { { basic-extcomm-filter-num | adv-extcomm-filter-num }
&<1-16> | basic-extcomm-filter-name | advanced-extcomm-filter-name }
command.
if-match clauses or no if-match clause.
NOTE
The relationship between the if-match clauses in a node of a route-policy is "AND". A route
must match all the rules before the action defined by the apply clause is taken. For example,
if two if-match clauses (if-match acl 2003 and if-match as-path-filter 100) are defined in the
route-policy route-policy-example permit node 10 command, a route is considered to match
node 10 only when it matches the two if-match clauses.
4.
(Optional) Perform the following operations as needed to configure apply clauses for
current nodes of the route-policy:
apply clauses can be used to set attributes for routes matching if-match clauses. If
this step is not performed, the attributes of routes matching if-match clauses keep
unchanged.
To replace or add a specified AS number in the AS_Path attribute of a BGP route,
run the apply as-path { as-number-plain | as-number-dot } &<1-10> { additive
| overwrite } | none overwrite } command.
To delete a specified BGP community attribute from a route, run the apply commfilter comm-filter-number delete command.
NOTE
The apply comm-filter delete command deletes a specified community attribute from a
route. An instance of the ip community-filter command can specify only one community
attribute each time. To delete more than one community attribute, run the ip communityfilter command multiple times. If multiple community attributes are specified in one
community filter, none of them can be deleted. For more information, see the Command
Reference - IP Routing.
To delete all community attributes from a BGP route, run the apply community
none command.
Issue 02 (2013-12-31)

2507

Equipment
8 IP Routing
To set community attributes for a BGP route, run the apply community
{ community-number | aa:nn | internet | no-advertise | no-export | no-exportsubconfed } &<1-32> [ additive ] command.
To set an extended community attribute (route-target) for a route, run the apply
extcommunity { rt { as-number:nn | 4as-number:nn | ipv4-address:nn } }
&<1-16> [ additive ] command.
To set the local preference for a BGP route, run the apply local-preference
preference command.
To set the Origin attribute for a BGP route, run the apply origin { igp | egp { asnumber-plain | as-number-dot } | incomplete } command.
To set a preferred value for a BGP route, run the apply preferred-value preferredvalue command.
To set dampening parameters for an EBGP route, run the apply dampening halflife-reach reuse suppress ceiling command.
apply clauses or no apply clause.
----End
Configuring to Controll the Acceptment of BGP Routing Information

After an import policy is configured, only the routes that match the import policy can be received.
Procedure
l
Configure BGP to receive routes from all its peers or peer groups.
You can configure a BGP device to filter received routes. Perform the following steps on
a BGP ATN:
1.
Run:
system-view

2.
Run:

3.
Run:
ipv4-family unicast

4.
Perform either of the following operations to configure the BGP device to filter the
routes received from all its peers or peer groups:
Issue 02 (2013-12-31)
a.
Run filter-policy { acl-number | acl-name acl-name } import, the received

routes is filtered based on an ACL.
b.
c.

2508

Equipment
8 IP Routing
d.
displayed.
e.
ACL.
system.
routes.

a.
Run filter-policy acl-name acl-name import, the received routes is filtered

based on an ACL.
b.
c.
d.

e.

the basic ACL.
Issue 02 (2013-12-31)

2509

Equipment
8 IP Routing
system.
routes.
To filter routes based on an IP prefix list, run the filter-policy ip-prefix ip-prefixname import command.
NOTE
If an ACL has been referenced in the filter-policy command but no VPN instance is specified
in any ACL rule, BGP will filter routes including public network routes and private network
routes in all address families. If a VPN instance is specified in an ACL rule, only the data traffic
from the VPN instance will be filtered, and no routes of this VPN instance will be filtered.
Configure a BGP device to receive routes from a specific peer or peer group.
You can configure a BGP device to filter received routes. Perform the following steps on
a BGP ATN:
1.
Run:
system-view

2.
Run:

3.
Run:
ipv4-family unicast

4.
Issue 02 (2013-12-31)
Perform any of the following configurations to configure the BGP device to filter the
routes received from a specific peer or peer group:
2510

Equipment
8 IP Routing

a.
Run peer { ipv4-address | group-name } filter-policy { acl-number | aclname acl-name } import, the advertised routes is filtered based on an ACL.
b.
c.
d.
displayed.
e.
ACL.
system.
routes.
Issue 02 (2013-12-31)
a.
Run peer { ipv4-address | group-name } filter-policy acl-name acl-name

import, the advertised routes is filtered based on an ACL.
b.
c.

2511

Equipment
8 IP Routing
d.

e.

the basic ACL.
system.
routes.
To filter routes based on an IP prefix list, run the peer { ipv4-address | groupname } ip-prefix ip-prefix-nameimport command.
To filter routes based on an AS_Path filter, run the peer { ipv4-address | groupname } as-path-filter { as-path-filter-number | as-path-filter-name } import
command.
To filter routes based on a route-policy, run the peer { ipv4-address | groupname } route-policy route-policy-name import command.
A peer group and its members can use different import policies when receiving routes.
This means that each member in a peer group can select its own policy to filter received
routes.
l
Limit the number of the routes received from a peer or peer group.
When the ATN running BGP is attacked or network configuration errors occur, the ATN
receives a large number of routes from its neighbor. As a result, a large number of resources
of the ATN are consumed. Therefore, the administrator must limit the resources used by
the ATN based on network planning and the capacity of the ATN. BGP provides peer-based
Issue 02 (2013-12-31)

2512

Equipment
8 IP Routing
route control to limit the number of routes to be sent by a neighbor. Therefore, the preceding
problem is addressed.
1.
Run:
system-view

2.
Run:

3.
Run:
ipv4-family unicast

4.
Run:
peer { group-name | ipv4-address } route-limit limit [ percentage ]
[ alert-only | idle-forever | idle-timeout times ]
The number of routes that can be received from a peer or peer group is set.
The command provides the limit on the number of received routes based on peers.
You can configure specific parameters as required to control BGP after the number
of the routes received from a peer exceeds the threshold.
alert-only: The peer relationship is kept. No route is received after the number of
received routes exceeds the threshold, and an alarm is generated and recorded in
the log.
idle-forever: The peer relationship is interrupted. The router does not retry setting
up a connection. An alarm is generated and recorded in the log. In this case, run
the display bgp peer [ verbose ] command, and you can find that the status of the
peer is Idle. To restore the BGP connection, run the reset bgp command.
idle-timeout: The peer relationship is interrupted. The router retries setting up a
connection after the timer expires. An alarm is generated and recorded in the log.
In this case, run the display bgp peer [ verbose ] command, and you can find that
the status of the peer is Idle. To restore the BGP connection before the timer
expires, run the reset bgp command.
If none of the preceding parameters is set, the peer relationship is disconnected.
The router retries setting up a connection after 30 seconds. An alarm is generated
and recorded in the log.
NOTE
If the number of routes received by the local router exceeds the upper limit and the peer routelimit command is used for the first time, the local router and its peer reestablish the peer relationship,
regardless of whether alert-only is set.
----End
Configuring BGP Soft Reset

BGP soft reset allows the system to refresh a BGP routing table dynamically without tearing
down any BGP connection if routing policies are changed.
Issue 02 (2013-12-31)

2513

Equipment
8 IP Routing
Context
After changing a BGP import policy, you must reset BGP connections for the new import policy
to take effect, interrupting these BGP connections temporarily. BGP route-refresh allows the
system to refresh a BGP routing table dynamically without tearing down any BGP connection
if routing policies are changed.
l
If a device's peer supports route-refresh, the refresh bgp command can be used on the
device to softly reset the BGP connection with the peer and update the BGP routing table.
If a device's peer does not support route-refresh, the peer keep-all-routes command can
be used on the device to remain all routing updates received from the peer so that the device
can refresh its routing table without closing the connection with the peer.
If the device's peers support route-refresh, perform the following operations:
Procedure
1.
(Optional) Enable route-refresh.

a.
Run:
system-view

b.
Run:

c.
Run:
peer { ipv4-address | group-name } capability-advertise route-refresh
Route-refresh is enabled.
By default, route-refresh is enabled.
If route-refresh is enabled on all BGP devices and the import policy of the local device
is changed, the local device sends a route-refresh message to peers or peer groups.
After receiving the message, the peers or peer groups resend routing information to
the local BGP device. This enables the local device to dynamically refresh its BGP
routing table and apply the new routing policy without closing any BGP connections.
2.
Configure BGP soft reset.

a.
Run the refresh bgp [ vpn-instance vpn-instance-name ipv4-family | vpnv4 |

vpn-target | l2vpn-ad ] { all | ipv4-address | group group-name | external |
internal } { export | import } command in the user view to softly reset the BGP
connections between the devices and its peers or peer groups.
external softly resets an EBGP connection, and internal softly resets an IBGP
connection.
export triggers outbound BGP soft reset, and import triggers inbound BGP soft reset.
l
If the device's peers do not support route-refresh, perform the following operations:
Configure the device to store all the routing updates received from its peers or peer
groups.
1.
Run:
system-view
Issue 02 (2013-12-31)

2514

Equipment
8 IP Routing

2.
Run:

3.
Run:
ipv4-family unicast

4.
Run:
peer { ipv4-address | group-name } keep-all-routes
The device is configured to store all the routing updates received from its peers
or peer groups.
By default, the device stores only the routing updates that are received from peers or
peer groups and match a configured import policy.
After this command is used, all routing updates sent by a specified peer or peer group
are stored, regardless of whether an import policy is used. When the local routing
policy changes, the information can be used to regenerate BGP routes again.
NOTE
This command must be run on the local device and its peers. If the peer keep-all-routes
command is run on the device for the first time, the sessions between the device and its peers
are reestablished.
The peer keep-all-routes command does not need to be run on the ATN that supports routerefresh. If the peer keep-all-routes command is run on the ATN, the sessions between the
ATN and its peers will not be reestablished but the refresh bgp command does not take effect
on the ATN.
----End

After configuring BGP route reception, you can view the imported routes matching a specified
filter.
Prerequisites
The BGP route reception configurations have been configured.
Procedure
l
Run the display ip as-path-filter [ as-path-filter-number | as-path-filter-name ] command

to check a configured AS_Path filter.
Run the display ip community-filter [ basic-comm-filter-num | adv-comm-filter-num |

comm-filter-name ] command to check information about a configured community filter.
Run the display ip extcommunity-filter [ extcomm-filter-number ] command to check

information about a configured extended community filter.
Run the display bgp routing-table as-path-filter { as-path-filter-number | as-path-filtername } command to check information about routes matching a specified AS_Path filter.
Issue 02 (2013-12-31)

2515

Equipment
8 IP Routing
Run the display bgp routing-table community-filter { { community-filter-name | basiccommunity-filter-number } [ whole-match ] | advanced-community-filter-number }
command to check information about routes matching a specified BGP community filter.
Run the display bgp routing-table peer ipv4-address received-routes [ active ]

[ statistics ] command to check information about routes received by a BGP device from
its peers.
Run the display bgp routing-table peer ipv4-address accepted-routes command to check
information about the routes that are received by a BGP device from a specified peer and
match the routing policy.
----End
Example
After an AS_Path filter is configured, run the display ip community-filter [ basic-comm-filternum | adv-comm-filter-num | comm-filter-name ] command in the system view to view
information about the configured AS_Path filter. Run the display bgp routing-table peer ipv4address accepted-routes command to view information about the routes that are received by a
BGP device from a specified peer and match the routing policy.
# View information about a configured community filter.
<HUAWEI> display ip community-filter
Named Community basic filter: aa (ListID = 200)
permit 100
Named Community basic filter: bb (ListID = 201)
permit 200
# View the routes matching the specified BGP community filter named aa.
<HUAWEI> display bgp routing-table community-filter aa

Network
NextHop
*>
*>
*>
1.1.1.1/32
2.2.2.2/32
3.3.3.3/32
10.1.1.2
10.1.1.2
10.1.1.2
MED
LocPrf
100
100
100
PrefVal Community
0
0
0
<0:100>
<0:100>
<0:100>
# View the routes that are received by a BGP device from its peer at 10.1.1.2 and match the
routing policy.
<HUAWEI> display bgp routing-table peer 10.1.1.2 accepted-routes

Network
NextHop
*>
*>
*>
Issue 02 (2013-12-31)
1.1.1.1/32
2.2.2.2/32
3.3.3.3/32
10.1.1.2
10.1.1.2
10.1.1.2
MED
LocPrf
100
100
100

PrefVal Path/Ogn
0
0
0
200?
200?
200?
2516

Equipment
8 IP Routing
8.8.6 Configuring BGP Route Aggregation

Configuring BGP Route Aggregation on a device can reduce the sizes of routing tables on the
peers of the device.
The BGP routing table of a device on a medium or large BGP network contains a large number
of routing entries. Storing the routing table consumes a large number of memory resources, and
transmitting and processing routing information consume lots of network resources. Configuring
route aggregation can reduce the size of a routing table, prevent specific routes from being
advertised, and minimize the impact of route flapping on network performance. BGP route
aggregation and routing policies enable BGP to effectively transmit and control routes.
BGP supports automatic and manual aggregation. Manual aggregation takes precedence over
automatic aggregation. When using manual aggregation, you can apply various routing policies
and set route attributes.
Before configuring BGP route aggregation, complete the following task:
l
Configure automatic route aggregation.
Procedure
1.
Run:
system-view

2.
Run:

3.
Run:
ipv4-family unicast

4.
Run:
summary automatic
Automatic aggregation is configured for imported routes.

The summary automatic command aggregates routes imported by BGP. The routes
can be direct routes, static routes, RIP routes, OSPF routes, or IS-IS routes. After this
command is run, BGP aggregates routes based on natural network segments. The
command, however, cannot aggregate routes imported using the network command.
l
Configure manual route aggregation.

1.
Run:
system-view
Issue 02 (2013-12-31)

2517

Equipment
8 IP Routing

2.
Run:
bgp{ as-number-plain | as-number-dot }

3.
Run:
ipv4-familyunicast

4.
Run:
aggregate ipv4-address { mask | mask-length } [ as-set | attribute-policy
route-policy-name1 | detail-suppressed | origin-policy route-policy-name2
| suppress-policyroute-policy-name3 ] *
Manual route aggregation is configured.

as-set is used to generate an aggregated route in which the AS_Path attribute contains
AS_Path information of specific routes. If many routes need to be aggregated, exercise
caution when using this parameter. Frequent changes in specific routes cause flapping
of the aggregated route.
detail-suppressed is used to suppress the advertisement of specific routes. After
detail-suppressed is set, only aggregated routes are advertised. Aggregated routes
carry the atomic-aggregate attribute, not the community attributes of specific routes.
suppress-policy is used to suppress the advertisement of specified routes. The ifmatch clause of route-policy can be used to filter routes to be suppressed. Only the
routes matching the policy will be suppressed, and the other routes will still be
advertised. The peer route-policy command can also be used to filter out the routes
not to be advertised to peers.
After origin-policy is used, only the routes matching route-policy are aggregated.
attribute-policy is used to set attributes for an aggregated route. If the AS_Path
attribute is set in the policy using the apply as-path command and as-set is set in the
aggregate command, the AS_Path attribute in the policy does not take effect. The
peer route-policy command can also be used to set attributes for an aggregated route.
Only the routes that exist in the local BGP routing table can be manually aggregated.
For example, if route 10.1.1.1/24 is not in the BGP routing table, BGP will not generate
an aggregated route for it even if the aggregate 10.1.1.1 16 command is used.
----End

After route aggregation is configured, you can check whether the configuration is correct.
l
Run the display bgp routing-table [ network [ mask | mask-length ] ] command to check
information about BGP aggregated routes.
# Run the display bgp routing-table network command to view information about BGP
aggregated routes.
Issue 02 (2013-12-31)

2518

Equipment
8 IP Routing
Paths:
From: 10.2.1.2 (3.3.3.3)
Relay IP Out-interface: Ethernet0/2/1
AS-path 100, origin incomplete, pref-val 0, valid, external, best, select, pre
255
Aggregator: AS 100, Aggregator ID 3.3.3.3, Atomic-aggregate
10.1.1.1
10.2.1.2
8.8.7 Configuring BGP Peer Groups

Configuring BGP peer groups simplifies the BGP network configuration and improves the route
advertisement efficiency.
Before You Start

Before configuring BGP peer groups, familiarize yourself with the usage scenario, complete the
A BGP peer group consists of BGP peers that have the same update policies and configurations.
A large-scale BGP network has a large number of peers. Configuring and maintaining these
peers is difficult. To address this problem, configure a BGP peer group for BGP peers with the
same configurations. Configuring BGP peer groups simplifies peer management and improves
the route advertisement efficiency.
Based on the ASs where peers reside, peer groups are classified as follows:
l
IBGP peer group: The peers of an IBGP peer group are in the same AS.
Pure EBGP peer group: The peers of a pure EBGP peer group are in the same external AS.
Mixed EBGP peer group: The peers of a mixed EBGP peer group are in different external
ASs.
If a function is configured on a peer and its peer group, the function configured on the peer takes
precedence over that configured on the peer group. After a peer group is created, peers can be
added to the peer group. If these peers are not configured separately, they will inherit the
configurations of the peer group. If a peer in a peer group has a specific configuration
requirement, the peer can be configured separately. The configuration of this peer will override
the configuration inherited by the peer from the peer group.
Before configuring BGP peer groups, complete the following task:
l
Issue 02 (2013-12-31)

2519

Equipment
8 IP Routing
Data Preparation
To configure BGP peer groups, you need the following data.
No.
Data
Type and name of a peer group, and IP addresses of peer group members
Creating IBGP Peer Groups

If multiple IBGP peers exist, adding them to an IBGP peer group can simplify the BGP network
configuration and management. When creating an IBGP peer group, you do not need to specify
an AS number for the IBGP peer group.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
group group-name internal
An IBGP peer group is created.

Step 4 Run:
peer ipv4-address group group-name
A peer is added to the peer group.

NOTE
You can repeat step 4 to add multiple peers to the peer group. If the local device has not established a peer
relationship with this peer, the device will attempt to establish a peer relationship with this peer, and set
the AS number of this peer to the AS number of the peer group.
When creating an IBGP peer group, you do not need to specify the AS number.
After configuring a peer group, you can configure BGP functions for the peer group. By default,
all peers in a peer group inherit the entire configuration of the peer group. The inherited
configuration can be overridden if you directly configure commands for the peer.
----End
Creating Pure EBGP Peer Groups

If multiple EBGP peers exist in an AS, adding them to an EBGP peer group can simplify the
BGP network configuration and management. All the peers in a pure EBGP peer group must
have the same AS number.
Issue 02 (2013-12-31)

2520

Equipment
8 IP Routing
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
group group-name external
A pure EBGP peer group is created.

Step 4 Run:
peer group-name as-number { as-number-plain | as-number-dot }
An AS number is set for the EBGP peer group. If peers already exist in a peer group, you can
neither change the AS number of the peer group nor delete the AS number of the peer group by
using the undo peer as-number command.
Step 5 Run:
A peer is added to the peer group.

NOTE
You can repeat step 5 to add multiple peers to the peer group. If the local device has not established a peer
relationship with this peer, the device will attempt to establish a peer relationship with this peer, and set
the AS number of this peer to the AS number of the peer group.
----End
Creating Mixed EBGP Peer Groups

If multiple EBGP peers exist in different ASs, adding them to a mixed EBGP peer group can
simplify the BGP network configuration and management. When creating a mixed EBGP peer
group, you need to specify an AS number for each peer.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Issue 02 (2013-12-31)

2521

Equipment
8 IP Routing
Step 3 Run:
group group-name external
A mixed EBGP peer group is created.

Step 4 Run:
A peer is created and an AS number is set for this peer.

Step 5 Run:
The peer is added to the peer group.

NOTE
You can repeat Steps 4 and 5 to add multiple peers to the peer group.
You need to specify an AS number for each peer in a mixed EBGP peer group.
----End

After BGP peer groups are configured, you can view information about BGP peers and BGP
peer groups.
Prerequisites
The BGP peer group configurations have been configured.
Procedure
l
Run the display bgp peer [ ipv4-address ] verbose command to check detailed information
about BGP peers.
Run the display bgp group [ group-name ] command to check information about BGP
peer groups.
NOTE
This command is applied only to devices on which BGP peer groups are created.
If a peer group is specified in this command, detailed information about this peer group
will be displayed. If no peer group is specified in this command, information about all BGP
peer groups is displayed.
----End
Example
Run the display bgp group [ group-name ] command in the system view to view information
about a specified peer group.
# View information about a peer group named rr.
Issue 02 (2013-12-31)

2522

Equipment
8 IP Routing
<HUAWEI> display bgp group rr

BGP peer-group: rr
Remote AS: 100
Authentication type configured: None
Group's BFD has been enabled
Type : internal
Configured hold timer value: 180
Keepalive timer value: 60
Minimum route advertisement interval is 15 seconds
PeerSession Members:
10.1.1.2
10.1.1.3
Maximum allowed route limit: 100
Threshold: 75%, Parameter: always connect-retry(default)
Peer Preferred Value: 0
No routing policy is configured
Peer Members:
Peer
V
AS MsgRcvd MsgSent OutQ Up/Down
State PrefRcv
10.1.1.2 4
100
2004
2175
0 0028h55m Established
0
10.1.1.3 4
100
0
0
0 00:14:52
Connect
0
8.8.8 Configuring BGP Route Reflectors

Deploying BGP RRs allows IBGP peers to communicate without establishing full-mesh
connections between them. Using BGP RRs simplifies network configurations and improves
route advertisement efficiency.
Before You Start

Before configuring BGP RRs, familiarize yourself with the usage scenario, complete the preconfiguration tasks, and obtain the data required for the configuration.
BGP uses the AS_Path attribute to prevent route loops, but it does not change the AS_Path
attribute of a route sent between IBGP peers within an AS. This may cause a route loop. To
prevent this problem, the BGP standard defines that a BGP device is prohibited from advertising
any route that received from another IBGP peer. Full-mesh connections then must be created
between IBGP peers to ensure the connectivity between them. If many IBGP peers exists, the
overhead will be large and the configuration workload will be heavy for establishing full-mesh
logical connections between ATNs. In addition, the network will be difficult to maintain.
Using BGP confederations or RRs can solve these problems. A BGP confederation consists of
several sub-ASs in an AS. Full-mesh logical connections need to be established and maintained
between IBGP peers in each sub-AS. To deploy RRs, you only need to configure the RR
functionality on ATNs and do not need to change configurations on other devices. In this regard,
deploying RRs is easier and more flexible than deploying confederations.
Before configuring a BGP RR, complete the following task:
l
Data Preparation
To configure a BGP RR, you need the following data.
Issue 02 (2013-12-31)

2523

Equipment
No.
Data
Role of each ATN (RR, client, or non-client)
(Optional) Cluster ID of the RR
8 IP Routing
Configuring a Route Reflector and Specifying Clients

Deploying an RR and clients in an address family allows IBGP peers to communicate without
having full-mesh logical connections established between them, reducing network configuration
and maintenance workload, and improving network performance.
Context
In an AS, one ATN serves as an RR, and the other ATNs serve as clients. IBGP peer relationships
are set up between the RR and clients. The RR reflects routes between clients, and BGP
connections do not need to be established between the clients. A BGP device that is neither an
RR nor a client is called a non-client. Non-clients and the RR must establish full-mesh
connections with each other.
After receiving IBGP routes, the RR selects optimal routes based on BGP route selection policies
and advertises learned routes to its clients and non-clients following the rules described below:
l
After learning routes from non-clients, the RR advertises the routes to all clients.
After learning routes from clients, the RR advertises the routes to all non-clients and clients.
In addition, the RR advertises learned EBGP routes to all non-clients and clients.
It is easy to configure an RR. The RR functionality only needs to be configured on one ATN.
Configurations on clients are not required.
Perform the following steps on the ATN that is running BGP and is to be specified as an RR:
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ipv4-family unicast

Step 4 Run:
peer { ipv4-address | group-name } reflect-client
The ATN is specified as an RR and its clients are configured.

Issue 02 (2013-12-31)

2524

Equipment
8 IP Routing
To add more clients, repeat the step.

reflect-client configured in an address family is valid only in this address family and cannot be
inherited by other address families. Configuring reflect-client in a specified address family is
recommended.
----End
(Optional) Disabling Route Reflection Between Clients

If the clients of an RR are fully meshed, prohibiting route reflection among the clients can reduce
the link cost.
Context
The RR usually advertises the routes learned from clients to all non-clients and clients. If fullmesh logical connections have been established between all the clients of the RR, the clients are
capable of sending routes to each other without the help of the RR. Route reflection can be
disabled between clients to reduce the stress on the RR.
Perform the following steps on the RR that is running BGP.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ipv4-family unicast

Step 4 Run:
undo reflect between-clients
Route reflection is disabled between clients.

If the clients of an RR have established full-mesh connections with each other, the undo reflect
between-clients command can be used to disable route reflection between clients in order to
reduce the link cost. By default, route reflection is enabled between the clients of an RR.
This command can only be configured on the RR.
----End
(Optional) Configuring the Cluster ID for a Route Reflector

If several RRs are deployed in a cluster, assigning the same cluster ID to them can prevent route
loops.
Issue 02 (2013-12-31)

2525

Equipment
8 IP Routing
Context
A backup RR is usually deployed in an AS to prevent a fault on an RR from causing the clients
and non-clients unable to receive routing information. This backup RR improves network
reliability.
As shown in Figure 8-31, RR1 and RR2 are configured as backups for each other in AS 65000.
Clients 1, 2, and 3 are their clients. An IBGP peer relationship is set up between RR1 and RR2
so that each RR is the other RR's non-client.
Figure 8-31 RR cluster
RR2
RR1
IBGP
Cluster
IBGP
Client1
IBGP
IBGP
Client2
Client3
AS65000
Route loops may easily occur in this network. For example, when Client1 receives an updated
route from an EBGP peer, it uses IBGP to advertise this route to RR1 and RR2. Then the
following problems will happen in the same time:
l
RR1 advertises it to its clients and non-client (RR2),
RR2 advertises it to its clients and non-client (RR1).
As a result, a route loop occurs between RR1 and RR2.

To address this problem, configure all ATNs on the network shown in Figure 8-31 into the same
cluster and assign them the same cluster ID. After the configuration is complete, if Client1
receives an updated route from an EBGP peer, it uses IBGP to advertise this route to RR1 and
RR2.
l
After receiving this route, RR1 reflects it to its clients and RR2 and adds the local cluster
ID to the front of the cluster list.
After receiving the route reflected from RR1, RR2 checks the cluster list. After finding that
the local cluster ID is already on the cluster list, RR2 discards the route.
NOTE
Using a cluster list prevents route loops between RRs within an AS.
Issue 02 (2013-12-31)

2526

Equipment
8 IP Routing
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ipv4-family unicast

Step 4 Run:
reflector cluster-id cluster-id
A cluster ID is configured.
If a cluster has multiple RRs, use this command to set the same cluster-id for these RRs to prevent
route loops.
NOTE
To ensure that a client can learn the routes reflected by an RR, the Cluster ID configured on the RR must
be different from the Cluster ID of the client (By default, the client uses its Router ID as the cluster ID). If
the Cluster ID is the same as the Cluster ID of the client, the client discards received routes.
----End
(Optional) Preventing BGP Routes from Being Added into the IP Routing Table
Disabling BGP route delivery to the IP routing table on an RR can prevent traffic from being
forwarded by the RR, improving route advertisement efficiency.
Context
Usually, BGP routes are delivered to the IP routing table on the ATN to guide traffic forwarding.
If the ATN does not need to forward traffic, disable BGP route delivery to the IP routing table
on the ATN.
BGP route delivery to the IP routing table is generally disabled on RRs. An RR transmits routes
and forwards traffic within an AS. If the RR is connected to many clients and non-clients, the
route transmission task will consume a lot of CPU resources of the RR and cause the RR unable
to implement traffic forwarding. To improve the efficiency of route transmission, disable BGP
route delivery to the IP routing table on the RR to make the RR dedicated to route transmission.
Procedure
Step 1 Run:
system-view

Issue 02 (2013-12-31)

2527

Equipment
8 IP Routing
Step 2 Run:

Step 3 Run:
ipv4-family unicast

Step 4 Run:
routing-table rib-only [ route-policy route-policy-name ]
BGP route delivery to the IP routing table is disabled.

The routes preferred by BGP are delivered to the IP routing table by default.
If route-policy route-policy-name is configured in the routing-table rib-only command, routes
matching the policy are not delivered to the IP routing table, and routes not matching the policy
are delivered to the IP routing table, with the route attributes unchanged.
NOTE
The routing-table rib-only command and the active-route-advertise command are mutually exclusive.
----End
(Optional) Enabling the RR to Modify the Route Attributes Using the Export Policy
You can enable the route reflector (RR) to modify the route attributes using the export policy to
change route selection results of the BGP.
Context
According to RFC 4456, the route attributes on the RR cannot be modified using the export
policy. This is because it may cause route loops. By default, the RR is disabled from modifying
the route attributes using the export policy. But if you need to re-plan the network traffic, you
can enable the RR to modify the route attributes by using the export policy.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ipv4-family unicast

Step 4 Run:
reflect change-path-attribute
Issue 02 (2013-12-31)

2528

Equipment
8 IP Routing
You can enable the RR to modify the route attributes of the BGP routes using the export policy.
By default, you can disable the RR from modifying the route attributes using the export policy.
After you enable the reflect change-path-attribute command on an RR, the configurations of
the RR attributes modified using the export policy takes effect immediately. Perform the
l Run the apply as-path command to modify the AS_Path attributes of BGP routes.
l Run the apply comm-filter delete command to delete all community attributes from a BGP
route.
l Run the apply community command modifies the community attributes of BGP routes.
l Run the apply cost command to modify the cost of BGP routes, that is, to modify its
multi_exit discriminator (MED).
l Run the apply ip-address nexthop command to modify the next hop of the BGP routes.
l Run the apply local-preference command to modify the local preference of BGP routes.
l Run the apply origin command to modify the Origin attributes of BGP routes.
l Run the apply extcommunity command to modify the extended community attributes of
BGP routes.
NOTE
After the reflect change-path-attribute command is run on the RR, the peer route-policy export
command takes precedence over the peer next-hop-invariable and peer next-hop-local commands.
----End

After configuring BGP RRs, you can view BGP RR configurations and routing information
transmitted by BGP.
Prerequisites
All BGP RR configurations have been configured.
Procedure
l
Run the display bgp [ vpnv4 [ vpn-instance vpn-instance-name | all ] | vpn-target |

l2vpn | vpls ] peer [ ipv4-address ] verbose command to check detailed information about
BGP peers.
Run the display bgp routing-table [ network [ { mask | mask-length } [ longerprefixes ] ] ] command to check information in a BGP routing table.
----End
Example
# After a BGP RR is configured, run the following command to view detailed information about
its peers.
<HUAWEI> display bgp peer 10.1.1.2 verbose
BGP Peer is 10.1.1.2,
Issue 02 (2013-12-31)
remote AS 65009

2529

Equipment
8 IP Routing
Type: IBGP link

BGP version 4, Remote router ID 4.4.4.4
Update-group ID: 1
BGP current state: Established, Up for 00h01m24s
BGP current event: KATimerExpired
BGP last state: OpenConfirm
BGP Peer Up count: 1
Received total routes: 0
Received active routes total: 0
Advertised total routes: 0
Port: Local - 179
Remote - 50450
Configured: Connect-retry Time: 32 sec
Configured: Active Hold Time: 180 sec
Keepalive Time:60 sec
Received : Active Hold Time: 180 sec
Negotiated: Active Hold Time: 180 sec
Peer optional capabilities:
Peer supports bgp multi-protocol extension
Peer supports bgp route refresh capability
Peer supports bgp 4-byte-as capability
Address family IPv4 Unicast: advertised and received
Received: Total 3 messages
Update messages
1
Open messages
1
KeepAlive messages
2
Notification messages
0
Refresh messages
0
Sent: Total 4 messages
Update messages
1
Open messages
2
KeepAlive messages
2
0
Refresh messages
0
Last keepalive received: 2012-03-06 19:17:37 UTC-08:00
Last keepalive sent
: 2012-03-06 19:17:37 UTC-08:00
Last update
received: 2012-03-06 19:17:43 UTC-08:00
Last update
sent
: 2012-03-06 19:17:37 UTC-08:00
Optional capabilities:
Route refresh capability has been enabled
4-byte-as capability has been enabled
It's route-reflector-client
Routing policy configured:
NOTE
The message of It's route-reflector-client will be displayed in the command output only after the display
bgp peer ipv4-address verbose command is run on an RR.
8.8.9 Configuring a BGP Confederation

BGP confederations can be configured on a large BGP network to reduce the number of IBGP
connections and simplify routing policy management, increasing route advertisement efficiency.
A confederations can be used to reduce the number of IBGP connections in an AS. It divides an
AS into several sub-ASs. Full-mesh IBGP connections are established between devices in each
sub-AS, and full-mesh EBGP connections are established between devices in different sub-ASs,
Compared with RRs, confederations facilitate IGP extensions.
Issue 02 (2013-12-31)

2530

Equipment
8 IP Routing
Before configuring a BGP confederation, complete the following tasks:
l
Configure a BGP confederation.
Procedure
Perform the following steps on a BGP device:
1.
Run:
system-view

2.
Run:

3.
Run:
confederation id { as-number-plain | as-number-dot }
A confederation ID is set.
4.
Run:
confederation peer-as { as-number-plain | as-number-dot } &<1-32>
The number of the sub-AS where other EBGP peers connected to the local AS reside
is set.
{ as-number-plain | as-number-dot } is valid in the confederation only when the subASs of the confederation are configured.
The confederation id and confederation peer-as commands must be run on all the
EBGP peers in the same confederation, and the same confederation ID must be set for
these EBGP peers.
NOTE
An old speaker that has a 2-byte AS number cannot be in the same confederation with a new
speaker that has a 4-byte AS number. Otherwise, a routing loop may occur. This is because the
AS4_Path attribute does not support confederations.
Configure confederation compatibility.

Other ATNs may implement the confederation that does not comply with the RFC standard.
In such a situation, confederation compatibility must be configured. Perform the following
steps on a BGP device:
1.
Run:
system-view

2.
Run:
Issue 02 (2013-12-31)

2531

Equipment
8 IP Routing

3.
Run:
confederation nonstandard
The ATNs are configured to be compatible with the nonstandard AS confederation.

By default, the configured confederation accords with RFC 3065.
----End

After a confederation is configured, you can check whether the configuration is correct.
l
about BGP peers.
# Run the display bgp routing-table network command to view information about a specified
BGP route. For example:
Paths:
From: 10.1.3.1 (1.1.1.1)
Relay IP Out-Interface: GE0/2/1
AS-path 100, origin igp, MED 0, localpref 100, pref-val 0, valid, internalconfed, best, select, active, pre 255
8.8.10 Configuring BGP Community Attributes

Community attributes are used to simplify routing policy management.
Before You Start

Before configuring BGP community attributes, familiarize yourself with the usage scenario,
Community attributes are used to simplify routing policy application and facilitate network
maintenance. They allow a group of BGP devices in different ASs to share the same routing
policies. Before advertising a route with the community attribute to peers, a BGP device can
change the original community attribute of this route. Community attributes are route attributes,
which are transmitted between BGP peers, and the transmission is not restricted within an AS.
Before configuring BGP community attributes, complete the following task:
Issue 02 (2013-12-31)

2532

Equipment
8 IP Routing
Data Preparation
To configure BGP Community attributes, you need the following data.
No.
Data
Community attribute value
Route-policy name, node sequence number, and matching condition
Names of inbound and outbound routing policies
Configuring Community Attribute-Related Routing Policies

A routing policy that references a community attribute needs to be configured before the
community attribute is advertised.
Procedure
Step 1 Run:
system-view

Step 2 Run:
A node is configured for a routing policy, and the view of the routing policy is displayed.
Step 3 (Optional) Configure filtering conditions (if-match clauses) for a routing policy. Community
attributes can be added only to the routes that pass the filtering, and the community attributes
of only the routes that pass the filtering can be modified.
For configuration details, see (Optional) Configuring if-match Clauses.
Step 4 Configure community or extended community attributes for BGP routes.
l Run:
apply community { community-number | aa:nn | internet | no-advertise | noexport | no-export-subconfed } &<1-32> [ additive ]
Community attributes are configured for BGP routes.

NOTE
A maximum of 32 community attributes can be configured in the apply community command.
l Run:
apply extcommunity { rt { as-number:nn | ipv4-address:nn } } &<1-16>
[ additive ]
An extended community attribute (Route-Target) is configured for BGP routes.

----End
Issue 02 (2013-12-31)

2533

Equipment
8 IP Routing
Configuring a BGP Device to Send Community Attributes to Its Peer

A community attribute takes effect only after the community attribute and the routing policy
referencing the community attribute are advertised.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ipv4-family unicast

Step 4 Run:
peer { ipv4-address | group-name } route-policy route-policy-name export
An export routing policy is configured.

NOTE
When configuring a BGP community, use a routing policy to define the community attribute, and apply
the routing policy to the routes to be advertised.
For details on routing policy configurations, see the chapter "Routing Policy Configuration."
Step 5 Run the following commands to advertise community attributes to the peer group.
l To configure the BGP device to send a standard community attribute to its peer or peer group,
run:
peer { ipv4-address | group-name } advertise-community
l To advertise an extended community attribute to a specified peer or peer group, perform the
following steps:
1.
Run the peer { ipv4-address | group-name } advertise-ext-community command to

advertise an extended community attribute to a specified peer or peer group.
2.
(Optional) Run the ext-community-change enable command to enable the device to

change extended community attributes using a routing policy.
By default, BGP peers cannot change extended community attributes using a routepolicy; specifically, BGP peers advertise only the extended community attributes
carried in routes to a specified peer or peer group, and the peer route-policy command
cannot be used to modify the extended community attributes.
NOTE
After the peer advertise-ext-community command is enabled, BGP sends the routes with extended
community attribute to its peer or peer group. If the peer or peer group only want to receive the routes, but
not extended community attribute, you can configure the peer discard-ext-community command on the
peer or peer group to discard the extended community attribute from the received routing information.
----End
Issue 02 (2013-12-31)

2534

Equipment
8 IP Routing

After configuring BGP community attributes, you can view the configured BGP community
attributes.
Prerequisites
The BGP community attribute configurations have been configured.
Procedure
l
Run the display bgp routing-table network [ mask | mask-length ] command to check the
detailed information about BGP routes.
Run the display bgp routing-table community [ community-number | aa:nn ] &<1-29>

[ internet | no-advertise | no-export | no-export-subconfed ] * [ whole-match ] command
to check information about the routes carrying specified BGP community attributes.
----End
Example
# Run the display bgp routing-table community command to view the routes carrying specified
BGP community attributes.
<HUAWEI> display bgp routing-table community
Network
NextHop
MED
LocPrf
PrefVal Community
*
1.1.1.0/24
1.1.1.1
0
0
no-export
*
1.1.1.2/32
1.1.1.1
0
0
no-export
*>
192.168.10.0
10.2.1.2
0
0
no-exportsubconfed
*>
192.168.15.0
10.2.1.2
0
0
internet
*>
192.168.18.0
10.2.1.2
0
0
no-advertise
8.8.11 Configuring Prefix-based BGP ORF

Prefix-based BGP outbound route filtering (ORF) is used to enable a BGP device to send to its
BGP peer a set of routing policies that can be used by its peer to filter out unwanted routes during
route advertisement.
During routing information transmission between two devices, routing policies can be used on
receiving and sending devices to filter routes.
l
Issue 02 (2013-12-31)
If a routing policy is used to filter routing information received by the route receiving device
but no policy is used to filter routing information to be sent by the route sending device
and the route sending device sends a great deal of routing information, the route receiving
device will have to process a great deal of unwanted routing information. This consumes
a lot of network bandwidth resources.

2535

Equipment
8 IP Routing
If routes to be advertised by the route sending device need to be filtered and the device has
many BGP peers, many export policies need to be configured on the device. This is
unhelpful for network planning and maintenance and consumes lots of memory resources.
To address these problems, prefix-based BGP ORF is used to implement on-demand BGP route
advertisement. A BGP device uses an export policy provided by a route receiving device to filter
routes before sending these routes. It is unnecessary for the local device to provide a separate
export policy for each BGP peer. As a result, the loads of the two communication devices,
network bandwidth consumption, and configuration workload are reduced.
NOTE
Currently, only prefix-based export policies are supported.
Before configuring prefix-based BGP ORF, complete the following tasks:
l
Configuring an IPv4 Prefix List
Data Preparation
To configure prefix-based BGP ORF, you need the following data.
No.
Data
Address of a peer or name of a peer group
Name of an IP prefix list
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ipv4-family unicast

Step 4 Run:
peer { group-name | ipv4-address } capability-advertise orf [ non-standardcompatible ] ip-prefix { both | receive | send }
Prefix-based ORF is enabled for a BGP peer or peer group.

By default, prefix-based ORF is not enabled for a peer or peer group.
Issue 02 (2013-12-31)

2536

Equipment
8 IP Routing
NOTE
This step needs to be performed on both communication devices.

The ORF capability supported by non-Huawei devices may be different from that defined in the RFC
standard. To enable a Huawei device to communicate with a non-Huawei device, ensure that the devices
are configured with the same compatibility mode (either non-standard-compatible or RFC-compatible).
By default, the RFC-compatible mode is used.
BGP ORF has three modes: send, receive, and both. In send mode, a device can send ORF information. In
receive mode, a device can receive ORF information. In both mode, a device can either send or receive
ORF information. To enable a device to receive ORF IP-prefix information, configure the both or receive
mode on the device and the both or send mode on its peer.
Step 5 Run:
peer { group-name | ipv4-address } ip-prefix ip-prefix-name import
A prefix-based import policy is configured for a peer or peer group.

NOTE
This step is performed only on the receiving device. An IP prefix list specified by ip-prefix-name must
have been configured. Otherwise, route filtering cannot be implemented. For details on IPv4 prefix list
configurations, see Configuring an IPv4 Prefix List.
----End

After prefix-based BGP ORF is configured, you can run the following commands to check the
l
Run the display bgp peer [ ipv4-address ] verbose command to check prefix-based BGP
ORF negotiation information.
Run the display bgp peer ipv4-address orf ip-prefix command to check prefix-based BGP
ORF information received from a specified peer.
NOTE
The display bgp peer ipv4-address orf ip-prefix command must be run only on devices that have
sent routing information.
# View prefix-based BGP ORF negotiation information.

BGP Peer is 10.1.1.2, remote AS 200
Type: EBGP link
Update-group ID: 1
BGP current event: RecvRouteRefresh
Port: Local - 179
Remote - 54545
Issue 02 (2013-12-31)

2537

Equipment
8 IP Routing
Peer supports bgp outbound route filter capability

Support Address-Prefix: IPv4-UNC address-family, rfc-compatible, both
Update messages
1
Open messages
1
KeepAlive messages
1
0
Refresh messages
1
Update messages
5
Open messages
2
KeepAlive messages
1
0
Refresh messages
1
Last keepalive sent
: 2012-03-06 19:17:37 UTC-8:00
Last update
received: 2012-03-06 19:17:43 UTC-8:00
Last update
sent
: 2012-03-06 19:17:37 UTC-8:00
Outbound route filter capability has been enabled
Enable Address-Prefix: IPv4-UNC address-family, rfc-compatible, both
Multi-hop ebgp has been enabled
No import update filter list
No export update filter list
Import prefix list is: 1
No export prefix list
No import route policy
No export route policy
No import distribute policy
No export distribute policy
# View prefix-based ORF information received from a specified peer.

<HUAWEI> display bgp peer 10.1.1.1 orf ip-prefix
Total number of ip-prefix received: 1
Index
Action Prefix
MaskLen MinLen
10
Permit 3.3.3.3
32
MaxLen
8.8.12 Configuring to Adjust the BGP Network Convergence Speed

You can adjust the BGP network convergence speed by adjusting BGP peer connection
parameters to adapt to changes on large-scale networks.
Before You Start

Before adjusting the BGP network convergence speed, familiarize yourself with the usage
BGP is used to transmit routing information on large-scale networks. Frequent network changes
affect the establishment and maintenance of BGP peer relationships, affecting the BGP network
convergence speed.
Issue 02 (2013-12-31)

2538

Equipment
8 IP Routing
The route dampening and triggered update functions of BGP suppress frequent route changes
to a certain extent, but cannot minimize the impact of network flapping on BGP connections.
You can configure BGP timers, disabling rapid EBGP connection reset, and enable BGP peer
tracking to suppress BGP network flapping and speed up BGP network convergence.
l
ConnectRetry timer
A ConnectRetry timer is used to set an interval between BGP attempts to initiate TCP
connections. After BGP initiates a TCP connection, the ConnectRetry timer will be stopped
if the TCP connection is established successfully. If the first attempt to establish a TCP
connection fails, BGP tries again to establish the TCP connection after the ConnectRetry
timer expires.
You can accelerate or slow down the establishment of BGP peer relationships by changing
the BGP ConnectRetry interval. For example, if the ConnectRetry interval is reduced, BGP
will wait less time before retrying to establish a TCP connection when the previous attempt
fails. This speeds up TCP connection establishment. If a BGP peer flaps constantly, the
ConnectRetry interval can be increased to suppress route flapping caused by BGP peer
flapping. This speeds up route convergence.
BGP Keepalive and hold timers

BGP uses Keepalive messages to maintain BGP peer relationships and monitor connection
status.
After establishing a BGP connection, two peers send Keepalive messages periodically to
each other to detect the BGP connection status. If the ATN does not receive any Keepalive
message or any other types of packets from the peer within the hold time, the ATN considers
the BGP connection interrupted and closes the BGP connection.
BGP MinRouteAdvertisementIntervalTimer
BGP does not periodically update a routing table. When BGP routes change, BGP updates
the changed BGP routes in the BGP routing table by sending Update messages. If a route
changes frequently, to prevent the ATN from sending Update messages upon every change,
set the interval at which Update messages are sent.
Rapid EBGP connection reset

Rapid EBGP connection reset is enabled by default so that EBGP can quickly detect the
status of interfaces used to establish EBGP connections. If the interface status is changed
frequently, rapid EBGP connection reset can be disabled. As a result, direct EBPG sessions
will not be reestablished and deleted as interface alternates between Up and Down. This
implements rapid network convergence.
BGP peer tracking

BGP peer tracking can speed up network convergence by adjusting the interval between
peer unreachability discovery and connection interruption. BGP peer tracking is easy to
deploy and has good extensibility.
Before adjusting the BGP network convergence speed, complete the following tasks:
l
Data Preparation
To adjust the BGP network convergence speed, you need the following data.
Issue 02 (2013-12-31)

2539

Equipment
8 IP Routing
No.
Data
Value of the ConnectRetry timer
Values of BGP Keepalive and hold timers
Value of the MinRouteAdvertisementIntervalTimer
Interval between peer unreachability discovery and connection interruption
Configuring a BGP ConnectRetry Timer

You can control the speed at which BGP peer relationships are established by changing the BGP
ConnectRetry timer value.
Context
After BGP initiates a TCP connection, the ConnectRetry timer will be stopped if the TCP
connection is established successfully. If the first attempt to establish a TCP connection fails,
BGP tries again to establish the TCP connection after the ConnectRetry timer expires.
l
Setting a short ConnectRetry interval reduces the period BGP waits between attempts to
establish a TCP connection. This speeds up the establishment of the TCP connection.
Setting a long connectRetry interval suppresses routing flapping caused by peer relationship
flapping.
A ConnectRetry timer can be configured either for all peers or peer groups, or for a specific peer
or peer group. A ConnectRetry timer configured for a specific peer takes precedence over that
configured for the peer group of this peer. In addition, a ConnectRetry timer configured for a
specific peer or peer group takes precedence over that configured for all peers or peer groups.
Procedure
l
Configure a BGP ConnectRetry timer for all peers or peer groups.

Perform the following steps on a BGP ATN:
1.
Run:
system-view

2.
Run:

3.
Run:
timer connect-retry connect-retry-time
A BGP ConnectRetry timer is configured for all peers or peer groups.

By default, the ConnectRetry timer value is 32s.
l
Configure a ConnectRetry timer for a specific peer or peer group.

Issue 02 (2013-12-31)

2540

Equipment
1.
8 IP Routing
Run:
system-view

2.
Run:

3.
Run:
peer { group-name | ipv4-address } timer connect-retry connect-retry-time
A ConnectRetry timer is configured for a specific peer or peer group.

By default, the ConnectRetry timer value is 32s.
The ConnectRetry timer configured for a peer or peer group takes precedence over
that configured for all peers or peer groups.
----End
Configuring BGP Keepalive and Hold Timers

The values of BGP Keepalive and hold timers determine the speed at which BGP detects network
faults. You can adjust the values of these timers to improve network performance.
Context
Keepalive messages are used by BGP to maintain peer relationships. After establishing a BGP
connection, two peers periodically send Keepalive messages to each other to detect BGP peer
relationship status. If a device receives no Keepalive message from its peer after the hold timer
expires, the device considers the BGP connection to be closed.
l
If short Keepalive time and holdtime are set, BGP can detect a link fault quickly. This
speeds up BGP network convergence, but increases the number of Keepalive messages on
the network and loads of ATNs, and consumes more network bandwidth resources.
If long Keepalive time and holdtime are set, the number of Keepalive messages on the
network is reduced. This reduces loads of ATNs. If the Keepalive time is too long, BGP is
unable to detect link status changes in a timely manner. This is unhelpful for implementing
rapid BGP network convergence and may cause many packets to be lost.
NOTICE
Changing timer values using the timer command or the peer timer command interrupts BGP
peer relationships between ATNs. Therefore, exercise caution before changing the value of a
timer.
Keepalive and hold timers can be configured either for all peers or peer groups, or for a specific
peer or peer group. Keepalive and hold timers configured for a specific peer take precedence
over those configured for the peer group of this peer. In addition, Keepalive and hold timers
configured for a specific peer or peer group take precedence over those configured for all peers
or peer groups.
Issue 02 (2013-12-31)

2541

Equipment
8 IP Routing
Procedure
l
Configure BGP timers for all peers or peer groups.

1.
Run:
system-view

2.
Run:

3.
Run:
timer keepalive keepalive-time hold hold-time [ min-holdtime minholdtime ]
BGP timers are configured.

The proper maximum interval at which Keepalive messages are sent is one third the
holdtime and is not less than one second. If the holdtime is not set to 0, it is 3s at least.
By default, the keepalive-time value is 60s and the hold-time value is 180s.
NOTE
Setting the Keepalive time to 20s is recommended. If the Keepalive time is smaller than 20s,
sessions between peers may be closed.
When setting values of keepalive-time and hold-time, note the following points:
The keepalive-time and hold-time values cannot be both set to 0. Otherwise, the
BGP timers become invalid, meaning that BGP will not send Keepalive messages
to detect connection status.
The hold-time value cannot be much greater than the keepalive-time value. For
example, keepalive-time cannot be set to 1 while hold-time is set to 65535. If the
hold-time value is too large, BGP cannot detect connection status in time.
After a connection is established between peers, the keepalive-time and hold-time
values are negotiated by the peers. The smaller one of the hold-time values carried by
Open messages of both peers is taken as the hold-time value. The smaller of one third
of the hold-time value and the locally configured keepalive-time value is taken as the
keepalive-time value.
If the local device establishes BGP peer relationships with many devices, it needs to
process huge BGP messages. If hold-time negotiated among BGP peers is small, the
timer may expire before the local device processes the Keepalive messages sent from
other BGP peers. The peer relationships are then interrupted, and routes flap. To solve
the preceding problem, you can configure an appropriate value for min-holdtime minholdtime based on the CPU processing capability of the local device.
If the value of min-holdtime is changed, but the values of keepalive-time and holdtime negotiated between two BGP peers remain unchanged, the established peer
relationship is not affected. Only when the local device attempts to re-establish a
relationship with a remote device, the value of min-holdtime configured on the local
device takes effect. The local device compares min-holdtime with hold-time sent from
the remote device. If the value of min-holdtime exceeds that of hold-time, hold-time
negotiation fails, and the peer relationship fails to be established.
Issue 02 (2013-12-31)

2542

Equipment
8 IP Routing
NOTE
If min-holdtime is configured on the local device, and the value of hold-time sent from the
remote device is 0, hold-time negotiation between the two devices succeeds. The negotiated
value of hold-time is 0, and the peer relationship is established. The value 0 of hold-time
indicates that the peer relationship never expires.
Configure timers for a specific peer or peer group.

1.
Run:
system-view

2.
Run:

3.
Run:
peer { ipv4-address | group-name } timer keepalive keepalive-time hold
hold-time [ min-holdtime min-holdtime ]
The Keepalive and hold timer values are set for a specific peer or peer group.
For information about the relationship between the keepalive-time and hold-time
values, see Configure BGP timers for all peers or peer groups.
NOTE
Setting the Keepalive time to 20s is recommended. If the Keepalive time is smaller than 20s,
sessions between peers may be closed.
Timers set for a specific peer or peer group takes precedence over timers set for all
peers or peer groups.
----End
Configuring a MinRouteAdvertisementIntervalTimer
A proper MinRouteAdvertisementIntervalTimer can be configured to suppress frequent route
changes, improving BGP network stability.
Context
BGP peers use update messages to exchange routing information. Update messages can be used
to advertise multiple reachable routes with the same attributes or withdraw multiple unreachable
routes.
BGP does not periodically update a routing table. When BGP routes change, BGP updates the
changed BGP routes in the BGP routing table by sending Update messages. If a route changes
frequently, to prevent the ATN from sending Update messages upon every change, set the
interval at which Update messages are sent.
Issue 02 (2013-12-31)

2543

Equipment
8 IP Routing
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
peer { ipv4-address | group-name } route-update-interval interval
A MinRouteAdvertisementIntervalTimer is configured.
By default, the interval at which Update messages are sent to IBGP peers is 15s, and the interval
at which Update messages are sent to EBGP peers is 30s.
ipv4-address specifies the address of a specific group. group-name specifies the name of a peer
group. The MinRouteAdvertisementIntervalTimer configured for a peer takes precedence over
the MinRouteAdvertisementIntervalTimer configured for a peer group.
----End
Disabling Fast Reset of EBGP Connections

Disabling rapid EBGP connection reset can prevent repeated reestablishment and deletion of
EBGP sessions in the event of route flapping. This speeds up BGP network convergence.
Context
Rapid EBGP connection reset is enabled by default. This allows BGP to immediately respond
to a fault on an interface and delete the direct EBGP sessions on the interface without waiting
for the hold timer to expire and implements rapid BGP network convergence.
NOTE
Rapid EBGP connection reset enables BGP to quickly respond to interface faults but does not enable BGP
to quickly respond to interface recovery. After the interface recovers, BGP uses its state machine to restore
relevant sessions.
If the status of an interface used to establish an EBGP connection changes frequently, the EBGP
session will be deleted and reestablished repeatedly, causing network flapping. Rapid EBGP
connection reset can be disabled in such a situation. BGP will delete direct EBGP sessions on
the interface until the hold timer expires. This suppresses BGP network flapping, helps to
implement rapid BGP network convergence, and reduces network bandwidth consumption.
Perform the following steps on a BGP ATN.
Procedure
Step 1 Run:
system-view

Issue 02 (2013-12-31)

2544

Equipment
8 IP Routing
Step 2 Run:

Step 3 Run:
undo ebgp-interface-sensitive
Rapid EBGP connection reset is disabled.

NOTE
Rapid EBGP connection reset is disabled in a situation where the status of an interface used to establish
an EBGP connection changes frequently. If the status of the interface becomes stable, run the ebgpinterface-sensitive command to enable rapid EBGP connection reset to implement rapid BGP network
convergence.
----End
Enabling BGP Peer Tracking

BGP peer tracking can be used to adjust the interval between peer unreachability discovery and
connection interruption. This suppresses BGP peer relationship flapping caused by route
flapping and improves BGP network stability.
Context
BGP can be configured to detect peer relationship status changes in order to implement rapid
BGP convergence. BFD, however, needs to be configured on the entire network, and has poor
extensibility. If BFD cannot be deployed on a device to detect BGP peer relationship status,
BGP peer tracking can be enabled on the device to quickly detect link or peer unreachability,
implementing rapid network convergence.
Perform the following steps on a BGP ATN.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
peer { group-name | ipv4-address } tracking [ delay delay-time ]
BGP peer tracking is enabled on the device to detect the status of a specified peer.
By default, BGP peer tracking is disabled.
ipv4-address specifies the address of a peer. group-name specifies the name of a peer group.
BGP peer tracking configured on a peer takes precedence over BGP peer tracking configured
on the peer group of this peer.
Issue 02 (2013-12-31)

2545

Equipment
8 IP Routing
If delay-time is not specified, the default delay (0 seconds) is used. This means that a BGP device
tears down the connection with a peer immediately after detecting the peer unreachable.
A proper delay-time value can ensure network stability.
l If an IBGP peer relationship is established based on an IGP route, the delay-time values set
on BGP peers must be greater than the IGP route convergence time. Otherwise, if IGP route
flapping occurs, the BGP peer relationship will be interrupted before network convergence
is complete.
NOTE
IGP GR is configured and a BGP peer relationship is established based on an IGP route. If a device
becomes faulty and performs an active/standby switchover, the IGP will not delete routes received by
the device. As a result, the BGP peer relationship will not be interrupted, even through BGP peer
tracking does not take effect.
l If BGP peers have negotiated the GR capability and one of the peers performs an active/
standby switchover, the delay-time values on the BGP peers must be greater than the GR
time. Otherwise, the BGP peer relationship will be interrupted before the GR time expires.
As a result, GR becomes invalid.
----End

After the BGP network convergence speed is adjusted, you can view information about BGP
peers and peer groups.
Prerequisites
Adjusting the BGP network convergence speed has been configured.
Procedure
l
Run the display bgp peer [ verbose ] command to check information about BGP peers.
Run the display bgp group [ group-name ] command to check information about BGP
peer groups.
----End
Example
Run the display bgp peer verbose command in the system view to view the configured
Keepalive timer, hold timer, MinRouteAdvertisementIntervalTimer, and BGP tracking function.
# View detailed information about BGP peers.
<HUAWEI> display bgp peer verbose
Type: EBGP link
Update-group ID: 1
BGP current event: RecvKeepalive
Issue 02 (2013-12-31)

2546

Equipment
8 IP Routing

Port: Local - 49290
Remote - 179
Configured: Min Hold Time: 15 sec
Update messages
1
Open messages
1
KeepAlive messages
1
0
Refresh messages
0
Update messages
1
Open messages
1
KeepAlive messages
1
0
Refresh messages
0
Last keepalive sent
: 2012-03-06 19:17:37 UTC-8:00
Last update
received: 2012-03-06 19:17:43 UTC-8:00
Last update
sent
: 2012-03-06 19:17:37 UTC-8:00
Tracking has been enabled, and the delay is 50s
NOTE
"Tracking has been enabled, and the delay is 50s" is displayed only when the display bgp peer verbose
command is run on the ATN enabled with BGP tracking.
8.8.13 Configuring BGP Route Dampening

BGP route dampening can be configured to suppress unstable routes.
The main cause of route instability is route flapping. A route is considered to be flapping when
it repeatedly appears and then disappears in the routing table. BGP is generally applied to
complex networks where routes change frequently. Frequent route flapping consumes lots of
bandwidth and CPU resources and even seriously affects network operations.
BGP route dampening prevents frequent route flapping by using a penalty value to measure route
stability. When a route flaps for the first time, a penalty value is assigned to the route. Later,
each time the route flaps, the penalty value of the route increases by a specific value. The greater
the penalty value, the less stable the route. If the penalty value of a route exceeds the pre-defined
threshold, the route will not be advertised until the penalty value of the route reduces to the reuse
threshold.
Route dampening applies only to EBGP routes. IBGP routes, however, cannot be dampened.
Generally, IBGP routes include routes from the local AS, requiring that the forwarding tables
Issue 02 (2013-12-31)

2547

Equipment
8 IP Routing
be the same. In addition, IGP fast convergence aims to achieve information synchronization. If
IBGP routes are dampened, dampening parameters vary on different devices, and the forwarding
tables are inconsistent.
Before configuring BGP route dampening, complete the following task:
l
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ipv4-family unicast

Step 4 Run:
dampening [ half-life-reach reuse suppress ceiling | route-policy route-policyname ] *
BGP route dampening parameters are set.

NOTE
The dampening command takes effect only for EBGP routes.
When you configure BGP route dampening, the values of reuse, suppress, and ceiling should
meet the relationship of reuse<suppress<ceiling.
If routes are differentiated based on policies and the dampening command is run to reference
a route-policy, BGP can use different route dampening parameters to suppress different routes.
----End

After BGP route dampening is configured, you can check whether the configuration is correct.
l
Run the display bgp routing-table flap-info [ regular-expression as-regularexpression | as-path-filter as-path-filter-number | network-address [ { mask | masklength } [ longer-match ] ] ] command to check route flapping statistics.
Run the display bgp routing-table dampened command to check dampened BGP routes.
Run the display bgp routing-table dampening parameter command to check configured
BGP route dampening parameters.
Issue 02 (2013-12-31)

2548

Equipment
8 IP Routing
# Run the display bgp routing-table flap-info command to view BGP route flapping statistics.
For example:
<HUAWEI> display bgp routing-table flap-info
h - history, i - internal, s - suppressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
Network
From
Flaps Duration
d
*>
d
*>
d
d
d
5
1
5
1
5
5
5
129.1.1.0
129.1.1.0
129.1.2.0
129.1.2.0
129.1.3.0
129.1.4.0
129.1.5.0
20.20.200.200
20.20.200.202
20.20.200.200
20.20.200.202
20.20.200.200
20.20.200.200
20.20.200.200
00:00:36
00:04:07
00:00:36
00:04:07
00:00:36
00:00:36
00:00:36
Reuse
00:40:47
00:40:47
00:40:47
00:40:47
00:40:47
Path/Ogn
600i
100?
600i
100?
600i
600i
600i
# Run the display bgp routing-table dampened command to view dampened BGP routes. For
example:
<HUAWEI> display bgp routing-table dampened
Status codes: * - valid, > - best, d - damped
Network
From
d 8.6.244.0/23
223.1.41.247
d 9.17.79.0/24
223.1.41.247
d 9.17.110.0/24
223.1.41.247
d 61.57.144.0/20
223.1.41.247
18429,18429i
d 63.76.216.0/24
223.1.41.247
d 63.78.142.0/24
223.1.41.247
d 63.115.136.0/23
223.1.41.247
d 65.243.170.0/24
223.1.41.247
Reuse
01:06:25
01:06:25
01:06:25
01:06:25
Path/Origin
65534 4837 174 11096 6356i
65534 837 3356 23504 29777i
65534 837 3356 23504 29777i
65534 4837 10026 9924
01:06:25
01:06:25
01:06:25
01:06:25
65534
65534
65534
65534
4837
4837
4837
4837
701
701
701
701
26959i
26959i
26956i
26959i
# Run the display bgp routing-table dampening parameter command to view configured BGP
route dampening parameters. For example:
<HUAWEI> display bgp routing-table dampening parameter
Maximum Suppress Time(in second) : 3973
Ceiling Value
: 16000
Reuse Value
: 750
HalfLife Time(in second)
: 900
Suppress-Limit
: 2000
8.8.14 Configuring a BGP Device to Send a Default Route to Its Peer

After a BGP device is configured to send a default route to its peer, the BGP device sends a
default route with the local address as the next-hop address to a specified peer, regardless of
whether there are default routes in the local routing table. This greatly reduces the number of
routes on the network.
The BGP routing table of a device on a medium or large BGP network contains a large number
of routing entries. Storing the routing table consumes a large number of memory resources, and
transmitting and processing routing information consume lots of network resources. If a device
Issue 02 (2013-12-31)

2549

Equipment
8 IP Routing
needs to send multiple routes to its peer, the device can be configured to send only a default
route with the local address as the next-hop address to its peer, regardless of whether there are
default routes in the local routing table. This greatly reduces the number of routes on the network
and the consumption of memory resources on the peer and network resources.
Figure 8-32 Networking diagram for configuring a BGP device to send a default route to its
peer
20.1.1.0/24
ATNA
192.168.2.2/24
192.168.2.1/24
20.2.1.0/24
ATNB
20.3.1.0/24
On the network shown in Figure 8-32, ATN A and ATN B have established a BGP peer
relationship. ATN B has imported routes to network segments 20.1.1.0/24, 20.2.1.0/24, and
20.3.1.0/24 to its BGP routing table. ATN A needs to learn these routes from ATN B. To reduce
the consumption of memory resources of ATN A and bandwidth used by ATN B for sending
routing information to ATN A, configure ATN B to send a default route to its peer (ATN A)
and use a routing policy to prevent all the routes to network segments 20.1.1.0/24, 20.2.1.0/24,
and 20.3.1.0/24 from being sent to ATN A. Then, ATN A stores only one default route but can
still send traffic to the three network segments.
Before configuring a BGP device to send a default route to its peer, complete the following task:
l
Procedure
Step 1 Run:
system-view

Step 2 Run:

Issue 02 (2013-12-31)

2550

Equipment
8 IP Routing
Step 3 Run:
ipv4-family unicast

Step 4 Run:
peer { group-name | ipv4-address } default-route-advertise [ route-policy routepolicy-name ] [ conditional-route-match-all { ipv4-address1 { mask1 | masklength1 } } &<1-4> | conditional-route-match-any { ipv4-address2 { mask2 | masklength2 } } &<1-4> ]
The device is configured to send a default route to a peer or a peer group.

If route-policy route-policy-name is set, the BGP device changes attributes of a default route
based on the specified route policy.
If conditional-route-match-all { ipv4-address1 { mask1 | mask-length1 } } &<1-4> is set, the
BGP device sends a default route to the peer only when all specified routes exist in the local
routing table.
If conditional-route-match-any { ipv4-address2 { mask2 | mask-length2 } } &<1-4> is set, the
local device sends a default route to the peer when one of the specified routes exists in the local
routing table.
NOTE
After the peer default-route-advertise command is used on a device, the device sends a default route with
the local address as the next-hop address to a specified peer, regardless of whether there is a default route
in the routing table.
----End

After a BGP device is configured to send a default route to a peer, you can check whether the
configuration is correct.
l
Run the display bgp routing-table [ ipv4-address [ mask | mask-length ] ] command on a

peer to check information about a received BGP default route.
# Run the display bgp routing-table command on a peer to view information about a received
BGP default route.
<HUAWEI> display bgp routing-table

Network
NextHop
*>i
*>
*>i
*>i
*>i
*>
Issue 02 (2013-12-31)
0.0.0.0
1.1.1.1/32
4.0.0.0
10.0.0.0
10.2.1.0/24
10.3.1.0/24
10.1.1.2
10.3.1.1
10.2.1.2
10.2.1.2
10.1.1.2
0.0.0.0
10.3.1.1
MED
LocPrf
0
0
0
0
0

100
100
100
PrefVal Path/Ogn
0
0
0
0
0
0
0
i
20?
100?
100?
i
i
20?
2551

Equipment
*>i
*>i
192.168.0.0/16
192.168.15.0
10.2.1.2
10.2.1.2
8 IP Routing
100
100
0
0
100?
100?
8.8.15 Configuring BGP Load Balancing

Configuring BGP load balancing better utilizes network resources and reduces network
congestion.
On large networks, there may be multiple valid routes to the same destination. BGP, however,
advertises only the optimal route to its peers. This may result in unbalanced traffic on different
routes.
The following two methods can be used to address the problem of unbalanced traffic:
l
Use BGP routing policies to allow traffic to be balanced. For example, use a routing policy
to modify the Local_Pref, AS_Path, Origin, and Multi_Exit Discriminator (MED) attributes
of BGP routes to direct traffic to different forwarding paths for load balancing. For details
on how to modify attributes of BGP routes, see Configuring BGP Route Attributes.
Use multiple paths for load balancing. In this method, multiple equal-cost routes need to
be configured for traffic load balancing.
NOTE
Equal-cost BGP routes can be generated for traffic load balancing only when the first 9 route attributes
described in "Principles of Route Selection" in BGP Features Supported by the ATN are the same,
and the AS_Path attributes are also the same.
Before configuring BGP load balancing, complete the following task:
l
Data Preparation
To configure BGP load balancing, you need the following data.
No.
Data
Number of BGP routes to be used for load balancing
Number of EBGP and IBGP routes to be used for load balancing
Procedure
l
Set the number of BGP routes to be used for load balancing.

1.
Run:
system-view

2.
Run:
Issue 02 (2013-12-31)

2552

Equipment
8 IP Routing

3.
Run:
ipv4-family unicast

4.
Run:
maximum load-balancing [ ebgp | ibgp ] number
The number of BGP routes to be used for load balancing is set.

By default, the number of BGP routes to be used for load balancing is 1, meaning that
load balancing is not implemented.
ebgp indicates that load balancing is implemented only among EBGP routes.
ibgp indicates that load balancing is implemented only among IBGP routes.
If neither ebgp nor ibgp is specified, both EBGP and IBGP routes participate in
load balancing, and the number of EBGP routes to be used for load balancing is
the same as the number of IBGP routes to be used for load balancing.
NOTE
The maximum load-balancing number command cannot be configured together with the
maximum load-balancing ebgp number or maximum load-balancing ibgp number
command.
When routes with the same destination addresses carry out load balancing on the public
network, the system determines the type of optimal routes first. If the optimal routes are IBGP
routes, only IBGP routes carry out load balancing. If the optimal routes are EBGP routes, only
EBGP routes carry out load balancing. This means that load balancing cannot be implemented
among IBGP and EBGP routes with the same destination address.
5.
(Optional) Run:
load-balancing as-path-ignore
The ATN is configured not to compare the AS_Path attributes of the routes to be used
for load balancing.
By default, the ATN compares the AS_Path attributes of the routes to be used for load
balancing.
NOTE
l If there are multiple routes to the same destination but these routes pass through different
ASs, load balancing cannot be implemented among these routes by default. To implement
load balancing among these routes, run the load-balancing as-path-ignore command.
After the load-balancing as-path-ignore command is run, the device no longer compares
the AS_Path attributes of the routes to be used for load balancing. Therefore, exercise
caution when using this command.
l The load-balancing as-path-ignore and bestroute as-path-ignore commands are
mutually exclusive.
6.
(Optional) Run:
bestroute igp-metric-ignore
BGP labeled routes can be selected, regardless of their IGP metric values.
By default, BGP labeled routes with the same destination but different next-hop metric
values cannot balance traffic. To enable these routes to balance traffic, run the
bestroute igp-metric-ignore command. After this command is run, routes can be
Issue 02 (2013-12-31)

2553

Equipment
8 IP Routing
selected to balance traffic, regardless of their IGP metric values. Exercise caution
when using this command.
l
Set the maximum number of EBGP and IBGP routes to be used for load balancing.
This configuration is used in a VPN where a CE is dual-homed to two PEs. When the CE
and one PE belong to an AS and the CE and the other PE belong to a different AS, you can
set the number of EBGP and IBGP routes to be used for load balancing. This allows VPN
traffic to be balanced among EBGP and IBGP routes.
1.
Run:
system-view

2.
Run:

3.
Run:
The BGP-VPN instance view is displayed.

4.
Run:
maximum load-balancing eibgp number
The maximum number of EBGP and IBGP routes is set for load balancing.
By default, the maximum number of EBGP and IBGP routes to be used for load
balancing is not set.
5.
(Optional) Run:
load-balancing as-path-ignore
The ATN is configured not to compare the AS_Path attributes of the routes to be used
for load balancing.
By default, the ATN compares the AS_Path attributes of the routes to be used for load
balancing.
NOTE
l After the load-balancing as-path-ignore command is run, the ATN no longer compares
the AS_Path attributes of the routes to be used for load balancing. Therefore, exercise
caution when using this command.
l The load-balancing as-path-ignore and bestroute as-path-ignore commands are
mutually exclusive.
----End

After the BGP load balancing configurations have been configured, you can run the following
commands to check the configurations.
l
Issue 02 (2013-12-31)
2554

Equipment
8 IP Routing
Run the display ip routing-table vpn-instance vpn-instance-name [ verbose ] command

to view the routing table of a VPN instance.
# View the routing table of the VPN instance vpn1. You can see the routes to be used for load
balancing.
<HUAWEI> display ip routing-table vpn-instance vpn1
Destinations : 4
Routes : 6
Destination/Mask
Proto
10.1.1.0/24 IBGP
IBGP
10.2.1.0/24 IBGP
IBGP
10.3.1.0/24 Direct
10.3.1.1/32 Direct
Pre
Cost
Flags NextHop
255
RD
5.5.5.9
255
RD
4.4.4.9
255
RD
4.4.4.9
255
RD
5.5.5.9
10.3.1.1
127.0.0.1
Interface
InLoopBack0
Exception Handling
After the maximum load-balancing number command is run on a device, the device changes
the next hop addresses of the routes received from EBGP peers to the IP address used by the
device to establish a peer relationship with an IBGP peer. Then the device advertises the routes
to the IBGP peer. In Figure 8-33, ATN B is an EBGP peer of ATN A and ATN D, and ATN B
and ATN C are IBGP peers.
Figure 8-33 Networking diagram of configuring BGP load balancing
AS 100
AS 200
10.1.1.1/
1.1.1.9
30
10.1.1.2/
/32
10.1.2.1/
30
ATNA
30
AS 300
4.4.4.9
/32
10.1.3.2/
30
ATND
ATNB 10.1.2.2/ ATNC

10.1.3.1/
30
30
If the maximum load-balancing number command is not run ATN B, ATN B does not change
the next hop addresses of routes received from ATN A and ATN D before advertising the routes
to ATN C. The command output on ATN C is used as an example.
<ATNC> display bgp routing-table
Issue 02 (2013-12-31)

2555

Equipment
8 IP Routing

Network
NextHop
MED
LocPrf
i
i
*>
0
0
0
100
100
1.1.1.9/32
4.4.4.9/32
10.1.2.0/30
10.1.1.1
10.1.3.2
0.0.0.0
PrefVal Path/Ogn
0
0
0
100i
300i
i
After the maximum load-balancing number command is run on ATN B, ATN B changes the
next hop addresses of routes received from ATN A and ATN D to 10.1.2.1 used by ATN B to
establish an IBGP peer relationship with ATN C. Then ATN B advertises the routes to ATN C.
The command output on ATN C is used as an example.

Network
NextHop
MED
LocPrf
*>i
*>i
*>
0
0
0
100
100
1.1.1.9/32
4.4.4.9/32
10.1.2.0/30
10.1.2.1
10.1.2.1
0.0.0.0
PrefVal Path/Ogn
0
0
0
100i
300i
i
The next hop address change may lead to the change of the link along which data packets are
forwarded. In Figure 8-33, if you want to keep the next hop addresses of the routes received
from ATN D before ATN B sends them to ATN C, configure import and export routing policies
on ATN B.
First, configure an import routing policy on ATN B to apply a community attribute to routes
received from ATN D. Second, configure an export routing policy with the community attribute
set in the import routing policy as the filtering condition on ATN B. If a route matches the
filtering condition, ATN B changes the next hop address of the route back to the IP address used
by ATN D to establish an EBGP peer relationship with ATN B. Then, ATN B advertises the
route to ATN C. Detailed configurations are as follows:
bgp 200
ipv4-family unicast
peer 10.1.2.2 route-policy out export
peer 10.1.3.2 route-policy in import
#
route-policy in permit node 10
if-match ip next-hop ip-prefix prefix1
apply community 1:1
#
route-policy in permit node 20
#
route-policy out permit node 10
if-match community-filter filter1
apply ip-address next-hop 10.1.3.2
#
route-policy out permit node 20
#
ip ip-prefix prefix1 index 10 permit 10.1.3.2 32
#
ip community-filter basic filter1 permit 1:1
Issue 02 (2013-12-31)

2556

Equipment
8 IP Routing
After the preceding configurations, ATN B changes the next hop addresses of the routes received
from ATN D back to the IP address (10.1.3.2) used by ATN D to establish an EBGP peer
relationship with ATN B. Then, ATN B advertises the route to ATN C. The command output
on ATN C is used as an example.

Network
NextHop
MED
LocPrf
*>i
i
*>
0
0
0
100
100
1.1.1.9/32
4.4.4.9/32
10.1.2.0/30
10.1.2.1
10.1.3.2
0.0.0.0
PrefVal Path/Ogn
0
0
0
100i
300i
i
8.8.16 Configuring Path MTU Auto Discovery

Path MTU auto discovery allows BGP to discover the smallest MTU value on a path to ensure
that BGP messages satisfy the path MTU requirement. This function improves transmission
efficiency and BGP performance.
The link-layer MTUs of different networks that a communication path traverses vary from each
other. The smallest MTU on the path is the most important factor that influences the
communication between the two ends of the path and is called the path MTU.
The path MTU varies with the selected route and therefore may change. In addition, path MTUs
in the inbound and outbound directions may be inconsistent. The path MTU auto discovery
function is used to find the smallest MTU on the path from the source to the destination. The
path MTU will be used as a basis for IP datagram fragmentation when TCP is used to transmit
BGP messages.
As shown in Figure 8-34, a BGP peer relationship is set up between ATN A and ATN D. BGP
messages are encapsulated into TCP data packets for transmission. The default maximum
segment size (MSS) is 536. Therefore, ATN A sends TCP data packets of the default MSS of
536 to ATN D. As a result, a lot of BGP messages are sliced and packed into different packets,
and the number of ACK packets corresponding to these messages increases, leading to a low
transmission efficiency. Path MTU auto discovery solves this problem. As shown in Figure
8-34, the path MTU between ATN A and ATN D is 1496. To speed up BGP message
transmission and improve BGP performance, configure path MTU auto discovery between
ATN A and ATN D to allow BGP messages to be transmitted based on the MSS of 1496.
Figure 8-34 Networking diagram for path MTU auto discovery
MTU=1500
ATNA
Issue 02 (2013-12-31)
MTU=1496
ATNB
MTU=1500
ATNC

ATND
2557

Equipment
8 IP Routing
Before configuring path MTU auto discovery, complete the following task:
l
Data Preparation
To configure path MTU auto discovery, you need the following data.
No.
Data
(Optional) Aging time of the path MTU
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
peer { group-name | ipv4-address } path-mtu auto-discovery
Path MTU auto discovery is enabled.

By default, path MTU auto discovery is disabled.
After the command is run, a BGP peer learns the path MTU, preventing BGP messages to be
fragmented during transmission.
NOTE
The transmit and receive paths between two BGP peers may be different. Therefore, running this command
on both ends is recommended. It makes both peers exchange messages based on the path MTU.
----End

After configuring path MTU auto discovery, you can run the following commands to check the
l
Run the display bgp peer [ ipv4-address ] verbose command to check whether path MTU
auto discovery has been successfully configured.
# After configuring path MTU auto discovery, view detailed information about the BGP peer at
10.1.1.2.
Issue 02 (2013-12-31)

2558

Equipment
8 IP Routing

Type: IBGP link
Update-group ID: 1
BGP current state: Established, Up for 1d00h25m21s
Port: Local - 179
Remote - 50450
Update messages
0
Open messages
1
KeepAlive messages
1466
0
Refresh messages
0
Update messages
0
Open messages
2
KeepAlive messages
1466
0
Refresh messages
0
Last keepalive sent
: 2012-03-06 19:17:37 UTC-8:00
Last update
received: 2012-03-06 19:17:43 UTC-8:00
Last update
sent
: 2012-03-06 19:17:37 UTC-8:00
Path MTU discovery has been configured
NOTE
The message of Path MTU discovery has been configured will be displayed only after the display bgp
peer ipv4-address verbose command is run on the ATN where path MTU auto discovery has been enabled.
8.8.17 Configuring the BGP Next Hop Delayed Response

Configuring the BGP next hop delayed response can minimize traffic loss during route changes.
Context
Configuring the BGP next hop delayed response can speed up BGP route convergence and
minimize traffic loss.
As shown in Figure 8-35, PE1, PE2, and PE3 are the clients of the RR. CE2 is dual-homed to
PE1 and PE2. PE1 and PE2 advertise their routes to CE2 to the RR. The RR advertises the route
Issue 02 (2013-12-31)

2559

Equipment
8 IP Routing
from PE1 to PE3. PE3 has a route to CE2 only and advertises this route to CE1. After the route
exchange, CE1 and CE2 can communicate. If PE1 fails, PE3 detects that the next hop is
unreachable and instructs CE1 to delete the route to CE2. Traffic is interrupted. After BGP route
convergence is complete, the RR selects the route advertised by PE2 and sends a route update
message to PE3. PE3 then advertises this route to CE1, and traffic forwarding is restored to the
normal state. A high volume of traffic will be lost during traffic interruption because BGP route
convergence is rather slow.
If the BGP next hop delayed response is enabled on PE3, PE3 does not reselect a route or instruct
CE1 to delete the route to CE2 immediately after detecting that the route to PE1 is unreachable.
After BGP convergence is complete, the RR selects the route advertised by PE2 and sends the
route to PE3. PE3 then reselects a route and sends a route update message to CE1. Traffic
forwarding is restored to the normal state. After the BGP next hop delayed response is enabled
on PE3, PE3 does not need to delete the route or instruct CE1 to delete the route. This delayed
response speeds up BGP route convergence and minimizes traffic loss.
Figure 8-35 Networking diagram for configuring the BGP next hop delayed response
CE1
PE3
PE1
CE2
RR
PE2
The BGP next hop delayed response applies to a scenario where the next hop has multiple links
to reach the same destination. If there is only one link between the next hop and the destination,
configuring the BGP next hop delayed response may cause heavier traffic loss when the link
fails because link switching is impossible.
Before configuring the BGP next hop delayed response, complete the following task:
l
Issue 02 (2013-12-31)

2560

Equipment
8 IP Routing
Data Preparation
To configure the BGP next hop delayed response, you need the following data.
No.
Data
Delay in responding to changes of the next hop
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
nexthop recursive-lookup delay [ delay-time ]
A delay in responding to a next hop change is set.

The default delay time is 5 seconds.
NOTE
BGP route convergence depends on IGP route convergence. If IGP route convergence is quick, the default
delay time does not need to be changed. If IGP route convergence is slow, setting a delay time longer than
IGP route convergence time is recommended.
----End

After configuring the BGP next hop delayed response, you can run the following command to
check the previous configuration.
l
Run the display current-configuration configuration bgp | include nexthop recursivelookup delay command to view information about the delay in responding to a next hop
change.
Run the display current-configuration configuration bgp | include nexthop recursivelookup non-critical-event delay command to view information about the delay in
responding to non-urgent next hop changes.
# Display the delay in responding to a next hop change.

<HUAWEI> display current-configuration configuration bgp | include nexthop
recursive-lookup delay
nexthop recursive-lookup delay 20
# Display the delay in responding to non-urgent next hop changes.

<HUAWEI> display current-configuration configuration bgp | include nexthop
recursive-lookup non-critical-event delay
Issue 02 (2013-12-31)

2561

Equipment
8 IP Routing
nexthop recursive-lookup non-critical-event delay 25
8.8.18 Configuring BFD for BGP

BFD for BGP speeds up fault detection and therefore increases the route convergence speed.
Usage Scenario
As technologies develop, voice and video services are widely applied. These services are
sensitive to the packet loss and delay. BGP periodically sends Keepalive packets to its peers to
detect the status of its peers. The detection mechanism, however, takes more than one second.
When the data transmission rate reaches the level of Gbit/s, such slow detection will cause a
large amount of data to be lost. As a result, the requirement for high reliability of carrier-class
networks cannot be met.
BFD for BGP can be used to reduce packet loss and delay. BFD for BGP detects faults on links
between BGP peers within 50 milliseconds. The fast detection speed ensures fast BGP route
convergence and minimizes traffic loss.
Before configuring BFD for BGP, configure basic BGP functions.
Data Preparation
To configure BFD for BGP, you need the following data.
No.
Data
IP address of the BGP peer or name of the peer group for which BFD needs to be
configured
BFD parameters, including the minimum and maximum intervals for receiving BFD
packets, Wait-to-Restore (WTR) time of a BFD session, and the detection multiplier
Name of the VPN instance for which BFD needs to be configured
Procedure
Step 1 Run:
system-view

Step 2 Run:
bfd

Step 3 Run:
quit

Issue 02 (2013-12-31)

2562

Equipment
8 IP Routing
Step 4 Run:


NOTE
BFD for BGP can be configured for the VPN in this view. To configure BFD for BGP for the public
network, skip this step.

peer { group-name | ipv4-address } bfd { min-tx-interval min-tx-interval | min-rxinterval min-rx-interval | detect-multiplier multiplier | wtr wtr-value } *

NOTE
The BFD parameters of peers take precedence over those of peer groups. If BFD parameters are configured
on peers, they will be used in BFD session establishment.
The default interval for transmitting BFD packets and the default detection multiplier are
recommended. When changing the default values, pay attention to the network status and the
network reliability requirement. A short interval for transmitting BFD packets can be configured
for a link that has a higher reliability requirement. A long interval for transmitting BFD packets
can be configured for a link that has a lower reliability requirement.
NOTE
There are three formulas: Actual interval for the local device to send BFD packets = max {Locally
configured interval for transmitting BFD packets, Remotely configured interval for receiving BFD
packets}, Actual interval for the local device to receive BFD packets = max {Remotely configured interval
for transmitting BFD packets, Locally configured interval for receiving BFD packets}, and Local detection
period = Actual interval for receiving BFD packets x Remotely configured BFD detection multiplier.
For example:
l On the local device, the configured interval for transmitting BFD packets is 200 ms, the interval for
receiving BFD packets is 300 ms, and the detection multiplier is 4.
l On the peer device, the configured interval for transmitting BFD packets is 100 ms, the interval for
receiving BFD packets is 600 ms, and the detection multiplier is 5.
Then:
l On the local device, the actual interval for transmitting BFD packets is 600 ms calculated by using the
formula max {200 ms, 600 ms}; the interval for receiving BFD packets is 300 ms calculated by using
the formula max {100 ms, 300 ms}; the detection period is 1500 ms calculated by multiplying 300 ms
by 5.
l On the peer device, the actual interval for transmitting BFD packets is 300 ms calculated by using the
formula max {100 ms, 300 ms}; the interval for receiving BFD packets is 600 ms calculated by using
the formula max {200 ms, 600 ms}; the detection period is 2400 ms calculated by multiplying 600 ms
by 4.
wtr wtr-value can be specified in the command to suppress frequent BFD and BGP session
flapping caused by link flapping. If a BFD session over a link goes Down, it does not go Up
immediately after the link recovers. Instead, the BFD session waits for the WTR timer to expire
before going Up. If the link fails again before the WTR timer expires, BFD does not send a link
fault message to BGP, and the BGP session status is stabilized.
Issue 02 (2013-12-31)

2563

Equipment
8 IP Routing
The default value of wtr-value is 0, which means that the WTR timer will not be started.
Step 7 Run:
peer { group-name | ipv4-address } bfd enable [ single-hop-prefer ]
BFD is enabled for the peer or peer group, and a BFD session is established using default
parameters.
single-hop-prefer takes effect only on IBGP peers. By default, if single-hop-prefer is not
specified, multi-hop sessions are established between direct IBGP peers (Huawei devices). To
interconnect a Huawei device and a non-Huawei device that defaults the sessions between IBGP
peers to single-hop, configure single-hop-prefer in the command.
After BFD is enabled for a peer group, BFD sessions will be created on the peers that belong to
this peer group and are not configured with the peer bfd block command.
peer ipv4-address bfd block
A peer is prevented from inheriting the BFD function of the peer group to which it belongs.
If a peer joins a peer group enabled with BFD, the peer inherits the BFD configuration of the
group and creates a BFD session. To prevent the peer from inheriting the BFD function of the
peer group, perform this step.
NOTE
The peer bfd block command and the peer bfd enable command are mutually exclusive. After the peer
bfd block command is run, the BFD session is automatically deleted.
----End

After configuring BFD for BGP, you can run the following command to check the
configurations.
l
Run the display bgp bfd session { [ vpnv4 vpn-instance vpn-instance-name ] peer ipv4address | all } command to check information about the BFD session between BGP peers.
# View information about the BFD session between BGP peers.

<HUAWEI> display bgp
Local_Address
10.1.1.1
Tx-interval(ms)
100
Wtr-interval(m)
0
bfd session peer 10.1.1.2

Peer_Address
LD/RD
10.1.1.2
8192/8192
Rx-interval(ms)
Multiplier
100
3
Interface
Session-State
Up
8.8.19 Configuring BGP Auto FRR

Border Gateway Protocol (BGP) Auto fast reroute (FRR), a protection measure against link
faults, applies to the network topology with both primary and backup links. It can be configured
for services that are sensitive to packet loss and delay.
Issue 02 (2013-12-31)

2564

Equipment
8 IP Routing
As networks evolve continuously, voice, on-line video, and financial services raise increasingly
high requirements for real-time performance. Usually, primary and backup links are deployed
on a network to ensure the stability of these services.
In a traditional forwarding mode, the ATN selects an optimal route out of several routes destined
for the same network and delivers the optimal route to the FIB table for data forwarding. If the
optimal route fails, the ATN can reselect an optimal route only after routes are converged. During
this period, services are interrupted. After the ATN delivers the reselected optimal route to the
FIB table, services are restored. Service interruption in this mode lasts a long time, which cannot
meet service requirements.
After BGP Auto FRR is enabled on the ATN, the ATN selects an optimal route from the routes
destined for the same network. In addition, the ATN automatically adds information about the
second optimal route to the backup forwarding entries of the optimal route and delivers the
backup forwarding entries to the FIB table. If the primary link fails, the ATN switches traffic to
the backup link immediately. The switchover completes within sub-seconds because it does not
depend on route convergence.
Before configuring BGP Auto FRR, configure basic BGP Functions.
Data Preparation
To configure BGP Auto FRR, you need the following data.
No.
Data
IP address family for which BGP Auto FRR needs to be configured
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
ipv4-family unicast
The BGP IPv4 unicast address family view is displayed.

Step 4 Run:
auto-frr
BGP Auto FRR for unicast routes is enabled.

Issue 02 (2013-12-31)

2565

Equipment
8 IP Routing
By default, BGP Auto FRR is disabled for unicast routes.

NOTE
On a network with both primary and backup links, the ATN may also use IP FRR for link protection. BGP
Auto FRR takes effect on a BGP route only when the route fails to match the routing policy specified in
the ip frr command run in the system view because IP FRR takes precedence over BGP Auto FRR.
Step 5 (Optional) Prevent path-switchover-triggered packet loss.

In a BGP Auto FRR scenario, if the device on which FRR is configured completes refreshing
forwarding entries before the intermediate device on the primary path does after the primary
path recovers, traffic may be lost after it switches back to the primary path. The severity of packet
loss is proportional to the number of routes stored on the intermediate device. To solve this
problem, perform any of the following operations to prevent path-switchover-triggered packet
loss:
l In the BGP view of the intermediate device on the primary path, run:
out-delay delay-value
A delay for sending Update packets to all BGP peers is configured. An appropriate delay
ensures that traffic switches back to the primary path after the intermediate device on the
primary path completes refreshing forwarding entries.
The delay-value value is an integer ranging from 0 to 3600, in seconds. The default delayvalue value is 0, indicating that the intermediate device on the primary path sends Update
packets without a delay. The delay-value value is inversely proportional to the route
convergence performance of the device on which FRR is configured.
l In the BGP view or BGP-IPv4 unicast address family view of the intermediate device on the
primary path, run:
peer { group-name | ipv4-address } out-delay delay-value
A delay for sending Update packets is configured. An appropriate delay ensures that traffic
switches back to the primary path after the intermediate device on the primary path completes
refreshing forwarding entries.
The delay-value value is an integer ranging from 0 to 3600, in seconds. The default delayvalue value is 0, indicating that the intermediate device on the primary path sends Update
packets without a delay. The delay-value value is inversely proportional to the route
convergence performance of the device on which FRR is configured.
l In the BGP view or BGP-IPv4 unicast address family view of the device on which FRR is
configured, run:
route-select delay delay-value
A delay for selecting a route to the intermediate device on the primary path is configured.
An appropriate delay ensures that traffic switches back to the primary path after the
intermediate device completes refreshing forwarding entries.
The delay-value value is an integer ranging from 0 to 3600, in seconds. The default delayvalue value is 0, indicating that the device on which FRR is configured selects a route to the
intermediate device on the primary path without a delay.
----End

After configuring BGP Auto FRR, you can run the following commands to check the
configurations.
Issue 02 (2013-12-31)

2566

Equipment
8 IP Routing
Run the display bgp routing-table [ network [ { mask | mask-length } [ longerprefixes ] ] ] command to check information in a BGP routing table.
Run the display ip routing-table [ ip-address [ mask | mask-length ] [ longer-match ] ]

verbose command to check backup forwarding entries in an IP routing table.
# Run the display bgp routing-table ip-address mask-length longer-prefixes command. The
command output shows that there are two next hops destined for 4.4.4.4/32. The route with next
hop 10.1.1.2 has a smaller MED value and therefore becomes the optimal route.
<HUAWEI> display bgp routing-table 4.4.4.4 32 longer-prefixes
*>
*
Network
NextHop
4.4.4.4/32
4.4.4.4/32
10.1.1.2
10.2.1.2
MED
LocPrf
80
120
PrefVal Path/Ogn
0
0
200i
200i
# Run the display ip routing-table ip-address mask-length verbose command. The command
output shows that there are two next hops destined for 4.4.4.4/32 and that 10.2.1.2 is the backup
next hop.
<HUAWEI> display ip routing-table 4.4.4.4 32 verbose
Summary Count : 1
Protocol: EBGP
Process ID: 0
Preference: 255
Cost: 80
NextHop: 10.1.1.2
Neighbour: 10.1.1.2
State: Active Adv
Age: 00h05m41s
Tag: 0
Priority: low
Label: NULL
QoSInfo: 0x0
IndirectID: 0x2
Interface: GE0/2/1
TunnelID: 0x0
Flags: D
BkNextHop: 10.2.1.2
BkInterface: GE0/2/2
BkLabel: NULL
SecTunnelID: 0x0
BkPETunnelID: 0x0
BkPESecTunnelID: 0x0
BkIndirectID: 0x1
8.8.20 Configuring BGP GR

BGP GR can be configured to avoid traffic interruption due to protocol restart.
Before You Start

Before configuring BGP GR, familiarize yourself with the usage scenario, complete the preconfiguration tasks, and obtain the data required for the configuration.
BGP restart causes peer relationship reestablishment and traffic interruption. After GR is
enabled, traffic interruption can be prevented in the event of BGP restart.
Issue 02 (2013-12-31)

2567

Equipment
8 IP Routing
The following roles are involved in BGP GR:

l
GR restarter: is a device that is restarted by the administrator or in the case of a failure. The
GR restarter must be a GR-capable device.
GR helper: is a neighbor of the GR restarter. The GR helper must also have the GR
capability.
Before configuring BGP GR, complete the following task:
l
Data Preparation
To configure BGP GR, you need the following data.
No.
Data
BGP AS number
Maximum period of time for reestablishing a BGP session
Period of time for waiting for End-Of-RIB messages
Enabling BGP GR
Enabling or disabling BGP GR may delete and re-establish all BGP sessions and instances.
Context
A GR-capable device can establish GR sessions with a GR-capable neighbor. By controlling the
session negotiation mechanism of BGP, the GR restarter and the GR helper can understand each
other's GR capability. When detecting the restart of the GR restarter, the GR helper does not
delete the routing and forwarding entries related to the GR restarter, but waits to re-establish a
BGP connection with the GR restarter. After establishing a new BGP connection, the GR
restarter and the GR helper update BGP routes.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
graceful-restart
BGP GR is enabled.
Issue 02 (2013-12-31)

2568

Equipment
8 IP Routing
By default, BGP GR is disabled.

graceful-restart peer-reset
The ATN is enabled to reset a BGP session in GR mode.

Currently, BGP does not support dynamic capability negotiation. Therefore, each time a new
BGP capability is enabled on a ATN, the BGP speaker tears down existing sessions with its peer
and renegotiates BGP capabilities. This process will interrupt ongoing services. To prevent the
service interruptions, run the graceful-restart peer-reset command to enable the ATN to reset
a BGP session in GR mode. Then, the ATN will not delete routing entries for existing sessions
when a new BGP capability is enabled.
----End
Configuring Parameters for a BGP GR Session

BGP GR session parameter values can be adjusted as needed, but default values are
recommended. Changing the BGP restart period reestablishes BGP peer relationships.
Context
GR time is the period of time during which the GR helper retains the forwarding information
after having found the GR restarter Down. If the GR helper finds that the GR restarter goes
Down, the GR helper keeps the topology information or routes learned from the GR restarter
till the GR time expires.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
graceful-restart timer restart time
The maximum period of time used for reestablishing a BGP session is set.
The restart period of the ATN is the maximum waiting period from the time when the GR helper
discovers that the GR restarter restarts to the time when the BGP session is reestablished. By
default, the restart period is 150 seconds.
NOTE
Changing the BGP restart period reestablishes BGP peer relationships.
Step 4 Run:
graceful-restart timer wait-for-rib time
The length of time the GR restarter and GR helper wait for End-of-RIB messages is set.
Issue 02 (2013-12-31)

2569

Equipment
8 IP Routing
By default, the time for waiting for End-Of-RIB messages is 600s.

NOTE
You can adjust BGP GR session parameter values as needed, but default values are recommended.
----End

After BGP GR is configured, you can view the BGP GR status.
Prerequisites
The BGP GR configurations have been configured.
Procedure
l
Run the display bgp peer verbose command to check the BGP GR status.
----End
Example
# Run the display bgp peer ipv4-address verbose command to view the BGP GR status. For
example:
Type: IBGP link
Update-group ID: 1
BGP current event: RecvUpdate
Port: Local - 179
Remote - 52510
Graceful Restart Capability: advertised and received
Restart Timer Value received from Peer: 150 seconds
Address families preserved for peer in GR:
IPv4 Unicast (was preserved)
Update messages
1
Open messages
1
KeepAlive messages
1
0
Refresh messages
0
Update messages
2
Open messages
2
KeepAlive messages
1
0
Issue 02 (2013-12-31)

2570

Equipment
8 IP Routing
Refresh messages
0
Last keepalive sent
: 2012-03-06 19:17:37 UTC-8:00
Last update
received: 2012-03-06 19:17:43 UTC-8:00
Last update
sent
: 2012-03-06 19:17:37 UTC-8:00
8.8.21 Configuring BGP Security

Authentication can be implemented during the establishment of a TCP connection to enhance
BGP security.

Before configuring BGP security, familiarize yourself with the applicable environment,
will help you complete the configuration task quickly and efficiently.
MD5 authentication, or keychain authentication can be configured on a BGP network to enhance
BGP security.
l
MD5 authentication
BGP uses TCP as the transport protocol and considers a packet valid as long as the source
address, destination address, source port, destination port, and TCP sequence number of
the packet are correct. Most parameters in a packet can be easily obtained by attackers. To
protect BGP against attacks, MD5 authentication can be used during TCP connection
establishment between BGP peers to reduce the possibility of attacks.
To prevent the MD5 password set on a BGP peer from being decrypted, you need to update
the MD5 password periodically.
Keychain authentication
A keychain consists of multiple authentication keys, each of which contains an ID and a
password. Each key has a lifecycle. Based on the life cycle of a key, you can dynamically
select different authentication keys from the keychain. After keychains with the same rules
are configured on the two ends of a BGP connection, the keychains can dynamically select
authentication keys to enhance BGP attack defense.
Before configuring BGP security, complete the following task:
l
Data Preparation
To configure BGP security, you need the following data.
Issue 02 (2013-12-31)

2571

Equipment
No.
Data
Each ATN's peer address or peer group name
MD5 authentication password
Keychain authentication name
8 IP Routing
Configuring MD5 Authentication

In BGP, MD5 authentication sets an MD5 authentication password for a TCP connection, and
is performed by TCP. If authentication fails, no TCP connection will be established.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
peer { ipv4-address | group-name } password { cipher cipher-password | simple
simple-password }
An MD5 authentication password is set.

An MD5 authentication password can be set either in cipher or plain text.
l cipher cipher-password indicates that a password is recorded in cipher text. This means that
a password is encrypted using a special algorithm and then recorded in a configuration file.
l simple simple-password indicates that a password is recorded in plain text. This means that
a password is directly recorded in a configuration file.
NOTE
When configuring an authentication password, select the ciphertext mode because the password is saved
in configuration files in plaintext if you select simple mode, which has a high risk. To ensure device security,
change the password periodically.
The peer password command run in the BGP view is also applicable to the BGP-VPNv4 address family
view, because both BGP and BGP-VPNv4 use the same TCP connection.
----End
Configuring Keychain Authentication

Keychain authentication needs to be configured on two devices that establish a BGP peer
relationship. The encryption algorithms and passwords for keychain authentication on both peers
must be the same. This allows the peers to establish a TCP connection to exchange BGP packets.
Issue 02 (2013-12-31)

2572

Equipment
8 IP Routing
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
peer { ipv4-address | group-name } keychain keychain-name
Keychain authentication is configured.

Keychain authentication needs to be configured on two devices that establish a BGP peer
relationship. The encryption algorithms and passwords for keychain authentication on both peers
must be the same. This allows the peers to establish a TCP connection to exchange BGP packets.
Before configuring BGP keychain authentication, ensure that the keychain specified by
keychain-name has been configured. Otherwise, no TCP connection can be set up between two
BGP peers.
NOTE
l The peer keychain command run in the BGP view is also applicable to the BGP-VPNv4 address family
view, because both BGP and BGP-VPNv4 use the same TCP connection.
l BGP MD5 authentication and BGP keychain authentication are mutually exclusive.
----End

After configuring BGP security, you can view authentication information about BGP peers.
Prerequisites
The BGP security configurations are complete.
Procedure
l
about MD5 and keychain authentication on BGP peers.
----End
Example
# Run the display bgp peer ipv4-address verbose command to view detailed information about
MD5 authentication on BGP peers. For example:
Type: EBGP link
Issue 02 (2013-12-31)

2573

Equipment
8 IP Routing
Update-group ID: 2
Port: Local - 50505
Remote - 179
Update messages
1
Open messages
1
KeepAlive messages
3
0
Refresh messages
0
Update messages
0
Open messages
1
KeepAlive messages
3
0
Refresh messages
0
Authentication type configured: MD5
Last keepalive received: 2011/04/14 17:11:05 UTC-08:00
# Run the display bgp peer ipv4-address verbose command to view detailed information about
keychain authentication on BGP peers. For example:
Type: EBGP link
Update-group ID: 1
BGP current state: Idle
BGP current event: Stop
BGP last state: Active
Update messages
0
Open messages
0
KeepAlive messages
0
0
Refresh messages
0
Update messages
0
Open messages
0
KeepAlive messages
0
0
Refresh messages
0
Authentication type configured: Keychain(key)
Issue 02 (2013-12-31)

2574

Equipment
8 IP Routing

8.8.22 Maintaining BGP

Maintaining BGP involves resetting a BGP connection and clearing BGP statistics.
Resetting BGP Connections

Resetting a BGP connection will interrupt the peer relationship. You can also reset BGP in GR
mode.
Context
NOTICE
The BGP peer relationship is interrupted after you reset BGP connections with the reset bgp
command. Exercise cautions when running this command.
To reset a BGP session in GR mode, run the reset bgp command with the graceful parameter
specified and run the graceful-restart peer-reset command. If the graceful parameter is not
specified in the reset bgp command or if the graceful-restart peer-reset command is not run,
the GR reset mode does not take effect, so that routing entries will be deleted for existing sessions,
interrupting services. The services will be restored after the BGP peer relationship is
reestablished.
When the BGP routing policy on the ATN that does not support Route-refresh changes, you
need to reset BGP connections to validate the configuration. To reset BGP connections, run the
following reset commands in the user view.
Procedure
l
To validate the new configurations, run the reset bgp all [ graceful ] command in the user
view to reset all BGP connections.
To validate the new configurations, run the reset bgp { as-number-plain | as-numberdot } [ graceful ] command in the user view to reset the BGP connection between the
specified AS.
To validate the new configurations, run the reset bgp ipv4-address [ graceful ] command
in the user view to reset the BGP connection between a specified peer.
To validate the new configurations, run the reset bgp external [ graceful ] command in
the user view to reset all the EBGP connections.
To validate the new configurations, run the reset bgp group group-name [ graceful ]
command in the user view to reset the BGP connection with the specified peer-groups.
To validate the new configurations, run the reset bgp internal [ graceful ] command in
the user view to reset all IBGP connections.
----End
Issue 02 (2013-12-31)

2575

Equipment
8 IP Routing
Clearing BGP Information

This section describes how to clear the statistics of BGP accounting, flapped routes, and
suppressed routes.
Context
NOTICE
BGP statistics cannot be restored after being cleared. Exercise caution when running this
command.
Procedure
l
Run the reset bgp flap-info [ regexp as-path-regexp | as-path-filter | ipv4-address

[ mask | mask-length ] ] command in the user view to clear the statistics of flapped routes.
Run the reset bgp dampening [ ipv4-address [ mask | mask-length ] ] command in the user
view to clear the dampened routes and advertise the suppressed routes.
Run the reset bgp ipv4-address flap-info command in the user view to clear the statistics
of route flapping.
----End
8.8.23 Applying BGP AS_Path Regular Expressions

A regular expression is a string of characters that define a rule, against which other strings of
characters are matched. For example, you can define an As_Path regular expression for an
AS_Path Filter and match the AS_Path information carried in BGP routes against the expression
to filter the BGP routes.
AS_Path Components
An AS_Path consists of one or more AS_Path components. The components are expressed using
binary numbers, parentheses "( )", brackets "[ ]", braces "{ }", and spaces. The AS_Path
components are as follows:
l
AS_Sequence: records in reverse order all the numbers of the ASs through which a route
passes from the local device to the destination.
AS_Set: records without an order all the numbers of the ASs through which a route passes
from the local device to the destination. In most cases, AS_Set is used after route
summarization because BGP speakers do not know the actual sequence of ASs through
which the specific routes pass. During route selection, a router considers that AS_Set carries
only one AS number regardless of the actual number of ASs.
AS_Confed_Sequence: records in reverse order all the numbers of the sub-ASs within a
BGP confederation through which a route passes from the local device to the destination.
AS_Confed_Set: records without an order all the numbers of the sub-ASs within a BGP
confederation through which a route passes from the local device to the destination.
Issue 02 (2013-12-31)

2576

Equipment
8 IP Routing
Figure 8-36 shows the complete format of an AS_Path in a BGP routing table.
Figure 8-36 Format of AS_Path in a BGP routing table
AS_Path: (65001 65003) [65002 65004] 100 200 300 {400 500}
AS_Confed_Sequence
AS_Set
AS_Confed_Set
AS_Sequence
AS_Path Regular Expressions

An AS_Path filter uses a regular expression to define matching rules. A regular expression
consists of the following parts:
l
Metacharacter: defines matching rules.
General character: defines matching objects.
Table 8-5 lists metacharacters supported by BGP AS_Path regular expressions.

Table 8-5 Metacharacters supported by BGP AS_Path regular expressions
Meta
chara
cter
Description
Example
Matches AS_Paths with any

single character except "\n",
including spaces.
.* matches any AS_Path or route.
Matches AS_Paths with 0 or

more sequences of the
character before the asterisk
"*".
See the preceding example.
Matches AS_Paths with 1 or

more sequences of the
character before the plus "+".
65+ matches AS_Paths that begin with 6 and include

one 5 or consecutive 5s.
NOTE
If you have configured a rule in deny mode for an AS_Path
filter, run the ip as-path-filter as-path-filter-name
permit .* command so that other routes will not be
discarded.
l AS_Path examples that 65+ matches: 65, 655,

6559, 65259, and 65529
l AS_Path examples that 65+ does not match: 56,
556, 5669, 55269, 56259, and 56259
Issue 02 (2013-12-31)
Matches any AS_Path with

characters on either side of
the vertical bar "|".
100|65002|65003 matches 100, 65002, or 65003.

2577

Equipment
8 IP Routing
Meta
chara
cter
Description
Example
Matches AS_Paths
beginning with the characters
that follow the caret "^".
^65 matches AS_Paths beginning with 65.

l AS_Path examples that ^65 matches: 65, 651,
6501, and 65001
l AS_Path examples that ^65 does not match: 165,
1650, 6650, and 60065
Matches AS_Paths ending

with the characters before the
dollar sign "$".
65$ matches AS_Paths ending with 65.

l AS_Path examples that 65$ matches: 65, 165,
1065, 10065, and 60065
l AS_Path examples that 65$ does not match: 651,
1650, 6650, 60650, and 65001
NOTE
^$ matches null strings of characters (null AS_Path) and
can be used to match the locally generated routes.
(xyz)
Matches AS_Paths with the

characters in the parentheses
as a whole. (xyz) is used with
the vertical bar "|" in most
cases.
(123) matches 123.
[xyz]

character in the brackets "[ ]".
[896] matches AS_Paths with 8, 9, or 6, such as 6,

8, 9, 18, 89, 96, 109, 9986, 65001, 1.6, and 8.9.
[^xyz]

character except those in the
brackets "[ ]".
[^896] matches AS_Paths with any character except

8, 9, and 6.
(8|9|67) matches 8, 9, or 67.
l AS_Path examples that [^896] matches: 3, 18,

109, 9867, 65001, 1.6, and 8.9.
l AS_Path examples that [^896] does not match:
6, 8, 9, 89, 96, 698, 986, 9986, and 66899.
[a-z]
[â-z]
Issue 02 (2013-12-31)

character within the range
specified in the brackets "[ ]".
[2-4] matches 2, 3, and 4, and [0-9] matches numbers

from 0 to 9.
Matches AS_Paths without

any character within the
range specified in the
brackets "[ ]".
[^2-4] matches AS_Paths without 2, 3, or 4, and

[^0-9] matches AS_Paths without numbers from 0
to 9.
NOTE
The characters in the brackets "[ ]" can only be numbers
from 0 to 9. To match AS_Paths within the range from 735
to 907, use (73[5-9]|7[4-9][0-9]|8[0-9][0-9]|90[0-7]).

2578

Equipment
8 IP Routing
Meta
chara
cter
Description
Example
Matches AS_Paths with a

sign, such as a comma ",", left
brace "{", right brace "}", left
parenthesis "(", right
parenthesis ")", or space. The
underscore "_" can be used at
the beginning of a regular
expression with the same
function as the caret "^" or at
the end of a regular
expression with the same
function as the dollar sign
"$".
l ^65001_ matches AS_Paths that begin with

65001 followed by a sign. Specifically, ^65001_
matches AS_Paths with 65001 as the leftmost
AS number (the number of the last AS through
which a route passes) or the routes sent by peers
in AS 65001.
Indicates an escape
character.
A backslash "\" is used to disable special functions

of signs in regular expressions, such as the left
parenthesis "(" and right parenthesis ")" in an
AS_Confed_Sequence, the left bracket "[" and right
bracket "]" in an AS_Confed_Set, and the left brace
"{" and right brace "}" in an AS_Set.
l _65001_ matches AS_Paths with 65001 or

routes that pass through AS 65001.
l _65001$ matches AS_Paths that end with a sign
followed by 65001. Specifically, _65001$
matches AS_Paths with 65001 as the rightmost
AS number (the number of the first AS through
which a route passes) or the routes that originate
in AS 65001.
l $65002_ matches AS_Confed_Sequences that

begin with (65002 followed by a sign.
Specifically, \(65002_ matches AS_Confed_Sequences with 65002 as the leftmost AS number
(the number of the last AS through which a route
passes) or the routes sent by peers in AS 65002.
l \(.*_65003_.*$ matches AS_Confed_Sequences with 65003 or routes that pass through AS
65003.
l _65004\) matches AS_Confed_Sequences that
end with a sign followed by 65004). Specifically,
_65004\) matches AS_Confed_Sequences with
65004 as the rightmost AS number (the number
of the first AS through which a route passes) or
the routes that originate in AS 65004. _65004\)
and 65004\) have the same function.
Multiple rules (permit or deny) can be specified in a filter. The relationship between theses rules
is "OR", which means that if a route meets one of the matching rules, the route matches the
AS_Path filter. The following part demonstrates the functions of AS_Path filters in different
scenarios.
Issue 02 (2013-12-31)

2579

Equipment
8 IP Routing
Common Application Scenario

In Figure 8-37, EBGP peer relationships are established between ATN A and ATN B, between
ATN A and ATN C, between ATN B and ATN C, between ATN B and ATN D, between
ATN C and ATN D, and between ATN D and ATN E.
Figure 8-37 Typical BGP networking
2.2.2.7/32
AS 65121
AS 65001
ATN A
AS 65011
1.1.1.9/32
AS 65101
ATN B
ATN C
AS 300
ATN D
ATN E
2.2.2.9/32
3.3.3.9/32
2.2.2.8/32
Before an AS_Path filter is configured on ATN A, the BGP routing table on ATN A is as follows:
[ATNA] display bgp routing-table

Network
NextHop
*>
*>
*
*>
*
*>
*
*>
300i
*
300i
1.1.1.9/32
2.2.2.7/32
2.2.2.8/32
2.2.2.9/32
3.3.3.9/32
0.0.0.0
10.1.1.2
10.1.2.2
10.1.2.2
10.1.1.2
10.1.1.2
10.1.2.2
10.1.1.2
MED
LocPrf
0
0
0
10.1.2.2
PrefVal Path/Ogn
0
0
0
0
0
0
0
0
i
65001i
65011 65001i
65011i
65001 65011i
65001 65101i
65011 65101i
65001 65101
65011 65101
Case 1: Configure an AS_Path filter named s1 and allow ATN A to accept only routes that
originate in AS 300.
[ATNA] ip as-path-filter s1 permit _300
Issue 02 (2013-12-31)

2580

Equipment
8 IP Routing
[ATNA] display bgp routing-table as-path-filter s1


Network
NextHop
*>
300i
*
300i
3.3.3.9/32
MED
LocPrf
PrefVal Path/Ogn
10.1.1.2
65001 65101
10.1.2.2
65011 65101
The preceding command output shows that the BGP routing table contains only routes that
originate in AS 300.
Case 2: Configure an AS_Path filter named s2 and allow ATN A to accept all routes except those
that originate in AS 300.
[ATNA] ip as-path-filter s2 deny _300
[ATNA] ip as-path-filter s2 permit .*

Network
NextHop
*>
*>
*
*>
*
*>
*
1.1.1.9/32
2.2.2.7/32
2.2.2.8/32
2.2.2.9/32
0.0.0.0
10.1.1.2
10.1.2.2
10.1.2.2
10.1.1.2
10.1.1.2
10.1.2.2
MED
LocPrf
0
0
PrefVal Path/Ogn
0
0
0
0
0
0
0
i
65001i
65011 65001i
65011i
65001 65011i
65001 65101i
65011 65101i
The preceding command output shows that the BGP routing table contains all routes except
those that originate in AS 300.
Case 3: Configure an AS_Path filter named s3 and allow ATN A to discard routes that pass
through AS 65101.
[ATNA] ip as-path-filter s3 deny _65101_

Network
NextHop
*>
*>
*
*>
*
Issue 02 (2013-12-31)
1.1.1.9/32
2.2.2.7/32
2.2.2.8/32
0.0.0.0
10.1.1.2
10.1.2.2
10.1.2.2
10.1.1.2
MED
LocPrf
0
0
0

PrefVal Path/Ogn
0
0
0
0
0
i
65001i
65011 65001i
65011i
65001 65011i
2581

Equipment
8 IP Routing
those that pass through AS 65101.
through intermediate AS 65101.
[ATNA] ip as-path-filter s4 deny ._65101_.

Network
NextHop
*>
*>
*
*>
*
*>
*
1.1.1.9/32
2.2.2.7/32
2.2.2.8/32
2.2.2.9/32
0.0.0.0
10.1.1.2
10.1.2.2
10.1.2.2
10.1.1.2
10.1.1.2
10.1.2.2
MED
LocPrf
0
0
PrefVal Path/Ogn
0
0
0
0
0
0
0
i
65001i
65011 65001i
65011i
65001 65011i
65001 65101i
65011 65101i
those that pass through intermediate AS 65101.
Case 5: Configure an AS_Path filter named s5 and allow ATN A to accept only locally generated
routes.
[ATNA] ip as-path-filter s5 permit ^$

Network
NextHop
*>
1.1.1.9/32
0.0.0.0
MED
LocPrf
PrefVal Path/Ogn
0
The preceding command output shows that the BGP routing table contains only locally generated
routes.
Case 6: Configure an AS_Path filter named s6 and allow ATN A to accept routes that originate
in AS 300 and pass through AS 65001.
[ATNA] ip as-path-filter s6 permit _65001 .+ 300$

Network
NextHop
Issue 02 (2013-12-31)
MED
LocPrf

PrefVal Path/Ogn
2582

Equipment
*>
300i
3.3.3.9/32
8 IP Routing
10.1.1.2
65001 65101
The preceding command output shows that the BGP routing table contains only one route that
originates in AS 300 and passes through AS 65001.
Route Summarization Scenario

In Figure 8-37, after the aggregate 2.2.2.0 27 as-set detail-suppressed command is run on
ATN B and ATN C, the BGP routing table on ATN A is as follows:

Network
NextHop
*>
*>
i
*
i
*>
300i
*
300i
1.1.1.9/32
2.2.2.0/27
3.3.3.9/32
0.0.0.0
10.1.1.2
MED
LocPrf
PrefVal Path/Ogn
0
0
i
65001 {65101}
10.1.2.2
65011 {65101}
10.1.1.2
65001 65101
10.1.2.2
65011 65101
through AS 65011.
[ATNA] ip as-path-filter s7 deny 65011

Network
NextHop
*>
*>
i
*>
300i
1.1.1.9/32
2.2.2.0/27
0.0.0.0
10.1.1.2
3.3.3.9/32
10.1.1.2
MED
LocPrf
PrefVal Path/Ogn
0
0
i
65001 {65101}
65001 65101
those that pass through AS 65011.
Case 8: Configure an AS_Path filter named s8 and allow ATN A to accept only the routes
carrying an AS_Sequence with 65011 and an AS_Set with 65101.
[ATNA] ip as-path-filter s8 permit .*65011.*\{.*65101.*\}
Issue 02 (2013-12-31)

2583

Equipment
8 IP Routing


Network
NextHop
*
i
2.2.2.0/27
MED
LocPrf
PrefVal Path/Ogn
10.1.2.2
65011 {65101}
The preceding command output shows that the BGP routing table contains only one route
destined for 2.2.2.0/27 with 10.1.2.2 as the next hop.
Case 9: Configure an AS_Path filter named s9 and allow ATN A to accept only the routes
carrying an AS_Sequence with 65011 and an AS_Set with 65101 and the routes carrying an
AS_Sequence with 300.
[ATNA] ip as-path-filter s9 permit .*65011.*\{.*65101.*\}
[ATNA] ip as-path-filter s9 permit 300

Network
NextHop
*
i
*>
300i
*
300i
MED
LocPrf
PrefVal Path/Ogn
2.2.2.0/27
10.1.2.2
65011 {65101}
3.3.3.9/32
10.1.1.2
65001 65101
10.1.2.2
65011 65101
The preceding command output shows that the BGP routing table contains only the routes
carrying an AS_Sequence with 65011 and an AS_Set with 65101 and the routes carrying an
AS_Sequence with 300. In this case, the ip as-path-filter s9 permit .*65011.*\{.*65101.*\} and
ip as-path-filters9 permit 300 commands can be replaced with the ip as-path-filter s9
permit .*65011.*\{.*65101.*\}|300 command.
[ATNA] ip as-path-filter s9 permit .*65011.*\{.*65101.*\}|300

Network
NextHop
*
i
*>
300i
*
300i
Issue 02 (2013-12-31)
MED
LocPrf
PrefVal Path/Ogn
2.2.2.0/27
10.1.2.2
65011 {65101}
3.3.3.9/32
10.1.1.2
65001 65101
10.1.2.2
65011 65101

2584

Equipment
8 IP Routing
BGP Confederation Scenario

In Figure 8-38, EBGP peer relationships are established between ATN A and ATN B, between
ATN A and ATN C, between ATN B and ATN C, between ATN B and ATN D, between
ATN C and ATN D, and between ATN D and ATN E. AS 65001, AS 65011, AS 65101, and
AS 65121 form a BGP confederation with AS 200 as its ID.
Figure 8-38 Typical BGP Confederation networking
2.2.2.7/32
AS 200
AS 65121
AS 65001
ATN A
AS 65011
1.1.1.9/32
AS 65101
ATN B
ATN C
AS 300
ATN D
ATN E
2.2.2.9/32
3.3.3.9/32
2.2.2.8/32
Before an AS_Path filter is configured on ATN A, the BGP routing table on ATN A is as follows:

Network
NextHop
*>
*>i
* i
i
*>i
* i
i
*>i
i
* i
i
i
300i
Issue 02 (2013-12-31)
MED
LocPrf
PrefVal Path/Ogn
1.1.1.9/32
2.2.2.7/32
0.0.0.0
10.1.1.2
10.1.3.1
0
0
0
100
100
0
0
0
i
(65001)i
(65011 65001)
2.2.2.8/32
10.1.2.2
10.1.3.2
0
0
100
100
0
0
(65011)i
(65001 65011)
2.2.2.9/32
10.1.4.2
100
(65001 65101)
10.1.5.2
100
(65011 65101)
10.1.6.2
3.3.3.9/32

100
(65001 65101)
2585

Equipment
i
65101) 300i
10.1.6.2
8 IP Routing
0
100
(65011 65001
Case 10: Configure an AS_Path filter named s10 and allow ATN A to discard routes advertised
by peers in AS 65011.
[ATNA] ip as-path-filter s10 deny $65011_

Network
NextHop
*>
*>i
* i
i
*>i
i
i
300i
MED
LocPrf
PrefVal Path/Ogn
1.1.1.9/32
2.2.2.7/32
2.2.2.8/32
0.0.0.0
10.1.1.2
10.1.3.2
0
0
0
100
100
0
0
0
i
(65001)i
(65001 65011)
2.2.2.9/32
10.1.4.2
100
(65001 65101)
3.3.3.9/32
10.1.6.2
100
(65001 65101)
those advertised by peers in AS 65011.
Case 11: Configure an AS_Path filter named s11 and allow ATN A to discard routes that originate
in AS 65101.
[ATNA] ip as-path-filter s11 deny _65101$

Network
NextHop
*>
*>i
* i
i
*>i
* i
i
MED
LocPrf
PrefVal Path/Ogn
1.1.1.9/32
2.2.2.7/32
0.0.0.0
10.1.1.2
10.1.3.1
0
0
0
100
100
0
0
0
i
(65001)i
(65011 65001)
2.2.2.8/32
10.1.2.2
10.1.3.2
0
0
100
100
0
0
(65011)i
(65001 65011)
those that originate in AS 65101.
Route Summarization Scenario Within a Confederation

In Figure 8-38, after the aggregate 2.2.2.0 27 as-set detail-suppressed command is run on
ATN B, the BGP routing table on ATN B is as follows:
[ATNB] display bgp routing-table
Issue 02 (2013-12-31)

2586

Equipment
8 IP Routing


Network
NextHop
*>i 1.1.1.9/32
* i
i
*>
2.2.2.0/27
i
s>
2.2.2.7/32
s>i 2.2.2.8/32
* i
i
* i
i
s>i 2.2.2.9/32
* i
65101)i
* i
i
*>i 3.3.3.9/32
10.1.1.1
10.1.2.1
MED
LocPrf
0
0
100
100
127.0.0.1
PrefVal Path/Ogn
0
0
(65121)i
(65011 65121)
[65011 65101]
0.0.0.0
10.1.3.2
10.1.2.2
0
0
0
100
100
0
0
0
i
(65011)i
(65121 65011)
10.1.5.1
100
(65101 65011)
10.1.4.2
10.1.5.2
0
0
100
100
0
0
(65101)i
(65121 65011
10.1.5.2
100
(65011 65101)
10.1.6.2
100
(65101) 300i
Case 12: Configure an AS_Path filter named s12 and allow ATN B to accept only routes carrying
an AS_Confed_Set with 65101.
[ATNB] ip as-path-filter s12 permit \[.*65101.*\]
[ATNB] display bgp routing-table as-path-filter s12

Network
NextHop
*>
i
2.2.2.0/27
MED
LocPrf
127.0.0.1
PrefVal Path/Ogn
0
[65011 65101]
The preceding command output shows that the BGP routing table contains only the route
carrying an AS_Confed_Set with 65101.
Case 13: Configure an AS_Path filter named s13 and allow ATN B to accept only routes carrying
an AS_Confed_Set in which 65011 is the rightmost AS number.
[ATNB] ip as-path-filter s13 permit _65011\]
[ATNB] display bgp routing-table as-path-filter s13
The preceding command output shows that the BGP routing table contains no routes. Although
the route to 2.2.2.0/27 carries an AS_Confed_Set with 65011, 65011 is not the rightmost AS
number. As a result, this route is also discarded.

BGP configuration examples explain networking requirements, networking diagram,
configuration notes, configuration roadmap, and configuration procedure.
Issue 02 (2013-12-31)

2587

Equipment
8 IP Routing
Example for Configuring Basic BGP Functions

After configuring basic BGP functions, you can build up a BGP network to use BGP to transmit
routing information.
Multiple ASs exist in a region. To access each other, these ASs must exchange their local routes.
As multiple devices exist in the ASs, there are a large number of routes that change frequently.
How to transmit a great deal of routing information efficiently between ASs without consuming
lots of bandwidth resources has become a problem. BGP can be used to solve this problem.
On the network shown in Figure 8-39, ATN-A is in AS 65008. CX-B, CX-C, and CX-D are in
AS 65009. The routing tables of these devices store many routes, and the routes change
frequently. After BGP is enabled on the devices, the devices can exchange routing information.
When routes of one devices changes, the devices will send Update messages carrying only
changed routing information to its peers, and will not send its entire routing table. This greatly
reduces bandwidth consumption.
Figure 8-39 Networking diagram for configuring basic BGP functions
GE0/2/1
8.1.1.1/8
GE0/2/2
200.1.1.2/24
POS3/0/0
9.1.3.2/24
POS3/0/0
9.1.3.1/24
ATN-A
AS 65008
POS2/0/0
200.1.1.1/24
POS2/0/0
9.1.2.1/24
CX-C
AS 65009
POS1/0/0
CX-B 9.1.1.1/24
POS2/0/0
9.1.2.2/24
POS1/0/0
CX-D
9.1.1.2/24
1.
Establish IBGP connections between CX-B, CX-C, and CX-D so that these devices can
exchange routing information.
2.
Establish an EBGP connection between ATN-A and CX-B so that these devices can
3.
Run the network command to configure ATN-A to advertise route 8.1.1.1/8.
4.
Configure CX-B to import direct routes and view the routing tables of ATN-A and CX-C.
Data Preparation
Issue 02 (2013-12-31)

2588

Equipment
8 IP Routing
Router IDs 2.2.2.2, 3.3.3.3, and 4.4.4.4 and AS number 65009 of CX-B, CX-C, and CXD respectively
Router ID 1.1.1.1 and AS number 65008 of ATN-A
Procedure
Step 1 Configure an IP address for each interface. The configuration details are not provided here.
Step 2 Establish IBGP connections.
# Configure CX-B.
[CX-B] bgp
[CX-B-bgp]
[CX-B-bgp]
[CX-B-bgp]
65009
router-id 2.2.2.2
# Configure CX-C.
[CX-C] bgp
[CX-C-bgp]
[CX-C-bgp]
[CX-C-bgp]
65009
router-id 3.3.3.3
# Configure CX-D.
[CX-D] bgp
[CX-D-bgp]
[CX-D-bgp]
[CX-D-bgp]
65009
router-id 4.4.4.4
Step 3 Establish an EBGP connection.

# Configure ATN-A.
[ATN-A] bgp 65008
[ATN-A-bgp] router-id 1.1.1.1
[ATN-A-bgp] peer 200.1.1.1 as-number 65009
# Configure CX-B.
[CX-B-bgp] peer 200.1.1.2 as-number 65008
# View the status of BGP connections.

[CX-B] display bgp peer
Peer
V
AS MsgRcvd
9.1.1.2
4 65009
49
9.1.3.2
4 65009
56
200.1.1.2
4 65008
49
MsgSent
62
56
65

OutQ Up/Down
State PrefRcv
0
0
1
The preceding command output shows that BGP connections have been established between
CX-B and other devices.
Step 4 Configure ATN-A to advertise a route.
# Configure ATN-A to advertise route 8.0.0.0/8.
[ATN-A-bgp] ipv4-family unicast
[ATN-A-bgp-af-ipv4] network 8.0.0.0 255.0.0.0
# View the routing table of ATN-A.

Issue 02 (2013-12-31)

2589

Equipment
8 IP Routing
[ATN-A] display bgp routing-table


Network
NextHop
MED
*>
8.0.0.0
0.0.0.0
LocPrf
PrefVal Path/Ogn
0
# View the routing table of CX-B.

[CX-B] display bgp routing-table

Network
NextHop
MED
*>
8.0.0.0
200.1.1.2
LocPrf
PrefVal Path/Ogn
0
65008i

[CX-C] display bgp routing-table

Network
NextHop
i
8.0.0.0
200.1.1.2
MED
LocPrf
100
PrefVal Path/Ogn
0
65008i
NOTE
The preceding command output shows that CX-C has learned the route to destination 8.0.0.0 in AS 65008.
The route, however, is invalid because the next hop 200.1.1.2 of this route is unreachable.
Step 5 Configure BGP to import direct routes.

# Configure CX-B.
[CX-B-bgp] ipv4-family unicast
[CX-B-bgp-af-ipv4] import-route direct


Network
NextHop
Issue 02 (2013-12-31)
MED
LocPrf

PrefVal Path/Ogn
2590

Equipment
*>
*>
*>
*>
*>
*>
*>
8.0.0.0
9.1.1.0/24
9.1.1.2/32
9.1.3.0/24
9.1.3.2/32
200.1.1.0
200.1.1.2/32
8 IP Routing
0.0.0.0
200.1.1.1
200.1.1.1
200.1.1.1
200.1.1.1
200.1.1.1
200.1.1.1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
i
65009?
65009?
65009?
65009?
65009?
65009?

[CX-C] display bgp routing-table

Network
NextHop
*>i
*>i
*>i
*>i
*>i
*>i
*>i
8.0.0.0
9.1.1.0/24
9.1.1.2/32
9.1.3.0/24
9.1.3.2/32
200.1.1.0
200.1.1.2/32
200.1.1.2
9.1.3.1
9.1.3.1
9.1.3.1
9.1.3.1
9.1.3.1
9.1.3.1
MED
0
0
0
0
0
0
0
LocPrf
100
100
100
100
100
100
100
PrefVal Path/Ogn
0
0
0
0
0
0
0
65008i
?
?
?
?
?
?
The preceding command output shows that the route to destination 8.0.0.0 becomes valid
because the next-hop address of this route is the address of ATN-A.
# Run the ping 8.1.1.1 command on CX-C.
[CX-C] ping 8.1.1.1
0.00% packet loss
ms
ms
ms
ms
ms
----End
Configuration Files
l

#
sysname ATN-A
#
ip address 8.1.1.1 255.0.0.0
#
link-protocol ppp
ip address 200.1.1.2 255.255.255.0
#
bgp 65008
router-id 1.1.1.1
#
Issue 02 (2013-12-31)

2591

Equipment
8 IP Routing
ipv4-family unicast
network 8.0.0.0
#
return

#
sysname CX-B
#
interface Pos1/0/0
link-protocol ppp
ip address 9.1.1.1 255.255.255.0
#
interface Pos2/0/0
link-protocol ppp
ip address 200.1.1.1 255.255.255.0
#
interface Pos3/0/0
link-protocol ppp
ip address 9.1.3.1 255.255.255.0
#
bgp 65009
router-id 2.2.2.2
#
ipv4-family unicast
import-route direct
peer 9.1.1.2 enable
peer 9.1.3.2 enable
#
return

#
sysname CX-C
#
interface Pos2/0/0
link-protocol ppp
ip address 9.1.2.1 255.255.255.0
#
interface Pos3/0/0
link-protocol ppp
ip address 9.1.3.2 255.255.255.0
#
bgp 65009
router-id 3.3.3.3
#
ipv4-family unicast
peer 9.1.2.2 enable
peer 9.1.3.1 enable
#
return

#
sysname CX-D
#
interface Pos1/0/0
Issue 02 (2013-12-31)

2592

Equipment
8 IP Routing
link-protocol ppp
ip address 9.1.1.2 255.255.255.0
#
interface Pos2/0/0
link-protocol ppp
ip address 9.1.2.2 255.255.255.0
#
bgp 65009
router-id 4.4.4.4
#
ipv4-family unicast
peer 9.1.1.1 enable
peer 9.1.2.1 enable
#
return
Example for Configuring BGP to Interact with an IGP

Configuring BGP to interact with an IGP can enrich routing tables.
As the Internet grows, devices in different networks need to access each other, data needs to be
reliably transmitted, and the traffic interruption time needs to be minimized. This requires that
routing information be transmitted widely and network convergence be accelerated. BGP can
transmit routing information efficiently and widely. BGP, however, does not calculate routes by
itself. An IGP can implement rapid route convergence, but it transmits routing information with
a low efficiency in a limited scope. After BGP is configured to interact with an IGP, IGP routes
can be imported into BGP routing tables and can be transmitted efficiently, and BGP routes can
also be imported to IGP routing tables so that ASs can access each other.
The network shown in Figure 8-40 is divided into AS 65008 and AS 65009. In AS 65009, an
IGP is used to calculate routes. In this example, OSPF is used as an IGP. BGP can be configured
to enable the two ASs to access each other. Interaction between BGP and the IGP can be
configured on edge devices in the two ASs so that the two ASs can exchange routes efficiently
and access each other.
Figure 8-40 Networking diagram for configuring BGP to interact with an IGP
GE0/2/1
8.1.1.1/24
ATN-A
AS 65008
Issue 02 (2013-12-31)
GE0/2/2
3.1.1.2/24
POS2/0/0
3.1.1.1/24
POS1/0/0
9.1.1.1/24
CX-B

GE2/0/0
9.1.2.1/24
POS1/0/0 CX-C
9.1.1.2/24
AS 65009
2593

Equipment
8 IP Routing
1.
Configure OSPF on CX-B and CX-C so that these devices can access each other.
2.
Establish an EBGP connection between ATN-A and CX-B so that these devices can
3.
Configure BGP and OSPF to import routes from each other on CX-B and view routing
information in the routing table of CX-B.
4.
(Optional) Configure BGP route summarization on CX-B to simplify the BGP routing table.
Data Preparation
l
Area ID 0 of CX-B and CX-C
Router IDs 1.1.1.1 and 2.2.2.2 and AS numbers 65008 and 65009 of ATN-A and CX-B
respectively
Procedure
Step 1 Configure an IP address for each interface. The configuration details are not provided here.
Step 2 Configuring OSPF
# Configure CX-B.
[CX-B] ospf 1
[CX-B-ospf-1] quit
# Configure CX-C.
[CX-C] ospf 1
[CX-C-ospf-1] quit
Step 3 Establish an EBGP connection.

# Configure ATN-A.
[ATN-A] bgp 65008
[ATN-A-bgp] router-id 1.1.1.1
[ATN-A-bgp] peer 3.1.1.1 as-number 65009
[ATN-A-bgp] ipv4-family unicast
[ATN-A-bgp-af-ipv4] network 8.1.1.0 255.255.255.0
# Configure CX-B.
[CX-B] bgp 65009
[CX-B-bgp] router-id 2.2.2.2
Step 4 Configure BGP to interact with an IGP

# On CX-B, configure BGP to import OSPF routes.
Issue 02 (2013-12-31)

2594

Equipment
8 IP Routing

[CX-B-bgp-af-ipv4] import-route ospf 1
[CX-B-bgp-af-ipv4] quit
[CX-B-bgp] quit

Network
NextHop
MED
LocPrf
PrefVal Path/Ogn
*>
8.1.1.0/24
0.0.0.0
0
0
i
*>
9.1.1.0/24
3.1.1.1
0
0
65009?
*>
9.1.2.0/24
3.1.1.1
2
0
65009?
# On CX-B, configure OSPF to import BGP routes.

[CX-B] ospf
[CX-B-ospf-1] import-route bgp
[CX-B-ospf-1] quit

[CX-C] display ip routing-table
Destinations : 7
Routes : 7
Destination/Mask
Proto
8.1.1.0/24 O_ASE
9.1.1.0/24 Direct
9.1.1.2/32 Direct
9.1.2.0/24 Direct
9.1.2.1/32 Direct
127.0.0.0/8
Direct
127.0.0.1/32 Direct
Pre
Cost
Flags NextHop
150
0
0
0
1
0
0
0
D
D
D
D
9.1.1.1
9.1.1.2
127.0.0.1
9.1.2.1
127.0.0.1
0
0
0
0
D
D
127.0.0.1
127.0.0.1
Interface
Pos1/0/0
Pos1/0/0
Pos1/0/0
InLoopBack0
InLoopBack0
Step 5 (Optional) Configure automatic route summarization.

BGP is used to transmit routing information on large-scale networks. BGP route summarization
can be configured to simplify routing tables of devices on these networks.
# Configure CX-B.
[CX-B] bgp 65009
[CX-B-bgp-af-ipv4] summary automatic

Network
NextHop
MED
LocPrf
PrefVal Path/Ogn
*>
8.1.1.0/24
0.0.0.0
0
0
i
*>
9.0.0.0
3.1.1.1
0
65009?
# Run the ping -a 8.1.1.1 9.1.2.1 command on ATN-A.

Issue 02 (2013-12-31)

2595

Equipment
[ATN-A] ping -a 8.1.1.1 9.1.2.1
0.00% packet loss
8 IP Routing
ms
ms
ms
ms
ms
----End
Configuration Files
l

#
sysname ATN-A
#
ip address 8.1.1.1 255.255.255.0
#
link-protocol ppp
ip address 3.1.1.2 255.255.255.0
#
bgp 65008
router-id 1.1.1.1
#
ipv4-family unicast
network 8.1.1.0 255.255.255.0
peer 3.1.1.1 enable
#
return

#
sysname CX-B
#
interface Pos1/0/0
link-protocol ppp
ip address 9.1.1.1 255.255.255.0
#
interface Pos2/0/0
link-protocol ppp
ip address 3.1.1.1 255.255.255.0
#
bgp 65009
router-id 2.2.2.2
#
ipv4-family unicast
summary automatic
import-route ospf 1
peer 3.1.1.2 enable
#
ospf 1
import-route bgp
area 0.0.0.0
network 9.1.1.0 0.0.0.255
#
Issue 02 (2013-12-31)

2596

Equipment
8 IP Routing
return

#
sysname CX-C
#
ip address 9.1.2.1 255.255.255.0
#
interface Pos1/0/0
link-protocol ppp
ip address 9.1.1.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 9.1.1.0 0.0.0.255
network 9.1.2.0 0.0.0.255
#
return
Example for Configuring a BGP Routing Policy

By configuring BGP routing policies, you can flexibly control the traffic on a complex network.
Figure 8-41 shows the simplified MPLS network that carries multiple types of L3VPN services,
such as multimedia, signaling, and accounting. In Figure 8-41, two sites, each of which has two
PEs accessing the core layer, are taken as an example. The core layer is divided into two planes.
All the P nodes on the same plane are full-meshed P nodes. Nodes on different planes are
connected to provide backup paths across plane. MP-BGP is used to advertise inner labels and
VPNv4 routes between the PEs. All PEs set up MP-IBGP peer relationships with the RR.
NOTE
Figure 8-41 is a simplified networking diagram, in which two sites are taken as an example and each plane
takes three P nodes and one RR as an example. In the actual network, there are 14 sites with 28 PEs and
each plane has four P nodes and two RR nodes, and each RR needs to set up MP-IBGP connections with
28 PEs.
Figure 8-41 Networking diagram
P1
P3
Plane A
PE3
GE0/2/0
P5
PE1
GE0/2/5
GE0/2/4
VPN site 2
10.22.1.0/24
VPN site 1
10.21.1.0/24
RR
P2
PE4
P4
PE2
Plane
PlaneB B
Issue 02 (2013-12-31)
P6

2597

Equipment
8 IP Routing
In Figure 8-41, each PE sends BGP Update messages to the RR, other PEs receive BGP Update
messages from different planes. Therefore, routing policies need to be deployed to ensure that
one VPN flow is transmitted only through one plane.
1.
Configure different RDs for two PEs in the same site to ensure that each PE can receive
two routes from different BGP next hops in the remote site. When two PEs in a site advertise
the routes to the same destination, configuring different RDs for the two PEs can ensure
that BGP peers consider the advertised routes as two different routes. This is because BGPVPNv4 uses the VPNv4 addresses that consist of IPv4 addresses and RDs.
2.
Assign different communities for BGP routes from PE in plane A and BGP routes from PE
in plane B.
3.
Set different local preferences for routes based on the community attributes of the routes.
In this manner, the PEs in plane A choose the routes advertised by remote PEs in plane A,
and the PEs in plane B always choose the routes advertised by the remote PEs in plane B.
Data Preparation
Table 8-6 IP addresses of physical interfaces
Local Device
Local Interface
and Its IP Address
Remote Interface
and Its IP Address
Remote Device
P1
GE 1/0/0
GE 1/0/0
P3
10.1.1.1/30
10.1.1.2/30
GE 2/0/0
GE 1/0/0
10.1.2.1/30
10.1.2.2/30
GE 3/0/0
GE 1/0/0
10.1.3.1/30
10.1.3.2/30
GE 4/0/0
GE 1/0/0
10.1.4.1/30
10.1.4.2/30
GE 5/0/0
GE 0/2/0
10.1.5.1/30
10.1.5.2/30
GE 4/0/0
GE 1/0/0
10.1.6.1/30
10.1.6.2/30
GE 3/0/0
GE 1/0/0
10.1.7.1/30
10.1.7.2/30
P1
P1
P1
P1
P2
P2
Issue 02 (2013-12-31)

P5
RR
P2
PE1
P6
P4
2598

Equipment
8 IP Routing
Local Device
Local Interface
and Its IP Address
Remote Interface
and Its IP Address
Remote Device
P2
GE 2/0/0
GE 2/0/0
RR
10.1.8.1/30
10.1.8.2/30
GE 5/0/0
GE 1/0/0
10.1.9.1/30
10.1.9.2/30
GE 2/0/0
GE 2/0/0
10.1.10.1/30
10.1.10.2/30
GE 3/0/0
GE 2/0/0
10.1.11.1/30
10.1.11.2/30
GE 4/0/0
GE 1/0/0
10.1.12.1/30
10.1.12.2/30
GE 3/0/0
GE 3/0/0
10.1.13.1/30
10.1.13.2/30
GE 4/0/0
GE 1/0/0
10.1.14.1/30
10.1.14.2/30
GE 3/0/0
GE 2/0/0
10.1.15.1/30
10.1.15.2/30
GE 0/2/4
GE 2/0/0
10.1.16.1/30
10.1.16.2/30
GE 2/0/0
GE 2/0/0
10.1.17.1/30
10.1.17.2/30
P2
P3
P3
P3
P4
P4
P5
PE1
PE3
PE2
P5
P4
PE3
P6
PE4
P6
PE2
PE4
Table 8-7 IP addresses of loopback interfaces
Issue 02 (2013-12-31)
Local Device
IP Address of the
local Loopback 0
Interface
Remote Device
IP Address of the
Remote Loopback
0 Interface
P1
10.1.1.9/32
P2
10.2.2.9/32
P3
10.3.3.9/32
P4
10.4.4.9/32
P5
10.5.5.9/32
P6
10.6.6.9/32
PE1
10.7.7.9/32
PE2
10.8.8.9/32
PE3
10.9.9.9/32
PE4
10.10.10.9/32
RR
10.11.11.9/32

2599

Equipment
8 IP Routing
Table 8-8 BGP parameter Value

BGP Parameter
Value
AS number
65000
Router ID
Same as the address of Loopback 0 interface
BGP community attribute
Plane A: 65000:100
Plane B: 65000:200
BGP local preference
Plane A: The local preference of community

attribute 65000:100 is set to 200.
Plane B: The local preference of community
attribute 65000:200 is set to 200.
NOTE
By default, the BGP local preference is 100. The
greater the value, the higher the preference.
Routing policy name
Route import policy: local_pre

Route export policy: comm
Community filter name
BGP peer group name
Client
Procedure
Step 1 Configure names for devices and IP addresses for interfaces.
For detailed configurations, see the configuration files of this example.
Step 2 Configure an IGP.
In this example, IS-IS is used as an IGP. For detailed configurations, see the configuration files
of this example.
After the configuration, run the display ip routing-table command. You can view that PEs, Ps
and PEs, and Ps have learned the addresses of Loopback 0 interfaces from each other.
Step 3 Establish MP-IBGP connections between the PEs and RR.
# Take the configuration of PE1 as an example. Configurations of other PEs are the same as that
of PE1, and are not mentioned here.
[PE1] bgp 65000
[PE1-bgp] peer 10.11.11.9 connect-interface LoopBack0
[PE1-bgp] ipv4-family unicast
[PE1-bgp-af-ipv4] undo peer 10.11.11.9 enable
# Configure the RR.

[RR] bgp 65000
[RR-bgp] group client internal
Issue 02 (2013-12-31)

2600

Equipment
8 IP Routing
[RR-bgp] peer client connect-interface LoopBack0

[RR-bgp] ipv4-family unicast
[RR-bgp-af-ipv4] undo peer client enable
[RR-bgp-af-ipv4] quit
[RR-bgp] ipv4-family vpnv4
[RR-bgp-af-vpnv4] undo policy vpn-target
[RR-bgp-af-vpnv4] peer client enable
[RR-bgp-af-vpnv4] peer 10.7.7.9 group client
[RR-bgp-af-vpnv4] peer client reflect-client
NOTE
You need to run the undo policy vpn-target command in the BGP-VPNv4 address family view of the RR
to ensure that VPN-target-based filtering is not performed on VPNv4 routes. By default, an RR performs
VPN-target-based filtering on the received VPNv4 routes. The matching routes are added to the VPN
routing table, and the other routes are discarded. In this example, VPN instances are not configured on the
RR. As a result, if VPN-target-based filtering is enabled, all the received VPNv4 routes will be discarded.
After the configuration, run the display bgp vpnv4 all peer command on the RR. You can view
that the RR sets up MP-IBGP peers with all PEs.
<RR> display bgp vpnv4 all peer
Peers in
Peer
V
AS
MsgRcvd MsgSent OutQ
PrefRcv
10.7.7.9
4
65000 79
82
0
0
10.8.8.9
4
65000 42
66
0
0
10.9.9.9
4
65000 21
34
0
0
10.10.10.9
4
65000 2
4
0
0
established state : 4
Up/Down
State
00:01:31
Established
00:01:16
Established
00:00:50
Established
00:00:21
Established
Step 4 Configure a routing policy.

NOTE
Take the configurations of PE1, PE2, and the RR as an example. The configurations of PE3 and PE4 are
the same as the configurations of PE1 and PE2 respectively, and are not mentioned here.
# Configure a routing policy on PE1 so that the BGP VPNv4 route advertised by PE1 can carry
community attribute 65000:100.
[PE1] route-policy comm permit node 10
[PE1] apply community 65000:100
# Configure the routing policy on PE2 so that the BGP VPNv4 route advertised by PE2 can carry
community attribute 65000:200.
[PE2] route-policy com permit node 10
[PE2] apply community 65000:200
# On PE1, apply the routing policy to the BGP VPNv4 route advertised by PE1 to the RR so
that the route can carry the community attribute.
[PE1] bgp 65000
[PE1-bgp-af-vpnv4] peer 10.11.11.9 route-policy comm export
[PE1-bgp-af-vpnv4] peer 10.11.11.9 advertise-community
# On PE2, apply the routing policy to the BGP VPNv4 route advertised by PE2 to the RR so
that the route can carry the community attribute.
Issue 02 (2013-12-31)

2601

Equipment
8 IP Routing
[PE2] bgp 65000

[PE2-bgp-af-vpnv4] peer 10.11.11.9 route-policy comm export
[PE2-bgp-af-vpnv4] peer 10.11.11.9 advertise-community
# Configure the RR to advertise the community attribute to the PEs.

[RR] bgp 65000
[RR-bgp] ipv4-family vpnv4
[RR-bgp-af-vpnv4] peer client advertise-community
# Configure the community attribute filter on PE1.

[PE1] ip community-filter 1 permit 65000:100
# Configure the community attribute filter on PE2.

[PE2] ip community-filter 1 permit 65000:200
# On PE1, configure a routing policy and set the local preference of the route with community
attribute 65000:100 to 200.
[PE1] route-policy
[PE1-route-policy]
[PE1-route-policy]
[PE1-route-policy]
local_pre permit node 10

if-match community-filter 1
apply local-preference 200
quit
# On PE2, configure a routing policy and set the local preference of the route with community
attribute 65000:200 to 200.
[PE2] route-policy
[PE2-route-policy]
[PE2-route-policy]
[PE2-route-policy]
local_pre permit node 10

quit
# On PE1, apply the routing policy to the imported BGP VPNv4 route so that the PE1 chooses
the route advertised by the remote PEs in plane A.
[PE1] bgp 65000
[PE1-bgp-af-vpnv4] peer 10.11.11.9 route-policy local_pre import
# On PE2, apply the routing policy to the imported BGP VPNv4 route so that the PE2 chooses
the route advertised by the remote PEs in plane B.
[PE2] bgp 65000
[PE2-bgp-af-vpnv4] peer 10.11.11.9 route-policy local_pre import
NOTE
After this configuration, you also need to configure MPLS, establish tunnels, configure MPLS L3VPN, and
configure PEs to access CEs. For detailed configurations, see the configuration files of this example.

Run the display bgp vpnv4 all routing-table community command on a PE. You can view
information about the VPNv4 routes with community attributes. Take the display on PE1 and
PE2 as an example.
[PE1] display bgp routing-table community
Total Number of Routes from all PE: 2
Route Distinguisher: 65000:10001012
Issue 02 (2013-12-31)

2602

Equipment
*>
*
Network
10.22.1.0/24
NextHop
10.9.9.9
10.10.10.9
8 IP Routing
MED
0
0
Total routes of vpn-instance NGN_Media: 2

Network
NextHop
MED
*>i 10.22.1.0/24
10.9.9.9
0
*
10.10.10.9
0
LocPrf
200
100
PrefVal
Community
65000:100
65000:200
LocPrf
200
100
PrefVal
0
0
Community
65000:100
65000:200
[PE2] display bgp routing-table community

Total Number of Routes from all PE: 2
Route Distinguisher: 65000:10001011
Network
NextHop
MED
LocPrf
PrefVal Community
*>
10.22.1.0/24
10.10.10.9
0
200
65000:200
*
10.9.9.9
0
100
65000:100
Total routes of vpn-instance NGN_Media: 2
Network
NextHop
MED
*>i 10.22.1.0/24
10.10.10.9
0
*
10.9.9.9
0
LocPrf
200
100
PrefVal
0
0
Community
65000:200
65000:100
Run the display ip routing-table vpn-instance vpna 10.22.1.0 24 command on PE1, and you
can find that the next hop of route 10.22.1.0/24 is PE3. That is, PE1 chooses the route advertised
by PE3.
[PE1] display ip routing-table vpn-instance NGN_Media 10.22.1.0 24
-----------------------------------------------------------------------------Routing Tables: NGN_Media
Destination/Mask Proto Pre Cost Flags NextHop
Interface
10.22.1.0/24
IBGP
255 0
RD
10.9.9.9 GigabitEthernet0/2/0
----End
Configuration Files
l
Configuration file of P1
#
sysname P1
#
mpls
#
mpls ldp
#
isis 64
network-entity 49.0091.0100.0100.1009.00
#
description toP3GE1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.252
isis enable 64
mpls
mpls ldp
#
undo shutdown
ip address 10.1.2.1 255.255.255.252
isis enable 64
mpls
Issue 02 (2013-12-31)

2603

Equipment
8 IP Routing
mpls ldp
#
description toRRGE1/0/0
undo shutdown
ip address 10.1.3.1 255.255.255.252
isis enable 64
mpls
mpls ldp
#
undo shutdown
ip address 10.1.4.1 255.255.255.252
isis enable 64
mpls
mpls ldp
#
undo shutdown
ip address 10.1.5.1 255.255.255.252
isis enable 64
mpls
mpls ldp
#
interface LoopBack0
ip address 10.1.1.9 255.255.255.255
isis enable 64
#
return
#
sysname P2
#
mpls
#
mpls ldp
#
isis 64
network-entity 49.0091.0100.0200.2009.00
#
undo shutdown
ip address 10.1.4.2 255.255.255.252
isis enable 64
mpls
mpls ldp
#
description toRRGE2/0/0
undo shutdown
ip address 10.1.8.1 255.255.255.252
isis enable 64
mpls
mpls ldp
#
undo shutdown
ip address 10.1.7.1 255.255.255.252
isis enable 64
mpls
mpls ldp
Issue 02 (2013-12-31)

2604

Equipment
8 IP Routing
#
undo shutdown
ip address 10.1.6.1 255.255.255.252
isis enable 64
mpls
mpls ldp
#
description toPE2GE1/0/0
undo shutdown
ip address 10.1.9.1 255.255.255.252
isis enable 64
mpls
mpls ldp
#
interface LoopBack0
ip address 10.2.2.9 255.255.255.255
isis enable 64
#
return
#
sysname P3
#
mpls
#
mpls ldp
#
isis 64
network-entity 49.0091.0100.0300.3009.00
#
undo shutdown
ip address 10.1.1.2 255.255.255.252
isis enable 64
mpls
mpls ldp
#
undo shutdown
ip address 10.1.10.1 255.255.255.252
isis enable 64
mpls
mpls ldp
#
undo shutdown
ip address 10.1.11.1 255.255.255.252
isis enable 64
mpls
mpls ldp
#
undo shutdown
ip address 10.1.12.1 255.255.255.252
isis enable 64
mpls
mpls ldp
#
Issue 02 (2013-12-31)

2605

Equipment
8 IP Routing
interface LoopBack0
ip address 10.3.3.9 255.255.255.255
isis enable 64
#
return
#
sysname P4
#
mpls
#
mpls ldp
#
isis 64
network-entity 49.0091.0100.0400.4009.00
#
undo shutdown
ip address 10.1.7.2 255.255.255.252
isis enable 64
mpls
mpls ldp
#
undo shutdown
ip address 10.1.11.2 255.255.255.252
isis enable 64
mpls
mpls ldp
#
undo shutdown
ip address 10.1.13.1 255.255.255.252
isis enable 64
mpls
mpls ldp
#
undo shutdown
ip address 10.1.14.1 255.255.255.252
isis enable 64
mpls
mpls ldp
#
interface LoopBack0
ip address 10.4.4.9 255.255.255.255
isis enable 64
#
return
#
sysname P5
#
mpls
#
mpls ldp
#
isis 64
network-entity 49.0091.0100.0500.5009.00
Issue 02 (2013-12-31)

2606

Equipment
8 IP Routing
#
undo shutdown
ip address 10.1.2.2 255.255.255.252
isis enable 64
mpls
mpls ldp
#
undo shutdown
ip address 10.1.10.2 255.255.255.252
isis enable 64
mpls
mpls ldp
#
undo shutdown
ip address 10.1.15.1 255.255.255.252
isis enable 64
mpls
mpls ldp
#
interface LoopBack0
ip address 10.5.5.9 255.255.255.255
isis enable 64
#
return
#
sysname P6
#
mpls
#
mpls ldp
#
isis 64
network-entity 49.0091.0100.0600.6009.00
#
undo shutdown
ip address 10.1.6.2 255.255.255.252
isis enable 64
mpls
mpls ldp
#
undo shutdown
ip address 10.1.15.2 255.255.255.252
isis enable 64
mpls
mpls ldp
#
undo shutdown
ip address 10.1.13.2 255.255.255.252
isis enable 64
mpls
mpls ldp
#
Issue 02 (2013-12-31)

2607

Equipment
8 IP Routing
interface LoopBack0
ip address 10.6.6.9 255.255.255.255
isis enable 64
#
return

#
sysname PE1
#
ip vpn-instance NGN_Media
vpn-target 65000:100 65000:200 65000:300 import-extcommunity
ip vpn-instance NGN_Other
ip vpn-instance NGN_Signaling
#
mpls
#
mpls ldp
#
isis 64
network-entity 49.0091.0100.0700.7009.00
#
undo shutdown
ip address 10.1.5.2 255.255.255.252
isis enable 64
mpls
mpls ldp
#
undo shutdown
ip address 10.1.16.1 255.255.255.252
isis enable 64
mpls
mpls ldp
#
#
vlan-type dot1q 10
ip binding vpn-instance NGN_Media
ip address 10.21.1.73 255.255.255.252
#
vlan-type dot1q 11
ip binding vpn-instance NGN_Signaling
ip address 10.21.1.77 255.255.255.252
#
vlan-type dot1q 12
ip binding vpn-instance NGN_Other
ip address 10.21.1.81 255.255.255.252
#
Issue 02 (2013-12-31)

2608

Equipment
8 IP Routing
interface LoopBack0
ip address 10.7.7.9 255.255.255.255
isis enable 64
#
bgp 65000
peer 10.11.11.9 as-number 65000
#
ipv4-family unicast
undo peer 10.11.11.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 10.11.11.9 route-policy local_pre import
peer 10.11.11.9 route-policy comm export
peer 10.11.11.9 advertise-community
#
ipv4-family vpn-instance NGN_Media
aggregate 10.21.1.0 255.255.255.0 detail-suppressed
import-route direct
#
ipv4-family vpn-instance NGN_Other
import-route direct
#
ipv4-family vpn-instance NGN_Signaling
import-route direct
#
route-policy comm permit node 10
apply community 65000:100
#
route-policy local_pre permit node 10
#
ip community-filter 1 permit 65000:100
#
return

#
sysname PE2
#
#
mpls
#
mpls ldp
#
Issue 02 (2013-12-31)

2609

Equipment
8 IP Routing
isis 64
network-entity 49.0091.0100.0800.8009.00
#
undo shutdown
ip address 10.1.9.2 255.255.255.252
isis enable 64
mpls
mpls ldp
#
undo shutdown
ip address 10.1.16.2 255.255.255.252
isis enable 64
mpls
mpls ldp
#
#
vlan-type dot1q 10
ip address 10.21.1.13 255.255.255.252
#
vlan-type dot1q 11
ip address 10.21.1.17 255.255.255.252
#
vlan-type dot1q 12
ip address 10.21.1.21 255.255.255.252
#
interface LoopBack0
ip address 10.8.8.9 255.255.255.255
isis enable 64
#
bgp 65000
peer 10.11.11.9 as-number 65000
#
ipv4-family unicast
#
ipv4-family vpnv4
policy vpn-target
#
import-route direct
#
import-route direct
#
import-route direct
#
Issue 02 (2013-12-31)

2610

Equipment
8 IP Routing

#
#
#
return

#
sysname PE3
#
#
mpls
#
mpls ldp
#
isis 64
network-entity 49.0091.0100.0900.9009.00
#
undo shutdown
ip address 10.1.12.2 255.255.255.252
isis enable 64
mpls
mpls ldp
#
undo shutdown
ip address 10.1.17.1 255.255.255.252
isis enable 64
mpls
mpls ldp
#
#
vlan-type dot1q 10
ip address 10.22.1.73 255.255.255.252
#
vlan-type dot1q 11
ip address 10.22.1.77 255.255.255.252
#
Issue 02 (2013-12-31)

2611

Equipment
8 IP Routing
vlan-type dot1q 12
ip address 10.22.1.81 255.255.255.252
#
interface LoopBack0
ip address 10.9.9.9 255.255.255.255
isis enable 64
#
bgp 65000
peer 10.11.11.9 as-number 65000
#
ipv4-family unicast
#
ipv4-family vpnv4
policy vpn-target
#
import-route direct
#
import-route direct
#
import-route direct
#
#
#
#
#
return

#
sysname PE4
#
Issue 02 (2013-12-31)

2612

Equipment
8 IP Routing

#
mpls
#
mpls ldp
#
isis 64
network-entity 49.0091.0100.1001.0009.00
#
undo shutdown
ip address 10.1.14.2 255.255.255.252
isis enable 64
mpls
mpls ldp
#
undo shutdown
ip address 10.1.17.2 255.255.255.252
isis enable 64
mpls
mpls ldp
#
#
vlan-type dot1q 10
ip address 10.22.1.13 255.255.255.252
#
vlan-type dot1q 11
ip address 10.22.1.17 255.255.255.252
#
vlan-type dot1q 12
ip address 10.22.1.21 255.255.255.252
#
interface LoopBack0
ip address 10.10.10.9 255.255.255.255
isis enable 64
#
bgp 65000
peer 10.11.11.9 as-number 65000
#
ipv4-family unicast
#
ipv4-family vpnv4
policy vpn-target
#
import-route direct
#
Issue 02 (2013-12-31)

2613

Equipment
8 IP Routing

import-route direct
#
import-route direct
#
#
#
#
return
Configuration file of the RR

#
sysname RR
#
isis 64
network-entity 49.0091.0100.1101.1009.00
#
undo shutdown
ip address 10.1.3.2 255.255.255.252
isis enable 64
#
undo shutdown
ip address 10.1.8.2 255.255.255.252
isis enable 64
#
interface LoopBack0
ip address 10.11.11.9 255.255.255.255
isis enable 64
#
bgp 65000
group client internal
peer client connect-interface LoopBack0
peer 10.10.10.9 as-number 65000
#
ipv4-family unicast
undo peer client enable
#
ipv4-family vpnv4
peer client enable
peer client reflect-client
peer client advertise-community
peer 10.7.7.9 group client
Issue 02 (2013-12-31)

2614

Equipment
8 IP Routing

#
return
Example for Configuring BGP Load Balancing and the MED Attribute
By properly configuring load balancing, you can fully utilize network resources and thus reduce
network congestion.
As shown in Figure 8-42, all equipment are configured with BGP. ATN A resides in AS65008.
CX-B and CX-C reside in AS65009. EBGP runs betweenATN A and CX-B, and between ATN
A and CX-C. IBGP runs between CX-B and CX-C.
Figure 8-42 Networking diagram of BGP route selection
POS2/0/0
200.1.1.1/24
GE0/2/0
AS 65008 200.1.1.2/24
CX-B
GE1/0/0
9.1.1.1/24
EBGP
IBGP
ATN-A
GE0/2/4
200.1.2.2/24 EBGP
AS 65009
GE1/0/0
9.1.1.2/24
POS2/0/0
200.1.2.1/24
CX-C
1.
Configure EBGP connections between ATN A and CX-B, and between ATN A and CXC.
2.
Configure IBGP connections between CX-B and CX-C.
3.
Configure load balancing and set the MED on ATN A, and check the routes.
Data Preparation
Issue 02 (2013-12-31)

2615

Equipment
8 IP Routing
The Router ID of ATN A is 1.1.1.1, and the number of its AS where it resides is 65008.
The number of routes for load balancing is 2
The Router ID of CX-B is 2.2.2.2, and the number of its AS where it resides is 65009. The
default MED of CX-B is 100
The Router ID of CX-C is 3.3.3.3, and the number of its AS where it resides is 65009.
Procedure
Step 2 Configure the BGP connection.
# Configure ATN A.
[ATNA] bgp
[ATNA-bgp]
[ATNA-bgp]
[ATNA-bgp]
[ATNA-bgp]
65008
router-id 1.1.1.1
quit
# Configure CX-B.
[CX-B] bgp 65009
[CX-B-bgp] router-id 2.2.2.2
[CX-B-bgp-af-ipv4] network 9.1.1.0 255.255.255.0
[CX-B-bgp-af-ipv4] quit
[CX-B-bgp] quit
# Configure CX-C.
[CX-C] bgp 65009
[CX-C-bgp] router-id 3.3.3.3
[CX-C-bgp] peer 200.1.2.2 as-number 65008
[CX-C-bgp] peer 9.1.1.1 as-number 65009
[CX-C-bgp] ipv4-family unicast
[CX-C-bgp-af-ipv4] network 9.1.1.0 255.255.255.0
[CX-C-bgp-af-ipv4] quit
[CX-C-bgp] quit
# Display the routing table of ATN A.

[ATNA] display bgp routing-table 9.1.1.0 24
Paths:
From: 200.1.1.1 (2.2.2.2)
Direct Out-interface: 0/2/0
AS-path 65009, origin igp, MED 0, pref-val 0, valid, external, best, select,
active, pre 255
200.1.1.1
200.1.2.1
From: 200.1.2.1 (3.3.3.3)
Issue 02 (2013-12-31)

2616

Equipment
8 IP Routing

AS-path 65009, origin igp, MED 0, pref-val 0, valid, external, pre 255, not
selected for router ID
You can view that there are two valid routes to the destination 9.1.1.0/24. The route whose next
hop is 200.1.1.1 is the optimal route. This is because the router ID of ATN B is smaller.
Step 3 Configure load balancing.
# Configure ATN A.
[ATNA] bgp 65008
[ATNA-bgp] ipv4-family unicast
[ATNA-bgp-af-ipv4] maximum load-balancing 2
[ATNA-bgp-af-ipv4] quit
[ATNA-bgp] quit
# Check the routing table of ATN A.

Paths:
From: 200.1.1.1 (2.2.2.2)
active, pre 255
200.1.1.1
200.1.2.1
From: 200.1.2.1 (3.3.3.3)
AS-path 65009, origin igp, MED 0, pref-val 0, valid, external, select, active, pre
255, not selected for router ID
You can view that BGP route 9.1.1.0/24 has two next hops: 200.1.1.1 and 200.1.2.1. They are
optimal routes.
Step 4 Set the MEDs.
# Set the MED sent by CX-B to ATN A through the policy.
[CX-B] route-policy 10 permit node 10
[CX-B-route-policy] apply cost 100
[CX-B-route-policy] quit
[CX-B] bgp 65009
[CX-B-bgp] peer 200.1.1.2 route-policy 10 export
# Check the routing table of ATN A.

Issue 02 (2013-12-31)

2617

Equipment
8 IP Routing

Paths:
From: 200.1.2.1 (3.3.3.3)
active, pre 255, not selected for router ID
200.1.1.1
200.1.2.1
From: 200.1.1.1 (2.2.2.2)
AS-path 65009, origin igp, MED 100, pref-val 0, valid, external, pre 255, not
selected for MED
You can view that the MED of the route with the next hop 200.1.1.1 (CX-B) is 100, and the
MED of the route with the next hop 200.1.2.1 is 0. Therefore, the route with the smaller MED
is preferred.
----End
Configuration Files
l

#
sysname ATNA
#
interface 0/2/0
link-protocol ppp
ip address 200.1.1.2 255.255.255.0
#
interface 0/2/4
link-protocol ppp
ip address 200.1.2.2 255.255.255.0
#
bgp 65008
router-id 1.1.1.1
#
ipv4-family unicast
maximum load-balancing 2
#
return

#
sysname CX-B
#
ip address 9.1.1.1 255.255.255.0
#
interface Pos2/0/0
link-protocol ppp
Issue 02 (2013-12-31)

2618

Equipment
8 IP Routing
ip address 200.1.1.1 255.255.255.0

#
bgp 65009
router-id 2.2.2.2
#
ipv4-family unicast
network 9.1.1.0 255.255.255.0
peer 9.1.1.2 enable
#
route-policy 10 permit node 10
apply cost 100
#
return

#
sysname CX-C
#
ip address 9.1.1.2 255.255.255.0
#
interface Pos2/0/0
link-protocol ppp
ip address 200.1.2.1 255.255.255.0
#
bgp 65009
router-id 3.3.3.3
#
ipv4-family unicast
network 9.1.1.0 255.255.255.0
peer 9.1.1.1 enable
#
return
Example for Configuring Prefix-based BGP ORF

After prefix-based BGP ORF is configured, on-demand route advertisement can be
implemented.
As shown in Figure 8-43, PE1 and PE2 are in AS 100; PE1 requires PE2 to send only the routes
matching the inbound policy of PE1.
Issue 02 (2013-12-31)

2619

Equipment
8 IP Routing
Figure 8-43 Networking diagram of configuring prefix-based BGP ORF
AS100
PE1
GE0/2/0
111.1.1.1/24
GE1/0/0
111.1.1.2/24
PE2
1.
Establish an IPv4 unicast peer relationship between PE1 and PE2.
2.
Apply prefix-based inbound policy to PE1 and configure PE1 to import routes from PE2.
Then, check the sent routes and received routes.
3.
Check the sent and received routes after configuring prefix-based BGP ORF.
Data Preparation
l
Router ID and AS number of PE1 (in this example, the router ID of PE1 is 1.1.1.1, and the
AS number of PE1 is 100)
Router ID and AS number of PE2 (in this example, the router ID of PE2 is 2.2.2.2, and the
AS number of PE2 is 100)
Procedure
Step 1 Establish an IPv4 unicast peer relationship between PE1 and PE2.
# Configure PE1.
[PE1-GigabitEthernet0/2/0] ip address 111.1.1.1 255.255.255.0
[PE1] bgp 100
Issue 02 (2013-12-31)

2620

Equipment
8 IP Routing
# Configure PE2.
[PE2-GigabitEthernet1/0/0] ip address 111.1.1.2 255.255.255.0
[PE2] bgp 100
Step 2 Apply the prefix-based inbound policy on PE1.

# Configure PE1.
[PE1] ip ip-prefix 1 permit 4.4.4.0 24 greater-equal 32
[PE1] bgp 100
[PE1-bgp] peer 111.1.1.2 ip-prefix 1 import
# Configure PE2.
[PE2] ip route-static 3.3.3.3 255.255.255.255 NULL0
[PE2] bgp 100
[PE2-bgp] import static
# Check the routes sent by PE2 to PE1.

[PE2] display bgp routing peer 111.1.1.1 advertised-routes
*>
*>
*>
Network
NextHop
MED
3.3.3.3/32
4.4.4.4/32
5.5.5.5/32
0.0.0.0
0.0.0.0
0.0.0.0
0
0
0
LocPrf
PrefVal Path/Ogn
0
0
0
?
?
?
# Check the routes received by PE1 from PE2.

[PE1] display bgp routing-table peer 111.1.1.2 received-routes
*>i
Network
NextHop
4.4.4.4/32
111.1.1.2
MED
LocPrf
100
PrefVal Path/Ogn
0
When prefix-based BGP ORF is not enabled, PE2 sends routes 3.3.3.3, 4.4.4.4, and 5.5.5.5 to
PE1. Because the prefix-based inbound policy is applied on PE1, PE1 receives only route 4.4.4.4.
Step 3 Enable prefix-based BGP ORF.
# Enable prefix-based BGP ORF on PE1.
[PE1] bgp 100
[PE1-bgp] peer 111.1.1.2 capability-advertise orf ip-prefix both
# Enable prefix-based BGP ORF on PE2.

Issue 02 (2013-12-31)

2621

Equipment
8 IP Routing
[PE2] bgp 100

[PE2-bgp] peer 111.1.1.1 capability-advertise orf ip-prefix both

# Check the negotiation of prefix-based BGP ORF.
<PE1> display bgp peer 111.1.1.2 verbose
Type: IBGP link
Update-group ID: 2
Port: Local - 54845
Remote - 179
Peer supports bgp outbound route filter capability
Support Address-Prefix: IPv4-UNC address-family, rfc-compatible, both
Update messages
1
Open messages
1
KeepAlive messages
2
0
Refresh messages
1
Update messages
0
Open messages
1
KeepAlive messages
2
0
Refresh messages
1
Outbound route filter capability has been enabled
Enable Address-Prefix: IPv4-UNC address-family, rfc-compatible, both
No import update filter list
No export update filter list
Import prefix list is: 1
No export prefix list
No import route policy
No export route policy
No import distribute policy
No export distribute policy
# Check the routes sent by PE2 to PE1.

<PE2> display bgp routing peer 111.1.1.1 advertised-routes
Issue 02 (2013-12-31)

2622

Equipment
8 IP Routing

*>
Network
NextHop
MED
4.4.4.4/32
0.0.0.0
LocPrf
PrefVal Path/Ogn
0
# Check the routes received by PE1 from PE2.

<PE1> display bgp routing-table peer 111.1.1.2 received-routes
*>i
Network
NextHop
4.4.4.4/32
111.1.1.2
MED
LocPrf
100
PrefVal Path/Ogn
0
After being enabled with prefix-based BGP ORF, PE2 sends only route 4.4.4.4 matching the
inbound policy of PE1.
----End
Configuration Files
l

#
sysname PE1
#
ip address 111.1.1.1 255.255.255.0
#
bgp 100
#
ipv4-family unicast
peer 111.1.1.2 ip-prefix 1 import
peer 111.1.1.2 capability-advertise orf ip-prefix both
#
#
route-policy 1 permit node 10
#
ip ip-prefix 1 index 10 permit 4.4.4.0 24 greater-equal 32 less-equal 32
#
return

#
sysname PE2
#
ip address 111.1.1.2 255.255.255.0
#
bgp 100
#
ipv4-family unicast
Issue 02 (2013-12-31)

2623

Equipment
8 IP Routing
import-route static
peer 111.1.1.1 capability-advertise orf ip-prefix both
#
#
return
8.9 BGP4+ Configuration

BGP4+, which is applicable to the large-scale IPv6 network with a complicated structure, is used
between ASs to transmit routing information.
8.9.1 Introduction
BGP4+ is a dynamic routing protocol used between ASs.
BGP4+ Overview
BGP4+ is mainly used to control route transmission and select optimal routes.
BGP4+ is a dynamic routing protocol used between Autonomous Systems (ASs), and it is an
extension of BGP.
The traditional BGP4 can manage only the IPv4 routing information. For other network layer
protocols such as IPv6, the traditional BGP4 has a limited capability to transmit routing
information.
The Internet Engineering Task Force (IETF) introduces BGP4+ as a supplement to BGP4 to
support multiple network layer protocols. The RFC for BGP4+ is RFC 2858 (Multiprotocol
Extensions for BGP4).
To support IPv6, BGP4 needs to reflect the IPv6 protocol information to the Network Layer
Reachable Information (NLRI) attribute and the Next_Hop attribute.
BGP4+ introduces two NLRI attributes:
l
Multiprotocol Reachable NLRI (MP_REACH_NLRI): advertises the reachable routes and

the next hop information.
Multiprotocol Unreachable NLRI (MP_UNREACH_NLRI): withdraws the unreachable

routes.
The Next_Hop attribute of BGP4+ is in the format of an IPv6 address. It can be an IPv6 global
unicast address or the link-local address of the next hop.
BGP4+ can be applied to an IPv6 network by using the BGP attribute of multiple protocol
extension. The message and routing mechanisms of BGP remain unaltered.
BGP4+ Features Supported by the ATN

The system supports various BGP4+ features, including route aggregation, route dampening,
community, route reflector, confederation, BGP4+ accounting, 6VPE, BFD for BGP4+, BGP4
+ NSR, and BGP4+ GR.
Issue 02 (2013-12-31)

2624

Equipment
8 IP Routing
Most of BGP4+ features supported by the ATN are similar to those of BGP supported by the
ATN. For details, refer to the chapter "BGP Configuration".
NOTE
BGP4+ does not support summary automatic.
8.9.2 Configuring Basic BGP4+ Functions

Before building BGP4+ networks, you need to configure basic BGP4+ functions.
Before You Start

Before configuring basic BGP4+ functions, familiarize yourself with the usage scenario,
BGP4+ is configured in an IPv6 network.
Before configuring basic BGP4+ functions, complete the following tasks:
l
Enabling IPv6
Configuring link layer protocol parameters and IPv6 addresses for interfaces to make link
layers of the interfaces Up
Data Preparation
To configure BGP4+, you need the following data.
No.
Data
Local AS number and Router ID
IPv6 address and AS number of the peer
(Optional) Interfaces that set up the BGP4+ session
Starting a BGP Process

Starting a BGP4+ process is a prerequisite for configuring basic BGP4+ functions. When starting
a BGP4+ process, you need to specify the number of the AS that the device belongs to.
Context
Perform the following steps on the ATN on which the BGP4+ connection needs to be set up:
Issue 02 (2013-12-31)

2625

Equipment
8 IP Routing
Procedure
Step 1 Run:
system-view

Step 2 Run:
BGP is enabled (the local AS number is specified) and the BGP view is displayed.
router-id ipv4-address
The router ID is set.

Setting or changing the router ID of BGP resets the BGP peer relationship between ATNs.
NOTE
l To enhance the network reliability, you can manually configure the address of a loopback interface as
the router ID. If the router ID is not set, BGP uses the router ID in the system view. To select the router
ID in the system view, refer to the Command Reference - IP Routing.
l If no interface of a ATN is configured with an IPv4 address, you must set a router ID for the ATN.
----End
Configuring an IPv6 Peer

Devices can exchange BGP4+ routing information only after BGP4+ peers are configured and
the BGP4+ peer relationship is established.
Procedure
l
Configuring an IBGP Peer

Perform the following steps on the ATN on which the IBGP connection needs to be set up:
1.
Run:
system-view

2.
Run:

3.
Run:
peer { ipv6-address | group-name } as-number { as-number-plain | as-numberdot }
The peer address and the AS where the peer resides are configured.
The AS number of the specified peer must be the same as the local AS number.
When the IPv6 address of a specified peer is a loopback address or a sub-interface
address, you need to perform Configuring the Local Interfaces Used for BGP4+
Connections to ensure the establishment of the peer.
Issue 02 (2013-12-31)

2626

Equipment
4.
8 IP Routing
(Optional) Run:
peer { ipv6-address | group-name } listen-only
A peer (group) is configured only to listen to connection requests, but not to send
After this command is used, the existing peer relationship is interrupted. The peer on
which this command is used waits for the connection request from its peer to
reestablish the neighbor relationship. This configuration can prevent the conflict of
sending connection requests.
NOTE
This command can be used on only one of two peers. If this command is used on the two peers,
the connection between the two peers cannot be established.
5.
Run:
ipv6-family [ unicast ]

6.
Run:
peer { ipv6-address | group-name } enable
The IPv6 peers are enabled.

After configuring the BGP4+ peers in the BGP view, you need to enable these peers
in the BGP IPv6 unicast address family view.
l
Configuring an EBGP Peer

Perform the following steps on the ATN on which the EBGP connection needs to be set
up:
1.
Run:
system-view

2.
Run:

3.
Run:
peer { ipv6-address | group-name } as-number { as-number-plain | as-numberdot }
The IP address and the AS number of a specified BGP peer are specified.
The AS number of the specified BGP peer should be different from the local AS
number.
If the IP address of the specified peer is that of a loopback interface on the reachable
peer or that of a sub-interface on the directly connected peer, you need to complete
the task of Configuring the Local Interfaces Used for BGP4+ Connections to
ensure that the peer is correctly established.
4.
Run:
peer { ipv6-address | group-name } ebgp-max-hop [ hop-count ]
The maximum number of hops in the EBGP connections is set.

Issue 02 (2013-12-31)

2627

Equipment
8 IP Routing
Usually, a direct physical link should be available between the EBGP peers. If this
requirement cannot be met, you can use the peer ebgp-max-hop command to
configure the EBGP peers to establish the TCP connections through multiple hops.
NOTE
When establishing the EBGP connection through loopback interfaces, you must use the peer
ebgp-max-hop command specifying that hop-count is greater than or equal to 2. Otherwise,
BGP cannot set up the EBGP connection with the peer.
5.
(Optional) Run:
peer { ipv6-address | group-name } listen-only
The peer or peer group is configured only to listen to connection requests, but not to
send any connection request.
After this command is used, the existing peer relationship is removed. The peer on
which this command is used reestablishes the peer relationship after receiving the
connection request from its peer. After this configuration is done, the conflict of
connection requests is avoided.
NOTE
This command can be used on only one of two peers. If this command is used on the two peers,
the connection between the two peers cannot be established.
6.
Run:

7.
Run:
peer { ipv6-address | group-name } enable
An IPv6 peer is enabled.

After configuring a BGP4+ peer in the BGP view, enable the peer in the BGP IPv6
unicast address family view.
----End
(Optional) Configuring the Local Interfaces Used for BGP4+ Connections

When establishing BGP4+ peer relationship between two devices through various links, you
need to specify the local interface during the setup of a BGP4+ session on the devices.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
Issue 02 (2013-12-31)

2628

Equipment
8 IP Routing
peer { ipv6-address | group-name } connect-interface interface-type interfacenumber [ ipv6-source-address ]
The source interface and source address used to set up a TCP connection are specified.
Usually, BGP4+ uses the physical interface that is directly connected to the peer as the session
interface used for the TCP connection.
To increase the reliability and stability of the BGP4+ connections, configure the local interface
used for the BGP4+ connection as the loopback interface. In this way, when there are redundant
links on the network, the BGP4+ connections are not interrupted due to the failure of a certain
interface or a link.
NOTE
When establishing BGP4+ peer relationship between two devices through various links, specify the local
interface during the setup of a BGP4+ session on the devices by using the peer connect-interface command
is recommended.
----End

After basic BGP4+ functions are configured, you can check BGP4+ peer information.
Prerequisites
Basic BGP4+ functions has been configured.
Procedure
l
Run the display bgp ipv6 peer ipv4-address verbose command to check information about
the BGP4+ peers.
Run the display bgp ipv6 peer ipv6-address { log-info | verbose } command to check
information about the BGP4+ peers.
----End
8.9.3 Configuring BGP4+ Route Attributes

BGP4+ has many route attributes. By configuring these attributes, you can change BGP4+
routing policies.
Before You Start

Before controlling BGP4+ route selection, familiarize yourself with the usage scenario, complete
You can change the BGP4+ routing policies by configuring the route attributes.
l
Issue 02 (2013-12-31)
BGP4+ priority
2629

Equipment
8 IP Routing
After the BGP4+ priority is configured, Route Management (RM) is affected in routing
between BGP4+ and the other routing protocols.
l
Preferred value of BGP4+ routing information

After the preferred value of BGP4+ routing information is configured, the route with the
greatest preferred value is selected when multiple routes to the same destination exist in
the BGP4+ routing table.
Local_Pref attribute
The function of the Local_Pref attribute is similar to that of the preferred value of BGP4+
routing information. The preferred value of BGP4+ routing information takes precedence
over the Local_Pref attribute.
Multi_Exit Discriminator (MED) attribute

After the MED attribute is configured, EBGP peers select the route with the smallest MED
value when the traffic enters an AS.
Next_Hop attribute
A route with an unreachable next hop is ignored.
Community attribute
The community attribute can simplify the management of routing policies. The
management range of the community attribute is wider than that of the peer group. The
community attribute can control the routing policies of multiple BGP4+ devices.
AS_Path attribute
After the AS_Path attribute is configured, the route with a shorter AS path is selected.
Accumulated interior gateway protocol metric (AIGP)

The AIGP attribute is used to select the optimal route in an AIGP administrative domain.
Before configuring BGP4+ route attributes, complete the following tasks:
l
Configuring Basic BGP4+ Functions
Data Preparation
To configure BGP4+ route attributes, you need the following data.
Issue 02 (2013-12-31)
No.
Data
AS number
Protocol priority
Local_Pref
MED
Name of the routing policy for using the community attribute

2630

Equipment
8 IP Routing
Configuring the BGP4+ Preference

Setting the BGP4+ preference can affect route selection between BGP4+ and another routing
protocol.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:

Step 4 Run:
preference { external internal local | route-policy route-policy-name }
The BGP4+ preference is set.

NOTE
Using peer route-policy command to configure the preference of the BGP protocol on the peers is not
currently supported.
----End
Configuring BGP4+ Preferred Value for Routing Information

After the preferred value is configured for routing information, the route with the largest
preferred value is selected when multiple routes to the same destination exist in the BGP4+
routing table.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:

Step 4 Run:
Issue 02 (2013-12-31)

2631

Equipment
8 IP Routing
peer { group-name | ipv4-address | ipv6-address } preferred-value value
The preferred value of a peer is configured.

By default, the preferred value of the route learned from a neighbor is 0.
----End
Configuring the Default Local_Pref Attribute of the Local Router

The Local_Pref attribute is used to determine the optimal route for the traffic that leaves an AS.
When a BGP4+ router obtains multiple routes to the same destination address but with different
next hops from different IBGP peers, the route with the largest Local_Pref value is selected.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:

Step 4 Run:
default local-preference preference
The default Local_Pref of the local router is configured.

----End
Configuring the MED Attribute

The Multi_Exit Discriminator (MED) attribute serves as the metric used by an IGP. After MED
attributes are set, EBGP peers select the route with the smallest MED value for the traffic that
enters an AS.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
Issue 02 (2013-12-31)

2632

Equipment
8 IP Routing

Step 4 Run the following commands to configure the BGP4+ MED attribute as required:
l Run:
default med med
The default MED attribute is configured.

l Run:
compare-different-as-med
The MED values from different ASs are compared.

l Run:
deterministic-med
Deterministic-MED is enabled.
If this command is not configured, when an optimal route is to be selected from among routes
which are received from different ASs and which carry the same prefix, the sequence in
which routes are received is relevant to the result of route selection. After the command is
configured, however, when an optimal route is to be selected from among routes which are
received from different ASs and which carry the same prefix, routes are first grouped
according to the leftmost AS in the AS_Path. Routes with the same leftmost AS are grouped
together, and after comparison, an optimal route is selected for the group. The group optimal
route is then compared with optimal routes from other groups to determine the final optimal
route. This mode of route selection ensures that the sequence in which routes are received is
no longer relevant to the result of route selection.
l Run:
bestroute med-none-as-maximum
The maximum MED value is used when the current MED is not available.
l Run:
bestroute med-confederation
The MED values of routes advertised in the local confederation are compared.
The commands in Step 4 can be used regardless of the order.
----End
Configuring the Next_Hop Attribute

By setting the Next_Hop attribute, you can flexibly control BGP4+ route selection.
Procedure
l
Modifying the Next Hop When Advertising a Route to an IBGP Peer

1.
Run:
system-view

2.
Run:

Issue 02 (2013-12-31)

2633

Equipment
3.
8 IP Routing
Run:

4.
Run:
peer ipv6-address next-hop-local
The local address is configured as the next hop when routes are advertised.
In some networking environments, to ensure that the IBGP neighbors find the correct
next hop, configure the next hop address as its own address when routes are advertised
to the IBGP peers.
NOTE
If BGP load balancing is configured, the local ATN changes the next hop address to its own
address when advertising routes to the IBGP peer groups, regardless of whether the peer nexthop-local command is used.
The next-hop iteration based on the routing policy

1.
Run:
system-view

2.
Run:

3.
Run:

4.
Run:
nexthop recursive-lookup route-policy route-policy-name
The next-hop iteration based on the specified routing policy is enabled.

By default, the next-hop iteration based on the specified routing policy is disabled.
The next-hop iteration based on the specified routing policy can control the iterated
route according to certain conditions. The route that fails to pass the policy is ignored.
----End
Configuring the AS-Path Attribute

The AS_Path attribute is used to avoid routing loops and control route selection.
Procedure
l
Configuring the AS_Path Attribute in the IPv6 Address Family View

1.
Run:
system-view

Issue 02 (2013-12-31)

2634

Equipment
2.
8 IP Routing
Run:

3.
Run:

4.
Run the following commands to configure the AS-Path attribute as required:

Run:
peer { ipv6-address | group-name } allow-as-loop [ number ]
The local AS number can be used repeatedly.

Run:
bestroute as-path-ignore
The AS-Path attribute is not configured as one of the route selection rules.
Run:
peer { ipv6-address | group-name } public-as-only
The AS-Path attribute is configured to carry only the public AS number.

The commands in Step 4 can be used regardless of the order.
l
Configuring the Fake AS Number

1.
Run:
system-view

2.
Run:

3.
Run:
peer { ipv6-address | group-name } fake-as { as-number-plain | as-numberdot }
The fake AS number is set.

You can hide the actual AS number of the local ATN by using this command. EBGP
peers in other ASs can only see this fake AS number. That is, peers in other ASs need
to specify the number of the AS where the local peer resides as this fake AS number.
NOTE
This command is applicable only to EBGP peers.
Substituting the AS Number in the AS-Path Attribute

1.
Run:
system-view

2.
Run:

Issue 02 (2013-12-31)

2635

Equipment
3.
8 IP Routing
Run:

4.
Run:
peer { ipv6-address | group-name } substitute-as
The AS number in the AS-Path attribute is substituted.

After this command is used, if the AS-Path attribute contains the AS number of the
peer, you can substitute the local AS number for the AS number of the peer before
advertising routes to the peer.
NOTICE
If the configuration is not correct, the command may cause routing loops.
----End
Configuring the BGP4+ Community Attribute

The community attribute is used to simplify the management of routing policies. The
management scope of the community attribute is far larger than that of the peer group. The
community attribute can control the routing policies of multiple BGP4+ ATNs.
Procedure
l
Configuring the ATNs to Advertise the Community Attribute to the Peers

1.
Run:
system-view

2.
Run:

3.
Run:

4.
Run the following commands to advertise community attributes to the peer group:
To configure the BGP device to send a standard community attribute to its peer or
peer group, run:
peer { ipv4-address | ipv6-address | group-name } advertise-community
ATNs are configured to advertise the standard community attribute to a peer group.
To configure the BGP device to send an extended community attribute to its peer
or peer group, perform the following steps:
Issue 02 (2013-12-31)

2636

Equipment
8 IP Routing
a.
Run the peer { ipv4-address | group-name } advertise-ext-community

command to advertise an extended community attribute to a specified peer or
peer group.
b.
(Optional) Run the ext-community-change enable command to enable the

device to change extended community attributes using a routing policy.
By default, BGP peers cannot change extended community attributes using
a route-policy; specifically, BGP peers advertise only the extended
community attributes carried in routes to a specified peer or peer group, and
the peer route-policy command cannot be used to modify the extended
community attributes.
Applying the Routing Policies to the Advertised Routing Information

1.
Run:
system-view

2.
Run:

3.
Run:

4.
Run:
peer { ipv4-address | ipv6-address | group-name } route-policy routepolicy-name export
The outbound routing policies are configured.

NOTE
l When configuring a BGP4+ community, you should define the specific community
attribute by using the routing policies. Then, apply these routing policies to the
advertisement of routing information.
l For the configuration of routing policies, refer to Routing Policy Configuration. For the
configuration of community attributes, refer to 8.8 BGP Configuration.
----End

After BGP4+ route attributes are configured, you can check information about route attributes.
Prerequisites
BGP4+ route attributes has been configured.
Procedure
l
Run the display bgp ipv6 paths [ as-regular-expression ] command to check the AS-Path
information.
Run the display bgp ipv6 routing-table different-origin-as command to check the route
with the different source AS.
Issue 02 (2013-12-31)

2637

Equipment
8 IP Routing
Run the display bgp ipv6 routing-table regular-expression

ATN 910&910I&910B&950B V200R003C00 Configuration Guide 02 (CLI)

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ATN 910&910I&910B&950B V200R003C00 Configuration Guide 02 (CLI)

Uploaded by

Copyright:

Available Formats

ATN 910&910I&910B&950B Multi-Service Access

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2013. All rights reserved.

Trademarks and Permissions

Huawei Technologies Co., Ltd.

Huawei Industrial Base

Huawei Proprietary and Confidential

ATN 910&910I&910B&950B Multi-Service Access

About This Document

About This Document

A device can store keys in plaintext, reversible algorithm encryption, or irreversible

Data Configuration Engineer

Network Monitoring Engineer

System Maintenance Engineer

Huawei Proprietary and Confidential

ATN 910&910I&910B&950B Multi-Service Access

About This Document

The keywords of a command line are in boldface.

Command arguments are in italics.

Items (keywords or arguments) in brackets [ ] are optional.

Optional items are grouped in braces and separated by

Optional items are grouped in brackets and separated by

Optional items are grouped in braces and separated by

Optional items are grouped in brackets and separated by

Huawei Proprietary and Confidential

ATN 910&910I&910B&950B Multi-Service Access

About This Document

Buttons, menus, parameters, tabs, window, and dialog titles

Multi-level menus are in boldface and separated by the ">"

Changes in Issue 02 (2013-12-31)

Changes in Issue 01 (2013-10-31)

Huawei Proprietary and Confidential

ATN 910&910I&910B&950B Multi-Service Access

Huawei Proprietary and Confidential

ATN 910&910I&910B&950B Multi-Service Access

1.7 Configuring System Startup.......................................................................................................................................143

Huawei Proprietary and Confidential

ATN 910&910I&910B&950B Multi-Service Access

2.3.1 Overview of RMON and RMON2..........................................................................................................................345

Huawei Proprietary and Confidential

ATN 910&910I&910B&950B Multi-Service Access

2.5.31 Maintaining NQA..................................................................................................................................................545

Huawei Proprietary and Confidential

ATN 910&910I&910B&950B Multi-Service Access

3.3.1 Bit-Error-Triggered Protection Switching Overview..............................................................................................749

Huawei Proprietary and Confidential

ATN 910&910I&910B&950B Multi-Service Access

3.7.4 Configuring Remote Loopback...............................................................................................................................973

Huawei Proprietary and Confidential

ATN 910&910I&910B&950B Multi-Service Access

4.4.1 Flapping Control Configuration Overview............................................................................................................1238

5 LAN Access and MAN Access..............................................................................................1262

Huawei Proprietary and Confidential

ATN 910&910I&910B&950B Multi-Service Access

5.4.8 Configuring Interface Isolation in a VLAN..........................................................................................................1366

Huawei Proprietary and Confidential

ATN 910&910I&910B&950B Multi-Service Access

5.10.2 Configuring Automatic Link Discovery..............................................................................................................1610

Huawei Proprietary and Confidential

ATN 910&910I&910B&950B Multi-Service Access

6.5.3 Configuring PPP Optional Parameters..................................................................................................................1783

Huawei Proprietary and Confidential

ATN 910&910I&910B&950B Multi-Service Access